darkcomet | cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72

Analysis

max time kernel
144s
max time network
196s
platform
windows7_x64
resource
win7v20210408
submitted
08-09-2021 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe
Size

1.3MB
MD5

50889863763dec84072482d72d257a5a
SHA1

ee585ed89df214b743ceb8fe2cf85999e6013806
SHA256

cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72
SHA512

4fb2c1a727d4b703e0e88eef85b4d57f181f9a0658219e493f3a3435c98defb0dc845c3d07b5be1d0bac5357f3e2a5b03e38b696fa846e8e17b4fc50f5c5d5eb

Score

10^/10

darkcomet m2 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

127.0.0.1:1604

laylaylom15975300.freeddns.org:1604

Mutex

DC_MUTEX-J1SBQ5X

Attributes

InstallPath
MSDCSC\iexplorer.exe
gencode
bTMSQkMKM11U
install
true
offline_keylogger
true
persistence
true
reg_key
Windows Defender

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

BOARDMT2 TICARET HACK V2.3.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\iexplorer.exe"	BOARDMT2 TICARET HACK V2.3.EXE

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

iexplorer.exeiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	iexplorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	iexplore.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

BOARDMT2 TICARET HACK V2.3.EXESERVER.EXEiexplorer.exe

pid process

1300 BOARDMT2 TICARET HACK V2.3.EXE
688 SERVER.EXE
1292 iexplorer.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

pid	process
1300	BOARDMT2 TICARET HACK V2.3.EXE
688	SERVER.EXE
1292	iexplorer.exe

Loads dropped DLL 5 IoCs

Processes:

cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exeBOARDMT2 TICARET HACK V2.3.EXE

pid	process
1984	cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe
1984	cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe
1984	cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe
1300	BOARDMT2 TICARET HACK V2.3.EXE
1300	BOARDMT2 TICARET HACK V2.3.EXE

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

SERVER.EXE

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" SERVER.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	SERVER.EXE

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

BOARDMT2 TICARET HACK V2.3.EXESERVER.EXEiexplorer.exeiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\Documents\\MSDCSC\\iexplorer.exe"	BOARDMT2 TICARET HACK V2.3.EXE
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SERVER.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	SERVER.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mscvin = "C:\\Windows\\Mscvin.exe"	SERVER.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\Documents\\MSDCSC\\iexplorer.exe"	iexplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\Documents\\MSDCSC\\iexplorer.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SERVER.EXE

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SERVER.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

iexplorer.exe

description pid process target process

PID 1292 set thread context of 908 1292 iexplorer.exe iexplore.exe
Drops file in Windows directory 2 IoCs

Processes:

SERVER.EXE

description ioc process

File created C:\Windows\Mscvin.exe SERVER.EXE
File opened for modification C:\Windows\Mscvin.exe SERVER.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SERVER.EXE

description	pid	process	target process
PID 1292 set thread context of 908	1292	iexplorer.exe	iexplore.exe

description	ioc	process
File created	C:\Windows\Mscvin.exe	SERVER.EXE
File opened for modification	C:\Windows\Mscvin.exe	SERVER.EXE

Modifies registry class 3 IoCs

Processes:

SERVER.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	SERVER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	SERVER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	SERVER.EXE

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1132 PING.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

908 iexplore.exe

pid	process
1132	PING.EXE

pid	process
908	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SERVER.EXEBOARDMT2 TICARET HACK V2.3.EXEiexplorer.exeiexplore.exe

description	pid	process
Token: SeBackupPrivilege	688	SERVER.EXE
Token: SeIncreaseQuotaPrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeSecurityPrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeTakeOwnershipPrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeLoadDriverPrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeSystemProfilePrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeSystemtimePrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeProfSingleProcessPrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeIncBasePriorityPrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeCreatePagefilePrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeBackupPrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeRestorePrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeShutdownPrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeDebugPrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeSystemEnvironmentPrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeChangeNotifyPrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeRemoteShutdownPrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeUndockPrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeManageVolumePrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeImpersonatePrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeCreateGlobalPrivilege	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: 33	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: 34	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: 35	1300	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeIncreaseQuotaPrivilege	1292	iexplorer.exe
Token: SeSecurityPrivilege	1292	iexplorer.exe
Token: SeTakeOwnershipPrivilege	1292	iexplorer.exe
Token: SeLoadDriverPrivilege	1292	iexplorer.exe
Token: SeSystemProfilePrivilege	1292	iexplorer.exe
Token: SeSystemtimePrivilege	1292	iexplorer.exe
Token: SeProfSingleProcessPrivilege	1292	iexplorer.exe
Token: SeIncBasePriorityPrivilege	1292	iexplorer.exe
Token: SeCreatePagefilePrivilege	1292	iexplorer.exe
Token: SeBackupPrivilege	1292	iexplorer.exe
Token: SeRestorePrivilege	1292	iexplorer.exe
Token: SeShutdownPrivilege	1292	iexplorer.exe
Token: SeDebugPrivilege	1292	iexplorer.exe
Token: SeSystemEnvironmentPrivilege	1292	iexplorer.exe
Token: SeChangeNotifyPrivilege	1292	iexplorer.exe
Token: SeRemoteShutdownPrivilege	1292	iexplorer.exe
Token: SeUndockPrivilege	1292	iexplorer.exe
Token: SeManageVolumePrivilege	1292	iexplorer.exe
Token: SeImpersonatePrivilege	1292	iexplorer.exe
Token: SeCreateGlobalPrivilege	1292	iexplorer.exe
Token: 33	1292	iexplorer.exe
Token: 34	1292	iexplorer.exe
Token: 35	1292	iexplorer.exe
Token: SeIncreaseQuotaPrivilege	908	iexplore.exe
Token: SeSecurityPrivilege	908	iexplore.exe
Token: SeTakeOwnershipPrivilege	908	iexplore.exe
Token: SeLoadDriverPrivilege	908	iexplore.exe
Token: SeSystemProfilePrivilege	908	iexplore.exe
Token: SeSystemtimePrivilege	908	iexplore.exe
Token: SeProfSingleProcessPrivilege	908	iexplore.exe
Token: SeIncBasePriorityPrivilege	908	iexplore.exe
Token: SeCreatePagefilePrivilege	908	iexplore.exe
Token: SeBackupPrivilege	908	iexplore.exe
Token: SeRestorePrivilege	908	iexplore.exe
Token: SeShutdownPrivilege	908	iexplore.exe
Token: SeDebugPrivilege	908	iexplore.exe
Token: SeSystemEnvironmentPrivilege	908	iexplore.exe
Token: SeChangeNotifyPrivilege	908	iexplore.exe
Token: SeRemoteShutdownPrivilege	908	iexplore.exe
Token: SeUndockPrivilege	908	iexplore.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

SERVER.EXEiexplore.exe

pid process

688 SERVER.EXE
908 iexplore.exe
688 SERVER.EXE

pid	process
688	SERVER.EXE
908	iexplore.exe
688	SERVER.EXE

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exeSERVER.EXEnet.exenet.exeBOARDMT2 TICARET HACK V2.3.EXEcmd.execmd.execmd.exeiexplorer.exe

description	pid	process	target process
PID 1984 wrote to memory of 1300	1984	cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe	BOARDMT2 TICARET HACK V2.3.EXE
PID 1984 wrote to memory of 1300	1984	cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe	BOARDMT2 TICARET HACK V2.3.EXE
PID 1984 wrote to memory of 1300	1984	cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe	BOARDMT2 TICARET HACK V2.3.EXE
PID 1984 wrote to memory of 1300	1984	cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe	BOARDMT2 TICARET HACK V2.3.EXE
PID 1984 wrote to memory of 688	1984	cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe	SERVER.EXE
PID 1984 wrote to memory of 688	1984	cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe	SERVER.EXE
PID 1984 wrote to memory of 688	1984	cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe	SERVER.EXE
PID 1984 wrote to memory of 688	1984	cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe	SERVER.EXE
PID 688 wrote to memory of 1108	688	SERVER.EXE	netsh.exe
PID 688 wrote to memory of 1108	688	SERVER.EXE	netsh.exe
PID 688 wrote to memory of 1108	688	SERVER.EXE	netsh.exe
PID 688 wrote to memory of 1108	688	SERVER.EXE	netsh.exe
PID 688 wrote to memory of 1644	688	SERVER.EXE	net.exe
PID 688 wrote to memory of 1644	688	SERVER.EXE	net.exe
PID 688 wrote to memory of 1644	688	SERVER.EXE	net.exe
PID 688 wrote to memory of 1644	688	SERVER.EXE	net.exe
PID 688 wrote to memory of 572	688	SERVER.EXE	net.exe
PID 688 wrote to memory of 572	688	SERVER.EXE	net.exe
PID 688 wrote to memory of 572	688	SERVER.EXE	net.exe
PID 688 wrote to memory of 572	688	SERVER.EXE	net.exe
PID 572 wrote to memory of 2028	572	net.exe	net1.exe
PID 572 wrote to memory of 2028	572	net.exe	net1.exe
PID 572 wrote to memory of 2028	572	net.exe	net1.exe
PID 572 wrote to memory of 2028	572	net.exe	net1.exe
PID 1644 wrote to memory of 1840	1644	net.exe	net1.exe
PID 1644 wrote to memory of 1840	1644	net.exe	net1.exe
PID 1644 wrote to memory of 1840	1644	net.exe	net1.exe
PID 1644 wrote to memory of 1840	1644	net.exe	net1.exe
PID 1300 wrote to memory of 1488	1300	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 1300 wrote to memory of 1488	1300	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 1300 wrote to memory of 1488	1300	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 1300 wrote to memory of 1488	1300	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 1300 wrote to memory of 592	1300	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 1300 wrote to memory of 592	1300	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 1300 wrote to memory of 592	1300	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 1300 wrote to memory of 592	1300	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 1300 wrote to memory of 296	1300	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 1300 wrote to memory of 296	1300	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 1300 wrote to memory of 296	1300	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 1300 wrote to memory of 296	1300	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 1488 wrote to memory of 1700	1488	cmd.exe	attrib.exe
PID 1488 wrote to memory of 1700	1488	cmd.exe	attrib.exe
PID 1488 wrote to memory of 1700	1488	cmd.exe	attrib.exe
PID 1488 wrote to memory of 1700	1488	cmd.exe	attrib.exe
PID 592 wrote to memory of 1224	592	cmd.exe	attrib.exe
PID 592 wrote to memory of 1224	592	cmd.exe	attrib.exe
PID 592 wrote to memory of 1224	592	cmd.exe	attrib.exe
PID 592 wrote to memory of 1224	592	cmd.exe	attrib.exe
PID 296 wrote to memory of 1132	296	cmd.exe	PING.EXE
PID 296 wrote to memory of 1132	296	cmd.exe	PING.EXE
PID 296 wrote to memory of 1132	296	cmd.exe	PING.EXE
PID 296 wrote to memory of 1132	296	cmd.exe	PING.EXE
PID 1300 wrote to memory of 1292	1300	BOARDMT2 TICARET HACK V2.3.EXE	iexplorer.exe
PID 1300 wrote to memory of 1292	1300	BOARDMT2 TICARET HACK V2.3.EXE	iexplorer.exe
PID 1300 wrote to memory of 1292	1300	BOARDMT2 TICARET HACK V2.3.EXE	iexplorer.exe
PID 1300 wrote to memory of 1292	1300	BOARDMT2 TICARET HACK V2.3.EXE	iexplorer.exe
PID 1292 wrote to memory of 908	1292	iexplorer.exe	iexplore.exe
PID 1292 wrote to memory of 908	1292	iexplorer.exe	iexplore.exe
PID 1292 wrote to memory of 908	1292	iexplorer.exe	iexplore.exe
PID 1292 wrote to memory of 908	1292	iexplorer.exe	iexplore.exe
PID 1292 wrote to memory of 908	1292	iexplorer.exe	iexplore.exe
PID 1292 wrote to memory of 908	1292	iexplorer.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

SERVER.EXE

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SERVER.EXE
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1700 attrib.exe
1224 attrib.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SERVER.EXE

pid	process
1700	attrib.exe
1224	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe
"C:\Users\Admin\AppData\Local\Temp\cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE
"C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE" +s +h
4⤵
- Views/modifies file attributes
PID:1700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Views/modifies file attributes
PID:1224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE"
3⤵
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
4⤵
- Runs ping.exe
PID:1132

C:\Users\Admin\Documents\MSDCSC\iexplorer.exe
"C:\Users\Admin\Documents\MSDCSC\iexplorer.exe"
3⤵
- Modifies security service
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
- Modifies security service
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:908

C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
"C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"
2⤵
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:688

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
3⤵
PID:1108

C:\Windows\SysWOW64\net.exe
net stop security center
3⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop security center
4⤵
PID:1840

C:\Windows\SysWOW64\net.exe
net stop WinDefend
3⤵
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WinDefend
4⤵
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE
MD5
d0f41de7eda6ce2fb63d6c5ac6001fcb

SHA1
16abb264aa6b79af9223ae6d7aa81339ca162b5e

SHA256
be057f7bcba4b31d044caae8050e7b4c6c881d8d960aa445b59b88452a40b061

SHA512
d99732ac0b7449528fa6718f4bd9ab8e9597be37f8aa48a196c43117b68e85d435e409b99af9150c99d9331e6159163614e87a9dffad5964250f6a4ba5135c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE
MD5
d0f41de7eda6ce2fb63d6c5ac6001fcb

SHA1
16abb264aa6b79af9223ae6d7aa81339ca162b5e

SHA256
be057f7bcba4b31d044caae8050e7b4c6c881d8d960aa445b59b88452a40b061

SHA512
d99732ac0b7449528fa6718f4bd9ab8e9597be37f8aa48a196c43117b68e85d435e409b99af9150c99d9331e6159163614e87a9dffad5964250f6a4ba5135c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
MD5
a454bd820334bca76e08d2c7cb098a4d

SHA1
b18d57bce32f06eb79f9b47e8005d27f8a3dd409

SHA256
e0b6ef70abcf5bddf4b078c4e4e2e61ad00b739b10a3658fd257c6ff5186fd91

SHA512
519cbbbe7368f625c37ece181b1dbf7614ef5707ba7e4173e465afa712e4b0285add0d3f3d0153146eb0070fc1b5a67d28a49b5ea88cf50342186cd0a9b80ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVER.exe
MD5
a454bd820334bca76e08d2c7cb098a4d

SHA1
b18d57bce32f06eb79f9b47e8005d27f8a3dd409

SHA256
e0b6ef70abcf5bddf4b078c4e4e2e61ad00b739b10a3658fd257c6ff5186fd91

SHA512
519cbbbe7368f625c37ece181b1dbf7614ef5707ba7e4173e465afa712e4b0285add0d3f3d0153146eb0070fc1b5a67d28a49b5ea88cf50342186cd0a9b80ed2

Download Submit
C:\Users\Admin\Documents\MSDCSC\iexplorer.exe
MD5
d0f41de7eda6ce2fb63d6c5ac6001fcb

SHA1
16abb264aa6b79af9223ae6d7aa81339ca162b5e

SHA256
be057f7bcba4b31d044caae8050e7b4c6c881d8d960aa445b59b88452a40b061

SHA512
d99732ac0b7449528fa6718f4bd9ab8e9597be37f8aa48a196c43117b68e85d435e409b99af9150c99d9331e6159163614e87a9dffad5964250f6a4ba5135c83

Download Submit
C:\Users\Admin\Documents\MSDCSC\iexplorer.exe
MD5
d0f41de7eda6ce2fb63d6c5ac6001fcb

SHA1
16abb264aa6b79af9223ae6d7aa81339ca162b5e

SHA256
be057f7bcba4b31d044caae8050e7b4c6c881d8d960aa445b59b88452a40b061

SHA512
d99732ac0b7449528fa6718f4bd9ab8e9597be37f8aa48a196c43117b68e85d435e409b99af9150c99d9331e6159163614e87a9dffad5964250f6a4ba5135c83

