metasploit | e4090ff6201a856768d2dad36fc7438d905bb6c035596991a6a3c2e6d9caffd6

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcf664e1805af14d5ada38f294f8bfea_JaffaCakes118.exe
Size

604KB
MD5

dcf664e1805af14d5ada38f294f8bfea
SHA1

df33f33e17d1f9679d0a16f302a41f7c7f44409e
SHA256

e4090ff6201a856768d2dad36fc7438d905bb6c035596991a6a3c2e6d9caffd6
SHA512

f7282d689f57d7afba161af8d5f82ab8ec2061d91a1bde15adc58c95b1d27377dc8f21e1dd0edcba6cde889ad0469b249538d51cdc8cbb9c6654948991d02933
SSDEEP

12288:unb0x0YtqvWlZCCiDGRRDpJO+c5fNjI+zZQKhvUzUd/LdB:XntqvWlZCALu+c5fZI+3aIb

Score

10^/10

metasploit backdoor discovery evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies security service 2 TTPs 20 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe

Executes dropped EXE 11 IoCs

pid	Process
2872	2.exe
752	updates.exe
2264	updates.exe
1588	updates.exe
2916	updates.exe
2412	updates.exe
2656	updates.exe
1516	updates.exe
844	updates.exe
2972	updates.exe
2064	updates.exe

Loads dropped DLL 40 IoCs

pid	Process
2872	2.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
2264	updates.exe
2264	updates.exe
2264	updates.exe
2264	updates.exe
1588	updates.exe
1588	updates.exe
1588	updates.exe
1588	updates.exe
2916	updates.exe
2916	updates.exe
2916	updates.exe
2916	updates.exe
2412	updates.exe
2412	updates.exe
2412	updates.exe
2412	updates.exe
2656	updates.exe
2656	updates.exe
2656	updates.exe
2656	updates.exe
1516	updates.exe
1516	updates.exe
1516	updates.exe
1516	updates.exe
844	updates.exe
844	updates.exe
844	updates.exe
844	updates.exe
2972	updates.exe
2972	updates.exe
2972	updates.exe
2972	updates.exe
2064	updates.exe
2064	updates.exe
2064	updates.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\updates.exe	updates.exe
File opened for modification	C:\Windows\SysWOW64\updates.exe	updates.exe
File created	C:\Windows\SysWOW64\updates.exe	updates.exe
File opened for modification	C:\Windows\SysWOW64\updates.exe	updates.exe
File created	C:\Windows\SysWOW64\updates.exe	updates.exe
File opened for modification	C:\Windows\SysWOW64\updates.exe	updates.exe
File created	C:\Windows\SysWOW64\updates.exe	updates.exe
File created	C:\Windows\SysWOW64\updates.exe	updates.exe
File created	C:\Windows\SysWOW64\updates.exe	updates.exe
File opened for modification	C:\Windows\SysWOW64\updates.exe	updates.exe
File created	C:\Windows\SysWOW64\updates.exe	updates.exe
File opened for modification	C:\Windows\SysWOW64\updates.exe	updates.exe
File created	C:\Windows\SysWOW64\updates.exe	2.exe
File opened for modification	C:\Windows\SysWOW64\updates.exe	updates.exe
File created	C:\Windows\SysWOW64\updates.exe	updates.exe
File opened for modification	C:\Windows\SysWOW64\updates.exe	updates.exe
File created	C:\Windows\SysWOW64\updates.exe	updates.exe
File opened for modification	C:\Windows\SysWOW64\updates.exe	updates.exe
File opened for modification	C:\Windows\SysWOW64\updates.exe	updates.exe
File created	C:\Windows\SysWOW64\updates.exe	updates.exe
File opened for modification	C:\Windows\SysWOW64\updates.exe	2.exe
File created	C:\Windows\SysWOW64\updates.exe	updates.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs .reg file with regedit 10 IoCs

