xmrig | ba817cb32d8ca5da7e0f06d24ce357b0752224348fbafced1ac67925b1d6b8f3

Analysis

max time kernel
128s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win64.Evo-gen.17020.exe
Size

8.1MB
MD5

fa94ea96b0b895aade4512affe650771
SHA1

6917a096d6d8e48895d652297989efe295ce2fd2
SHA256

ba817cb32d8ca5da7e0f06d24ce357b0752224348fbafced1ac67925b1d6b8f3
SHA512

ef1dbc49db6dfc6b5f53b4401ea63cfa1dceac24f0e1fa240547012b77e7663d86fe9494efcaa1592f79c984c72823d8447c67d6b40e2a1376571a6bfe630078
SSDEEP

196608:fk9fK0qOIrMSef5U93u0NBwaQry6UWEuvSG69myxStH:fMpQ+f5U91fQGVRytH

Score

10^/10

xmrig evasion miner persistence themida trojan upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SecuriteInfo.com.Win64.Evo-gen.17020.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 17 IoCs

miner

resource	yara_rule
behavioral2/memory/2668-86-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2668-87-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2668-89-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2668-90-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2668-91-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2668-93-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2668-92-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2668-94-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2668-95-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2668-96-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2668-97-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2668-98-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2668-99-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2668-100-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2668-102-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2668-101-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2668-103-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	SecuriteInfo.com.Win64.Evo-gen.17020.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SecuriteInfo.com.Win64.Evo-gen.17020.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SecuriteInfo.com.Win64.Evo-gen.17020.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe

Executes dropped EXE 1 IoCs

pid	Process
1992	updater.exe

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/3140-0-0x00007FF7A1FE0000-0x00007FF7A2D86000-memory.dmp	themida
behavioral2/memory/3140-1-0x00007FF7A1FE0000-0x00007FF7A2D86000-memory.dmp	themida
behavioral2/memory/3140-3-0x00007FF7A1FE0000-0x00007FF7A2D86000-memory.dmp	themida
behavioral2/memory/3140-4-0x00007FF7A1FE0000-0x00007FF7A2D86000-memory.dmp	themida
behavioral2/memory/3140-5-0x00007FF7A1FE0000-0x00007FF7A2D86000-memory.dmp	themida
behavioral2/memory/3140-19-0x00007FF7A1FE0000-0x00007FF7A2D86000-memory.dmp	themida
behavioral2/memory/3140-26-0x00007FF7A1FE0000-0x00007FF7A2D86000-memory.dmp	themida
behavioral2/files/0x0006000000023233-29.dat	themida
behavioral2/files/0x0006000000023233-28.dat	themida
behavioral2/memory/1992-31-0x00007FF6EAE60000-0x00007FF6EBC06000-memory.dmp	themida
behavioral2/memory/1992-30-0x00007FF6EAE60000-0x00007FF6EBC06000-memory.dmp	themida
behavioral2/memory/1992-33-0x00007FF6EAE60000-0x00007FF6EBC06000-memory.dmp	themida
behavioral2/memory/1992-34-0x00007FF6EAE60000-0x00007FF6EBC06000-memory.dmp	themida
behavioral2/memory/1992-82-0x00007FF6EAE60000-0x00007FF6EBC06000-memory.dmp	themida

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2668-79-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-80-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-81-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-83-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-84-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-86-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-87-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-89-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-90-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-91-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-93-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-92-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-94-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-95-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-96-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-97-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-98-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-99-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-100-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-102-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-101-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2668-103-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SecuriteInfo.com.Win64.Evo-gen.17020.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File opened for modification	C:\Windows\system32\MRT.exe	SecuriteInfo.com.Win64.Evo-gen.17020.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3140	SecuriteInfo.com.Win64.Evo-gen.17020.exe
1992	updater.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 3888	1992	updater.exe	140
PID 1992 set thread context of 2668	1992	updater.exe	137

