ffba2de6237d1542f5b596e5f44be49ea9183253193d598ff0ca328ad6131d1a

Analysis

max time kernel
142s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

systemuser32.exe
Size

20.6MB
MD5

e481a457b7e963581ea60a9cff53f150
SHA1

71c44a94492747a651c6cee7e99cade3ae314dc4
SHA256

ffba2de6237d1542f5b596e5f44be49ea9183253193d598ff0ca328ad6131d1a
SHA512

dcb9f4321281b291c96798a5e04b7e2b9fca4c1f6720387b047440f484757008d7b3cfa16c2ad2f8758a5e2fd204e20b5f94252772a0a31fd265be98233e5103
SSDEEP

393216:ZVIREJbgCTGGATTgGO09XCrgBIPg17XmH65jivecT/h41Sba:ZVIREJbgCSGKkGfXxIY17e65evbhKi

Score

10^/10

discovery execution pyinstaller

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

systemuser.exeupdater.exe

description	pid	process	target process
PID 2580 created 1116	2580	systemuser.exe	Explorer.EXE
PID 2580 created 1116	2580	systemuser.exe	Explorer.EXE
PID 2332 created 1116	2332	updater.exe	Explorer.EXE
PID 2332 created 1116	2332	updater.exe	Explorer.EXE

Executes dropped EXE 6 IoCs

Processes:

MSUpdate.exeChromeUpdate.exesystemuser.exeMSUpdate.exeExplorer.EXEupdater.exe

pid process

1908 MSUpdate.exe
2196 ChromeUpdate.exe
2580 systemuser.exe
2180 MSUpdate.exe
1116 Explorer.EXE
2332 updater.exe
Loads dropped DLL 6 IoCs

Processes:

systemuser32.exeChromeUpdate.exeMSUpdate.exeExplorer.EXEtaskeng.exe

pid process

2844 systemuser32.exe
2844 systemuser32.exe
2196 ChromeUpdate.exe
2180 MSUpdate.exe
1116 Explorer.EXE
1664 taskeng.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1792 powershell.exe
2308 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

6 raw.githubusercontent.com
7 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

pid	process
1908	MSUpdate.exe
2196	ChromeUpdate.exe
2580	systemuser.exe
2180	MSUpdate.exe
1116	Explorer.EXE
2332	updater.exe

pid	process
2844	systemuser32.exe
2844	systemuser32.exe
2196	ChromeUpdate.exe
2180	MSUpdate.exe
1116	Explorer.EXE
1664	taskeng.exe

pid	process
1792	powershell.exe
2308	powershell.exe

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

flow	ioc
4	ip-api.com

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates processes with tasklist 1 TTPs 13 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
1220	tasklist.exe
2104	tasklist.exe
2972	tasklist.exe
2948	tasklist.exe
2900	tasklist.exe
1260	tasklist.exe
2736	tasklist.exe
968	tasklist.exe
2984	tasklist.exe
1240	tasklist.exe
2092	tasklist.exe
2644	tasklist.exe
2584	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

updater.exe

description pid process target process

PID 2332 set thread context of 2904 2332 updater.exe conhost.exe

description	pid	process	target process
PID 2332 set thread context of 2904	2332	updater.exe	conhost.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\MSUpdate.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 12 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
324	timeout.exe
2636	timeout.exe
1696	timeout.exe
912	timeout.exe
3020	timeout.exe
564	timeout.exe
1240	timeout.exe
3056	timeout.exe
2272	timeout.exe
2780	timeout.exe
976	timeout.exe
1452	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

564 schtasks.exe
2260 schtasks.exe

pid	process
564	schtasks.exe
2260	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

ChromeUpdate.exesystemuser.exepowershell.exeupdater.exepowershell.exe

pid	process
2196	ChromeUpdate.exe
2196	ChromeUpdate.exe
2196	ChromeUpdate.exe
2580	systemuser.exe
2580	systemuser.exe
1792	powershell.exe
2580	systemuser.exe
2580	systemuser.exe
2332	updater.exe
2332	updater.exe
2308	powershell.exe
2332	updater.exe
2332	updater.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

ChromeUpdate.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2196	ChromeUpdate.exe
Token: SeDebugPrivilege	1220	tasklist.exe
Token: SeDebugPrivilege	2104	tasklist.exe
Token: SeDebugPrivilege	968	tasklist.exe
Token: SeDebugPrivilege	2972	tasklist.exe
Token: SeDebugPrivilege	2948	tasklist.exe
Token: SeDebugPrivilege	2984	tasklist.exe
Token: SeDebugPrivilege	2900	tasklist.exe
Token: SeDebugPrivilege	1260	tasklist.exe
Token: SeDebugPrivilege	2736	tasklist.exe
Token: SeDebugPrivilege	1240	tasklist.exe
Token: SeDebugPrivilege	2092	tasklist.exe
Token: SeDebugPrivilege	2644	tasklist.exe
Token: SeDebugPrivilege	2584	tasklist.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

systemuser32.exeMSUpdate.exeChromeUpdate.execmd.exe

description	pid	process	target process
PID 2844 wrote to memory of 1908	2844	systemuser32.exe	MSUpdate.exe
PID 2844 wrote to memory of 1908	2844	systemuser32.exe	MSUpdate.exe
PID 2844 wrote to memory of 1908	2844	systemuser32.exe	MSUpdate.exe
PID 2844 wrote to memory of 2196	2844	systemuser32.exe	ChromeUpdate.exe
PID 2844 wrote to memory of 2196	2844	systemuser32.exe	ChromeUpdate.exe
PID 2844 wrote to memory of 2196	2844	systemuser32.exe	ChromeUpdate.exe
PID 2844 wrote to memory of 2580	2844	systemuser32.exe	systemuser.exe
PID 2844 wrote to memory of 2580	2844	systemuser32.exe	systemuser.exe
PID 2844 wrote to memory of 2580	2844	systemuser32.exe	systemuser.exe
PID 1908 wrote to memory of 2180	1908	MSUpdate.exe	MSUpdate.exe
PID 1908 wrote to memory of 2180	1908	MSUpdate.exe	MSUpdate.exe
PID 1908 wrote to memory of 2180	1908	MSUpdate.exe	MSUpdate.exe
PID 2196 wrote to memory of 2408	2196	ChromeUpdate.exe	cmd.exe
PID 2196 wrote to memory of 2408	2196	ChromeUpdate.exe	cmd.exe
PID 2196 wrote to memory of 2408	2196	ChromeUpdate.exe	cmd.exe
PID 2408 wrote to memory of 2084	2408	cmd.exe	chcp.com
PID 2408 wrote to memory of 2084	2408	cmd.exe	chcp.com
PID 2408 wrote to memory of 2084	2408	cmd.exe	chcp.com
PID 2408 wrote to memory of 1220	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 1220	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 1220	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 1208	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 1208	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 1208	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 1696	2408	cmd.exe	timeout.exe
PID 2408 wrote to memory of 1696	2408	cmd.exe	timeout.exe
PID 2408 wrote to memory of 1696	2408	cmd.exe	timeout.exe
PID 2408 wrote to memory of 2104	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 2104	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 2104	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 1452	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 1452	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 1452	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 912	2408	cmd.exe	timeout.exe
PID 2408 wrote to memory of 912	2408	cmd.exe	timeout.exe
PID 2408 wrote to memory of 912	2408	cmd.exe	timeout.exe
PID 2408 wrote to memory of 968	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 968	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 968	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 700	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 700	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 700	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 324	2408	cmd.exe	timeout.exe
PID 2408 wrote to memory of 324	2408	cmd.exe	timeout.exe
PID 2408 wrote to memory of 324	2408	cmd.exe	timeout.exe
PID 2408 wrote to memory of 2972	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 2972	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 2972	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 1464	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 1464	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 1464	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 3020	2408	cmd.exe	timeout.exe
PID 2408 wrote to memory of 3020	2408	cmd.exe	timeout.exe
PID 2408 wrote to memory of 3020	2408	cmd.exe	timeout.exe
PID 2408 wrote to memory of 2948	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 2948	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 2948	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 2960	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 2960	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 2960	2408	cmd.exe	find.exe
PID 2408 wrote to memory of 564	2408	cmd.exe	timeout.exe
PID 2408 wrote to memory of 564	2408	cmd.exe	timeout.exe
PID 2408 wrote to memory of 564	2408	cmd.exe	timeout.exe
PID 2408 wrote to memory of 2984	2408	cmd.exe	tasklist.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1116
- C:\Users\Admin\AppData\Local\Temp\systemuser32.exe
  "C:\Users\Admin\AppData\Local\Temp\systemuser32.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Roaming\MSUpdate.exe
    "C:\Users\Admin\AppData\Roaming\MSUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Users\Admin\AppData\Roaming\MSUpdate.exe
      "C:\Users\Admin\AppData\Roaming\MSUpdate.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2180
- - C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe
    "C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAA82.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpAA82.tmp.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2084
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2196"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1208
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1696
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2196"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1452
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:912
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2196"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:700
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:324
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2196"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1464
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3020
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2196"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2960
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:564
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2196"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1500
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1240
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2196"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1696
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3056
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2196"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:852
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2272
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2196"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2720
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2780
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2196"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:588
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:976
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2196"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2672
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2636
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2196"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1356
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1452
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2196"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2196
- - C:\Users\Admin\AppData\Roaming\systemuser.exe
    "C:\Users\Admin\AppData\Roaming\systemuser.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ikwps#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:564
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ikwps#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2260
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:2904

C:\Windows\system32\taskeng.exe
taskeng.exe {4AC8D07D-52F7-498B-A3D6-9D194BA999A4} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:1664
- C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
  C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI19082\python312.dll

Filesize
6.6MB

MD5
b243d61f4248909bc721674d70a633de

SHA1
1d2fb44b29c4ac3cfd5a7437038a0c541fce82fc

SHA256
93488fa7e631cc0a2bd808b9eee8617280ee9b6ff499ab424a1a1cbf24d77dc7

SHA512
10460c443c7b9a6d7e39ad6e2421b8ca4d8329f1c4a0ff5b71ce73352d2e9438d45f7d59edb13ce30fad3b4f260bd843f4d9b48522d448310d43e0988e075fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAA82.tmp.bat

Filesize
286B

MD5
b77807bd44bf844325cf3ad282ff6394

SHA1
ff71cfa52687236b340f51b99ba0b14d23444d5d

SHA256
bd8cd7ed03dfdfc712cc4e0dcf089d7db41896327e109a746e17e49ae419728d

SHA512
757eceac51fa5d39537bd9af3fcb40c95d129cdcc9384bee5a618bfcc16550fe29a307dc366d58eee5a885340b384d6c27532f2ad200945cf8dd08f698d57815

Download Submit
C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe

Filesize
5.6MB

MD5
13165ad820f4c960ca30489c75eaec42

SHA1
224d3c7b789cab09bf2204301019679e74741843

SHA256
f7e01a09ea6ec0deb57329451fba093f42fda8852189fde628da155a841761e7

SHA512
d6b350c4a000a3b29ebf2e649696e71f4e5d7a796636643354534a2911b5e73a8721ad8bf1d37cb990fb1d5c760c23b2db6550cd48e2d7c756c08753b8c15be7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bc3c55cb3e22c99d447126b6a26ff676

SHA1
e5ccd8249ea75df8a159fb9bc269f23610a26ea0

SHA256
8bb354f659b47a3bf7f9dba668653a0ceb27505fd78858e2e42ed3a4e0c57b7f

SHA512
08c444ee392045e958c67021265527967a2afe5e82d2c849b7ea61887f2b7b6253618f057b5b338f6cfed7d5391f14cc9e0ebd733e654981bf1874c988ba829d

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
\Users\Admin\AppData\Roaming\MSUpdate.exe

Filesize
10.5MB

MD5
79d19e7b20c0a9f3ac172041dcf84c97

SHA1
2e8a9c7d1aac017c1fabae50677e5bedea55c16d

SHA256
6080208516fa0312f72202ff528cf3ae055fcec32049191c8b4043bdb52bf072

SHA512
1d3fa42566c332501300da43e462a68341f9fc5aa5328d1b57cbb947e9b3e3eaa86d3368f52e82e3294fff63dc53587fda070967fa9a533dc4f9497a71e72e35

Download Submit
\Users\Admin\AppData\Roaming\systemuser.exe

Filesize
4.5MB

MD5
d62541056c52c0e1c88554fc7c58bd14

SHA1
4528261354cba0ef81a61ca2d7bc550fc5553f45

SHA256
6b02de0fe2eb386db9a8fcb66b29a1ffd6116a525d4b27afb45e274c0e0d8a90

SHA512
75c34e0a08bb06c2a8ca4418d8510e122c980a5da57cb8ffb24611020ef383d8abb05645f4564d137320afe78cecded3444d67896a4592943199c0244339ffc3

Download Submit
memory/1792-1928-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1792-1927-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/2196-183-0x0000000000E80000-0x0000000001422000-memory.dmp

Filesize
5.6MB

Download
memory/2196-374-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

Filesize
9.9MB

Download
memory/2196-976-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

Filesize
9.9MB

Download
memory/2196-252-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

Filesize
9.9MB

Download
memory/2308-1945-0x0000000001D50000-0x0000000001D58000-memory.dmp

Filesize
32KB

Download
memory/2308-1944-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2332-1935-0x000000013F8D0000-0x000000013FD4D000-memory.dmp

Filesize
4.5MB

Download
memory/2332-1948-0x000000013F8D0000-0x000000013FD4D000-memory.dmp

Filesize
4.5MB

Download
memory/2580-977-0x000000013F8E0000-0x000000013FD5D000-memory.dmp

Filesize
4.5MB

Download
memory/2580-1931-0x000000013F8E0000-0x000000013FD5D000-memory.dmp

Filesize
4.5MB

Download
memory/2844-0-0x000007FEF5CC3000-0x000007FEF5CC4000-memory.dmp

Filesize
4KB

Download
memory/2844-1-0x0000000000BB0000-0x0000000002054000-memory.dmp

Filesize
20.6MB

Download
memory/2904-1949-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download