pid	Process
576	regedit.exe
2868	regedit.exe
1048	regedit.exe
1344	regedit.exe
2900	regedit.exe
1952	regedit.exe
1728	regedit.exe
2924	regedit.exe
1056	regedit.exe
2780	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2872	2.exe
2872	2.exe
2872	2.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe
752	updates.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2872	1980	dcf664e1805af14d5ada38f294f8bfea_JaffaCakes118.exe	33
PID 1980 wrote to memory of 2872	1980	dcf664e1805af14d5ada38f294f8bfea_JaffaCakes118.exe	33
PID 1980 wrote to memory of 2872	1980	dcf664e1805af14d5ada38f294f8bfea_JaffaCakes118.exe	33
PID 1980 wrote to memory of 2872	1980	dcf664e1805af14d5ada38f294f8bfea_JaffaCakes118.exe	33
PID 2872 wrote to memory of 812	2872	2.exe	34
PID 2872 wrote to memory of 812	2872	2.exe	34
PID 2872 wrote to memory of 812	2872	2.exe	34
PID 2872 wrote to memory of 812	2872	2.exe	34
PID 2872 wrote to memory of 752	2872	2.exe	36
PID 2872 wrote to memory of 752	2872	2.exe	36
PID 2872 wrote to memory of 752	2872	2.exe	36
PID 2872 wrote to memory of 752	2872	2.exe	36
PID 2872 wrote to memory of 752	2872	2.exe	36
PID 2872 wrote to memory of 752	2872	2.exe	36
PID 2872 wrote to memory of 752	2872	2.exe	36
PID 812 wrote to memory of 576	812	cmd.exe	35
PID 812 wrote to memory of 576	812	cmd.exe	35
PID 812 wrote to memory of 576	812	cmd.exe	35
PID 812 wrote to memory of 576	812	cmd.exe	35
PID 752 wrote to memory of 2264	752	updates.exe	37
PID 752 wrote to memory of 2264	752	updates.exe	37
PID 752 wrote to memory of 2264	752	updates.exe	37
PID 752 wrote to memory of 2264	752	updates.exe	37
PID 752 wrote to memory of 2264	752	updates.exe	37
PID 752 wrote to memory of 2264	752	updates.exe	37
PID 752 wrote to memory of 2264	752	updates.exe	37
PID 2264 wrote to memory of 3048	2264	updates.exe	38
PID 2264 wrote to memory of 3048	2264	updates.exe	38
PID 2264 wrote to memory of 3048	2264	updates.exe	38
PID 2264 wrote to memory of 3048	2264	updates.exe	38
PID 2264 wrote to memory of 3048	2264	updates.exe	38
PID 2264 wrote to memory of 3048	2264	updates.exe	38
PID 2264 wrote to memory of 3048	2264	updates.exe	38
PID 3048 wrote to memory of 1728	3048	cmd.exe	39
PID 3048 wrote to memory of 1728	3048	cmd.exe	39
PID 3048 wrote to memory of 1728	3048	cmd.exe	39
PID 3048 wrote to memory of 1728	3048	cmd.exe	39
PID 3048 wrote to memory of 1728	3048	cmd.exe	39
PID 3048 wrote to memory of 1728	3048	cmd.exe	39
PID 3048 wrote to memory of 1728	3048	cmd.exe	39
PID 2264 wrote to memory of 1588	2264	updates.exe	40
PID 2264 wrote to memory of 1588	2264	updates.exe	40
PID 2264 wrote to memory of 1588	2264	updates.exe	40
PID 2264 wrote to memory of 1588	2264	updates.exe	40
PID 2264 wrote to memory of 1588	2264	updates.exe	40
PID 2264 wrote to memory of 1588	2264	updates.exe	40
PID 2264 wrote to memory of 1588	2264	updates.exe	40
PID 1588 wrote to memory of 2820	1588	updates.exe	41
PID 1588 wrote to memory of 2820	1588	updates.exe	41
PID 1588 wrote to memory of 2820	1588	updates.exe	41
PID 1588 wrote to memory of 2820	1588	updates.exe	41
PID 1588 wrote to memory of 2820	1588	updates.exe	41
PID 1588 wrote to memory of 2820	1588	updates.exe	41
PID 1588 wrote to memory of 2820	1588	updates.exe	41
PID 2820 wrote to memory of 2924	2820	cmd.exe	42
PID 2820 wrote to memory of 2924	2820	cmd.exe	42
PID 2820 wrote to memory of 2924	2820	cmd.exe	42
PID 2820 wrote to memory of 2924	2820	cmd.exe	42
PID 2820 wrote to memory of 2924	2820	cmd.exe	42
PID 2820 wrote to memory of 2924	2820	cmd.exe	42
PID 2820 wrote to memory of 2924	2820	cmd.exe	42
PID 1588 wrote to memory of 2916	1588	updates.exe	43
PID 1588 wrote to memory of 2916	1588	updates.exe	43
PID 1588 wrote to memory of 2916	1588	updates.exe	43

C:\Users\Admin\AppData\Local\Temp\dcf664e1805af14d5ada38f294f8bfea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dcf664e1805af14d5ada38f294f8bfea_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\a.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      4⤵
      Modifies security service
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:576
- - C:\Windows\SysWOW64\updates.exe
    C:\Windows\system32\updates.exe 500 "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\SysWOW64\updates.exe
      C:\Windows\system32\updates.exe 1160 "C:\Windows\SysWOW64\updates.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3048
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1728
    - - C:\Windows\SysWOW64\updates.exe
        
        C:\Windows\system32\updates.exe 1168 "C:\Windows\SysWOW64\updates.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1588
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        7⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2924
      - C:\Windows\SysWOW64\updates.exe
        
