Analysis

  • max time kernel
    27s
  • max time network
    1691s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    30/06/2024, 19:33 UTC

General

  • Target

    https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7069758,0x7fef7069768,0x7fef7069778
      2⤵
        PID:1916
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1188 --field-trial-handle=1240,i,4003180202197776528,11918568453820280261,131072 /prefetch:2
        2⤵
          PID:2628
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1240,i,4003180202197776528,11918568453820280261,131072 /prefetch:8
          2⤵
            PID:2600
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1240,i,4003180202197776528,11918568453820280261,131072 /prefetch:8
            2⤵
              PID:2676
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1240,i,4003180202197776528,11918568453820280261,131072 /prefetch:1
              2⤵
                PID:2664
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1240,i,4003180202197776528,11918568453820280261,131072 /prefetch:1
                2⤵
                  PID:2472
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1476 --field-trial-handle=1240,i,4003180202197776528,11918568453820280261,131072 /prefetch:2
                  2⤵
                    PID:2084
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1472 --field-trial-handle=1240,i,4003180202197776528,11918568453820280261,131072 /prefetch:1
                    2⤵
                      PID:2844
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3412 --field-trial-handle=1240,i,4003180202197776528,11918568453820280261,131072 /prefetch:8
                      2⤵
                        PID:1604
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3564 --field-trial-handle=1240,i,4003180202197776528,11918568453820280261,131072 /prefetch:1
                        2⤵
                          PID:1708
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2460 --field-trial-handle=1240,i,4003180202197776528,11918568453820280261,131072 /prefetch:1
                          2⤵
                            PID:1248
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2344 --field-trial-handle=1240,i,4003180202197776528,11918568453820280261,131072 /prefetch:8
                            2⤵
                              PID:1716
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3872 --field-trial-handle=1240,i,4003180202197776528,11918568453820280261,131072 /prefetch:8
                              2⤵
                                PID:2088
                            • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                              "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                              1⤵
                                PID:568

                              Network

                              • flag-us
                                DNS
                                raw.githubusercontent.com
                                chrome.exe
                                Remote address:
                                8.8.8.8:53
                                Request
                                raw.githubusercontent.com
                                IN A
                                Response
                                raw.githubusercontent.com
                                IN A
                                185.199.108.133
                                raw.githubusercontent.com
                                IN A
                                185.199.109.133
                                raw.githubusercontent.com
                                IN A
                                185.199.110.133
                                raw.githubusercontent.com
                                IN A
                                185.199.111.133
                              • flag-gb
                                GET
                                http://www.gstatic.com/generate_204
                                chrome.exe
                                Remote address:
                                216.58.212.195:80
                                Request
                                GET /generate_204 HTTP/1.1
                                Host: www.gstatic.com
                                Connection: keep-alive
                                Pragma: no-cache
                                Cache-Control: no-cache
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
                                Accept-Encoding: gzip, deflate
                                Accept-Language: en-US,en;q=0.9
                                Response
                                HTTP/1.1 204 No Content
                                Content-Length: 0
                                Cross-Origin-Resource-Policy: cross-origin
                                Date: Sun, 30 Jun 2024 19:33:50 GMT
                              • flag-us
                                DNS
                                www.google.com
                                chrome.exe
                                Remote address:
                                8.8.8.8:53
                                Request
                                www.google.com
                                IN A
                                Response
                                www.google.com
                                IN A
                                142.250.187.196
                              • flag-us
                                DNS
                                apis.google.com
                                chrome.exe
                                Remote address:
                                8.8.8.8:53
                                Request
                                apis.google.com
                                IN A
                                Response
                                apis.google.com
                                IN CNAME
                                plus.l.google.com
                                plus.l.google.com
                                IN A
                                142.250.200.14
                              • flag-us
                                DNS
                                apis.google.com
                                chrome.exe
                                Remote address:
                                8.8.8.8:53
                                Request
                                apis.google.com
                                IN A
                              • flag-us
                                DNS
                                play.google.com
                                chrome.exe
                                Remote address:
                                8.8.8.8:53
                                Request
                                play.google.com
                                IN A
                                Response
                                play.google.com
                                IN A
                                172.217.169.46
                              • 185.199.108.133:443
                                raw.githubusercontent.com
                                tls
                                chrome.exe
                                1.0kB
                                4.8kB
                                10
                                10
                              • 185.199.108.133:443
                                raw.githubusercontent.com
                                tls
                                chrome.exe
                                1.0kB
                                4.8kB
                                10
                                10
                              • 216.58.212.195:80
                                http://www.gstatic.com/generate_204
                                http
                                chrome.exe
                                867 B
                                726 B
                                12
                                10

                                HTTP Request

                                GET http://www.gstatic.com/generate_204

                                HTTP Response

                                204
                              • 142.250.187.196:443
                                www.google.com
                                tls
                                chrome.exe
                                953 B
                                4.6kB
                                8
                                9
                              • 8.8.8.8:53
                                raw.githubusercontent.com
                                dns
                                chrome.exe
                                71 B
                                135 B
                                1
                                1

                                DNS Request

                                raw.githubusercontent.com

                                DNS Response

                                185.199.108.133
                                185.199.109.133
                                185.199.110.133
                                185.199.111.133

                              • 224.0.0.251:5353
                                chrome.exe
                                204 B
                                3
                              • 8.8.8.8:53
                                www.google.com
                                dns
                                chrome.exe
                                60 B
                                76 B
                                1
                                1

                                DNS Request

                                www.google.com

                                DNS Response

                                142.250.187.196

                              • 142.250.187.196:443
                                www.google.com
                                https
                                chrome.exe
                                5.4kB
                                47.6kB
                                37
                                47
                              • 8.8.8.8:53
                                apis.google.com
                                dns
                                chrome.exe
                                122 B
                                98 B
                                2
                                1

                                DNS Request

                                apis.google.com

                                DNS Request

                                apis.google.com

                                DNS Response

                                142.250.200.14

                              • 8.8.8.8:53
                                play.google.com
                                dns
                                chrome.exe
                                61 B
                                77 B
                                1
                                1

                                DNS Request

                                play.google.com

                                DNS Response

                                172.217.169.46

                              • 172.217.169.46:443
                                play.google.com
                                https
                                chrome.exe
                                4.7kB
                                7.7kB
                                11
                                11
                              • 142.250.200.14:443
                                apis.google.com
                                https
                                chrome.exe
                                4.8kB
                                52.2kB
                                27
                                45

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

                                Filesize

                                264KB

                                MD5

                                f50f89a0a91564d0b8a211f8921aa7de

                                SHA1

                                112403a17dd69d5b9018b8cede023cb3b54eab7d

                                SHA256

                                b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                SHA512

                                bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                Filesize

                                4KB

                                MD5

                                59371578eeb620f971489711a87fc53e

                                SHA1

                                fc8729f07decd0b3b39439a5fb83e9b55af36ad1

                                SHA256

                                e60fa919b26eaf9dd87421881b08b1cb716a59990c9eb4c027d28028bf0680bd

                                SHA512

                                4b7b5ba64b17173b93d0f8b0b68a655f2bc7de9422bdcd7243d735ee4cde99ba8b9c8a463105e5242fed07fe340e882d3128568b91fc145329c3b0edd095123c

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                Filesize

                                4KB

                                MD5

                                7efb63e1c28955bfc51297041578854b

                                SHA1

                                f824953458cfda08e06341285297d44d1455eb9f

                                SHA256

                                a29246351323cf5985410564a5d70f8263e1dfc5e74b48ff55795fa53842ff04

                                SHA512

                                0e319ad6a0ebb265c5c86a7abcd4a1964742f44f6860a6ce1c9c949a98f087fbef5095f4c462fefe08a7e52610faabb2c453805d767deb265db019fa09e50c8d

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

                                Filesize

                                16B

                                MD5

                                18e723571b00fb1694a3bad6c78e4054

                                SHA1

                                afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                                SHA256

                                8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                                SHA512

                                43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                              • C:\Users\Admin\AppData\Local\Temp\CabA343.tmp

                                Filesize

                                70KB

                                MD5

                                49aebf8cbd62d92ac215b2923fb1b9f5

                                SHA1

                                1723be06719828dda65ad804298d0431f6aff976

                                SHA256

                                b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                SHA512

                                bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                              • C:\Users\Admin\AppData\Local\Temp\TarA385.tmp

                                Filesize

                                181KB

                                MD5

                                4ea6026cf93ec6338144661bf1202cd1

                                SHA1

                                a1dec9044f750ad887935a01430bf49322fbdcb7

                                SHA256

                                8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                SHA512

                                6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                              We care about your privacy.

                              This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.