darkcomet | cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72

General

Target

cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe
Size

1.3MB
MD5

50889863763dec84072482d72d257a5a
SHA1

ee585ed89df214b743ceb8fe2cf85999e6013806
SHA256

cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72
SHA512

4fb2c1a727d4b703e0e88eef85b4d57f181f9a0658219e493f3a3435c98defb0dc845c3d07b5be1d0bac5357f3e2a5b03e38b696fa846e8e17b4fc50f5c5d5eb

Score

10^/10

darkcomet m2 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

m2

C2

127.0.0.1:1604

laylaylom15975300.freeddns.org:1604

Mutex

DC_MUTEX-J1SBQ5X

Attributes

InstallPath
MSDCSC\iexplorer.exe
gencode
bTMSQkMKM11U
install
true
offline_keylogger
true
persistence
true
reg_key
Windows Defender

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

BOARDMT2 TICARET HACK V2.3.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\iexplorer.exe"	BOARDMT2 TICARET HACK V2.3.EXE

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

iexplorer.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" iexplorer.exe
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

BOARDMT2 TICARET HACK V2.3.EXESERVER.EXEiexplorer.exe

pid process

2248 BOARDMT2 TICARET HACK V2.3.EXE
2516 SERVER.EXE
4204 iexplorer.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	iexplorer.exe

pid	process
2248	BOARDMT2 TICARET HACK V2.3.EXE
2516	SERVER.EXE
4204	iexplorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BOARDMT2 TICARET HACK V2.3.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation	BOARDMT2 TICARET HACK V2.3.EXE

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

SERVER.EXE

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" SERVER.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	SERVER.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

BOARDMT2 TICARET HACK V2.3.EXESERVER.EXEiexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\Documents\\MSDCSC\\iexplorer.exe"	BOARDMT2 TICARET HACK V2.3.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	SERVER.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run	SERVER.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mscvin = "C:\\Windows\\Mscvin.exe"	SERVER.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\Documents\\MSDCSC\\iexplorer.exe"	iexplorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SERVER.EXE

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SERVER.EXE
Drops file in Windows directory 2 IoCs

Processes:

SERVER.EXE

description ioc process

File created C:\Windows\Mscvin.exe SERVER.EXE
File opened for modification C:\Windows\Mscvin.exe SERVER.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SERVER.EXE

description	ioc	process
File created	C:\Windows\Mscvin.exe	SERVER.EXE
File opened for modification	C:\Windows\Mscvin.exe	SERVER.EXE

Modifies registry class 4 IoCs

Processes:

BOARDMT2 TICARET HACK V2.3.EXESERVER.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	BOARDMT2 TICARET HACK V2.3.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\MIME\Database	SERVER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	SERVER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	SERVER.EXE

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4184 PING.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplorer.exe