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3348	sc.exe
4060	sc.exe
1532	sc.exe
2648	sc.exe
644	sc.exe
1480	sc.exe
3644	sc.exe
3476	sc.exe
2668	sc.exe
1496	sc.exe
5052	sc.exe
4444	sc.exe
4988	sc.exe
1072	sc.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3140	SecuriteInfo.com.Win64.Evo-gen.17020.exe
4776	powershell.exe
4776	powershell.exe
3140	SecuriteInfo.com.Win64.Evo-gen.17020.exe
3140	SecuriteInfo.com.Win64.Evo-gen.17020.exe
3140	SecuriteInfo.com.Win64.Evo-gen.17020.exe
3140	SecuriteInfo.com.Win64.Evo-gen.17020.exe
3140	SecuriteInfo.com.Win64.Evo-gen.17020.exe
3140	SecuriteInfo.com.Win64.Evo-gen.17020.exe
3140	SecuriteInfo.com.Win64.Evo-gen.17020.exe
3140	SecuriteInfo.com.Win64.Evo-gen.17020.exe
3140	SecuriteInfo.com.Win64.Evo-gen.17020.exe
3140	SecuriteInfo.com.Win64.Evo-gen.17020.exe
3140	SecuriteInfo.com.Win64.Evo-gen.17020.exe
3140	SecuriteInfo.com.Win64.Evo-gen.17020.exe
3140	SecuriteInfo.com.Win64.Evo-gen.17020.exe
3140	SecuriteInfo.com.Win64.Evo-gen.17020.exe
1992	updater.exe
3472	powershell.exe
3472	powershell.exe
1992	updater.exe
1992	updater.exe
1992	updater.exe
1992	updater.exe
1992	updater.exe
1992	updater.exe
1992	updater.exe
1992	updater.exe
1992	updater.exe
1992	updater.exe
1992	updater.exe
1992	updater.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeShutdownPrivilege	940	powercfg.exe
Token: SeCreatePagefilePrivilege	940	powercfg.exe
Token: SeShutdownPrivilege	1116	powercfg.exe
Token: SeCreatePagefilePrivilege	1116	powercfg.exe
Token: SeShutdownPrivilege	4616	powercfg.exe
Token: SeCreatePagefilePrivilege	4616	powercfg.exe
Token: SeShutdownPrivilege	216	powercfg.exe
Token: SeCreatePagefilePrivilege	216	powercfg.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeShutdownPrivilege	4152	powercfg.exe
Token: SeCreatePagefilePrivilege	4152	powercfg.exe
Token: SeShutdownPrivilege	4048	powercfg.exe
Token: SeCreatePagefilePrivilege	4048	powercfg.exe
Token: SeShutdownPrivilege	3728	powercfg.exe
Token: SeCreatePagefilePrivilege	3728	powercfg.exe
Token: SeShutdownPrivilege	4652	powercfg.exe
Token: SeCreatePagefilePrivilege	4652	powercfg.exe
Token: SeLockMemoryPrivilege	2668	explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 3656	4140	cmd.exe	98
PID 4140 wrote to memory of 3656	4140	cmd.exe	98
PID 640 wrote to memory of 3060	640	cmd.exe	149
PID 640 wrote to memory of 3060	640	cmd.exe	149
PID 1992 wrote to memory of 3888	1992	updater.exe	140
PID 1992 wrote to memory of 3888	1992	updater.exe	140
PID 1992 wrote to memory of 3888	1992	updater.exe	140
PID 1992 wrote to memory of 3888	1992	updater.exe	140
PID 1992 wrote to memory of 3888	1992	updater.exe	140
PID 1992 wrote to memory of 3888	1992	updater.exe	140
PID 1992 wrote to memory of 3888	1992	updater.exe	140
PID 1992 wrote to memory of 3888	1992	updater.exe	140
PID 1992 wrote to memory of 3888	1992	updater.exe	140
PID 1992 wrote to memory of 2668	1992	updater.exe	137
PID 1992 wrote to memory of 2668	1992	updater.exe	137
PID 1992 wrote to memory of 2668	1992	updater.exe	137
PID 1992 wrote to memory of 2668	1992	updater.exe	137
PID 1992 wrote to memory of 2668	1992	updater.exe	137

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.17020.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.17020.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3140
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3476
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2668
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4988
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:644
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4140
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
  2⤵
  - Launches sc.exe
  PID:5052
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:216
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4616
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
  2⤵
  - Launches sc.exe
  PID:1480
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:3348
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:4444
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:940

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:3656

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3472
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4060
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1532
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4152
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3888
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4652
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3728
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4048
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1072
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2648
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:640

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Google\Chrome\updater.exe

Filesize
234KB

MD5
ed461bec967e5bd270c829c1be187894

SHA1
9852675089cd101e24347b69ec7c58b1d5c69e06

SHA256
97bd04630de80a849cd418fc51b7faa284da658229fb57bfeda9de783b1b49f5

SHA512
2f949d5ed9fb6101879814608c79b1e57a6b5bd6998ab163c14ba25efe810cece30060c0f07c8073bda9e8e6cbc87f18537b05849dc65c5ab6f3820876aee567

Download Submit
C:\ProgramData\Google\Chrome\updater.exe

Filesize
430KB

MD5
36a2d7839d2d23e6f79898811d17aacf

SHA1
a2e94a2d69050a2c852820fa1a40b43c9220e93a

SHA256
90ec7710b8ee5d1508776b83b3ae1b1d21d9f92bb44d281f2a9e8925e1c296b9

SHA512
c5e4b6b5f1ec5bb0be1126a471ee9c7d63a05dee3d308e433e593308d7b9bf26c5651aa0ddc0899b8958c113308131fbc3a9f8418c88bfc0e9c38bb77e3e3a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jnkxyepw.qtn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
2d29fd3ae57f422e2b2121141dc82253

