Analysis
max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system
submitted
18/04/2025, 03:27
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral2
Sample
JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Resource
win11-20250410-en
General
-
Target
JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
-
Size
792KB
-
MD5
bc5e9d6c42c4a7a8f3e399628b35edc6
-
SHA1
89467555b70aa69a09f2a9b6068d851bc6da3730
-
SHA256
37f71d92f06d6db3a5660d2029e0828277f5970942554372c0405eeb5daec278
-
SHA512
f85ba3ccf4a76412a53d286b8dd6ab02feca4736c27e2b5a6ed6b158543bf5780ceef3c213613727f0b9ddeb267bb5ad1bb79fc70ecc5c2610c7b0ec9624d5ff
-
SSDEEP
24576:XlvYrG9qagUztjgUVWdxfYEbKQZ87bqeA4L9j/A:eK9qagUO2wO7bXA4
Malware Config
Extracted
darkcomet
Mooose
masha.zapto.org:1604
DC_MUTEX-9HH2WSZ
-
InstallPath
Windupdt\winupdate.exe
-
gencode
iUjv.BRt=lEN
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
winupdater
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\Windupdt\\winupdate.exe" | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" | winupdate.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winupdate.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winupdate.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" | winupdate.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winupdate.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winupdate.exe
Windows security bypass 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winupdate.exe
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Executes dropped EXE 4 IoCs
pid | Process
3248 | winupdate.exe
1508 | winupdate.exe
1208 | winupdate.exe
4904 | winupdate.exe
Windows security modification 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Users\\Admin\\Documents\\Windupdt\\winupdate.exe" | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 3140 set thread context of 1960 | 3140 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 89
PID 3248 set thread context of 1208 | 3248 | winupdate.exe | 94
PID 1508 set thread context of 4904 | 1508 | winupdate.exe | 98
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4692 | PING.EXE
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
4692 | PING.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1208 | winupdate.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeSecurityPrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeTakeOwnershipPrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeLoadDriverPrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeSystemProfilePrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeSystemtimePrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeProfSingleProcessPrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeIncBasePriorityPrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeCreatePagefilePrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeBackupPrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeRestorePrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeShutdownPrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeDebugPrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeSystemEnvironmentPrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeChangeNotifyPrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeRemoteShutdownPrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeUndockPrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeManageVolumePrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeImpersonatePrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeCreateGlobalPrivilege | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: 33 | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: 34 | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: 35 | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: 36 | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeIncreaseQuotaPrivilege | 1208 | winupdate.exe
Token: SeSecurityPrivilege | 1208 | winupdate.exe
Token: SeTakeOwnershipPrivilege | 1208 | winupdate.exe
Token: SeLoadDriverPrivilege | 1208 | winupdate.exe
Token: SeSystemProfilePrivilege | 1208 | winupdate.exe
Token: SeSystemtimePrivilege | 1208 | winupdate.exe
Token: SeProfSingleProcessPrivilege | 1208 | winupdate.exe
Token: SeIncBasePriorityPrivilege | 1208 | winupdate.exe
Token: SeCreatePagefilePrivilege | 1208 | winupdate.exe
Token: SeBackupPrivilege | 1208 | winupdate.exe
Token: SeRestorePrivilege | 1208 | winupdate.exe
Token: SeShutdownPrivilege | 1208 | winupdate.exe
Token: SeDebugPrivilege | 1208 | winupdate.exe
Token: SeSystemEnvironmentPrivilege | 1208 | winupdate.exe
Token: SeChangeNotifyPrivilege | 1208 | winupdate.exe
Token: SeRemoteShutdownPrivilege | 1208 | winupdate.exe
Token: SeUndockPrivilege | 1208 | winupdate.exe
Token: SeManageVolumePrivilege | 1208 | winupdate.exe
Token: SeImpersonatePrivilege | 1208 | winupdate.exe
Token: SeCreateGlobalPrivilege | 1208 | winupdate.exe
Token: 33 | 1208 | winupdate.exe
Token: 34 | 1208 | winupdate.exe
Token: 35 | 1208 | winupdate.exe
Token: 36 | 1208 | winupdate.exe
Token: SeIncreaseQuotaPrivilege | 4904 | winupdate.exe
Token: SeSecurityPrivilege | 4904 | winupdate.exe
Token: SeTakeOwnershipPrivilege | 4904 | winupdate.exe
Token: SeLoadDriverPrivilege | 4904 | winupdate.exe
Token: SeSystemProfilePrivilege | 4904 | winupdate.exe
Token: SeSystemtimePrivilege | 4904 | winupdate.exe
Token: SeProfSingleProcessPrivilege | 4904 | winupdate.exe
Token: SeIncBasePriorityPrivilege | 4904 | winupdate.exe
Token: SeCreatePagefilePrivilege | 4904 | winupdate.exe
Token: SeBackupPrivilege | 4904 | winupdate.exe
Token: SeRestorePrivilege | 4904 | winupdate.exe
Token: SeShutdownPrivilege | 4904 | winupdate.exe
Token: SeDebugPrivilege | 4904 | winupdate.exe
Token: SeSystemEnvironmentPrivilege | 4904 | winupdate.exe
Token: SeChangeNotifyPrivilege | 4904 | winupdate.exe
Token: SeRemoteShutdownPrivilege | 4904 | winupdate.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1208 | winupdate.exe
Suspicious use of WriteProcessMemory 54 IoCs
description | pid | Process | procid_target | count
PID 3140 wrote to memory of 1960 | 3140 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 89 | 14
PID 3168 wrote to memory of 3248 | 3168 | cmd.exe | 92 | 3
PID 1960 wrote to memory of 1508 | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 93 | 3
PID 3248 wrote to memory of 1208 | 3248 | winupdate.exe | 94 | 14
PID 1960 wrote to memory of 1996 | 1960 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 95 | 3
PID 1996 wrote to memory of 4692 | 1996 | cmd.exe | 97 | 3
PID 1508 wrote to memory of 4904 | 1508 | winupdate.exe | 98 | 14
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3140
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe"
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1960
    - C:\Users\Admin\Documents\Windupdt\winupdate.exe (depth 3)
      command line: "C:\Users\Admin\Documents\Windupdt\winupdate.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:1508
      - C:\Users\Admin\Documents\Windupdt\winupdate.exe (depth 4)
        command line: "C:\Users\Admin\Documents\Windupdt\winupdate.exe"
        - Modifies firewall policy service
        - Windows security bypass
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken
        PID:4904
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:1996
      - C:\Windows\SysWOW64\PING.EXE (depth 4)
        command line: ping 127.0.0.1 -n 2
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID:4692
- C:\Windows\system32\cmd.exe (depth 1)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\Windupdt\winupdate.exe
  - Suspicious use of WriteProcessMemory
  PID:3168
  - C:\Users\Admin\Documents\Windupdt\winupdate.exe (depth 2)
    command line: C:\Users\Admin\Documents\Windupdt\winupdate.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3248
    - C:\Users\Admin\Documents\Windupdt\winupdate.exe (depth 3)
      command line: C:\Users\Admin\Documents\Windupdt\winupdate.exe
      - Modifies firewall policy service
      - Windows security bypass
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID:1208
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (3)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Modify Registry (5)
Downloads
-
Filesize
119B
MD5
760784e390ae008a654e492285f01072
SHA1
8c524fdd6567eae87d811b681098193dcdeff6c3
SHA256
eb80e56c9bead57fd9305f00357547afae43beac03d41f6f60a73001f1bb88f9
SHA512
478302a4d38cc154f4ed328b3c63b492a9c302803b4485a443b4eacb7987d4f57ac51d1e34e8a4ed7a8dd0e34b58a589eac2835353c18e24d3f055055835033b
-
Filesize
792KB
MD5
bc5e9d6c42c4a7a8f3e399628b35edc6
SHA1
89467555b70aa69a09f2a9b6068d851bc6da3730
SHA256
37f71d92f06d6db3a5660d2029e0828277f5970942554372c0405eeb5daec278
SHA512
f85ba3ccf4a76412a53d286b8dd6ab02feca4736c27e2b5a6ed6b158543bf5780ceef3c213613727f0b9ddeb267bb5ad1bb79fc70ecc5c2610c7b0ec9624d5ff