d17cd401364d1ae642d731d07487cdb22cf65ece55659dac69ca085bdbf2e5c5

Analysis

max time kernel
91s
max time network
89s
platform
windows10-1703_x64
resource
win10-20230915-de
resource tags

arch:x64arch:x86image:win10-20230915-delocale:de-deos:windows10-1703-x64systemwindows
submitted
14/10/2023, 17:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1updater.exe
Size

5.4MB
MD5

6b186608ae3467e83e87954d8c8ce06e
SHA1

3bcfc7969c0376f96c30f2b7dd69ffefb6300316
SHA256

d17cd401364d1ae642d731d07487cdb22cf65ece55659dac69ca085bdbf2e5c5
SHA512

89f0b8e3c963ecd6ddbc68a879d29ff298f636670ec4eb837c50e0762bd472d7cf8b108003a86669a494662e955c9348b5778913b5c63c85f7719430c6be7a42
SSDEEP

98304:boeztU1HO7vybyLn5s9TP6FGS7IY8uhv88+MHLQTJUGuMoNPDtxCnQWUpUstI:U9CKbyLnK9T1PYLh881HOUZpNbGRULu

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4472 created 3224	4472	1updater.exe	27

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1148	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4472	1updater.exe
4472	1updater.exe
68	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	68	powershell.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3224
- C:\Users\Admin\AppData\Local\Temp\1updater.exe
  "C:\Users\Admin\AppData\Local\Temp\1updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:4472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:68
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2484
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:2400
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:3168
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4760
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4464
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:384
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:4532
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\aojtapvupood.xml"
  2⤵
  - Creates scheduled task(s)
  PID:1148
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3388

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
3.2MB

MD5
9f9736902ade7da518ad4ed62af2ea61

SHA1
2adeacfe582829cf2410e08980c9c9d2828cf38b

SHA256
bba84e6650301ba3bbe4c976eaf0d46405edb9d9c999492acc4de083c515e1e9

SHA512
465c2608284997c612662ce7fa984089ff07d9edde727a78efee4307472e8f59cf77e475613772bce3e7ad7ca606d8a6d11fcda89fda5cfaf4eb5fb5ac03333f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nzzuz04l.j1w.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aojtapvupood.xml

