metasploit | 1a21900711d1c7aea1cf027f5e7d7eca6ebe0c9c0b2100ef3fbc24c2d5e53654

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe
Size

372KB
MD5

f6a79d205ab0a22ade3bdd8b2d4ac144
SHA1

8dbb5444c6eeb67c8777444ece18105f97f8b77a
SHA256

1a21900711d1c7aea1cf027f5e7d7eca6ebe0c9c0b2100ef3fbc24c2d5e53654
SHA512

be977e40f0cbb8330713ebf87fde6343ac76816b4c0417594ea744ef0d244fd201b5c00c308ff90f9b3ddad887d3ea237688595b59957c31ce5e02ba075a3ab4
SSDEEP

6144:5hM68UIbBvo7vKwegve2Hbc/ywcUMvwDqbrnnfwFqsohT+5+W/v1n6OS0JJ:5hqUWvo7/jY/yHs4fVskTfW/9n6

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 20 IoCs

pid	Process
2640	windowsupdate.exe
2660	windowsupdate.exe
2240	windowsupdate.exe
2160	windowsupdate.exe
2592	windowsupdate.exe
2008	windowsupdate.exe
2180	windowsupdate.exe
2236	windowsupdate.exe
700	windowsupdate.exe
3056	windowsupdate.exe
2456	windowsupdate.exe
2348	windowsupdate.exe
2672	windowsupdate.exe
3044	windowsupdate.exe
2880	windowsupdate.exe
2712	windowsupdate.exe
2344	windowsupdate.exe
1672	windowsupdate.exe
3000	windowsupdate.exe
1100	windowsupdate.exe

Loads dropped DLL 64 IoCs

pid	Process
2664	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe
2640	windowsupdate.exe
2640	windowsupdate.exe
2640	windowsupdate.exe
2640	windowsupdate.exe
2660	windowsupdate.exe
2660	windowsupdate.exe
2660	windowsupdate.exe
2660	windowsupdate.exe
2240	windowsupdate.exe
2240	windowsupdate.exe
2240	windowsupdate.exe
2240	windowsupdate.exe
2160	windowsupdate.exe
2160	windowsupdate.exe
2160	windowsupdate.exe
2160	windowsupdate.exe
2592	windowsupdate.exe
2592	windowsupdate.exe
2592	windowsupdate.exe
2592	windowsupdate.exe
2008	windowsupdate.exe
2008	windowsupdate.exe
2008	windowsupdate.exe
2008	windowsupdate.exe
2180	windowsupdate.exe
2180	windowsupdate.exe
2180	windowsupdate.exe
2180	windowsupdate.exe
2236	windowsupdate.exe
2236	windowsupdate.exe
2236	windowsupdate.exe
2236	windowsupdate.exe
700	windowsupdate.exe
700	windowsupdate.exe
700	windowsupdate.exe
700	windowsupdate.exe
3056	windowsupdate.exe
3056	windowsupdate.exe
3056	windowsupdate.exe
3056	windowsupdate.exe
2456	windowsupdate.exe
2456	windowsupdate.exe
2456	windowsupdate.exe
2456	windowsupdate.exe
2348	windowsupdate.exe
2348	windowsupdate.exe
2348	windowsupdate.exe
2348	windowsupdate.exe
2672	windowsupdate.exe
2672	windowsupdate.exe
2672	windowsupdate.exe
2672	windowsupdate.exe
3044	windowsupdate.exe
3044	windowsupdate.exe
3044	windowsupdate.exe
3044	windowsupdate.exe
2880	windowsupdate.exe
2880	windowsupdate.exe
2880	windowsupdate.exe
2880	windowsupdate.exe
2712	windowsupdate.exe
2712	windowsupdate.exe
2712	windowsupdate.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 2616 set thread context of 2664	2616	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	30
PID 2640 set thread context of 2660	2640	windowsupdate.exe	32
PID 2240 set thread context of 2160	2240	windowsupdate.exe	34
PID 2592 set thread context of 2008	2592	windowsupdate.exe	36
PID 2180 set thread context of 2236	2180	windowsupdate.exe	38
PID 700 set thread context of 3056	700	windowsupdate.exe	40
PID 2456 set thread context of 2348	2456	windowsupdate.exe	43
PID 2672 set thread context of 3044	2672	windowsupdate.exe	45
PID 2880 set thread context of 2712	2880	windowsupdate.exe	47
PID 2344 set thread context of 1672	2344	windowsupdate.exe	49
PID 3000 set thread context of 1100	3000	windowsupdate.exe	51

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2616	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe
2640	windowsupdate.exe
2240	windowsupdate.exe
2592	windowsupdate.exe
2180	windowsupdate.exe
700	windowsupdate.exe
2456	windowsupdate.exe
2672	windowsupdate.exe
2880	windowsupdate.exe
2344	windowsupdate.exe
3000	windowsupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2664	2616	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2664	2616	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2664	2616	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2664	2616	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2664	2616	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2664	2616	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2664	2616	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2664	2616	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2664	2616	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2664	2616	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2664	2616	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2664	2616	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	30
PID 2664 wrote to memory of 2640	2664	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2640	2664	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2640	2664	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2640	2664	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2640	2664	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2640	2664	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2640	2664	f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2660	2640	windowsupdate.exe	32
PID 2640 wrote to memory of 2660	2640	windowsupdate.exe	32
PID 2640 wrote to memory of 2660	2640	windowsupdate.exe	32
PID 2640 wrote to memory of 2660	2640	windowsupdate.exe	32
PID 2640 wrote to memory of 2660	2640	windowsupdate.exe	32
PID 2640 wrote to memory of 2660	2640	windowsupdate.exe	32
PID 2640 wrote to memory of 2660	2640	windowsupdate.exe	32
PID 2640 wrote to memory of 2660	2640	windowsupdate.exe	32
PID 2640 wrote to memory of 2660	2640	windowsupdate.exe	32
PID 2640 wrote to memory of 2660	2640	windowsupdate.exe	32
PID 2640 wrote to memory of 2660	2640	windowsupdate.exe	32
PID 2640 wrote to memory of 2660	2640	windowsupdate.exe	32
PID 2640 wrote to memory of 2660	2640	windowsupdate.exe	32
PID 2640 wrote to memory of 2660	2640	windowsupdate.exe	32
PID 2640 wrote to memory of 2660	2640	windowsupdate.exe	32
PID 2660 wrote to memory of 2240	2660	windowsupdate.exe	33
PID 2660 wrote to memory of 2240	2660	windowsupdate.exe	33
PID 2660 wrote to memory of 2240	2660	windowsupdate.exe	33
PID 2660 wrote to memory of 2240	2660	windowsupdate.exe	33
PID 2660 wrote to memory of 2240	2660	windowsupdate.exe	33
PID 2660 wrote to memory of 2240	2660	windowsupdate.exe	33
PID 2660 wrote to memory of 2240	2660	windowsupdate.exe	33
PID 2240 wrote to memory of 2160	2240	windowsupdate.exe	34
PID 2240 wrote to memory of 2160	2240	windowsupdate.exe	34
PID 2240 wrote to memory of 2160	2240	windowsupdate.exe	34
PID 2240 wrote to memory of 2160	2240	windowsupdate.exe	34
PID 2240 wrote to memory of 2160	2240	windowsupdate.exe	34
PID 2240 wrote to memory of 2160	2240	windowsupdate.exe	34
PID 2240 wrote to memory of 2160	2240	windowsupdate.exe	34
PID 2240 wrote to memory of 2160	2240	windowsupdate.exe	34
PID 2240 wrote to memory of 2160	2240	windowsupdate.exe	34
PID 2240 wrote to memory of 2160	2240	windowsupdate.exe	34
PID 2240 wrote to memory of 2160	2240	windowsupdate.exe	34
PID 2240 wrote to memory of 2160	2240	windowsupdate.exe	34
PID 2240 wrote to memory of 2160	2240	windowsupdate.exe	34
PID 2240 wrote to memory of 2160	2240	windowsupdate.exe	34
PID 2240 wrote to memory of 2160	2240	windowsupdate.exe	34
PID 2160 wrote to memory of 2592	2160	windowsupdate.exe	35
PID 2160 wrote to memory of 2592	2160	windowsupdate.exe	35
PID 2160 wrote to memory of 2592	2160	windowsupdate.exe	35
PID 2160 wrote to memory of 2592	2160	windowsupdate.exe	35
PID 2160 wrote to memory of 2592	2160	windowsupdate.exe	35
PID 2160 wrote to memory of 2592	2160	windowsupdate.exe	35
PID 2160 wrote to memory of 2592	2160	windowsupdate.exe	35
PID 2592 wrote to memory of 2008	2592	windowsupdate.exe	36

C:\Users\Admin\AppData\Local\Temp\f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\windowsupdate.exe
    C:\Windows\system32\windowsupdate.exe 448 "C:\Users\Admin\AppData\Local\Temp\f6a79d205ab0a22ade3bdd8b2d4ac144_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\windowsupdate.exe
      C:\Windows\SysWOW64\windowsupdate.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\system32\windowsupdate.exe 576 "C:\Windows\SysWOW64\windowsupdate.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\SysWOW64\windowsupdate.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\system32\windowsupdate.exe 576 "C:\Windows\SysWOW64\windowsupdate.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\SysWOW64\windowsupdate.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\system32\windowsupdate.exe 576 "C:\Windows\SysWOW64\windowsupdate.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\SysWOW64\windowsupdate.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\system32\windowsupdate.exe 576 "C:\Windows\SysWOW64\windowsupdate.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:700
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\SysWOW64\windowsupdate.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\system32\windowsupdate.exe 576 "C:\Windows\SysWOW64\windowsupdate.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\SysWOW64\windowsupdate.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\system32\windowsupdate.exe 576 "C:\Windows\SysWOW64\windowsupdate.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\SysWOW64\windowsupdate.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\system32\windowsupdate.exe 592 "C:\Windows\SysWOW64\windowsupdate.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\SysWOW64\windowsupdate.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\system32\windowsupdate.exe 584 "C:\Windows\SysWOW64\windowsupdate.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\SysWOW64\windowsupdate.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\system32\windowsupdate.exe 576 "C:\Windows\SysWOW64\windowsupdate.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\SysWOW64\windowsupdate.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\windowsupdate.exe

Filesize
372KB

MD5
f6a79d205ab0a22ade3bdd8b2d4ac144

SHA1
8dbb5444c6eeb67c8777444ece18105f97f8b77a

SHA256
1a21900711d1c7aea1cf027f5e7d7eca6ebe0c9c0b2100ef3fbc24c2d5e53654

SHA512
be977e40f0cbb8330713ebf87fde6343ac76816b4c0417594ea744ef0d244fd201b5c00c308ff90f9b3ddad887d3ea237688595b59957c31ce5e02ba075a3ab4

Download Submit
memory/2660-67-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2660-56-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2664-18-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2664-16-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2664-23-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2664-12-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2664-14-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2664-6-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2664-2-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2664-5-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2664-65-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2664-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2664-9-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download