darkcomet | 62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5

Analysis

max time kernel
156s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe
Size

762KB
MD5

acaedef2c694bd1d58f4cb82ffb6318b
SHA1

316f234a5571b199a7d948f541ad3982536c033a
SHA256

62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5
SHA512

82f718bc54003f0537e7923285ed6d3188e458301f95029d0d273660f643755af5d2654f9acc4f23dd62e8fb15b0e114c308b7cf4dfbd673579f4f1d5b804513

Score

10^/10

darkcomet njrat hacked ×èòåð evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

×èòåð

62.33.2.50:1111

happycraft.hopto.org:1111

Mutex

DC_MUTEX-1BX3PA1

Attributes

InstallPath
temp\java.exe
gencode
6hPE8cPj7vE4
install
true
offline_keylogger
true
persistence
true
reg_key
java.exe

Extracted

Family

njrat

Version

im523

Botnet

HacKed

62.33.2.50:2222

Mutex

41aabe8f8c6d7c53ac94c0ce4c6ce249

Attributes

reg_key
41aabe8f8c6d7c53ac94c0ce4c6ce249
splitter
|'|'|

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\temp\\java.exe"	2.exe

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

java.exeiexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	java.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	java.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	java.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	iexplore.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

java.exeiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	java.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	iexplore.exe

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 6 IoCs

Processes:

2.exe1.exe3.exejava.exesvchost.exedriver.exe

pid process

2148 2.exe
1944 1.exe
1192 3.exe
4684 java.exe
3420 svchost.exe
4716 driver.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

pid	process
2148	2.exe
1944	1.exe
1192	3.exe
4684	java.exe
3420	svchost.exe
4716	driver.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe2.exe1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	1.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\41aabe8f8c6d7c53ac94c0ce4c6ce249.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\41aabe8f8c6d7c53ac94c0ce4c6ce249.exe	svchost.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

java.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	java.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2.exejava.exeiexplore.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java.exe = "C:\\Windows\\temp\\java.exe"	2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java.exe = "C:\\Windows\\temp\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java.exe = "C:\\Windows\\temp\\java.exe"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\41aabe8f8c6d7c53ac94c0ce4c6ce249 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\41aabe8f8c6d7c53ac94c0ce4c6ce249 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091
Suspicious use of SetThreadContext 1 IoCs

Processes:

java.exe

description pid process target process

PID 4684 set thread context of 3460 4684 java.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4540 schtasks.exe

description	pid	process	target process
PID 4684 set thread context of 3460	4684	java.exe	iexplore.exe

pid	process
4540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe
3420	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exeiexplore.exe

pid process

3420 svchost.exe
3460 iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2.exejava.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2148	2.exe
Token: SeSecurityPrivilege	2148	2.exe
Token: SeTakeOwnershipPrivilege	2148	2.exe
Token: SeLoadDriverPrivilege	2148	2.exe
Token: SeSystemProfilePrivilege	2148	2.exe
Token: SeSystemtimePrivilege	2148	2.exe
Token: SeProfSingleProcessPrivilege	2148	2.exe
Token: SeIncBasePriorityPrivilege	2148	2.exe
Token: SeCreatePagefilePrivilege	2148	2.exe
Token: SeBackupPrivilege	2148	2.exe
Token: SeRestorePrivilege	2148	2.exe
Token: SeShutdownPrivilege	2148	2.exe
Token: SeDebugPrivilege	2148	2.exe
Token: SeSystemEnvironmentPrivilege	2148	2.exe
Token: SeChangeNotifyPrivilege	2148	2.exe
Token: SeRemoteShutdownPrivilege	2148	2.exe
Token: SeUndockPrivilege	2148	2.exe
Token: SeManageVolumePrivilege	2148	2.exe
Token: SeImpersonatePrivilege	2148	2.exe
Token: SeCreateGlobalPrivilege	2148	2.exe
Token: 33	2148	2.exe
Token: 34	2148	2.exe
Token: 35	2148	2.exe
Token: 36	2148	2.exe
Token: SeIncreaseQuotaPrivilege	4684	java.exe
Token: SeSecurityPrivilege	4684	java.exe
Token: SeTakeOwnershipPrivilege	4684	java.exe
Token: SeLoadDriverPrivilege	4684	java.exe
Token: SeSystemProfilePrivilege	4684	java.exe
Token: SeSystemtimePrivilege	4684	java.exe
Token: SeProfSingleProcessPrivilege	4684	java.exe
Token: SeIncBasePriorityPrivilege	4684	java.exe
Token: SeCreatePagefilePrivilege	4684	java.exe
Token: SeBackupPrivilege	4684	java.exe
Token: SeRestorePrivilege	4684	java.exe
Token: SeShutdownPrivilege	4684	java.exe
Token: SeDebugPrivilege	4684	java.exe
Token: SeSystemEnvironmentPrivilege	4684	java.exe
Token: SeChangeNotifyPrivilege	4684	java.exe
Token: SeRemoteShutdownPrivilege	4684	java.exe
Token: SeUndockPrivilege	4684	java.exe
Token: SeManageVolumePrivilege	4684	java.exe
Token: SeImpersonatePrivilege	4684	java.exe
Token: SeCreateGlobalPrivilege	4684	java.exe
Token: 33	4684	java.exe
Token: 34	4684	java.exe
Token: 35	4684	java.exe
Token: 36	4684	java.exe
Token: SeIncreaseQuotaPrivilege	3460	iexplore.exe
Token: SeSecurityPrivilege	3460	iexplore.exe
Token: SeTakeOwnershipPrivilege	3460	iexplore.exe
Token: SeLoadDriverPrivilege	3460	iexplore.exe
Token: SeSystemProfilePrivilege	3460	iexplore.exe
Token: SeSystemtimePrivilege	3460	iexplore.exe
Token: SeProfSingleProcessPrivilege	3460	iexplore.exe
Token: SeIncBasePriorityPrivilege	3460	iexplore.exe
Token: SeCreatePagefilePrivilege	3460	iexplore.exe
Token: SeBackupPrivilege	3460	iexplore.exe
Token: SeRestorePrivilege	3460	iexplore.exe
Token: SeShutdownPrivilege	3460	iexplore.exe
Token: SeDebugPrivilege	3460	iexplore.exe
Token: SeSystemEnvironmentPrivilege	3460	iexplore.exe
Token: SeChangeNotifyPrivilege	3460	iexplore.exe
Token: SeRemoteShutdownPrivilege	3460	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

3460 iexplore.exe

pid	process
3460	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe2.execmd.execmd.exejava.exeiexplore.exe

description	pid	process	target process
PID 3572 wrote to memory of 2148	3572	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	2.exe
PID 3572 wrote to memory of 2148	3572	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	2.exe
PID 3572 wrote to memory of 2148	3572	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	2.exe
PID 3572 wrote to memory of 1944	3572	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	1.exe
PID 3572 wrote to memory of 1944	3572	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	1.exe
PID 3572 wrote to memory of 1944	3572	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	1.exe
PID 3572 wrote to memory of 1192	3572	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	3.exe
PID 3572 wrote to memory of 1192	3572	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	3.exe
PID 3572 wrote to memory of 1192	3572	62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe	3.exe
PID 2148 wrote to memory of 976	2148	2.exe	cmd.exe
PID 2148 wrote to memory of 976	2148	2.exe	cmd.exe
PID 2148 wrote to memory of 976	2148	2.exe	cmd.exe
PID 2148 wrote to memory of 3112	2148	2.exe	cmd.exe
PID 2148 wrote to memory of 3112	2148	2.exe	cmd.exe
PID 2148 wrote to memory of 3112	2148	2.exe	cmd.exe
PID 2148 wrote to memory of 3000	2148	2.exe	notepad.exe
PID 2148 wrote to memory of 3000	2148	2.exe	notepad.exe
PID 2148 wrote to memory of 3000	2148	2.exe	notepad.exe
PID 2148 wrote to memory of 3000	2148	2.exe	notepad.exe
PID 2148 wrote to memory of 3000	2148	2.exe	notepad.exe
PID 2148 wrote to memory of 3000	2148	2.exe	notepad.exe
PID 2148 wrote to memory of 3000	2148	2.exe	notepad.exe
PID 2148 wrote to memory of 3000	2148	2.exe	notepad.exe
PID 2148 wrote to memory of 3000	2148	2.exe	notepad.exe
PID 2148 wrote to memory of 3000	2148	2.exe	notepad.exe
PID 2148 wrote to memory of 3000	2148	2.exe	notepad.exe
PID 2148 wrote to memory of 3000	2148	2.exe	notepad.exe
PID 2148 wrote to memory of 3000	2148	2.exe	notepad.exe
PID 2148 wrote to memory of 3000	2148	2.exe	notepad.exe
PID 2148 wrote to memory of 3000	2148	2.exe	notepad.exe
PID 2148 wrote to memory of 3000	2148	2.exe	notepad.exe
PID 2148 wrote to memory of 3000	2148	2.exe	notepad.exe
PID 3112 wrote to memory of 4640	3112	cmd.exe	attrib.exe
PID 3112 wrote to memory of 4640	3112	cmd.exe	attrib.exe
PID 3112 wrote to memory of 4640	3112	cmd.exe	attrib.exe
PID 976 wrote to memory of 4580	976	cmd.exe	attrib.exe
PID 976 wrote to memory of 4580	976	cmd.exe	attrib.exe
PID 976 wrote to memory of 4580	976	cmd.exe	attrib.exe
PID 2148 wrote to memory of 4684	2148	2.exe	java.exe
PID 2148 wrote to memory of 4684	2148	2.exe	java.exe
PID 2148 wrote to memory of 4684	2148	2.exe	java.exe
PID 4684 wrote to memory of 3460	4684	java.exe	iexplore.exe
PID 4684 wrote to memory of 3460	4684	java.exe	iexplore.exe
PID 4684 wrote to memory of 3460	4684	java.exe	iexplore.exe
PID 4684 wrote to memory of 3460	4684	java.exe	iexplore.exe
PID 4684 wrote to memory of 3460	4684	java.exe	iexplore.exe
PID 3460 wrote to memory of 3712	3460	iexplore.exe	notepad.exe
PID 3460 wrote to memory of 3712	3460	iexplore.exe	notepad.exe
PID 3460 wrote to memory of 3712	3460	iexplore.exe	notepad.exe
PID 3460 wrote to memory of 3712	3460	iexplore.exe	notepad.exe
PID 3460 wrote to memory of 3712	3460	iexplore.exe	notepad.exe
PID 3460 wrote to memory of 3712	3460	iexplore.exe	notepad.exe
PID 3460 wrote to memory of 3712	3460	iexplore.exe	notepad.exe
PID 3460 wrote to memory of 3712	3460	iexplore.exe	notepad.exe
PID 3460 wrote to memory of 3712	3460	iexplore.exe	notepad.exe
PID 3460 wrote to memory of 3712	3460	iexplore.exe	notepad.exe
PID 3460 wrote to memory of 3712	3460	iexplore.exe	notepad.exe
PID 3460 wrote to memory of 3712	3460	iexplore.exe	notepad.exe
PID 3460 wrote to memory of 3712	3460	iexplore.exe	notepad.exe
PID 3460 wrote to memory of 3712	3460	iexplore.exe	notepad.exe
PID 3460 wrote to memory of 3712	3460	iexplore.exe	notepad.exe
PID 3460 wrote to memory of 3712	3460	iexplore.exe	notepad.exe
PID 3460 wrote to memory of 3712	3460	iexplore.exe	notepad.exe
PID 3460 wrote to memory of 3712	3460	iexplore.exe	notepad.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

java.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	java.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4640 attrib.exe
4580 attrib.exe

pid	process
4640	attrib.exe
4580	attrib.exe

C:\Users\Admin\AppData\Local\Temp\62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe
"C:\Users\Admin\AppData\Local\Temp\62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3572

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\2.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\2.exe" +s +h
4⤵
- Views/modifies file attributes
PID:4580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Views/modifies file attributes
PID:4640

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:3000

C:\Windows\temp\java.exe
"C:\Windows\temp\java.exe"
3⤵
- Modifies firewall policy service
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4684

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
- Modifies firewall policy service
- Modifies security service
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:1944

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3420

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
4⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
2⤵
- Executes dropped EXE
PID:1192

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\3.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4540

C:\Users\Admin\AppData\Roaming\driver\driver.exe
"C:\Users\Admin\AppData\Roaming\driver\driver.exe" -d2
3⤵
- Executes dropped EXE
PID:4716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe
Filesize
49KB

MD5
44276fd73f9654eb7aac24712b6678b3

SHA1
90adc57a4034c06f46d15cc9774502ca73d4c3b2

SHA256
dde17e40dc1453b61185a7f5c10df7dd76b097450f896a0df712b3b3f5683f4b

SHA512
1371c82ccd6202eb6359f740fb722cb40a188309d5cd6a743835d995fbb2bb29da9653d7c45f451c5148af275ba03e5bac0a17f4022216c0bc2a587b116eddf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
Filesize
49KB

MD5
44276fd73f9654eb7aac24712b6678b3

SHA1
90adc57a4034c06f46d15cc9774502ca73d4c3b2

SHA256
dde17e40dc1453b61185a7f5c10df7dd76b097450f896a0df712b3b3f5683f4b

SHA512
1371c82ccd6202eb6359f740fb722cb40a188309d5cd6a743835d995fbb2bb29da9653d7c45f451c5148af275ba03e5bac0a17f4022216c0bc2a587b116eddf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
Filesize
690KB

MD5
0b5d0f84291ee7f1839be29234bfeb7e

SHA1
4cf56760fe279da2337cb7ee6184297dafee805a

SHA256
2a6eec17d15b5a46589afad617aa7b141e0b087baf6ae82eac2e9c1c896e59bf

SHA512
3683dcfc41e368382a8308ed3fc8e165c613badcc200016b58ec2468cc07c4b74321e15e0ea133d13695c25bec09d4e8eaa8f6a6164c6536118ae6e10fdc9a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
Filesize
690KB

MD5
0b5d0f84291ee7f1839be29234bfeb7e

SHA1
4cf56760fe279da2337cb7ee6184297dafee805a

SHA256
2a6eec17d15b5a46589afad617aa7b141e0b087baf6ae82eac2e9c1c896e59bf

SHA512
3683dcfc41e368382a8308ed3fc8e165c613badcc200016b58ec2468cc07c4b74321e15e0ea133d13695c25bec09d4e8eaa8f6a6164c6536118ae6e10fdc9a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe
Filesize
344KB

MD5
adb2eb09e5abf4b8ba14f026ed7343c4

SHA1
cbc506f1723891c458d7ccb3d135dd550a0d926e

SHA256
6be293224b4fbd57f391f449aefd1dad303e9b4c7c04da48d762c5a3933497da

SHA512
4fafad2f5d0820cdd64f13b95f6f73ea4b1646a64f8999d819a95063c00991c0de59dcc6909ffad58285d7cd430dead515c2f0cc06335226bf053e152520f7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe
Filesize
344KB

MD5
adb2eb09e5abf4b8ba14f026ed7343c4

SHA1
cbc506f1723891c458d7ccb3d135dd550a0d926e

SHA256
6be293224b4fbd57f391f449aefd1dad303e9b4c7c04da48d762c5a3933497da

SHA512
4fafad2f5d0820cdd64f13b95f6f73ea4b1646a64f8999d819a95063c00991c0de59dcc6909ffad58285d7cd430dead515c2f0cc06335226bf053e152520f7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
49KB

MD5
44276fd73f9654eb7aac24712b6678b3

SHA1
90adc57a4034c06f46d15cc9774502ca73d4c3b2

SHA256
dde17e40dc1453b61185a7f5c10df7dd76b097450f896a0df712b3b3f5683f4b

SHA512
1371c82ccd6202eb6359f740fb722cb40a188309d5cd6a743835d995fbb2bb29da9653d7c45f451c5148af275ba03e5bac0a17f4022216c0bc2a587b116eddf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
49KB

MD5
44276fd73f9654eb7aac24712b6678b3

SHA1
90adc57a4034c06f46d15cc9774502ca73d4c3b2

SHA256
dde17e40dc1453b61185a7f5c10df7dd76b097450f896a0df712b3b3f5683f4b

SHA512
1371c82ccd6202eb6359f740fb722cb40a188309d5cd6a743835d995fbb2bb29da9653d7c45f451c5148af275ba03e5bac0a17f4022216c0bc2a587b116eddf6

Download Submit
C:\Users\Admin\AppData\Roaming\driver\driver.exe
Filesize
344KB

MD5
adb2eb09e5abf4b8ba14f026ed7343c4

SHA1
cbc506f1723891c458d7ccb3d135dd550a0d926e

SHA256
6be293224b4fbd57f391f449aefd1dad303e9b4c7c04da48d762c5a3933497da

SHA512
4fafad2f5d0820cdd64f13b95f6f73ea4b1646a64f8999d819a95063c00991c0de59dcc6909ffad58285d7cd430dead515c2f0cc06335226bf053e152520f7e0

Download Submit
C:\Users\Admin\AppData\Roaming\driver\driver.exe
Filesize
344KB

MD5
adb2eb09e5abf4b8ba14f026ed7343c4

SHA1
cbc506f1723891c458d7ccb3d135dd550a0d926e

SHA256
6be293224b4fbd57f391f449aefd1dad303e9b4c7c04da48d762c5a3933497da

SHA512
4fafad2f5d0820cdd64f13b95f6f73ea4b1646a64f8999d819a95063c00991c0de59dcc6909ffad58285d7cd430dead515c2f0cc06335226bf053e152520f7e0

Download Submit
C:\Windows\Temp\java.exe
Filesize
690KB

MD5
0b5d0f84291ee7f1839be29234bfeb7e

SHA1
4cf56760fe279da2337cb7ee6184297dafee805a

SHA256
2a6eec17d15b5a46589afad617aa7b141e0b087baf6ae82eac2e9c1c896e59bf

SHA512
3683dcfc41e368382a8308ed3fc8e165c613badcc200016b58ec2468cc07c4b74321e15e0ea133d13695c25bec09d4e8eaa8f6a6164c6536118ae6e10fdc9a18

Download Submit
C:\Windows\temp\java.exe
Filesize
690KB

MD5
0b5d0f84291ee7f1839be29234bfeb7e

SHA1
4cf56760fe279da2337cb7ee6184297dafee805a

SHA256
2a6eec17d15b5a46589afad617aa7b141e0b087baf6ae82eac2e9c1c896e59bf

SHA512
3683dcfc41e368382a8308ed3fc8e165c613badcc200016b58ec2468cc07c4b74321e15e0ea133d13695c25bec09d4e8eaa8f6a6164c6536118ae6e10fdc9a18

Download Submit
memory/816-161-0x0000000000000000-mapping.dmp

Download
memory/976-139-0x0000000000000000-mapping.dmp

Download
memory/1192-149-0x0000000000150000-0x00000000001AA000-memory.dmp

Filesize
360KB

Download
memory/1192-160-0x0000000005370000-0x0000000005402000-memory.dmp

Filesize
584KB

Download
memory/1192-136-0x0000000000000000-mapping.dmp

Download
memory/1192-151-0x0000000005810000-0x0000000005DB4000-memory.dmp

Filesize
5.6MB

Download
memory/1192-150-0x0000000004C70000-0x0000000004CD6000-memory.dmp

Filesize
408KB

Download
memory/1944-144-0x0000000075100000-0x00000000756B1000-memory.dmp

Filesize
5.7MB

Download
memory/1944-133-0x0000000000000000-mapping.dmp

Download
memory/2148-130-0x0000000000000000-mapping.dmp

Download
memory/3000-141-0x0000000000000000-mapping.dmp

Download
memory/3112-140-0x0000000000000000-mapping.dmp

Download
memory/3420-152-0x0000000000000000-mapping.dmp

Download
memory/3420-155-0x0000000075100000-0x00000000756B1000-memory.dmp

Filesize
5.7MB

Download
memory/3712-148-0x0000000000000000-mapping.dmp

Download
memory/4540-156-0x0000000000000000-mapping.dmp

Download
memory/4580-143-0x0000000000000000-mapping.dmp

Download
memory/4640-142-0x0000000000000000-mapping.dmp

Download
memory/4684-145-0x0000000000000000-mapping.dmp

Download
memory/4716-157-0x0000000000000000-mapping.dmp

Download