af204a3b364e15c8fff9e6a1adfce189e4267ea4ff2a49c116d10ba08c4bb605

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
Size

49KB
MD5

fd0e477f26eccd783d2819b1c35e4d40
SHA1

ace074e56e7f8875405cba17cdf48d4c053b37e5
SHA256

af204a3b364e15c8fff9e6a1adfce189e4267ea4ff2a49c116d10ba08c4bb605
SHA512

5d804fe7c5b500f58c4bf37e93b4f62766da5fc058d0f0cad02fd6903491ff45c91e1c1fba119c89290fc3a4f16626a78d100c635728ae6e5fdb27ac55d80ae9
SSDEEP

1536:Rffj6lx9QTW/dfhoBbWnkYswggDwx8ltmHUr9:RffMxv/dfwbj0RDo8l7

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2512 cmd.exe

pid	process
2512	cmd.exe

Executes dropped EXE 38 IoCs

Processes:

wuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exe

pid	process
2156	wuaucldt.exe
2696	wuaucldt.exe
2776	wuaucldt.exe
2512	wuaucldt.exe
2472	wuaucldt.exe
3040	wuaucldt.exe
2864	wuaucldt.exe
1804	wuaucldt.exe
920	wuaucldt.exe
2372	wuaucldt.exe
2376	wuaucldt.exe
2132	wuaucldt.exe
2804	wuaucldt.exe
780	wuaucldt.exe
656	wuaucldt.exe
528	wuaucldt.exe
1696	wuaucldt.exe
2340	wuaucldt.exe
1868	wuaucldt.exe
1500	wuaucldt.exe
880	wuaucldt.exe
2840	wuaucldt.exe
2128	wuaucldt.exe
1564	wuaucldt.exe
1592	wuaucldt.exe
868	wuaucldt.exe
1584	wuaucldt.exe
1708	wuaucldt.exe
2668	wuaucldt.exe
2728	wuaucldt.exe
2704	wuaucldt.exe
2604	wuaucldt.exe
2756	wuaucldt.exe
2424	wuaucldt.exe
2456	wuaucldt.exe
2848	wuaucldt.exe
2228	wuaucldt.exe
1544	wuaucldt.exe

Loads dropped DLL 64 IoCs

Processes:

fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exe

pid	process
2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
2156	wuaucldt.exe
2156	wuaucldt.exe
2156	wuaucldt.exe
2156	wuaucldt.exe
2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
2696	wuaucldt.exe
2696	wuaucldt.exe
2696	wuaucldt.exe
2776	wuaucldt.exe
2776	wuaucldt.exe
2776	wuaucldt.exe
2696	wuaucldt.exe
2512	wuaucldt.exe
2512	wuaucldt.exe
2512	wuaucldt.exe
2776	wuaucldt.exe
2472	wuaucldt.exe
2472	wuaucldt.exe
2472	wuaucldt.exe
2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
2512	wuaucldt.exe
3040	wuaucldt.exe
3040	wuaucldt.exe
3040	wuaucldt.exe
2864	wuaucldt.exe
2864	wuaucldt.exe
2864	wuaucldt.exe
3040	wuaucldt.exe
2696	wuaucldt.exe
1804	wuaucldt.exe
1804	wuaucldt.exe
1804	wuaucldt.exe
920	wuaucldt.exe
920	wuaucldt.exe
920	wuaucldt.exe
2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
2372	wuaucldt.exe
2372	wuaucldt.exe
2372	wuaucldt.exe
920	wuaucldt.exe
2372	wuaucldt.exe
2376	wuaucldt.exe
2376	wuaucldt.exe
2376	wuaucldt.exe
2132	wuaucldt.exe
2132	wuaucldt.exe
2132	wuaucldt.exe
2696	wuaucldt.exe
2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
2804	wuaucldt.exe
2804	wuaucldt.exe
2804	wuaucldt.exe
780	wuaucldt.exe
780	wuaucldt.exe
780	wuaucldt.exe
2804	wuaucldt.exe
780	wuaucldt.exe
656	wuaucldt.exe
656	wuaucldt.exe
656	wuaucldt.exe
528	wuaucldt.exe
528	wuaucldt.exe
528	wuaucldt.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1288-0-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral1/memory/1288-8-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral1/memory/2760-10-0x0000000000400000-0x0000000000414001-memory.dmp	upx
\Windows\SysWOW64\wuaucldt.exe	upx
behavioral1/memory/2760-18-0x0000000000260000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/2156-31-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral1/memory/2760-35-0x0000000000260000-0x0000000000275000-memory.dmp	upx
behavioral1/memory/2776-42-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral1/memory/2512-66-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral1/memory/2776-81-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral1/memory/2472-77-0x0000000000020000-0x0000000000035000-memory.dmp	upx
behavioral1/memory/2512-90-0x0000000000440000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2512-108-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral1/memory/3040-137-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral1/memory/2372-155-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral1/memory/920-196-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral1/memory/2372-199-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral1/memory/2472-172-0x0000000000020000-0x0000000000035000-memory.dmp	upx
behavioral1/memory/2372-151-0x0000000000020000-0x0000000000035000-memory.dmp	upx
behavioral1/memory/2804-204-0x0000000000020000-0x0000000000035000-memory.dmp	upx
behavioral1/memory/780-227-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral1/memory/656-225-0x0000000000020000-0x0000000000035000-memory.dmp	upx
behavioral1/memory/920-132-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral1/memory/2340-246-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral1/memory/1696-244-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral1/memory/2696-234-0x00000000001D0000-0x00000000001E5000-memory.dmp	upx
behavioral1/memory/780-233-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral1/memory/2804-231-0x0000000000400000-0x0000000000414001-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wuaucldt.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\windows\\system32\\wuaucldt.exe"	wuaucldt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\users\\admin\\wuaucldt.exe"	wuaucldt.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

