darkcomet | d31b4b000ea53806260be91ca05b91bfcb04c56bd68ed457109e5cab14914587

Analysis

max time kernel
150s
max time network
120s
resource
win7v191014
submitted
09-12-2019 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0004 Spec Orede Req.pdf.exe
Size

1.8MB
MD5

d7ee787127e8a5727dd90434f6941a2d
SHA1

aec8070aeba0d4177476494336d6cccb752d83e6
SHA256

d31b4b000ea53806260be91ca05b91bfcb04c56bd68ed457109e5cab14914587
SHA512

57936249eea46d8af818e01e21017e3563223b1fb8c63cc5d4af95e1a5a3be6e446de01f3bf149d0a512585d6cf24dbb2557a4df382a46d0a0dc66ef06d9e5cf

Score

10^/10

darkcomet 3-october 2019 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

3-OCTOBER 2019

timmy77.ddns.net:13251

Mutex

DC_MUTEX-AZAG0NH

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
EsnagdjpAd20
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

ikennaman.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	ikennaman.exe

Executes dropped EXE 4 IoCs

Processes:

ikennaman.exeikennaman.exemsdcsc.exeikennaman.exe

pid process

1400 ikennaman.exe
820 ikennaman.exe
1388 msdcsc.exe
292 ikennaman.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exeikennaman.exeikennaman.execmd.exeikennaman.exe

pid process

1272 cmd.exe
1400 ikennaman.exe
820 ikennaman.exe
1948 cmd.exe
292 ikennaman.exe

pid	process
1400	ikennaman.exe
820	ikennaman.exe
1388	msdcsc.exe
292	ikennaman.exe

pid	process
1272	cmd.exe
1400	ikennaman.exe
820	ikennaman.exe
1948	cmd.exe
292	ikennaman.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ikennaman.exeikennaman.exeikennaman.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\Onydika = "C:\\Users\\Admin\\Documents\\ikennaman.exe"	ikennaman.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	ikennaman.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\Onydika = "C:\\Users\\Admin\\Documents\\ikennaman.exe"	ikennaman.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ikennaman.exe

description pid process target process

PID 1400 set thread context of 820 1400 ikennaman.exe ikennaman.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1400 set thread context of 820	1400	ikennaman.exe	ikennaman.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee00000000020000000000106600000001000020000000bcc5b16d587c56d36bcf2436e95a4270cd501c1a030095425260056900797ee2000000000e800000000200002000000008c70e8b8f414227297206c32940ec1a4214537ea44e2bd1af5778db0ac5a461200000004025c19e116ee0fb20cbc9b9654a1c58f50eee1afda882f096a4596dcf165c6c4000000060af8aed3850890f46da83130853c9905f5ce3905642aa0e4ee8f2d1c9242cf0bec89e7b937bfcbc9ffde847e9b761d82cd6a86cd6803e49255bfb47a072475c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f084d7708aaed501	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee00000000020000000000106600000001000020000000adb6f47af40340ecdc8d5fad3b042437218ed3332096023e6ba824670ee29b66000000000e80000000020000200000002d4c2dec0fffb36c53202da181fa1a5efae365b76b71f1b61665d4b0cd2329eb900000009237278fe436e74286e10881d7c04f962daa540cbc0c88865d5909eb47c6b3494609de1caf50efea9cb4bd1a6d326ef0e066b4b0c7353e1bafba0acf58a9e57623c8126917c01b15481fe2aac88ab4aea87f06acdf9451823c9b3f87efae0af57327b9f10a638963edff4eac58948fa464a6a50168e6d84a567375ec8442668371c3bf92277afbcb160e3f263be3bb87400000002e0ba139aba6c4c02823902b4cc88be6e1f873f826a2f51ccc43327a9d70efd1a3235840e2982fc8bed03281b290a02eb022ea983d13483ac3a401f3fc43bac8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{99EDEB91-1A7D-11EA-9705-DEEA98545C14} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

NTFS ADS 7 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.exeikennaman.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Documents\MSDCSC\msdcsc.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\Documents\ikennaman.exe\:Zone.Identifier:$DATA	cmd.exe
File opened for modification	C:\Users\Admin\Documents\ikennaman.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\0004 Spec Orede Req.pdf.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\Documents\ikennaman.exe\:Zone.Identifier:$DATA	cmd.exe
File opened for modification	C:\Users\Admin\Documents\ikennaman.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\Documents\MSDCSC\msdcsc.exe\:Zone.Identifier:$DATA	ikennaman.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

