darkcomet | ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832

Processes:

ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\WinUpdater.exe"	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

Modify Existing Service

T1031

Processes:

WinUpdater.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	WinUpdater.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	WinUpdater.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	WinUpdater.exe

Executes dropped EXE 2 IoCs

Processes:

WinUpdater.exeWinUpdater.exe

pid process

3508 WinUpdater.exe
2416 WinUpdater.exe

pid	process
3508	WinUpdater.exe
2416	WinUpdater.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exeWinUpdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WinUpdater.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

notepad.exeba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\WinUpdater.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\WinUpdater.exe"	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exeba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exeWinUpdater.exe

description	pid	process	target process
PID 3756 set thread context of 4144	3756	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 4144 set thread context of 3636	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	explorer.exe
PID 3508 set thread context of 2416	3508	WinUpdater.exe	WinUpdater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exeWinUpdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WinUpdater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WinUpdater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WinUpdater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WinUpdater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exeWinUpdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	WinUpdater.exe

Modifies registry class 1 IoCs

Processes:

ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exeWinUpdater.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeSecurityPrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeTakeOwnershipPrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeLoadDriverPrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeSystemProfilePrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeSystemtimePrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeProfSingleProcessPrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeIncBasePriorityPrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeCreatePagefilePrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeBackupPrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeRestorePrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeShutdownPrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeDebugPrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeSystemEnvironmentPrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeChangeNotifyPrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeRemoteShutdownPrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeUndockPrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeManageVolumePrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeImpersonatePrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeCreateGlobalPrivilege	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: 33	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: 34	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: 35	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: 36	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
Token: SeIncreaseQuotaPrivilege	2416	WinUpdater.exe
Token: SeSecurityPrivilege	2416	WinUpdater.exe
Token: SeTakeOwnershipPrivilege	2416	WinUpdater.exe
Token: SeLoadDriverPrivilege	2416	WinUpdater.exe
Token: SeSystemProfilePrivilege	2416	WinUpdater.exe
Token: SeSystemtimePrivilege	2416	WinUpdater.exe
Token: SeProfSingleProcessPrivilege	2416	WinUpdater.exe
Token: SeIncBasePriorityPrivilege	2416	WinUpdater.exe
Token: SeCreatePagefilePrivilege	2416	WinUpdater.exe
Token: SeBackupPrivilege	2416	WinUpdater.exe
Token: SeRestorePrivilege	2416	WinUpdater.exe
Token: SeShutdownPrivilege	2416	WinUpdater.exe
Token: SeDebugPrivilege	2416	WinUpdater.exe
Token: SeSystemEnvironmentPrivilege	2416	WinUpdater.exe
Token: SeChangeNotifyPrivilege	2416	WinUpdater.exe
Token: SeRemoteShutdownPrivilege	2416	WinUpdater.exe
Token: SeUndockPrivilege	2416	WinUpdater.exe
Token: SeManageVolumePrivilege	2416	WinUpdater.exe
Token: SeImpersonatePrivilege	2416	WinUpdater.exe
Token: SeCreateGlobalPrivilege	2416	WinUpdater.exe
Token: 33	2416	WinUpdater.exe
Token: 34	2416	WinUpdater.exe
Token: 35	2416	WinUpdater.exe
Token: 36	2416	WinUpdater.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exeba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exeWinUpdater.exe

description	pid	process	target process
PID 3756 wrote to memory of 4144	3756	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 3756 wrote to memory of 4144	3756	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 3756 wrote to memory of 4144	3756	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 3756 wrote to memory of 4144	3756	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 3756 wrote to memory of 4144	3756	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 3756 wrote to memory of 4144	3756	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 3756 wrote to memory of 4144	3756	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 3756 wrote to memory of 4144	3756	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 3756 wrote to memory of 4144	3756	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 3756 wrote to memory of 4144	3756	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 3756 wrote to memory of 4144	3756	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 3756 wrote to memory of 4144	3756	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 3756 wrote to memory of 4144	3756	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 3756 wrote to memory of 4144	3756	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 2520	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	notepad.exe
PID 4144 wrote to memory of 3636	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	explorer.exe
PID 4144 wrote to memory of 3636	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	explorer.exe
PID 4144 wrote to memory of 3636	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	explorer.exe
PID 4144 wrote to memory of 3636	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	explorer.exe
PID 4144 wrote to memory of 3636	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	explorer.exe
PID 4144 wrote to memory of 3508	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	WinUpdater.exe
PID 4144 wrote to memory of 3508	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	WinUpdater.exe
PID 4144 wrote to memory of 3508	4144	ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe	WinUpdater.exe
PID 3508 wrote to memory of 2416	3508	WinUpdater.exe	WinUpdater.exe
PID 3508 wrote to memory of 2416	3508	WinUpdater.exe	WinUpdater.exe
PID 3508 wrote to memory of 2416	3508	WinUpdater.exe	WinUpdater.exe
PID 3508 wrote to memory of 2416	3508	WinUpdater.exe	WinUpdater.exe
PID 3508 wrote to memory of 2416	3508	WinUpdater.exe	WinUpdater.exe
PID 3508 wrote to memory of 2416	3508	WinUpdater.exe	WinUpdater.exe
PID 3508 wrote to memory of 2416	3508	WinUpdater.exe	WinUpdater.exe
PID 3508 wrote to memory of 2416	3508	WinUpdater.exe	WinUpdater.exe
PID 3508 wrote to memory of 2416	3508	WinUpdater.exe	WinUpdater.exe
PID 3508 wrote to memory of 2416	3508	WinUpdater.exe	WinUpdater.exe
PID 3508 wrote to memory of 2416	3508	WinUpdater.exe	WinUpdater.exe
PID 3508 wrote to memory of 2416	3508	WinUpdater.exe	WinUpdater.exe
PID 3508 wrote to memory of 2416	3508	WinUpdater.exe	WinUpdater.exe
PID 3508 wrote to memory of 2416	3508	WinUpdater.exe	WinUpdater.exe

C:\Users\Admin\AppData\Local\Temp\ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
"C:\Users\Admin\AppData\Local\Temp\ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3756

C:\Users\Admin\AppData\Local\Temp\ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
"C:\Users\Admin\AppData\Local\Temp\ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe"
2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
- Adds Run key to start application
PID:2520

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
PID:3636

C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3508

C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe"
4⤵
- Modifies firewall policy service
- Executes dropped EXE
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

3

Credential Access

Discovery

Query Registry

4

System Information Discovery

5