pid process

4204 iexplorer.exe

pid	process
4184	PING.EXE

pid	process
4204	iexplorer.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

SERVER.EXEBOARDMT2 TICARET HACK V2.3.EXEiexplorer.exe

description	pid	process
Token: SeBackupPrivilege	2516	SERVER.EXE
Token: SeIncreaseQuotaPrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeSecurityPrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeTakeOwnershipPrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeLoadDriverPrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeSystemProfilePrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeSystemtimePrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeProfSingleProcessPrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeIncBasePriorityPrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeCreatePagefilePrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeBackupPrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeRestorePrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeShutdownPrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeDebugPrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeSystemEnvironmentPrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeChangeNotifyPrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeRemoteShutdownPrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeUndockPrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeManageVolumePrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeImpersonatePrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeCreateGlobalPrivilege	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: 33	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: 34	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: 35	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: 36	2248	BOARDMT2 TICARET HACK V2.3.EXE
Token: SeIncreaseQuotaPrivilege	4204	iexplorer.exe
Token: SeSecurityPrivilege	4204	iexplorer.exe
Token: SeTakeOwnershipPrivilege	4204	iexplorer.exe
Token: SeLoadDriverPrivilege	4204	iexplorer.exe
Token: SeSystemProfilePrivilege	4204	iexplorer.exe
Token: SeSystemtimePrivilege	4204	iexplorer.exe
Token: SeProfSingleProcessPrivilege	4204	iexplorer.exe
Token: SeIncBasePriorityPrivilege	4204	iexplorer.exe
Token: SeCreatePagefilePrivilege	4204	iexplorer.exe
Token: SeBackupPrivilege	4204	iexplorer.exe
Token: SeRestorePrivilege	4204	iexplorer.exe
Token: SeShutdownPrivilege	4204	iexplorer.exe
Token: SeDebugPrivilege	4204	iexplorer.exe
Token: SeSystemEnvironmentPrivilege	4204	iexplorer.exe
Token: SeChangeNotifyPrivilege	4204	iexplorer.exe
Token: SeRemoteShutdownPrivilege	4204	iexplorer.exe
Token: SeUndockPrivilege	4204	iexplorer.exe
Token: SeManageVolumePrivilege	4204	iexplorer.exe
Token: SeImpersonatePrivilege	4204	iexplorer.exe
Token: SeCreateGlobalPrivilege	4204	iexplorer.exe
Token: 33	4204	iexplorer.exe
Token: 34	4204	iexplorer.exe
Token: 35	4204	iexplorer.exe
Token: 36	4204	iexplorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

SERVER.EXEiexplorer.exe

pid process

2516 SERVER.EXE
4204 iexplorer.exe
2516 SERVER.EXE

pid	process
2516	SERVER.EXE
4204	iexplorer.exe
2516	SERVER.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exeSERVER.EXEBOARDMT2 TICARET HACK V2.3.EXEnet.exenet.execmd.execmd.execmd.exeiexplorer.exeWinMail.exe

description	pid	process	target process
PID 3332 wrote to memory of 2248	3332	cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe	BOARDMT2 TICARET HACK V2.3.EXE
PID 3332 wrote to memory of 2248	3332	cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe	BOARDMT2 TICARET HACK V2.3.EXE
PID 3332 wrote to memory of 2248	3332	cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe	BOARDMT2 TICARET HACK V2.3.EXE
PID 3332 wrote to memory of 2516	3332	cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe	SERVER.EXE
PID 3332 wrote to memory of 2516	3332	cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe	SERVER.EXE
PID 3332 wrote to memory of 2516	3332	cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe	SERVER.EXE
PID 2516 wrote to memory of 3740	2516	SERVER.EXE	netsh.exe
PID 2516 wrote to memory of 3740	2516	SERVER.EXE	netsh.exe
PID 2516 wrote to memory of 3740	2516	SERVER.EXE	netsh.exe
PID 2516 wrote to memory of 1444	2516	SERVER.EXE	net.exe
PID 2516 wrote to memory of 1444	2516	SERVER.EXE	net.exe
PID 2516 wrote to memory of 1444	2516	SERVER.EXE	net.exe
PID 2516 wrote to memory of 3272	2516	SERVER.EXE	net.exe
PID 2516 wrote to memory of 3272	2516	SERVER.EXE	net.exe
PID 2516 wrote to memory of 3272	2516	SERVER.EXE	net.exe
PID 2248 wrote to memory of 3812	2248	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 2248 wrote to memory of 3812	2248	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 2248 wrote to memory of 3812	2248	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 2248 wrote to memory of 3864	2248	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 2248 wrote to memory of 3864	2248	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 2248 wrote to memory of 3864	2248	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 2248 wrote to memory of 3848	2248	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 2248 wrote to memory of 3848	2248	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 2248 wrote to memory of 3848	2248	BOARDMT2 TICARET HACK V2.3.EXE	cmd.exe
PID 1444 wrote to memory of 1868	1444	net.exe	net1.exe
PID 1444 wrote to memory of 1868	1444	net.exe	net1.exe
PID 1444 wrote to memory of 1868	1444	net.exe	net1.exe
PID 3272 wrote to memory of 2244	3272	net.exe	net1.exe
PID 3272 wrote to memory of 2244	3272	net.exe	net1.exe
PID 3272 wrote to memory of 2244	3272	net.exe	net1.exe
PID 3812 wrote to memory of 4124	3812	cmd.exe	attrib.exe
PID 3812 wrote to memory of 4124	3812	cmd.exe	attrib.exe
PID 3812 wrote to memory of 4124	3812	cmd.exe	attrib.exe
PID 3864 wrote to memory of 4164	3864	cmd.exe	attrib.exe
PID 3864 wrote to memory of 4164	3864	cmd.exe	attrib.exe
PID 3864 wrote to memory of 4164	3864	cmd.exe	attrib.exe
PID 3848 wrote to memory of 4184	3848	cmd.exe	PING.EXE
PID 3848 wrote to memory of 4184	3848	cmd.exe	PING.EXE
PID 3848 wrote to memory of 4184	3848	cmd.exe	PING.EXE
PID 2248 wrote to memory of 4204	2248	BOARDMT2 TICARET HACK V2.3.EXE	iexplorer.exe
PID 2248 wrote to memory of 4204	2248	BOARDMT2 TICARET HACK V2.3.EXE	iexplorer.exe
PID 2248 wrote to memory of 4204	2248	BOARDMT2 TICARET HACK V2.3.EXE	iexplorer.exe
PID 4204 wrote to memory of 4280	4204	iexplorer.exe	iexplore.exe
PID 4204 wrote to memory of 4280	4204	iexplorer.exe	iexplore.exe
PID 4204 wrote to memory of 4280	4204	iexplorer.exe	iexplore.exe
PID 4204 wrote to memory of 4288	4204	iexplorer.exe	explorer.exe
PID 4204 wrote to memory of 4288	4204	iexplorer.exe	explorer.exe
PID 2516 wrote to memory of 4416	2516	SERVER.EXE	WinMail.exe
PID 2516 wrote to memory of 4416	2516	SERVER.EXE	WinMail.exe
PID 2516 wrote to memory of 4416	2516	SERVER.EXE	WinMail.exe
PID 4416 wrote to memory of 4436	4416	WinMail.exe	WinMail.exe
PID 4416 wrote to memory of 4436	4416	WinMail.exe	WinMail.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

SERVER.EXE

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SERVER.EXE
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4124 attrib.exe
4164 attrib.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SERVER.EXE

pid	process
4124	attrib.exe
4164	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe
"C:\Users\Admin\AppData\Local\Temp\cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3332

C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE
"C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE" +s +h
4⤵
- Views/modifies file attributes
PID:4124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE"
3⤵
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
4⤵
- Runs ping.exe
PID:4184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Views/modifies file attributes
PID:4164

C:\Users\Admin\Documents\MSDCSC\iexplorer.exe
"C:\Users\Admin\Documents\MSDCSC\iexplorer.exe"
3⤵
- Modifies security service
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4204

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
PID:4280

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
4⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
"C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"
2⤵
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2516

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
3⤵
PID:3740

C:\Windows\SysWOW64\net.exe
net stop security center
3⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop security center
4⤵
PID:1868

C:\Windows\SysWOW64\net.exe
net stop WinDefend
3⤵
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WinDefend
4⤵
PID:2244

C:\Program Files (x86)\Windows Mail\WinMail.exe
"C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
3⤵
- Suspicious use of WriteProcessMemory
PID:4416

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
4⤵
PID:4436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

2

T1031

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

7

T1112

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE
MD5
d0f41de7eda6ce2fb63d6c5ac6001fcb

SHA1
16abb264aa6b79af9223ae6d7aa81339ca162b5e

SHA256
be057f7bcba4b31d044caae8050e7b4c6c881d8d960aa445b59b88452a40b061

SHA512
d99732ac0b7449528fa6718f4bd9ab8e9597be37f8aa48a196c43117b68e85d435e409b99af9150c99d9331e6159163614e87a9dffad5964250f6a4ba5135c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOARDMT2 TICARET HACK V2.3.EXE
MD5
d0f41de7eda6ce2fb63d6c5ac6001fcb