        C:\Windows\system32\updates.exe 1172 "C:\Windows\SysWOW64\updates.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        8⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1056
        
        C:\Windows\SysWOW64\updates.exe
        
        C:\Windows\system32\updates.exe 1176 "C:\Windows\SysWOW64\updates.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        9⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2780
        
        C:\Windows\SysWOW64\updates.exe
        
        C:\Windows\system32\updates.exe 1184 "C:\Windows\SysWOW64\updates.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1048
        
        C:\Windows\SysWOW64\updates.exe
        
        C:\Windows\system32\updates.exe 1188 "C:\Windows\SysWOW64\updates.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        11⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1344
        
        C:\Windows\SysWOW64\updates.exe
        
        C:\Windows\system32\updates.exe 1192 "C:\Windows\SysWOW64\updates.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2868
        
        C:\Windows\SysWOW64\updates.exe
        
        C:\Windows\system32\updates.exe 1180 "C:\Windows\SysWOW64\updates.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        13⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2900
        
        C:\Windows\SysWOW64\updates.exe
        
        C:\Windows\system32\updates.exe 1200 "C:\Windows\SysWOW64\updates.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        14⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
c2d6056624c1d37b1baf4445d8705378

SHA1
90c0b48eca9016a7d07248ecdb7b93bf3e2f1a83

SHA256
3c20257f9e5c689af57f1dbfb8106351bf4cdfbbb922cf0beff34a2ca14f5a96

SHA512
d199ce15627b85d75c9c3ec5c91fa15b2f799975034e0bd0526c096f41afea4ff6d191a106f626044fbfae264e2b0f3776fde326fc0c2d0dc8d83de66adc7c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1024B

MD5
159bb1d34a927f58fc851798c7c09b58

SHA1
c3a26565004531f3a93e29eabb0f9a196b4c1ba2

SHA256
53b81439ff38712958d57d158f1402a299c3a131d521c3a7a4a30c56542db7bd

SHA512
b6f9a3d1cb628b79ca97a65645618190b20bfbddee0ceecea710c802d3d92cee3d1e3e675b5fb9ac994a0abb3f0681ed28abbab2fe61f4b54a0fb5d7a7f0034b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
e2d37af73d5fe4a504db3f8c0d560e3d

SHA1
88c6bf5b485dd9c79283ccb5d2546ffbb95e563d

SHA256
e615959931f345e611ac44be7534d697c1495c641d13e50ae919a7807c8ff008

SHA512
8cb17131326361071a3ae2997cdfaa316ce10c481f48af23fa526380daffa39b2538251cbaa4cf3bd9a9c0014a9184be5a13a44cf45fb93591ba3180670ddb89

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
63ff40a70037650fd0acfd68314ffc94

SHA1
1ab29adec6714edf286485ac5889fddb1d092e93

SHA256
1e607f10a90fdbaffe26e81c9a5f320fb9c954391d2adcc55fdfdfca1601714b

SHA512
2b41ce69cd1541897fbae5497f06779ac8182ff84fbf29ac29b7c2b234753fe44e7dfc6e4c257af222d466536fa4e50e247dcb68a9e1ad7766245dedfcfb6fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
b79d7c7385eb2936ecd5681762227a9b

SHA1
c2a21fb49bd3cc8be9baac1bf6f6389453ad785d

SHA256
fd1be29f1f4b9fc4a8d9b583c4d2114f17c062998c833b2085960ac02ef82019

SHA512
7ea049afca363ff483f57b9fff1e213006d689eb4406cefe7f1e096c46b41e7908f1e4d69e1411ae56eb1c4e19489c9322176ffdd8ea2f1c37213eb51f03ef5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
47985593a44ee38c64665b04cbd4b84c

SHA1
84900c2b2e116a7b744730733f63f2a38b4eb76e

SHA256
4a62e43cadba3b8fa2ebead61f9509107d8453a6d66917aad5efab391a8f8e70

SHA512
abdd7f2f701a5572fd6b8b73ff4a013c1f9b157b20f4e193f9d1ed2b3ac4911fa36ffc84ca62d2ceea752a65af34ec77e3766e97e396a8470031990faff1a269

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
f708dcfd087b5b3763678cfb8d63735e

SHA1
a38fa7fa516c1402762425176ff1b607db36c752

SHA256
abf4c5f7dbed40d58dc982256535a56128f86d5eaf163d634037ae2b61027a10

SHA512
fa0e84032b88e19fc67c5be846983cf89c8ba021351a0aa9cab0162ea27a3933dade0b78146b2230b0c57f218b18da52a5ce1d04b6f9746b21e4285e2540049c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
752fd85212d47da8f0adc29004a573b2

