Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 00:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
218189c3a94be13dc3fc46ce0583159aa4e4f57f136b3283435d70890e2dacefN.exe
Resource
win7-20241010-en
windows7-x64
22 signatures
120 seconds
General
-
Target
218189c3a94be13dc3fc46ce0583159aa4e4f57f136b3283435d70890e2dacefN.exe
-
Size
966KB
-
MD5
6c3c1088500350d9ff8c0869177ef5f0
-
SHA1
3da4fdd97fe1264bf1da9c14b24abdad3bc741ce
-
SHA256
218189c3a94be13dc3fc46ce0583159aa4e4f57f136b3283435d70890e2dacef
-
SHA512
52425e86bc82802c858a5ae954aeafb47f4f6dafbcf8c5aecc40ce560007de090a02a8ca5a83dfbaca396428f852022d07bed08419183a0a9a62c1d30e5b16dd
-
SSDEEP
12288:N3TD4DnRfwKl+znaNpofSsa9Pi+W9iXqpea3wJWIfBT3PGUE0/DrRrPGVz:FTQuKl+zsUC6J9i+3wJRT3PI0/xGx
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
74.65.183.83:1604
74.65.183.83:25565
74.65.183.83:1122
74.65.183.83:100
Mutex
DC_MUTEX-XH87550
Attributes
-
InstallPath
WindowsUpdate.exe
-
gencode
MwBxQSYoXbQb
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
WindoesUpdate.dll
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\WindowsUpdate.exe" BlackWidowV4CrackedBySkullTeam.exe -
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" WindowsUpdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" WindowsUpdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" iexplore.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile WindowsUpdate.exe -
Modifies security service 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" WindowsUpdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" iexplore.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WindowsUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WindowsUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" iexplore.exe -
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WindowsUpdate.exe -
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 1428 attrib.exe 648 attrib.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation 218189c3a94be13dc3fc46ce0583159aa4e4f57f136b3283435d70890e2dacefN.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation BlackWidowV4CrackedBySkullTeam.sfx.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation BlackWidowV4CrackedBySkullTeam.exe -
Executes dropped EXE 3 IoCs
pid Process 2760 BlackWidowV4CrackedBySkullTeam.sfx.exe 4000 BlackWidowV4CrackedBySkullTeam.exe 1208 WindowsUpdate.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WindowsUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WindowsUpdate.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindoesUpdate.dll = "C:\\WindowsUpdate.exe" WindowsUpdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindoesUpdate.dll = "C:\\WindowsUpdate.exe" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindoesUpdate.dll = "C:\\WindowsUpdate.exe" BlackWidowV4CrackedBySkullTeam.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1208 set thread context of 3472 1208 WindowsUpdate.exe 93 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 218189c3a94be13dc3fc46ce0583159aa4e4f57f136b3283435d70890e2dacefN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BlackWidowV4CrackedBySkullTeam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WindowsUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BlackWidowV4CrackedBySkullTeam.sfx.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3472 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeSecurityPrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeTakeOwnershipPrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeLoadDriverPrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeSystemProfilePrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeSystemtimePrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeProfSingleProcessPrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeIncBasePriorityPrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeCreatePagefilePrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeBackupPrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeRestorePrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeShutdownPrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeDebugPrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeSystemEnvironmentPrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeChangeNotifyPrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeRemoteShutdownPrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeUndockPrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeManageVolumePrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeImpersonatePrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeCreateGlobalPrivilege 4000 BlackWidowV4CrackedBySkullTeam.exe Token: 33 4000 BlackWidowV4CrackedBySkullTeam.exe Token: 34 4000 BlackWidowV4CrackedBySkullTeam.exe Token: 35 4000 BlackWidowV4CrackedBySkullTeam.exe Token: 36 4000 BlackWidowV4CrackedBySkullTeam.exe Token: SeIncreaseQuotaPrivilege 1208 WindowsUpdate.exe Token: SeSecurityPrivilege 1208 WindowsUpdate.exe Token: SeTakeOwnershipPrivilege 1208 WindowsUpdate.exe Token: SeLoadDriverPrivilege 1208 WindowsUpdate.exe Token: SeSystemProfilePrivilege 1208 WindowsUpdate.exe Token: SeSystemtimePrivilege 1208 WindowsUpdate.exe Token: SeProfSingleProcessPrivilege 1208 WindowsUpdate.exe Token: SeIncBasePriorityPrivilege 1208 WindowsUpdate.exe Token: SeCreatePagefilePrivilege 1208 WindowsUpdate.exe Token: SeBackupPrivilege 1208 WindowsUpdate.exe Token: SeRestorePrivilege 1208 WindowsUpdate.exe Token: SeShutdownPrivilege 1208 WindowsUpdate.exe Token: SeDebugPrivilege 1208 WindowsUpdate.exe Token: SeSystemEnvironmentPrivilege 1208 WindowsUpdate.exe Token: SeChangeNotifyPrivilege 1208 WindowsUpdate.exe Token: SeRemoteShutdownPrivilege 1208 WindowsUpdate.exe Token: SeUndockPrivilege 1208 WindowsUpdate.exe Token: SeManageVolumePrivilege 1208 WindowsUpdate.exe Token: SeImpersonatePrivilege 1208 WindowsUpdate.exe Token: SeCreateGlobalPrivilege 1208 WindowsUpdate.exe Token: 33 1208 WindowsUpdate.exe Token: 34 1208 WindowsUpdate.exe Token: 35 1208 WindowsUpdate.exe Token: 36 1208 WindowsUpdate.exe Token: SeIncreaseQuotaPrivilege 3472 iexplore.exe Token: SeSecurityPrivilege 3472 iexplore.exe Token: SeTakeOwnershipPrivilege 3472 iexplore.exe Token: SeLoadDriverPrivilege 3472 iexplore.exe Token: SeSystemProfilePrivilege 3472 iexplore.exe Token: SeSystemtimePrivilege 3472 iexplore.exe Token: SeProfSingleProcessPrivilege 3472 iexplore.exe Token: SeIncBasePriorityPrivilege 3472 iexplore.exe Token: SeCreatePagefilePrivilege 3472 iexplore.exe Token: SeBackupPrivilege 3472 iexplore.exe Token: SeRestorePrivilege 3472 iexplore.exe Token: SeShutdownPrivilege 3472 iexplore.exe Token: SeDebugPrivilege 3472 iexplore.exe Token: SeSystemEnvironmentPrivilege 3472 iexplore.exe Token: SeChangeNotifyPrivilege 3472 iexplore.exe Token: SeRemoteShutdownPrivilege 3472 iexplore.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3472 iexplore.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3020 wrote to memory of 4432 3020 218189c3a94be13dc3fc46ce0583159aa4e4f57f136b3283435d70890e2dacefN.exe 82 PID 3020 wrote to memory of 4432 3020 218189c3a94be13dc3fc46ce0583159aa4e4f57f136b3283435d70890e2dacefN.exe 82 PID 3020 wrote to memory of 4432 3020 218189c3a94be13dc3fc46ce0583159aa4e4f57f136b3283435d70890e2dacefN.exe 82 PID 4432 wrote to memory of 2760 4432 cmd.exe 85 PID 4432 wrote to memory of 2760 4432 cmd.exe 85 PID 4432 wrote to memory of 2760 4432 cmd.exe 85 PID 2760 wrote to memory of 4000 2760 BlackWidowV4CrackedBySkullTeam.sfx.exe 86 PID 2760 wrote to memory of 4000 2760 BlackWidowV4CrackedBySkullTeam.sfx.exe 86 PID 2760 wrote to memory of 4000 2760 BlackWidowV4CrackedBySkullTeam.sfx.exe 86 PID 4000 wrote to memory of 208 4000 BlackWidowV4CrackedBySkullTeam.exe 87 PID 4000 wrote to memory of 208 4000 BlackWidowV4CrackedBySkullTeam.exe 87 PID 4000 wrote to memory of 208 4000 BlackWidowV4CrackedBySkullTeam.exe 87 PID 4000 wrote to memory of 180 4000 BlackWidowV4CrackedBySkullTeam.exe 88 PID 4000 wrote to memory of 180 4000 BlackWidowV4CrackedBySkullTeam.exe 88 PID 4000 wrote to memory of 180 4000 BlackWidowV4CrackedBySkullTeam.exe 88 PID 4000 wrote to memory of 2188 4000 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4000 wrote to memory of 2188 4000 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4000 wrote to memory of 2188 4000 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4000 wrote to memory of 2188 4000 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4000 wrote to memory of 2188 4000 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4000 wrote to memory of 2188 4000 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4000 wrote to memory of 2188 4000 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4000 wrote to memory of 2188 4000 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4000 wrote to memory of 2188 4000 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4000 wrote to memory of 2188 4000 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4000 wrote to memory of 2188 4000 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4000 wrote to memory of 2188 4000 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4000 wrote to memory of 2188 4000 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4000 wrote to memory of 2188 4000 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4000 wrote to memory of 2188 4000 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4000 wrote to memory of 2188 4000 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4000 wrote to memory of 2188 4000 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4000 wrote to memory of 1208 4000 BlackWidowV4CrackedBySkullTeam.exe 92 PID 4000 wrote to memory of 1208 4000 BlackWidowV4CrackedBySkullTeam.exe 92 PID 4000 wrote to memory of 1208 4000 BlackWidowV4CrackedBySkullTeam.exe 92 PID 1208 wrote to memory of 3472 1208 WindowsUpdate.exe 93 PID 1208 wrote to memory of 3472 1208 WindowsUpdate.exe 93 PID 1208 wrote to memory of 3472 1208 WindowsUpdate.exe 93 PID 1208 wrote to memory of 3472 1208 WindowsUpdate.exe 93 PID 1208 wrote to memory of 3472 1208 WindowsUpdate.exe 93 PID 208 wrote to memory of 1428 208 cmd.exe 94 PID 208 wrote to memory of 1428 208 cmd.exe 94 PID 208 wrote to memory of 1428 208 cmd.exe 94 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 PID 3472 wrote to memory of 4676 3472 iexplore.exe 95 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion WindowsUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern WindowsUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" WindowsUpdate.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 1428 attrib.exe 648 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\218189c3a94be13dc3fc46ce0583159aa4e4f57f136b3283435d70890e2dacefN.exe"C:\Users\Admin\AppData\Local\Temp\218189c3a94be13dc3fc46ce0583159aa4e4f57f136b3283435d70890e2dacefN.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\dll.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\BlackWidowV4CrackedBySkullTeam.sfx.exeBlackWidowV4CrackedBySkullTeam.sfx -parrow1998 -dC:\Users\Admin\AppData\Roaming3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BlackWidowV4CrackedBySkullTeam.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BlackWidowV4CrackedBySkullTeam.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BlackWidowV4CrackedBySkullTeam.exe" +s +h5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BlackWidowV4CrackedBySkullTeam.exe" +s +h6⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1428
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1" +s +h5⤵
- System Location Discovery: System Language Discovery
PID:180 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1" +s +h6⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:648
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
- System Location Discovery: System Language Discovery
PID:2188
-
-
C:\WindowsUpdate.exe"C:\WindowsUpdate.exe"5⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1208 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"6⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\notepad.exenotepad7⤵
- System Location Discovery: System Language Discovery
PID:4676
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
519KB
MD54b7cf29e9744da36f072c88a9372395a
SHA1c9e206d3d81c8b604860c3dd379ee059676aa409
SHA25600f0d8dd7eb761c34048df8706a526963150d95f592ef7e9bb4caa93947114bb
SHA512418be4347a2cc3a50059d707a5a438f707c1385b013a7409d95139b6b8f22f1416d576c6d1c44eea4e930803a50888e0a109c4b2b23c40c4f96f84e5d6a7e303
-
Filesize
58B
MD5d2f7f27d6885c2afea6c3ad5bc6c1190
SHA1f2b23abe2f2d90ca61b1b356e7e125b1f7d41798
SHA2561c4d169e0bb2016066e4e545c89426addb0aaaf58240d2740be8d85753b94261
SHA51235d50b0c23725d40b15e0b7627e8228f02cd26b606c1d2815d1f2ff03ee5098877ab52d8527987b46d425ea34ea258d4710a7f48555a70b8afce5863c1442caa
-
Filesize
1004KB
MD5997c248b8c1ff1e99aaa40e8384331f4
SHA1ca765e630e0fb9ab4837ea0389c012cf12da02f6
SHA2563a4da5311a97fa8a4e8142b6e4847e9effd69b3d6abe7c3bd0a5922cf1bc3cf2
SHA51219a98ba43953fdb7acd721b1fdc3ee96d6964820b04cea6538fe835d0d0047d38ff76f11d9525eb339c9e489e55c0d752ab6cc2eddf1cd7336772dfb00a90166