Analysis
  max time kernel: 150s
  max time network: 118s
  platform: windows7_x64
  resource: win7-20240708-en
  resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted: 16/07/2024, 10:40
Static task: static1
Behavioral task: behavioral1
  Sample: 4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
  Target: 4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe
  Size: 1.1MB
  MD5: 4df4bc013741f7da95435c1c30cd2fc5
  SHA1: 8a98e07431b9997734e67537cb3ebc257759c8f1
  SHA256: 9306d0e0b32e1d6d5676704ca163f09f7660987d1dfdd4e74e46271bc2af1b87
  SHA512: fde7d1d7c30257db06e6ee5d3b94531a9cb594016df5290cc33565434096fd3db567ec2e9cf04e820aafffc8f9d93f592b4b19a1a8cee1649409f9d9da3a0134
  SSDEEP: 12288:XOhIFzU/bZ4ziPnVG8UmWa6eZNoCrVhSQr8Qoa+/MHLcwe4qoNTUsBGulHHYp1yh:XOhiwOiPVnVvHxr3DHFeMFhHiG
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Winlogon runs every executable listed in the UserInit value at each interactive logon, so appending a path after userinit.exe gives the dropped binary a logon-time autostart that survives reboots.
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate\\WindowsUpdate.exe"  [4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe]
Modifies firewall policy service 3 TTPs 6 IoCs
EnableFirewall = 0 under FirewallPolicy\StandardProfile switches the Windows Firewall off for the standard (non-domain) profile; the same three writes are made by both the hollowed explorer.exe and the dropped WindowsUpdate.exe.
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  [explorer.exe]
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  [explorer.exe]
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"  [explorer.exe]
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  [WindowsUpdate.exe]
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  [WindowsUpdate.exe]
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"  [WindowsUpdate.exe]
Modifies security service 2 TTPs 2 IoCs
wscsvc is the Windows Security Center service; Start = 4 is SERVICE_DISABLED, so it will not start on the next boot.
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"  [explorer.exe]
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"  [WindowsUpdate.exe]
Windows security bypass 2 IoCs
AntiVirusDisableNotify = 1 suppresses the Security Center warning that no antivirus product is active.
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [explorer.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [WindowsUpdate.exe]
Disables RegEdit via registry modification 2 IoCs
DisableRegistryTools = 1 under the user's Policies\System key blocks regedit.exe for that account, which hinders manual cleanup of the persistence keys above.
  Set value (int)  \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  [explorer.exe]
  Set value (int)  \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  [WindowsUpdate.exe]
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  [4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  [explorer.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  [WindowsUpdate.exe]
Executes dropped EXE 2 IoCs
  PID 2736  WindowsUpdate.exe
  PID 2252  WindowsUpdate.exe
Loads dropped DLL 8 IoCs
  PID 2776  4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe  (1 load)
  PID 2736  WindowsUpdate.exe  (4 loads)
  PID 2252  WindowsUpdate.exe  (3 loads)
Windows security modification 1 IoCs
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [WindowsUpdate.exe]
Adds Run key to start application 2 TTPs 2 IoCs
The second write comes from notepad.exe, a process the sample spawned and injected into; the Run value points at the same dropped WindowsUpdate.exe as the Winlogon UserInit entry, so the sample has two independent autostarts.
  Set value (str)  \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate\\WindowsUpdate.exe"  [4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe]
  Set value (str)  \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate\\WindowsUpdate.exe"  [notepad.exe]
Suspicious use of SetThreadContext 4 IoCs
Rewriting the thread context of a process you have just created is the last step of process hollowing: the child is started suspended, its image is overwritten with WriteProcessMemory, and its main thread is pointed at the injected code before it is resumed. Every entry here targets a direct child of the caller.
  PID 2420 set thread context of PID 2776  [4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe, procid_target 30]
  PID 2776 set thread context of PID 3028  [4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe, procid_target 32]
  PID 3028 set thread context of PID 2032  [explorer.exe, procid_target 33]
  PID 2736 set thread context of PID 2252  [WindowsUpdate.exe, procid_target 36]
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  [4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  [4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  [4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe]
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  [WindowsUpdate.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  [WindowsUpdate.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  [WindowsUpdate.exe]
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  [4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe]
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  [explorer.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  [explorer.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  [explorer.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  [explorer.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  [WindowsUpdate.exe]
Enumerates system info in registry 2 TTPs 3 IoCs
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  [4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  [explorer.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  [WindowsUpdate.exe]
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  PID 2032  explorer.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
  PID 2776  4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe (23 tokens):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 2032  explorer.exe (23 tokens):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 2252  WindowsUpdate.exe (18 tokens):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Suspicious use of SetWindowsHookEx 3 IoCs
  PID 2420  4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe
  PID 3028  explorer.exe
  PID 2736  WindowsUpdate.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each parent/child pair below appears many times in the 64 recorded events; the pairs are listed once each.
  PID 2420 wrote to memory of PID 2776  [4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe, procid_target 30]
  PID 2776 wrote to memory of PID 2680  [4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe, procid_target 31]
  PID 2776 wrote to memory of PID 3028  [4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe, procid_target 32]
  PID 3028 wrote to memory of PID 2032  [explorer.exe, procid_target 33]
  PID 2032 wrote to memory of PID 2108  [explorer.exe, procid_target 34]
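The registry IoCs above map directly onto host detection rules. The script below is an added example, not part of the tria.ge report or its tooling: it turns the Winlogon UserInit, Run key, firewall policy, wscsvc, DisableRegistryTools and AntiVirusDisableNotify indicators into checks and runs them over a handful of constructed Sysmon Event ID 13 (RegistryEvent SetValue) records. The records are made up to mirror this report's writes (the SID and paths are copied from it, the two benign control entries and the Sysmon field layout are assumptions), and it also accepts the kernel-style \REGISTRY\MACHINE form the report uses.

```python
"""Registry IoC detection for the persistence and defence-evasion writes in
this report, run over constructed Sysmon Event ID 13 records. Added example;
the events below are constructed, not taken from the sandbox run."""
import re

# Constructed sample events in Sysmon field names (TargetObject, Details,
# Image). The first six mirror the report's IoCs; the last two are benign
# controls that must not fire.
SAMPLE_EVENTS = [
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Roaming\WindowsUpdate\WindowsUpdate.exe",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe"},
    {"TargetObject": r"HKU\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\Admin\AppData\Roaming\WindowsUpdate\WindowsUpdate.exe",
     "Image": r"C:\Windows\SysWOW64\notepad.exe"},
    # Same key written the way the report prints it (kernel \REGISTRY\MACHINE form).
    {"TargetObject": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "Details": "DWORD (0x00000000)", "Image": r"C:\Windows\SysWOW64\explorer.exe"},
    {"TargetObject": r"HKLM\SYSTEM\ControlSet001\services\wscsvc\Start",
     "Details": "DWORD (0x00000004)", "Image": r"C:\Windows\SysWOW64\explorer.exe"},
    {"TargetObject": r"HKU\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "Details": "DWORD (0x00000001)", "Image": r"C:\Windows\SysWOW64\explorer.exe"},
    {"TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify",
     "Details": "DWORD (0x00000001)", "Image": r"C:\Users\Admin\AppData\Roaming\WindowsUpdate\WindowsUpdate.exe"},
    # Benign controls (assumed): a Run key under Program Files, a firewall being enabled.
    {"TargetObject": r"HKU\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
     "Image": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe"},
    {"TargetObject": r"HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "Details": "DWORD (0x00000001)", "Image": r"C:\Windows\System32\svchost.exe"},
]

STOCK_USERINIT = r"c:\windows\system32\userinit.exe"
# Path fragments a standard user can write to; a Run value pointing here is
# the common shape of user-level persistence.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "c:\\programdata\\")


def normalize_key(target):
    """Lower-case and map \\REGISTRY\\MACHINE / \\REGISTRY\\USER onto HKLM / HKU."""
    k = target.lower()
    k = re.sub(r"^\\registry\\machine", "hklm", k)
    return re.sub(r"^\\registry\\user", "hku", k)


def as_int(details):
    """Parse a Sysmon 'DWORD (0x...)' detail or a bare (possibly quoted) number."""
    m = re.fullmatch(r"(?:dword|qword) \(0x([0-9a-f]+)\)", details.strip().lower())
    if m:
        return int(m.group(1), 16)
    raw = details.strip().strip('"')
    return int(raw) if raw.isdigit() else None


def userinit_extras(value):
    """Executables appended to the stock UserInit value. Winlogon launches
    every comma-separated entry at logon, so any extra entry is an autostart."""
    parts = [p.strip().lower() for p in value.split(",") if p.strip()]
    return [p for p in parts if p != STOCK_USERINIT]


def evaluate(event):
    """Return [(rule, detail)] for one SetValue event, or [] if nothing fires."""
    key, details = normalize_key(event["TargetObject"]), event["Details"]
    if key.endswith(r"\winlogon\userinit"):
        extra = userinit_extras(details)
        return [("winlogon_userinit_hijack", ";".join(extra))] if extra else []
    if "\\currentversion\\run\\" in key:
        hit = any(marker in details.lower() for marker in USER_WRITABLE)
        return [("run_key_user_writable_path", details)] if hit else []
    if re.search(r"\\firewallpolicy\\\w+profile\\enablefirewall$", key):
        return [("firewall_profile_disabled", key)] if as_int(details) == 0 else []
    if key.endswith(r"\services\wscsvc\start"):            # 4 == SERVICE_DISABLED
        return [("security_center_service_disabled", details)] if as_int(details) == 4 else []
    if key.endswith(r"\policies\system\disableregistrytools"):
        return [("regedit_disabled", details)] if as_int(details) == 1 else []
    if key.endswith(r"\security center\antivirusdisablenotify"):
        return [("av_notifications_disabled", details)] if as_int(details) == 1 else []
    return []


def scan(events):
    """Run every rule over the events; returns (rule, writing image, detail) hits."""
    return [(rule, ev["Image"], detail) for ev in events for rule, detail in evaluate(ev)]


if __name__ == "__main__":
    for rule, image, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:34} {image}\n{'':34} {detail}")
```

Against the constructed events the scan fires six times, once per IoC class in the report, and stays silent on the two controls. The UserInit rule is the one worth keeping even without the other indicators: the stock value is a single `userinit.exe,` entry, so anything after the comma is a finding on its own.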
Processes
  [PID 2420] C:\Users\Admin\AppData\Local\Temp\4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [PID 2776] C:\Users\Admin\AppData\Local\Temp\4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe
      command line: C:\Users\Admin\AppData\Local\Temp\4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe
      - Modifies WinLogon for persistence
      - Checks BIOS information in registry
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [PID 2680] C:\Windows\SysWOW64\notepad.exe
        command line: notepad
        - Adds Run key to start application
      [PID 3028] C:\Windows\SysWOW64\explorer.exe
        command line: "C:\Windows\SysWOW64\explorer.exe"
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [PID 2032] C:\Windows\SysWOW64\explorer.exe
          command line: C:\Windows\SysWOW64\explorer.exe
          - Modifies firewall policy service
          - Modifies security service
          - Windows security bypass
          - Disables RegEdit via registry modification
          - Checks BIOS information in registry
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          [PID 2108] C:\Windows\SysWOW64\notepad.exe
            command line: C:\Windows\SysWOW64\notepad.exe
      [PID 2736] C:\Users\Admin\AppData\Roaming\WindowsUpdate\WindowsUpdate.exe
        command line: "C:\Users\Admin\AppData\Roaming\WindowsUpdate\WindowsUpdate.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        [PID 2252] C:\Users\Admin\AppData\Roaming\WindowsUpdate\WindowsUpdate.exe
          command line: C:\Users\Admin\AppData\Roaming\WindowsUpdate\WindowsUpdate.exe
          - Modifies firewall policy service
          - Modifies security service
          - Windows security bypass
          - Disables RegEdit via registry modification
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Windows security modification
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious use of AdjustPrivilegeToken
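The tree above is the classic hollowing chain: the sample runs a second copy of itself, hollows it, that copy hollows a SysWOW64 explorer.exe, which hollows another explorer.exe, and the dropped WindowsUpdate.exe repeats the same self-hollowing trick. The script below is an added example, not part of the tria.ge report or its tooling: it rebuilds the tree from (pid, ppid, image) records, pairs every SetThreadContext event with process lineage and with the WriteProcessMemory pairs listed in the Signatures section, and labels each injected child. PIDs, images and event pairs are copied from this report; the records are constructed in memory, and the verdict names and the system-directory heuristic are assumptions for the demo.

```python
"""Process-hollowing chain reconstruction from sandbox process and injection
events. Added example; PIDs and images come from the report above, the
in-memory records and the classification rules are constructed for the demo."""
import ntpath
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\WindowsUpdate\WindowsUpdate.exe"
EXPLORER = r"C:\Windows\SysWOW64\explorer.exe"
NOTEPAD = r"C:\Windows\SysWOW64\notepad.exe"

# (pid, parent pid, image) as shown in the Processes section; ppid None = root.
PROCESSES = [
    (2420, None, SAMPLE), (2776, 2420, SAMPLE),
    (2680, 2776, NOTEPAD), (3028, 2776, EXPLORER), (2032, 3028, EXPLORER),
    (2108, 2032, NOTEPAD), (2736, 2776, DROPPED), (2252, 2736, DROPPED),
]
# (source pid, target pid) pairs from the SetThreadContext and
# WriteProcessMemory signatures.
SET_THREAD_CONTEXT = {(2420, 2776), (2776, 3028), (3028, 2032), (2736, 2252)}
WRITE_PROCESS_MEMORY = {(2420, 2776), (2776, 2680), (2776, 3028), (3028, 2032), (2032, 2108)}

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def in_system_dir(image):
    return image.lower().startswith(SYSTEM_DIRS)


def classify_injections(processes, stc, wpm):
    """Return (verdict, src pid, dst pid, dst image, memory_write_seen) tuples.

    A thread-context rewrite on a direct child is treated as hollowing; the
    verdict says whether the child is the parent's own image (self-hollowing)
    or a system binary used as a disguise. A rewrite on a non-child is thread
    hijacking of a foreign process and is reported separately."""
    image = {pid: img for pid, _, img in processes}
    parent = {pid: ppid for pid, ppid, _ in processes}
    findings = []
    for src, dst in sorted(stc):
        wrote = (src, dst) in wpm
        if parent.get(dst) != src:
            findings.append(("thread_hijack_non_child", src, dst, image.get(dst), wrote))
            continue
        src_name = ntpath.basename(image[src]).lower()
        dst_name = ntpath.basename(image[dst]).lower()
        if src_name == dst_name:
            verdict = "self_hollowing"                # runs own image, then overwrites it
        elif in_system_dir(image[dst]) and not in_system_dir(image[src]):
            verdict = "hollowing_of_system_binary"    # user-path parent hides in a Windows binary
        else:
            verdict = "hollowing"
        findings.append((verdict, src, dst, image[dst], wrote))
    # Writes into a child whose thread context was never replaced are still
    # injection (shellcode or a DLL), just not hollowing.
    for src, dst in sorted(wpm - stc):
        if parent.get(dst) == src:
            findings.append(("child_memory_write_only", src, dst, image.get(dst), True))
    return findings


def render_tree(processes, findings):
    """Indented text tree, one line per process, with the verdict for injected children."""
    kids = defaultdict(list)
    for pid, ppid, img in processes:
        kids[ppid].append((pid, img))
    tag = {dst: verdict for verdict, _, dst, _, _ in findings}
    lines = []

    def walk(ppid, depth):
        for pid, img in kids[ppid]:
            note = f"  <- {tag[pid]}" if pid in tag else ""
            lines.append(f"{'  ' * depth}[{pid}] {ntpath.basename(img)}{note}")
            walk(pid, depth + 1)

    walk(None, 0)
    return lines


if __name__ == "__main__":
    found = classify_injections(PROCESSES, SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY)
    print("\n".join(render_tree(PROCESSES, found)))
    for verdict, src, dst, img, wrote in found:
        print(f"{verdict:28} {src} -> {dst}  {ntpath.basename(img)}  wpm_seen={wrote}")
```

Two details fall out of running it on this report's data. The two notepad.exe children (2680, 2108) receive memory writes but no SetThreadContext, so they are flagged as plain injection targets rather than hollowed processes, which matches 2680 being the process that writes the Run key. And the listed WriteProcessMemory rows contain no 2736 -> 2252 entry even though 2736 rewrites 2252's thread context, so the tool carries the memory-write flag separately instead of requiring it: a hollowing verdict should never depend on the sandbox having logged every write.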
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
  Create or Modify System Process (T1543): 2
    Windows Service (T1543.003): 2
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
  Create or Modify System Process (T1543): 2
    Windows Service (T1543.003): 2
Downloads
  Filesize: 1.1MB
  MD5: 4df4bc013741f7da95435c1c30cd2fc5
  SHA1: 8a98e07431b9997734e67537cb3ebc257759c8f1
  SHA256: 9306d0e0b32e1d6d5676704ca163f09f7660987d1dfdd4e74e46271bc2af1b87
  SHA512: fde7d1d7c30257db06e6ee5d3b94531a9cb594016df5290cc33565434096fd3db567ec2e9cf04e820aafffc8f9d93f592b4b19a1a8cee1649409f9d9da3a0134