Download Submit
\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE
MD5
d0f41de7eda6ce2fb63d6c5ac6001fcb

SHA1
16abb264aa6b79af9223ae6d7aa81339ca162b5e

SHA256
be057f7bcba4b31d044caae8050e7b4c6c881d8d960aa445b59b88452a40b061

SHA512
d99732ac0b7449528fa6718f4bd9ab8e9597be37f8aa48a196c43117b68e85d435e409b99af9150c99d9331e6159163614e87a9dffad5964250f6a4ba5135c83

Download Submit
\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE
MD5
d0f41de7eda6ce2fb63d6c5ac6001fcb

SHA1
16abb264aa6b79af9223ae6d7aa81339ca162b5e

SHA256
be057f7bcba4b31d044caae8050e7b4c6c881d8d960aa445b59b88452a40b061

SHA512
d99732ac0b7449528fa6718f4bd9ab8e9597be37f8aa48a196c43117b68e85d435e409b99af9150c99d9331e6159163614e87a9dffad5964250f6a4ba5135c83

Download Submit
\Users\Admin\AppData\Local\Temp\SERVER.EXE
MD5
a454bd820334bca76e08d2c7cb098a4d

SHA1
b18d57bce32f06eb79f9b47e8005d27f8a3dd409

SHA256
e0b6ef70abcf5bddf4b078c4e4e2e61ad00b739b10a3658fd257c6ff5186fd91

SHA512
519cbbbe7368f625c37ece181b1dbf7614ef5707ba7e4173e465afa712e4b0285add0d3f3d0153146eb0070fc1b5a67d28a49b5ea88cf50342186cd0a9b80ed2

Download Submit
\Users\Admin\Documents\MSDCSC\iexplorer.exe
MD5
d0f41de7eda6ce2fb63d6c5ac6001fcb

SHA1
16abb264aa6b79af9223ae6d7aa81339ca162b5e

SHA256
be057f7bcba4b31d044caae8050e7b4c6c881d8d960aa445b59b88452a40b061

SHA512
d99732ac0b7449528fa6718f4bd9ab8e9597be37f8aa48a196c43117b68e85d435e409b99af9150c99d9331e6159163614e87a9dffad5964250f6a4ba5135c83

Download Submit
\Users\Admin\Documents\MSDCSC\iexplorer.exe
MD5
d0f41de7eda6ce2fb63d6c5ac6001fcb

SHA1
16abb264aa6b79af9223ae6d7aa81339ca162b5e

SHA256
be057f7bcba4b31d044caae8050e7b4c6c881d8d960aa445b59b88452a40b061

SHA512
d99732ac0b7449528fa6718f4bd9ab8e9597be37f8aa48a196c43117b68e85d435e409b99af9150c99d9331e6159163614e87a9dffad5964250f6a4ba5135c83

Download Submit
memory/296-81-0x0000000000000000-mapping.dmp

Download
memory/572-73-0x0000000000000000-mapping.dmp

Download
memory/592-80-0x0000000000000000-mapping.dmp

Download
memory/688-66-0x0000000000000000-mapping.dmp

Download
memory/908-93-0x000000000048D888-mapping.dmp

Download
memory/908-92-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1108-71-0x0000000000000000-mapping.dmp

Download
memory/1132-84-0x0000000000000000-mapping.dmp

Download
memory/1224-83-0x0000000000000000-mapping.dmp

Download
memory/1292-88-0x0000000000000000-mapping.dmp

Download
memory/1292-95-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1300-78-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1300-62-0x0000000000000000-mapping.dmp

Download
memory/1488-79-0x0000000000000000-mapping.dmp

Download
memory/1644-72-0x0000000000000000-mapping.dmp

Download
memory/1700-82-0x0000000000000000-mapping.dmp

Download
memory/1840-77-0x0000000000000000-mapping.dmp

Download
memory/1984-59-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/2028-76-0x0000000000000000-mapping.dmp

Download