Malware Analysis Report

2024-12-07 03:35

Sample ID 241113-c7fvfaveqc
Target c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74
SHA256 c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74
Tags
darkcomet privateeye discovery rat trojan upx persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74

Threat Level: Known bad

The file c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74 was found to be: Known bad.

Malicious Activity Summary

darkcomet privateeye discovery rat trojan upx persistence

Darkcomet

Darkcomet family

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

UPX packed file

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Gathers network information

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 02:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 02:42

Reported

2024-11-13 02:45

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe"

Signatures

Darkcomet

trojan rat darkcomet

Darkcomet family

darkcomet

UPX packed file

upx
Description Indicator Process Target
(19 matches, no per-match detail recorded)

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\ipconfig.exe

The crashed process is ipconfig.exe, PID 2372 (the -p 2372 argument on both WerFault.exe command lines under Processes), which is the Windows binary winupd.exe wrote into. In the win7 run (behavioral1) the same ipconfig.exe goes on to launch cmd.exe and reg.exe and writes the WinUpdate Run key; in this win10 run no cmd.exe, reg.exe or Run-key write was recorded after the crash, so the persistence behaviour of this sample is documented by behavioral1 only.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A

LUIDs 33 to 36 are privileges the sandbox reports by number only: 33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege, 36 SeDelegateSessionUserImpersonatePrivilege (the last exists only from Windows 10 onward, which is why it does not appear in the win7 run). Read together, the rows show winupd.exe enabling every privilege present in its token rather than the one or two a program would need; the blanket AdjustTokenPrivileges call is the indicator, not any single privilege.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4956 wrote to memory of 2164 (8 calls) N/A C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe
PID 2164 wrote to memory of 4544 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 4544 wrote to memory of 4904 (8 calls) N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 4544 wrote to memory of 4960 (8 calls) N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 4904 wrote to memory of 2372 (5 calls) N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe

"C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe"

C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe

"C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\system32\ipconfig.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2372 -ip 2372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 272

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp (22 queries, interleaved with the rows above)

The in-addr.arpa rows are reverse (PTR) lookups of IP addresses, not forward resolution of a hostname. The only forward lookup in the run is ratblackshades.no-ip.biz, a dynamic-DNS (No-IP) host that was re-resolved 22 times inside the 152 s network window and is also the single query recorded in the win7 run. The report records no answer for it, so no C2 address can be taken from this table; the hostname is the network indicator.

Files

memory/4956-2-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4956-3-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4956-5-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2164-9-0x0000000000400000-0x0000000000407000-memory.dmp

memory/4956-11-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4956-8-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2164-4-0x0000000000400000-0x0000000000407000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

MD5 2695ced887d528bb492e3e33ef0698e8
SHA1 78305e18b56e35a1decb8f76bc3ba637ebeda17d
SHA256 b613fb963fb6bc9fcddbb02b734aec93e27dbc9174ecf27c845b011956cafba0
SHA512 673bb6195683e156f3a98294cc407010aefaeb4fc218b7bf21069dc16a8e961359b81b70ed9fcbdd65ce110a81d9214f57169c2cb8520ac835da88c2b076264a

memory/2164-21-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2164-22-0x0000000000400000-0x0000000000407000-memory.dmp

memory/4544-24-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4960-32-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4544-25-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4544-33-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4960-35-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4960-38-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4960-40-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4960-42-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4960-41-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4960-39-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4904-45-0x0000000000400000-0x0000000000407000-memory.dmp

memory/4960-46-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4960-47-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4960-48-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4960-49-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4960-50-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4960-52-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4960-53-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4960-54-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4960-55-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4960-56-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4960-57-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4960-58-0x0000000000400000-0x00000000004B7000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 02:42

Reported

2024-11-13 02:45

Platform

win7-20240903-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe"

Signatures

Darkcomet

trojan rat darkcomet

Darkcomet family

darkcomet

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winupd.exe -notray" C:\Windows\SysWOW64\reg.exe N/A

UPX packed file

upx
Description Indicator Process Target
(27 matches, no per-match detail recorded)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ipconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A

LUIDs 33 to 35 are privileges the sandbox reports by number only: 33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege (LUID 36, SeDelegateSessionUserImpersonatePrivilege, does not exist on Windows 7, which is why this list is one entry shorter than the win10 one). As in the win10 run, winupd.exe enables every privilege present in its token; the blanket AdjustTokenPrivileges call is the indicator.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 2632 (9 calls) N/A C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe
PID 2632 wrote to memory of 2712 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2712 wrote to memory of 2548 (9 calls) N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2712 wrote to memory of 2520 (8 calls) N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2548 wrote to memory of 2992 (6 calls) N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2992 wrote to memory of 1924 (4 calls) N/A C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 596 (4 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
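The two Suspicious use of WriteProcessMemory tables (win10 and win7 runs) describe one chain: the sample writes into a second copy of itself, that copy drops winupd.exe and writes into it, winupd.exe writes into two further copies of itself, and one of those writes into ipconfig.exe, which in the win7 run goes on to write into cmd.exe and then reg.exe. The script below is an added example, not part of the sandbox report or of any vendor tooling. It parses rows of the shape used in these tables (the win7 rows, deduplicated, are embedded as constructed input), flags writes into a process running the writer's own image (which, next to the SetThreadContext signature in the summary, is the process-hollowing pattern), and propagates a "controlled by the sample" taint along write edges to list the Windows binaries that ended up executing under the sample's control. The row regex, the taint seed rule (writer image under C:\Users) and the function names are this example's own assumptions.

```python
"""Rebuild the injection chain from sandbox 'wrote to memory' rows.

Added example; not part of the sandbox report or of any vendor tool. ROWS is
constructed from the behavioral1 (win7) WriteProcessMemory table, one row per
distinct writer/target pair. The row pattern, the taint seed rule and the
hollowing heuristic are this example's own assumptions.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe")
WINUPD = r"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
SYS32 = r"C:\Windows\SysWOW64"

ROWS = [  # constructed: the report's rows, deduplicated
    f"PID 1964 wrote to memory of 2632 N/A {SAMPLE} {SAMPLE}",
    f"PID 2632 wrote to memory of 2712 N/A {SAMPLE} {WINUPD}",
    f"PID 2712 wrote to memory of 2548 N/A {WINUPD} {WINUPD}",
    f"PID 2712 wrote to memory of 2520 N/A {WINUPD} {WINUPD}",
    f"PID 2548 wrote to memory of 2992 N/A {WINUPD} {SYS32}\\ipconfig.exe",
    f"PID 2992 wrote to memory of 1924 N/A {SYS32}\\ipconfig.exe {SYS32}\\cmd.exe",
    f"PID 1924 wrote to memory of 596 N/A {SYS32}\\cmd.exe {SYS32}\\reg.exe",
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_rows(rows):
    """(writer_pid, target_pid, writer_image, target_image) per matching row;
    the Indicator column (N/A in the report) is skipped."""
    edges = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            edges.append((int(m[1]), int(m[2]), m[3], m[4]))
    return edges


def hollowing_candidates(edges):
    """Writes into a process that runs the writer's own image. Together with
    the 'Suspicious use of SetThreadContext' signature this is the RunPE /
    process-hollowing pattern: spawn self suspended, overwrite, resume."""
    return [(w, t) for w, t, wi, ti in edges if wi.lower() == ti.lower()]


def taint_from_writes(edges):
    """Propagate 'controlled by the sample' along write edges.
    Seed: writers whose image lives under C:\\Users (assumption: nothing
    legitimate in a user profile writes into other processes). Any process a
    tainted process wrote into becomes tainted. Returns {pid: image}."""
    tainted = {w: wi for w, _, wi, _ in edges
               if wi.lower().startswith("c:\\users\\")}
    changed = True
    while changed:  # fixed point over the (unordered) edge list
        changed = False
        for w, t, _, ti in edges:
            if w in tainted and t not in tainted:
                tainted[t] = ti
                changed = True
    return tainted


def tainted_system_binaries(tainted):
    """PIDs of Windows binaries that ended up running under the sample's
    control: the living-off-the-land leg (ipconfig -> cmd -> reg here)."""
    return sorted(pid for pid, img in tainted.items()
                  if img.lower().startswith("c:\\windows\\"))


def render_chain(edges, root):
    """Indented writer -> target tree starting at root, basenames only."""
    kids, image = defaultdict(list), {}
    for w, t, wi, ti in edges:
        kids[w].append(t)
        image.setdefault(w, wi)
        image.setdefault(t, ti)
    lines = []

    def walk(pid, depth):
        name = image[pid].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{pid} {name}")
        for child in kids[pid]:
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    print("\n".join(render_chain(edges, 1964)))
    print("hollowing candidates:", hollowing_candidates(edges))
    print("system binaries under sample control:",
          tainted_system_binaries(taint_from_writes(edges)))
```

Run stand-alone it prints the seven-node tree rooted at PID 1964, the three self-image writes (1964 into 2632, 2712 into 2548 and 2520) and the three system binaries reached by taint (PIDs 596, 1924, 2992). The taint rule is deliberately lineage-based rather than image-based: ipconfig.exe writing into cmd.exe is unremarkable on its own, and only becomes a finding because the writer was itself written into by winupd.exe.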

Processes

C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe

"C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe"

C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe

"C:\Users\Admin\AppData\Local\Temp\c7d4c1c411927c1392f0793ee02108c86f134b90075ee2574fd0864657725d74.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\system32\ipconfig.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HKWVWSQX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpdate /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
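Three indicators from this run turn directly into detection logic on EDR process and DNS telemetry: reg.exe adding a Run value whose command points into a user profile (the WinUpdate value above), cmd /c executing a batch file staged under the user's Temp directory (HKWVWSQX.bat, hashed under Files below), and the forward lookup of a dynamic-DNS host (ratblackshades.no-ip.biz). The script below is an added example, not part of the report. The command lines and DNS rows are copied from the Processes and Network sections as constructed input; the regexes, the rule names, the dynamic-DNS suffix list and the treatment of in-addr.arpa rows as reverse lookups are this example's own assumptions.

```python
"""Detection rules for the persistence and DNS indicators of the win7 run.

Added example; not part of the sandbox report. Inputs are constructed from the
Processes and Network sections of behavioral1; regexes, rule names and the
dynamic-DNS suffix list are this example's assumptions.
"""
import re
from collections import Counter

# Constructed input: (image, command line) pairs from the Processes list.
PROCESSES = [
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray"),
    (r"C:\Windows\SysWOW64\ipconfig.exe", r'"C:\Windows\system32\ipconfig.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\HKWVWSQX.bat" "'),
    (r"C:\Windows\SysWOW64\reg.exe",
     r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpdate'
     r' /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray" /f'),
]

# Constructed input: "Country Destination Domain Proto" rows from the Network tables.
DNS_ROWS = [
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 ratblackshades.no-ip.biz udp",
    "US 8.8.8.8:53 ratblackshades.no-ip.biz udp",
]

# reg.exe ADD to a Run/RunOnce key: capture the key, value name and quoted data.
RUN_KEY_RE = re.compile(
    r'^reg(?:\.exe)?\s+add\s+(?P<key>\S*\\currentversion\\run(?:once)?)\s+'
    r'/v\s+(?P<name>\S+).*?/d\s+"(?P<data>[^"]*)"', re.IGNORECASE)
# Split Run data into the executable and its arguments.
EXE_ARGS_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?\s*(?P<args>.*)$', re.IGNORECASE)
# cmd /c or /k running a .bat/.cmd, tolerant of the doubled quotes cmd produces.
BATCH_RE = re.compile(
    r'^cmd(?:\.exe)?\s+/[ck]\s+"*(?P<bat>[^"]+\.(?:bat|cmd))"', re.IGNORECASE)
USER_PROFILE_RE = re.compile(r'^[a-z]:\\users\\[^\\]+\\', re.IGNORECASE)
# Assumed dynamic-DNS suffix list; extend it from your own intelligence.
DYNDNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "no-ip.com", "ddns.net",
                   "hopto.org", "zapto.org", "duckdns.org", "dyndns.org")


def run_key_persistence(processes):
    """Run/RunOnce values written through reg.exe. A command under a user
    profile is the form to alert on: needs no admin rights, survives reboot
    (ATT&CK T1547.001)."""
    findings = []
    for _image, cmdline in processes:
        m = RUN_KEY_RE.match(cmdline.strip())
        if not m:
            continue
        e = EXE_ARGS_RE.match(m["data"].strip())
        exe, args = (e["exe"], e["args"].strip()) if e else (m["data"], "")
        findings.append({
            "rule": "run_key_user_profile" if USER_PROFILE_RE.match(exe) else "run_key",
            "key": m["key"], "value": m["name"], "exe": exe, "args": args})
    return findings


def staged_batch_files(processes):
    """Batch scripts run through cmd from a user profile: the staging step that
    wrote the Run key here, and the file to collect from disk for hashing."""
    found = []
    for _image, cmdline in processes:
        m = BATCH_RE.match(cmdline.strip())
        if m and USER_PROFILE_RE.match(m["bat"]):
            found.append(m["bat"])
    return found


def dynamic_dns_queries(rows):
    """Forward lookups of dynamic-DNS hosts with query counts. in-addr.arpa
    rows are reverse (PTR) lookups and are skipped."""
    counts = Counter()
    for row in rows:
        parts = row.split()
        if len(parts) != 4:
            continue
        domain = parts[2].lower().rstrip(".")
        if domain.endswith(".in-addr.arpa"):
            continue
        if any(domain == s or domain.endswith("." + s) for s in DYNDNS_SUFFIXES):
            counts[domain] += 1
    return sorted(counts.items())


if __name__ == "__main__":
    for finding in run_key_persistence(PROCESSES):
        print(finding)
    print("staged batch:", staged_batch_files(PROCESSES))
    print("dynamic DNS:", dynamic_dns_queries(DNS_ROWS))
```

On the constructed input the Run-key rule returns one finding (value WinUpdate, executable winupd.exe under AppData\Roaming, argument -notray), the batch rule returns HKWVWSQX.bat, and the DNS rule returns ratblackshades.no-ip.biz with its query count. On real telemetry the Run-key rule should also be fed registry-set events, because the value can be written through the API without a reg.exe process ever appearing; the win10 run above, where the batch step never ran, is a reminder that the persistence step can be absent from one execution and present in the next.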

Files

memory/1964-2-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2632-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2632-20-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1964-19-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1964-18-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1964-16-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2632-8-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2632-6-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2632-4-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1964-3-0x0000000000400000-0x0000000000483000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

MD5 e4ef48e15883dcefc76b856acd0359aa
SHA1 13a43b3409aa2ccba636d3fe5beda2f0feb78ffb
SHA256 583ec4f9dcf6654e1c461dbaab1679e307b19f173432b760e7f1d5105c02c2a3
SHA512 0e40f27ba7a546bc96536b7c6d0f63ccbedc25b5daaa04728a07ced6a71b8f3c3a7c3fb32f9353fae71d5b4a095d013a0a2c873c3b5e6939c26019a412004cd1

memory/2712-36-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2712-48-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2520-52-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-61-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2632-68-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2992-72-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/2520-65-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-64-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-74-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-76-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-77-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-75-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2712-62-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2520-54-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-50-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-78-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-79-0x0000000000400000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HKWVWSQX.bat

MD5 cac890d00365d07b9ca89def17cc3a36
SHA1 6fa99679ede791c16b5d3e6d243a98e8bbdb7eab
SHA256 4f98ddee89760080a5c8a93666d2f5c97be52b741265ef4d1ce9aaebf05f12da
SHA512 124dc0b18e13425bde43bcbbe2a99005928e398bffcb458d498aac9e754bc5b92b703270667800876c60b0801343f2de8c6b9a1eebafd80bb4f6d5dc295dd9f1

memory/2548-83-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2520-84-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-85-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-86-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-87-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-88-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-89-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-90-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-91-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-92-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-93-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-94-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-95-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-96-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-97-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-98-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2520-99-0x0000000000400000-0x00000000004B7000-memory.dmp