Analysis
- max time kernel: 150s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06/10/2022, 09:32
Static task: static1
Behavioral task: behavioral1
- Sample: a8ca391420619d51b69cdecd69de91f7.exe
- Resource: win7-20220812-en
General
- Target: a8ca391420619d51b69cdecd69de91f7.exe
- Size: 8.0MB
- MD5: a8ca391420619d51b69cdecd69de91f7
- SHA1: df53d79107c81f47f9244bd81f06d526bf6575ea
- SHA256: 669e1697823eb434f2004523e648735a41ec9044e3ca8a34a055268e0ffaf45b
- SHA512: 8ad3ce8701f19a9bbaa84fadd25b2b314772114b4f9635f59f4112e79fa27fdd9b24a392e8a7aa215fbfee57d4013522c7ac71af2b53be94d0977ae499a17e86
- SSDEEP: 196608:4JNLHNhcPQJ/HmZfovBFRuICGJrbJy3PoypzYS34dZ67YgqgP8:mHJOJirRubG9M/pYS34dZePE
Malware Config
Extracted
- Family: redline
- C2: 185.215.113.69:15544
- auth_value: 1372cd9fae57c6645ea8737ff631eb3c
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/69164-88-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral1/memory/69164-93-0x000000000041B51E-mapping.dmp | family_redline
  behavioral1/memory/69164-94-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral1/memory/69164-95-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Setup.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | updater.exe
- XMRig Miner payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/1616-158-0x0000000140000000-0x00000001407F4000-memory.dmp | xmrig
  behavioral1/memory/1616-160-0x0000000140000000-0x00000001407F4000-memory.dmp | xmrig
- Executes dropped EXE (4 IoCs)
  pid | Process
  1644 | Setup.exe
  1572 | WinDefenderUpdater.exe
  324 | Updater.exe
  924 | updater.exe
- yara_rule matches: upx (2 IoCs)
  resource | yara_rule
  behavioral1/memory/1616-158-0x0000000140000000-0x00000001407F4000-memory.dmp | upx
  behavioral1/memory/1616-160-0x0000000140000000-0x00000001407F4000-memory.dmp | upx
- yara_rule matches: vmprotect (7 IoCs)
  resource | yara_rule
  behavioral1/files/0x0009000000012752-65.dat | vmprotect
  behavioral1/files/0x0009000000012752-67.dat | vmprotect
  behavioral1/files/0x0009000000012752-66.dat | vmprotect
  behavioral1/files/0x0009000000012752-64.dat | vmprotect
  behavioral1/files/0x0009000000012752-72.dat | vmprotect
  behavioral1/files/0x0009000000012752-73.dat | vmprotect
  behavioral1/memory/324-80-0x00000000008F0000-0x0000000000966000-memory.dmp | vmprotect
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | updater.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | updater.exe
- Loads dropped DLL (12 IoCs)
  pid | Process
  1452 | a8ca391420619d51b69cdecd69de91f7.exe (x8)
  1572 | WinDefenderUpdater.exe (x3)
  908 | taskeng.exe
- yara_rule matches: themida (23 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000005c50-55.dat | themida
  behavioral1/files/0x0008000000005c50-57.dat | themida
  behavioral1/files/0x0008000000005c50-61.dat | themida
  behavioral1/memory/1644-77-0x000000013F4E0000-0x0000000140187000-memory.dmp | themida
  behavioral1/memory/1644-79-0x000000013F4E0000-0x0000000140187000-memory.dmp | themida
  behavioral1/memory/1644-81-0x000000013F4E0000-0x0000000140187000-memory.dmp | themida
  behavioral1/memory/1644-82-0x000000013F4E0000-0x0000000140187000-memory.dmp | themida
  behavioral1/memory/1644-83-0x000000013F4E0000-0x0000000140187000-memory.dmp | themida
  behavioral1/memory/1644-84-0x000000013F4E0000-0x0000000140187000-memory.dmp | themida
  behavioral1/memory/1644-100-0x000000013F4E0000-0x0000000140187000-memory.dmp | themida
  behavioral1/memory/1644-114-0x000000013F4E0000-0x0000000140187000-memory.dmp | themida
  behavioral1/files/0x00070000000139dc-124.dat | themida
  behavioral1/files/0x00070000000139dc-126.dat | themida
  behavioral1/memory/924-128-0x000000013F260000-0x000000013FF07000-memory.dmp | themida
  behavioral1/files/0x00070000000139dc-129.dat | themida
  behavioral1/memory/924-130-0x000000013F260000-0x000000013FF07000-memory.dmp | themida
  behavioral1/memory/924-131-0x000000013F260000-0x000000013FF07000-memory.dmp | themida
  behavioral1/memory/924-133-0x000000013F260000-0x000000013FF07000-memory.dmp | themida
  behavioral1/memory/924-134-0x000000013F260000-0x000000013FF07000-memory.dmp | themida
  behavioral1/memory/924-135-0x000000013F260000-0x000000013FF07000-memory.dmp | themida
