a532ef74cfbe55a5d4cba2e9407ea4951328797d94e30c4160664d3536cb13d2

Analysis

max time kernel
79s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

StopUpdates10 Win10Զ¹رչ_v3.1.101 Я/stop-gwx-from-startup.bat
Size

1KB
MD5

4b724372b80e66b4f7747aa7a4dd82fa
SHA1

74a7972fb13bb80530fde331bc0de6df18405834
SHA256

9580a95c5cd25d960232af7c8042c0c89aeddfb2a7db009f9080241190f8bccd
SHA512

caf6c95820094a9b600fbed64d53179ebf6b397301b060d6731b6de922c59ef3e9e3bacfce771cdc4fd5a0a33332a69eedb099edbe3daaf6b185af7d88221c45

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1848 taskkill.exe
5032 taskkill.exe
440 taskkill.exe
1948 taskkill.exe

pid	process
1848	taskkill.exe
5032	taskkill.exe
440	taskkill.exe
1948	taskkill.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	440	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 5008 wrote to memory of 1848	5008	cmd.exe	taskkill.exe
PID 5008 wrote to memory of 1848	5008	cmd.exe	taskkill.exe
PID 5008 wrote to memory of 5032	5008	cmd.exe	taskkill.exe
PID 5008 wrote to memory of 5032	5008	cmd.exe	taskkill.exe
PID 5008 wrote to memory of 1576	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 1576	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 1476	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 1476	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 1776	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 1776	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 3620	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 3620	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 2368	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 2368	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 1304	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 1304	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 2848	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 2848	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 3848	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 3848	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 216	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 216	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 2060	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 2060	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 1180	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 1180	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 3916	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 3916	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 2084	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 2084	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 2780	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 2780	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 2604	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 2604	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 1636	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 1636	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 2416	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 2416	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 1276	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 1276	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 1716	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 1716	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 2336	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 2336	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 3940	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 3940	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 1292	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 1292	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 440	5008	cmd.exe	taskkill.exe
PID 5008 wrote to memory of 440	5008	cmd.exe	taskkill.exe
PID 5008 wrote to memory of 1948	5008	cmd.exe	taskkill.exe
PID 5008 wrote to memory of 1948	5008	cmd.exe	taskkill.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\StopUpdates10 Win10Զ¹رչ_v3.1.101 Я\stop-gwx-from-startup.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\system32\taskkill.exe
taskkill /f /IM gwxdetector.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\system32\taskkill.exe
taskkill /f /IM gwx.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\system32\schtasks.exe
schtasks /end /tn "microsoft\windows\setup\gwx\launchtrayprocess"
2⤵
PID:1576

C:\Windows\system32\schtasks.exe
schtasks /end /tn "microsoft\windows\setup\gwx\refreshgwxconfig"
2⤵
PID:1476

C:\Windows\system32\schtasks.exe
schtasks /end /tn "microsoft\windows\setup\gwx\refreshgwxcontent"
2⤵
PID:1776

C:\Windows\system32\schtasks.exe
schtasks /end /tn "microsoft\windows\setup\gwx\runappraiser"
2⤵
PID:3620

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\gwx\launchtrayprocess" /DISABLE
2⤵
PID:2368

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\gwx\refreshgwxconfig" /DISABLE
2⤵
PID:1304

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\gwx\refreshgwxcontent" /DISABLE
2⤵
PID:2848

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\gwx\refreshgwxconfigandcontent" /DISABLE
2⤵
PID:3848

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\gwx\runappraiser" /DISABLE
2⤵
PID:216

C:\Windows\system32\schtasks.exe
schtasks /end /tn "microsoft\windows\setup\GWXTriggers\Logon"
2⤵
PID:2060

C:\Windows\system32\schtasks.exe
schtasks /end /tn "microsoft\windows\setup\GWXTriggers\OutOfIdle"
2⤵
PID:1180

C:\Windows\system32\schtasks.exe
schtasks /end /tn "microsoft\windows\setup\GWXTriggers\refreshgwxconfig-B"
2⤵
PID:3916

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\Logon" /DISABLE
2⤵
PID:2084

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\OutOfIdle" /DISABLE
2⤵
PID:2780

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\refreshgwxconfig-B" /DISABLE
2⤵
PID:2604

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\Logon-5d" /DISABLE
2⤵
PID:1636

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\MachineUnlock-5d" /DISABLE
2⤵
PID:2416

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\OutOfIdle-5d" /DISABLE
2⤵
PID:1276

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\OutOfSleep-5d" /DISABLE
2⤵
PID:1716

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\Time-5d" /DISABLE
2⤵
PID:2336

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\ScheduleUpgradeReminderTime" /DISABLE
2⤵
PID:3940

C:\Windows\system32\schtasks.exe
schtasks /change /tn "microsoft\windows\setup\GWXTriggers\ScheduleUpgradeTime" /DISABLE
2⤵
PID:1292

C:\Windows\system32\taskkill.exe
taskkill /f /IM gwxdetector.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Windows\system32\taskkill.exe
taskkill /f /IM gwx.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/216-142-0x0000000000000000-mapping.dmp

Download
memory/440-156-0x0000000000000000-mapping.dmp

Download
memory/1180-144-0x0000000000000000-mapping.dmp

Download
memory/1276-151-0x0000000000000000-mapping.dmp

Download
memory/1292-155-0x0000000000000000-mapping.dmp

Download
memory/1304-139-0x0000000000000000-mapping.dmp

Download
memory/1476-135-0x0000000000000000-mapping.dmp

Download
memory/1576-134-0x0000000000000000-mapping.dmp

Download
memory/1636-149-0x0000000000000000-mapping.dmp

Download
memory/1716-152-0x0000000000000000-mapping.dmp

Download
memory/1776-136-0x0000000000000000-mapping.dmp

Download
memory/1848-132-0x0000000000000000-mapping.dmp

Download
memory/1948-157-0x0000000000000000-mapping.dmp

Download
memory/2060-143-0x0000000000000000-mapping.dmp

Download
memory/2084-146-0x0000000000000000-mapping.dmp

Download
memory/2336-153-0x0000000000000000-mapping.dmp

Download
memory/2368-138-0x0000000000000000-mapping.dmp

Download
memory/2416-150-0x0000000000000000-mapping.dmp

Download
memory/2604-148-0x0000000000000000-mapping.dmp

Download
memory/2780-147-0x0000000000000000-mapping.dmp

Download
memory/2848-140-0x0000000000000000-mapping.dmp

Download
memory/3620-137-0x0000000000000000-mapping.dmp

Download
memory/3848-141-0x0000000000000000-mapping.dmp

Download
memory/3916-145-0x0000000000000000-mapping.dmp

Download
memory/3940-154-0x0000000000000000-mapping.dmp

Download
memory/5032-133-0x0000000000000000-mapping.dmp

Download