0004 Spec Orede Req.pdf.exeikennaman.exeikennaman.exemsdcsc.exeikennaman.exe

description	pid	process
Token: SeDebugPrivilege	1436	0004 Spec Orede Req.pdf.exe
Token: SeDebugPrivilege	1400	ikennaman.exe
Token: SeIncreaseQuotaPrivilege	820	ikennaman.exe
Token: SeSecurityPrivilege	820	ikennaman.exe
Token: SeTakeOwnershipPrivilege	820	ikennaman.exe
Token: SeLoadDriverPrivilege	820	ikennaman.exe
Token: SeSystemProfilePrivilege	820	ikennaman.exe
Token: SeSystemtimePrivilege	820	ikennaman.exe
Token: SeProfSingleProcessPrivilege	820	ikennaman.exe
Token: SeIncBasePriorityPrivilege	820	ikennaman.exe
Token: SeCreatePagefilePrivilege	820	ikennaman.exe
Token: SeBackupPrivilege	820	ikennaman.exe
Token: SeRestorePrivilege	820	ikennaman.exe
Token: SeShutdownPrivilege	820	ikennaman.exe
Token: SeDebugPrivilege	820	ikennaman.exe
Token: SeSystemEnvironmentPrivilege	820	ikennaman.exe
Token: SeChangeNotifyPrivilege	820	ikennaman.exe
Token: SeRemoteShutdownPrivilege	820	ikennaman.exe
Token: SeUndockPrivilege	820	ikennaman.exe
Token: SeManageVolumePrivilege	820	ikennaman.exe
Token: SeImpersonatePrivilege	820	ikennaman.exe
Token: SeCreateGlobalPrivilege	820	ikennaman.exe
Token: 33	820	ikennaman.exe
Token: 34	820	ikennaman.exe
Token: 35	820	ikennaman.exe
Token: SeDebugPrivilege	1388	msdcsc.exe
Token: SeDebugPrivilege	292	ikennaman.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

268 iexplore.exe

pid	process
268	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

conhost.execonhost.execonhost.execonhost.execonhost.exeiexplore.exeIEXPLORE.EXEconhost.execonhost.execonhost.exe

pid	process
1064	conhost.exe
1996	conhost.exe
1440	conhost.exe
2004	conhost.exe
1976	conhost.exe
268	iexplore.exe
268	iexplore.exe
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE
512	conhost.exe
1104	conhost.exe
1840	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0004 Spec Orede Req.pdf.execmd.exeikennaman.exeikennaman.exemsdcsc.exeiexplore.execmd.exeikennaman.exe

