xmrig | 54c0650089d9ffbf88d10d0d98723bcc5be9247a662c884bad8dca3008dee3df

Analysis

max time kernel
144s
max time network
146s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 15:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

54c0650089d9ffbf88d10d0d98723bcc5be9247a662c884bad8dca3008dee3df.exe
Size

10.0MB
MD5

8dfecb50ae6adc8257c3eecbf4ffca09
SHA1

33772bc03d93fe4d393d9a75025c3947c05a4e72
SHA256

54c0650089d9ffbf88d10d0d98723bcc5be9247a662c884bad8dca3008dee3df
SHA512

93334f8215b9e8a074c734abcffed377d8ec1440b2de23aea59d38339e25a87ad2822a7c2159727f2e8ced2515643f158f597f71ada8551014b9793c1d66b9ec
SSDEEP

196608:VbgRNC3l58i1x4lkqfDcKgoCqpKYUB9x2XT1gjl7/mMxP0DwMYZB9/1dZxENmuWZ:VsRNC3s4+lkJKJgYUZ2XClRP0UjDdZW+

Score

10^/10

xmrig evasion miner themida trojan

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

description	pid	Process	procid_target
PID 2628 created 1244	2628	setup.exe	21
PID 2628 created 1244	2628	setup.exe	21
PID 2628 created 1244	2628	setup.exe	21
PID 2628 created 1244	2628	setup.exe	21
PID 2628 created 1244	2628	setup.exe	21
PID 2628 created 1244	2628	setup.exe	21
PID 1240 created 1244	1240	updater.exe	21
PID 1240 created 1244	1240	updater.exe	21
PID 1240 created 1244	1240	updater.exe	21
PID 1240 created 1244	1240	updater.exe	21
PID 1240 created 1244	1240	updater.exe	21
PID 1240 created 1244	1240	updater.exe	21

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/1356-71-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1356-73-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1356-75-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1356-77-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1356-79-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1356-81-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1356-83-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1356-85-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1356-87-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	setup.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe

Executes dropped EXE 3 IoCs

pid	Process
2628	setup.exe
464	Process not Found
1240	updater.exe

Loads dropped DLL 1 IoCs

pid	Process
2444	54c0650089d9ffbf88d10d0d98723bcc5be9247a662c884bad8dca3008dee3df.exe

Themida packer 24 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00070000000120bd-3.dat	themida
behavioral1/files/0x00070000000120bd-7.dat	themida
behavioral1/files/0x00070000000120bd-5.dat	themida
behavioral1/memory/2444-8-0x0000000003770000-0x000000000499A000-memory.dmp	themida
behavioral1/memory/2628-11-0x000000013F180000-0x00000001403AA000-memory.dmp	themida
behavioral1/memory/2628-12-0x000000013F180000-0x00000001403AA000-memory.dmp	themida
behavioral1/memory/2628-13-0x000000013F180000-0x00000001403AA000-memory.dmp	themida
behavioral1/memory/2628-14-0x000000013F180000-0x00000001403AA000-memory.dmp	themida
behavioral1/memory/2628-15-0x000000013F180000-0x00000001403AA000-memory.dmp	themida
behavioral1/memory/2628-17-0x000000013F180000-0x00000001403AA000-memory.dmp	themida
behavioral1/memory/2628-18-0x000000013F180000-0x00000001403AA000-memory.dmp	themida
behavioral1/files/0x00070000000120bd-34.dat	themida
behavioral1/memory/2628-36-0x000000013F180000-0x00000001403AA000-memory.dmp	themida
behavioral1/files/0x001c00000000558a-37.dat	themida
behavioral1/files/0x001c00000000558a-38.dat	themida
behavioral1/memory/1240-40-0x000000013F060000-0x000000014028A000-memory.dmp	themida
behavioral1/memory/1240-42-0x000000013F060000-0x000000014028A000-memory.dmp	themida
behavioral1/memory/1240-43-0x000000013F060000-0x000000014028A000-memory.dmp	themida
behavioral1/memory/1240-44-0x000000013F060000-0x000000014028A000-memory.dmp	themida
behavioral1/memory/1240-45-0x000000013F060000-0x000000014028A000-memory.dmp	themida
behavioral1/memory/1240-46-0x000000013F060000-0x000000014028A000-memory.dmp	themida
behavioral1/memory/1240-57-0x000000013F060000-0x000000014028A000-memory.dmp	themida
behavioral1/files/0x001c00000000558a-65.dat	themida
behavioral1/memory/1240-67-0x000000013F060000-0x000000014028A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2628	setup.exe
1240	updater.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1240 set thread context of 268	1240	updater.exe	71
PID 1240 set thread context of 1356	1240	updater.exe	72

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	setup.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3028	sc.exe
2168	sc.exe
2008	sc.exe
2052	sc.exe
2448	sc.exe
1996	sc.exe
2348	sc.exe
3036	sc.exe
1672	sc.exe
1688	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3064	schtasks.exe
1292	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 90fce50c2200da01	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2628	setup.exe
2628	setup.exe
2516	powershell.exe
2628	setup.exe
2628	setup.exe
2628	setup.exe
2628	setup.exe
2628	setup.exe
2628	setup.exe
2628	setup.exe
2628	setup.exe
2628	setup.exe
2628	setup.exe
1240	updater.exe
1240	updater.exe
2860	powershell.exe
1240	updater.exe
1240	updater.exe
1240	updater.exe
1240	updater.exe
1240	updater.exe
1240	updater.exe
1240	updater.exe
1240	updater.exe
1240	updater.exe
1240	updater.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe
1356	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeShutdownPrivilege	3016	powercfg.exe
Token: SeShutdownPrivilege	2080	powercfg.exe
Token: SeShutdownPrivilege	1972	powercfg.exe
Token: SeShutdownPrivilege	1312	powercfg.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeShutdownPrivilege	2264	powercfg.exe
Token: SeShutdownPrivilege	2088	powercfg.exe
Token: SeShutdownPrivilege	2752	powercfg.exe
Token: SeShutdownPrivilege	2216	powercfg.exe
Token: SeLockMemoryPrivilege	1356	explorer.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2628	2444	54c0650089d9ffbf88d10d0d98723bcc5be9247a662c884bad8dca3008dee3df.exe	29
PID 2444 wrote to memory of 2628	2444	54c0650089d9ffbf88d10d0d98723bcc5be9247a662c884bad8dca3008dee3df.exe	29
PID 2444 wrote to memory of 2628	2444	54c0650089d9ffbf88d10d0d98723bcc5be9247a662c884bad8dca3008dee3df.exe	29
PID 2444 wrote to memory of 2628	2444	54c0650089d9ffbf88d10d0d98723bcc5be9247a662c884bad8dca3008dee3df.exe	29
PID 2564 wrote to memory of 3028	2564	cmd.exe	34
PID 2564 wrote to memory of 3028	2564	cmd.exe	34
PID 2564 wrote to memory of 3028	2564	cmd.exe	34
PID 2564 wrote to memory of 2348	2564	cmd.exe	35
PID 2564 wrote to memory of 2348	2564	cmd.exe	35
PID 2564 wrote to memory of 2348	2564	cmd.exe	35
PID 2564 wrote to memory of 2168	2564	cmd.exe	36
PID 2564 wrote to memory of 2168	2564	cmd.exe	36
PID 2564 wrote to memory of 2168	2564	cmd.exe	36
PID 2564 wrote to memory of 3036	2564	cmd.exe	37
PID 2564 wrote to memory of 3036	2564	cmd.exe	37
PID 2564 wrote to memory of 3036	2564	cmd.exe	37
PID 2564 wrote to memory of 2008	2564	cmd.exe	38
PID 2564 wrote to memory of 2008	2564	cmd.exe	38
PID 2564 wrote to memory of 2008	2564	cmd.exe	38
PID 2552 wrote to memory of 3016	2552	cmd.exe	43
PID 2552 wrote to memory of 3016	2552	cmd.exe	43
PID 2552 wrote to memory of 3016	2552	cmd.exe	43
PID 2552 wrote to memory of 2080	2552	cmd.exe	46
PID 2552 wrote to memory of 2080	2552	cmd.exe	46
PID 2552 wrote to memory of 2080	2552	cmd.exe	46
PID 2552 wrote to memory of 1972	2552	cmd.exe	47
PID 2552 wrote to memory of 1972	2552	cmd.exe	47
PID 2552 wrote to memory of 1972	2552	cmd.exe	47
PID 2552 wrote to memory of 1312	2552	cmd.exe	48
PID 2552 wrote to memory of 1312	2552	cmd.exe	48
PID 2552 wrote to memory of 1312	2552	cmd.exe	48
PID 1872 wrote to memory of 2052	1872	cmd.exe	58
PID 1872 wrote to memory of 2052	1872	cmd.exe	58
PID 1872 wrote to memory of 2052	1872	cmd.exe	58
PID 1872 wrote to memory of 1672	1872	cmd.exe	59
PID 1872 wrote to memory of 1672	1872	cmd.exe	59
PID 1872 wrote to memory of 1672	1872	cmd.exe	59
PID 1872 wrote to memory of 1688	1872	cmd.exe	60
PID 1872 wrote to memory of 1688	1872	cmd.exe	60
PID 1872 wrote to memory of 1688	1872	cmd.exe	60
PID 1872 wrote to memory of 2448	1872	cmd.exe	61
PID 1872 wrote to memory of 2448	1872	cmd.exe	61
PID 1872 wrote to memory of 2448	1872	cmd.exe	61
PID 1872 wrote to memory of 1996	1872	cmd.exe	62
PID 1872 wrote to memory of 1996	1872	cmd.exe	62
PID 1872 wrote to memory of 1996	1872	cmd.exe	62
PID 1040 wrote to memory of 2264	1040	cmd.exe	65
PID 1040 wrote to memory of 2264	1040	cmd.exe	65
PID 1040 wrote to memory of 2264	1040	cmd.exe	65
PID 1040 wrote to memory of 2088	1040	cmd.exe	66
PID 1040 wrote to memory of 2088	1040	cmd.exe	66
PID 1040 wrote to memory of 2088	1040	cmd.exe	66
PID 1040 wrote to memory of 2752	1040	cmd.exe	67
PID 1040 wrote to memory of 2752	1040	cmd.exe	67
PID 1040 wrote to memory of 2752	1040	cmd.exe	67
PID 1040 wrote to memory of 2216	1040	cmd.exe	68
PID 1040 wrote to memory of 2216	1040	cmd.exe	68
PID 1040 wrote to memory of 2216	1040	cmd.exe	68
PID 1240 wrote to memory of 268	1240	updater.exe	71
PID 1240 wrote to memory of 1356	1240	updater.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\54c0650089d9ffbf88d10d0d98723bcc5be9247a662c884bad8dca3008dee3df.exe
  "C:\Users\Admin\AppData\Local\Temp\54c0650089d9ffbf88d10d0d98723bcc5be9247a662c884bad8dca3008dee3df.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\Temp\setup.exe
    "C:\Windows\Temp\setup.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3028
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2348
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2168
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3036
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2008
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2900
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\rukblmezqswp.xml"
  2⤵
  - Creates scheduled task(s)
  PID:3064
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2052
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1672
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1688
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2448
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1996
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\rukblmezqswp.xml"
  2⤵
  - Creates scheduled task(s)
  PID:1292
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:268
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1356

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
9.8MB

MD5
5da3e5dc1cb0239dd1e6aa649da3ef28

SHA1
4df2a9c0fe007460810a6a08a378f456dbc4f8ce

SHA256
c76fe14e1cfdd4c4fe7d5cbfb6e8d746a97932b133bebf301d75203ab67993e5

SHA512
e9945d563a0937e5e8f658b97dc59d73d0e21f6769624d121e0fd71085f71421556d091790026d055aeaa0237176d129bb0778cb426dc94860e32c3cab96ccc8

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
9.8MB

MD5
5da3e5dc1cb0239dd1e6aa649da3ef28

SHA1
4df2a9c0fe007460810a6a08a378f456dbc4f8ce

SHA256
c76fe14e1cfdd4c4fe7d5cbfb6e8d746a97932b133bebf301d75203ab67993e5

SHA512
e9945d563a0937e5e8f658b97dc59d73d0e21f6769624d121e0fd71085f71421556d091790026d055aeaa0237176d129bb0778cb426dc94860e32c3cab96ccc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rukblmezqswp.xml

Filesize
1KB

MD5
546d67a48ff2bf7682cea9fac07b942e

SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
2b19df2da3af86adf584efbddd0d31c0

SHA1
f1738910789e169213611c033d83bc9577373686

SHA256
58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd

SHA512
4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

Download Submit
C:\Windows\TEMP\rukblmezqswp.xml

Filesize
1KB

MD5
546d67a48ff2bf7682cea9fac07b942e

SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

Download Submit
C:\Windows\Temp\setup.exe

Filesize
9.8MB

MD5
5da3e5dc1cb0239dd1e6aa649da3ef28

SHA1
4df2a9c0fe007460810a6a08a378f456dbc4f8ce

SHA256
c76fe14e1cfdd4c4fe7d5cbfb6e8d746a97932b133bebf301d75203ab67993e5

SHA512
e9945d563a0937e5e8f658b97dc59d73d0e21f6769624d121e0fd71085f71421556d091790026d055aeaa0237176d129bb0778cb426dc94860e32c3cab96ccc8

Download Submit
C:\Windows\Temp\setup.exe

Filesize
9.8MB

MD5
5da3e5dc1cb0239dd1e6aa649da3ef28

SHA1
4df2a9c0fe007460810a6a08a378f456dbc4f8ce

SHA256
c76fe14e1cfdd4c4fe7d5cbfb6e8d746a97932b133bebf301d75203ab67993e5

SHA512
e9945d563a0937e5e8f658b97dc59d73d0e21f6769624d121e0fd71085f71421556d091790026d055aeaa0237176d129bb0778cb426dc94860e32c3cab96ccc8

Download Submit
C:\Windows\Temp\setup.exe

Filesize
9.8MB

MD5
5da3e5dc1cb0239dd1e6aa649da3ef28

SHA1
4df2a9c0fe007460810a6a08a378f456dbc4f8ce

SHA256
c76fe14e1cfdd4c4fe7d5cbfb6e8d746a97932b133bebf301d75203ab67993e5

SHA512
e9945d563a0937e5e8f658b97dc59d73d0e21f6769624d121e0fd71085f71421556d091790026d055aeaa0237176d129bb0778cb426dc94860e32c3cab96ccc8

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
9.8MB

MD5
5da3e5dc1cb0239dd1e6aa649da3ef28

SHA1
4df2a9c0fe007460810a6a08a378f456dbc4f8ce

SHA256
c76fe14e1cfdd4c4fe7d5cbfb6e8d746a97932b133bebf301d75203ab67993e5

SHA512
e9945d563a0937e5e8f658b97dc59d73d0e21f6769624d121e0fd71085f71421556d091790026d055aeaa0237176d129bb0778cb426dc94860e32c3cab96ccc8

Download Submit
\Windows\Temp\setup.exe

Filesize
9.8MB

MD5
5da3e5dc1cb0239dd1e6aa649da3ef28

SHA1
4df2a9c0fe007460810a6a08a378f456dbc4f8ce

SHA256
c76fe14e1cfdd4c4fe7d5cbfb6e8d746a97932b133bebf301d75203ab67993e5

SHA512
e9945d563a0937e5e8f658b97dc59d73d0e21f6769624d121e0fd71085f71421556d091790026d055aeaa0237176d129bb0778cb426dc94860e32c3cab96ccc8

Download Submit
memory/268-70-0x0000000140000000-0x0000000140013000-memory.dmp

Filesize
76KB

Download
memory/1240-43-0x000000013F060000-0x000000014028A000-memory.dmp

Filesize
18.2MB

Download
memory/1240-57-0x000000013F060000-0x000000014028A000-memory.dmp

Filesize
18.2MB

Download
memory/1240-67-0x000000013F060000-0x000000014028A000-memory.dmp

Filesize
18.2MB

Download
memory/1240-69-0x00000000775A0000-0x0000000077749000-memory.dmp

Filesize
1.7MB

Download
memory/1240-48-0x00000000775A0000-0x0000000077749000-memory.dmp

Filesize
1.7MB

Download
memory/1240-46-0x000000013F060000-0x000000014028A000-memory.dmp

Filesize
18.2MB

Download
memory/1240-45-0x000000013F060000-0x000000014028A000-memory.dmp

Filesize
18.2MB

Download
memory/1240-44-0x000000013F060000-0x000000014028A000-memory.dmp

Filesize
18.2MB

Download
memory/1240-42-0x000000013F060000-0x000000014028A000-memory.dmp

Filesize
18.2MB

Download
memory/1240-41-0x00000000775A0000-0x0000000077749000-memory.dmp

Filesize
1.7MB

Download
memory/1240-40-0x000000013F060000-0x000000014028A000-memory.dmp

Filesize
18.2MB

Download
memory/1356-77-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1356-73-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1356-81-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1356-79-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1356-85-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1356-87-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1356-68-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/1356-71-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1356-75-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1356-83-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2444-8-0x0000000003770000-0x000000000499A000-memory.dmp

Filesize
18.2MB

Download
memory/2516-26-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/2516-27-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/2516-25-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-28-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-29-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/2516-24-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2516-23-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/2516-30-0x000007FEF59B0000-0x000007FEF634D000-memory.dmp

Filesize
9.6MB

Download
memory/2628-15-0x000000013F180000-0x00000001403AA000-memory.dmp

Filesize
18.2MB

Download
memory/2628-13-0x000000013F180000-0x00000001403AA000-memory.dmp

Filesize
18.2MB

Download
memory/2628-17-0x000000013F180000-0x00000001403AA000-memory.dmp

Filesize
18.2MB

Download
memory/2628-16-0x00000000775A0000-0x0000000077749000-memory.dmp

Filesize
1.7MB

Download
memory/2628-12-0x000000013F180000-0x00000001403AA000-memory.dmp

Filesize
18.2MB

Download
memory/2628-11-0x000000013F180000-0x00000001403AA000-memory.dmp

Filesize
18.2MB

Download
memory/2628-10-0x00000000775A0000-0x0000000077749000-memory.dmp

Filesize
1.7MB

Download
memory/2628-36-0x000000013F180000-0x00000001403AA000-memory.dmp

Filesize
18.2MB

Download
memory/2628-18-0x000000013F180000-0x00000001403AA000-memory.dmp

Filesize
18.2MB

Download
memory/2628-14-0x000000013F180000-0x00000001403AA000-memory.dmp

Filesize
18.2MB

Download
memory/2628-39-0x00000000775A0000-0x0000000077749000-memory.dmp

Filesize
1.7MB

Download
memory/2860-49-0x0000000019C10000-0x0000000019EF2000-memory.dmp

Filesize
2.9MB

Download
memory/2860-50-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-56-0x0000000001160000-0x00000000011E0000-memory.dmp

Filesize
512KB

Download
memory/2860-51-0x00000000008B0000-0x00000000008B8000-memory.dmp

Filesize
32KB

Download
memory/2860-53-0x0000000001160000-0x00000000011E0000-memory.dmp

Filesize
512KB

Download
memory/2860-54-0x0000000001160000-0x00000000011E0000-memory.dmp

Filesize
512KB

Download
memory/2860-52-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-58-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-55-0x0000000001160000-0x00000000011E0000-memory.dmp

Filesize
512KB

Download