redline | 46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1

Analysis

max time kernel
300s
max time network
298s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
09-07-2023 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe
Size

2.6MB
MD5

65482e3a11dff25a26f8b9667999ae5f
SHA1

967455baa933e5122008db83ebf0f0be29d8afa1
SHA256

46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1
SHA512

d4475480c623ddf2a648977af78548470a56e115990018fc91b354b939949a36f7dd84822d4dee54c3a9df690b4d70deef43eb55420f38fe9186a9d26fd1c6b3
SSDEEP

49152:DLZTeIJtQrmRw7mGRPsIbGHH04cmjloa2TouNMjTuyRQeWhKIjAkSt80rY:D5IrmRwKGSTHtjWa2cbTuySeWhKCSvY

Score

10^/10

redline xmrig 090723_rc_11 evasion infostealer miner spyware themida trojan

Malware Config

Extracted

Family

redline

Botnet

090723_rc_11

rcam.tuktuk.ug:11290

Attributes

auth_value
abd581cdd66d51ad306682319cafa5a0

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 2192 created 1316	2192	chrome.exe	13
PID 2192 created 1316	2192	chrome.exe	13
PID 2192 created 1316	2192	chrome.exe	13
PID 2192 created 1316	2192	chrome.exe	13
PID 2192 created 1316	2192	chrome.exe	13
PID 2044 created 1316	2044	updater.exe	13
PID 2044 created 1316	2044	updater.exe	13
PID 2044 created 1316	2044	updater.exe	13
PID 2044 created 1316	2044	updater.exe	13
PID 2044 created 1316	2044	updater.exe	13
PID 2044 created 1316	2044	updater.exe	13

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral1/memory/2044-165-0x000000013FEC0000-0x0000000140C96000-memory.dmp	xmrig
behavioral1/memory/2968-168-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2968-171-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2968-173-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2968-175-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2968-177-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	chrome.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe

Executes dropped EXE 2 IoCs

pid	Process
2192	chrome.exe
2044	updater.exe

Loads dropped DLL 2 IoCs

pid	Process
2216	MsBuild.exe
2528	taskeng.exe

Themida packer 30 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/3012-57-0x0000000000860000-0x0000000000EAA000-memory.dmp	themida
behavioral1/memory/3012-97-0x0000000000860000-0x0000000000EAA000-memory.dmp	themida
behavioral1/files/0x000900000001429f-102.dat	themida
behavioral1/files/0x000900000001429f-103.dat	themida
behavioral1/memory/2192-105-0x000000013F890000-0x0000000140666000-memory.dmp	themida
behavioral1/memory/2192-106-0x000000013F890000-0x0000000140666000-memory.dmp	themida
behavioral1/memory/2192-107-0x000000013F890000-0x0000000140666000-memory.dmp	themida
behavioral1/memory/2192-108-0x000000013F890000-0x0000000140666000-memory.dmp	themida
behavioral1/memory/2192-109-0x000000013F890000-0x0000000140666000-memory.dmp	themida
behavioral1/memory/2192-110-0x000000013F890000-0x0000000140666000-memory.dmp	themida
behavioral1/memory/2192-111-0x000000013F890000-0x0000000140666000-memory.dmp	themida
behavioral1/memory/2192-112-0x000000013F890000-0x0000000140666000-memory.dmp	themida
behavioral1/memory/2192-113-0x000000013F890000-0x0000000140666000-memory.dmp	themida
behavioral1/memory/2888-118-0x00000000025B0000-0x0000000002630000-memory.dmp	themida
behavioral1/files/0x000900000001429f-134.dat	themida
behavioral1/memory/2192-136-0x000000013F890000-0x0000000140666000-memory.dmp	themida
behavioral1/files/0x000c0000000142ef-137.dat	themida
behavioral1/files/0x000c0000000142ef-139.dat	themida
behavioral1/files/0x000c0000000142ef-138.dat	themida
behavioral1/memory/2044-141-0x000000013FEC0000-0x0000000140C96000-memory.dmp	themida
behavioral1/memory/2044-142-0x000000013FEC0000-0x0000000140C96000-memory.dmp	themida
behavioral1/memory/2044-143-0x000000013FEC0000-0x0000000140C96000-memory.dmp	themida
behavioral1/memory/2044-144-0x000000013FEC0000-0x0000000140C96000-memory.dmp	themida
behavioral1/memory/2044-145-0x000000013FEC0000-0x0000000140C96000-memory.dmp	themida
behavioral1/memory/2044-146-0x000000013FEC0000-0x0000000140C96000-memory.dmp	themida
behavioral1/memory/2044-147-0x000000013FEC0000-0x0000000140C96000-memory.dmp	themida
behavioral1/memory/2044-148-0x000000013FEC0000-0x0000000140C96000-memory.dmp	themida
behavioral1/memory/2044-159-0x000000013FEC0000-0x0000000140C96000-memory.dmp	themida
behavioral1/files/0x000c0000000142ef-162.dat	themida
behavioral1/memory/2044-165-0x000000013FEC0000-0x0000000140C96000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	chrome.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3012	46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe
2192	chrome.exe
2044	updater.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3012 set thread context of 2216	3012	46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe	28
PID 2044 set thread context of 392	2044	updater.exe	71
PID 2044 set thread context of 2968	2044	updater.exe	72

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	chrome.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2632	sc.exe
2756	sc.exe
1200	sc.exe
2504	sc.exe
2812	sc.exe
2988	sc.exe
1556	sc.exe
944	sc.exe
992	sc.exe
1856	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1648	schtasks.exe
2096	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30d80494c1b2d901	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3012	46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe
2216	MsBuild.exe
2216	MsBuild.exe
2192	chrome.exe
2192	chrome.exe
2888	powershell.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2488	powershell.exe
2192	chrome.exe
2192	chrome.exe
2044	updater.exe
2044	updater.exe
912	powershell.exe
2044	updater.exe
2044	updater.exe
2044	updater.exe
2044	updater.exe
2044	updater.exe
2044	updater.exe
2852	powershell.exe
2044	updater.exe
2044	updater.exe
2044	updater.exe
2044	updater.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe
Token: SeDebugPrivilege	2216	MsBuild.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeShutdownPrivilege	2992	powercfg.exe
Token: SeShutdownPrivilege	2972	powercfg.exe
Token: SeShutdownPrivilege	1924	powercfg.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeShutdownPrivilege	1488	powercfg.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeShutdownPrivilege	2256	powercfg.exe
Token: SeShutdownPrivilege	1716	powercfg.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeShutdownPrivilege	1444	powercfg.exe
Token: SeShutdownPrivilege	2100	powercfg.exe
Token: SeDebugPrivilege	2044	updater.exe
Token: SeLockMemoryPrivilege	2968	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2216	3012	46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe	28
PID 3012 wrote to memory of 2216	3012	46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe	28
PID 3012 wrote to memory of 2216	3012	46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe	28
PID 3012 wrote to memory of 2216	3012	46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe	28
PID 3012 wrote to memory of 2216	3012	46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe	28
PID 3012 wrote to memory of 2216	3012	46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe	28
PID 3012 wrote to memory of 2216	3012	46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe	28
PID 3012 wrote to memory of 2216	3012	46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe	28
PID 3012 wrote to memory of 2216	3012	46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe	28
PID 2216 wrote to memory of 2192	2216	MsBuild.exe	30
PID 2216 wrote to memory of 2192	2216	MsBuild.exe	30
PID 2216 wrote to memory of 2192	2216	MsBuild.exe	30
PID 2216 wrote to memory of 2192	2216	MsBuild.exe	30
PID 2636 wrote to memory of 2504	2636	cmd.exe	35
PID 2636 wrote to memory of 2504	2636	cmd.exe	35
PID 2636 wrote to memory of 2504	2636	cmd.exe	35
PID 2636 wrote to memory of 2812	2636	cmd.exe	36
PID 2636 wrote to memory of 2812	2636	cmd.exe	36
PID 2636 wrote to memory of 2812	2636	cmd.exe	36
PID 2636 wrote to memory of 2988	2636	cmd.exe	37
PID 2636 wrote to memory of 2988	2636	cmd.exe	37
PID 2636 wrote to memory of 2988	2636	cmd.exe	37
PID 2636 wrote to memory of 2632	2636	cmd.exe	38
PID 2636 wrote to memory of 2632	2636	cmd.exe	38
PID 2636 wrote to memory of 2632	2636	cmd.exe	38
PID 2636 wrote to memory of 2756	2636	cmd.exe	39
PID 2636 wrote to memory of 2756	2636	cmd.exe	39
PID 2636 wrote to memory of 2756	2636	cmd.exe	39
PID 2456 wrote to memory of 2992	2456	cmd.exe	44
PID 2456 wrote to memory of 2992	2456	cmd.exe	44
PID 2456 wrote to memory of 2992	2456	cmd.exe	44
PID 2456 wrote to memory of 2972	2456	cmd.exe	45
PID 2456 wrote to memory of 2972	2456	cmd.exe	45
PID 2456 wrote to memory of 2972	2456	cmd.exe	45
PID 2456 wrote to memory of 1924	2456	cmd.exe	46
PID 2456 wrote to memory of 1924	2456	cmd.exe	46
PID 2456 wrote to memory of 1924	2456	cmd.exe	46
PID 2456 wrote to memory of 1488	2456	cmd.exe	47
PID 2456 wrote to memory of 1488	2456	cmd.exe	47
PID 2456 wrote to memory of 1488	2456	cmd.exe	47
PID 2488 wrote to memory of 1648	2488	powershell.exe	48
PID 2488 wrote to memory of 1648	2488	powershell.exe	48
PID 2488 wrote to memory of 1648	2488	powershell.exe	48
PID 2528 wrote to memory of 2044	2528	taskeng.exe	52
PID 2528 wrote to memory of 2044	2528	taskeng.exe	52
PID 2528 wrote to memory of 2044	2528	taskeng.exe	52
PID 1132 wrote to memory of 1556	1132	cmd.exe	57
PID 1132 wrote to memory of 1556	1132	cmd.exe	57
PID 1132 wrote to memory of 1556	1132	cmd.exe	57
PID 1132 wrote to memory of 1200	1132	cmd.exe	58
PID 1132 wrote to memory of 1200	1132	cmd.exe	58
PID 1132 wrote to memory of 1200	1132	cmd.exe	58
PID 1132 wrote to memory of 944	1132	cmd.exe	59
PID 1132 wrote to memory of 944	1132	cmd.exe	59
PID 1132 wrote to memory of 944	1132	cmd.exe	59
PID 1132 wrote to memory of 992	1132	cmd.exe	60
PID 1132 wrote to memory of 992	1132	cmd.exe	60
PID 1132 wrote to memory of 992	1132	cmd.exe	60
PID 1132 wrote to memory of 1856	1132	cmd.exe	61
PID 1132 wrote to memory of 1856	1132	cmd.exe	61
PID 1132 wrote to memory of 1856	1132	cmd.exe	61
PID 2928 wrote to memory of 2256	2928	cmd.exe	66
PID 2928 wrote to memory of 2256	2928	cmd.exe	66
PID 2928 wrote to memory of 2256	2928	cmd.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1316
- C:\Users\Admin\AppData\Local\Temp\46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe
  "C:\Users\Admin\AppData\Local\Temp\46ef6daecec030061841713f7afb387a0a7ce913e2a5d63bc46126628daf19e1.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\chrome.exe
      "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Drops file in Drivers directory
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2504
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2812
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2988
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2632
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2756
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gzjter#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1648
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1556
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1200
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:944
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:992
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1856
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gzjter#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2096
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:392
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968

C:\Windows\system32\taskeng.exe
taskeng.exe {2BBA80E4-E5D3-4AD6-A7DA-4B5D98791503} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
5.9MB

MD5
ac7d03c0c77846767ceba556ea0052d8

SHA1
b61a6b2fd20c8f61dd7bbd6d8e09ee8b01dbf1d6

SHA256
69f25485bc1f7993e739b0be56310db87e37aef9c5e5be208cffc5242035d4ed

SHA512
7df489190abe5b17c34494a2c7d181baf5db687c349c0311b70fef9a70af6f29c2104012db87284c4c90906efc5b129db1be2693f626420ac4db1c48b9cd6dff

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
5.9MB

MD5
ac7d03c0c77846767ceba556ea0052d8

SHA1
b61a6b2fd20c8f61dd7bbd6d8e09ee8b01dbf1d6

SHA256
69f25485bc1f7993e739b0be56310db87e37aef9c5e5be208cffc5242035d4ed

SHA512
7df489190abe5b17c34494a2c7d181baf5db687c349c0311b70fef9a70af6f29c2104012db87284c4c90906efc5b129db1be2693f626420ac4db1c48b9cd6dff

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
5.9MB

MD5
ac7d03c0c77846767ceba556ea0052d8

SHA1
b61a6b2fd20c8f61dd7bbd6d8e09ee8b01dbf1d6

SHA256
69f25485bc1f7993e739b0be56310db87e37aef9c5e5be208cffc5242035d4ed

SHA512
7df489190abe5b17c34494a2c7d181baf5db687c349c0311b70fef9a70af6f29c2104012db87284c4c90906efc5b129db1be2693f626420ac4db1c48b9cd6dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
5.9MB

MD5
ac7d03c0c77846767ceba556ea0052d8

SHA1
b61a6b2fd20c8f61dd7bbd6d8e09ee8b01dbf1d6

SHA256
69f25485bc1f7993e739b0be56310db87e37aef9c5e5be208cffc5242035d4ed

SHA512
7df489190abe5b17c34494a2c7d181baf5db687c349c0311b70fef9a70af6f29c2104012db87284c4c90906efc5b129db1be2693f626420ac4db1c48b9cd6dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
5.9MB

MD5
ac7d03c0c77846767ceba556ea0052d8

SHA1
b61a6b2fd20c8f61dd7bbd6d8e09ee8b01dbf1d6

SHA256
69f25485bc1f7993e739b0be56310db87e37aef9c5e5be208cffc5242035d4ed

SHA512
7df489190abe5b17c34494a2c7d181baf5db687c349c0311b70fef9a70af6f29c2104012db87284c4c90906efc5b129db1be2693f626420ac4db1c48b9cd6dff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4T8FH3J90E7PEHHSYY35.temp

Filesize
7KB

MD5
049c609113de190e2bd67d0135bf648f

SHA1
731a7a252de04ab4c762b485b3f23548f8b01f90

SHA256
bc498d39aebd81235ca7262549eaceed0a777b4901ff59b17fb08de66a075a3c

SHA512
40023b8dec3a56c83324866315f5b9682f4539c5b76ecf08b8790ec01dea8e10b836cb534db0a5d0f36cf9eab8225a7b029e71e4bf09351371579ba124b06f0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
049c609113de190e2bd67d0135bf648f

SHA1
731a7a252de04ab4c762b485b3f23548f8b01f90

SHA256
bc498d39aebd81235ca7262549eaceed0a777b4901ff59b17fb08de66a075a3c

SHA512
40023b8dec3a56c83324866315f5b9682f4539c5b76ecf08b8790ec01dea8e10b836cb534db0a5d0f36cf9eab8225a7b029e71e4bf09351371579ba124b06f0f

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
5.9MB

MD5
ac7d03c0c77846767ceba556ea0052d8

SHA1
b61a6b2fd20c8f61dd7bbd6d8e09ee8b01dbf1d6

SHA256
69f25485bc1f7993e739b0be56310db87e37aef9c5e5be208cffc5242035d4ed

SHA512
7df489190abe5b17c34494a2c7d181baf5db687c349c0311b70fef9a70af6f29c2104012db87284c4c90906efc5b129db1be2693f626420ac4db1c48b9cd6dff

Download Submit
\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
5.9MB

MD5
ac7d03c0c77846767ceba556ea0052d8

SHA1
b61a6b2fd20c8f61dd7bbd6d8e09ee8b01dbf1d6

SHA256
69f25485bc1f7993e739b0be56310db87e37aef9c5e5be208cffc5242035d4ed

SHA512
7df489190abe5b17c34494a2c7d181baf5db687c349c0311b70fef9a70af6f29c2104012db87284c4c90906efc5b129db1be2693f626420ac4db1c48b9cd6dff

Download Submit
memory/392-167-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/392-172-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/912-152-0x00000000010D0000-0x0000000001150000-memory.dmp

Filesize
512KB

Download
memory/912-153-0x00000000010DB000-0x0000000001112000-memory.dmp

Filesize
220KB

Download
memory/912-151-0x00000000010D0000-0x0000000001150000-memory.dmp

Filesize
512KB

Download
memory/912-150-0x00000000010D0000-0x0000000001150000-memory.dmp

Filesize
512KB

Download
memory/2044-142-0x000000013FEC0000-0x0000000140C96000-memory.dmp

Filesize
13.8MB

Download
memory/2044-148-0x000000013FEC0000-0x0000000140C96000-memory.dmp

Filesize
13.8MB

Download
memory/2044-141-0x000000013FEC0000-0x0000000140C96000-memory.dmp

Filesize
13.8MB

Download
memory/2044-143-0x000000013FEC0000-0x0000000140C96000-memory.dmp

Filesize
13.8MB

Download
memory/2044-144-0x000000013FEC0000-0x0000000140C96000-memory.dmp

Filesize
13.8MB

Download
memory/2044-145-0x000000013FEC0000-0x0000000140C96000-memory.dmp

Filesize
13.8MB

Download
memory/2044-165-0x000000013FEC0000-0x0000000140C96000-memory.dmp

Filesize
13.8MB

Download
memory/2044-146-0x000000013FEC0000-0x0000000140C96000-memory.dmp

Filesize
13.8MB

Download
memory/2044-147-0x000000013FEC0000-0x0000000140C96000-memory.dmp

Filesize
13.8MB

Download
memory/2044-159-0x000000013FEC0000-0x0000000140C96000-memory.dmp

Filesize
13.8MB

Download
memory/2192-113-0x000000013F890000-0x0000000140666000-memory.dmp

Filesize
13.8MB

Download
memory/2192-112-0x000000013F890000-0x0000000140666000-memory.dmp

Filesize
13.8MB

Download
memory/2192-136-0x000000013F890000-0x0000000140666000-memory.dmp

Filesize
13.8MB

Download
memory/2192-105-0x000000013F890000-0x0000000140666000-memory.dmp

Filesize
13.8MB

Download
memory/2192-106-0x000000013F890000-0x0000000140666000-memory.dmp

Filesize
13.8MB

Download
memory/2192-107-0x000000013F890000-0x0000000140666000-memory.dmp

Filesize
13.8MB

Download
memory/2192-108-0x000000013F890000-0x0000000140666000-memory.dmp

Filesize
13.8MB

Download
memory/2192-109-0x000000013F890000-0x0000000140666000-memory.dmp

Filesize
13.8MB

Download
memory/2192-110-0x000000013F890000-0x0000000140666000-memory.dmp

Filesize
13.8MB

Download
memory/2192-111-0x000000013F890000-0x0000000140666000-memory.dmp

Filesize
13.8MB

Download
memory/2216-90-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2216-89-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2216-85-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2216-86-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2216-87-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2216-88-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2216-99-0x0000000004840000-0x0000000004880000-memory.dmp

Filesize
256KB

Download
memory/2216-94-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2216-98-0x0000000004840000-0x0000000004880000-memory.dmp

Filesize
256KB

Download
memory/2216-92-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2216-96-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2488-131-0x0000000002450000-0x0000000002458000-memory.dmp

Filesize
32KB

Download
memory/2488-132-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/2488-133-0x00000000025EB000-0x0000000002622000-memory.dmp

Filesize
220KB

Download
memory/2488-130-0x000000001AF20000-0x000000001B202000-memory.dmp

Filesize
2.9MB

Download
memory/2528-140-0x000000013FEC0000-0x0000000140C96000-memory.dmp

Filesize
13.8MB

Download
memory/2528-149-0x000000013FEC0000-0x0000000140C96000-memory.dmp

Filesize
13.8MB

Download
memory/2852-157-0x0000000001124000-0x0000000001127000-memory.dmp

Filesize
12KB

Download
memory/2852-158-0x000000000112B000-0x0000000001162000-memory.dmp

Filesize
220KB

Download
memory/2888-123-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/2888-122-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/2888-121-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2888-120-0x000000001B090000-0x000000001B372000-memory.dmp

Filesize
2.9MB

Download
memory/2888-119-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/2888-118-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/2968-177-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2968-171-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2968-169-0x0000000000540000-0x0000000000560000-memory.dmp

Filesize
128KB

Download
memory/2968-173-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2968-168-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2968-166-0x0000000000540000-0x0000000000560000-memory.dmp

Filesize
128KB

Download
memory/2968-164-0x00000000001F0000-0x0000000000210000-memory.dmp

Filesize
128KB

Download
memory/2968-175-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/3012-82-0x0000000000360000-0x0000000000375000-memory.dmp

Filesize
84KB

Download
memory/3012-66-0x0000000000360000-0x0000000000375000-memory.dmp

Filesize
84KB

Download
memory/3012-68-0x0000000000360000-0x0000000000375000-memory.dmp

Filesize
84KB

Download
memory/3012-70-0x0000000000360000-0x0000000000375000-memory.dmp

Filesize
84KB

Download
memory/3012-64-0x0000000000360000-0x0000000000375000-memory.dmp

Filesize
84KB

Download
memory/3012-62-0x0000000000360000-0x0000000000375000-memory.dmp

Filesize
84KB

Download
memory/3012-72-0x0000000000360000-0x0000000000375000-memory.dmp

Filesize
84KB

Download
memory/3012-61-0x0000000000360000-0x0000000000375000-memory.dmp

Filesize
84KB

Download
memory/3012-74-0x0000000000360000-0x0000000000375000-memory.dmp

Filesize
84KB

Download
memory/3012-60-0x0000000000360000-0x000000000037C000-memory.dmp

Filesize
112KB

Download
memory/3012-76-0x0000000000360000-0x0000000000375000-memory.dmp

Filesize
84KB

Download
memory/3012-78-0x0000000000360000-0x0000000000375000-memory.dmp

Filesize
84KB

Download
memory/3012-80-0x0000000000360000-0x0000000000375000-memory.dmp

Filesize
84KB

Download
memory/3012-58-0x0000000000860000-0x0000000000EAA000-memory.dmp

Filesize
6.3MB

Download
memory/3012-84-0x0000000000360000-0x0000000000375000-memory.dmp

Filesize
84KB

Download
memory/3012-57-0x0000000000860000-0x0000000000EAA000-memory.dmp

Filesize
6.3MB

Download
memory/3012-97-0x0000000000860000-0x0000000000EAA000-memory.dmp

Filesize
6.3MB

Download