asyncrat | c2187e67fa488c35774a01ad87eeed302ea8ac0553155cae33b044d34455882f

Analysis

max time kernel
139s
max time network
159s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
19-07-2022 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/DarkCometRat.exe
Size

12.1MB
MD5

c8c39c4d8cdfa38169be4057a70e04f2
SHA1

ceddeda4a89ad8c0fc1765511ef9da9696803f9f
SHA256

62f21406a307e447db6f0c2d91c626d947544effd6f56800c5e2e1beea18375c
SHA512

ab21a5273e481cce2173ea6ee5d450a28f5ab1411699500f62d2c4e1b35dd5fc825931a0cd8cca9da4e92f5e2e06784e3f14006e1d76b8e197baf02ff22f0a30

Score

10^/10

asyncrat darkcomet default guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

susiahat24199a.ddns.net:6606

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
JavaCrashHandle.exe
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

Guest16

sussysdfffdfff343.duckdns.org:1604

Mutex

DC_MUTEX-QH9A6P4

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
YBnxcFaotAui
install
true
offline_keylogger
true
persistence
true
reg_key
JavaUpdater

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

HAXIMIZE-V2.0 CRACKED.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	HAXIMIZE-V2.0 CRACKED.EXE

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

msdcsc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

msdcsc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" msdcsc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	msdcsc.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Async RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE	asyncrat
C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE	asyncrat
C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE	asyncrat
behavioral3/memory/1640-70-0x0000000000DA0000-0x0000000000DC6000-memory.dmp	asyncrat
\Users\Admin\AppData\Roaming\JavaCrashHandle.exe	asyncrat
C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe	asyncrat
behavioral3/memory/1716-98-0x0000000000F50000-0x0000000000F76000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe	asyncrat

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

msdcsc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msdcsc.exe

Executes dropped EXE 5 IoCs

Processes:

DARKCOMET.EXEDARKCOMETRATLAUNCHER.EXEHAXIMIZE-V2.0 CRACKED.EXEmsdcsc.exeJavaCrashHandle.exe

pid process

2012 DARKCOMET.EXE
1640 DARKCOMETRATLAUNCHER.EXE
1408 HAXIMIZE-V2.0 CRACKED.EXE
1692 msdcsc.exe
1716 JavaCrashHandle.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1872 attrib.exe
1500 attrib.exe

pid	process
2012	DARKCOMET.EXE
1640	DARKCOMETRATLAUNCHER.EXE
1408	HAXIMIZE-V2.0 CRACKED.EXE
1692	msdcsc.exe
1716	JavaCrashHandle.exe

pid	process
1872	attrib.exe
1500	attrib.exe

Loads dropped DLL 7 IoCs

Processes:

DarkCometRat.exeHAXIMIZE-V2.0 CRACKED.EXEcmd.exe

pid	process
1952	DarkCometRat.exe
1952	DarkCometRat.exe
1952	DarkCometRat.exe
1952	DarkCometRat.exe
1408	HAXIMIZE-V2.0 CRACKED.EXE
1408	HAXIMIZE-V2.0 CRACKED.EXE
1164	cmd.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HAXIMIZE-V2.0 CRACKED.EXEmsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	HAXIMIZE-V2.0 CRACKED.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

580 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2004 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