  behavioral1/memory/924-136-0x000000013F260000-0x000000013FF07000-memory.dmp | themida
  behavioral1/memory/924-138-0x000000013F260000-0x000000013FF07000-memory.dmp | themida
  behavioral1/memory/924-156-0x000000013F260000-0x000000013FF07000-memory.dmp | themida
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks whether UAC is enabled (2 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Setup.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | api.ipify.org
  5 | api.ipify.org
- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  1644 | Setup.exe
  924 | updater.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 1572 set thread context of 69164 | 1572 | WinDefenderUpdater.exe | 30
  PID 924 set thread context of 632 | 924 | updater.exe | 47
  PID 924 set thread context of 1616 | 924 | updater.exe | 53
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  69252 | schtasks.exe
  53908 | schtasks.exe
  1056 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (57 IoCs)
  pid | Process
  324 | Updater.exe (x12)
  69164 | AppLaunch.exe
  69528 | powershell.exe
  69180 | powershell.exe
  1684 | powershell.exe
  1616 | svchost.exe (x41)
- Suspicious use of AdjustPrivilegeToken (47 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 324 | Updater.exe
  Token: SeDebugPrivilege | 69164 | AppLaunch.exe
  Token: SeDebugPrivilege | 69528 | powershell.exe
  Token: SeDebugPrivilege | 69180 | powershell.exe
  Token: SeDebugPrivilege | 1684 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 1568 | WMIC.exe
  Token: SeSecurityPrivilege | 1568 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1568 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1568 | WMIC.exe
  Token: SeSystemProfilePrivilege | 1568 | WMIC.exe
  Token: SeSystemtimePrivilege | 1568 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1568 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 1568 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 1568 | WMIC.exe
  Token: SeBackupPrivilege | 1568 | WMIC.exe
  Token: SeRestorePrivilege | 1568 | WMIC.exe
  Token: SeShutdownPrivilege | 1568 | WMIC.exe
  Token: SeDebugPrivilege | 1568 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1568 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 1568 | WMIC.exe
  Token: SeUndockPrivilege | 1568 | WMIC.exe
  Token: SeManageVolumePrivilege | 1568 | WMIC.exe
  Token: 33 | 1568 | WMIC.exe
  Token: 34 | 1568 | WMIC.exe
  Token: 35 | 1568 | WMIC.exe
  (the 20 WMIC.exe rows above, from SeIncreaseQuotaPrivilege through 35, appear a second time in the same order)
  Token: SeLockMemoryPrivilege | 1616 | svchost.exe (x2)
- Suspicious use of FindShellTrayWindow (41 IoCs)
  pid | Process
  1616 | svchost.exe (x41)
- Suspicious use of SendNotifyMessage (41 IoCs)
  pid | Process
  1616 | svchost.exe (x41)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 1452 wrote to memory of 1644 | 1452 | a8ca391420619d51b69cdecd69de91f7.exe | 26 (x4)
  PID 1452 wrote to memory of 1572 | 1452 | a8ca391420619d51b69cdecd69de91f7.exe | 27 (x7)
  PID 1452 wrote to memory of 324 | 1452 | a8ca391420619d51b69cdecd69de91f7.exe | 28 (x4)
  PID 1572 wrote to memory of 69164 | 1572 | WinDefenderUpdater.exe | 30 (x9)
  PID 324 wrote to memory of 69252 | 324 | Updater.exe | 31 (x3)
  PID 1644 wrote to memory of 69528 | 1644 | Setup.exe | 36 (x3)
  PID 69528 wrote to memory of 53908 | 69528 | powershell.exe | 38 (x3)
  PID 1644 wrote to memory of 69180 | 1644 | Setup.exe | 39 (x3)
  PID 69180 wrote to memory of 944 | 69180 | powershell.exe | 41 (x3)
  PID 908 wrote to memory of 924 | 908 | taskeng.exe | 43 (x3)
  PID 924 wrote to memory of 1684 | 924 | updater.exe | 44 (x3)
  PID 1684 wrote to memory of 1056 | 1684 | powershell.exe | 46 (x3)
  PID 924 wrote to memory of 632 | 924 | updater.exe | 47 (x4)
  PID 632 wrote to memory of 992 | 632 | conhost.exe | 48 (x3)
  PID 924 wrote to memory of 320 | 924 | updater.exe | 49 (x3)
  PID 320 wrote to memory of 1568 | 320 | cmd.exe | 52 (x3)
  PID 924 wrote to memory of 1616 | 924 | updater.exe | 53 (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\a8ca391420619d51b69cdecd69de91f7.exe (PID 1452)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a8ca391420619d51b69cdecd69de91f7.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Setup.exe (PID 1644)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 69528)
      Command line: powershell <#yodokpfwe#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe (PID 53908)
        Command line: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
        - Creates scheduled task(s)
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 69180)
      Command line: powershell <#krdpmezpo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe (PID 944)
        Command line: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
  - C:\Users\Admin\AppData\Local\Temp\WinDefenderUpdater.exe (PID 1572)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WinDefenderUpdater.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 69164)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Updater.exe (PID 324)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Updater.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\schtasks.exe (PID 69252)
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 3 /tn "MicrosoftEdgeUpdate" /tr "C:\Users\Admin\AppData\Roaming\Updaterx.exe\Updater,exe.exe" /f
      - Creates scheduled task(s)
- C:\Windows\system32\wbem\WmiApSrv.exe (PID 69324)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- C:\Windows\system32\taskeng.exe (PID 908)
  Command line: taskeng.exe {909671C9-A862-4F69-8DBB-B48F23BB3C9A} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe (PID 924)
    Command line: C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1684)
      Command line: powershell <#yodokpfwe#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe (PID 1056)
        Command line: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
        - Creates scheduled task(s)
    - C:\Windows\system32\conhost.exe (PID 632)
      Command line: C:\Windows\system32\conhost.exe xcntavhndiimtz
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (PID 992)
        Command line: cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
    - C:\Windows\system32\cmd.exe (PID 320)
      Command line: cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe (PID 1568)
        Command line: wmic PATH Win32_VideoController GET Name, VideoProcessor
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\svchost.exe (PID 1616)
      Command line: C:\Windows\system32\svchost.exe kjyytlcxpfuxqnbv (remainder of the command line is not present in the captured report)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 7.0MB
  MD5: 33303879b30d7f28dcdf091642f57568
  SHA1: 409c6d577cef0447a71c714cdaacbbe4ae76d379
  SHA256: 9a41c8ce89ec0d6a09d2f383097efe375882cab9eb418360c2a6bc4db57ff95b
  SHA512: 633d0a8ddfbab8d725a93ecb436201ac43d83a861174b844779d3d06ed5273647ade9cc097f53cfb6bdf8089c4f843373e3c6fa10a25de24aa65b7469798db3f
- Filesize: 275KB
  MD5: a69eb2e41c9d3d8783d307cda98f612d
  SHA1: 394b19629a71cac603e378d12ba037ffce12074c
  SHA256: 70b566861ca2286cd90d939661abcd6864f239b7ad4e4f765a45a26c3dc7dc50
  SHA512: f56d3d11fef4468fe5ed53743391c957cdacb50c2248402ba243035a602ebf7a5287a5e7d0343835955e281c405b3816901c074791abac4d2158b778c66756c9
- Filesize: 2.5MB
  MD5: 42cb921e726d99dd48588d9782f3eb0f
  SHA1: d6c46db0c9a2f2b65ad4113c4ee388837c15da4f
  SHA256: ea3da2c63aeaaf1bf692e24ee296598f2d3ce46efd9ca21ae8577548d5705f7e
  SHA512: efbedf7b584b233651989a8393d7dcb1ae84944fbdda9fd2e9dd49b27875d31e502d7cd35bffa77e771c6d8f3e36aa5669d3ac24f76ddcd5b78dc6e9a2268e17
- Filesize: 7.0MB
  MD5: 28bc5e41ab8fd6c319a24416d4f590e6
  SHA1: 5e20315a9fb794f660b30072556525ad1503a2e4
  SHA256: db6408c654a3bc4b89f888a6d231ea4c391f048af1f516e8be94c512bf317b20
  SHA512: efa99980959919a16699d11bfa172bbdeb1b505d296398ede7af5d25b44575f237243a64e35016fca4847b1852e6146d23c9583e8c2e569c8dab58ab714ab844
- Filesize: 198B
  MD5: 37dd19b2be4fa7635ad6a2f3238c4af1
  SHA1: e5b2c034636b434faee84e82e3bce3a3d3561943
  SHA256: 8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07
  SHA512: 86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: dd20ed6089c6fbe6a7b11de97bccc7f2
  SHA1: b1a3efefde7964bf8bacbb354adf9b841df16562
  SHA256: 8c5e9df07348824604d749b8fd9dc421d9682d7c987f5741ce0195e1c939fdf7
  SHA512: b5d98a61b605a3a7961825098fa4a6d611471f163bc4f1b2892fca4ab55f9005d727018d75341b99fd006e8762593cfaa023797ba164c80676c7b1ba96e2a005