Analysis

max time kernel: 52s
max time network: 151s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 09-11-2024 21:47
Static task: static1

Behavioral task: behavioral1
  Sample: Loader.exe
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: Loader.exe
  Resource: win10v2004-20241007-en
General

Target: Loader.exe
Size: 3.9MB
MD5: 47a3da93e56b32634ef75d89326eddfd
SHA1: c713ae03c5ca84d5b9d00c3766976a80ff4870f9
SHA256: 9da77aa713f1d8a0c0491326e6b187f57c59a9ac9988765913ad837b59dd0687
SHA512: 94a936ed621f8aee938bd9e58827723243519c282591d00713f5825c465d2e68b8598911bba712d1a62795d380e4c19b04449a4333983484b03f051fdad18ad6
SSDEEP: 98304:Nk1zJMJNrH1Z236EYzNVGm+xI7jfg/7KlTrzTGnI4A/z1Vre:q1zJSVHD236JXjY/7KFKnCz1Ze
Malware Config

Extracted
Family: asyncrat
Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Botnet: Default
C2: 193.161.193.99:53757
Mutex: qfufsslmpoqmfov
Attributes:
  delay: 1
  install: true
  install_file: Runtime Broker.exe
  install_folder: %AppData%
Signatures

Asyncrat family

Suspicious use of NtCreateUserProcessOtherParentProcess (14 IoCs)
Processes: 1028vcpu.exe, updater.exe
description | pid | Process | procid_target
PID 2984 created 1188 | 2984 | 1028vcpu.exe | 21  (7 identical rows)
PID 2928 created 1188 | 2928 | updater.exe | 21  (7 identical rows)
Async RAT payload (1 IoC)
resource | yara_rule
behavioral1/files/0x0004000000004ed7-9.dat | family_asyncrat
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes: powershell.exe, powershell.exe
pid | Process
2784 | powershell.exe
1892 | powershell.exe
Executes dropped EXE (3 IoCs)
Processes: Runtime Broker.exe, 1028vcpu.exe, updater.exe
pid | Process
2804 | Runtime Broker.exe
2984 | 1028vcpu.exe
2928 | updater.exe
Loads dropped DLL (2 IoCs)
Processes: Loader.exe, services.exe
pid | Process
2064 | Loader.exe
472 | services.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | ip-api.com
Power Settings (1 TTP, 10 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes: powercfg.exe (x8), cmd.exe (x2)
pid | Process
2456 | powercfg.exe
3020 | powercfg.exe
2124 | powercfg.exe
1032 | cmd.exe
2964 | powercfg.exe
2388 | powercfg.exe
2592 | powercfg.exe
2044 | powercfg.exe
1008 | powercfg.exe
1072 | cmd.exe
Drops file in System32 directory (6 IoCs)
Processes: services.exe, powershell.exe, powershell.exe, svchost.exe
description | ioc | Process
File opened for modification | C:\Windows\system32\logfiles\scm\699dd95e-cbfb-44c8-bf55-c9df6f5bc114 | services.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC | svchost.exe
File created | C:\Windows\system32\logfiles\scm\699dd95e-cbfb-44c8-bf55-c9df6f5bc114 | services.exe
Suspicious use of SetThreadContext (4 IoCs)
Processes: 1028vcpu.exe, updater.exe
description | pid | Process | procid_target
PID 2984 set thread context of 1232 | 2984 | 1028vcpu.exe | 45
PID 2928 set thread context of 2424 | 2928 | updater.exe | 68
PID 2928 set thread context of 940 | 2928 | updater.exe | 75
PID 2928 set thread context of 584 | 2928 | updater.exe | 76
Drops file in Program Files directory (1 IoC)
Processes: 1028vcpu.exe
description | ioc | Process
File created | C:\Program Files\Google\Chrome\updater.exe | 1028vcpu.exe
Drops file in Windows directory (1 IoC)
Processes: svchost.exe
description | ioc | Process
File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | svchost.exe
Launches sc.exe (10 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (x10)
pid | Process
2816 | sc.exe
2252 | sc.exe
824 | sc.exe
2316 | sc.exe
1036 | sc.exe
2588 | sc.exe
480 | sc.exe
2220 | sc.exe
1612 | sc.exe
2244 | sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (2 IoCs)
Processes: powershell.exe
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40b6e419f132db01 | powershell.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid | Process
2576 | schtasks.exe
1920 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 1028vcpu.exe, powershell.exe, dialer.exe
pid | Process (64 rows in the report; the three distinct entries, each repeated many times)
2984 | 1028vcpu.exe
2784 | powershell.exe
1232 | dialer.exe
Suspicious use of AdjustPrivilegeToken (55 IoCs)
Processes: Loader.exe, Runtime Broker.exe, powershell.exe, dialer.exe, powercfg.exe (x4), svchost.exe, powershell.exe, dialer.exe, powercfg.exe (x4)
Token | pid | Process
SeDebugPrivilege | 2064 | Loader.exe
SeDebugPrivilege | 2804 | Runtime Broker.exe
The following 20-token sequence, recorded twice in succession for 2804 Runtime Broker.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
SeDebugPrivilege | 2784 | powershell.exe
SeDebugPrivilege | 1232 | dialer.exe
SeShutdownPrivilege | 2044 | powercfg.exe
SeShutdownPrivilege | 2388 | powercfg.exe
SeShutdownPrivilege | 2964 | powercfg.exe
SeShutdownPrivilege | 1008 | powercfg.exe
SeAuditPrivilege | 856 | svchost.exe
SeDebugPrivilege | 1892 | powershell.exe
SeDebugPrivilege | 2424 | dialer.exe
SeShutdownPrivilege | 2456 | powercfg.exe
SeShutdownPrivilege | 3020 | powercfg.exe
SeShutdownPrivilege | 2592 | powercfg.exe
SeShutdownPrivilege | 2124 | powercfg.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: Loader.exe, cmd.exe, 1028vcpu.exe, dialer.exe, cmd.exe
description | pid | Process | procid_target
PID 2064 wrote to memory of 2804 | 2064 | Loader.exe | 32  (3 identical rows)
PID 2064 wrote to memory of 2984 | 2064 | Loader.exe | 33  (3 identical rows)
PID 2716 wrote to memory of 2816 | 2716 | cmd.exe | 38  (3 identical rows)
PID 2716 wrote to memory of 1036 | 2716 | cmd.exe | 39  (3 identical rows)
PID 2716 wrote to memory of 2588 | 2716 | cmd.exe | 40  (3 identical rows)
PID 2716 wrote to memory of 480 | 2716 | cmd.exe | 41  (3 identical rows)
PID 2716 wrote to memory of 2220 | 2716 | cmd.exe | 42  (3 identical rows)
PID 2984 wrote to memory of 1232 | 2984 | 1028vcpu.exe | 45
PID 1232 wrote to memory of 428 | 1232 | dialer.exe | 5
PID 1232 wrote to memory of 472 | 1232 | dialer.exe | 6
PID 1232 wrote to memory of 488 | 1232 | dialer.exe | 7
PID 1232 wrote to memory of 496 | 1232 | dialer.exe | 8
PID 1232 wrote to memory of 604 | 1232 | dialer.exe | 9
PID 1232 wrote to memory of 688 | 1232 | dialer.exe | 10
PID 1032 wrote to memory of 2044 | 1032 | cmd.exe | 48  (3 identical rows)
PID 1232 wrote to memory of 768 | 1232 | dialer.exe | 11
PID 1232 wrote to memory of 828 | 1232 | dialer.exe | 12
PID 1232 wrote to memory of 856 | 1232 | dialer.exe | 13
PID 1232 wrote to memory of 976 | 1232 | dialer.exe | 15
PID 1232 wrote to memory of 284 | 1232 | dialer.exe | 16
PID 1232 wrote to memory of 956 | 1232 | dialer.exe | 17
PID 1232 wrote to memory of 1080 | 1232 | dialer.exe | 18
PID 1232 wrote to memory of 1096 | 1232 | dialer.exe | 19
PID 1232 wrote to memory of 1160 | 1232 | dialer.exe | 20
PID 1232 wrote to memory of 1188 | 1232 | dialer.exe | 21
PID 1232 wrote to memory of 1608 | 1232 | dialer.exe | 23
PID 1232 wrote to memory of 1660 | 1232 | dialer.exe | 24
PID 1232 wrote to memory of 552 | 1232 | dialer.exe | 25
PID 1232 wrote to memory of 2876 | 1232 | dialer.exe | 26
PID 1232 wrote to memory of 1524 | 1232 | dialer.exe | 27
PID 1232 wrote to memory of 1936 | 1232 | dialer.exe | 30
PID 1232 wrote to memory of 2804 | 1232 | dialer.exe | 32
PID 1232 wrote to memory of 2984 | 1232 | dialer.exe | 33
PID 1232 wrote to memory of 1032 | 1232 | dialer.exe | 43
PID 1232 wrote to memory of 1732 | 1232 | dialer.exe | 44
PID 1232 wrote to memory of 620 | 1232 | dialer.exe | 46
PID 1232 wrote to memory of 3016 | 1232 | dialer.exe | 47
PID 1032 wrote to memory of 2388 | 1032 | cmd.exe | 49  (3 identical rows)
PID 1232 wrote to memory of 2388 | 1232 | dialer.exe | 49
PID 1032 wrote to memory of 2964 | 1032 | cmd.exe | 50  (3 identical rows)
PID 1232 wrote to memory of 2964 | 1232 | dialer.exe | 50  (2 identical rows)
PID 1232 wrote to memory of 2576 | 1232 | dialer.exe | 51
PID 1032 wrote to memory of 1008 | 1032 | cmd.exe | 53
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Each entry: image path | cmd: command line | PID | signatures. Nesting follows the parent/child tree recorded by the sandbox.

- C:\Windows\system32\winlogon.exe | cmd: winlogon.exe | PID 428
- C:\Windows\system32\services.exe | cmd: C:\Windows\system32\services.exe | PID 472 | signatures: Loads dropped DLL; Drops file in System32 directory
  - C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | PID 604
    - C:\Windows\system32\wbem\wmiprvse.exe | cmd: C:\Windows\system32\wbem\wmiprvse.exe | PID 1660
    - C:\Windows\system32\DllHost.exe | cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 552
    - C:\Windows\system32\wbem\wmiprvse.exe | cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | PID 1936
  - C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k RPCSS | PID 688
  - C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID 768
  - C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | PID 828
    - C:\Windows\system32\Dwm.exe | cmd: "C:\Windows\system32\Dwm.exe" | PID 1160
  - C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs | PID 856 | signatures: Drops file in System32 directory; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalService | PID 976
  - C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k NetworkService | PID 284
  - C:\Windows\System32\spoolsv.exe | cmd: C:\Windows\System32\spoolsv.exe | PID 956
  - C:\Windows\system32\taskhost.exe | cmd: "taskhost.exe" | PID 1080
  - C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | PID 1096
  - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | cmd: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" | PID 1608
  - C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | PID 2876
  - C:\Windows\system32\sppsvc.exe | cmd: C:\Windows\system32\sppsvc.exe | PID 1524
  - C:\Program Files\Google\Chrome\updater.exe | cmd: "C:\Program Files\Google\Chrome\updater.exe" | PID 2928 | signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious use of SetThreadContext
- C:\Windows\system32\lsass.exe | cmd: C:\Windows\system32\lsass.exe | PID 488
- C:\Windows\system32\lsm.exe | cmd: C:\Windows\system32\lsm.exe | PID 496
- C:\Windows\Explorer.EXE | cmd: C:\Windows\Explorer.EXE | PID 1188
  - C:\Users\Admin\AppData\Local\Temp\Loader.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 2064 | signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" | PID 2804 | signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\1028vcpu.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\1028vcpu.exe" | PID 2984 | signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force | PID 2784 | signatures: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe | cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc | PID 2716 | signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\sc.exe | cmd: sc stop UsoSvc | PID 2816 | signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe | cmd: sc stop WaaSMedicSvc | PID 1036 | signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe | cmd: sc stop wuauserv | PID 2588 | signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe | cmd: sc stop bits | PID 480 | signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe | cmd: sc stop dosvc | PID 2220 | signatures: Launches sc.exe
  - C:\Windows\System32\cmd.exe | cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 | PID 1032 | signatures: Power Settings; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\powercfg.exe | cmd: powercfg /x -hibernate-timeout-ac 0 | PID 2044 | signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe | cmd: powercfg /x -hibernate-timeout-dc 0 | PID 2388 | signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe | cmd: powercfg /x -standby-timeout-ac 0 | PID 2964 | signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe | cmd: powercfg /x -standby-timeout-dc 0 | PID 1008 | signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\dialer.exe | cmd: C:\Windows\System32\dialer.exe | PID 1232 | signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe | cmd: C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC" | PID 620
  - C:\Windows\System32\schtasks.exe | cmd: C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xdzcihgbspge.xml" | PID 2576 | signatures: Scheduled Task/Job: Scheduled Task
  - C:\Windows\System32\schtasks.exe | cmd: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC" | PID 2016
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force | PID 1892 | signatures: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe | cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc | PID 1888
    - C:\Windows\System32\sc.exe | cmd: sc stop UsoSvc | PID 2252 | signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe | cmd: sc stop WaaSMedicSvc | PID 824 | signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe | cmd: sc stop wuauserv | PID 1612 | signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe | cmd: sc stop bits | PID 2244 | signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe | cmd: sc stop dosvc | PID 2316 | signatures: Launches sc.exe
  - C:\Windows\System32\cmd.exe | cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 | PID 1072 | signatures: Power Settings
    - C:\Windows\System32\powercfg.exe | cmd: powercfg /x -hibernate-timeout-ac 0 | PID 2456 | signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe | cmd: powercfg /x -hibernate-timeout-dc 0 | PID 3020 | signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe | cmd: powercfg /x -standby-timeout-ac 0 | PID 2592 | signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe | cmd: powercfg /x -standby-timeout-dc 0 | PID 2124 | signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\dialer.exe | cmd: C:\Windows\System32\dialer.exe | PID 2424 | signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe | cmd: C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xdzcihgbspge.xml" | PID 1920 | signatures: Scheduled Task/Job: Scheduled Task
  - C:\Windows\System32\dialer.exe | cmd: C:\Windows\System32\dialer.exe | PID 940
  - C:\Windows\System32\dialer.exe | cmd: C:\Windows\System32\dialer.exe | PID 584
- C:\Windows\system32\conhost.exe | cmd: \??\C:\Windows\system32\conhost.exe "494496191318555972-1738869403-1869498514-12689121811072265180-12174978162029514293" | PID 1732
- C:\Windows\system32\conhost.exe | cmd: \??\C:\Windows\system32\conhost.exe "-2084177344-808535898737400982-1722346883-917344898786564855-717977791-1369285479" | PID 3016
- C:\Windows\system32\conhost.exe | cmd: \??\C:\Windows\system32\conhost.exe "-769525399-37710208820061186592020407174-169253292514626033-18192214481360851352" | PID 1144
- C:\Windows\system32\conhost.exe | cmd: \??\C:\Windows\system32\conhost.exe "1587951643221127978-18434015711051289986-1163394789-1193287312-6766688541835914138" | PID 2892
- C:\Windows\system32\conhost.exe | cmd: \??\C:\Windows\system32\conhost.exe "609843865-60587387-1302059031500626100850730787-170157551-1457115141587697297" | PID 904
- C:\Windows\system32\conhost.exe | cmd: \??\C:\Windows\system32\conhost.exe "1768143594-482197904-908122162-10868169948681070491950405799768953578523075794" | PID 2460
- C:\Windows\system32\conhost.exe | cmd: \??\C:\Windows\system32\conhost.exe "-13622785671720907004-1667832532815739943-1846038395-966259376-1955261934-231314931" | PID 1364
- C:\Windows\system32\conhost.exe | cmd: \??\C:\Windows\system32\conhost.exe "-144064352918495135352143255852-617084331-1353230321-11612669222144278232-264733511" | PID 1620
Network
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
- System Services (1): Service Execution (1)

Persistence
- Create or Modify System Process (1): Windows Service (1)
- Power Settings (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads

- Filesize: 74KB
  MD5: 64c25e40b34077521c03f110c6e94d2c
  SHA1: a4667123f6a1fa9ca8759590efe9bb44bff217a0
  SHA256: f17d6b33fa63c6aecbb4d313a2230359c04e294ccf699a78b3a581abb84b197d
  SHA512: d8c48bc095ccc794d6eb788d13d81d05d02eb7ddd2f9f2f063ffa9db48158da59d3061d9d50182f1007d443e13aae20aa5506daa6cb04565a13de2964657c14b
- Filesize: 1KB
  MD5: 546d67a48ff2bf7682cea9fac07b942e
  SHA1: a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
  SHA256: eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
  SHA512: 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe
- Filesize: 2KB
  MD5: 358e489c69a8521a66a403c7ad542b9c
  SHA1: 1377e6114996ec394de1045e6807f297e0879358
  SHA256: a15b2504490e51391c99243904d37c299cb5aeab207b41c5463195ad4321dc75
  SHA512: ac86aea08341604c8d9b9f0361b41dcae8c24aaef512b48e0ec9834a7c18ca8a21a885040c5ff397c015c8b74948fdc6771c10c807238a4947bdddae8daaa5bc
- Filesize: 5.4MB
  MD5: 87ac8e9f1ea0e0117272a7f77354bdfd
  SHA1: 65803c76e14f7a18a9e633885fa52fc6f68c19e0
  SHA256: 8b65c3e8a8c9ba6d705ff09b0149fe9fa1b6160e891cb5aefc9d10839fdf1bfb
  SHA512: 8faff8921a6e46782a285bb50334021ab51e168346e40b38606957a43f9ffb9a6749a4f19fe088576c043b2c8f4adc9de9e575f99a5d51bbcc70a044e3b5bad3