a532ef74cfbe55a5d4cba2e9407ea4951328797d94e30c4160664d3536cb13d2

Analysis

max time kernel
43s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

StopUpdates10 Win10Զ¹رչ_v3.1.101 Я/stop-gwx-from-startup.bat
Size

1KB
MD5

4b724372b80e66b4f7747aa7a4dd82fa
SHA1

74a7972fb13bb80530fde331bc0de6df18405834
SHA256

9580a95c5cd25d960232af7c8042c0c89aeddfb2a7db009f9080241190f8bccd
SHA512

caf6c95820094a9b600fbed64d53179ebf6b397301b060d6731b6de922c59ef3e9e3bacfce771cdc4fd5a0a33332a69eedb099edbe3daaf6b185af7d88221c45

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

880 taskkill.exe
1904 taskkill.exe
968 taskkill.exe
1444 taskkill.exe

pid	process
880	taskkill.exe
1904	taskkill.exe
968	taskkill.exe
1444	taskkill.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	1444	taskkill.exe
Token: SeDebugPrivilege	880	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1064 wrote to memory of 968	1064	cmd.exe	taskkill.exe
PID 1064 wrote to memory of 968	1064	cmd.exe	taskkill.exe
PID 1064 wrote to memory of 968	1064	cmd.exe	taskkill.exe
PID 1064 wrote to memory of 1444	1064	cmd.exe	taskkill.exe
PID 1064 wrote to memory of 1444	1064	cmd.exe	taskkill.exe
PID 1064 wrote to memory of 1444	1064	cmd.exe	taskkill.exe
PID 1064 wrote to memory of 516	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 516	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 516	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1760	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1760	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1760	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1556	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1556	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1556	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1240	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1240	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1240	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1528	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1528	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1528	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 592	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 592	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 592	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1180	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1180	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1180	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1952	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1952	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1952	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1396	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1396	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1396	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1688	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1688	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1688	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 280	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 280	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 280	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1752	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1752	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1752	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 2032	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 2032	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 2032	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1368	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1368	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1368	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 2020	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 2020	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 2020	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1764	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1764	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1764	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 732	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 732	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 732	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1720	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1720	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1720	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1808	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1808	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1808	1064	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1924	1064	cmd.exe	schtasks.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\StopUpdates10 Win10Զ¹رչ_v3.1.101 Я\stop-gwx-from-startup.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\system32\taskkill.exe
taskkill /f /IM gwxdetector.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\system32\taskkill.exe
taskkill /f /IM gwx.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\system32\schtasks.exe
schtasks /end /tn "microsoft\windows\setup\gwx\launchtrayprocess"
2⤵
PID:516

C:\Windows\system32\schtasks.exe
schtasks /end /tn "microsoft\windows\setup\gwx\refreshgwxconfig"
2⤵
PID:1760

C:\Windows\system32\schtasks.exe
schtasks /end /tn "microsoft\windows\setup\gwx\refreshgwxcontent"
2⤵
PID:1556

C:\Windows\system32\schtasks.exe
schtasks /end /tn "microsoft\windows\setup\gwx\runappraiser"
2⤵
PID:1240

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\gwx\launchtrayprocess" /DISABLE
2⤵
PID:1528

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\gwx\refreshgwxconfig" /DISABLE
2⤵
PID:592

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\gwx\refreshgwxcontent" /DISABLE
2⤵
PID:1180

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\gwx\refreshgwxconfigandcontent" /DISABLE
2⤵
PID:1952

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\gwx\runappraiser" /DISABLE
2⤵
PID:1396

C:\Windows\system32\schtasks.exe
schtasks /end /tn "microsoft\windows\setup\GWXTriggers\Logon"
2⤵
PID:1688

C:\Windows\system32\schtasks.exe
schtasks /end /tn "microsoft\windows\setup\GWXTriggers\OutOfIdle"
2⤵
PID:280

C:\Windows\system32\schtasks.exe
schtasks /end /tn "microsoft\windows\setup\GWXTriggers\refreshgwxconfig-B"
2⤵
PID:1752

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\Logon" /DISABLE
2⤵
PID:2032

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\OutOfIdle" /DISABLE
2⤵
PID:1368

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\refreshgwxconfig-B" /DISABLE
2⤵
PID:2020

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\Logon-5d" /DISABLE
2⤵
PID:1764

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\MachineUnlock-5d" /DISABLE
2⤵
PID:732

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\OutOfIdle-5d" /DISABLE
2⤵
PID:1720

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\OutOfSleep-5d" /DISABLE
2⤵
PID:1808

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\Time-5d" /DISABLE
2⤵
PID:1924

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\ScheduleUpgradeReminderTime" /DISABLE
2⤵
PID:1940

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\ScheduleUpgradeTime" /DISABLE
2⤵
PID:2000

C:\Windows\system32\taskkill.exe
taskkill /f /IM gwxdetector.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\system32\taskkill.exe
taskkill /f /IM gwx.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1904

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/280-66-0x0000000000000000-mapping.dmp

Download
memory/516-56-0x0000000000000000-mapping.dmp

Download
memory/592-61-0x0000000000000000-mapping.dmp

Download
memory/732-72-0x0000000000000000-mapping.dmp

Download
memory/880-78-0x0000000000000000-mapping.dmp

Download
memory/968-54-0x0000000000000000-mapping.dmp

Download
memory/1180-62-0x0000000000000000-mapping.dmp

Download
memory/1240-59-0x0000000000000000-mapping.dmp

Download
memory/1368-69-0x0000000000000000-mapping.dmp

Download
memory/1396-64-0x0000000000000000-mapping.dmp

Download
memory/1444-55-0x0000000000000000-mapping.dmp

Download
memory/1528-60-0x0000000000000000-mapping.dmp

Download
memory/1556-58-0x0000000000000000-mapping.dmp

Download
memory/1688-65-0x0000000000000000-mapping.dmp

Download
memory/1720-73-0x0000000000000000-mapping.dmp

Download
memory/1752-67-0x0000000000000000-mapping.dmp

Download
memory/1760-57-0x0000000000000000-mapping.dmp

Download
memory/1764-71-0x0000000000000000-mapping.dmp

Download
memory/1808-74-0x0000000000000000-mapping.dmp

Download
memory/1904-79-0x0000000000000000-mapping.dmp

Download
memory/1924-75-0x0000000000000000-mapping.dmp

Download
memory/1940-76-0x0000000000000000-mapping.dmp

Download
memory/1952-63-0x0000000000000000-mapping.dmp

Download
memory/2000-77-0x0000000000000000-mapping.dmp

Download
memory/2020-70-0x0000000000000000-mapping.dmp

Download
memory/2032-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads