asyncrat | 3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

Analysis

max time kernel
355s
max time network
359s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2022 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GoogleDriver.exe
Size

63KB
MD5

dae21c538a7a4f8294d7e19916be9100
SHA1

cea1c44030c6f45243a9408e59f8e43304402438
SHA256

3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4
SHA512

8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26
SSDEEP

1536:6hQDnx1Ak32YGbHZCyYaN1bbLwtY3L3VG/tpqKmY7:6hQDnx1Ak32HHZCyP1bbLxL322z

Score

10^/10

asyncrat redline xmrig cheat new discovery infostealer miner rat spyware stealer upx

Malware Config

Extracted

Family

asyncrat

Version

1.0.7 - modded by last

Botnet

New

nicehash.at:4343

Mutex

adsasutex_qwqdanchun

Attributes

delay
1
install
true
install_file
GoogleDriver.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

cheat

nicehash.at:1338

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\rdln.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\rdln.exe	family_redline
behavioral2/memory/3096-156-0x0000000000DD0000-0x0000000000DEE000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 8 IoCs

Processes:

mina.exeupdater.execonhost.exe

description	pid	process	target process
PID 4984 created 2824	4984	mina.exe	Explorer.EXE
PID 4984 created 2824	4984	mina.exe	Explorer.EXE
PID 4984 created 2824	4984	mina.exe	Explorer.EXE
PID 4832 created 2824	4832	updater.exe	Explorer.EXE
PID 4832 created 2824	4832	updater.exe	Explorer.EXE
PID 4832 created 2824	4832	updater.exe	Explorer.EXE
PID 3956 created 2824	3956	conhost.exe	Explorer.EXE
PID 4832 created 2824	4832	updater.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3812-132-0x000002BD37110000-0x000002BD37126000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\GoogleDriver.exe	asyncrat
C:\Users\Admin\AppData\Roaming\GoogleDriver.exe	asyncrat

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3872-191-0x00007FF7DADE0000-0x00007FF7DB5D4000-memory.dmp	xmrig

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

GoogleDriver.exerdln.exemina.exeupdater.exe

pid process

2476 GoogleDriver.exe
3096 rdln.exe
4984 mina.exe
4832 updater.exe

pid	process
2476	GoogleDriver.exe
3096	rdln.exe
4984	mina.exe
4832	updater.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3872-191-0x00007FF7DADE0000-0x00007FF7DB5D4000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GoogleDriver.exeGoogleDriver.exerdln.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	GoogleDriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	GoogleDriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	rdln.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 4832 set thread context of 3956	4832	updater.exe	conhost.exe
PID 4832 set thread context of 3872	4832	updater.exe	conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4820 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4084 timeout.exe

pid	process
4820	schtasks.exe

pid	process
4084	timeout.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

GoogleDriver.exepowershell.exeGoogleDriver.exerdln.exemina.exepowershell.exepowershell.exeupdater.exepowershell.execonhost.exe

pid	process
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
3812	GoogleDriver.exe
740	powershell.exe
740	powershell.exe
2476	GoogleDriver.exe
3096	rdln.exe
3096	rdln.exe
4984	mina.exe
4984	mina.exe
1976	powershell.exe
1976	powershell.exe
4984	mina.exe
4984	mina.exe
4984	mina.exe
4984	mina.exe
956	powershell.exe
956	powershell.exe
4832	updater.exe
4832	updater.exe
4560	powershell.exe
4560	powershell.exe
4832	updater.exe
4832	updater.exe
4832	updater.exe
4832	updater.exe
3956	conhost.exe
3956	conhost.exe
4832	updater.exe
4832	updater.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

668

pid	process
668

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

GoogleDriver.exeGoogleDriver.exepowershell.exerdln.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3812	GoogleDriver.exe
Token: SeDebugPrivilege	2476	GoogleDriver.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	3096	rdln.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeIncreaseQuotaPrivilege	1976	powershell.exe
Token: SeSecurityPrivilege	1976	powershell.exe
Token: SeTakeOwnershipPrivilege	1976	powershell.exe
Token: SeLoadDriverPrivilege	1976	powershell.exe
Token: SeSystemProfilePrivilege	1976	powershell.exe
Token: SeSystemtimePrivilege	1976	powershell.exe
Token: SeProfSingleProcessPrivilege	1976	powershell.exe
Token: SeIncBasePriorityPrivilege	1976	powershell.exe
Token: SeCreatePagefilePrivilege	1976	powershell.exe
Token: SeBackupPrivilege	1976	powershell.exe
Token: SeRestorePrivilege	1976	powershell.exe
Token: SeShutdownPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeSystemEnvironmentPrivilege	1976	powershell.exe
Token: SeRemoteShutdownPrivilege	1976	powershell.exe
Token: SeUndockPrivilege	1976	powershell.exe
Token: SeManageVolumePrivilege	1976	powershell.exe
Token: 33	1976	powershell.exe
Token: 34	1976	powershell.exe
Token: 35	1976	powershell.exe
Token: 36	1976	powershell.exe
Token: SeIncreaseQuotaPrivilege	1976	powershell.exe
Token: SeSecurityPrivilege	1976	powershell.exe
Token: SeTakeOwnershipPrivilege	1976	powershell.exe
Token: SeLoadDriverPrivilege	1976	powershell.exe
Token: SeSystemProfilePrivilege	1976	powershell.exe
Token: SeSystemtimePrivilege	1976	powershell.exe
Token: SeProfSingleProcessPrivilege	1976	powershell.exe
Token: SeIncBasePriorityPrivilege	1976	powershell.exe
Token: SeCreatePagefilePrivilege	1976	powershell.exe
Token: SeBackupPrivilege	1976	powershell.exe
Token: SeRestorePrivilege	1976	powershell.exe
Token: SeShutdownPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeSystemEnvironmentPrivilege	1976	powershell.exe
Token: SeRemoteShutdownPrivilege	1976	powershell.exe
Token: SeUndockPrivilege	1976	powershell.exe
Token: SeManageVolumePrivilege	1976	powershell.exe
Token: 33	1976	powershell.exe
Token: 34	1976	powershell.exe
Token: 35	1976	powershell.exe
Token: 36	1976	powershell.exe
Token: SeIncreaseQuotaPrivilege	1976	powershell.exe
Token: SeSecurityPrivilege	1976	powershell.exe
Token: SeTakeOwnershipPrivilege	1976	powershell.exe
Token: SeLoadDriverPrivilege	1976	powershell.exe
Token: SeSystemProfilePrivilege	1976	powershell.exe
Token: SeSystemtimePrivilege	1976	powershell.exe
Token: SeProfSingleProcessPrivilege	1976	powershell.exe
Token: SeIncBasePriorityPrivilege	1976	powershell.exe
Token: SeCreatePagefilePrivilege	1976	powershell.exe
Token: SeBackupPrivilege	1976	powershell.exe
Token: SeRestorePrivilege	1976	powershell.exe
Token: SeShutdownPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeSystemEnvironmentPrivilege	1976	powershell.exe
Token: SeRemoteShutdownPrivilege	1976	powershell.exe
Token: SeUndockPrivilege	1976	powershell.exe
Token: SeManageVolumePrivilege	1976	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

conhost.exe

pid	process
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

conhost.exe

pid	process
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe
3872	conhost.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

GoogleDriver.execmd.execmd.exeGoogleDriver.execmd.exepowershell.exerdln.execmd.exepowershell.exeupdater.execmd.exe

description	pid	process	target process
PID 3812 wrote to memory of 4560	3812	GoogleDriver.exe	cmd.exe
PID 3812 wrote to memory of 4560	3812	GoogleDriver.exe	cmd.exe
PID 3812 wrote to memory of 4948	3812	GoogleDriver.exe	cmd.exe
PID 3812 wrote to memory of 4948	3812	GoogleDriver.exe	cmd.exe
PID 4560 wrote to memory of 4820	4560	cmd.exe	schtasks.exe
PID 4560 wrote to memory of 4820	4560	cmd.exe	schtasks.exe
PID 4948 wrote to memory of 4084	4948	cmd.exe	timeout.exe
PID 4948 wrote to memory of 4084	4948	cmd.exe	timeout.exe
PID 4948 wrote to memory of 2476	4948	cmd.exe	GoogleDriver.exe
PID 4948 wrote to memory of 2476	4948	cmd.exe	GoogleDriver.exe
PID 2476 wrote to memory of 216	2476	GoogleDriver.exe	cmd.exe
PID 2476 wrote to memory of 216	2476	GoogleDriver.exe	cmd.exe
PID 216 wrote to memory of 740	216	cmd.exe	powershell.exe
PID 216 wrote to memory of 740	216	cmd.exe	powershell.exe
PID 740 wrote to memory of 3096	740	powershell.exe	rdln.exe
PID 740 wrote to memory of 3096	740	powershell.exe	rdln.exe
PID 740 wrote to memory of 3096	740	powershell.exe	rdln.exe
PID 3096 wrote to memory of 4984	3096	rdln.exe	mina.exe
PID 3096 wrote to memory of 4984	3096	rdln.exe	mina.exe
PID 1652 wrote to memory of 1624	1652	cmd.exe	choice.exe
PID 1652 wrote to memory of 1624	1652	cmd.exe	choice.exe
PID 956 wrote to memory of 1068	956	powershell.exe	schtasks.exe
PID 956 wrote to memory of 1068	956	powershell.exe	schtasks.exe
PID 4832 wrote to memory of 3956	4832	updater.exe	conhost.exe
PID 4492 wrote to memory of 2464	4492	cmd.exe	WMIC.exe
PID 4492 wrote to memory of 2464	4492	cmd.exe	WMIC.exe
PID 4832 wrote to memory of 3872	4832	updater.exe	conhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\GoogleDriver.exe
"C:\Users\Admin\AppData\Local\Temp\GoogleDriver.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:4084

C:\Users\Admin\AppData\Roaming\GoogleDriver.exe
"C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rdln.exe"' & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rdln.exe"'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\rdln.exe
"C:\Users\Admin\AppData\Local\Temp\rdln.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096

C:\Users\Admin\AppData\Local\Temp\mina.exe
"C:\Users\Admin\AppData\Local\Temp\mina.exe"
8⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleDriver" /tr '"C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "GoogleDriver" /tr '"C:\Users\Admin\AppData\Roaming\GoogleDriver.exe"'
4⤵
- Creates scheduled task(s)
PID:4820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbmct#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#pabzpsih#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:1068

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\mina.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:1624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbmct#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4560

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe edycnlwzugcaw
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:3956

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
PID:3704

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
PID:2464

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe uuhuzuzzdeatgvvd 6E3sjfZq2rJQaxvLPmXgsFbIFjbxmk9QBL7MU6NBupSQ/yPb49Ni8CWmHiG+BmFOZlQDiFNUDfkmEWc2woFGLRtqlxZaMJqfYVCHASAmDi4WqDx2BN1SWbf1FzX3l0BO5odAt9xZ8ywS1nNJVreZJQbhXAWcCXGR2lY/kjxaiE1MX2s7iWnTBwp8KIXfg7HDcPuznp1Elm0jyGorgknzRusTYuproFIGUWn2iFRCj4FEecMuZozROLfx1UuYPLnyjZ2ngHwcFq84HGbPGEsn6L0hkAW1RXnmqvrhxROpX915Fh05CVAxtNj7E4dJWh4xLltr7YWVBP/WuI8oBeZcMdU2HfidYrEtMA+iYLM7jO+2iEMvS8aT18wo0pp/zDaySbsDkF1Sp9QAEiymHjwAbQ==
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3872

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GoogleDriver.exe.log
Filesize
425B

MD5
fff5cbccb6b31b40f834b8f4778a779a

SHA1
899ed0377e89f1ed434cfeecc5bc0163ebdf0454

SHA256
b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

SHA512
1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
7ff9440dc25523a288d278b38add13a1

SHA1
d67faf5afe85cacd9d816349f17ded3686ecf1a7

SHA256
ac518124d3bd39440bfba66739f8fab57ff82ea778f707ea2c902b29efde0ee0

SHA512
7116fcf6760a69efebfbffeba5abcfef903cc8647e142117023e022bb34c5fe6d1a35c727faab1e6d6505b2bd69689cf52f8ecef5253ca12d99d425021799911

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4ee95b2cc6050ec464890e249f411da7

SHA1
c23b3ba1e2e9438e67037cd93cd05e69fdcb23e3

SHA256
1842cfc5151d4f9821e1df20f1c64a44f1f478bb0932723cd605a031e11c5b01

SHA512
22806a64855bd867e2593486f6f4b08e93d4900f55fd73ed6b4df0349ea5ab2b3e0c9872e9bc1d9a4438ad083cab7ea49af37b0bfe650a7b2b962de2c52c3ec4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8688d60597fefe2171f1eec397d4e370

SHA1
0420388a2c6ea976c6b75ebcba2b30998107290f

SHA256
62c8234faa12fd93b9b29b4a104c2b690061b65702c29e68ad655316f63fd48e

SHA512
a2311eefdae2d7f85b868ede642d4de5aee3127c6c5f52cbfb453b1f77b784b06a5d4dc3bc1bfe573c68c7767e7201c1e6916e097aaefbcad9431ad8fc7783be

Download Submit
C:\Users\Admin\AppData\Local\Temp\mina.exe
Filesize
3.5MB

MD5
bd3bd541461eb9e8b3510441ee459746

SHA1
2ea26afe0901163b0eb7b9c84f46866f3ffd91f7

SHA256
505a09c5be91d9e44a7b459ac5e8961fe01a234c1633a789ba290e94e81fa5f5

SHA512
22abd36091dd6f2542a2d8ae77d34a176d757b7bb90bbe1b0515b08883f33438b5eb6e6753a1e2cef5c5d8e7b9a8e869c2756369029f666c88c92736520be6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\mina.exe
Filesize
3.5MB

MD5
bd3bd541461eb9e8b3510441ee459746

SHA1
2ea26afe0901163b0eb7b9c84f46866f3ffd91f7

SHA256
505a09c5be91d9e44a7b459ac5e8961fe01a234c1633a789ba290e94e81fa5f5

SHA512
22abd36091dd6f2542a2d8ae77d34a176d757b7bb90bbe1b0515b08883f33438b5eb6e6753a1e2cef5c5d8e7b9a8e869c2756369029f666c88c92736520be6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdln.exe
Filesize
95KB

MD5
6aefd743bed0887a18bbbd3b0c533dfb

SHA1
bb8140a7efc7a1dec295fa4894b0efa7203c6b49

SHA256
001170049bf107796ad564d572ef540743e0a66805f61a51a980998f7c09f5d1

SHA512
70cc520173a922443d4ec81f487227a4d6a5e2c3f7d3cee1c0a6ecc94cf8ceee64e53d75e6f6a5f51d0ae050939d78b9cad9d72bf5a3872c72a2ad7a69842929

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdln.exe
Filesize
95KB

MD5
6aefd743bed0887a18bbbd3b0c533dfb

SHA1
bb8140a7efc7a1dec295fa4894b0efa7203c6b49

SHA256
001170049bf107796ad564d572ef540743e0a66805f61a51a980998f7c09f5d1

SHA512
70cc520173a922443d4ec81f487227a4d6a5e2c3f7d3cee1c0a6ecc94cf8ceee64e53d75e6f6a5f51d0ae050939d78b9cad9d72bf5a3872c72a2ad7a69842929

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.bat
Filesize
156B

MD5
31770c143014dfa0bb3aac42eaa71cdf

SHA1
d53a13618756a81bc1c38cd7d87f04c35c6a1a09

SHA256
3f1389cc813f5018341d265d9b12c34ac2a6f4736aa96dd3f16cfb069a6f196f

SHA512
d0ea4f41582d9d96b937b76e28c5580fcb5bdef6fc79827675e35954013cde35a62390d9a2901093a8db752bc5d407fdce2e7ded1f35a7211fe8a401b31c133b

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleDriver.exe
Filesize
63KB

MD5
dae21c538a7a4f8294d7e19916be9100

SHA1
cea1c44030c6f45243a9408e59f8e43304402438

SHA256
3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

SHA512
8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleDriver.exe
Filesize
63KB

MD5
dae21c538a7a4f8294d7e19916be9100

SHA1
cea1c44030c6f45243a9408e59f8e43304402438

SHA256
3184a8183ddd00795ae4da31244c3bdf010ab97addc4df2b66129982c9ede4e4

SHA512
8e9dd2b4e4ec9b28cb7c40e41f6ba8607e1c16351398d5de84965ee0a596fe255b8bfafb61eee99c83281d7cb43b029695ce68db3b7c942acfe392d63f7d4e26

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
3.5MB

MD5
bd3bd541461eb9e8b3510441ee459746

SHA1
2ea26afe0901163b0eb7b9c84f46866f3ffd91f7

SHA256
505a09c5be91d9e44a7b459ac5e8961fe01a234c1633a789ba290e94e81fa5f5

SHA512
22abd36091dd6f2542a2d8ae77d34a176d757b7bb90bbe1b0515b08883f33438b5eb6e6753a1e2cef5c5d8e7b9a8e869c2756369029f666c88c92736520be6aa

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
3.5MB

MD5
bd3bd541461eb9e8b3510441ee459746

SHA1
2ea26afe0901163b0eb7b9c84f46866f3ffd91f7

SHA256
505a09c5be91d9e44a7b459ac5e8961fe01a234c1633a789ba290e94e81fa5f5

SHA512
22abd36091dd6f2542a2d8ae77d34a176d757b7bb90bbe1b0515b08883f33438b5eb6e6753a1e2cef5c5d8e7b9a8e869c2756369029f666c88c92736520be6aa

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
memory/216-148-0x0000000000000000-mapping.dmp

Download
memory/740-155-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/740-149-0x0000000000000000-mapping.dmp

Download
memory/740-150-0x000001B93AB30000-0x000001B93AB52000-memory.dmp

Filesize
136KB

Download
memory/740-151-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/956-181-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/956-178-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/1068-179-0x0000000000000000-mapping.dmp

Download
memory/1624-176-0x0000000000000000-mapping.dmp

Download
memory/1976-174-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/1976-173-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/1976-172-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/2464-186-0x0000000000000000-mapping.dmp

Download
memory/2476-145-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/2476-146-0x0000015DE3840000-0x0000015DE38B6000-memory.dmp

Filesize
472KB

Download
memory/2476-147-0x0000015DC81B0000-0x0000015DC81CE000-memory.dmp

Filesize
120KB

Download
memory/2476-140-0x0000000000000000-mapping.dmp

Download
memory/2476-144-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/3096-159-0x00000000057B0000-0x00000000057EC000-memory.dmp

Filesize
240KB

Download
memory/3096-158-0x0000000005750000-0x0000000005762000-memory.dmp

Filesize
72KB

Download
memory/3096-167-0x0000000007310000-0x000000000732E000-memory.dmp

Filesize
120KB

Download
memory/3096-156-0x0000000000DD0000-0x0000000000DEE000-memory.dmp

Filesize
120KB

Download
memory/3096-165-0x00000000071C0000-0x0000000007236000-memory.dmp

Filesize
472KB

Download
memory/3096-163-0x0000000006F10000-0x0000000006F76000-memory.dmp

Filesize
408KB

Download
memory/3096-162-0x0000000007440000-0x000000000796C000-memory.dmp

Filesize
5.2MB

Download
memory/3096-164-0x0000000007120000-0x00000000071B2000-memory.dmp

Filesize
584KB

Download
memory/3096-166-0x0000000007F20000-0x00000000084C4000-memory.dmp

Filesize
5.6MB

Download
memory/3096-153-0x0000000000000000-mapping.dmp

Download
memory/3096-161-0x0000000006D40000-0x0000000006F02000-memory.dmp

Filesize
1.8MB

Download
memory/3096-160-0x0000000005A60000-0x0000000005B6A000-memory.dmp

Filesize
1.0MB

Download
memory/3096-157-0x0000000005E30000-0x0000000006448000-memory.dmp

Filesize
6.1MB

Download
memory/3812-136-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/3812-132-0x000002BD37110000-0x000002BD37126000-memory.dmp

Filesize
88KB

Download
memory/3812-133-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/3872-189-0x00007FF7DB5D2720-mapping.dmp

Download
memory/3872-194-0x00000143BB990000-0x00000143BB9B0000-memory.dmp

Filesize
128KB

Download
memory/3872-193-0x00000143B9F90000-0x00000143B9FB0000-memory.dmp

Filesize
128KB

Download
memory/3872-192-0x00000143BB950000-0x00000143BB990000-memory.dmp

Filesize
256KB

Download
memory/3872-191-0x00007FF7DADE0000-0x00007FF7DB5D4000-memory.dmp

Filesize
8.0MB

Download
memory/3872-190-0x00000143B9F20000-0x00000143B9F40000-memory.dmp

Filesize
128KB

Download
memory/3872-195-0x00000143B9F90000-0x00000143B9FB0000-memory.dmp

Filesize
128KB

Download
memory/3872-196-0x00000143BB990000-0x00000143BB9B0000-memory.dmp

Filesize
128KB

Download
memory/3956-185-0x00007FF6651014E0-mapping.dmp

Download
memory/4084-139-0x0000000000000000-mapping.dmp

Download
memory/4560-184-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/4560-183-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/4560-134-0x0000000000000000-mapping.dmp

Download
memory/4820-138-0x0000000000000000-mapping.dmp

Download
memory/4948-135-0x0000000000000000-mapping.dmp

Download
memory/4984-168-0x0000000000000000-mapping.dmp

Download