darkcomet | 62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5

Analysis

max time kernel
153s
max time network
155s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe
Size

762KB
MD5

acaedef2c694bd1d58f4cb82ffb6318b
SHA1

316f234a5571b199a7d948f541ad3982536c033a
SHA256

62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5
SHA512

82f718bc54003f0537e7923285ed6d3188e458301f95029d0d273660f643755af5d2654f9acc4f23dd62e8fb15b0e114c308b7cf4dfbd673579f4f1d5b804513

Score

10^/10

darkcomet njrat quasar hacked ×èòåð evasion persistence rat spyware suricata trojan

Malware Config

Extracted

Family

darkcomet

Botnet

×èòåð

62.33.2.50:1111

happycraft.hopto.org:1111

Mutex

DC_MUTEX-1BX3PA1

Attributes

InstallPath
temp\java.exe
gencode
6hPE8cPj7vE4
install
true
offline_keylogger
true
persistence
true
reg_key
java.exe

Extracted

Family

njrat

Version

im523

Botnet

HacKed

62.33.2.50:2222

Mutex

41aabe8f8c6d7c53ac94c0ce4c6ce249

Attributes

reg_key
41aabe8f8c6d7c53ac94c0ce4c6ce249
splitter
|'|'|

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\temp\\java.exe"	2.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

java.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	java.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	java.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	java.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

java.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" java.exe
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
Executes dropped EXE 6 IoCs

Processes:

2.exe1.exe3.exejava.exedriver.exesvchost.exe

pid process

1636 2.exe
580 1.exe
1168 3.exe
1740 java.exe
1124 driver.exe
1988 svchost.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	java.exe

pid	process
1636	2.exe
580	1.exe
1168	3.exe
1740	java.exe
1124	driver.exe
1988	svchost.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\41aabe8f8c6d7c53ac94c0ce4c6ce249.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\41aabe8f8c6d7c53ac94c0ce4c6ce249.exe	svchost.exe

Loads dropped DLL 10 IoCs

Processes:

62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe2.exe3.exe1.exe

pid	process
1692	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe
1692	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe
1692	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe
1692	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe
1692	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe
1636	2.exe
1636	2.exe
1168	3.exe
1168	3.exe
580	1.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

java.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe2.exejava.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\41aabe8f8c6d7c53ac94c0ce4c6ce249 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\41aabe8f8c6d7c53ac94c0ce4c6ce249 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\java.exe = "C:\\Windows\\temp\\java.exe"	2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\java.exe = "C:\\Windows\\temp\\java.exe"	java.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1896 schtasks.exe
1596 schtasks.exe

flow	ioc
2	ip-api.com

pid	process
1896	schtasks.exe
1596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

driver.exesvchost.exe

pid	process
1124	driver.exe
1124	driver.exe
1124	driver.exe
1124	driver.exe
1124	driver.exe
1124	driver.exe
1124	driver.exe
1124	driver.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1124	driver.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1124	driver.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1124	driver.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1124	driver.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1124	driver.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1124	driver.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1124	driver.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1124	driver.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1124	driver.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1124	driver.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1124	driver.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exejava.exe