SHA1
16abb264aa6b79af9223ae6d7aa81339ca162b5e

SHA256
be057f7bcba4b31d044caae8050e7b4c6c881d8d960aa445b59b88452a40b061

SHA512
d99732ac0b7449528fa6718f4bd9ab8e9597be37f8aa48a196c43117b68e85d435e409b99af9150c99d9331e6159163614e87a9dffad5964250f6a4ba5135c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
MD5
a454bd820334bca76e08d2c7cb098a4d

SHA1
b18d57bce32f06eb79f9b47e8005d27f8a3dd409

SHA256
e0b6ef70abcf5bddf4b078c4e4e2e61ad00b739b10a3658fd257c6ff5186fd91

SHA512
519cbbbe7368f625c37ece181b1dbf7614ef5707ba7e4173e465afa712e4b0285add0d3f3d0153146eb0070fc1b5a67d28a49b5ea88cf50342186cd0a9b80ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
MD5
a454bd820334bca76e08d2c7cb098a4d

SHA1
b18d57bce32f06eb79f9b47e8005d27f8a3dd409

SHA256
e0b6ef70abcf5bddf4b078c4e4e2e61ad00b739b10a3658fd257c6ff5186fd91

SHA512
519cbbbe7368f625c37ece181b1dbf7614ef5707ba7e4173e465afa712e4b0285add0d3f3d0153146eb0070fc1b5a67d28a49b5ea88cf50342186cd0a9b80ed2

Download Submit
C:\Users\Admin\Documents\MSDCSC\iexplorer.exe
MD5
d0f41de7eda6ce2fb63d6c5ac6001fcb

SHA1
16abb264aa6b79af9223ae6d7aa81339ca162b5e

SHA256
be057f7bcba4b31d044caae8050e7b4c6c881d8d960aa445b59b88452a40b061

SHA512
d99732ac0b7449528fa6718f4bd9ab8e9597be37f8aa48a196c43117b68e85d435e409b99af9150c99d9331e6159163614e87a9dffad5964250f6a4ba5135c83

Download Submit
C:\Users\Admin\Documents\MSDCSC\iexplorer.exe
MD5
d0f41de7eda6ce2fb63d6c5ac6001fcb

SHA1
16abb264aa6b79af9223ae6d7aa81339ca162b5e

SHA256
be057f7bcba4b31d044caae8050e7b4c6c881d8d960aa445b59b88452a40b061

SHA512
d99732ac0b7449528fa6718f4bd9ab8e9597be37f8aa48a196c43117b68e85d435e409b99af9150c99d9331e6159163614e87a9dffad5964250f6a4ba5135c83

Download Submit
memory/1444-124-0x0000000000000000-mapping.dmp

Download
memory/1868-130-0x0000000000000000-mapping.dmp

Download
memory/2244-131-0x0000000000000000-mapping.dmp

Download
memory/2248-115-0x0000000000000000-mapping.dmp

Download
memory/2248-127-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2516-118-0x0000000000000000-mapping.dmp

Download
memory/3272-125-0x0000000000000000-mapping.dmp

Download
memory/3740-123-0x0000000000000000-mapping.dmp

Download
memory/3812-126-0x0000000000000000-mapping.dmp

Download
memory/3848-129-0x0000000000000000-mapping.dmp

Download
memory/3864-128-0x0000000000000000-mapping.dmp

Download
memory/4124-132-0x0000000000000000-mapping.dmp

Download
memory/4164-133-0x0000000000000000-mapping.dmp

Download
memory/4184-134-0x0000000000000000-mapping.dmp

Download
memory/4204-135-0x0000000000000000-mapping.dmp

Download
memory/4204-138-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4416-139-0x0000000000000000-mapping.dmp

Download
memory/4436-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads