Analysis
Max time kernel: 149s
Max time network: 148s
Platform: windows11-21h2_x64
Resource: win11-20250410-en
Resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 18/04/2025, 03:27
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
  Resource: win10v2004-20250314-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
  Resource: win11-20250410-en
General
Target: JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Size: 792KB
MD5: bc5e9d6c42c4a7a8f3e399628b35edc6
SHA1: 89467555b70aa69a09f2a9b6068d851bc6da3730
SHA256: 37f71d92f06d6db3a5660d2029e0828277f5970942554372c0405eeb5daec278
SHA512: f85ba3ccf4a76412a53d286b8dd6ab02feca4736c27e2b5a6ed6b158543bf5780ceef3c213613727f0b9ddeb267bb5ad1bb79fc70ecc5c2610c7b0ec9624d5ff
SSDEEP: 24576:XlvYrG9qagUztjgUVWdxfYEbKQZ87bqeA4L9j/A:eK9qagUO2wO7bXA4
Malware Config
Extracted
Family: darkcomet
- Mooose
- masha.zapto.org:1604
- DC_MUTEX-9HH2WSZ
InstallPath: Windupdt\winupdate.exe
gencode: iUjv.BRt=lEN
install: true
offline_keylogger: true
persistence: true
reg_key: winupdater
Signatures
Darkcomet family
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\Windupdt\\winupdate.exe" | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winupdate.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" | winupdate.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winupdate.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winupdate.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" | winupdate.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winupdate.exe
Windows security bypass 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winupdate.exe
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
Executes dropped EXE 4 IoCs
pid | Process
1128 | winupdate.exe
5988 | winupdate.exe
2112 | winupdate.exe
5096 | winupdate.exe
Windows security modification 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winupdate.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Users\\Admin\\Documents\\Windupdt\\winupdate.exe" | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 6016 set thread context of 3836 | 6016 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 78
PID 1128 set thread context of 2112 | 1128 | winupdate.exe | 83
PID 5988 set thread context of 5096 | 5988 | winupdate.exe | 87
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4904 | PING.EXE
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
4904 | PING.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2112 | winupdate.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeSecurityPrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeTakeOwnershipPrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeLoadDriverPrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeSystemProfilePrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeSystemtimePrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeProfSingleProcessPrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeIncBasePriorityPrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeCreatePagefilePrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeBackupPrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeRestorePrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeShutdownPrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeDebugPrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeSystemEnvironmentPrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeChangeNotifyPrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeRemoteShutdownPrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeUndockPrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeManageVolumePrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeImpersonatePrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeCreateGlobalPrivilege | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: 33 | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: 34 | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: 35 | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: 36 | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
Token: SeIncreaseQuotaPrivilege | 2112 | winupdate.exe
Token: SeSecurityPrivilege | 2112 | winupdate.exe
Token: SeTakeOwnershipPrivilege | 2112 | winupdate.exe
Token: SeLoadDriverPrivilege | 2112 | winupdate.exe
Token: SeSystemProfilePrivilege | 2112 | winupdate.exe
Token: SeSystemtimePrivilege | 2112 | winupdate.exe
Token: SeProfSingleProcessPrivilege | 2112 | winupdate.exe
Token: SeIncBasePriorityPrivilege | 2112 | winupdate.exe
Token: SeCreatePagefilePrivilege | 2112 | winupdate.exe
Token: SeBackupPrivilege | 2112 | winupdate.exe
Token: SeRestorePrivilege | 2112 | winupdate.exe
Token: SeShutdownPrivilege | 2112 | winupdate.exe
Token: SeDebugPrivilege | 2112 | winupdate.exe
Token: SeSystemEnvironmentPrivilege | 2112 | winupdate.exe
Token: SeChangeNotifyPrivilege | 2112 | winupdate.exe
Token: SeRemoteShutdownPrivilege | 2112 | winupdate.exe
Token: SeUndockPrivilege | 2112 | winupdate.exe
Token: SeManageVolumePrivilege | 2112 | winupdate.exe
Token: SeImpersonatePrivilege | 2112 | winupdate.exe
Token: SeCreateGlobalPrivilege | 2112 | winupdate.exe
Token: 33 | 2112 | winupdate.exe
Token: 34 | 2112 | winupdate.exe
Token: 35 | 2112 | winupdate.exe
Token: 36 | 2112 | winupdate.exe
Token: SeIncreaseQuotaPrivilege | 5096 | winupdate.exe
Token: SeSecurityPrivilege | 5096 | winupdate.exe
Token: SeTakeOwnershipPrivilege | 5096 | winupdate.exe
Token: SeLoadDriverPrivilege | 5096 | winupdate.exe
Token: SeSystemProfilePrivilege | 5096 | winupdate.exe
Token: SeSystemtimePrivilege | 5096 | winupdate.exe
Token: SeProfSingleProcessPrivilege | 5096 | winupdate.exe
Token: SeIncBasePriorityPrivilege | 5096 | winupdate.exe
Token: SeCreatePagefilePrivilege | 5096 | winupdate.exe
Token: SeBackupPrivilege | 5096 | winupdate.exe
Token: SeRestorePrivilege | 5096 | winupdate.exe
Token: SeShutdownPrivilege | 5096 | winupdate.exe
Token: SeDebugPrivilege | 5096 | winupdate.exe
Token: SeSystemEnvironmentPrivilege | 5096 | winupdate.exe
Token: SeChangeNotifyPrivilege | 5096 | winupdate.exe
Token: SeRemoteShutdownPrivilege | 5096 | winupdate.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2112 | winupdate.exe
Suspicious use of WriteProcessMemory 54 IoCs
description | pid | Process | procid_target
PID 6016 wrote to memory of 3836 | 6016 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 78
PID 6016 wrote to memory of 3836 | 6016 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 78
PID 6016 wrote to memory of 3836 | 6016 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 78
PID 6016 wrote to memory of 3836 | 6016 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 78
PID 6016 wrote to memory of 3836 | 6016 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 78
PID 6016 wrote to memory of 3836 | 6016 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 78
PID 6016 wrote to memory of 3836 | 6016 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 78
PID 6016 wrote to memory of 3836 | 6016 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 78
PID 6016 wrote to memory of 3836 | 6016 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 78
PID 6016 wrote to memory of 3836 | 6016 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 78
PID 6016 wrote to memory of 3836 | 6016 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 78
PID 6016 wrote to memory of 3836 | 6016 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 78
PID 6016 wrote to memory of 3836 | 6016 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 78
PID 6016 wrote to memory of 3836 | 6016 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 78
PID 2884 wrote to memory of 1128 | 2884 | cmd.exe | 81
PID 2884 wrote to memory of 1128 | 2884 | cmd.exe | 81
PID 2884 wrote to memory of 1128 | 2884 | cmd.exe | 81
PID 3836 wrote to memory of 5988 | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 82
PID 3836 wrote to memory of 5988 | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 82
PID 3836 wrote to memory of 5988 | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 82
PID 1128 wrote to memory of 2112 | 1128 | winupdate.exe | 83
PID 1128 wrote to memory of 2112 | 1128 | winupdate.exe | 83
PID 1128 wrote to memory of 2112 | 1128 | winupdate.exe | 83
PID 1128 wrote to memory of 2112 | 1128 | winupdate.exe | 83
PID 1128 wrote to memory of 2112 | 1128 | winupdate.exe | 83
PID 1128 wrote to memory of 2112 | 1128 | winupdate.exe | 83
PID 1128 wrote to memory of 2112 | 1128 | winupdate.exe | 83
PID 1128 wrote to memory of 2112 | 1128 | winupdate.exe | 83
PID 1128 wrote to memory of 2112 | 1128 | winupdate.exe | 83
PID 1128 wrote to memory of 2112 | 1128 | winupdate.exe | 83
PID 1128 wrote to memory of 2112 | 1128 | winupdate.exe | 83
PID 1128 wrote to memory of 2112 | 1128 | winupdate.exe | 83
PID 1128 wrote to memory of 2112 | 1128 | winupdate.exe | 83
PID 1128 wrote to memory of 2112 | 1128 | winupdate.exe | 83
PID 3836 wrote to memory of 3888 | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 84
PID 3836 wrote to memory of 3888 | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 84
PID 3836 wrote to memory of 3888 | 3836 | JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe | 84
PID 3888 wrote to memory of 4904 | 3888 | cmd.exe | 86
PID 3888 wrote to memory of 4904 | 3888 | cmd.exe | 86
PID 3888 wrote to memory of 4904 | 3888 | cmd.exe | 86
PID 5988 wrote to memory of 5096 | 5988 | winupdate.exe | 87
PID 5988 wrote to memory of 5096 | 5988 | winupdate.exe | 87
PID 5988 wrote to memory of 5096 | 5988 | winupdate.exe | 87
PID 5988 wrote to memory of 5096 | 5988 | winupdate.exe | 87
PID 5988 wrote to memory of 5096 | 5988 | winupdate.exe | 87
PID 5988 wrote to memory of 5096 | 5988 | winupdate.exe | 87
PID 5988 wrote to memory of 5096 | 5988 | winupdate.exe | 87
PID 5988 wrote to memory of 5096 | 5988 | winupdate.exe | 87
PID 5988 wrote to memory of 5096 | 5988 | winupdate.exe | 87
PID 5988 wrote to memory of 5096 | 5988 | winupdate.exe | 87
PID 5988 wrote to memory of 5096 | 5988 | winupdate.exe | 87
PID 5988 wrote to memory of 5096 | 5988 | winupdate.exe | 87
PID 5988 wrote to memory of 5096 | 5988 | winupdate.exe | 87
PID 5988 wrote to memory of 5096 | 5988 | winupdate.exe | 87
Processes
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe"
   PID: 6016
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6.exe"
      PID: 3836
      - Modifies WinLogon for persistence
      - Checks BIOS information in registry
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\Documents\Windupdt\winupdate.exe
         Command line: "C:\Users\Admin\Documents\Windupdt\winupdate.exe"
         PID: 5988
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\Documents\Windupdt\winupdate.exe
            Command line: "C:\Users\Admin\Documents\Windupdt\winupdate.exe"
            PID: 5096
            - Modifies firewall policy service
            - Windows security bypass
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Windows security modification
            - System Location Discovery: System Language Discovery
            - Checks processor information in registry
            - Enumerates system info in registry
            - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
         PID: 3888
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1 -n 2
            PID: 4904
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\Windupdt\winupdate.exe
   PID: 2884
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\Documents\Windupdt\winupdate.exe
      Command line: C:\Users\Admin\Documents\Windupdt\winupdate.exe
      PID: 1128
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\Documents\Windupdt\winupdate.exe
         Command line: C:\Users\Admin\Documents\Windupdt\winupdate.exe
         PID: 2112
         - Modifies firewall policy service
         - Windows security bypass
         - Checks BIOS information in registry
         - Executes dropped EXE
         - Windows security modification
         - System Location Discovery: System Language Discovery
         - Checks processor information in registry
         - Enumerates system info in registry
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (3)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Modify Registry (5)
Downloads
-
Filesize: 119B
MD5: 760784e390ae008a654e492285f01072
SHA1: 8c524fdd6567eae87d811b681098193dcdeff6c3
SHA256: eb80e56c9bead57fd9305f00357547afae43beac03d41f6f60a73001f1bb88f9
SHA512: 478302a4d38cc154f4ed328b3c63b492a9c302803b4485a443b4eacb7987d4f57ac51d1e34e8a4ed7a8dd0e34b58a589eac2835353c18e24d3f055055835033b
-
Filesize: 792KB
MD5: bc5e9d6c42c4a7a8f3e399628b35edc6
SHA1: 89467555b70aa69a09f2a9b6068d851bc6da3730
SHA256: 37f71d92f06d6db3a5660d2029e0828277f5970942554372c0405eeb5daec278
SHA512: f85ba3ccf4a76412a53d286b8dd6ab02feca4736c27e2b5a6ed6b158543bf5780ceef3c213613727f0b9ddeb267bb5ad1bb79fc70ecc5c2610c7b0ec9624d5ff