stealc | 68137be68173e0258cabb670f93c1ce81669acd367119e268568d5781496ca61

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f33c7b978d078a797f2ee0d6d0783682.exe
Size

382KB
MD5

f33c7b978d078a797f2ee0d6d0783682
SHA1

83efd5987a1874bc00cbab51bbcbe00dba1f1b39
SHA256

68137be68173e0258cabb670f93c1ce81669acd367119e268568d5781496ca61
SHA512

bcf4808d5d4af377b3e90e0ea09383465d26d99a354e87edcfe8967c712f1f98236e1789b14f5a3d64c77c69084587364dd7bc6b085833d29ab1ccd44f2e3fb1
SSDEEP

3072:VUVF4fI95c1wYBcG9N8c8lk+J76sw30WF2ozwPAPnJOVGXagKW1ZJOTxx5P/u5ls:VqKwYBfnw5WFd9PEoZe/o7A4XXJ

Score

10^/10

stealc xmrig logsdiller credential_access discovery evasion execution miner persistence spyware stealer themida trojan

Malware Config

Extracted

Family

stealc

Botnet

LogsDiller

http://185.201.252.118

Attributes

url_path
/ef952bc0f542da4b.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

CGDGHCBGDH.exeupdater.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CGDGHCBGDH.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 18 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1120-160-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1120-161-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1120-174-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1120-173-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1120-172-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1120-171-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1120-165-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1120-163-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1120-162-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1120-159-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1120-175-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1120-167-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1120-164-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1120-158-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1120-176-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1120-178-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1120-179-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1120-180-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

5108 powershell.exe
988 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

CGDGHCBGDH.exeupdater.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts CGDGHCBGDH.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
5108	powershell.exe
988	powershell.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	CGDGHCBGDH.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CGDGHCBGDH.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CGDGHCBGDH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CGDGHCBGDH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f33c7b978d078a797f2ee0d6d0783682.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	f33c7b978d078a797f2ee0d6d0783682.exe

Executes dropped EXE 2 IoCs

Processes:

CGDGHCBGDH.exeupdater.exe

pid process

3432 CGDGHCBGDH.exe
1432 updater.exe
Loads dropped DLL 2 IoCs

Processes:

f33c7b978d078a797f2ee0d6d0783682.exe

pid process

3972 f33c7b978d078a797f2ee0d6d0783682.exe
3972 f33c7b978d078a797f2ee0d6d0783682.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
3432	CGDGHCBGDH.exe
1432	updater.exe

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\ProgramData\CGDGHCBGDH.exe	themida
behavioral2/memory/3432-84-0x00007FF77F6C0000-0x00007FF7805EF000-memory.dmp	themida
behavioral2/memory/3432-83-0x00007FF77F6C0000-0x00007FF7805EF000-memory.dmp	themida
behavioral2/memory/3432-87-0x00007FF77F6C0000-0x00007FF7805EF000-memory.dmp	themida
behavioral2/memory/3432-88-0x00007FF77F6C0000-0x00007FF7805EF000-memory.dmp	themida
behavioral2/memory/3432-91-0x00007FF77F6C0000-0x00007FF7805EF000-memory.dmp	themida
behavioral2/memory/3432-111-0x00007FF77F6C0000-0x00007FF7805EF000-memory.dmp	themida
behavioral2/memory/1432-114-0x00007FF6476F0000-0x00007FF64861F000-memory.dmp	themida
behavioral2/memory/1432-115-0x00007FF6476F0000-0x00007FF64861F000-memory.dmp	themida
behavioral2/memory/1432-116-0x00007FF6476F0000-0x00007FF64861F000-memory.dmp	themida
behavioral2/memory/1432-117-0x00007FF6476F0000-0x00007FF64861F000-memory.dmp	themida
behavioral2/memory/1432-170-0x00007FF6476F0000-0x00007FF64861F000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

CGDGHCBGDH.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CGDGHCBGDH.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

4992 powercfg.exe
3308 powercfg.exe
2020 powercfg.exe
608 powercfg.exe
992 powercfg.exe
3924 powercfg.exe
5108 powercfg.exe
2236 powercfg.exe

pid	process
4992	powercfg.exe
3308	powercfg.exe
2020	powercfg.exe
608	powercfg.exe
992	powercfg.exe
3924	powercfg.exe
5108	powercfg.exe
2236	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

updater.exeCGDGHCBGDH.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File opened for modification	C:\Windows\system32\MRT.exe	CGDGHCBGDH.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

CGDGHCBGDH.exeupdater.exe

pid process

3432 CGDGHCBGDH.exe
1432 updater.exe

pid	process
3432	CGDGHCBGDH.exe
1432	updater.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 1432 set thread context of 4236	1432	updater.exe	conhost.exe
PID 1432 set thread context of 1120	1432	updater.exe	explorer.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2892	sc.exe
2612	sc.exe
4540	sc.exe
4052	sc.exe
4824	sc.exe
3864	sc.exe
2548	sc.exe
4860	sc.exe
1088	sc.exe
2128	sc.exe
3920	sc.exe
4600	sc.exe
2220	sc.exe
2268	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

384 3972 WerFault.exe f33c7b978d078a797f2ee0d6d0783682.exe

pid	pid_target	process	target process
384	3972	WerFault.exe	f33c7b978d078a797f2ee0d6d0783682.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f33c7b978d078a797f2ee0d6d0783682.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f33c7b978d078a797f2ee0d6d0783682.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f33c7b978d078a797f2ee0d6d0783682.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f33c7b978d078a797f2ee0d6d0783682.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f33c7b978d078a797f2ee0d6d0783682.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f33c7b978d078a797f2ee0d6d0783682.exeCGDGHCBGDH.exepowershell.exeupdater.exepowershell.exeexplorer.exe

pid	process
3972	f33c7b978d078a797f2ee0d6d0783682.exe
3972	f33c7b978d078a797f2ee0d6d0783682.exe
3972	f33c7b978d078a797f2ee0d6d0783682.exe
3972	f33c7b978d078a797f2ee0d6d0783682.exe
3432	CGDGHCBGDH.exe
5108	powershell.exe
5108	powershell.exe
3432	CGDGHCBGDH.exe
3432	CGDGHCBGDH.exe
3432	CGDGHCBGDH.exe
3432	CGDGHCBGDH.exe
3432	CGDGHCBGDH.exe
3432	CGDGHCBGDH.exe
3432	CGDGHCBGDH.exe
3432	CGDGHCBGDH.exe
3432	CGDGHCBGDH.exe
3432	CGDGHCBGDH.exe
3432	CGDGHCBGDH.exe
3432	CGDGHCBGDH.exe
3432	CGDGHCBGDH.exe
3432	CGDGHCBGDH.exe
1432	updater.exe
988	powershell.exe
988	powershell.exe
1432	updater.exe
1432	updater.exe
1432	updater.exe
1432	updater.exe
1432	updater.exe
1432	updater.exe
1432	updater.exe
1432	updater.exe
1432	updater.exe
1432	updater.exe
1432	updater.exe
1432	updater.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe
1120	explorer.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeShutdownPrivilege	608	powercfg.exe
Token: SeCreatePagefilePrivilege	608	powercfg.exe
Token: SeShutdownPrivilege	3308	powercfg.exe
Token: SeCreatePagefilePrivilege	3308	powercfg.exe
Token: SeShutdownPrivilege	992	powercfg.exe
Token: SeCreatePagefilePrivilege	992	powercfg.exe
Token: SeShutdownPrivilege	2020	powercfg.exe
Token: SeCreatePagefilePrivilege	2020	powercfg.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeShutdownPrivilege	3924	powercfg.exe
Token: SeCreatePagefilePrivilege	3924	powercfg.exe
Token: SeShutdownPrivilege	4992	powercfg.exe
Token: SeCreatePagefilePrivilege	4992	powercfg.exe
Token: SeShutdownPrivilege	2236	powercfg.exe
Token: SeCreatePagefilePrivilege	2236	powercfg.exe
Token: SeShutdownPrivilege	5108	powercfg.exe
Token: SeCreatePagefilePrivilege	5108	powercfg.exe
Token: SeLockMemoryPrivilege	1120	explorer.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

f33c7b978d078a797f2ee0d6d0783682.execmd.execmd.execmd.exeupdater.exe

description	pid	process	target process
PID 3972 wrote to memory of 1660	3972	f33c7b978d078a797f2ee0d6d0783682.exe	cmd.exe
PID 3972 wrote to memory of 1660	3972	f33c7b978d078a797f2ee0d6d0783682.exe	cmd.exe
PID 3972 wrote to memory of 1660	3972	f33c7b978d078a797f2ee0d6d0783682.exe	cmd.exe
PID 1660 wrote to memory of 3432	1660	cmd.exe	CGDGHCBGDH.exe
PID 1660 wrote to memory of 3432	1660	cmd.exe	CGDGHCBGDH.exe
PID 756 wrote to memory of 2028	756	cmd.exe	wusa.exe
PID 756 wrote to memory of 2028	756	cmd.exe	wusa.exe
PID 4888 wrote to memory of 1828	4888	cmd.exe	wusa.exe
PID 4888 wrote to memory of 1828	4888	cmd.exe	wusa.exe
PID 1432 wrote to memory of 4236	1432	updater.exe	conhost.exe
PID 1432 wrote to memory of 4236	1432	updater.exe	conhost.exe
PID 1432 wrote to memory of 4236	1432	updater.exe	conhost.exe
PID 1432 wrote to memory of 4236	1432	updater.exe	conhost.exe
PID 1432 wrote to memory of 4236	1432	updater.exe	conhost.exe
PID 1432 wrote to memory of 4236	1432	updater.exe	conhost.exe
PID 1432 wrote to memory of 4236	1432	updater.exe	conhost.exe
PID 1432 wrote to memory of 4236	1432	updater.exe	conhost.exe
PID 1432 wrote to memory of 4236	1432	updater.exe	conhost.exe
PID 1432 wrote to memory of 1120	1432	updater.exe	explorer.exe
PID 1432 wrote to memory of 1120	1432	updater.exe	explorer.exe
PID 1432 wrote to memory of 1120	1432	updater.exe	explorer.exe
PID 1432 wrote to memory of 1120	1432	updater.exe	explorer.exe
PID 1432 wrote to memory of 1120	1432	updater.exe	explorer.exe
PID 1432 wrote to memory of 1120	1432	updater.exe	explorer.exe
PID 1432 wrote to memory of 1120	1432	updater.exe	explorer.exe
PID 1432 wrote to memory of 1120	1432	updater.exe	explorer.exe
PID 1432 wrote to memory of 1120	1432	updater.exe	explorer.exe
PID 1432 wrote to memory of 1120	1432	updater.exe	explorer.exe
PID 1432 wrote to memory of 1120	1432	updater.exe	explorer.exe
PID 1432 wrote to memory of 1120	1432	updater.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\f33c7b978d078a797f2ee0d6d0783682.exe
"C:\Users\Admin\AppData\Local\Temp\f33c7b978d078a797f2ee0d6d0783682.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\CGDGHCBGDH.exe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1660

C:\ProgramData\CGDGHCBGDH.exe
"C:\ProgramData\CGDGHCBGDH.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3432

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
4⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:2028

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
4⤵
- Launches sc.exe
PID:4860

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1088

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
4⤵
- Launches sc.exe
PID:4052

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
4⤵
- Launches sc.exe
PID:4824

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
4⤵
- Launches sc.exe
PID:2128

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
4⤵
- Launches sc.exe
PID:3920

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
4⤵
- Launches sc.exe
PID:2220

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:2892

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
4⤵
- Launches sc.exe
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 2820
2⤵
- Program crash
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3972 -ip 3972
1⤵
PID:3088

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:1828

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:3864

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:2612

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:4540

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:2548

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:2268

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:4236

C:\Windows\explorer.exe
explorer.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CGDGHCBGDH.exe

Filesize
8.2MB

MD5
c4a1368749a5ea69504c36431734c231

SHA1
45c70aa850d55a404f771c5dbc9f5d790c3fb1ea

SHA256
b4900787a4ded9b363b551b33f927b73e52eae1edf891faacde88b17bbcab7ac

SHA512
45b35dfc9e57798b073a09c72272b74c699898610a2637554cc3ae02c7637915e11e5cd085e62853f9bb468f28eea5994dd26c57b9e2e02e453ad298f6c1c7e9

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dn3ezmgi.os4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
memory/988-143-0x000001BC5B8F0000-0x000001BC5B8F6000-memory.dmp

Filesize
24KB

Download
memory/988-144-0x000001BC5B900000-0x000001BC5B90A000-memory.dmp

Filesize
40KB

Download
memory/988-142-0x000001BC5B8C0000-0x000001BC5B8C8000-memory.dmp

Filesize
32KB

Download
memory/988-141-0x000001BC5B910000-0x000001BC5B92A000-memory.dmp

Filesize
104KB

Download
memory/988-140-0x000001BC5B8B0000-0x000001BC5B8BA000-memory.dmp

Filesize
40KB

Download
memory/988-139-0x000001BC5B8D0000-0x000001BC5B8EC000-memory.dmp

Filesize
112KB

Download
memory/988-138-0x000001BC5B440000-0x000001BC5B44A000-memory.dmp

Filesize
40KB

Download
memory/988-137-0x000001BC5B6B0000-0x000001BC5B765000-memory.dmp

Filesize
724KB

Download
memory/988-136-0x000001BC5B690000-0x000001BC5B6AC000-memory.dmp

Filesize
112KB

Download
memory/1120-173-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1120-157-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1120-180-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1120-179-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1120-178-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1120-176-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1120-158-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1120-164-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1120-161-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1120-174-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1120-172-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1120-171-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1120-167-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1120-160-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1120-175-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1120-159-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1120-162-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1120-163-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1120-165-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1120-168-0x00000000008F0000-0x0000000000910000-memory.dmp

Filesize
128KB

Download
memory/1432-117-0x00007FF6476F0000-0x00007FF64861F000-memory.dmp

Filesize
15.2MB

Download
memory/1432-116-0x00007FF6476F0000-0x00007FF64861F000-memory.dmp

Filesize
15.2MB

Download
memory/1432-115-0x00007FF6476F0000-0x00007FF64861F000-memory.dmp

Filesize
15.2MB

Download
memory/1432-170-0x00007FF6476F0000-0x00007FF64861F000-memory.dmp

Filesize
15.2MB

Download
memory/1432-114-0x00007FF6476F0000-0x00007FF64861F000-memory.dmp

Filesize
15.2MB

Download
memory/3432-88-0x00007FF77F6C0000-0x00007FF7805EF000-memory.dmp

Filesize
15.2MB

Download
memory/3432-84-0x00007FF77F6C0000-0x00007FF7805EF000-memory.dmp

Filesize
15.2MB

Download
memory/3432-91-0x00007FF77F6C0000-0x00007FF7805EF000-memory.dmp

Filesize
15.2MB

Download
memory/3432-111-0x00007FF77F6C0000-0x00007FF7805EF000-memory.dmp

Filesize
15.2MB

Download
memory/3432-87-0x00007FF77F6C0000-0x00007FF7805EF000-memory.dmp

Filesize
15.2MB

Download
memory/3432-83-0x00007FF77F6C0000-0x00007FF7805EF000-memory.dmp

Filesize
15.2MB

Download
memory/3432-86-0x00007FFA9F4B0000-0x00007FFA9F4B2000-memory.dmp

Filesize
8KB

Download
memory/3972-2-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/3972-89-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/3972-1-0x00000000009C0000-0x0000000000AC0000-memory.dmp

Filesize
1024KB

Download
memory/3972-3-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3972-81-0x00000000009C0000-0x0000000000AC0000-memory.dmp

Filesize
1024KB

Download
memory/3972-85-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/4236-152-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4236-153-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4236-149-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4236-151-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4236-150-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4236-156-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5108-104-0x00007FFA9F410000-0x00007FFA9F605000-memory.dmp

Filesize
2.0MB

Download
memory/5108-108-0x00007FFA9F410000-0x00007FFA9F605000-memory.dmp

Filesize
2.0MB

Download
memory/5108-93-0x00007FFA9F410000-0x00007FFA9F605000-memory.dmp

Filesize
2.0MB

Download
memory/5108-105-0x0000024E31CC0000-0x0000024E31CE2000-memory.dmp

Filesize
136KB

Download
memory/5108-100-0x00007FFA9F410000-0x00007FFA9F605000-memory.dmp

Filesize
2.0MB

Download