Filesize
1KB

MD5
546d67a48ff2bf7682cea9fac07b942e

SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

Download Submit
memory/68-16-0x000001FC67B00000-0x000001FC67C04000-memory.dmp

Filesize
1.0MB

Download
memory/68-36-0x000001FC68060000-0x000001FC680AA000-memory.dmp

Filesize
296KB

Download
memory/68-13-0x000001FC67860000-0x000001FC678E6000-memory.dmp

Filesize
536KB

Download
memory/68-18-0x00007FFA58650000-0x00007FFA5903C000-memory.dmp

Filesize
9.9MB

Download
memory/68-20-0x000001FC4F1D0000-0x000001FC4F1E0000-memory.dmp

Filesize
64KB

Download
memory/68-21-0x000001FC4F1D0000-0x000001FC4F1E0000-memory.dmp

Filesize
64KB

Download
memory/68-22-0x000001FC67C90000-0x000001FC67D06000-memory.dmp

Filesize
472KB

Download
memory/68-14-0x000001FC677F0000-0x000001FC67800000-memory.dmp

Filesize
64KB

Download
memory/68-35-0x000001FC4F1D0000-0x000001FC4F1E0000-memory.dmp

Filesize
64KB

Download
memory/68-15-0x000001FC67830000-0x000001FC67852000-memory.dmp

Filesize
136KB

Download
memory/68-57-0x000001FC68030000-0x000001FC6804E000-memory.dmp

Filesize
120KB

Download
memory/68-60-0x000001FC4F1D0000-0x000001FC4F1E0000-memory.dmp

Filesize
64KB

Download
memory/68-64-0x00007FFA58650000-0x00007FFA5903C000-memory.dmp

Filesize
9.9MB

Download
memory/328-99-0x0000025844680000-0x00000258446AB000-memory.dmp

Filesize
172KB

Download
memory/328-101-0x00007FFA34430000-0x00007FFA34440000-memory.dmp

Filesize
64KB

Download
memory/388-107-0x00007FFA34430000-0x00007FFA34440000-memory.dmp

Filesize
64KB

Download
memory/388-103-0x000001EB18D50000-0x000001EB18D7B000-memory.dmp

Filesize
172KB

Download
memory/416-112-0x00007FFA34430000-0x00007FFA34440000-memory.dmp

Filesize
64KB

Download
memory/416-110-0x00000262712F0000-0x000002627131B000-memory.dmp

Filesize
172KB

Download
memory/588-80-0x00007FFA74445000-0x00007FFA74446000-memory.dmp

Filesize
4KB

Download
memory/588-78-0x000001C35C270000-0x000001C35C29B000-memory.dmp

Filesize
172KB

Download
memory/588-133-0x000001C35C270000-0x000001C35C29B000-memory.dmp

Filesize
172KB

Download
memory/588-75-0x000001C35BE80000-0x000001C35BEA4000-memory.dmp

Filesize
144KB

Download
memory/656-79-0x0000024B26380000-0x0000024B263AB000-memory.dmp

Filesize
172KB

Download
memory/656-84-0x00007FFA74445000-0x00007FFA74446000-memory.dmp

Filesize
4KB

Download
memory/656-82-0x0000024B26380000-0x0000024B263AB000-memory.dmp

Filesize
172KB

Download
memory/656-81-0x00007FFA34430000-0x00007FFA34440000-memory.dmp

Filesize
64KB

Download
memory/756-91-0x00007FFA34430000-0x00007FFA34440000-memory.dmp

Filesize
64KB

Download
memory/756-87-0x000001DB25D30000-0x000001DB25D5B000-memory.dmp

Filesize
172KB

Download
memory/928-94-0x00007FFA34430000-0x00007FFA34440000-memory.dmp

Filesize
64KB

Download
memory/928-90-0x00000255B17C0000-0x00000255B17EB000-memory.dmp

Filesize
172KB

Download
memory/1008-95-0x0000028311310000-0x000002831133B000-memory.dmp

Filesize
172KB

Download
memory/1052-121-0x00007FFA34430000-0x00007FFA34440000-memory.dmp

Filesize
64KB

Download
memory/1052-115-0x000002A164A60000-0x000002A164A8B000-memory.dmp

Filesize
172KB

Download
memory/1084-122-0x00007FFA34430000-0x00007FFA34440000-memory.dmp

Filesize
64KB

Download
memory/1084-117-0x000002510B800000-0x000002510B82B000-memory.dmp

Filesize
172KB

Download
memory/1096-123-0x00007FFA34430000-0x00007FFA34440000-memory.dmp

Filesize
64KB

Download
memory/1096-120-0x0000023F2C630000-0x0000023F2C65B000-memory.dmp

Filesize
172KB

Download
memory/1152-126-0x000002D91EC90000-0x000002D91ECBB000-memory.dmp

Filesize
172KB

Download
memory/1152-136-0x00007FFA34430000-0x00007FFA34440000-memory.dmp

Filesize
64KB

Download
memory/1160-134-0x00000213EA330000-0x00000213EA35B000-memory.dmp

Filesize
172KB

Download
memory/4472-74-0x00007FF70E8F0000-0x00007FF70EE56000-memory.dmp

Filesize
5.4MB

Download
memory/4472-8-0x00007FF70E8F0000-0x00007FF70EE56000-memory.dmp

Filesize
5.4MB

Download
memory/4472-0-0x00007FF70E8F0000-0x00007FF70EE56000-memory.dmp

Filesize
5.4MB

Download
memory/4532-106-0x00007FFA743A0000-0x00007FFA7457B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-68-0x00007FFA743A0000-0x00007FFA7457B000-memory.dmp

Filesize
1.9MB

Download
memory/4532-70-0x00007FFA74080000-0x00007FFA7412E000-memory.dmp

Filesize
696KB

Download