xmrig | 2811b96344264d2752dfe7fa5c0d124444a2337745bb66c3836e406c7df2b916

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29-04-2023 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

给老子冲/影流之王🈹 (7).exe
Size

10.7MB
MD5

a090c26b4be46ffdf226a0b7a453f51f
SHA1

6a1743d359bef4ee18fdee6a6bf5199e69f07cfb
SHA256

bb93f0838f72a557c09e03593360e5458ab7d43921773d3961287a28201289ef
SHA512

83c90f4efff01cb84bb97030c84bac212b8b143723c7f1f3ecd3379000be85de3850d211519c2d429ebf4dba8b555c3a9a4c9a77f6ab856630907da681822691
SSDEEP

196608:/NQqSiD+bU2fbWzTRdtMQ4GraMTsGhbgOp4m:hmfqXtMQPravGh0Oym

Score

10^/10

xmrig evasion miner themida trojan

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 1312 created 1284	1312	影流之王🈹 (7).exe	14
PID 1312 created 1284	1312	影流之王🈹 (7).exe	14
PID 1312 created 1284	1312	影流之王🈹 (7).exe	14
PID 1312 created 1284	1312	影流之王🈹 (7).exe	14
PID 1312 created 1284	1312	影流之王🈹 (7).exe	14
PID 1928 created 1284	1928	updater.exe	14
PID 1928 created 1284	1928	updater.exe	14
PID 1928 created 1284	1928	updater.exe	14
PID 1928 created 1284	1928	updater.exe	14
PID 1928 created 1284	1928	updater.exe	14
PID 1928 created 1284	1928	updater.exe	14

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	影流之王🈹 (7).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral5/memory/1928-112-0x000000013FF70000-0x0000000140D6A000-memory.dmp	xmrig
behavioral5/memory/360-116-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral5/memory/360-118-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral5/memory/360-121-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral5/memory/360-123-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral5/memory/360-125-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral5/memory/360-127-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral5/memory/360-129-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral5/memory/360-131-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral5/memory/360-133-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral5/memory/360-135-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	影流之王🈹 (7).exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	影流之王🈹 (7).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	影流之王🈹 (7).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe

Executes dropped EXE 1 IoCs

pid	Process
1928	updater.exe

Loads dropped DLL 1 IoCs

pid	Process
1260	taskeng.exe

Themida packer 23 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral5/memory/1312-54-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-55-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-58-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-57-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-56-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-59-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-60-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-61-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-66-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-80-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/memory/1312-85-0x000000013FE30000-0x0000000140C2A000-memory.dmp	themida
behavioral5/files/0x00070000000139dc-86.dat	themida
behavioral5/files/0x00070000000139dc-88.dat	themida
behavioral5/memory/1928-89-0x000000013FF70000-0x0000000140D6A000-memory.dmp	themida
behavioral5/memory/1928-94-0x000000013FF70000-0x0000000140D6A000-memory.dmp	themida
behavioral5/memory/1928-93-0x000000013FF70000-0x0000000140D6A000-memory.dmp	themida
behavioral5/memory/1928-92-0x000000013FF70000-0x0000000140D6A000-memory.dmp	themida
behavioral5/memory/1928-91-0x000000013FF70000-0x0000000140D6A000-memory.dmp	themida
behavioral5/memory/1928-90-0x000000013FF70000-0x0000000140D6A000-memory.dmp	themida
behavioral5/memory/1928-96-0x000000013FF70000-0x0000000140D6A000-memory.dmp	themida
behavioral5/memory/1928-108-0x000000013FF70000-0x0000000140D6A000-memory.dmp	themida
behavioral5/files/0x00070000000139dc-110.dat	themida
behavioral5/memory/1928-112-0x000000013FF70000-0x0000000140D6A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	影流之王🈹 (7).exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1312	影流之王🈹 (7).exe
1928	updater.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1928 set thread context of 1040	1928	updater.exe	68
PID 1928 set thread context of 360	1928	updater.exe	69