pid process

1988 svchost.exe
1740 java.exe

pid	process
1988	svchost.exe
1740	java.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2.exejava.exedriver.exesvchost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1636	2.exe
Token: SeSecurityPrivilege	1636	2.exe
Token: SeTakeOwnershipPrivilege	1636	2.exe
Token: SeLoadDriverPrivilege	1636	2.exe
Token: SeSystemProfilePrivilege	1636	2.exe
Token: SeSystemtimePrivilege	1636	2.exe
Token: SeProfSingleProcessPrivilege	1636	2.exe
Token: SeIncBasePriorityPrivilege	1636	2.exe
Token: SeCreatePagefilePrivilege	1636	2.exe
Token: SeBackupPrivilege	1636	2.exe
Token: SeRestorePrivilege	1636	2.exe
Token: SeShutdownPrivilege	1636	2.exe
Token: SeDebugPrivilege	1636	2.exe
Token: SeSystemEnvironmentPrivilege	1636	2.exe
Token: SeChangeNotifyPrivilege	1636	2.exe
Token: SeRemoteShutdownPrivilege	1636	2.exe
Token: SeUndockPrivilege	1636	2.exe
Token: SeManageVolumePrivilege	1636	2.exe
Token: SeImpersonatePrivilege	1636	2.exe
Token: SeCreateGlobalPrivilege	1636	2.exe
Token: 33	1636	2.exe
Token: 34	1636	2.exe
Token: 35	1636	2.exe
Token: SeIncreaseQuotaPrivilege	1740	java.exe
Token: SeSecurityPrivilege	1740	java.exe
Token: SeTakeOwnershipPrivilege	1740	java.exe
Token: SeLoadDriverPrivilege	1740	java.exe
Token: SeSystemProfilePrivilege	1740	java.exe
Token: SeSystemtimePrivilege	1740	java.exe
Token: SeProfSingleProcessPrivilege	1740	java.exe
Token: SeIncBasePriorityPrivilege	1740	java.exe
Token: SeCreatePagefilePrivilege	1740	java.exe
Token: SeBackupPrivilege	1740	java.exe
Token: SeRestorePrivilege	1740	java.exe
Token: SeShutdownPrivilege	1740	java.exe
Token: SeDebugPrivilege	1740	java.exe
Token: SeSystemEnvironmentPrivilege	1740	java.exe
Token: SeChangeNotifyPrivilege	1740	java.exe
Token: SeRemoteShutdownPrivilege	1740	java.exe
Token: SeUndockPrivilege	1740	java.exe
Token: SeManageVolumePrivilege	1740	java.exe
Token: SeImpersonatePrivilege	1740	java.exe
Token: SeCreateGlobalPrivilege	1740	java.exe
Token: 33	1740	java.exe
Token: 34	1740	java.exe
Token: 35	1740	java.exe
Token: SeDebugPrivilege	1124	driver.exe
Token: SeDebugPrivilege	1988	svchost.exe
Token: 33	1988	svchost.exe
Token: SeIncBasePriorityPrivilege	1988	svchost.exe
Token: 33	1988	svchost.exe
Token: SeIncBasePriorityPrivilege	1988	svchost.exe
Token: 33	1988	svchost.exe
Token: SeIncBasePriorityPrivilege	1988	svchost.exe
Token: 33	1988	svchost.exe
Token: SeIncBasePriorityPrivilege	1988	svchost.exe
Token: 33	1988	svchost.exe
Token: SeIncBasePriorityPrivilege	1988	svchost.exe
Token: 33	1988	svchost.exe
Token: SeIncBasePriorityPrivilege	1988	svchost.exe
Token: 33	1988	svchost.exe
Token: SeIncBasePriorityPrivilege	1988	svchost.exe
Token: 33	1988	svchost.exe
Token: SeIncBasePriorityPrivilege	1988	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

java.exedriver.exe

pid process

1740 java.exe
1124 driver.exe

pid	process
1740	java.exe
1124	driver.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe2.execmd.execmd.exejava.exe

