darkcomet | ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832

Processes:

ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\WinUpdater.exe"	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

Modify Existing Service

T1031

Processes:

WinUpdater.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	WinUpdater.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	WinUpdater.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	WinUpdater.exe

Executes dropped EXE 2 IoCs

Processes:

WinUpdater.exeWinUpdater.exe

pid process

1948 WinUpdater.exe
1416 WinUpdater.exe

pid	process
1948	WinUpdater.exe
1416	WinUpdater.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exeWinUpdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WinUpdater.exe

Loads dropped DLL 8 IoCs

Processes:

ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exeWinUpdater.exeWinUpdater.exe

pid	process
1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
1948	WinUpdater.exe
1948	WinUpdater.exe
1948	WinUpdater.exe
1948	WinUpdater.exe
1416	WinUpdater.exe
1416	WinUpdater.exe
1416	WinUpdater.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exenotepad.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\WinUpdater.exe"	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\WinUpdater.exe"	notepad.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exeba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exeWinUpdater.exe

description	pid	process	target process
PID 1636 set thread context of 1724	1636	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 1724 set thread context of 1492	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	explorer.exe
PID 1948 set thread context of 1416	1948	WinUpdater.exe	WinUpdater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

WinUpdater.exeba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WinUpdater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WinUpdater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WinUpdater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WinUpdater.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exeWinUpdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	WinUpdater.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exeWinUpdater.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeSecurityPrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeTakeOwnershipPrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeLoadDriverPrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeSystemProfilePrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeSystemtimePrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeProfSingleProcessPrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeIncBasePriorityPrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeCreatePagefilePrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeBackupPrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeRestorePrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeShutdownPrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeDebugPrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeSystemEnvironmentPrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeChangeNotifyPrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeRemoteShutdownPrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeUndockPrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeManageVolumePrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeImpersonatePrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeCreateGlobalPrivilege	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: 33	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: 34	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: 35	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeIncreaseQuotaPrivilege	1416	WinUpdater.exe
Token: SeSecurityPrivilege	1416	WinUpdater.exe
Token: SeTakeOwnershipPrivilege	1416	WinUpdater.exe
Token: SeLoadDriverPrivilege	1416	WinUpdater.exe
Token: SeSystemProfilePrivilege	1416	WinUpdater.exe
Token: SeSystemtimePrivilege	1416	WinUpdater.exe
Token: SeProfSingleProcessPrivilege	1416	WinUpdater.exe
Token: SeIncBasePriorityPrivilege	1416	WinUpdater.exe
Token: SeCreatePagefilePrivilege	1416	WinUpdater.exe
Token: SeBackupPrivilege	1416	WinUpdater.exe
Token: SeRestorePrivilege	1416	WinUpdater.exe
Token: SeShutdownPrivilege	1416	WinUpdater.exe
Token: SeDebugPrivilege	1416	WinUpdater.exe
Token: SeSystemEnvironmentPrivilege	1416	WinUpdater.exe
Token: SeChangeNotifyPrivilege	1416	WinUpdater.exe
Token: SeRemoteShutdownPrivilege	1416	WinUpdater.exe
Token: SeUndockPrivilege	1416	WinUpdater.exe
Token: SeManageVolumePrivilege	1416	WinUpdater.exe
Token: SeImpersonatePrivilege	1416	WinUpdater.exe
Token: SeCreateGlobalPrivilege	1416	WinUpdater.exe
Token: 33	1416	WinUpdater.exe
Token: 34	1416	WinUpdater.exe
Token: 35	1416	WinUpdater.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exeba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exeWinUpdater.exe

description	pid	process	target process
PID 1636 wrote to memory of 1724	1636	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 1636 wrote to memory of 1724	1636	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 1636 wrote to memory of 1724	1636	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 1636 wrote to memory of 1724	1636	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 1636 wrote to memory of 1724	1636	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 1636 wrote to memory of 1724	1636	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 1636 wrote to memory of 1724	1636	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 1636 wrote to memory of 1724	1636	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 1636 wrote to memory of 1724	1636	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 1636 wrote to memory of 1724	1636	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 1636 wrote to memory of 1724	1636	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 1636 wrote to memory of 1724	1636	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 1636 wrote to memory of 1724	1636	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 664	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 1724 wrote to memory of 1492	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	explorer.exe
PID 1724 wrote to memory of 1492	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	explorer.exe
PID 1724 wrote to memory of 1492	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	explorer.exe
PID 1724 wrote to memory of 1492	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	explorer.exe
PID 1724 wrote to memory of 1492	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	explorer.exe
PID 1724 wrote to memory of 1492	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	explorer.exe
PID 1724 wrote to memory of 1948	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	WinUpdater.exe
PID 1724 wrote to memory of 1948	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	WinUpdater.exe
PID 1724 wrote to memory of 1948	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	WinUpdater.exe
PID 1724 wrote to memory of 1948	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	WinUpdater.exe
PID 1724 wrote to memory of 1948	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	WinUpdater.exe
PID 1724 wrote to memory of 1948	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	WinUpdater.exe
PID 1724 wrote to memory of 1948	1724	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	WinUpdater.exe
PID 1948 wrote to memory of 1416	1948	WinUpdater.exe	WinUpdater.exe
PID 1948 wrote to memory of 1416	1948	WinUpdater.exe	WinUpdater.exe
PID 1948 wrote to memory of 1416	1948	WinUpdater.exe	WinUpdater.exe
PID 1948 wrote to memory of 1416	1948	WinUpdater.exe	WinUpdater.exe
PID 1948 wrote to memory of 1416	1948	WinUpdater.exe	WinUpdater.exe
PID 1948 wrote to memory of 1416	1948	WinUpdater.exe	WinUpdater.exe
PID 1948 wrote to memory of 1416	1948	WinUpdater.exe	WinUpdater.exe
PID 1948 wrote to memory of 1416	1948	WinUpdater.exe	WinUpdater.exe
PID 1948 wrote to memory of 1416	1948	WinUpdater.exe	WinUpdater.exe
PID 1948 wrote to memory of 1416	1948	WinUpdater.exe	WinUpdater.exe
PID 1948 wrote to memory of 1416	1948	WinUpdater.exe	WinUpdater.exe
PID 1948 wrote to memory of 1416	1948	WinUpdater.exe	WinUpdater.exe
PID 1948 wrote to memory of 1416	1948	WinUpdater.exe	WinUpdater.exe
PID 1948 wrote to memory of 1416	1948	WinUpdater.exe	WinUpdater.exe

C:\Users\Admin\AppData\Local\Temp\ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
"C:\Users\Admin\AppData\Local\Temp\ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
"C:\Users\Admin\AppData\Local\Temp\ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe"
2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
- Adds Run key to start application
PID:664

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
PID:1492

C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe"
4⤵
- Modifies firewall policy service
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery