The malware checks to see if a given PID is winlogon.exe.
Winlogon.exe is the process injected.
The DLL sfc_os.dll will be used to disable Windows File Protection.
The fourth argument passed to
CreateRemoteThread is a
function pointer to an unnamed ordinal 2 (
SfcTerminateWatcherThread) of sfc_os.dll.
The malware drops a binary from its resource section and overwrites the old Windows Update binary (wupdmgr.exe) with it. Before overwriting the real wupdmgr.exe, the malware copies it to the %TEMP% directory for later usage.
The malware injects a remote thread into winlogon.exe and calls a
function exported by sfc_os.dll, ordinal 2 (
SfcTerminateWatcherThread), to disable Windows File Protection until the next reboot. The ...