description	pid	process	target process
PID 1692 wrote to memory of 1636	1692	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	2.exe
PID 1692 wrote to memory of 1636	1692	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	2.exe
PID 1692 wrote to memory of 1636	1692	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	2.exe
PID 1692 wrote to memory of 1636	1692	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	2.exe
PID 1636 wrote to memory of 1996	1636	2.exe	cmd.exe
PID 1636 wrote to memory of 1996	1636	2.exe	cmd.exe
PID 1636 wrote to memory of 1996	1636	2.exe	cmd.exe
PID 1636 wrote to memory of 1996	1636	2.exe	cmd.exe
PID 1636 wrote to memory of 2028	1636	2.exe	cmd.exe
PID 1636 wrote to memory of 2028	1636	2.exe	cmd.exe
PID 1636 wrote to memory of 2028	1636	2.exe	cmd.exe
PID 1636 wrote to memory of 2028	1636	2.exe	cmd.exe
PID 1996 wrote to memory of 1320	1996	cmd.exe	attrib.exe
PID 1996 wrote to memory of 1320	1996	cmd.exe	attrib.exe
PID 1996 wrote to memory of 1320	1996	cmd.exe	attrib.exe
PID 1996 wrote to memory of 1320	1996	cmd.exe	attrib.exe
PID 2028 wrote to memory of 1172	2028	cmd.exe	attrib.exe
PID 2028 wrote to memory of 1172	2028	cmd.exe	attrib.exe
PID 2028 wrote to memory of 1172	2028	cmd.exe	attrib.exe
PID 2028 wrote to memory of 1172	2028	cmd.exe	attrib.exe
PID 1636 wrote to memory of 1664	1636	2.exe	notepad.exe
PID 1636 wrote to memory of 1664	1636	2.exe	notepad.exe
PID 1636 wrote to memory of 1664	1636	2.exe	notepad.exe
PID 1636 wrote to memory of 1664	1636	2.exe	notepad.exe
PID 1692 wrote to memory of 580	1692	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	1.exe
PID 1692 wrote to memory of 580	1692	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	1.exe
PID 1692 wrote to memory of 580	1692	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	1.exe
PID 1692 wrote to memory of 580	1692	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	1.exe
PID 1636 wrote to memory of 1664	1636	2.exe	notepad.exe
PID 1636 wrote to memory of 1664	1636	2.exe	notepad.exe
PID 1636 wrote to memory of 1664	1636	2.exe	notepad.exe
PID 1636 wrote to memory of 1664	1636	2.exe	notepad.exe
PID 1636 wrote to memory of 1664	1636	2.exe	notepad.exe
PID 1636 wrote to memory of 1664	1636	2.exe	notepad.exe
PID 1636 wrote to memory of 1664	1636	2.exe	notepad.exe
PID 1636 wrote to memory of 1664	1636	2.exe	notepad.exe
PID 1636 wrote to memory of 1664	1636	2.exe	notepad.exe
PID 1636 wrote to memory of 1664	1636	2.exe	notepad.exe
PID 1636 wrote to memory of 1664	1636	2.exe	notepad.exe
PID 1636 wrote to memory of 1664	1636	2.exe	notepad.exe
PID 1636 wrote to memory of 1664	1636	2.exe	notepad.exe
PID 1636 wrote to memory of 1664	1636	2.exe	notepad.exe
PID 1692 wrote to memory of 1168	1692	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	3.exe
PID 1692 wrote to memory of 1168	1692	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	3.exe
PID 1692 wrote to memory of 1168	1692	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	3.exe
PID 1692 wrote to memory of 1168	1692	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	3.exe
PID 1636 wrote to memory of 1740	1636	2.exe	java.exe
PID 1636 wrote to memory of 1740	1636	2.exe	java.exe
PID 1636 wrote to memory of 1740	1636	2.exe	java.exe
PID 1636 wrote to memory of 1740	1636	2.exe	java.exe
PID 1636 wrote to memory of 1740	1636	2.exe	java.exe
PID 1636 wrote to memory of 1740	1636	2.exe	java.exe
PID 1636 wrote to memory of 1740	1636	2.exe	java.exe
PID 1740 wrote to memory of 328	1740	java.exe	iexplore.exe
PID 1740 wrote to memory of 328	1740	java.exe	iexplore.exe
PID 1740 wrote to memory of 328	1740	java.exe	iexplore.exe
PID 1740 wrote to memory of 328	1740	java.exe	iexplore.exe
PID 1740 wrote to memory of 1040	1740	java.exe	explorer.exe
PID 1740 wrote to memory of 1040	1740	java.exe	explorer.exe
PID 1740 wrote to memory of 1040	1740	java.exe	explorer.exe
PID 1740 wrote to memory of 1040	1740	java.exe	explorer.exe
PID 1740 wrote to memory of 1808	1740	java.exe	notepad.exe
PID 1740 wrote to memory of 1808	1740	java.exe	notepad.exe
PID 1740 wrote to memory of 1808	1740	java.exe	notepad.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

java.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	java.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1320 attrib.exe
1172 attrib.exe

pid	process
1320	attrib.exe
1172	attrib.exe

C:\Users\Admin\AppData\Local\Temp\62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe
"C:\Users\Admin\AppData\Local\Temp\62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\2.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\2.exe" +s +h
4⤵
- Views/modifies file attributes
PID:1320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Views/modifies file attributes
PID:1172

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:1664

C:\Windows\temp\java.exe
"C:\Windows\temp\java.exe"
3⤵
- Modifies firewall policy service
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1740

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
PID:328

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
4⤵
PID:1040

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:580

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
4⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1168

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\3.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1896

C:\Users\Admin\AppData\Roaming\driver\driver.exe
"C:\Users\Admin\AppData\Roaming\driver\driver.exe" -d2
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1124

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\driver\driver.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe
Filesize
49KB

