xmrig | 2811b96344264d2752dfe7fa5c0d124444a2337745bb66c3836e406c7df2b916

General

Target

给老子冲/影流之王🈹 (7).exe
Size

10.7MB
MD5

a090c26b4be46ffdf226a0b7a453f51f
SHA1

6a1743d359bef4ee18fdee6a6bf5199e69f07cfb
SHA256

bb93f0838f72a557c09e03593360e5458ab7d43921773d3961287a28201289ef
SHA512

83c90f4efff01cb84bb97030c84bac212b8b143723c7f1f3ecd3379000be85de3850d211519c2d429ebf4dba8b555c3a9a4c9a77f6ab856630907da681822691
SSDEEP

196608:/NQqSiD+bU2fbWzTRdtMQ4GraMTsGhbgOp4m:hmfqXtMQPravGh0Oym

Score

10^/10

xmrig evasion miner themida trojan

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

Processes:

影流之王🈹 (7).exeupdater.exe

description	pid	process	target process
PID 1312 created 1284	1312	影流之王🈹 (7).exe	Explorer.EXE
PID 1312 created 1284	1312	影流之王🈹 (7).exe	Explorer.EXE
PID 1312 created 1284	1312	影流之王🈹 (7).exe	Explorer.EXE
PID 1312 created 1284	1312	影流之王🈹 (7).exe	Explorer.EXE
PID 1312 created 1284	1312	影流之王🈹 (7).exe	Explorer.EXE
PID 1928 created 1284	1928	updater.exe	Explorer.EXE
PID 1928 created 1284	1928	updater.exe	Explorer.EXE
PID 1928 created 1284	1928	updater.exe	Explorer.EXE
PID 1928 created 1284	1928	updater.exe	Explorer.EXE
PID 1928 created 1284	1928	updater.exe	Explorer.EXE
PID 1928 created 1284	1928	updater.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

影流之王🈹 (7).exeupdater.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	影流之王🈹 (7).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 11 IoCs

miner

Processes:

resource	yara_rule
behavioral5/memory/1928-112-0x000000013FF70000-0x0000000140D6A000-memory.dmp	xmrig
behavioral5/memory/360-116-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral5/memory/360-118-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral5/memory/360-121-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral5/memory/360-123-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral5/memory/360-125-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral5/memory/360-127-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral5/memory/360-129-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral5/memory/360-131-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral5/memory/360-133-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral5/memory/360-135-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

Processes:

影流之王🈹 (7).exeupdater.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	影流之王🈹 (7).exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

updater.exe影流之王🈹 (7).exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	影流之王🈹 (7).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	影流之王🈹 (7).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1928 updater.exe
Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

1260 taskeng.exe

pid	process
1928	updater.exe

pid	process
1260	taskeng.exe

Themida packer 23 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral5/memory/1312-54-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-55-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-58-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-57-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-56-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-59-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-60-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-61-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-66-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-80-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-85-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
\Program Files\Google\Chrome\updater.exe	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral5/memory/1928-89-0x000000013FF70000-0x0000000140D6A000-memory.dmp	themida
behavioral5/memory/1928-94-0x000000013FF70000-0x0000000140D6A000-memory.dmp	themida
behavioral5/memory/1928-93-0x000000013FF70000-0x0000000140D6A000-memory.dmp	themida
behavioral5/memory/1928-92-0x000000013FF70000-0x0000000140D6A000-memory.dmp	themida
behavioral5/memory/1928-91-0x000000013FF70000-0x0000000140D6A000-memory.dmp	themida
behavioral5/memory/1928-90-0x000000013FF70000-0x0000000140D6A000-memory.dmp	themida
behavioral5/memory/1928-96-0x000000013FF70000-0x0000000140D6A000-memory.dmp	themida
behavioral5/memory/1928-108-0x000000013FF70000-0x0000000140D6A000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral5/memory/1928-112-0x000000013FF70000-0x0000000140D6A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

影流之王🈹 (7).exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	影流之王🈹 (7).exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

影流之王🈹 (7).exeupdater.exe

pid process

1312 影流之王🈹 (7).exe
1928 updater.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 1928 set thread context of 1040	1928	updater.exe	conhost.exe
PID 1928 set thread context of 360	1928	updater.exe	explorer.exe

Drops file in Program Files directory 2 IoCs

Processes:

影流之王🈹 (7).exeupdater.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	影流之王🈹 (7).exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1716 sc.exe
1972 sc.exe
1500 sc.exe
864 sc.exe
828 sc.exe
760 sc.exe
928 sc.exe
568 sc.exe
1644 sc.exe
1860 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1048 schtasks.exe
1624 schtasks.exe

pid	process
1716	sc.exe
1972	sc.exe
1500	sc.exe
864	sc.exe
828	sc.exe
760	sc.exe
928	sc.exe
568	sc.exe
1644	sc.exe
1860	sc.exe

pid	process
1048	schtasks.exe
1624	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 9082ab906f7ad901	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

影流之王🈹 (7).exepowershell.exepowershell.exeupdater.exepowershell.exepowershell.exeexplorer.exe

pid	process
1312	影流之王🈹 (7).exe
1312	影流之王🈹 (7).exe
1160	powershell.exe
1312	影流之王🈹 (7).exe
1312	影流之王🈹 (7).exe
1312	影流之王🈹 (7).exe
1312	影流之王🈹 (7).exe
1312	影流之王🈹 (7).exe
1312	影流之王🈹 (7).exe
276	powershell.exe
1312	影流之王🈹 (7).exe
1312	影流之王🈹 (7).exe
1928	updater.exe
1928	updater.exe
1704	powershell.exe
1928	updater.exe
1928	updater.exe
1928	updater.exe
1928	updater.exe
1928	updater.exe
1928	updater.exe
1480	powershell.exe
1928	updater.exe
1928	updater.exe
1928	updater.exe
1928	updater.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exeupdater.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeShutdownPrivilege	1656	powercfg.exe
Token: SeShutdownPrivilege	1692	powercfg.exe
Token: SeShutdownPrivilege	1740	powercfg.exe
Token: SeShutdownPrivilege	620	powercfg.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeShutdownPrivilege	1916	powercfg.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeShutdownPrivilege	1964	powercfg.exe
Token: SeShutdownPrivilege	852	powercfg.exe
Token: SeShutdownPrivilege	1748	powercfg.exe
Token: SeDebugPrivilege	1928	updater.exe
Token: SeLockMemoryPrivilege	360	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exepowershell.exetaskeng.execmd.execmd.exepowershell.exeupdater.exe

description	pid	process	target process
PID 1424 wrote to memory of 864	1424	cmd.exe	sc.exe
PID 1424 wrote to memory of 864	1424	cmd.exe	sc.exe
PID 1424 wrote to memory of 864	1424	cmd.exe	sc.exe
PID 1424 wrote to memory of 1860	1424	cmd.exe	sc.exe
PID 1424 wrote to memory of 1860	1424	cmd.exe	sc.exe
PID 1424 wrote to memory of 1860	1424	cmd.exe	sc.exe
PID 1424 wrote to memory of 828	1424	cmd.exe	sc.exe
PID 1424 wrote to memory of 828	1424	cmd.exe	sc.exe
PID 1424 wrote to memory of 828	1424	cmd.exe	sc.exe
PID 1424 wrote to memory of 760	1424	cmd.exe	sc.exe
PID 1424 wrote to memory of 760	1424	cmd.exe	sc.exe
PID 1424 wrote to memory of 760	1424	cmd.exe	sc.exe
PID 1424 wrote to memory of 1716	1424	cmd.exe	sc.exe
PID 1424 wrote to memory of 1716	1424	cmd.exe	sc.exe
PID 1424 wrote to memory of 1716	1424	cmd.exe	sc.exe
PID 1556 wrote to memory of 1656	1556	cmd.exe	powercfg.exe
PID 1556 wrote to memory of 1656	1556	cmd.exe	powercfg.exe
PID 1556 wrote to memory of 1656	1556	cmd.exe	powercfg.exe
PID 1556 wrote to memory of 1692	1556	cmd.exe	powercfg.exe
PID 1556 wrote to memory of 1692	1556	cmd.exe	powercfg.exe
PID 1556 wrote to memory of 1692	1556	cmd.exe	powercfg.exe
PID 1556 wrote to memory of 1740	1556	cmd.exe	powercfg.exe
PID 1556 wrote to memory of 1740	1556	cmd.exe	powercfg.exe
PID 1556 wrote to memory of 1740	1556	cmd.exe	powercfg.exe
PID 1556 wrote to memory of 620	1556	cmd.exe	powercfg.exe
PID 1556 wrote to memory of 620	1556	cmd.exe	powercfg.exe
PID 1556 wrote to memory of 620	1556	cmd.exe	powercfg.exe
PID 276 wrote to memory of 1048	276	powershell.exe	schtasks.exe
PID 276 wrote to memory of 1048	276	powershell.exe	schtasks.exe
PID 276 wrote to memory of 1048	276	powershell.exe	schtasks.exe
PID 1260 wrote to memory of 1928	1260	taskeng.exe	updater.exe
PID 1260 wrote to memory of 1928	1260	taskeng.exe	updater.exe
PID 1260 wrote to memory of 1928	1260	taskeng.exe	updater.exe
PID 1984 wrote to memory of 1972	1984	cmd.exe	sc.exe
PID 1984 wrote to memory of 1972	1984	cmd.exe	sc.exe
PID 1984 wrote to memory of 1972	1984	cmd.exe	sc.exe
PID 1984 wrote to memory of 1500	1984	cmd.exe	sc.exe
PID 1984 wrote to memory of 1500	1984	cmd.exe	sc.exe
PID 1984 wrote to memory of 1500	1984	cmd.exe	sc.exe
PID 1984 wrote to memory of 928	1984	cmd.exe	sc.exe
PID 1984 wrote to memory of 928	1984	cmd.exe	sc.exe
PID 1984 wrote to memory of 928	1984	cmd.exe	sc.exe
PID 1984 wrote to memory of 568	1984	cmd.exe	sc.exe
PID 1984 wrote to memory of 568	1984	cmd.exe	sc.exe
PID 1984 wrote to memory of 568	1984	cmd.exe	sc.exe
PID 1984 wrote to memory of 1644	1984	cmd.exe	sc.exe
PID 1984 wrote to memory of 1644	1984	cmd.exe	sc.exe
PID 1984 wrote to memory of 1644	1984	cmd.exe	sc.exe
PID 524 wrote to memory of 1916	524	cmd.exe	powercfg.exe
PID 524 wrote to memory of 1916	524	cmd.exe	powercfg.exe
PID 524 wrote to memory of 1916	524	cmd.exe	powercfg.exe
PID 524 wrote to memory of 1964	524	cmd.exe	powercfg.exe
PID 524 wrote to memory of 1964	524	cmd.exe	powercfg.exe
PID 524 wrote to memory of 1964	524	cmd.exe	powercfg.exe
PID 524 wrote to memory of 852	524	cmd.exe	powercfg.exe
PID 524 wrote to memory of 852	524	cmd.exe	powercfg.exe
PID 524 wrote to memory of 852	524	cmd.exe	powercfg.exe
PID 524 wrote to memory of 1748	524	cmd.exe	powercfg.exe
PID 524 wrote to memory of 1748	524	cmd.exe	powercfg.exe
PID 524 wrote to memory of 1748	524	cmd.exe	powercfg.exe
PID 1480 wrote to memory of 1624	1480	powershell.exe	schtasks.exe
PID 1480 wrote to memory of 1624	1480	powershell.exe	schtasks.exe
PID 1480 wrote to memory of 1624	1480	powershell.exe	schtasks.exe
PID 1928 wrote to memory of 1040	1928	updater.exe	conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\给老子冲\影流之王🈹 (7).exe
"C:\Users\Admin\AppData\Local\Temp\给老子冲\影流之王🈹 (7).exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:864

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1860

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:828

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:760

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1716

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#bcvarz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
3⤵
- Creates scheduled task(s)
PID:1048

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:1404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1972

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1500

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:928

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:568

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1644

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#bcvarz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
3⤵
- Creates scheduled task(s)
PID:1624

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
PID:1040

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\system32\taskeng.exe
taskeng.exe {A6D7A432-A38E-4B4C-B8D4-C40871C49E9A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
10.7MB

MD5
a090c26b4be46ffdf226a0b7a453f51f

SHA1
6a1743d359bef4ee18fdee6a6bf5199e69f07cfb

SHA256
bb93f0838f72a557c09e03593360e5458ab7d43921773d3961287a28201289ef

SHA512
83c90f4efff01cb84bb97030c84bac212b8b143723c7f1f3ecd3379000be85de3850d211519c2d429ebf4dba8b555c3a9a4c9a77f6ab856630907da681822691

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
10.7MB

MD5
a090c26b4be46ffdf226a0b7a453f51f

SHA1
6a1743d359bef4ee18fdee6a6bf5199e69f07cfb

SHA256
bb93f0838f72a557c09e03593360e5458ab7d43921773d3961287a28201289ef

SHA512
83c90f4efff01cb84bb97030c84bac212b8b143723c7f1f3ecd3379000be85de3850d211519c2d429ebf4dba8b555c3a9a4c9a77f6ab856630907da681822691

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\11WZ73IWRMUT2G25PAGL.temp
Filesize
7KB

MD5
5e7babdb1743ef97b3487d964c00f984

SHA1
2fa8dca762fef9c4730bf53acacca10156ff3882

SHA256
2a5ec2f290cac14e9c996cb992b3566b058db8167eb701bd8df971b0c500c7de

SHA512
877b1465b1233cdc2fd4670653243b617d30d582c1dde87b3e16f4d7b9e3b94d869ea1996166e97a38747a5f139077cd269d2853f83509aa98a4a0179f54bb50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
5e7babdb1743ef97b3487d964c00f984

SHA1
2fa8dca762fef9c4730bf53acacca10156ff3882

SHA256
2a5ec2f290cac14e9c996cb992b3566b058db8167eb701bd8df971b0c500c7de

SHA512
877b1465b1233cdc2fd4670653243b617d30d582c1dde87b3e16f4d7b9e3b94d869ea1996166e97a38747a5f139077cd269d2853f83509aa98a4a0179f54bb50

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
10.7MB

MD5
a090c26b4be46ffdf226a0b7a453f51f

SHA1
6a1743d359bef4ee18fdee6a6bf5199e69f07cfb

SHA256
bb93f0838f72a557c09e03593360e5458ab7d43921773d3961287a28201289ef

SHA512
83c90f4efff01cb84bb97030c84bac212b8b143723c7f1f3ecd3379000be85de3850d211519c2d429ebf4dba8b555c3a9a4c9a77f6ab856630907da681822691

Download Submit
memory/276-78-0x000000001B130000-0x000000001B412000-memory.dmp

Filesize
2.9MB

Download
memory/276-82-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download
memory/276-83-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download
memory/276-81-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download
memory/276-79-0x0000000002050000-0x0000000002058000-memory.dmp

Filesize
32KB

Download
memory/360-131-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-121-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-119-0x0000000000580000-0x00000000005A0000-memory.dmp

Filesize
128KB

Download
memory/360-118-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-125-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-127-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-116-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-129-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-113-0x0000000000150000-0x0000000000170000-memory.dmp

Filesize
128KB

Download
memory/360-133-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-135-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-123-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-114-0x0000000000580000-0x00000000005A0000-memory.dmp

Filesize
128KB

Download
memory/1040-115-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1040-122-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1160-71-0x000000000264B000-0x0000000002682000-memory.dmp

Filesize
220KB

Download
memory/1160-67-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/1160-68-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/1160-70-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/1160-69-0x0000000002644000-0x0000000002647000-memory.dmp

Filesize
12KB

Download
memory/1260-95-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-85-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-66-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-57-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-58-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-60-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-59-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-80-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-56-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-61-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-55-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-54-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1480-106-0x0000000000D7B000-0x0000000000DB2000-memory.dmp

Filesize
220KB

Download
memory/1480-105-0x0000000000D70000-0x0000000000DF0000-memory.dmp

Filesize
512KB

Download
memory/1480-104-0x0000000000D70000-0x0000000000DF0000-memory.dmp

Filesize
512KB

Download
memory/1480-103-0x0000000000D70000-0x0000000000DF0000-memory.dmp

Filesize
512KB

Download
memory/1704-98-0x00000000010C4000-0x00000000010C7000-memory.dmp

Filesize
12KB

Download
memory/1704-99-0x00000000010CB000-0x0000000001102000-memory.dmp

Filesize
220KB

Download
memory/1928-92-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download
memory/1928-112-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download
memory/1928-108-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download
memory/1928-96-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download
memory/1928-90-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download
memory/1928-91-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download
memory/1928-93-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download
memory/1928-94-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download
memory/1928-89-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads