Analysis
- max time kernel: 50s
- max time network: 83s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 02/03/2024, 16:30
Static task: static1
Behavioral task: behavioral1 (Sample: Setup.exe; Resource: win11-20240221-en)
Behavioral task: behavioral2 (Sample: Updater.exe; Resource: win11-20240221-en)
Behavioral task: behavioral3 (Sample: javaws.jar; Resource: win11-20240221-en)
General
- Target: Updater.exe
- Size: 5.6MB
- MD5: eb0f3744f86799012349cf61ee039141
- SHA1: 8dbaf2e29b16786e17887852d423d56a10bff3df
- SHA256: 679519fc079ccf78798bba9565460f88d2364befde6ea3df516362610ad101ad
- SHA512: da4ef89d4facbbb3351fe16c5cc9916670f9d8d5ad412d823c1a1be31fb10763d1f4c83be65d68240b2ffcda01b68908981f27f078c69d3ae0cdc76cfde08224
- SSDEEP: 98304:Ek959SSvUqRJWjnjd03dBPVGKOYjHImtXkKKfWmRlHgASXtdGnPVW2:EUSSvIjnOBPV4WtXkEmYtkntT
Malware Config
Signatures
XMRig Miner payload 7 IoCs
resource | yara_rule
behavioral2/memory/2228-72-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/2228-73-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/2228-75-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/2228-76-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/2228-77-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/2228-78-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/2228-79-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig

Creates new service(s) 1 TTPs

Drops file in Drivers directory 2 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\etc\hosts | Updater.exe
File created | C:\Windows\system32\drivers\etc\hosts | Updater.exe

Stops running service(s) 3 TTPs

Executes dropped EXE 1 IoCs
pid | Process
4332 | Updater.exe

resource | yara_rule
behavioral2/memory/2228-67-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/2228-68-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/2228-69-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/2228-70-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/2228-71-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/2228-72-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/2228-73-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/2228-75-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/2228-76-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/2228-77-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/2228-78-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/2228-79-0x0000000140000000-0x0000000140848000-memory.dmp | upx

Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\MRT.exe | Updater.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | Updater.exe

Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 4332 set thread context of 848 | 4332 | Updater.exe | 133
PID 4332 set thread context of 2228 | 4332 | Updater.exe | 138
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
4356 | sc.exe
2856 | sc.exe
3288 | sc.exe
3240 | sc.exe
2160 | sc.exe
4440 | sc.exe
1664 | sc.exe
4100 | sc.exe
1372 | sc.exe
1488 | sc.exe
4128 | sc.exe
924 | sc.exe
4136 | sc.exe
4072 | sc.exe
Modifies data under HKEY_USERS 50 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | explorer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | explorer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | explorer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | explorer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (rows in report order; repeated rows collapsed with a count)
4172 | Updater.exe (x1)
2200 | powershell.exe (x2)
4172 | Updater.exe (x14)
4332 | Updater.exe (x1)
3744 | powershell.exe (x2)
4332 | Updater.exe (x12)
2228 | explorer.exe (x32)

Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
676 | Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2200 | powershell.exe
Token: SeShutdownPrivilege | 3960 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3960 | powercfg.exe
Token: SeShutdownPrivilege | 8 | powercfg.exe
Token: SeCreatePagefilePrivilege | 8 | powercfg.exe
Token: SeShutdownPrivilege | 3164 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3164 | powercfg.exe
Token: SeShutdownPrivilege | 4620 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4620 | powercfg.exe
Token: SeDebugPrivilege | 3744 | powershell.exe
Token: SeShutdownPrivilege | 4124 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4124 | powercfg.exe
Token: SeShutdownPrivilege | 1840 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1840 | powercfg.exe
Token: SeShutdownPrivilege | 3780 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3780 | powercfg.exe
Token: SeShutdownPrivilege | 252 | powercfg.exe
Token: SeCreatePagefilePrivilege | 252 | powercfg.exe
Token: SeLockMemoryPrivilege | 2228 | explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target (repeated rows collapsed with a count)
PID 4656 wrote to memory of 4132 | 4656 | cmd.exe | 89 (x2)
PID 2868 wrote to memory of 1376 | 2868 | cmd.exe | 122 (x2)
PID 4332 wrote to memory of 848 | 4332 | Updater.exe | 133 (x9)
PID 4332 wrote to memory of 2228 | 4332 | Updater.exe | 138 (x5)
Processes
- C:\Users\Admin\AppData\Local\Temp\Updater.exe (PID 4172)
  Command: "C:\Users\Admin\AppData\Local\Temp\Updater.exe"
  Signatures: Drops file in Drivers directory; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 2200)
    Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 4656)
    Command: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\wusa.exe (PID 4132)
      Command: wusa /uninstall /kb:890830 /quiet /norestart
  - C:\Windows\system32\sc.exe (PID 4356)
    Command: C:\Windows\system32\sc.exe stop UsoSvc
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 1488)
    Command: C:\Windows\system32\sc.exe stop WaaSMedicSvc
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 4128)
    Command: C:\Windows\system32\sc.exe stop wuauserv
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 2856)
    Command: C:\Windows\system32\sc.exe stop bits
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 924)
    Command: C:\Windows\system32\sc.exe stop dosvc
    Signatures: Launches sc.exe
  - C:\Windows\system32\powercfg.exe (PID 4620)
    Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\powercfg.exe (PID 3960)
    Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\powercfg.exe (PID 3164)
    Command: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\powercfg.exe (PID 8)
    Command: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\sc.exe (PID 4100)
    Command: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 3288)
    Command: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 3240)
    Command: C:\Windows\system32\sc.exe stop eventlog
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 1372)
    Command: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
    Signatures: Launches sc.exe
- C:\ProgramData\GoogleUP\Chrome\Updater.exe (PID 4332)
  Command: C:\ProgramData\GoogleUP\Chrome\Updater.exe
  Signatures: Drops file in Drivers directory; Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 3744)
    Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 2868)
    Command: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\wusa.exe (PID 1376)
      Command: wusa /uninstall /kb:890830 /quiet /norestart
  - C:\Windows\system32\sc.exe (PID 4136)
    Command: C:\Windows\system32\sc.exe stop UsoSvc
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 2160)
    Command: C:\Windows\system32\sc.exe stop WaaSMedicSvc
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 4440)
    Command: C:\Windows\system32\sc.exe stop wuauserv
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 1664)
    Command: C:\Windows\system32\sc.exe stop bits
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 4072)
    Command: C:\Windows\system32\sc.exe stop dosvc
    Signatures: Launches sc.exe
  - C:\Windows\system32\powercfg.exe (PID 3780)
    Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\powercfg.exe (PID 4124)
    Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\powercfg.exe (PID 252)
    Command: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\powercfg.exe (PID 1840)
    Command: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\conhost.exe (PID 848)
    Command: C:\Windows\system32\conhost.exe
  - C:\Windows\explorer.exe (PID 2228)
    Command: explorer.exe
    Signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5.6MB
  MD5: eb0f3744f86799012349cf61ee039141
  SHA1: 8dbaf2e29b16786e17887852d423d56a10bff3df
  SHA256: 679519fc079ccf78798bba9565460f88d2364befde6ea3df516362610ad101ad
  SHA512: da4ef89d4facbbb3351fe16c5cc9916670f9d8d5ad412d823c1a1be31fb10763d1f4c83be65d68240b2ffcda01b68908981f27f078c69d3ae0cdc76cfde08224
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 3KB
  MD5: 00930b40cba79465b7a38ed0449d1449
  SHA1: 4b25a89ee28b20ba162f23772ddaf017669092a5
  SHA256: eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
  SHA512: cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62