DARKCOMETRATLAUNCHER.EXE

pid process

1640 DARKCOMETRATLAUNCHER.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msdcsc.exe

pid process

1692 msdcsc.exe

pid	process
580	schtasks.exe

pid	process
2004	timeout.exe

pid	process
1640	DARKCOMETRATLAUNCHER.EXE

pid	process
1692	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

HAXIMIZE-V2.0 CRACKED.EXEmsdcsc.exeDARKCOMETRATLAUNCHER.EXEJavaCrashHandle.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeSecurityPrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeTakeOwnershipPrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeLoadDriverPrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeSystemProfilePrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeSystemtimePrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeProfSingleProcessPrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeIncBasePriorityPrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeCreatePagefilePrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeBackupPrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeRestorePrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeShutdownPrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeDebugPrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeSystemEnvironmentPrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeChangeNotifyPrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeRemoteShutdownPrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeUndockPrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeManageVolumePrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeImpersonatePrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeCreateGlobalPrivilege	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: 33	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: 34	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: 35	1408	HAXIMIZE-V2.0 CRACKED.EXE
Token: SeIncreaseQuotaPrivilege	1692	msdcsc.exe
Token: SeSecurityPrivilege	1692	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1692	msdcsc.exe
Token: SeLoadDriverPrivilege	1692	msdcsc.exe
Token: SeSystemProfilePrivilege	1692	msdcsc.exe
Token: SeSystemtimePrivilege	1692	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1692	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1692	msdcsc.exe
Token: SeCreatePagefilePrivilege	1692	msdcsc.exe
Token: SeBackupPrivilege	1692	msdcsc.exe
Token: SeRestorePrivilege	1692	msdcsc.exe
Token: SeShutdownPrivilege	1692	msdcsc.exe
Token: SeDebugPrivilege	1692	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1692	msdcsc.exe
Token: SeChangeNotifyPrivilege	1692	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1692	msdcsc.exe
Token: SeUndockPrivilege	1692	msdcsc.exe
Token: SeManageVolumePrivilege	1692	msdcsc.exe
Token: SeImpersonatePrivilege	1692	msdcsc.exe
Token: SeCreateGlobalPrivilege	1692	msdcsc.exe
Token: 33	1692	msdcsc.exe
Token: 34	1692	msdcsc.exe
Token: 35	1692	msdcsc.exe
Token: SeDebugPrivilege	1640	DARKCOMETRATLAUNCHER.EXE
Token: SeDebugPrivilege	1716	JavaCrashHandle.exe
Token: SeDebugPrivilege	1716	JavaCrashHandle.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

DARKCOMET.EXE

pid process

2012 DARKCOMET.EXE
2012 DARKCOMET.EXE
2012 DARKCOMET.EXE
2012 DARKCOMET.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

DARKCOMET.EXE

pid process

2012 DARKCOMET.EXE
2012 DARKCOMET.EXE
2012 DARKCOMET.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

DARKCOMET.EXEmsdcsc.exe

pid process

2012 DARKCOMET.EXE
1692 msdcsc.exe

pid	process
2012	DARKCOMET.EXE
2012	DARKCOMET.EXE
2012	DARKCOMET.EXE
2012	DARKCOMET.EXE

pid	process
2012	DARKCOMET.EXE
2012	DARKCOMET.EXE
2012	DARKCOMET.EXE

pid	process
2012	DARKCOMET.EXE
1692	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DarkCometRat.exeHAXIMIZE-V2.0 CRACKED.EXEcmd.execmd.exemsdcsc.exe