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	影流之王🈹 (7).exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1716	sc.exe
1972	sc.exe
1500	sc.exe
864	sc.exe
828	sc.exe
760	sc.exe
928	sc.exe
568	sc.exe
1644	sc.exe
1860	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1048	schtasks.exe
1624	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 9082ab906f7ad901	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1312	影流之王🈹 (7).exe
1312	影流之王🈹 (7).exe
1160	powershell.exe
1312	影流之王🈹 (7).exe
1312	影流之王🈹 (7).exe
1312	影流之王🈹 (7).exe
1312	影流之王🈹 (7).exe
1312	影流之王🈹 (7).exe
1312	影流之王🈹 (7).exe
276	powershell.exe
1312	影流之王🈹 (7).exe
1312	影流之王🈹 (7).exe
1928	updater.exe
1928	updater.exe
1704	powershell.exe
1928	updater.exe
1928	updater.exe
1928	updater.exe
1928	updater.exe
1928	updater.exe
1928	updater.exe
1480	powershell.exe
1928	updater.exe
1928	updater.exe
1928	updater.exe
1928	updater.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe
360	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeShutdownPrivilege	1656	powercfg.exe
Token: SeShutdownPrivilege	1692	powercfg.exe
Token: SeShutdownPrivilege	1740	powercfg.exe
Token: SeShutdownPrivilege	620	powercfg.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeShutdownPrivilege	1916	powercfg.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeShutdownPrivilege	1964	powercfg.exe
Token: SeShutdownPrivilege	852	powercfg.exe
Token: SeShutdownPrivilege	1748	powercfg.exe
Token: SeDebugPrivilege	1928	updater.exe
Token: SeLockMemoryPrivilege	360	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 864	1424	cmd.exe	32
PID 1424 wrote to memory of 864	1424	cmd.exe	32
PID 1424 wrote to memory of 864	1424	cmd.exe	32
PID 1424 wrote to memory of 1860	1424	cmd.exe	33
PID 1424 wrote to memory of 1860	1424	cmd.exe	33
PID 1424 wrote to memory of 1860	1424	cmd.exe	33
PID 1424 wrote to memory of 828	1424	cmd.exe	34
PID 1424 wrote to memory of 828	1424	cmd.exe	34
PID 1424 wrote to memory of 828	1424	cmd.exe	34
PID 1424 wrote to memory of 760	1424	cmd.exe	35
PID 1424 wrote to memory of 760	1424	cmd.exe	35
PID 1424 wrote to memory of 760	1424	cmd.exe	35
PID 1424 wrote to memory of 1716	1424	cmd.exe	36
PID 1424 wrote to memory of 1716	1424	cmd.exe	36
PID 1424 wrote to memory of 1716	1424	cmd.exe	36
PID 1556 wrote to memory of 1656	1556	cmd.exe	41
PID 1556 wrote to memory of 1656	1556	cmd.exe	41
PID 1556 wrote to memory of 1656	1556	cmd.exe	41
PID 1556 wrote to memory of 1692	1556	cmd.exe	42
PID 1556 wrote to memory of 1692	1556	cmd.exe	42
PID 1556 wrote to memory of 1692	1556	cmd.exe	42
PID 1556 wrote to memory of 1740	1556	cmd.exe	43
PID 1556 wrote to memory of 1740	1556	cmd.exe	43
PID 1556 wrote to memory of 1740	1556	cmd.exe	43
PID 1556 wrote to memory of 620	1556	cmd.exe	44
PID 1556 wrote to memory of 620	1556	cmd.exe	44
PID 1556 wrote to memory of 620	1556	cmd.exe	44
PID 276 wrote to memory of 1048	276	powershell.exe	45