SHA1
fa8fe3ff766601db46412879dc13dbec8d055965

SHA256
9faa69e9dabfb4beb40790bf12d0ae2ac0a879fb045e38c03b9e4d0ab569636e

SHA512
d7bbadb2ed764717dc01b012832e5c1debd6615bbdc121b5954e61d6364a03b2dd03718bdea26c5c2a6dbb6e33c5a7657c76862f6d8c0a916f7a0f9f8dd3b209

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
3bd23392c6fcc866c4561388c1dc72ac

SHA1
c4b1462473f1d97fed434014532ea344b8fc05c1

SHA256
696a382790ee24d6256b3618b1431eaf14c510a12ff2585edfeae430024c7a43

SHA512
15b3a33bb5d5d6e6b149773ff47ade4f22271264f058ad8439403df71d6ecfaa2729ef48487f43d68b517b15efed587b368bc6c5df549983de410ec23b55adb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
d085cde42c14e8ee2a5e8870d08aee42

SHA1
c8e967f1d301f97dbcf252d7e1677e590126f994

SHA256
a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f

SHA512
de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
5e073629d751540b3512a229a7c56baf

SHA1
8d384f06bf3fe00d178514990ae39fc54d4e3941

SHA256
2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e

SHA512
84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
748bce4dacebbbd388af154a1df22078

SHA1
0eeeb108678f819cd437d53b927feedf36aabc64

SHA256
1585c9ef77c37c064003bd746cd0a8da2523c99a10c3fb6eabd546e2a343646a

SHA512
d9756851b4aa1108416b7a77f0c6b84b599d695850d704a094a1f83b322d892ab6706001d5322e876b93935b830bcb52a951b4c69004ea2be338f64b85be2ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
e6d8af5aed642209c88269bf56af50ae

SHA1
633d40da997074dc0ed10938ebc49a3aeb3a7fc8

SHA256
550abc09abce5b065d360dfea741ab7dd8abbe2ea11cd46b093632860775baec

SHA512
6949fc255c1abf009ecbe0591fb6dbfd96409ee98ae438dbac8945684ccf694c046d5b51d2bf7679c1e02f42e8f32e8e29a9b7bdbc84442bec0497b64dfa84cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
872656500ddac1ddd91d10aba3a8df96

SHA1
ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc

SHA256
d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8

SHA512
e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
298B

MD5
4117e5a9c995bab9cd3bce3fc2b99a46

SHA1
80144ccbad81c2efb1df64e13d3d5f59ca4486da

SHA256
37b58c2d66ab2f896316ee0cdba30dcc9aac15a51995b8ba6c143c8ba34bf292

SHA512
bdb721bd3dea641a9b1f26b46311c05199de01c6b0d7ea2b973aa71a4f796b292a6964ddef32ba9dfc4a545768943d105f110c5d60716e0ff6f82914affb507c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
584f47a0068747b3295751a0d591f4ee

SHA1
7886a90e507c56d3a6105ecdfd9ff77939afa56f

SHA256
927fd19c24f20ac1dff028de9d73094b2591842248c95a20a8264abf1333aea5

SHA512
ca945aad3c2d9ecadff2bc30cf23902b1254cffdf572ff9d4e7c94659255fc3467899053e4a45d3b155900c7b5b91abedf03d31af7e39870015c85e424d04257

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
54ca6e3ef1c12b994043e85a8c9895f0

SHA1
5eaccfb482cbe24cf5c3203ffdc926184097427e

SHA256
0db388471ad17c9c9b4a0a40b2536b7a6f27b8cc96775812d48d7009acb418c0

SHA512
925615f057558a00fb0ed3f9faeee2b70f3dd5469376de9381a387b3666c230fc0bb5b83fd3acf0169872e3c5f747cbdaff473d7fa389a5848f3828916680626

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
ff6c57e8ec2b96b8da7fe900f1f3da1c

SHA1
a6f0dc2e2a0a46e1031017b81825173054bf76ae

SHA256
ad103027edabf24721c50018ae32c2b34872f7f63a352d31591a2cd7174008d6

SHA512
c0069e816bdf494c149e6bc278dc63ad58e348ec90d9bf161f2558bea03e9622e4b0c03b1a6b2517e87ef4e748d4aac36fb853f70180b55521e56c9c4960babc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
449KB

MD5
bde687e65dd8e326ce7af6e6f6eab4ff

SHA1
e4f4c6727fb923a02896ea5f0fe601099df4b0cb

SHA256
f3f0f418082bc8283f0b8505e1167a34c5bbe98230308a3f6dab424df7d8c9d3

SHA512
bac2aee89729543d5ee6b6845bb8f00264a5eca16398fc0d7fb838ee7d9134b2b34e1f4ec0619b4be493e549537eddc4f3c50fa39c44ddf43f683f29ebcf0479

Download Submit
C:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
memory/1980-5-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/1980-0-0x000007FEF55EE000-0x000007FEF55EF000-memory.dmp

Filesize
4KB

Download
memory/1980-3-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/1980-4-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/1980-19-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download