description	pid	process	target process
PID 1952 wrote to memory of 2012	1952	DarkCometRat.exe	DARKCOMET.EXE
PID 1952 wrote to memory of 2012	1952	DarkCometRat.exe	DARKCOMET.EXE
PID 1952 wrote to memory of 2012	1952	DarkCometRat.exe	DARKCOMET.EXE
PID 1952 wrote to memory of 2012	1952	DarkCometRat.exe	DARKCOMET.EXE
PID 1952 wrote to memory of 1640	1952	DarkCometRat.exe	DARKCOMETRATLAUNCHER.EXE
PID 1952 wrote to memory of 1640	1952	DarkCometRat.exe	DARKCOMETRATLAUNCHER.EXE
PID 1952 wrote to memory of 1640	1952	DarkCometRat.exe	DARKCOMETRATLAUNCHER.EXE
PID 1952 wrote to memory of 1640	1952	DarkCometRat.exe	DARKCOMETRATLAUNCHER.EXE
PID 1952 wrote to memory of 1640	1952	DarkCometRat.exe	DARKCOMETRATLAUNCHER.EXE
PID 1952 wrote to memory of 1640	1952	DarkCometRat.exe	DARKCOMETRATLAUNCHER.EXE
PID 1952 wrote to memory of 1640	1952	DarkCometRat.exe	DARKCOMETRATLAUNCHER.EXE
PID 1952 wrote to memory of 1408	1952	DarkCometRat.exe	HAXIMIZE-V2.0 CRACKED.EXE
PID 1952 wrote to memory of 1408	1952	DarkCometRat.exe	HAXIMIZE-V2.0 CRACKED.EXE
PID 1952 wrote to memory of 1408	1952	DarkCometRat.exe	HAXIMIZE-V2.0 CRACKED.EXE
PID 1952 wrote to memory of 1408	1952	DarkCometRat.exe	HAXIMIZE-V2.0 CRACKED.EXE
PID 1408 wrote to memory of 940	1408	HAXIMIZE-V2.0 CRACKED.EXE	cmd.exe
PID 1408 wrote to memory of 940	1408	HAXIMIZE-V2.0 CRACKED.EXE	cmd.exe
PID 1408 wrote to memory of 940	1408	HAXIMIZE-V2.0 CRACKED.EXE	cmd.exe
PID 1408 wrote to memory of 940	1408	HAXIMIZE-V2.0 CRACKED.EXE	cmd.exe
PID 1408 wrote to memory of 1096	1408	HAXIMIZE-V2.0 CRACKED.EXE	cmd.exe
PID 1408 wrote to memory of 1096	1408	HAXIMIZE-V2.0 CRACKED.EXE	cmd.exe
PID 1408 wrote to memory of 1096	1408	HAXIMIZE-V2.0 CRACKED.EXE	cmd.exe
PID 1408 wrote to memory of 1096	1408	HAXIMIZE-V2.0 CRACKED.EXE	cmd.exe
PID 940 wrote to memory of 1872	940	cmd.exe	attrib.exe
PID 940 wrote to memory of 1872	940	cmd.exe	attrib.exe
PID 940 wrote to memory of 1872	940	cmd.exe	attrib.exe
PID 940 wrote to memory of 1872	940	cmd.exe	attrib.exe
PID 1096 wrote to memory of 1500	1096	cmd.exe	attrib.exe
PID 1096 wrote to memory of 1500	1096	cmd.exe	attrib.exe
PID 1096 wrote to memory of 1500	1096	cmd.exe	attrib.exe
PID 1096 wrote to memory of 1500	1096	cmd.exe	attrib.exe
PID 1408 wrote to memory of 1692	1408	HAXIMIZE-V2.0 CRACKED.EXE	msdcsc.exe
PID 1408 wrote to memory of 1692	1408	HAXIMIZE-V2.0 CRACKED.EXE	msdcsc.exe
PID 1408 wrote to memory of 1692	1408	HAXIMIZE-V2.0 CRACKED.EXE	msdcsc.exe
PID 1408 wrote to memory of 1692	1408	HAXIMIZE-V2.0 CRACKED.EXE	msdcsc.exe
PID 1692 wrote to memory of 1920	1692	msdcsc.exe	iexplore.exe
PID 1692 wrote to memory of 1920	1692	msdcsc.exe	iexplore.exe
PID 1692 wrote to memory of 1920	1692	msdcsc.exe	iexplore.exe
PID 1692 wrote to memory of 1920	1692	msdcsc.exe	iexplore.exe
PID 1692 wrote to memory of 948	1692	msdcsc.exe	explorer.exe
PID 1692 wrote to memory of 948	1692	msdcsc.exe	explorer.exe
PID 1692 wrote to memory of 948	1692	msdcsc.exe	explorer.exe
PID 1692 wrote to memory of 948	1692	msdcsc.exe	explorer.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe
PID 1692 wrote to memory of 268	1692	msdcsc.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1500 attrib.exe
1872 attrib.exe

pid	process
1500	attrib.exe
1872	attrib.exe

C:\Users\Admin\AppData\Local\Temp\DARKCOMET 5.3.1 Fixed\DARKCOMET 5.3.1\DarkCometRat.exe
"C:\Users\Admin\AppData\Local\Temp\DARKCOMET 5.3.1 Fixed\DARKCOMET 5.3.1\DarkCometRat.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Local\Temp\DARKCOMET.EXE
"C:\Users\Admin\AppData\Local\Temp\DARKCOMET.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE
"C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE
"C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3074.tmp.bat""
3⤵
- Loads dropped DLL
PID:1164

C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe
"C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "JavaCrashHandle" /tr '"C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe"' & exit
3⤵
PID:920

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE" +s +h
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1872

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1500

C:\Windows\SysWOW64\notepad.exe
notepad
1⤵
PID:268

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:948

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
1⤵
PID:1920

C:\Windows\SysWOW64\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:2004

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "JavaCrashHandle" /tr '"C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe"'
1⤵
- Creates scheduled task(s)
PID:580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DARKCOMET.EXE
Filesize
11.3MB

MD5
d761f3aa64064a706a521ba14d0f8741

SHA1
ab7382bcfdf494d0327fccce9c884592bcc1adeb

SHA256
21ca06b18698d14154a45822aaae1e3837d168cc7630bcd3ec3d8c68aaa959e6

SHA512
d2274c03f805a5cd62104492e154fc225c3f6997091accb2f4bff165308fc82ba0d9adf185ec744222bcb4ece08d1ba754a35a2d88c10c5743f4d2e66494377f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE
Filesize
126KB

MD5
3c9ca31b4d07143cc51a965fa8cd7ee8

SHA1
f1b83c2ba9955c15d2620b73a42ed92db8b49d49

SHA256
605264d2d678094d93a7b38c4539cd940fadd22dfd3b79b03a66ba763a6b6e83

SHA512
6fad52177e472ed144f1be46a4e5729f04e42774d92531e091f5c99246f170c9057566caa8302f6dd19d1184f1a5073acd0fee952a0ac6b47e21de26611cef1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE
Filesize
126KB

MD5
3c9ca31b4d07143cc51a965fa8cd7ee8

SHA1
f1b83c2ba9955c15d2620b73a42ed92db8b49d49

SHA256
605264d2d678094d93a7b38c4539cd940fadd22dfd3b79b03a66ba763a6b6e83

SHA512
6fad52177e472ed144f1be46a4e5729f04e42774d92531e091f5c99246f170c9057566caa8302f6dd19d1184f1a5073acd0fee952a0ac6b47e21de26611cef1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE
Filesize
658KB

MD5
efa6a56bc92b0d9e88d95bdeae626fca

SHA1
99a1864c799f9c79ac646c9bdab868ba55fc7029

SHA256
d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6

SHA512
439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE
Filesize
658KB

MD5
efa6a56bc92b0d9e88d95bdeae626fca

SHA1
99a1864c799f9c79ac646c9bdab868ba55fc7029

SHA256
d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6

SHA512
439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3074.tmp.bat
Filesize
159B

MD5
0176c432d416a259afed3c69b18f27b9

SHA1
bc3e50ee96ec112c8eeff70026d94ab259ff465d

SHA256
ee39fc029f3a70b5d59ff830d8cb01d4f64d55dbb44be687158797bc1371983a

SHA512
aa840f80da20a190f7fbd2f095a3a8491f2e06fbbb71ac37b668818611b1808d442fd1665eb47305a2d648b06d7d9bab1e06c08acde28654ac91e5ad02a59c89

Download Submit
C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe
Filesize
126KB

MD5
3c9ca31b4d07143cc51a965fa8cd7ee8

SHA1
f1b83c2ba9955c15d2620b73a42ed92db8b49d49

SHA256
605264d2d678094d93a7b38c4539cd940fadd22dfd3b79b03a66ba763a6b6e83

SHA512
6fad52177e472ed144f1be46a4e5729f04e42774d92531e091f5c99246f170c9057566caa8302f6dd19d1184f1a5073acd0fee952a0ac6b47e21de26611cef1d

Download Submit
C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe
Filesize
126KB

MD5
3c9ca31b4d07143cc51a965fa8cd7ee8

SHA1
f1b83c2ba9955c15d2620b73a42ed92db8b49d49

SHA256
605264d2d678094d93a7b38c4539cd940fadd22dfd3b79b03a66ba763a6b6e83

SHA512
6fad52177e472ed144f1be46a4e5729f04e42774d92531e091f5c99246f170c9057566caa8302f6dd19d1184f1a5073acd0fee952a0ac6b47e21de26611cef1d