MD5
44276fd73f9654eb7aac24712b6678b3

SHA1
90adc57a4034c06f46d15cc9774502ca73d4c3b2

SHA256
dde17e40dc1453b61185a7f5c10df7dd76b097450f896a0df712b3b3f5683f4b

SHA512
1371c82ccd6202eb6359f740fb722cb40a188309d5cd6a743835d995fbb2bb29da9653d7c45f451c5148af275ba03e5bac0a17f4022216c0bc2a587b116eddf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
Filesize
49KB

MD5
44276fd73f9654eb7aac24712b6678b3

SHA1
90adc57a4034c06f46d15cc9774502ca73d4c3b2

SHA256
dde17e40dc1453b61185a7f5c10df7dd76b097450f896a0df712b3b3f5683f4b

SHA512
1371c82ccd6202eb6359f740fb722cb40a188309d5cd6a743835d995fbb2bb29da9653d7c45f451c5148af275ba03e5bac0a17f4022216c0bc2a587b116eddf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
Filesize
690KB

MD5
0b5d0f84291ee7f1839be29234bfeb7e

SHA1
4cf56760fe279da2337cb7ee6184297dafee805a

SHA256
2a6eec17d15b5a46589afad617aa7b141e0b087baf6ae82eac2e9c1c896e59bf

SHA512
3683dcfc41e368382a8308ed3fc8e165c613badcc200016b58ec2468cc07c4b74321e15e0ea133d13695c25bec09d4e8eaa8f6a6164c6536118ae6e10fdc9a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
Filesize
690KB

MD5
0b5d0f84291ee7f1839be29234bfeb7e

SHA1
4cf56760fe279da2337cb7ee6184297dafee805a

SHA256
2a6eec17d15b5a46589afad617aa7b141e0b087baf6ae82eac2e9c1c896e59bf

SHA512
3683dcfc41e368382a8308ed3fc8e165c613badcc200016b58ec2468cc07c4b74321e15e0ea133d13695c25bec09d4e8eaa8f6a6164c6536118ae6e10fdc9a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe
Filesize
344KB

MD5
adb2eb09e5abf4b8ba14f026ed7343c4

SHA1
cbc506f1723891c458d7ccb3d135dd550a0d926e

SHA256
6be293224b4fbd57f391f449aefd1dad303e9b4c7c04da48d762c5a3933497da

SHA512
4fafad2f5d0820cdd64f13b95f6f73ea4b1646a64f8999d819a95063c00991c0de59dcc6909ffad58285d7cd430dead515c2f0cc06335226bf053e152520f7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe
Filesize
344KB

MD5
adb2eb09e5abf4b8ba14f026ed7343c4

SHA1
cbc506f1723891c458d7ccb3d135dd550a0d926e

SHA256
6be293224b4fbd57f391f449aefd1dad303e9b4c7c04da48d762c5a3933497da

SHA512
4fafad2f5d0820cdd64f13b95f6f73ea4b1646a64f8999d819a95063c00991c0de59dcc6909ffad58285d7cd430dead515c2f0cc06335226bf053e152520f7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
49KB

MD5
44276fd73f9654eb7aac24712b6678b3

SHA1
90adc57a4034c06f46d15cc9774502ca73d4c3b2

SHA256
dde17e40dc1453b61185a7f5c10df7dd76b097450f896a0df712b3b3f5683f4b

SHA512
1371c82ccd6202eb6359f740fb722cb40a188309d5cd6a743835d995fbb2bb29da9653d7c45f451c5148af275ba03e5bac0a17f4022216c0bc2a587b116eddf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
49KB

MD5
44276fd73f9654eb7aac24712b6678b3

SHA1
90adc57a4034c06f46d15cc9774502ca73d4c3b2

SHA256
dde17e40dc1453b61185a7f5c10df7dd76b097450f896a0df712b3b3f5683f4b

SHA512
1371c82ccd6202eb6359f740fb722cb40a188309d5cd6a743835d995fbb2bb29da9653d7c45f451c5148af275ba03e5bac0a17f4022216c0bc2a587b116eddf6

Download Submit
C:\Users\Admin\AppData\Roaming\driver\driver.exe
Filesize
344KB

MD5
adb2eb09e5abf4b8ba14f026ed7343c4

SHA1
cbc506f1723891c458d7ccb3d135dd550a0d926e

SHA256
6be293224b4fbd57f391f449aefd1dad303e9b4c7c04da48d762c5a3933497da

SHA512
4fafad2f5d0820cdd64f13b95f6f73ea4b1646a64f8999d819a95063c00991c0de59dcc6909ffad58285d7cd430dead515c2f0cc06335226bf053e152520f7e0

Download Submit
C:\Users\Admin\AppData\Roaming\driver\driver.exe
Filesize
344KB

MD5
adb2eb09e5abf4b8ba14f026ed7343c4

SHA1
cbc506f1723891c458d7ccb3d135dd550a0d926e

SHA256
6be293224b4fbd57f391f449aefd1dad303e9b4c7c04da48d762c5a3933497da

SHA512
4fafad2f5d0820cdd64f13b95f6f73ea4b1646a64f8999d819a95063c00991c0de59dcc6909ffad58285d7cd430dead515c2f0cc06335226bf053e152520f7e0

Download Submit
C:\Windows\Temp\java.exe
Filesize
690KB

MD5
0b5d0f84291ee7f1839be29234bfeb7e

SHA1
4cf56760fe279da2337cb7ee6184297dafee805a

SHA256
2a6eec17d15b5a46589afad617aa7b141e0b087baf6ae82eac2e9c1c896e59bf

SHA512
3683dcfc41e368382a8308ed3fc8e165c613badcc200016b58ec2468cc07c4b74321e15e0ea133d13695c25bec09d4e8eaa8f6a6164c6536118ae6e10fdc9a18

Download Submit
C:\Windows\temp\java.exe
Filesize
690KB

MD5
0b5d0f84291ee7f1839be29234bfeb7e

SHA1
4cf56760fe279da2337cb7ee6184297dafee805a

SHA256
2a6eec17d15b5a46589afad617aa7b141e0b087baf6ae82eac2e9c1c896e59bf

SHA512
3683dcfc41e368382a8308ed3fc8e165c613badcc200016b58ec2468cc07c4b74321e15e0ea133d13695c25bec09d4e8eaa8f6a6164c6536118ae6e10fdc9a18

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe
Filesize
49KB

MD5
44276fd73f9654eb7aac24712b6678b3

SHA1
90adc57a4034c06f46d15cc9774502ca73d4c3b2

SHA256
dde17e40dc1453b61185a7f5c10df7dd76b097450f896a0df712b3b3f5683f4b

SHA512
1371c82ccd6202eb6359f740fb722cb40a188309d5cd6a743835d995fbb2bb29da9653d7c45f451c5148af275ba03e5bac0a17f4022216c0bc2a587b116eddf6

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
Filesize
690KB

MD5
0b5d0f84291ee7f1839be29234bfeb7e

SHA1
4cf56760fe279da2337cb7ee6184297dafee805a

SHA256
2a6eec17d15b5a46589afad617aa7b141e0b087baf6ae82eac2e9c1c896e59bf

SHA512
3683dcfc41e368382a8308ed3fc8e165c613badcc200016b58ec2468cc07c4b74321e15e0ea133d13695c25bec09d4e8eaa8f6a6164c6536118ae6e10fdc9a18

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
Filesize
690KB

MD5
0b5d0f84291ee7f1839be29234bfeb7e

SHA1
4cf56760fe279da2337cb7ee6184297dafee805a

SHA256
2a6eec17d15b5a46589afad617aa7b141e0b087baf6ae82eac2e9c1c896e59bf

SHA512
3683dcfc41e368382a8308ed3fc8e165c613badcc200016b58ec2468cc07c4b74321e15e0ea133d13695c25bec09d4e8eaa8f6a6164c6536118ae6e10fdc9a18

Download Submit
\Users\Admin\AppData\Local\Temp\3.exe
Filesize
344KB

MD5
adb2eb09e5abf4b8ba14f026ed7343c4

SHA1
cbc506f1723891c458d7ccb3d135dd550a0d926e

SHA256
6be293224b4fbd57f391f449aefd1dad303e9b4c7c04da48d762c5a3933497da

SHA512
4fafad2f5d0820cdd64f13b95f6f73ea4b1646a64f8999d819a95063c00991c0de59dcc6909ffad58285d7cd430dead515c2f0cc06335226bf053e152520f7e0

Download Submit
\Users\Admin\AppData\Local\Temp\3.exe
Filesize
344KB

MD5
adb2eb09e5abf4b8ba14f026ed7343c4

SHA1
cbc506f1723891c458d7ccb3d135dd550a0d926e

SHA256
6be293224b4fbd57f391f449aefd1dad303e9b4c7c04da48d762c5a3933497da

SHA512
4fafad2f5d0820cdd64f13b95f6f73ea4b1646a64f8999d819a95063c00991c0de59dcc6909ffad58285d7cd430dead515c2f0cc06335226bf053e152520f7e0

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
49KB

MD5
44276fd73f9654eb7aac24712b6678b3

SHA1
90adc57a4034c06f46d15cc9774502ca73d4c3b2

SHA256
dde17e40dc1453b61185a7f5c10df7dd76b097450f896a0df712b3b3f5683f4b

SHA512
1371c82ccd6202eb6359f740fb722cb40a188309d5cd6a743835d995fbb2bb29da9653d7c45f451c5148af275ba03e5bac0a17f4022216c0bc2a587b116eddf6

Download Submit
\Users\Admin\AppData\Roaming\driver\driver.exe
Filesize
344KB

MD5
adb2eb09e5abf4b8ba14f026ed7343c4

SHA1
cbc506f1723891c458d7ccb3d135dd550a0d926e

SHA256
6be293224b4fbd57f391f449aefd1dad303e9b4c7c04da48d762c5a3933497da

SHA512
4fafad2f5d0820cdd64f13b95f6f73ea4b1646a64f8999d819a95063c00991c0de59dcc6909ffad58285d7cd430dead515c2f0cc06335226bf053e152520f7e0

Download Submit
\Users\Admin\AppData\Roaming\driver\driver.exe
Filesize
344KB

MD5
adb2eb09e5abf4b8ba14f026ed7343c4

SHA1
cbc506f1723891c458d7ccb3d135dd550a0d926e

SHA256
6be293224b4fbd57f391f449aefd1dad303e9b4c7c04da48d762c5a3933497da

SHA512
4fafad2f5d0820cdd64f13b95f6f73ea4b1646a64f8999d819a95063c00991c0de59dcc6909ffad58285d7cd430dead515c2f0cc06335226bf053e152520f7e0

Download Submit
\Windows\Temp\java.exe
Filesize
690KB

MD5
0b5d0f84291ee7f1839be29234bfeb7e

SHA1
4cf56760fe279da2337cb7ee6184297dafee805a

SHA256
2a6eec17d15b5a46589afad617aa7b141e0b087baf6ae82eac2e9c1c896e59bf

SHA512
3683dcfc41e368382a8308ed3fc8e165c613badcc200016b58ec2468cc07c4b74321e15e0ea133d13695c25bec09d4e8eaa8f6a6164c6536118ae6e10fdc9a18

Download Submit
\Windows\Temp\java.exe
Filesize
690KB

MD5
0b5d0f84291ee7f1839be29234bfeb7e

SHA1
4cf56760fe279da2337cb7ee6184297dafee805a

SHA256
2a6eec17d15b5a46589afad617aa7b141e0b087baf6ae82eac2e9c1c896e59bf

SHA512
3683dcfc41e368382a8308ed3fc8e165c613badcc200016b58ec2468cc07c4b74321e15e0ea133d13695c25bec09d4e8eaa8f6a6164c6536118ae6e10fdc9a18

Download Submit
memory/580-67-0x0000000000000000-mapping.dmp

Download
memory/580-87-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/1124-91-0x0000000000000000-mapping.dmp

Download
memory/1124-94-0x0000000000B50000-0x0000000000BAA000-memory.dmp

Filesize
360KB

Download
memory/1168-82-0x0000000000060000-0x00000000000BA000-memory.dmp

Filesize
360KB

Download
memory/1168-72-0x0000000000000000-mapping.dmp

Download
memory/1172-64-0x0000000000000000-mapping.dmp

Download
memory/1320-63-0x0000000000000000-mapping.dmp

Download
memory/1596-96-0x0000000000000000-mapping.dmp

Download
memory/1628-103-0x0000000000000000-mapping.dmp

Download
memory/1636-57-0x0000000000000000-mapping.dmp

Download
memory/1664-66-0x0000000000000000-mapping.dmp

Download
memory/1692-54-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/1740-79-0x0000000000000000-mapping.dmp

Download
memory/1808-84-0x0000000000000000-mapping.dmp

Download
memory/1896-88-0x0000000000000000-mapping.dmp

Download
memory/1988-98-0x0000000000000000-mapping.dmp

Download
memory/1988-102-0x00000000704E0000-0x0000000070A8B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-61-0x0000000000000000-mapping.dmp

Download
memory/2028-62-0x0000000000000000-mapping.dmp

Download