svchost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 svchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 13 IoCs

Processes:

wuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exefd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exe

description	ioc	process
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File created	\??\c:\windows\SysWOW64\wuaucldt.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File created	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File created	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe

Suspicious use of SetThreadContext 21 IoCs

Processes:

description	pid	process	target process
PID 1288 set thread context of 2760	1288	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 2156 set thread context of 2696	2156	wuaucldt.exe	wuaucldt.exe
PID 2776 set thread context of 2472	2776	wuaucldt.exe	wuaucldt.exe
PID 2512 set thread context of 2864	2512	wuaucldt.exe	wuaucldt.exe
PID 2472 set thread context of 552	2472	wuaucldt.exe	svchost.exe
PID 3040 set thread context of 1804	3040	wuaucldt.exe	wuaucldt.exe
PID 920 set thread context of 2376	920	wuaucldt.exe	wuaucldt.exe
PID 2372 set thread context of 2132	2372	wuaucldt.exe	wuaucldt.exe
PID 2804 set thread context of 528	2804	wuaucldt.exe	wuaucldt.exe
PID 780 set thread context of 656	780	wuaucldt.exe	wuaucldt.exe
PID 2340 set thread context of 1868	2340	wuaucldt.exe	wuaucldt.exe
PID 1696 set thread context of 1500	1696	wuaucldt.exe	wuaucldt.exe
PID 880 set thread context of 2128	880	wuaucldt.exe	wuaucldt.exe
PID 2840 set thread context of 1564	2840	wuaucldt.exe	wuaucldt.exe
PID 1592 set thread context of 1584	1592	wuaucldt.exe	wuaucldt.exe
PID 868 set thread context of 1708	868	wuaucldt.exe	wuaucldt.exe
PID 2728 set thread context of 2704	2728	wuaucldt.exe	wuaucldt.exe
PID 2668 set thread context of 2604	2668	wuaucldt.exe	wuaucldt.exe
PID 2756 set thread context of 2456	2756	wuaucldt.exe	wuaucldt.exe
PID 2424 set thread context of 2848	2424	wuaucldt.exe	wuaucldt.exe
PID 2228 set thread context of 1544	2228	wuaucldt.exe	wuaucldt.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

pid	process
1288	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
2156	wuaucldt.exe
2776	wuaucldt.exe
2512	wuaucldt.exe
3040	wuaucldt.exe
920	wuaucldt.exe
2372	wuaucldt.exe
2804	wuaucldt.exe
780	wuaucldt.exe
2340	wuaucldt.exe
1696	wuaucldt.exe
880	wuaucldt.exe
2840	wuaucldt.exe
1592	wuaucldt.exe
868	wuaucldt.exe
2728	wuaucldt.exe
2668	wuaucldt.exe
2756	wuaucldt.exe
2424	wuaucldt.exe
2228	wuaucldt.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exefd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exewuaucldt.exewuaucldt.exewuaucldt.exe

description	pid	process	target process
PID 1288 wrote to memory of 2760	1288	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 1288 wrote to memory of 2760	1288	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 1288 wrote to memory of 2760	1288	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 1288 wrote to memory of 2760	1288	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 1288 wrote to memory of 2760	1288	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 1288 wrote to memory of 2760	1288	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 1288 wrote to memory of 2760	1288	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 1288 wrote to memory of 2760	1288	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 1288 wrote to memory of 2760	1288	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 1288 wrote to memory of 2760	1288	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 1288 wrote to memory of 2760	1288	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 1288 wrote to memory of 2760	1288	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 1288 wrote to memory of 2760	1288	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 2760 wrote to memory of 2156	2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 2760 wrote to memory of 2156	2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 2760 wrote to memory of 2156	2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 2760 wrote to memory of 2156	2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 2760 wrote to memory of 2156	2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 2760 wrote to memory of 2156	2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 2760 wrote to memory of 2156	2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 2156 wrote to memory of 2696	2156	wuaucldt.exe	wuaucldt.exe
PID 2156 wrote to memory of 2696	2156	wuaucldt.exe	wuaucldt.exe
PID 2156 wrote to memory of 2696	2156	wuaucldt.exe	wuaucldt.exe
PID 2156 wrote to memory of 2696	2156	wuaucldt.exe	wuaucldt.exe
PID 2156 wrote to memory of 2696	2156	wuaucldt.exe	wuaucldt.exe
PID 2156 wrote to memory of 2696	2156	wuaucldt.exe	wuaucldt.exe
PID 2156 wrote to memory of 2696	2156	wuaucldt.exe	wuaucldt.exe
PID 2156 wrote to memory of 2696	2156	wuaucldt.exe	wuaucldt.exe
PID 2156 wrote to memory of 2696	2156	wuaucldt.exe	wuaucldt.exe
PID 2156 wrote to memory of 2696	2156	wuaucldt.exe	wuaucldt.exe
PID 2156 wrote to memory of 2696	2156	wuaucldt.exe	wuaucldt.exe
PID 2156 wrote to memory of 2696	2156	wuaucldt.exe	wuaucldt.exe
PID 2156 wrote to memory of 2696	2156	wuaucldt.exe	wuaucldt.exe
PID 2760 wrote to memory of 2776	2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 2760 wrote to memory of 2776	2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 2760 wrote to memory of 2776	2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 2760 wrote to memory of 2776	2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 2760 wrote to memory of 2776	2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 2760 wrote to memory of 2776	2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 2760 wrote to memory of 2776	2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 2696 wrote to memory of 2512	2696	wuaucldt.exe	cmd.exe
PID 2696 wrote to memory of 2512	2696	wuaucldt.exe	cmd.exe
PID 2696 wrote to memory of 2512	2696	wuaucldt.exe	cmd.exe
PID 2696 wrote to memory of 2512	2696	wuaucldt.exe	cmd.exe
PID 2696 wrote to memory of 2512	2696	wuaucldt.exe	cmd.exe
PID 2696 wrote to memory of 2512	2696	wuaucldt.exe	cmd.exe
PID 2696 wrote to memory of 2512	2696	wuaucldt.exe	cmd.exe
PID 2776 wrote to memory of 2472	2776	wuaucldt.exe	wuaucldt.exe
PID 2776 wrote to memory of 2472	2776	wuaucldt.exe	wuaucldt.exe
PID 2776 wrote to memory of 2472	2776	wuaucldt.exe	wuaucldt.exe
PID 2776 wrote to memory of 2472	2776	wuaucldt.exe	wuaucldt.exe
PID 2776 wrote to memory of 2472	2776	wuaucldt.exe	wuaucldt.exe
PID 2776 wrote to memory of 2472	2776	wuaucldt.exe	wuaucldt.exe
PID 2776 wrote to memory of 2472	2776	wuaucldt.exe	wuaucldt.exe
PID 2776 wrote to memory of 2472	2776	wuaucldt.exe	wuaucldt.exe
PID 2776 wrote to memory of 2472	2776	wuaucldt.exe	wuaucldt.exe
PID 2776 wrote to memory of 2472	2776	wuaucldt.exe	wuaucldt.exe
PID 2776 wrote to memory of 2472	2776	wuaucldt.exe	wuaucldt.exe
PID 2776 wrote to memory of 2472	2776	wuaucldt.exe	wuaucldt.exe
PID 2776 wrote to memory of 2472	2776	wuaucldt.exe	wuaucldt.exe
PID 2760 wrote to memory of 3040	2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 2760 wrote to memory of 3040	2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 2760 wrote to memory of 3040	2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 2760 wrote to memory of 3040	2760	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe

C:\Users\Admin\AppData\Local\Temp\fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2760

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2696

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2512

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:920

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2804

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:528

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1696

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
6⤵
- Executes dropped EXE
PID:1500

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2840

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
6⤵
- Executes dropped EXE
PID:1564

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1592

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
6⤵
- Executes dropped EXE
PID:1584

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2728

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
6⤵
- Executes dropped EXE
PID:2704

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2756

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
6⤵
- Executes dropped EXE
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del c:\windows\syswow64\wuaucldt.exe
5⤵
PID:564

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:2472

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Writes to the Master Boot Record (MBR)
PID:552

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3040

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2372

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:780

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:656

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2340

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:1868

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:880

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:2128

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:868

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:1708

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2668

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:2604

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2424

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:2848

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2228

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del c:\users\admin\appdata\local\temp\FD0E47~1.EXE
3⤵
- Deletes itself
PID:2512

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wuaucldt.exe
Filesize
49KB

MD5
fd0e477f26eccd783d2819b1c35e4d40

SHA1
ace074e56e7f8875405cba17cdf48d4c053b37e5

SHA256
af204a3b364e15c8fff9e6a1adfce189e4267ea4ff2a49c116d10ba08c4bb605

SHA512
5d804fe7c5b500f58c4bf37e93b4f62766da5fc058d0f0cad02fd6903491ff45c91e1c1fba119c89290fc3a4f16626a78d100c635728ae6e5fdb27ac55d80ae9

Download Submit
memory/528-226-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/552-118-0x0000000000090000-0x0000000000099000-memory.dmp

Filesize
36KB

Download
memory/552-133-0x0000000000090000-0x0000000000099000-memory.dmp

Filesize
36KB

Download
memory/552-114-0x0000000000090000-0x0000000000099000-memory.dmp

Filesize
36KB

Download
memory/552-96-0x0000000000090000-0x0000000000099000-memory.dmp

Filesize
36KB

Download
memory/552-97-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/552-139-0x0000000000090000-0x0000000000099000-memory.dmp

Filesize
36KB

Download
memory/552-131-0x0000000000090000-0x0000000000099000-memory.dmp

Filesize
36KB

Download
memory/552-106-0x0000000000090000-0x0000000000099000-memory.dmp

Filesize
36KB

Download
memory/656-224-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/656-225-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/780-207-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/780-217-0x0000000000380000-0x0000000000395000-memory.dmp

Filesize
84KB

Download
memory/780-233-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/780-227-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/780-212-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/920-159-0x0000000000310000-0x0000000000325000-memory.dmp

Filesize
84KB

Download
memory/920-132-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/920-196-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/920-134-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/920-136-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/1288-0-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/1288-8-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/1288-7-0x0000000000310000-0x0000000000325000-memory.dmp

Filesize
84KB

Download
memory/1288-1-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/1288-2-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/1696-244-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/1696-235-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/1696-236-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/1804-127-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/1804-129-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/1804-130-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2132-188-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2156-31-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/2340-241-0x00000000001C0000-0x00000000001D5000-memory.dmp

Filesize
84KB

Download
memory/2340-246-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/2340-238-0x00000000001C0000-0x00000000001D5000-memory.dmp

Filesize
84KB

Download
memory/2372-155-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/2372-151-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2372-199-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/2376-186-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2376-184-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2472-75-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2472-78-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download
memory/2472-166-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2472-169-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2472-172-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2472-77-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2472-79-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2512-66-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/2512-108-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/2512-90-0x0000000000440000-0x0000000000455000-memory.dmp

Filesize
84KB

Download
memory/2696-41-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2696-198-0x00000000001D0000-0x00000000001E5000-memory.dmp

Filesize
84KB

Download
memory/2696-43-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download
memory/2696-62-0x00000000001D0000-0x00000000001E5000-memory.dmp

Filesize
84KB

Download
memory/2696-234-0x00000000001D0000-0x00000000001E5000-memory.dmp

Filesize
84KB

Download
memory/2696-148-0x00000000001D0000-0x00000000001E5000-memory.dmp

Filesize
84KB

Download
memory/2760-61-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2760-35-0x0000000000260000-0x0000000000275000-memory.dmp

Filesize
84KB

Download
memory/2760-201-0x0000000000260000-0x0000000000275000-memory.dmp

Filesize
84KB

Download
memory/2760-5-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download
memory/2760-10-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/2760-190-0x0000000000260000-0x0000000000275000-memory.dmp

Filesize
84KB

Download
memory/2760-9-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download
memory/2760-13-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2760-14-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2760-12-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download
memory/2760-18-0x0000000000260000-0x0000000000275000-memory.dmp

Filesize
84KB

Download
memory/2760-140-0x0000000000260000-0x0000000000275000-memory.dmp

Filesize
84KB

Download
memory/2776-69-0x00000000002F0000-0x0000000000305000-memory.dmp

Filesize
84KB

Download
memory/2776-49-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2776-42-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/2776-50-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2776-81-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/2804-204-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2804-231-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/2864-102-0x0000000000230000-0x0000000000245000-memory.dmp

Filesize
84KB

Download
memory/2864-105-0x0000000000230000-0x0000000000245000-memory.dmp

Filesize
84KB

Download
memory/2864-200-0x0000000000230000-0x0000000000245000-memory.dmp

Filesize
84KB

Download
memory/3040-93-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/3040-137-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download