darkcomet | efdc86c63c05a02f553e73da1eddf2d667e53e0819337a57bf7f7b8185e54659

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2025, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Size

344KB
MD5

84f2342f2061bbe1da030929bf0dc911
SHA1

d4ac598006268e6fbbab0b26eff64660218048ed
SHA256

efdc86c63c05a02f553e73da1eddf2d667e53e0819337a57bf7f7b8185e54659
SHA512

bf6e71ce4130a487c93cb9adfe62e3264bc360b58c4d4a2ddb4f576e9fae9a19ad2ba31af59a1432310097189eb9c537c5e9223912d14c07fc5a63535f8d36ce
SSDEEP

6144:7MgRwm0+zrZT/lfBtreOTj2klHbCroPeUpW5I2oHplSZkOiu9PZ/p:7MewEzRnWkl70oBUZoYNVR

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

hostmee.no-ip.org:1604

Mutex

DC_MUTEX-2MXHG58

Attributes

InstallPath
Windupdt\winupdate.exe
gencode
g�hlPa%NHGlb
install
true
offline_keylogger
false
persistence
false
reg_key
winupdater

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 24 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Sets file to hidden 1 TTPs 24 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2944	attrib.exe
5832	attrib.exe
3612	attrib.exe
1576	attrib.exe
4280	attrib.exe
3580	attrib.exe
3008	attrib.exe
1176	attrib.exe
2612	attrib.exe
964	attrib.exe
2348	attrib.exe
4868	attrib.exe
5408	attrib.exe
3624	attrib.exe
1668	attrib.exe
5652	attrib.exe
544	attrib.exe
5352	attrib.exe
6132	attrib.exe
5704	attrib.exe
6060	attrib.exe
6132	attrib.exe
2708	attrib.exe
1680	attrib.exe

Checks computer location settings 2 TTPs 23 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	winupdate.exe

Executes dropped EXE 23 IoCs

pid	Process
4872	winupdate.exe
1176	winupdate.exe
5732	winupdate.exe
1244	winupdate.exe
1412	winupdate.exe
2872	winupdate.exe
4868	winupdate.exe
5940	winupdate.exe
2796	winupdate.exe
4056	winupdate.exe
548	winupdate.exe
5944	winupdate.exe
4584	winupdate.exe
6088	winupdate.exe
4616	winupdate.exe
6084	winupdate.exe
4276	winupdate.exe
1896	winupdate.exe
328	winupdate.exe
4064	winupdate.exe
5368	winupdate.exe
1160	winupdate.exe
3652	winupdate.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1228-0-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/files/0x00070000000241f6-7.dat	upx
behavioral2/memory/1228-36-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/4872-40-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/5732-42-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/1176-44-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/5732-47-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/1244-50-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/1412-53-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/2872-55-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/4868-58-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/5940-61-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/2796-64-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/4056-67-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/548-70-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/5944-73-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/4584-76-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/6088-79-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/4616-82-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/6084-85-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/4276-88-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/1896-90-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/328-93-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/4064-96-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/5368-99-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/1160-102-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/3652-103-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral2/memory/3652-106-0x0000000000400000-0x00000000004EB000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 48 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6024	cmd.exe
1628	cmd.exe
2084	cmd.exe
2388	cmd.exe
3668	PING.EXE
4796	cmd.exe
4208	cmd.exe
5964	PING.EXE
6096	PING.EXE
4408	PING.EXE
4060	cmd.exe
1724	PING.EXE
5732	PING.EXE
4032	cmd.exe
1312	cmd.exe
3668	cmd.exe
5220	cmd.exe
3252	PING.EXE
2564	cmd.exe
5664	cmd.exe
2044	PING.EXE
5672	PING.EXE
1220	PING.EXE
1048	cmd.exe
4452	cmd.exe
548	PING.EXE
5992	cmd.exe
4352	PING.EXE
4764	cmd.exe
5216	PING.EXE
5048	cmd.exe
5196	PING.EXE
5572	PING.EXE
732	PING.EXE
3648	PING.EXE
2444	cmd.exe
2320	cmd.exe
4052	PING.EXE
6128	cmd.exe
4768	PING.EXE
3288	cmd.exe
2464	PING.EXE
5296	PING.EXE
3372	PING.EXE
1228	PING.EXE
5756	cmd.exe
2384	PING.EXE
2000	cmd.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe

Runs ping.exe 1 TTPs 24 IoCs

Remote System Discovery

T1018

pid	Process
5296	PING.EXE
5672	PING.EXE
5732	PING.EXE
1228	PING.EXE
4408	PING.EXE
4352	PING.EXE
3668	PING.EXE
4768	PING.EXE
5964	PING.EXE
6096	PING.EXE
1220	PING.EXE
4052	PING.EXE
732	PING.EXE
2044	PING.EXE
3372	PING.EXE
548	PING.EXE
5196	PING.EXE
5572	PING.EXE
2384	PING.EXE
1724	PING.EXE
5216	PING.EXE
3648	PING.EXE
3252	PING.EXE
2464	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeSecurityPrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeTakeOwnershipPrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeLoadDriverPrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeSystemProfilePrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeSystemtimePrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeProfSingleProcessPrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeIncBasePriorityPrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeCreatePagefilePrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeBackupPrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeRestorePrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeShutdownPrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeDebugPrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeSystemEnvironmentPrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeChangeNotifyPrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeRemoteShutdownPrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeUndockPrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeManageVolumePrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeImpersonatePrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeCreateGlobalPrivilege	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: 33	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: 34	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: 35	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: 36	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
Token: SeIncreaseQuotaPrivilege	4872	winupdate.exe
Token: SeSecurityPrivilege	4872	winupdate.exe
Token: SeTakeOwnershipPrivilege	4872	winupdate.exe
Token: SeLoadDriverPrivilege	4872	winupdate.exe
Token: SeSystemProfilePrivilege	4872	winupdate.exe
Token: SeSystemtimePrivilege	4872	winupdate.exe
Token: SeProfSingleProcessPrivilege	4872	winupdate.exe
Token: SeIncBasePriorityPrivilege	4872	winupdate.exe
Token: SeCreatePagefilePrivilege	4872	winupdate.exe
Token: SeBackupPrivilege	4872	winupdate.exe
Token: SeRestorePrivilege	4872	winupdate.exe
Token: SeShutdownPrivilege	4872	winupdate.exe
Token: SeDebugPrivilege	4872	winupdate.exe
Token: SeSystemEnvironmentPrivilege	4872	winupdate.exe
Token: SeChangeNotifyPrivilege	4872	winupdate.exe
Token: SeRemoteShutdownPrivilege	4872	winupdate.exe
Token: SeUndockPrivilege	4872	winupdate.exe
Token: SeManageVolumePrivilege	4872	winupdate.exe
Token: SeImpersonatePrivilege	4872	winupdate.exe
Token: SeCreateGlobalPrivilege	4872	winupdate.exe
Token: 33	4872	winupdate.exe
Token: 34	4872	winupdate.exe
Token: 35	4872	winupdate.exe
Token: 36	4872	winupdate.exe
Token: SeIncreaseQuotaPrivilege	1176	winupdate.exe
Token: SeSecurityPrivilege	1176	winupdate.exe
Token: SeTakeOwnershipPrivilege	1176	winupdate.exe
Token: SeLoadDriverPrivilege	1176	winupdate.exe
Token: SeSystemProfilePrivilege	1176	winupdate.exe
Token: SeSystemtimePrivilege	1176	winupdate.exe
Token: SeProfSingleProcessPrivilege	1176	winupdate.exe
Token: SeIncBasePriorityPrivilege	1176	winupdate.exe
Token: SeCreatePagefilePrivilege	1176	winupdate.exe
Token: SeBackupPrivilege	1176	winupdate.exe
Token: SeRestorePrivilege	1176	winupdate.exe
Token: SeShutdownPrivilege	1176	winupdate.exe
Token: SeDebugPrivilege	1176	winupdate.exe
Token: SeSystemEnvironmentPrivilege	1176	winupdate.exe
Token: SeChangeNotifyPrivilege	1176	winupdate.exe
Token: SeRemoteShutdownPrivilege	1176	winupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 3704	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe	92
PID 1228 wrote to memory of 3704	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe	92
PID 1228 wrote to memory of 3704	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe	92
PID 1228 wrote to memory of 4060	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe	94
PID 1228 wrote to memory of 4060	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe	94
PID 1228 wrote to memory of 4060	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe	94
PID 3704 wrote to memory of 5832	3704	cmd.exe	96
PID 3704 wrote to memory of 5832	3704	cmd.exe	96
PID 3704 wrote to memory of 5832	3704	cmd.exe	96
PID 4060 wrote to memory of 732	4060	cmd.exe	97
PID 4060 wrote to memory of 732	4060	cmd.exe	97
PID 4060 wrote to memory of 732	4060	cmd.exe	97
PID 1228 wrote to memory of 4872	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe	98
PID 1228 wrote to memory of 4872	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe	98
PID 1228 wrote to memory of 4872	1228	JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe	98
PID 4872 wrote to memory of 3772	4872	winupdate.exe	102
PID 4872 wrote to memory of 3772	4872	winupdate.exe	102
PID 4872 wrote to memory of 3772	4872	winupdate.exe	102
PID 4872 wrote to memory of 3288	4872	winupdate.exe	103
PID 4872 wrote to memory of 3288	4872	winupdate.exe	103
PID 4872 wrote to memory of 3288	4872	winupdate.exe	103
PID 3772 wrote to memory of 5352	3772	cmd.exe	106
PID 3772 wrote to memory of 5352	3772	cmd.exe	106
PID 3772 wrote to memory of 5352	3772	cmd.exe	106
PID 3288 wrote to memory of 2384	3288	cmd.exe	107
PID 3288 wrote to memory of 2384	3288	cmd.exe	107
PID 3288 wrote to memory of 2384	3288	cmd.exe	107
PID 4872 wrote to memory of 1176	4872	winupdate.exe	108
PID 4872 wrote to memory of 1176	4872	winupdate.exe	108
PID 4872 wrote to memory of 1176	4872	winupdate.exe	108
PID 1176 wrote to memory of 4364	1176	winupdate.exe	111
PID 1176 wrote to memory of 4364	1176	winupdate.exe	111
PID 1176 wrote to memory of 4364	1176	winupdate.exe	111
PID 1176 wrote to memory of 4208	1176	winupdate.exe	112
PID 1176 wrote to memory of 4208	1176	winupdate.exe	112
PID 1176 wrote to memory of 4208	1176	winupdate.exe	112
PID 4364 wrote to memory of 5408	4364	cmd.exe	115
PID 4364 wrote to memory of 5408	4364	cmd.exe	115
PID 4364 wrote to memory of 5408	4364	cmd.exe	115
PID 4208 wrote to memory of 3252	4208	cmd.exe	116
PID 4208 wrote to memory of 3252	4208	cmd.exe	116
PID 4208 wrote to memory of 3252	4208	cmd.exe	116
PID 1176 wrote to memory of 5732	1176	winupdate.exe	117
PID 1176 wrote to memory of 5732	1176	winupdate.exe	117
PID 1176 wrote to memory of 5732	1176	winupdate.exe	117
PID 5732 wrote to memory of 728	5732	winupdate.exe	118
PID 5732 wrote to memory of 728	5732	winupdate.exe	118
PID 5732 wrote to memory of 728	5732	winupdate.exe	118
PID 5732 wrote to memory of 2000	5732	winupdate.exe	119
PID 5732 wrote to memory of 2000	5732	winupdate.exe	119
PID 5732 wrote to memory of 2000	5732	winupdate.exe	119
PID 728 wrote to memory of 3612	728	cmd.exe	122
PID 728 wrote to memory of 3612	728	cmd.exe	122
PID 728 wrote to memory of 3612	728	cmd.exe	122
PID 2000 wrote to memory of 1724	2000	cmd.exe	123
PID 2000 wrote to memory of 1724	2000	cmd.exe	123
PID 2000 wrote to memory of 1724	2000	cmd.exe	123
PID 5732 wrote to memory of 1244	5732	winupdate.exe	124
PID 5732 wrote to memory of 1244	5732	winupdate.exe	124
PID 5732 wrote to memory of 1244	5732	winupdate.exe	124
PID 1244 wrote to memory of 2716	1244	winupdate.exe	126
PID 1244 wrote to memory of 2716	1244	winupdate.exe	126
PID 1244 wrote to memory of 2716	1244	winupdate.exe	126
PID 1244 wrote to memory of 6024	1244	winupdate.exe	128

Views/modifies file attributes 1 TTPs 24 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5652	attrib.exe
5408	attrib.exe
6132	attrib.exe
3008	attrib.exe
1176	attrib.exe
2708	attrib.exe
1668	attrib.exe
5832	attrib.exe
5352	attrib.exe
1576	attrib.exe
4280	attrib.exe
5704	attrib.exe
6060	attrib.exe
2348	attrib.exe
2612	attrib.exe
3612	attrib.exe
964	attrib.exe
3580	attrib.exe
544	attrib.exe
1680	attrib.exe
4868	attrib.exe
2944	attrib.exe
3624	attrib.exe
6132	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:5832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84f2342f2061bbe1da030929bf0dc911.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:732
- C:\Windows\SysWOW64\Windupdt\winupdate.exe
  "C:\Windows\system32\Windupdt\winupdate.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      Views/modifies file attributes
      PID:5352
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 5
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2384
- - C:\Windows\SysWOW64\Windupdt\winupdate.exe
    "C:\Windows\system32\Windupdt\winupdate.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:5408
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:4208
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3252
  - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
      "C:\Windows\system32\Windupdt\winupdate.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5732
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:728
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        6⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3612
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1724
    - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        7⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1576
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6024
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2464
      - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        7⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        8⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5296
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        7⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        9⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5216
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        8⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        9⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        10⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2044
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        9⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        11⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:5704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5672
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        10⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        12⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5732
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        11⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        12⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        13⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3648
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        12⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        14⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4032
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3372
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        13⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        15⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        15⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3668
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        14⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        16⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:6132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4768
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        15⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:5244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        17⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1228
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        16⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        17⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        18⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        17⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5964
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        17⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        19⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        19⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6096
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        18⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        20⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        19⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1220
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        19⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        20⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        21⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:5652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        21⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:548
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        20⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        21⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        22⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5196
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        21⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        22⤵
        
        PID:640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        23⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        23⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4408
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        22⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        23⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        24⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5572
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        23⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        25⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        25⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4352
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        24⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        25⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        26⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5&del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 5
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4052
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        25⤵
        
        PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
344KB

MD5
84f2342f2061bbe1da030929bf0dc911

SHA1
d4ac598006268e6fbbab0b26eff64660218048ed

SHA256
efdc86c63c05a02f553e73da1eddf2d667e53e0819337a57bf7f7b8185e54659

SHA512
bf6e71ce4130a487c93cb9adfe62e3264bc360b58c4d4a2ddb4f576e9fae9a19ad2ba31af59a1432310097189eb9c537c5e9223912d14c07fc5a63535f8d36ce

Download Submit
memory/328-93-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/548-70-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1160-102-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1176-44-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1228-0-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1228-1-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/1228-36-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1244-50-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1412-53-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1896-90-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2796-64-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2872-55-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3652-106-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3652-103-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4056-67-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4064-96-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4276-88-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4584-76-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4616-82-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4868-58-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4872-40-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4872-37-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/5368-99-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/5732-42-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/5732-47-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/5940-61-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/5944-73-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/6084-85-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/6088-79-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads