d77625702dfab61237a811787615d8876d7e428f8565e4b5bb94aa8570aba91e

Analysis

max time kernel
138s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e15d691eae219c7ad805822744986514_JaffaCakes118.exe
Size

148KB
MD5

e15d691eae219c7ad805822744986514
SHA1

b00169c8a10fc4da4187f4a324c17005a4cbbb30
SHA256

d77625702dfab61237a811787615d8876d7e428f8565e4b5bb94aa8570aba91e
SHA512

9bf7532f7ab5b04d86d8749de49d869ddef1ba5e27b52b08ae878f7e1f353239836b02cf5d407142b897eeff57b82c290b4ea4ce8bf5d0d02d57e8bfb97fee95
SSDEEP

3072:DMtxw9P+lOi1qNoLC6Rz4nAsJmySXsJjzYIFe2kmY4u:2xi+lz1qSdz41JSmzY32A4u

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies security service 2 TTPs 20 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe

Executes dropped EXE 20 IoCs

pid	Process
1096	msupdate.exe
1892	msupdate.exe
1652	msupdate.exe
2908	msupdate.exe
2412	msupdate.exe
1820	msupdate.exe
844	msupdate.exe
2316	msupdate.exe
2240	msupdate.exe
1756	msupdate.exe
2828	msupdate.exe
2716	msupdate.exe
1908	msupdate.exe
2004	msupdate.exe
1784	msupdate.exe
2096	msupdate.exe
3064	msupdate.exe
1588	msupdate.exe
1940	msupdate.exe
1860	msupdate.exe

Loads dropped DLL 64 IoCs

pid	Process
3004	e15d691eae219c7ad805822744986514_JaffaCakes118.exe
1096	msupdate.exe
1096	msupdate.exe
1096	msupdate.exe
1096	msupdate.exe
1892	msupdate.exe
1892	msupdate.exe
1892	msupdate.exe
1892	msupdate.exe
1652	msupdate.exe
1652	msupdate.exe
1652	msupdate.exe
1652	msupdate.exe
2908	msupdate.exe
2908	msupdate.exe
2908	msupdate.exe
2908	msupdate.exe
2412	msupdate.exe
2412	msupdate.exe
2412	msupdate.exe
2412	msupdate.exe
1820	msupdate.exe
1820	msupdate.exe
1820	msupdate.exe
1820	msupdate.exe
844	msupdate.exe
844	msupdate.exe
844	msupdate.exe
844	msupdate.exe
2316	msupdate.exe
2316	msupdate.exe
2316	msupdate.exe
2316	msupdate.exe
2240	msupdate.exe
2240	msupdate.exe
2240	msupdate.exe
2240	msupdate.exe
1756	msupdate.exe
1756	msupdate.exe
1756	msupdate.exe
1756	msupdate.exe
2828	msupdate.exe
2828	msupdate.exe
2828	msupdate.exe
2828	msupdate.exe
2716	msupdate.exe
2716	msupdate.exe
2716	msupdate.exe
2716	msupdate.exe
1908	msupdate.exe
1908	msupdate.exe
1908	msupdate.exe
1908	msupdate.exe
2004	msupdate.exe
2004	msupdate.exe
2004	msupdate.exe
2004	msupdate.exe
1784	msupdate.exe
1784	msupdate.exe
1784	msupdate.exe
1784	msupdate.exe
2096	msupdate.exe
2096	msupdate.exe
2096	msupdate.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe
File created	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe
File opened for modification	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe
File created	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe
File created	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe
File created	C:\Windows\SysWOW64\msupdate.exe	e15d691eae219c7ad805822744986514_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe
File opened for modification	C:\Windows\SysWOW64\msupdate.exe	e15d691eae219c7ad805822744986514_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe
File created	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe
File opened for modification	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe
File opened for modification	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe
File created	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe
File opened for modification	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe
File created	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe
File opened for modification	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe
File opened for modification	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe
File opened for modification	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe
File created	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe
File opened for modification	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe
File opened for modification	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe
File created	C:\Windows\SysWOW64\msupdate.exe	msupdate.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 2900 set thread context of 3004	2900	e15d691eae219c7ad805822744986514_JaffaCakes118.exe	30
PID 1096 set thread context of 1892	1096	msupdate.exe	34
PID 1652 set thread context of 2908	1652	msupdate.exe	37
PID 2412 set thread context of 1820	2412	msupdate.exe	41
PID 844 set thread context of 2316	844	msupdate.exe	45
PID 2240 set thread context of 1756	2240	msupdate.exe	49
PID 2828 set thread context of 2716	2828	msupdate.exe	53
PID 1908 set thread context of 2004	1908	msupdate.exe	57
PID 1784 set thread context of 2096	1784	msupdate.exe	61
PID 3064 set thread context of 1588	3064	msupdate.exe	65
PID 1940 set thread context of 1860	1940	msupdate.exe	69

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e15d691eae219c7ad805822744986514_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e15d691eae219c7ad805822744986514_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Runs .reg file with regedit 10 IoCs

pid	Process
272	regedit.exe
1152	regedit.exe
2404	regedit.exe
1728	regedit.exe
2944	regedit.exe
2188	regedit.exe
760	regedit.exe
1708	regedit.exe
2712	regedit.exe
2684	regedit.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2900	e15d691eae219c7ad805822744986514_JaffaCakes118.exe
1096	msupdate.exe
1652	msupdate.exe
2412	msupdate.exe
844	msupdate.exe
2240	msupdate.exe
2828	msupdate.exe
1908	msupdate.exe
1784	msupdate.exe
3064	msupdate.exe
1940	msupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 3004	2900	e15d691eae219c7ad805822744986514_JaffaCakes118.exe	30
PID 2900 wrote to memory of 3004	2900	e15d691eae219c7ad805822744986514_JaffaCakes118.exe	30
PID 2900 wrote to memory of 3004	2900	e15d691eae219c7ad805822744986514_JaffaCakes118.exe	30
PID 2900 wrote to memory of 3004	2900	e15d691eae219c7ad805822744986514_JaffaCakes118.exe	30
PID 2900 wrote to memory of 3004	2900	e15d691eae219c7ad805822744986514_JaffaCakes118.exe	30
PID 2900 wrote to memory of 3004	2900	e15d691eae219c7ad805822744986514_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2312	3004	e15d691eae219c7ad805822744986514_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2312	3004	e15d691eae219c7ad805822744986514_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2312	3004	e15d691eae219c7ad805822744986514_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2312	3004	e15d691eae219c7ad805822744986514_JaffaCakes118.exe	31
PID 2312 wrote to memory of 272	2312	cmd.exe	32
PID 2312 wrote to memory of 272	2312	cmd.exe	32
PID 2312 wrote to memory of 272	2312	cmd.exe	32
PID 2312 wrote to memory of 272	2312	cmd.exe	32
PID 3004 wrote to memory of 1096	3004	e15d691eae219c7ad805822744986514_JaffaCakes118.exe	33
PID 3004 wrote to memory of 1096	3004	e15d691eae219c7ad805822744986514_JaffaCakes118.exe	33
PID 3004 wrote to memory of 1096	3004	e15d691eae219c7ad805822744986514_JaffaCakes118.exe	33
PID 3004 wrote to memory of 1096	3004	e15d691eae219c7ad805822744986514_JaffaCakes118.exe	33
PID 3004 wrote to memory of 1096	3004	e15d691eae219c7ad805822744986514_JaffaCakes118.exe	33
PID 3004 wrote to memory of 1096	3004	e15d691eae219c7ad805822744986514_JaffaCakes118.exe	33
PID 3004 wrote to memory of 1096	3004	e15d691eae219c7ad805822744986514_JaffaCakes118.exe	33
PID 1096 wrote to memory of 1892	1096	msupdate.exe	34
PID 1096 wrote to memory of 1892	1096	msupdate.exe	34
PID 1096 wrote to memory of 1892	1096	msupdate.exe	34
PID 1096 wrote to memory of 1892	1096	msupdate.exe	34
PID 1096 wrote to memory of 1892	1096	msupdate.exe	34
PID 1096 wrote to memory of 1892	1096	msupdate.exe	34
PID 1096 wrote to memory of 1892	1096	msupdate.exe	34
PID 1096 wrote to memory of 1892	1096	msupdate.exe	34
PID 1096 wrote to memory of 1892	1096	msupdate.exe	34
PID 1892 wrote to memory of 1652	1892	msupdate.exe	36
PID 1892 wrote to memory of 1652	1892	msupdate.exe	36
PID 1892 wrote to memory of 1652	1892	msupdate.exe	36
PID 1892 wrote to memory of 1652	1892	msupdate.exe	36
PID 1892 wrote to memory of 1652	1892	msupdate.exe	36
PID 1892 wrote to memory of 1652	1892	msupdate.exe	36
PID 1892 wrote to memory of 1652	1892	msupdate.exe	36
PID 1652 wrote to memory of 2908	1652	msupdate.exe	37
PID 1652 wrote to memory of 2908	1652	msupdate.exe	37
PID 1652 wrote to memory of 2908	1652	msupdate.exe	37
PID 1652 wrote to memory of 2908	1652	msupdate.exe	37
PID 1652 wrote to memory of 2908	1652	msupdate.exe	37
PID 1652 wrote to memory of 2908	1652	msupdate.exe	37
PID 1652 wrote to memory of 2908	1652	msupdate.exe	37
PID 1652 wrote to memory of 2908	1652	msupdate.exe	37
PID 1652 wrote to memory of 2908	1652	msupdate.exe	37
PID 2908 wrote to memory of 2448	2908	msupdate.exe	38
PID 2908 wrote to memory of 2448	2908	msupdate.exe	38
PID 2908 wrote to memory of 2448	2908	msupdate.exe	38
PID 2908 wrote to memory of 2448	2908	msupdate.exe	38
PID 2908 wrote to memory of 2448	2908	msupdate.exe	38
PID 2908 wrote to memory of 2448	2908	msupdate.exe	38
PID 2908 wrote to memory of 2448	2908	msupdate.exe	38
PID 2448 wrote to memory of 1152	2448	cmd.exe	39
PID 2448 wrote to memory of 1152	2448	cmd.exe	39
PID 2448 wrote to memory of 1152	2448	cmd.exe	39
PID 2448 wrote to memory of 1152	2448	cmd.exe	39
PID 2448 wrote to memory of 1152	2448	cmd.exe	39
PID 2448 wrote to memory of 1152	2448	cmd.exe	39
PID 2448 wrote to memory of 1152	2448	cmd.exe	39
PID 2908 wrote to memory of 2412	2908	msupdate.exe	40
PID 2908 wrote to memory of 2412	2908	msupdate.exe	40
PID 2908 wrote to memory of 2412	2908	msupdate.exe	40
PID 2908 wrote to memory of 2412	2908	msupdate.exe	40

C:\Users\Admin\AppData\Local\Temp\e15d691eae219c7ad805822744986514_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e15d691eae219c7ad805822744986514_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\e15d691eae219c7ad805822744986514_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e15d691eae219c7ad805822744986514_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\a.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      4⤵
      Modifies security service
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:272
- - C:\Windows\SysWOW64\msupdate.exe
    C:\Windows\system32\msupdate.exe 492 "C:\Users\Admin\AppData\Local\Temp\e15d691eae219c7ad805822744986514_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\SysWOW64\msupdate.exe
      492 C:\Users\Admin\AppData\Local\Temp\e15d691eae219c7ad805822744986514_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1892
    - - C:\Windows\SysWOW64\msupdate.exe
        
        C:\Windows\system32\msupdate.exe 600 "C:\Windows\SysWOW64\msupdate.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Windows\SysWOW64\msupdate.exe
        
        600 C:\Windows\SysWOW64\msupdate.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        8⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1152
        
        C:\Windows\SysWOW64\msupdate.exe
        
        C:\Windows\system32\msupdate.exe 596 "C:\Windows\SysWOW64\msupdate.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2412
        
        C:\Windows\SysWOW64\msupdate.exe
        
        596 C:\Windows\SysWOW64\msupdate.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2404
        
        C:\Windows\SysWOW64\msupdate.exe
        
        C:\Windows\system32\msupdate.exe 596 "C:\Windows\SysWOW64\msupdate.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:844
        
        C:\Windows\SysWOW64\msupdate.exe
        
        596 C:\Windows\SysWOW64\msupdate.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1728
        
        C:\Windows\SysWOW64\msupdate.exe
        
        C:\Windows\system32\msupdate.exe 596 "C:\Windows\SysWOW64\msupdate.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2240
        
        C:\Windows\SysWOW64\msupdate.exe
        
        596 C:\Windows\SysWOW64\msupdate.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        14⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2944
        
        C:\Windows\SysWOW64\msupdate.exe
        
        C:\Windows\system32\msupdate.exe 596 "C:\Windows\SysWOW64\msupdate.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2828
        
        C:\Windows\SysWOW64\msupdate.exe
        
        596 C:\Windows\SysWOW64\msupdate.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        16⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2188
        
        C:\Windows\SysWOW64\msupdate.exe
        
        C:\Windows\system32\msupdate.exe 596 "C:\Windows\SysWOW64\msupdate.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1908
        
        C:\Windows\SysWOW64\msupdate.exe
        
        596 C:\Windows\SysWOW64\msupdate.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        18⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2684
        
        C:\Windows\SysWOW64\msupdate.exe
        
        C:\Windows\system32\msupdate.exe 596 "C:\Windows\SysWOW64\msupdate.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1784
        
        C:\Windows\SysWOW64\msupdate.exe
        
        596 C:\Windows\SysWOW64\msupdate.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        20⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:760
        
        C:\Windows\SysWOW64\msupdate.exe
        
        C:\Windows\system32\msupdate.exe 600 "C:\Windows\SysWOW64\msupdate.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3064
        
        C:\Windows\SysWOW64\msupdate.exe
        
        600 C:\Windows\SysWOW64\msupdate.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        22⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1708
        
        C:\Windows\SysWOW64\msupdate.exe
        
        C:\Windows\system32\msupdate.exe 596 "C:\Windows\SysWOW64\msupdate.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1940
        
        C:\Windows\SysWOW64\msupdate.exe
        
        596 C:\Windows\SysWOW64\msupdate.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        24⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
d085cde42c14e8ee2a5e8870d08aee42

SHA1
c8e967f1d301f97dbcf252d7e1677e590126f994

SHA256
a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f

SHA512
de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
0a839c0e3eb1ed25e6211159e43f4df1

SHA1
a227a9322f58b8f40b2f6f326dca58145f599587

SHA256
717a2b81d076586548a0387c97d2dc31337a03763c6e7acb642c3e46ec94d6f0

SHA512
bd2b99fb43ccd1676f69752c1a295d1da0db2cb0310c8b097b4b5b91d76cff12b433f47af02b5f7d0dd5f8f16624b0c20294eebf5c6a7959b2b5d6fe2b34e508

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
815B

MD5
fadf3805f68986d2ee9c82f560a564e4

SHA1
87bcab6ab1fb66ace98eb1d36e54eb9c11628aa6

SHA256
d6e4760c4554b061363e89648dc4144f8a9ba8a300dde1a1621f22ecc62ab759

SHA512
e3e495385da6d181a2411554a61b27c480ff31fa49225e8b2dc46b9ec4f618343475a8d189786b956c91efc65bfb05be19065bfdf3288eb011c5ec427e764cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1011B

MD5
5088b4be1b90717121e76c1fc33c033a

SHA1
090676b012c30e6b0d6493ca1e9a31f3093cad6f

SHA256
d1d8c8ac4136082ac60938e8148c43d81fa91a124eccf34048e629d22daeef3a

SHA512
0cac2dcf138b1a66f857a54c92afe467ef7544655cd1c4aec3b4084c92c9186d9ba10e0e74a54a6e43e676068d3747f668f7286d44fcefce7ee4d385a3a96962

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
989c5352030fafd44b92adf4d4164738

SHA1
e02985c15eb20682115e3fc343f829e28770ed6c

SHA256
248c7793d113ca762bbe56b974f4c5902339dacb0b47ddd7c412340a623dfe38

SHA512
9ebcfc38952d968d608d68b2e8fbb56f5d02ed03e0e2d02661caeb50f804404d95fc45f22a8376ca88b69548c89c22b6c6a9acbb7fdcb5f6f906bd871b3465f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
872656500ddac1ddd91d10aba3a8df96

SHA1
ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc

SHA256
d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8

SHA512
e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

Download Submit
C:\Windows\SysWOW64\msupdate.exe

Filesize
148KB

MD5
e15d691eae219c7ad805822744986514

SHA1
b00169c8a10fc4da4187f4a324c17005a4cbbb30

SHA256
d77625702dfab61237a811787615d8876d7e428f8565e4b5bb94aa8570aba91e

SHA512
9bf7532f7ab5b04d86d8749de49d869ddef1ba5e27b52b08ae878f7e1f353239836b02cf5d407142b897eeff57b82c290b4ea4ce8bf5d0d02d57e8bfb97fee95

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
memory/844-419-0x0000000010000000-0x000000001002DCEC-memory.dmp

Filesize
183KB

Download
memory/1096-138-0x0000000010000000-0x000000001002DCEC-memory.dmp

Filesize
183KB

Download
memory/1652-156-0x0000000010000000-0x000000001002DCEC-memory.dmp

Filesize
183KB

Download
memory/1784-919-0x0000000010000000-0x000000001002DCEC-memory.dmp

Filesize
183KB

Download
memory/1892-135-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1908-800-0x0000000010000000-0x000000001002DCEC-memory.dmp

Filesize
183KB

Download
memory/2240-551-0x0000000010000000-0x000000001002DCEC-memory.dmp

Filesize
183KB

Download
memory/2412-287-0x0000000010000000-0x000000001002DCEC-memory.dmp

Filesize
183KB

Download
memory/2828-679-0x0000000010000000-0x000000001002DCEC-memory.dmp

Filesize
183KB

Download
memory/2900-4-0x0000000010000000-0x000000001002DCEC-memory.dmp

Filesize
183KB

Download
memory/3004-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3004-0-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/3004-3-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/3004-6-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download