SHA1
c2464c857779c0ab4f5e766f5028fcc651a6c6b7

SHA256
80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4

SHA512
077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

Download Submit
memory/1992-85-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/1992-82-0x00007FF6EAE60000-0x00007FF6EBC06000-memory.dmp

Filesize
13.6MB

Download
memory/1992-34-0x00007FF6EAE60000-0x00007FF6EBC06000-memory.dmp

Filesize
13.6MB

Download
memory/1992-33-0x00007FF6EAE60000-0x00007FF6EBC06000-memory.dmp

Filesize
13.6MB

Download
memory/1992-30-0x00007FF6EAE60000-0x00007FF6EBC06000-memory.dmp

Filesize
13.6MB

Download
memory/1992-32-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/1992-31-0x00007FF6EAE60000-0x00007FF6EBC06000-memory.dmp

Filesize
13.6MB

Download
memory/2668-88-0x00000000011D0000-0x00000000011F0000-memory.dmp

Filesize
128KB

Download
memory/2668-94-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-103-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-80-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-79-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-83-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-101-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-102-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-100-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-99-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-84-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-86-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-98-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-97-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-96-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-87-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-95-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-81-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-92-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-93-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-91-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-90-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2668-89-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3140-20-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/3140-0-0x00007FF7A1FE0000-0x00007FF7A2D86000-memory.dmp

Filesize
13.6MB

Download
memory/3140-4-0x00007FF7A1FE0000-0x00007FF7A2D86000-memory.dmp

Filesize
13.6MB

Download
memory/3140-5-0x00007FF7A1FE0000-0x00007FF7A2D86000-memory.dmp

Filesize
13.6MB

Download
memory/3140-19-0x00007FF7A1FE0000-0x00007FF7A2D86000-memory.dmp

Filesize
13.6MB

Download
memory/3140-1-0x00007FF7A1FE0000-0x00007FF7A2D86000-memory.dmp

Filesize
13.6MB

Download
memory/3140-2-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/3140-27-0x00007FF9F22D0000-0x00007FF9F24C5000-memory.dmp

Filesize
2.0MB

Download
memory/3140-26-0x00007FF7A1FE0000-0x00007FF7A2D86000-memory.dmp

Filesize
13.6MB

Download
memory/3140-3-0x00007FF7A1FE0000-0x00007FF7A2D86000-memory.dmp

Filesize
13.6MB

Download
memory/3472-56-0x000001AEE2330000-0x000001AEE234C000-memory.dmp

Filesize
112KB

Download
memory/3472-59-0x000001AEE2570000-0x000001AEE258C000-memory.dmp

Filesize
112KB

Download
memory/3472-44-0x00007FF9D37F0000-0x00007FF9D42B1000-memory.dmp

Filesize
10.8MB

Download
memory/3472-45-0x000001AEDFE90000-0x000001AEDFEA0000-memory.dmp

Filesize
64KB

Download
memory/3472-46-0x000001AEDFE90000-0x000001AEDFEA0000-memory.dmp

Filesize
64KB

Download
memory/3472-57-0x000001AEE2350000-0x000001AEE2405000-memory.dmp

Filesize
724KB

Download
memory/3472-58-0x000001AEE2320000-0x000001AEE232A000-memory.dmp

Filesize
40KB

Download
memory/3472-65-0x000001AEDFE90000-0x000001AEDFEA0000-memory.dmp

Filesize
64KB

Download
memory/3472-63-0x000001AEE2590000-0x000001AEE2596000-memory.dmp

Filesize
24KB

Download
memory/3472-64-0x000001AEE25A0000-0x000001AEE25AA000-memory.dmp

Filesize
40KB

Download
memory/3472-62-0x000001AEE2560000-0x000001AEE2568000-memory.dmp

Filesize
32KB

Download
memory/3472-61-0x000001AEE25B0000-0x000001AEE25CA000-memory.dmp

Filesize
104KB

Download
memory/3472-60-0x000001AEE2550000-0x000001AEE255A000-memory.dmp

Filesize
40KB

Download
memory/3472-68-0x00007FF9D37F0000-0x00007FF9D42B1000-memory.dmp

Filesize
10.8MB

Download
memory/3888-72-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3888-71-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3888-74-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3888-75-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3888-73-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3888-78-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4776-6-0x0000018548340000-0x0000018548362000-memory.dmp

Filesize
136KB

Download
memory/4776-16-0x00007FF9D2380000-0x00007FF9D2E41000-memory.dmp

Filesize
10.8MB

Download
memory/4776-18-0x0000018548300000-0x0000018548310000-memory.dmp

Filesize
64KB

Download
memory/4776-17-0x0000018548300000-0x0000018548310000-memory.dmp

Filesize
64KB

Download
memory/4776-23-0x00007FF9D2380000-0x00007FF9D2E41000-memory.dmp

Filesize
10.8MB

Download