darkcomet | 0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

Analysis

max time kernel
39s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Blackkomet.exe
Size

756KB
MD5

c7dcd585b7e8b046f209052bcd6dd84b
SHA1

604dcfae9eed4f65c80a4a39454db409291e08fa
SHA256

0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48
SHA512

c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2
SSDEEP

12288:XOANXryu1S69QwWBIlVi4o858nFBKgmvtOwUATgDQ3:eANOCS6qwWB0V5o8mnqvtrdgDQ3

Score

10^/10

darkcomet evasion persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Blackkomet.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Sets file to hidden 1 TTPs 58 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
5904	attrib.exe
5048	attrib.exe
3152	attrib.exe
5864	attrib.exe
564	attrib.exe
3888	attrib.exe
3692	attrib.exe
4248	attrib.exe
5316	attrib.exe
5856	attrib.exe
6064	attrib.exe
5408	attrib.exe
4972	attrib.exe
5256	attrib.exe
6324	attrib.exe
4320	attrib.exe
4404	attrib.exe
2612	attrib.exe
1004	attrib.exe
3532	attrib.exe
3164	attrib.exe
560	attrib.exe
5060	attrib.exe
5324	attrib.exe
6056	attrib.exe
1884	attrib.exe
1188	attrib.exe
4088	attrib.exe
5588	attrib.exe
3992	attrib.exe
5808	attrib.exe
4076	attrib.exe
4340	attrib.exe
4788	attrib.exe
4892	attrib.exe
5596	attrib.exe
6032	attrib.exe
5808	attrib.exe
6332	attrib.exe
3528	attrib.exe
332	attrib.exe
4292	attrib.exe
1212	attrib.exe
4764	attrib.exe
1192	attrib.exe
2600	attrib.exe
5972	attrib.exe
3884	attrib.exe
5928	attrib.exe
2568	attrib.exe
3384	attrib.exe
3948	attrib.exe
1212	attrib.exe
5412	attrib.exe
6132	attrib.exe
6068	attrib.exe
3692	attrib.exe
5112	attrib.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winupdate.exeBlackkomet.exewinupdate.exewinupdate.exewinupdate.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Blackkomet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	winupdate.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid	Process
4424	notepad.exe

Executes dropped EXE 4 IoCs

Processes:

winupdate.exewinupdate.exewinupdate.exewinupdate.exe

pid	Process
3132	winupdate.exe
2704	winupdate.exe
4224	winupdate.exe
1316	winupdate.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Blackkomet.exewinupdate.exenotepad.exenotepad.exewinupdate.exenotepad.exewinupdate.exenotepad.exewinupdate.exenotepad.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe

Drops file in System32 directory 28 IoCs

Processes:

Blackkomet.exewinupdate.exewinupdate.exeattrib.exeattrib.exeattrib.exenotepad.exeattrib.exenotepad.exeattrib.exenotepad.exewinupdate.exenotepad.exeattrib.exeattrib.exenotepad.exewinupdate.exeattrib.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
6212	5968	WerFault.exe	292
6220	2604	WerFault.exe	290

Modifies registry class 5 IoCs

Processes:

winupdate.exewinupdate.exeBlackkomet.exewinupdate.exewinupdate.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Blackkomet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Blackkomet.exewinupdate.exewinupdate.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3588	Blackkomet.exe
Token: SeSecurityPrivilege	3588	Blackkomet.exe
Token: SeTakeOwnershipPrivilege	3588	Blackkomet.exe
Token: SeLoadDriverPrivilege	3588	Blackkomet.exe
Token: SeSystemProfilePrivilege	3588	Blackkomet.exe
Token: SeSystemtimePrivilege	3588	Blackkomet.exe
Token: SeProfSingleProcessPrivilege	3588	Blackkomet.exe
Token: SeIncBasePriorityPrivilege	3588	Blackkomet.exe
Token: SeCreatePagefilePrivilege	3588	Blackkomet.exe
Token: SeBackupPrivilege	3588	Blackkomet.exe
Token: SeRestorePrivilege	3588	Blackkomet.exe
Token: SeShutdownPrivilege	3588	Blackkomet.exe
Token: SeDebugPrivilege	3588	Blackkomet.exe
Token: SeSystemEnvironmentPrivilege	3588	Blackkomet.exe
Token: SeChangeNotifyPrivilege	3588	Blackkomet.exe
Token: SeRemoteShutdownPrivilege	3588	Blackkomet.exe
Token: SeUndockPrivilege	3588	Blackkomet.exe
Token: SeManageVolumePrivilege	3588	Blackkomet.exe
Token: SeImpersonatePrivilege	3588	Blackkomet.exe
Token: SeCreateGlobalPrivilege	3588	Blackkomet.exe
Token: 33	3588	Blackkomet.exe
Token: 34	3588	Blackkomet.exe
Token: 35	3588	Blackkomet.exe
Token: 36	3588	Blackkomet.exe
Token: SeIncreaseQuotaPrivilege	3132	winupdate.exe
Token: SeSecurityPrivilege	3132	winupdate.exe
Token: SeTakeOwnershipPrivilege	3132	winupdate.exe
Token: SeLoadDriverPrivilege	3132	winupdate.exe
Token: SeSystemProfilePrivilege	3132	winupdate.exe
Token: SeSystemtimePrivilege	3132	winupdate.exe
Token: SeProfSingleProcessPrivilege	3132	winupdate.exe
Token: SeIncBasePriorityPrivilege	3132	winupdate.exe
Token: SeCreatePagefilePrivilege	3132	winupdate.exe
Token: SeBackupPrivilege	3132	winupdate.exe
Token: SeRestorePrivilege	3132	winupdate.exe
Token: SeShutdownPrivilege	3132	winupdate.exe
Token: SeDebugPrivilege	3132	winupdate.exe
Token: SeSystemEnvironmentPrivilege	3132	winupdate.exe
Token: SeChangeNotifyPrivilege	3132	winupdate.exe
Token: SeRemoteShutdownPrivilege	3132	winupdate.exe
Token: SeUndockPrivilege	3132	winupdate.exe
Token: SeManageVolumePrivilege	3132	winupdate.exe
Token: SeImpersonatePrivilege	3132	winupdate.exe
Token: SeCreateGlobalPrivilege	3132	winupdate.exe
Token: 33	3132	winupdate.exe
Token: 34	3132	winupdate.exe
Token: 35	3132	winupdate.exe
Token: 36	3132	winupdate.exe
Token: SeIncreaseQuotaPrivilege	2704	winupdate.exe
Token: SeSecurityPrivilege	2704	winupdate.exe
Token: SeTakeOwnershipPrivilege	2704	winupdate.exe
Token: SeLoadDriverPrivilege	2704	winupdate.exe
Token: SeSystemProfilePrivilege	2704	winupdate.exe
Token: SeSystemtimePrivilege	2704	winupdate.exe
Token: SeProfSingleProcessPrivilege	2704	winupdate.exe
Token: SeIncBasePriorityPrivilege	2704	winupdate.exe
Token: SeCreatePagefilePrivilege	2704	winupdate.exe
Token: SeBackupPrivilege	2704	winupdate.exe
Token: SeRestorePrivilege	2704	winupdate.exe
Token: SeShutdownPrivilege	2704	winupdate.exe
Token: SeDebugPrivilege	2704	winupdate.exe
Token: SeSystemEnvironmentPrivilege	2704	winupdate.exe
Token: SeChangeNotifyPrivilege	2704	winupdate.exe
Token: SeRemoteShutdownPrivilege	2704	winupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Blackkomet.exewinupdate.exe

description	pid	Process	procid_target
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 4976	3588	Blackkomet.exe	92
PID 3588 wrote to memory of 3528	3588	Blackkomet.exe	93
PID 3588 wrote to memory of 3528	3588	Blackkomet.exe	93
PID 3588 wrote to memory of 3528	3588	Blackkomet.exe	93
PID 3588 wrote to memory of 3992	3588	Blackkomet.exe	94
PID 3588 wrote to memory of 3992	3588	Blackkomet.exe	94
PID 3588 wrote to memory of 3992	3588	Blackkomet.exe	94
PID 3588 wrote to memory of 3132	3588	Blackkomet.exe	97
PID 3588 wrote to memory of 3132	3588	Blackkomet.exe	97
PID 3588 wrote to memory of 3132	3588	Blackkomet.exe	97
PID 3588 wrote to memory of 4424	3588	Blackkomet.exe	98
PID 3588 wrote to memory of 4424	3588	Blackkomet.exe	98
PID 3588 wrote to memory of 4424	3588	Blackkomet.exe	98
PID 3588 wrote to memory of 4424	3588	Blackkomet.exe	98
PID 3588 wrote to memory of 4424	3588	Blackkomet.exe	98
PID 3588 wrote to memory of 4424	3588	Blackkomet.exe	98
PID 3588 wrote to memory of 4424	3588	Blackkomet.exe	98
PID 3588 wrote to memory of 4424	3588	Blackkomet.exe	98
PID 3588 wrote to memory of 4424	3588	Blackkomet.exe	98
PID 3588 wrote to memory of 4424	3588	Blackkomet.exe	98
PID 3588 wrote to memory of 4424	3588	Blackkomet.exe	98
PID 3588 wrote to memory of 4424	3588	Blackkomet.exe	98
PID 3588 wrote to memory of 4424	3588	Blackkomet.exe	98
PID 3588 wrote to memory of 4424	3588	Blackkomet.exe	98
PID 3588 wrote to memory of 4424	3588	Blackkomet.exe	98
PID 3588 wrote to memory of 4424	3588	Blackkomet.exe	98
PID 3588 wrote to memory of 4424	3588	Blackkomet.exe	98
PID 3132 wrote to memory of 3180	3132	winupdate.exe	99
PID 3132 wrote to memory of 3180	3132	winupdate.exe	99
PID 3132 wrote to memory of 3180	3132	winupdate.exe	99
PID 3132 wrote to memory of 3180	3132	winupdate.exe	99
PID 3132 wrote to memory of 3180	3132	winupdate.exe	99
PID 3132 wrote to memory of 3180	3132	winupdate.exe	99
PID 3132 wrote to memory of 3180	3132	winupdate.exe	99
PID 3132 wrote to memory of 3180	3132	winupdate.exe	99
PID 3132 wrote to memory of 3180	3132	winupdate.exe	99
PID 3132 wrote to memory of 3180	3132	winupdate.exe	99
PID 3132 wrote to memory of 3180	3132	winupdate.exe	99
PID 3132 wrote to memory of 3180	3132	winupdate.exe	99
PID 3132 wrote to memory of 3180	3132	winupdate.exe	99
PID 3132 wrote to memory of 3180	3132	winupdate.exe	99
PID 3132 wrote to memory of 3180	3132	winupdate.exe	99

Views/modifies file attributes 1 TTPs 58 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

pid	Process
1188	attrib.exe
2568	attrib.exe
5412	attrib.exe
4972	attrib.exe
5112	attrib.exe
3152	attrib.exe
6064	attrib.exe
3528	attrib.exe
5588	attrib.exe
4764	attrib.exe
3948	attrib.exe
2612	attrib.exe
5324	attrib.exe
5864	attrib.exe
1192	attrib.exe
4076	attrib.exe
5808	attrib.exe
332	attrib.exe
5060	attrib.exe
6132	attrib.exe
5256	attrib.exe
6332	attrib.exe
3384	attrib.exe
4788	attrib.exe
5408	attrib.exe
5972	attrib.exe
4340	attrib.exe
2600	attrib.exe
3164	attrib.exe
3884	attrib.exe
3888	attrib.exe
5316	attrib.exe
5596	attrib.exe
1884	attrib.exe
4088	attrib.exe
3692	attrib.exe
3532	attrib.exe
4892	attrib.exe
1004	attrib.exe
6068	attrib.exe
3692	attrib.exe
564	attrib.exe
5048	attrib.exe
5856	attrib.exe
6056	attrib.exe
5904	attrib.exe
6324	attrib.exe
4248	attrib.exe
560	attrib.exe
1212	attrib.exe
6032	attrib.exe
4320	attrib.exe
5808	attrib.exe
1212	attrib.exe
4404	attrib.exe
5928	attrib.exe
4292	attrib.exe
3992	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Blackkomet.exe
"C:\Users\Admin\AppData\Local\Temp\Blackkomet.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:4976
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\AppData\Local\Temp\Blackkomet.exe" +s +h
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3528
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3992
- C:\Windows\SysWOW64\Windupdt\winupdate.exe
  "C:\Windows\system32\Windupdt\winupdate.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:3180
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1212
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt" +s +h
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:3384
- - C:\Windows\SysWOW64\Windupdt\winupdate.exe
    "C:\Windows\system32\Windupdt\winupdate.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      Adds Run key to start application
      Drops file in System32 directory
      PID:4924
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      Views/modifies file attributes
      PID:1884
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt" +s +h
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      Views/modifies file attributes
      PID:4972
  - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
      "C:\Windows\system32\Windupdt\winupdate.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Modifies registry class
      PID:4224
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4612
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:4404
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3884
    - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1316
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2164
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        6⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:564
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        6⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3164
      - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        6⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3532
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        7⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        8⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3888
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        8⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        9⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3692
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        9⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        10⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1192
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        10⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        11⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        11⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        11⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4248
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        11⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        12⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        12⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        12⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5112
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        12⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        13⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        13⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        13⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2568
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        13⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        14⤵
        
        PID:404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        14⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        14⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3948
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        14⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        15⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        15⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        15⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4892
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        15⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        16⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        16⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        16⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1004
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        16⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        17⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        17⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        17⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5060
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        17⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        18⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        18⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        18⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5324
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        18⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        19⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        19⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        19⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5596
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        19⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        20⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        20⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        20⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5864
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        20⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        21⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        21⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        21⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6064
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        21⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        22⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        22⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        22⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5408
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        22⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        23⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        23⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        23⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5904
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        23⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        24⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        24⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        24⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4292
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        24⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        25⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        25⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        25⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6132
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        25⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        26⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        26⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        26⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6032
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        26⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        27⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        27⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        27⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4320
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        27⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        28⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        28⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        28⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4076
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        28⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        29⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 416
        30⤵
        Program crash
        
        PID:6212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        29⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        29⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5808
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        29⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        30⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        30⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        30⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6332
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        30⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        30⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        29⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        28⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 196
        29⤵
        Program crash
        
        PID:6220
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        27⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        26⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        25⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        24⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        23⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        22⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        21⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        20⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        19⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        18⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        17⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        16⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        15⤵
        
        PID:772
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        14⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        13⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        12⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        11⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        10⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        9⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        8⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        7⤵
        
        PID:1556
      - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        6⤵
        
        PID:4512
    - - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        5⤵
        
        PID:3392
  - - C:\Windows\SysWOW64\notepad.exe
      C:\Windows\SysWOW64\notepad.exe
      4⤵
      PID:1768
- - C:\Windows\SysWOW64\notepad.exe
    C:\Windows\SysWOW64\notepad.exe
    3⤵
    PID:2856
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  2⤵
  - Deletes itself
  PID:4424

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 1894b6be7a5151bfe2161b376572ca17 kmhooMnpHES564NUJPBMMw.0.1.0.0.0
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5968 -ip 5968
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2604 -ip 2604
1⤵
PID:6148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
128KB

MD5
efd77fe811540752799ccb4fb7d99115

SHA1
5e625631793c90b07e39b10f0b7bceea3207d2f4

SHA256
453d83f98f2a9ff482943e53f08b9a87b35fec69c56bdc7b0106ae6f98d9099b

SHA512
ba3a82c08d0b690848c10ce126845b60bf33b9c1bcc264e048f412010437ba8cffd6a686a0c5001e13e7929f0a35c51b7585f91ccccfe3abf27515e77e584c0b

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
756KB

MD5
c7dcd585b7e8b046f209052bcd6dd84b

SHA1
604dcfae9eed4f65c80a4a39454db409291e08fa

SHA256
0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

SHA512
c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

Download Submit
memory/1272-58-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/1316-54-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/2704-46-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3132-42-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3348-118-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3548-94-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3580-69-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3588-37-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3588-0-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3624-90-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3656-78-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3712-62-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3728-86-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3780-82-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3984-98-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/4024-66-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/4224-50-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/4424-35-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/4976-2-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/5076-74-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/5236-102-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/5520-106-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/5772-110-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/5988-114-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download