PID 276 wrote to memory of 1048	276	powershell.exe	45
PID 276 wrote to memory of 1048	276	powershell.exe	45
PID 1260 wrote to memory of 1928	1260	taskeng.exe	49
PID 1260 wrote to memory of 1928	1260	taskeng.exe	49
PID 1260 wrote to memory of 1928	1260	taskeng.exe	49
PID 1984 wrote to memory of 1972	1984	cmd.exe	54
PID 1984 wrote to memory of 1972	1984	cmd.exe	54
PID 1984 wrote to memory of 1972	1984	cmd.exe	54
PID 1984 wrote to memory of 1500	1984	cmd.exe	55
PID 1984 wrote to memory of 1500	1984	cmd.exe	55
PID 1984 wrote to memory of 1500	1984	cmd.exe	55
PID 1984 wrote to memory of 928	1984	cmd.exe	56
PID 1984 wrote to memory of 928	1984	cmd.exe	56
PID 1984 wrote to memory of 928	1984	cmd.exe	56
PID 1984 wrote to memory of 568	1984	cmd.exe	57
PID 1984 wrote to memory of 568	1984	cmd.exe	57
PID 1984 wrote to memory of 568	1984	cmd.exe	57
PID 1984 wrote to memory of 1644	1984	cmd.exe	58
PID 1984 wrote to memory of 1644	1984	cmd.exe	58
PID 1984 wrote to memory of 1644	1984	cmd.exe	58
PID 524 wrote to memory of 1916	524	cmd.exe	63
PID 524 wrote to memory of 1916	524	cmd.exe	63
PID 524 wrote to memory of 1916	524	cmd.exe	63
PID 524 wrote to memory of 1964	524	cmd.exe	64
PID 524 wrote to memory of 1964	524	cmd.exe	64
PID 524 wrote to memory of 1964	524	cmd.exe	64
PID 524 wrote to memory of 852	524	cmd.exe	66
PID 524 wrote to memory of 852	524	cmd.exe	66
PID 524 wrote to memory of 852	524	cmd.exe	66
PID 524 wrote to memory of 1748	524	cmd.exe	65
PID 524 wrote to memory of 1748	524	cmd.exe	65
PID 524 wrote to memory of 1748	524	cmd.exe	65
PID 1480 wrote to memory of 1624	1480	powershell.exe	67
PID 1480 wrote to memory of 1624	1480	powershell.exe	67
PID 1480 wrote to memory of 1624	1480	powershell.exe	67
PID 1928 wrote to memory of 1040	1928	updater.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\给老子冲\影流之王🈹 (7).exe
  "C:\Users\Admin\AppData\Local\Temp\给老子冲\影流之王🈹 (7).exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:864
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1860
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:828
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:760
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1716
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#bcvarz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:276
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1048
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1972
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1500
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:928
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:568
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1644
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#bcvarz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1624
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1040
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:360

C:\Windows\system32\taskeng.exe
taskeng.exe {A6D7A432-A38E-4B4C-B8D4-C40871C49E9A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
10.7MB

MD5
a090c26b4be46ffdf226a0b7a453f51f

SHA1
6a1743d359bef4ee18fdee6a6bf5199e69f07cfb

SHA256
bb93f0838f72a557c09e03593360e5458ab7d43921773d3961287a28201289ef

SHA512
83c90f4efff01cb84bb97030c84bac212b8b143723c7f1f3ecd3379000be85de3850d211519c2d429ebf4dba8b555c3a9a4c9a77f6ab856630907da681822691

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
10.7MB

MD5
a090c26b4be46ffdf226a0b7a453f51f

SHA1
6a1743d359bef4ee18fdee6a6bf5199e69f07cfb

SHA256
bb93f0838f72a557c09e03593360e5458ab7d43921773d3961287a28201289ef

SHA512
83c90f4efff01cb84bb97030c84bac212b8b143723c7f1f3ecd3379000be85de3850d211519c2d429ebf4dba8b555c3a9a4c9a77f6ab856630907da681822691

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\11WZ73IWRMUT2G25PAGL.temp

Filesize
7KB

MD5
5e7babdb1743ef97b3487d964c00f984

SHA1
2fa8dca762fef9c4730bf53acacca10156ff3882

SHA256
2a5ec2f290cac14e9c996cb992b3566b058db8167eb701bd8df971b0c500c7de

SHA512
877b1465b1233cdc2fd4670653243b617d30d582c1dde87b3e16f4d7b9e3b94d869ea1996166e97a38747a5f139077cd269d2853f83509aa98a4a0179f54bb50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5e7babdb1743ef97b3487d964c00f984

SHA1
2fa8dca762fef9c4730bf53acacca10156ff3882

SHA256
2a5ec2f290cac14e9c996cb992b3566b058db8167eb701bd8df971b0c500c7de

SHA512
877b1465b1233cdc2fd4670653243b617d30d582c1dde87b3e16f4d7b9e3b94d869ea1996166e97a38747a5f139077cd269d2853f83509aa98a4a0179f54bb50

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
10.7MB

MD5
a090c26b4be46ffdf226a0b7a453f51f

SHA1
6a1743d359bef4ee18fdee6a6bf5199e69f07cfb

SHA256
bb93f0838f72a557c09e03593360e5458ab7d43921773d3961287a28201289ef

SHA512
83c90f4efff01cb84bb97030c84bac212b8b143723c7f1f3ecd3379000be85de3850d211519c2d429ebf4dba8b555c3a9a4c9a77f6ab856630907da681822691

Download Submit
memory/276-78-0x000000001B130000-0x000000001B412000-memory.dmp

Filesize
2.9MB

Download
memory/276-82-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download
memory/276-83-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download
memory/276-81-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download
memory/276-79-0x0000000002050000-0x0000000002058000-memory.dmp

Filesize
32KB

Download
memory/360-131-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-121-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-119-0x0000000000580000-0x00000000005A0000-memory.dmp

Filesize
128KB

Download
memory/360-118-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-125-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-127-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-116-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-129-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-113-0x0000000000150000-0x0000000000170000-memory.dmp

Filesize
128KB

Download
memory/360-133-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-135-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-123-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/360-114-0x0000000000580000-0x00000000005A0000-memory.dmp

Filesize
128KB

Download
memory/1040-115-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1040-122-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1160-71-0x000000000264B000-0x0000000002682000-memory.dmp

Filesize
220KB

Download
memory/1160-67-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/1160-68-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/1160-70-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/1160-69-0x0000000002644000-0x0000000002647000-memory.dmp

Filesize
12KB

Download
memory/1260-95-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-85-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-66-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-57-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-58-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-60-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-59-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-80-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-56-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-61-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-55-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1312-54-0x000000013FE30000-0x0000000140C2A000-memory.dmp

Filesize
14.0MB

Download
memory/1480-106-0x0000000000D7B000-0x0000000000DB2000-memory.dmp

Filesize
220KB

Download
memory/1480-105-0x0000000000D70000-0x0000000000DF0000-memory.dmp

Filesize
512KB

Download
memory/1480-104-0x0000000000D70000-0x0000000000DF0000-memory.dmp

Filesize
512KB

Download
memory/1480-103-0x0000000000D70000-0x0000000000DF0000-memory.dmp

Filesize
512KB

Download
memory/1704-98-0x00000000010C4000-0x00000000010C7000-memory.dmp

Filesize
12KB

Download
memory/1704-99-0x00000000010CB000-0x0000000001102000-memory.dmp

Filesize
220KB

Download
memory/1928-92-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download
memory/1928-112-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download
memory/1928-108-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download
memory/1928-96-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download
memory/1928-90-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download
memory/1928-91-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download
memory/1928-93-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download
memory/1928-94-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download
memory/1928-89-0x000000013FF70000-0x0000000140D6A000-memory.dmp

Filesize
14.0MB

Download