f3a5882037e708a07423217c13a3e2e016115faabbf5dc42397d19f49490154b

Resubmissions

15-06-2023 13:39

230615-qx8z5ahd71 7

14-06-2023 11:43

230614-nvn6tsgb87 7

Analysis

max time kernel
134s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-06-2023 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cves_windows.exe
Size

5.8MB
MD5

41319760577a0df3145bceb010914526
SHA1

7b4828371f8d0fb7d564757f8c66197a77c3007c
SHA256

777c9220670025a487f4e853987df0482fbd545189137d58a60d4ab37c1cfbb4
SHA512

67aa1638ae3661ebceebede54116372fa9a3dfa59a2106f59c031530e731c258edb1bc2aec55d83b93f52fe84683030ecea23e91b36beeacc5f5526980a96971
SSDEEP

49152:qfUoYl63WYrb/TbvO90d7HjmAFd4A64nsfJBAmZgfk7bJsbsSQOUmzjkbsG0oq+Y:63WvAlJQSG0oGREmT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
580	ChromeUpdateTaskMachinCore.exe
1068	tor.exe
1596	obfs4proxy.exe

Loads dropped DLL 6 IoCs

pid	Process
1052	cmd.exe
1052	cmd.exe
580	ChromeUpdateTaskMachinCore.exe
580	ChromeUpdateTaskMachinCore.exe
1068	tor.exe
1068	tor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\data\geoip6	ChromeUpdateTaskMachinCore.exe
File created	C:\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\ORsBHaReETgwn	ChromeUpdateTaskMachinCore.exe
File created	C:\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\hs_ed25519_secret_key.tmp	tor.exe
File created	C:\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\hs_ed25519_public_key.tmp	tor.exe
File created	C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe	cves_windows.exe
File created	C:\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\data\geoip	ChromeUpdateTaskMachinCore.exe
File created	C:\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\tor\pluggable_transports\obfs4proxy.exe	ChromeUpdateTaskMachinCore.exe
File created	C:\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\tor\tor.exe	ChromeUpdateTaskMachinCore.exe
File created	C:\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\hostname.tmp	tor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cves_windows.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cves_windows.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	cves_windows.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ChromeUpdateTaskMachinCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ChromeUpdateTaskMachinCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ChromeUpdateTaskMachinCore.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2044	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ChromeUpdateTaskMachinCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ChromeUpdateTaskMachinCore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ChromeUpdateTaskMachinCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	ChromeUpdateTaskMachinCore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ChromeUpdateTaskMachinCore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ChromeUpdateTaskMachinCore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1208	cves_windows.exe
1596	obfs4proxy.exe
580	ChromeUpdateTaskMachinCore.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	240	WMIC.exe
Token: SeSecurityPrivilege	240	WMIC.exe
Token: SeTakeOwnershipPrivilege	240	WMIC.exe
Token: SeLoadDriverPrivilege	240	WMIC.exe
Token: SeSystemProfilePrivilege	240	WMIC.exe
Token: SeSystemtimePrivilege	240	WMIC.exe
Token: SeProfSingleProcessPrivilege	240	WMIC.exe
Token: SeIncBasePriorityPrivilege	240	WMIC.exe
Token: SeCreatePagefilePrivilege	240	WMIC.exe
Token: SeBackupPrivilege	240	WMIC.exe
Token: SeRestorePrivilege	240	WMIC.exe
Token: SeShutdownPrivilege	240	WMIC.exe
Token: SeDebugPrivilege	240	WMIC.exe
Token: SeSystemEnvironmentPrivilege	240	WMIC.exe
Token: SeRemoteShutdownPrivilege	240	WMIC.exe
Token: SeUndockPrivilege	240	WMIC.exe
Token: SeManageVolumePrivilege	240	WMIC.exe
Token: 33	240	WMIC.exe
Token: 34	240	WMIC.exe
Token: 35	240	WMIC.exe
Token: SeIncreaseQuotaPrivilege	240	WMIC.exe
Token: SeSecurityPrivilege	240	WMIC.exe
Token: SeTakeOwnershipPrivilege	240	WMIC.exe
Token: SeLoadDriverPrivilege	240	WMIC.exe
Token: SeSystemProfilePrivilege	240	WMIC.exe
Token: SeSystemtimePrivilege	240	WMIC.exe
Token: SeProfSingleProcessPrivilege	240	WMIC.exe
Token: SeIncBasePriorityPrivilege	240	WMIC.exe
Token: SeCreatePagefilePrivilege	240	WMIC.exe
Token: SeBackupPrivilege	240	WMIC.exe
Token: SeRestorePrivilege	240	WMIC.exe
Token: SeShutdownPrivilege	240	WMIC.exe
Token: SeDebugPrivilege	240	WMIC.exe
Token: SeSystemEnvironmentPrivilege	240	WMIC.exe
Token: SeRemoteShutdownPrivilege	240	WMIC.exe
Token: SeUndockPrivilege	240	WMIC.exe
Token: SeManageVolumePrivilege	240	WMIC.exe
Token: 33	240	WMIC.exe
Token: 34	240	WMIC.exe
Token: 35	240	WMIC.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 2044	1208	cves_windows.exe	28
PID 1208 wrote to memory of 2044	1208	cves_windows.exe	28
PID 1208 wrote to memory of 2044	1208	cves_windows.exe	28
PID 1208 wrote to memory of 1052	1208	cves_windows.exe	30
PID 1208 wrote to memory of 1052	1208	cves_windows.exe	30
PID 1208 wrote to memory of 1052	1208	cves_windows.exe	30
PID 1052 wrote to memory of 580	1052	cmd.exe	32
PID 1052 wrote to memory of 580	1052	cmd.exe	32
PID 1052 wrote to memory of 580	1052	cmd.exe	32
PID 580 wrote to memory of 1068	580	ChromeUpdateTaskMachinCore.exe	33
PID 580 wrote to memory of 1068	580	ChromeUpdateTaskMachinCore.exe	33
PID 580 wrote to memory of 1068	580	ChromeUpdateTaskMachinCore.exe	33
PID 1068 wrote to memory of 1596	1068	tor.exe	35
PID 1068 wrote to memory of 1596	1068	tor.exe	35
PID 1068 wrote to memory of 1596	1068	tor.exe	35
PID 580 wrote to memory of 240	580	ChromeUpdateTaskMachinCore.exe	37
PID 580 wrote to memory of 240	580	ChromeUpdateTaskMachinCore.exe	37
PID 580 wrote to memory of 240	580	ChromeUpdateTaskMachinCore.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cves_windows.exe
"C:\Users\Admin\AppData\Local\Temp\cves_windows.exe"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\system32\schtasks.exe
  C:\Windows\system32\schtasks.exe /CREATE /XML C:\Users\Admin\AppData\Local\Temp\UWxmGLbNnCM /F /TN ChromeUpdateTaskMachinCore
  2⤵
  - Creates scheduled task(s)
  PID:2044
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe
    "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\tor\tor.exe
      "C:\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\tor\tor.exe" -f "C:\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\ORsBHaReETgwn"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\tor\pluggable_transports\obfs4proxy.exe
        
        "C:\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\tor\pluggable_transports\obfs4proxy.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1596
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe computersystem get model,manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe

Filesize
5.8MB

MD5
41eb04151e6a51149856069b92e8781c

SHA1
91ad7bb1848454f59269cdda09b2748b1b8811a0

SHA256
68ce3b3f77075ca40ebaa5b7569e5360a1cfa2a8b0684262b02970fb349c52f2

SHA512
83f4b5adf7a4fbe729bd5ae3e3e3cdecf2c6cffaac7778e82d32ab56c138648f9467877e526d64bcc7ee9be8d3d686a7e0f2284102cfd735e2e0a5c62e06dad4

Download Submit
C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe

Filesize
5.8MB

MD5
41eb04151e6a51149856069b92e8781c

SHA1
91ad7bb1848454f59269cdda09b2748b1b8811a0

SHA256
68ce3b3f77075ca40ebaa5b7569e5360a1cfa2a8b0684262b02970fb349c52f2

SHA512
83f4b5adf7a4fbe729bd5ae3e3e3cdecf2c6cffaac7778e82d32ab56c138648f9467877e526d64bcc7ee9be8d3d686a7e0f2284102cfd735e2e0a5c62e06dad4

Download Submit
C:\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\ORsBHaReETgwn

Filesize
1KB

MD5
1a8dee071b86b492e029d23850f41877

SHA1
7bf53fab2e89551ea51ac7e41ce3c1d30bfd51de

SHA256
5c1ef2e158195fc490f172c7489f8185d8b4e94454829166505c8b9e1ea9c1b5

SHA512
4fee823a2e4978ce803b1ba13a20ae6409f1785a3bda1e9aee8b2990a876a9890548d95f9c6c9438221a2f1e94483c1032d50809040bb265552de7daac30e1d8

Download Submit
C:\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\hostname

Filesize
64B

MD5
688dad6b13aa297419230143a878670d

SHA1
ff0d4974fa019274794a99ac57be2e12876eb460

SHA256
a84f2a262bb55e913cd990210314119bb93b6b02e86458ef9cf824d56c4f8363

SHA512
30637ccc923738981d0b482fe3a093c81b08a3e87a1c12d3d194d273da69de9c2ac3820110edc33a69ebe6ecbd4ff717365f145b50604dc3250a2779bb5cd19b

Download Submit
C:\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\tor\pluggable_transports\obfs4proxy.exe

Filesize
6.6MB

MD5
230e3602ebdd05dcf33121eac79d1dcd

SHA1
ff93876b412e8fb026fe4bc3105f177402d9e767

SHA256
df70d273c43901f7249294ed8f66479b9f5c994db6d0efbbb9b31ad6e8211a6d

SHA512
c7f107110f54129636d7ec78ba7ea23ac7ad0e0ace14ada0e1ca3ae66a7dee33c76a8d14ff1e3e945cc47e24e67d911b5ffef45374998383b5453b576d3fde05

Download Submit
C:\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\tor\pluggable_transports\obfs4proxy.exe

Filesize
6.6MB

MD5
230e3602ebdd05dcf33121eac79d1dcd

SHA1
ff93876b412e8fb026fe4bc3105f177402d9e767

SHA256
df70d273c43901f7249294ed8f66479b9f5c994db6d0efbbb9b31ad6e8211a6d

SHA512
c7f107110f54129636d7ec78ba7ea23ac7ad0e0ace14ada0e1ca3ae66a7dee33c76a8d14ff1e3e945cc47e24e67d911b5ffef45374998383b5453b576d3fde05

Download Submit
C:\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\tor\tor.exe

Filesize
7.4MB

MD5
bdce57b5d9974d1c6a75c4529e9f2e83

SHA1
bf5125b827a3f05103e1a480b225da8e7cea7049

SHA256
6663f24897889210b68f4fcbd86a74d65c25b54c171ce29009f92bf3a8e074b1

SHA512
5ea0a7aef154fc77c0a390352bbb1e035fc3814d22327c3338030fd5bd1968496943be02931bcf322e94899f95bf6549581d9f27c66f45d661f422e7bb0139c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab26F4.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar29C9.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWxmGLbNnCM

Filesize
1KB

MD5
2ba9c3d7e012dbb3eb0e66b04c362066

SHA1
9ec5d1585cd5850de4a4c01a7e9791a5d203179a

SHA256
c553c291d148541d1c511357aa2c887552ede27d41f3ce7152554e245762607b

SHA512
1ff35330df30e113553b57e4add48a1337d01b6ff118dc775d6c987f2492ec02d621288d49cb8450a26289e46988b3e7be13aef8b36df4b395888b5007ef1f9f

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-descriptors.new

Filesize
13KB

MD5
18c170f5e84aa3d4f22978c1701b4cdf

SHA1
4c2d921a92398a3fcbb1107d99beb16976e41aa0

SHA256
a2df1469f6c761c77e9ff3a49d4604ae0de6ea95138a941ec6475742f82e4f15

SHA512
fcd3b3bae9bc59a8e2aeabcca9c94adb51258143c893c4efbee73cb2395c5abab750223222e01c8bcfc257c73f41974b7c07a01348a6b9e49eb6c29aab09e121

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.3MB

MD5
c7fb02ab0dd667c112847537d3127230

SHA1
f89e42cbd485144ddcd534c4d990d13006ebd983

SHA256
065f920e85885d9a42ce64453e7c9f2988f46d6b7ea1167bb46110b78a1afcbf

SHA512
61e9e403da5fec229b244a2c5e489685f7da6aa72b2b1a4d06befef7488e36439e773c6282770cc51222d41a34fd5f7c26ef240dd7ee6878020af29d92fa17f5

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
5.0MB

MD5
eee2ca8e84ada3c3690288dbcff06d94

SHA1
725f1c09b45fad1d6df4665a1710b5ae5fb2d1e1

SHA256
bd7da6dabf18cd2fecca95bbc40039fc57aa4a45e8368b99636cde125d8e3b05

SHA512
549e20fe45cea11125a6229572d14138e75c13496b9c559364bdd495d3bae04e3def1696aaeeb62bc501a3686a59393288fc708802a7e3c203c46b8d2442ee7b

Download Submit
\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe

Filesize
5.8MB

MD5
41eb04151e6a51149856069b92e8781c

SHA1
91ad7bb1848454f59269cdda09b2748b1b8811a0

SHA256
68ce3b3f77075ca40ebaa5b7569e5360a1cfa2a8b0684262b02970fb349c52f2

SHA512
83f4b5adf7a4fbe729bd5ae3e3e3cdecf2c6cffaac7778e82d32ab56c138648f9467877e526d64bcc7ee9be8d3d686a7e0f2284102cfd735e2e0a5c62e06dad4

Download Submit
\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe

Filesize
5.8MB

MD5
41eb04151e6a51149856069b92e8781c

SHA1
91ad7bb1848454f59269cdda09b2748b1b8811a0

SHA256
68ce3b3f77075ca40ebaa5b7569e5360a1cfa2a8b0684262b02970fb349c52f2

SHA512
83f4b5adf7a4fbe729bd5ae3e3e3cdecf2c6cffaac7778e82d32ab56c138648f9467877e526d64bcc7ee9be8d3d686a7e0f2284102cfd735e2e0a5c62e06dad4

Download Submit
\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\tor\pluggable_transports\obfs4proxy.exe

Filesize
6.6MB

MD5
230e3602ebdd05dcf33121eac79d1dcd

SHA1
ff93876b412e8fb026fe4bc3105f177402d9e767

SHA256
df70d273c43901f7249294ed8f66479b9f5c994db6d0efbbb9b31ad6e8211a6d

SHA512
c7f107110f54129636d7ec78ba7ea23ac7ad0e0ace14ada0e1ca3ae66a7dee33c76a8d14ff1e3e945cc47e24e67d911b5ffef45374998383b5453b576d3fde05

Download Submit
\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\tor\pluggable_transports\obfs4proxy.exe

Filesize
6.6MB

MD5
230e3602ebdd05dcf33121eac79d1dcd

SHA1
ff93876b412e8fb026fe4bc3105f177402d9e767

SHA256
df70d273c43901f7249294ed8f66479b9f5c994db6d0efbbb9b31ad6e8211a6d

SHA512
c7f107110f54129636d7ec78ba7ea23ac7ad0e0ace14ada0e1ca3ae66a7dee33c76a8d14ff1e3e945cc47e24e67d911b5ffef45374998383b5453b576d3fde05

Download Submit
\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\tor\tor.exe

Filesize
7.4MB

MD5
bdce57b5d9974d1c6a75c4529e9f2e83

SHA1
bf5125b827a3f05103e1a480b225da8e7cea7049

SHA256
6663f24897889210b68f4fcbd86a74d65c25b54c171ce29009f92bf3a8e074b1

SHA512
5ea0a7aef154fc77c0a390352bbb1e035fc3814d22327c3338030fd5bd1968496943be02931bcf322e94899f95bf6549581d9f27c66f45d661f422e7bb0139c4

Download Submit
\Program Files\ChromeUpdateTaskMachinCore\ORsBHaReETgwnMypRf\tor\tor.exe

Filesize
7.4MB

MD5
bdce57b5d9974d1c6a75c4529e9f2e83

SHA1
bf5125b827a3f05103e1a480b225da8e7cea7049

SHA256
6663f24897889210b68f4fcbd86a74d65c25b54c171ce29009f92bf3a8e074b1

SHA512
5ea0a7aef154fc77c0a390352bbb1e035fc3814d22327c3338030fd5bd1968496943be02931bcf322e94899f95bf6549581d9f27c66f45d661f422e7bb0139c4

Download Submit