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
658KB

MD5
efa6a56bc92b0d9e88d95bdeae626fca

SHA1
99a1864c799f9c79ac646c9bdab868ba55fc7029

SHA256
d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6

SHA512
439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
658KB

MD5
efa6a56bc92b0d9e88d95bdeae626fca

SHA1
99a1864c799f9c79ac646c9bdab868ba55fc7029

SHA256
d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6

SHA512
439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0

Download Submit
\Users\Admin\AppData\Local\Temp\DARKCOMET.EXE
Filesize
11.3MB

MD5
d761f3aa64064a706a521ba14d0f8741

SHA1
ab7382bcfdf494d0327fccce9c884592bcc1adeb

SHA256
21ca06b18698d14154a45822aaae1e3837d168cc7630bcd3ec3d8c68aaa959e6

SHA512
d2274c03f805a5cd62104492e154fc225c3f6997091accb2f4bff165308fc82ba0d9adf185ec744222bcb4ece08d1ba754a35a2d88c10c5743f4d2e66494377f

Download Submit
\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE
Filesize
126KB

MD5
3c9ca31b4d07143cc51a965fa8cd7ee8

SHA1
f1b83c2ba9955c15d2620b73a42ed92db8b49d49

SHA256
605264d2d678094d93a7b38c4539cd940fadd22dfd3b79b03a66ba763a6b6e83

SHA512
6fad52177e472ed144f1be46a4e5729f04e42774d92531e091f5c99246f170c9057566caa8302f6dd19d1184f1a5073acd0fee952a0ac6b47e21de26611cef1d

Download Submit
\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE
Filesize
658KB

MD5
efa6a56bc92b0d9e88d95bdeae626fca

SHA1
99a1864c799f9c79ac646c9bdab868ba55fc7029

SHA256
d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6

SHA512
439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0

Download Submit
\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE
Filesize
658KB

MD5
efa6a56bc92b0d9e88d95bdeae626fca

SHA1
99a1864c799f9c79ac646c9bdab868ba55fc7029

SHA256
d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6

SHA512
439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0

Download Submit
\Users\Admin\AppData\Roaming\JavaCrashHandle.exe
Filesize
126KB

MD5
3c9ca31b4d07143cc51a965fa8cd7ee8

SHA1
f1b83c2ba9955c15d2620b73a42ed92db8b49d49

SHA256
605264d2d678094d93a7b38c4539cd940fadd22dfd3b79b03a66ba763a6b6e83

SHA512
6fad52177e472ed144f1be46a4e5729f04e42774d92531e091f5c99246f170c9057566caa8302f6dd19d1184f1a5073acd0fee952a0ac6b47e21de26611cef1d

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
658KB

MD5
efa6a56bc92b0d9e88d95bdeae626fca

SHA1
99a1864c799f9c79ac646c9bdab868ba55fc7029

SHA256
d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6

SHA512
439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
658KB

MD5
efa6a56bc92b0d9e88d95bdeae626fca

SHA1
99a1864c799f9c79ac646c9bdab868ba55fc7029

SHA256
d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6

SHA512
439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0

Download Submit
memory/268-82-0x0000000000000000-mapping.dmp

Download
memory/580-89-0x0000000000000000-mapping.dmp

Download
memory/920-84-0x0000000000000000-mapping.dmp

Download
memory/940-72-0x0000000000000000-mapping.dmp

Download
memory/1096-73-0x0000000000000000-mapping.dmp

Download
memory/1164-85-0x0000000000000000-mapping.dmp

Download
memory/1408-66-0x0000000000000000-mapping.dmp

Download
memory/1500-75-0x0000000000000000-mapping.dmp

Download
memory/1640-70-0x0000000000DA0000-0x0000000000DC6000-memory.dmp

Filesize
152KB

Download
memory/1640-60-0x0000000000000000-mapping.dmp

Download
memory/1692-78-0x0000000000000000-mapping.dmp

Download
memory/1716-98-0x0000000000F50000-0x0000000000F76000-memory.dmp

Filesize
152KB

Download
memory/1716-95-0x0000000000000000-mapping.dmp

Download
memory/1872-74-0x0000000000000000-mapping.dmp

Download
memory/1952-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/2004-90-0x0000000000000000-mapping.dmp

Download
memory/2012-69-0x00000000744B1000-0x00000000744B3000-memory.dmp

Filesize
8KB

Download
memory/2012-56-0x0000000000000000-mapping.dmp

Download