description	pid	process	target process
PID 1436 wrote to memory of 1104	1436	0004 Spec Orede Req.pdf.exe	cmd.exe
PID 1436 wrote to memory of 1104	1436	0004 Spec Orede Req.pdf.exe	cmd.exe
PID 1436 wrote to memory of 1104	1436	0004 Spec Orede Req.pdf.exe	cmd.exe
PID 1436 wrote to memory of 1104	1436	0004 Spec Orede Req.pdf.exe	cmd.exe
PID 1436 wrote to memory of 1948	1436	0004 Spec Orede Req.pdf.exe	cmd.exe
PID 1436 wrote to memory of 1948	1436	0004 Spec Orede Req.pdf.exe	cmd.exe
PID 1436 wrote to memory of 1948	1436	0004 Spec Orede Req.pdf.exe	cmd.exe
PID 1436 wrote to memory of 1948	1436	0004 Spec Orede Req.pdf.exe	cmd.exe
PID 1436 wrote to memory of 1272	1436	0004 Spec Orede Req.pdf.exe	cmd.exe
PID 1436 wrote to memory of 1272	1436	0004 Spec Orede Req.pdf.exe	cmd.exe
PID 1436 wrote to memory of 1272	1436	0004 Spec Orede Req.pdf.exe	cmd.exe
PID 1436 wrote to memory of 1272	1436	0004 Spec Orede Req.pdf.exe	cmd.exe
PID 1272 wrote to memory of 1400	1272	cmd.exe	ikennaman.exe
PID 1272 wrote to memory of 1400	1272	cmd.exe	ikennaman.exe
PID 1272 wrote to memory of 1400	1272	cmd.exe	ikennaman.exe
PID 1272 wrote to memory of 1400	1272	cmd.exe	ikennaman.exe
PID 1400 wrote to memory of 1900	1400	ikennaman.exe	cmd.exe
PID 1400 wrote to memory of 1900	1400	ikennaman.exe	cmd.exe
PID 1400 wrote to memory of 1900	1400	ikennaman.exe	cmd.exe
PID 1400 wrote to memory of 1900	1400	ikennaman.exe	cmd.exe
PID 1400 wrote to memory of 820	1400	ikennaman.exe	ikennaman.exe
PID 1400 wrote to memory of 820	1400	ikennaman.exe	ikennaman.exe
PID 1400 wrote to memory of 820	1400	ikennaman.exe	ikennaman.exe
PID 1400 wrote to memory of 820	1400	ikennaman.exe	ikennaman.exe
PID 1400 wrote to memory of 820	1400	ikennaman.exe	ikennaman.exe
PID 1400 wrote to memory of 820	1400	ikennaman.exe	ikennaman.exe
PID 1400 wrote to memory of 820	1400	ikennaman.exe	ikennaman.exe
PID 1400 wrote to memory of 820	1400	ikennaman.exe	ikennaman.exe
PID 1400 wrote to memory of 820	1400	ikennaman.exe	ikennaman.exe
PID 1400 wrote to memory of 820	1400	ikennaman.exe	ikennaman.exe
PID 1400 wrote to memory of 820	1400	ikennaman.exe	ikennaman.exe
PID 1400 wrote to memory of 820	1400	ikennaman.exe	ikennaman.exe
PID 1400 wrote to memory of 820	1400	ikennaman.exe	ikennaman.exe
PID 820 wrote to memory of 1388	820	ikennaman.exe	msdcsc.exe
PID 820 wrote to memory of 1388	820	ikennaman.exe	msdcsc.exe
PID 820 wrote to memory of 1388	820	ikennaman.exe	msdcsc.exe
PID 820 wrote to memory of 1388	820	ikennaman.exe	msdcsc.exe
PID 1388 wrote to memory of 1908	1388	msdcsc.exe	cmd.exe
PID 1388 wrote to memory of 1908	1388	msdcsc.exe	cmd.exe
PID 1388 wrote to memory of 1908	1388	msdcsc.exe	cmd.exe
PID 1388 wrote to memory of 1908	1388	msdcsc.exe	cmd.exe
PID 268 wrote to memory of 1788	268	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 1788	268	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 1788	268	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 1788	268	iexplore.exe	IEXPLORE.EXE
PID 1388 wrote to memory of 1652	1388	msdcsc.exe	cmd.exe
PID 1388 wrote to memory of 1652	1388	msdcsc.exe	cmd.exe
PID 1388 wrote to memory of 1652	1388	msdcsc.exe	cmd.exe
PID 1388 wrote to memory of 1652	1388	msdcsc.exe	cmd.exe
PID 1388 wrote to memory of 1948	1388	msdcsc.exe	cmd.exe
PID 1388 wrote to memory of 1948	1388	msdcsc.exe	cmd.exe
PID 1388 wrote to memory of 1948	1388	msdcsc.exe	cmd.exe
PID 1388 wrote to memory of 1948	1388	msdcsc.exe	cmd.exe
PID 1948 wrote to memory of 292	1948	cmd.exe	ikennaman.exe
PID 1948 wrote to memory of 292	1948	cmd.exe	ikennaman.exe
PID 1948 wrote to memory of 292	1948	cmd.exe	ikennaman.exe
PID 1948 wrote to memory of 292	1948	cmd.exe	ikennaman.exe
PID 292 wrote to memory of 1816	292	ikennaman.exe	cmd.exe
PID 292 wrote to memory of 1816	292	ikennaman.exe	cmd.exe
PID 292 wrote to memory of 1816	292	ikennaman.exe	cmd.exe
PID 292 wrote to memory of 1816	292	ikennaman.exe	cmd.exe
PID 292 wrote to memory of 1308	292	ikennaman.exe	ikennaman.exe
PID 292 wrote to memory of 1308	292	ikennaman.exe	ikennaman.exe
PID 292 wrote to memory of 1308	292	ikennaman.exe	ikennaman.exe

C:\Users\Admin\AppData\Local\Temp\0004 Spec Orede Req.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\0004 Spec Orede Req.pdf.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\0004 Spec Orede Req.pdf.exe:Zone.Identifier"
2⤵
- NTFS ADS
PID:1104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\0004 Spec Orede Req.pdf.exe" "C:\Users\Admin\Documents\ikennaman.exe"
2⤵
- NTFS ADS
PID:1948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\Documents\ikennaman.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\Documents\ikennaman.exe
"C:\Users\Admin\Documents\ikennaman.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\Documents\ikennaman.exe:Zone.Identifier"
4⤵
- NTFS ADS
PID:1900

C:\Users\Admin\Documents\ikennaman.exe
"C:\Users\Admin\Documents\ikennaman.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe:Zone.Identifier"
6⤵
- NTFS ADS
PID:1908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe" "C:\Users\Admin\Documents\ikennaman.exe"
6⤵
- NTFS ADS
PID:1652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\Documents\ikennaman.exe"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\Documents\ikennaman.exe
"C:\Users\Admin\Documents\ikennaman.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\Documents\ikennaman.exe:Zone.Identifier"
8⤵
- NTFS ADS
PID:1816

C:\Users\Admin\Documents\ikennaman.exe
"C:\Users\Admin\Documents\ikennaman.exe"
8⤵
PID:1308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1010190574-19306643031201772696-479661271629380329-88839335-56182350-1854666663"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18877333342121077671-32986627217281529731441664872-1224166189-1359231791340653324"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17103742281970428864498262941485421965-319806093-1833030653342908077-369505471"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-351915668-4643431551599520625-16775027021472016181434867546804104328756503124"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-338958324-153429051-12518768742158176311861201306-1977452897359669055-723358965"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1976

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ResetDebug.gif
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:268

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:268 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12102349762000764541-303424282373893510921921233789155383-1114823417-1968114298"
1⤵
- Suspicious use of SetWindowsHookEx
PID:512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1479270697-1865237355667818184-1504945063-1186951168-200311465210596603421632206077"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1612297499-2034988396-14530177242867497921604357608-979210886-2111656523-1578860347"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1840

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
MD5
d7ee787127e8a5727dd90434f6941a2d

SHA1
aec8070aeba0d4177476494336d6cccb752d83e6

SHA256
d31b4b000ea53806260be91ca05b91bfcb04c56bd68ed457109e5cab14914587

SHA512
57936249eea46d8af818e01e21017e3563223b1fb8c63cc5d4af95e1a5a3be6e446de01f3bf149d0a512585d6cf24dbb2557a4df382a46d0a0dc66ef06d9e5cf

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
MD5
d7ee787127e8a5727dd90434f6941a2d

SHA1
aec8070aeba0d4177476494336d6cccb752d83e6

SHA256
d31b4b000ea53806260be91ca05b91bfcb04c56bd68ed457109e5cab14914587

SHA512
57936249eea46d8af818e01e21017e3563223b1fb8c63cc5d4af95e1a5a3be6e446de01f3bf149d0a512585d6cf24dbb2557a4df382a46d0a0dc66ef06d9e5cf

Download Submit
C:\Users\Admin\Documents\ikennaman.exe
MD5
d7ee787127e8a5727dd90434f6941a2d

SHA1
aec8070aeba0d4177476494336d6cccb752d83e6

SHA256
d31b4b000ea53806260be91ca05b91bfcb04c56bd68ed457109e5cab14914587

SHA512
57936249eea46d8af818e01e21017e3563223b1fb8c63cc5d4af95e1a5a3be6e446de01f3bf149d0a512585d6cf24dbb2557a4df382a46d0a0dc66ef06d9e5cf

Download Submit
C:\Users\Admin\Documents\ikennaman.exe
MD5
d7ee787127e8a5727dd90434f6941a2d

SHA1
aec8070aeba0d4177476494336d6cccb752d83e6

SHA256
d31b4b000ea53806260be91ca05b91bfcb04c56bd68ed457109e5cab14914587

SHA512
57936249eea46d8af818e01e21017e3563223b1fb8c63cc5d4af95e1a5a3be6e446de01f3bf149d0a512585d6cf24dbb2557a4df382a46d0a0dc66ef06d9e5cf

Download Submit
C:\Users\Admin\Documents\ikennaman.exe
MD5
d7ee787127e8a5727dd90434f6941a2d

SHA1
aec8070aeba0d4177476494336d6cccb752d83e6

SHA256
d31b4b000ea53806260be91ca05b91bfcb04c56bd68ed457109e5cab14914587

SHA512
57936249eea46d8af818e01e21017e3563223b1fb8c63cc5d4af95e1a5a3be6e446de01f3bf149d0a512585d6cf24dbb2557a4df382a46d0a0dc66ef06d9e5cf

Download Submit
C:\Users\Admin\Documents\ikennaman.exe
MD5
d7ee787127e8a5727dd90434f6941a2d

SHA1
aec8070aeba0d4177476494336d6cccb752d83e6

SHA256
d31b4b000ea53806260be91ca05b91bfcb04c56bd68ed457109e5cab14914587

SHA512
57936249eea46d8af818e01e21017e3563223b1fb8c63cc5d4af95e1a5a3be6e446de01f3bf149d0a512585d6cf24dbb2557a4df382a46d0a0dc66ef06d9e5cf

Download Submit
C:\Users\Admin\Documents\ikennaman.exe
MD5
d7ee787127e8a5727dd90434f6941a2d

SHA1
aec8070aeba0d4177476494336d6cccb752d83e6

SHA256
d31b4b000ea53806260be91ca05b91bfcb04c56bd68ed457109e5cab14914587

SHA512
57936249eea46d8af818e01e21017e3563223b1fb8c63cc5d4af95e1a5a3be6e446de01f3bf149d0a512585d6cf24dbb2557a4df382a46d0a0dc66ef06d9e5cf

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
MD5
d7ee787127e8a5727dd90434f6941a2d

SHA1
aec8070aeba0d4177476494336d6cccb752d83e6

SHA256
d31b4b000ea53806260be91ca05b91bfcb04c56bd68ed457109e5cab14914587

SHA512
57936249eea46d8af818e01e21017e3563223b1fb8c63cc5d4af95e1a5a3be6e446de01f3bf149d0a512585d6cf24dbb2557a4df382a46d0a0dc66ef06d9e5cf

Download Submit
\Users\Admin\Documents\ikennaman.exe
MD5
d7ee787127e8a5727dd90434f6941a2d

SHA1
aec8070aeba0d4177476494336d6cccb752d83e6

SHA256
d31b4b000ea53806260be91ca05b91bfcb04c56bd68ed457109e5cab14914587

SHA512
57936249eea46d8af818e01e21017e3563223b1fb8c63cc5d4af95e1a5a3be6e446de01f3bf149d0a512585d6cf24dbb2557a4df382a46d0a0dc66ef06d9e5cf

Download Submit
\Users\Admin\Documents\ikennaman.exe
MD5
d7ee787127e8a5727dd90434f6941a2d

SHA1
aec8070aeba0d4177476494336d6cccb752d83e6

SHA256
d31b4b000ea53806260be91ca05b91bfcb04c56bd68ed457109e5cab14914587

SHA512
57936249eea46d8af818e01e21017e3563223b1fb8c63cc5d4af95e1a5a3be6e446de01f3bf149d0a512585d6cf24dbb2557a4df382a46d0a0dc66ef06d9e5cf

Download Submit
\Users\Admin\Documents\ikennaman.exe
MD5
d7ee787127e8a5727dd90434f6941a2d

SHA1
aec8070aeba0d4177476494336d6cccb752d83e6

SHA256
d31b4b000ea53806260be91ca05b91bfcb04c56bd68ed457109e5cab14914587

SHA512
57936249eea46d8af818e01e21017e3563223b1fb8c63cc5d4af95e1a5a3be6e446de01f3bf149d0a512585d6cf24dbb2557a4df382a46d0a0dc66ef06d9e5cf

Download Submit
\Users\Admin\Documents\ikennaman.exe
MD5
d7ee787127e8a5727dd90434f6941a2d

SHA1
aec8070aeba0d4177476494336d6cccb752d83e6

SHA256
d31b4b000ea53806260be91ca05b91bfcb04c56bd68ed457109e5cab14914587

SHA512
57936249eea46d8af818e01e21017e3563223b1fb8c63cc5d4af95e1a5a3be6e446de01f3bf149d0a512585d6cf24dbb2557a4df382a46d0a0dc66ef06d9e5cf

Download Submit
memory/820-14-0x0000000003920000-0x0000000003921000-memory.dmp

Filesize
4KB

Download
memory/820-12-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/820-10-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1436-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads