revengerat | 1ee3e5b5f7b2deb6182a591e94890786e404054e536dc468960d941c733d1e00

General

Target

e18ec27f09521152664d6a5aad14f03e.exe
Size

173KB
MD5

e18ec27f09521152664d6a5aad14f03e
SHA1

747bbc767b7a4aedc13a6b2d2f0a8a63363fc91c
SHA256

1ee3e5b5f7b2deb6182a591e94890786e404054e536dc468960d941c733d1e00
SHA512

3180a6de45526927ea7099b52a7c191ac1e4e6bff1fb55f1e03f7369ef6a316ff7a93ee533aa587c0ecb03e3f604e449ae8fd8547bd99aff7ea8382e98d4138b
SSDEEP

3072:YWzzzZKkF8xgsfifWFDZxbvPtj006jxyLNPs4EzhiXJbH5HGWSu9igjc:FDQg8uFUlxbvVjqjNuJbH5Hyn

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe	revengerat

Drops file in Drivers directory 13 IoCs

Processes:

Update.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Update.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Update.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Update.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Update.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Update.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Update.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Update.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Update.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Update.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Update.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Update.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Update.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Update.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Update.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exee18ec27f09521152664d6a5aad14f03e.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	e18ec27f09521152664d6a5aad14f03e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Update.exe

Executes dropped EXE 15 IoCs

Processes:

Update.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exe

pid	process
4912	Update.exe
416	Update.exe
4228	Update.exe
2452	Update.exe
4352	Update.exe
3332	Update.exe
1976	Update.exe
936	Update.exe
2340	Update.exe
804	Update.exe
4772	Update.exe
1808	Update.exe
4016	Update.exe
3924	Update.exe
3940	Update.exe

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Update.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft\\Update.exe\""	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft\\Update.exe\""	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft\\Update.exe\""	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft\\Update.exe\""	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft\\Update.exe\""	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft\\Update.exe\""	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft\\Update.exe\""	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft\\Update.exe\""	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft\\Update.exe\""	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft\\Update.exe\""	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft\\Update.exe\""	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft\\Update.exe\""	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft\\Update.exe\""	Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4756	schtasks.exe
3344	schtasks.exe
2456	schtasks.exe
804	schtasks.exe
4404	schtasks.exe
4532	schtasks.exe
440	schtasks.exe
4048	schtasks.exe
1108	schtasks.exe
2988	schtasks.exe
1632	schtasks.exe
4260	schtasks.exe
2536	schtasks.exe

Modifies registry class 62 IoCs

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\mscfile\Shell\Open\command\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\ms-settings\Shell	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e18ec27f09521152664d6a5aad14f03e.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exe

pid	process
4928	e18ec27f09521152664d6a5aad14f03e.exe
4912	Update.exe
4912	Update.exe
4912	Update.exe
4912	Update.exe
4912	Update.exe
4912	Update.exe
4912	Update.exe
4912	Update.exe
4912	Update.exe
4912	Update.exe
4912	Update.exe
4912	Update.exe
416	Update.exe
416	Update.exe
416	Update.exe
416	Update.exe
416	Update.exe
416	Update.exe
416	Update.exe
416	Update.exe
416	Update.exe
416	Update.exe
416	Update.exe
416	Update.exe
416	Update.exe
4228	Update.exe
4228	Update.exe
4228	Update.exe
4228	Update.exe
4228	Update.exe
4228	Update.exe
4228	Update.exe
4228	Update.exe
4228	Update.exe
4228	Update.exe
4228	Update.exe
4228	Update.exe
4228	Update.exe
2452	Update.exe
2452	Update.exe
2452	Update.exe
2452	Update.exe
2452	Update.exe
2452	Update.exe
2452	Update.exe
2452	Update.exe
2452	Update.exe
2452	Update.exe
2452	Update.exe
2452	Update.exe
2452	Update.exe
2452	Update.exe
4352	Update.exe
4352	Update.exe
4352	Update.exe
4352	Update.exe
4352	Update.exe
4352	Update.exe
4352	Update.exe
4352	Update.exe
4352	Update.exe
4352	Update.exe
4352	Update.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

e18ec27f09521152664d6a5aad14f03e.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exe

description	pid	process
Token: SeDebugPrivilege	4928	e18ec27f09521152664d6a5aad14f03e.exe
Token: SeDebugPrivilege	4912	Update.exe
Token: SeDebugPrivilege	416	Update.exe
Token: SeDebugPrivilege	4228	Update.exe
Token: SeDebugPrivilege	2452	Update.exe
Token: SeDebugPrivilege	4352	Update.exe
Token: SeDebugPrivilege	3332	Update.exe
Token: SeDebugPrivilege	1976	Update.exe
Token: SeDebugPrivilege	936	Update.exe
Token: SeDebugPrivilege	2340	Update.exe
Token: SeDebugPrivilege	804	Update.exe
Token: SeDebugPrivilege	4772	Update.exe
Token: SeDebugPrivilege	1808	Update.exe
Token: SeDebugPrivilege	4016	Update.exe
Token: SeDebugPrivilege	3924	Update.exe
Token: SeDebugPrivilege	3940	Update.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

Update.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exe

pid	process
4912	Update.exe
416	Update.exe
4228	Update.exe
2452	Update.exe
4352	Update.exe
1976	Update.exe
936	Update.exe
2340	Update.exe
804	Update.exe
4772	Update.exe
4016	Update.exe
3924	Update.exe
3940	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e18ec27f09521152664d6a5aad14f03e.exeUpdate.execmd.execmd.execmd.execmd.execmd.execmd.exeUpdate.execmd.execmd.execmd.exeUpdate.execmd.execmd.execmd.exeUpdate.exe

description	pid	process	target process
PID 4928 wrote to memory of 552	4928	e18ec27f09521152664d6a5aad14f03e.exe	cmd.exe
PID 4928 wrote to memory of 552	4928	e18ec27f09521152664d6a5aad14f03e.exe	cmd.exe
PID 4928 wrote to memory of 3532	4928	e18ec27f09521152664d6a5aad14f03e.exe	cmd.exe
PID 4928 wrote to memory of 3532	4928	e18ec27f09521152664d6a5aad14f03e.exe	cmd.exe
PID 4928 wrote to memory of 3032	4928	e18ec27f09521152664d6a5aad14f03e.exe	cmd.exe
PID 4928 wrote to memory of 3032	4928	e18ec27f09521152664d6a5aad14f03e.exe	cmd.exe
PID 4928 wrote to memory of 4912	4928	e18ec27f09521152664d6a5aad14f03e.exe	Update.exe
PID 4928 wrote to memory of 4912	4928	e18ec27f09521152664d6a5aad14f03e.exe	Update.exe
PID 4912 wrote to memory of 4976	4912	Update.exe	cmd.exe
PID 4912 wrote to memory of 4976	4912	Update.exe	cmd.exe
PID 4912 wrote to memory of 4148	4912	Update.exe	cmd.exe
PID 4912 wrote to memory of 4148	4912	Update.exe	cmd.exe
PID 4912 wrote to memory of 3888	4912	Update.exe	cmd.exe
PID 4912 wrote to memory of 3888	4912	Update.exe	cmd.exe
PID 4912 wrote to memory of 1632	4912	Update.exe	schtasks.exe
PID 4912 wrote to memory of 1632	4912	Update.exe	schtasks.exe
PID 552 wrote to memory of 4868	552	cmd.exe	reg.exe
PID 552 wrote to memory of 4868	552	cmd.exe	reg.exe
PID 3532 wrote to memory of 1604	3532	cmd.exe	reg.exe
PID 3532 wrote to memory of 1604	3532	cmd.exe	reg.exe
PID 3032 wrote to memory of 3720	3032	cmd.exe	reg.exe
PID 3032 wrote to memory of 3720	3032	cmd.exe	reg.exe
PID 3888 wrote to memory of 1968	3888	cmd.exe	reg.exe
PID 3888 wrote to memory of 1968	3888	cmd.exe	reg.exe
PID 4148 wrote to memory of 3480	4148	cmd.exe	reg.exe
PID 4148 wrote to memory of 3480	4148	cmd.exe	reg.exe
PID 4976 wrote to memory of 1660	4976	cmd.exe	reg.exe
PID 4976 wrote to memory of 1660	4976	cmd.exe	reg.exe
PID 4912 wrote to memory of 416	4912	Update.exe	Update.exe
PID 4912 wrote to memory of 416	4912	Update.exe	Update.exe
PID 416 wrote to memory of 4208	416	Update.exe	cmd.exe
PID 416 wrote to memory of 4208	416	Update.exe	cmd.exe
PID 416 wrote to memory of 4836	416	Update.exe	cmd.exe
PID 416 wrote to memory of 4836	416	Update.exe	cmd.exe
PID 416 wrote to memory of 2204	416	Update.exe	cmd.exe
PID 416 wrote to memory of 2204	416	Update.exe	cmd.exe
PID 416 wrote to memory of 4260	416	Update.exe	schtasks.exe
PID 416 wrote to memory of 4260	416	Update.exe	schtasks.exe
PID 2204 wrote to memory of 4316	2204	cmd.exe	reg.exe
PID 2204 wrote to memory of 4316	2204	cmd.exe	reg.exe
PID 4208 wrote to memory of 1096	4208	cmd.exe	reg.exe
PID 4208 wrote to memory of 1096	4208	cmd.exe	reg.exe
PID 4836 wrote to memory of 2292	4836	cmd.exe	reg.exe
PID 4836 wrote to memory of 2292	4836	cmd.exe	reg.exe
PID 416 wrote to memory of 4228	416	Update.exe	Update.exe
PID 416 wrote to memory of 4228	416	Update.exe	Update.exe
PID 4228 wrote to memory of 2712	4228	Update.exe	cmd.exe
PID 4228 wrote to memory of 2712	4228	Update.exe	cmd.exe
PID 4228 wrote to memory of 1632	4228	Update.exe	cmd.exe
PID 4228 wrote to memory of 1632	4228	Update.exe	cmd.exe
PID 4228 wrote to memory of 3268	4228	Update.exe	cmd.exe
PID 4228 wrote to memory of 3268	4228	Update.exe	cmd.exe
PID 4228 wrote to memory of 2536	4228	Update.exe	schtasks.exe
PID 4228 wrote to memory of 2536	4228	Update.exe	schtasks.exe
PID 3268 wrote to memory of 232	3268	cmd.exe	reg.exe
PID 3268 wrote to memory of 232	3268	cmd.exe	reg.exe
PID 2712 wrote to memory of 3976	2712	cmd.exe	reg.exe
PID 2712 wrote to memory of 3976	2712	cmd.exe	reg.exe
PID 1632 wrote to memory of 4076	1632	cmd.exe	reg.exe
PID 1632 wrote to memory of 4076	1632	cmd.exe	reg.exe
PID 4228 wrote to memory of 2452	4228	Update.exe	Update.exe
PID 4228 wrote to memory of 2452	4228	Update.exe	Update.exe
PID 2452 wrote to memory of 1812	2452	Update.exe	cmd.exe
PID 2452 wrote to memory of 1812	2452	Update.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e18ec27f09521152664d6a5aad14f03e.exe
"C:\Users\Admin\AppData\Local\Temp\e18ec27f09521152664d6a5aad14f03e.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
2⤵
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
3⤵
- Modifies registry class
PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
2⤵
- Suspicious use of WriteProcessMemory
PID:3532

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
3⤵
- Modifies registry class
PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
2⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\system32\reg.exe
REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
3⤵
PID:3720

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"
2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
3⤵
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
4⤵
- Modifies registry class
PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
3⤵
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
4⤵
- Modifies registry class
PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
3⤵
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\system32\reg.exe
REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
4⤵
PID:1968

C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /create /tn WindowsUpdateIt /tr "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe\" " /sc minute /f
3⤵
- Creates scheduled task(s)
PID:1632

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"
3⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
4⤵
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
5⤵
- Modifies registry class
PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
4⤵
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
5⤵
- Modifies registry class
PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
4⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\system32\reg.exe
REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
5⤵
PID:4316

C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /create /tn WindowsUpdateIt /tr "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe\" " /sc minute /f
4⤵
- Creates scheduled task(s)
PID:4260

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"
4⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
5⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
6⤵
- Modifies registry class
PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
5⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
6⤵
- Modifies registry class
PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
5⤵
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\system32\reg.exe
REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
6⤵
PID:232

C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /create /tn WindowsUpdateIt /tr "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe\" " /sc minute /f
5⤵
- Creates scheduled task(s)
PID:2536

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"
5⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
6⤵
PID:1812

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
7⤵
- Modifies registry class
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
6⤵
PID:644

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
7⤵
- Modifies registry class
PID:3332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
6⤵
PID:2184

C:\Windows\system32\reg.exe
REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
7⤵
PID:3896

C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /create /tn WindowsUpdateIt /tr "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe\" " /sc minute /f
6⤵
- Creates scheduled task(s)
PID:4756

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"
6⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
7⤵
PID:4992

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
8⤵
- Modifies registry class
PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
7⤵
PID:3948

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
8⤵
- Modifies registry class
PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
7⤵
PID:5004

C:\Windows\system32\reg.exe
REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
8⤵
PID:3724

C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /create /tn WindowsUpdateIt /tr "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe\" " /sc minute /f
7⤵
- Creates scheduled task(s)
PID:804

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"
7⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
8⤵
PID:3924

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
9⤵
- Modifies registry class
PID:3208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
8⤵
PID:4192

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
9⤵
- Modifies registry class
PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
8⤵
PID:4756

C:\Windows\system32\reg.exe
REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
9⤵
PID:2052

C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /create /tn WindowsUpdateIt /tr "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe\" " /sc minute /f
8⤵
- Creates scheduled task(s)
PID:4532

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"
8⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
9⤵
PID:2948

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
10⤵
- Modifies registry class
PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
9⤵
PID:2604

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
10⤵
- Modifies registry class
PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
9⤵
PID:1992

C:\Windows\system32\reg.exe
REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
10⤵
PID:2500

C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /create /tn WindowsUpdateIt /tr "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe\" " /sc minute /f
9⤵
- Creates scheduled task(s)
PID:4404

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"
9⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
10⤵
PID:5020

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
11⤵
- Modifies registry class
PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
10⤵
PID:4924

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
11⤵
- Modifies registry class
PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
10⤵
PID:3592

C:\Windows\system32\reg.exe
REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
11⤵
PID:1908

C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /create /tn WindowsUpdateIt /tr "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe\" " /sc minute /f
10⤵
- Creates scheduled task(s)
PID:440

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"
10⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
11⤵
PID:4852

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
12⤵
- Modifies registry class
PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
11⤵
PID:912

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
12⤵
- Modifies registry class
PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
11⤵
PID:3488

C:\Windows\system32\reg.exe
REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
12⤵
PID:3984

C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /create /tn WindowsUpdateIt /tr "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe\" " /sc minute /f
11⤵
- Creates scheduled task(s)
PID:4048

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"
11⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
12⤵
PID:4380

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
13⤵
- Modifies registry class
PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
12⤵
PID:1500

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
13⤵
- Modifies registry class
PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
12⤵
PID:2604

C:\Windows\system32\reg.exe
REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
13⤵
PID:4748

C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /create /tn WindowsUpdateIt /tr "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe\" " /sc minute /f
12⤵
- Creates scheduled task(s)
PID:1108

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"
12⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
13⤵
PID:5064

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
14⤵
- Modifies registry class
PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
13⤵
PID:4788

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
14⤵
- Modifies registry class
PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
13⤵
PID:2732

C:\Windows\system32\reg.exe
REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
14⤵
PID:3668

C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /create /tn WindowsUpdateIt /tr "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe\" " /sc minute /f
13⤵
- Creates scheduled task(s)
PID:3344

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"
13⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
14⤵
PID:2340

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
15⤵
- Modifies registry class
PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
14⤵
PID:3116

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
15⤵
- Modifies registry class
PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
14⤵
PID:4008

C:\Windows\system32\reg.exe
REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
15⤵
PID:2664

C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /create /tn WindowsUpdateIt /tr "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe\" " /sc minute /f
14⤵
- Creates scheduled task(s)
PID:2456

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"
14⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
15⤵
PID:1032

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\mscfile\Shell\Open\command /t REG_SZ /f /d "
16⤵
- Modifies registry class
PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
15⤵
PID:700

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /t REG_SZ /f /d "
16⤵
- Modifies registry class
PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
15⤵
PID:2172

C:\Windows\system32\reg.exe
REG delete HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command /f /v DelegateExecute
16⤵
PID:4176

C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /create /tn WindowsUpdateIt /tr "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe\" " /sc minute /f
15⤵
- Creates scheduled task(s)
PID:2988

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Update.exe.log
Filesize
1KB

MD5
f6d83cb3ec0cf035c26b86a8009ab714

SHA1
9c2d16be04908f2d28ce66b41ca4487b618534b3

SHA256
2abe8a8f5bc11a760fed80a31be099fc4ffe88cf786ccec2d6b0610877910212

SHA512
9f94dfc2f18ab2130698724a6a6e54c3ddb4f7695b60e71eaee9b2ed0ca09fdc30830bf70de450814260c771674988999b8b94bf78dec6cbb068c8bd073b1696

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft\Update.exe
Filesize
173KB

MD5
e18ec27f09521152664d6a5aad14f03e

SHA1
747bbc767b7a4aedc13a6b2d2f0a8a63363fc91c

SHA256
1ee3e5b5f7b2deb6182a591e94890786e404054e536dc468960d941c733d1e00

SHA512
3180a6de45526927ea7099b52a7c191ac1e4e6bff1fb55f1e03f7369ef6a316ff7a93ee533aa587c0ecb03e3f604e449ae8fd8547bd99aff7ea8382e98d4138b

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
214B

MD5
1d5b73b1aba270a6b6d36aefea898e01

SHA1
dec93ea81f69e1ff12d93cd40d76a1c339430bbc

SHA256
4799790bae91e31f69bb8148df60c8b2c28cd85fde380b1789f43d0686725b11

SHA512
51c8cc15b0cc4766353c7852ea78a56b8a23adbc189cb73cbb2c3198a0c29f3c9746411a313715756edc83331d13e238ae72c2f377c554edb3a36a49c870f285

Download Submit
memory/416-40-0x0000028974860000-0x0000028974960000-memory.dmp

Filesize
1024KB

Download
memory/416-39-0x0000028974460000-0x0000028974470000-memory.dmp

Filesize
64KB

Download
memory/416-38-0x0000028974460000-0x0000028974470000-memory.dmp

Filesize
64KB

Download
memory/416-41-0x00007FFAC7BF0000-0x00007FFAC86B1000-memory.dmp

Filesize
10.8MB

Download
memory/416-43-0x0000028974860000-0x0000028974960000-memory.dmp

Filesize
1024KB

Download
memory/416-37-0x0000028974460000-0x0000028974470000-memory.dmp

Filesize
64KB

Download
memory/416-42-0x0000028974860000-0x0000028974960000-memory.dmp

Filesize
1024KB

Download
memory/416-32-0x00007FFAC7BF0000-0x00007FFAC86B1000-memory.dmp

Filesize
10.8MB

Download
memory/416-34-0x0000028974460000-0x0000028974470000-memory.dmp

Filesize
64KB

Download
memory/416-33-0x000002895A320000-0x000002895A336000-memory.dmp

Filesize
88KB

Download
memory/416-45-0x00007FFAC7BF0000-0x00007FFAC86B1000-memory.dmp

Filesize
10.8MB

Download
memory/2452-70-0x000002F42EF20000-0x000002F42F020000-memory.dmp

Filesize
1024KB

Download
memory/2452-60-0x00007FFAC7BF0000-0x00007FFAC86B1000-memory.dmp

Filesize
10.8MB

Download
memory/2452-61-0x000002F42ECB0000-0x000002F42ECC0000-memory.dmp

Filesize
64KB

Download
memory/2452-64-0x000002F42ECB0000-0x000002F42ECC0000-memory.dmp

Filesize
64KB

Download
memory/2452-65-0x000002F42ECB0000-0x000002F42ECC0000-memory.dmp

Filesize
64KB

Download
memory/2452-66-0x000002F42ECB0000-0x000002F42ECC0000-memory.dmp

Filesize
64KB

Download
memory/2452-67-0x000002F42EF20000-0x000002F42F020000-memory.dmp

Filesize
1024KB

Download
memory/2452-68-0x000002F42EF20000-0x000002F42F020000-memory.dmp

Filesize
1024KB

Download
memory/2452-69-0x00007FFAC7BF0000-0x00007FFAC86B1000-memory.dmp

Filesize
10.8MB

Download
memory/2452-71-0x000002F42EF20000-0x000002F42F020000-memory.dmp

Filesize
1024KB

Download
memory/2452-73-0x00007FFAC7BF0000-0x00007FFAC86B1000-memory.dmp

Filesize
10.8MB

Download
memory/3332-85-0x00007FFAC7BF0000-0x00007FFAC86B1000-memory.dmp

Filesize
10.8MB

Download
memory/3332-86-0x000001D2C5E90000-0x000001D2C5EA0000-memory.dmp

Filesize
64KB

Download
memory/3332-87-0x00007FFAC7BF0000-0x00007FFAC86B1000-memory.dmp

Filesize
10.8MB

Download
memory/4228-50-0x0000028CCE030000-0x0000028CCE040000-memory.dmp

Filesize
64KB

Download
memory/4228-57-0x0000028CE85C0000-0x0000028CE86C0000-memory.dmp

Filesize
1024KB

Download
memory/4228-46-0x00007FFAC7BF0000-0x00007FFAC86B1000-memory.dmp

Filesize
10.8MB

Download
memory/4228-47-0x0000028CCE030000-0x0000028CCE040000-memory.dmp

Filesize
64KB

Download
memory/4228-59-0x00007FFAC7BF0000-0x00007FFAC86B1000-memory.dmp

Filesize
10.8MB

Download
memory/4228-51-0x0000028CCE030000-0x0000028CCE040000-memory.dmp

Filesize
64KB

Download
memory/4228-52-0x0000028CCE030000-0x0000028CCE040000-memory.dmp

Filesize
64KB

Download
memory/4228-53-0x0000028CCE030000-0x0000028CCE040000-memory.dmp

Filesize
64KB

Download
memory/4228-54-0x0000028CCE030000-0x0000028CCE040000-memory.dmp

Filesize
64KB

Download
memory/4228-55-0x0000028CE85C0000-0x0000028CE86C0000-memory.dmp

Filesize
1024KB

Download
memory/4228-56-0x0000028CE85C0000-0x0000028CE86C0000-memory.dmp

Filesize
1024KB

Download
memory/4352-80-0x0000010FCC1B0000-0x0000010FCC1C0000-memory.dmp

Filesize
64KB

Download
memory/4352-82-0x0000010FCC1B0000-0x0000010FCC1C0000-memory.dmp

Filesize
64KB

Download
memory/4352-92-0x00007FFAC7BF0000-0x00007FFAC86B1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-90-0x0000010FCC4F0000-0x0000010FCC5F0000-memory.dmp

Filesize
1024KB

Download
memory/4352-89-0x00007FFAC7BF0000-0x00007FFAC86B1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-88-0x0000010FCC4F0000-0x0000010FCC5F0000-memory.dmp

Filesize
1024KB

Download
memory/4352-83-0x0000010FCC4F0000-0x0000010FCC5F0000-memory.dmp

Filesize
1024KB

Download
memory/4352-81-0x0000010FCC1B0000-0x0000010FCC1C0000-memory.dmp

Filesize
64KB

Download
memory/4352-79-0x0000010FCC1B0000-0x0000010FCC1C0000-memory.dmp

Filesize
64KB

Download
memory/4352-78-0x0000010FCC1B0000-0x0000010FCC1C0000-memory.dmp

Filesize
64KB

Download
memory/4352-75-0x0000010FCC1B0000-0x0000010FCC1C0000-memory.dmp

Filesize
64KB

Download
memory/4352-74-0x00007FFAC7BF0000-0x00007FFAC86B1000-memory.dmp

Filesize
10.8MB

Download
memory/4912-23-0x000001F54B2F0000-0x000001F54B300000-memory.dmp

Filesize
64KB

Download
memory/4912-24-0x000001F54B2F0000-0x000001F54B300000-memory.dmp

Filesize
64KB

Download
memory/4912-27-0x000001F5646E0000-0x000001F5647E0000-memory.dmp

Filesize
1024KB

Download
memory/4912-19-0x00007FFAC7BF0000-0x00007FFAC86B1000-memory.dmp

Filesize
10.8MB

Download
memory/4912-26-0x000001F5646E0000-0x000001F5647E0000-memory.dmp

Filesize
1024KB

Download
memory/4912-31-0x00007FFAC7BF0000-0x00007FFAC86B1000-memory.dmp

Filesize
10.8MB

Download
memory/4912-25-0x000001F5646E0000-0x000001F5647E0000-memory.dmp

Filesize
1024KB

Download
memory/4912-22-0x000001F54B2F0000-0x000001F54B300000-memory.dmp

Filesize
64KB

Download
memory/4912-20-0x000001F54B2F0000-0x000001F54B300000-memory.dmp

Filesize
64KB

Download
memory/4928-4-0x000001E8F65A0000-0x000001E8F65AC000-memory.dmp

Filesize
48KB

Download
memory/4928-3-0x00007FFAC7BF0000-0x00007FFAC86B1000-memory.dmp

Filesize
10.8MB

Download
memory/4928-1-0x000001E8F6580000-0x000001E8F6590000-memory.dmp

Filesize
64KB

Download
memory/4928-2-0x000001E8F6590000-0x000001E8F65A6000-memory.dmp

Filesize
88KB

Download
memory/4928-5-0x000001E8F6570000-0x000001E8F6580000-memory.dmp

Filesize
64KB

Download
memory/4928-0-0x000001E8F4830000-0x000001E8F4862000-memory.dmp

Filesize
200KB

Download
memory/4928-18-0x00007FFAC7BF0000-0x00007FFAC86B1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads