Analysis
max time kernel: 152s
max time network: 133s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2022, 04:45
Static task: static1
Behavioral task: behavioral1
Sample: fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe
Resource: win7-20220812-en
General
Target: fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe
Size: 759KB
MD5: 4e58165e216a9be463352e13034e58c0
SHA1: b48e3c4958f83798a4dcbf96a793fbb2a5960d8f
SHA256: fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f
SHA512: c09b3bc0cd586a3327e0f2732a11d5dbb60b9007234066677fa496f54057bb0d19e86f378a472e50ae00aae2ccd755fa5f468947c94667fd65ea413f165078d8
SSDEEP: 12288:SphltQO6QBtpRgvCUBv40cbBcHEihhcmN2FanJTz7nRcsC2wgWiVWLfq1b:SLWvCUBA0cbFihBX9msC2wgbYLSb
Malware Config
Extracted
family: darkcomet
id: Guest16
c2: enrispony.no-ip.biz:1604
mutex: DC_MUTEX-2VS027H
gencode: y1yFesyf2sa7
install: false
offline_keylogger: true
persistence: false
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe)

Modifies security service (2 TTPs, 1 IoCs)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe)
Windows security bypass
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe)
Disables RegEdit via registry modification (1 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe)
Disables Task Manager via registry modification
-
Executes dropped EXE (1 IoCs)
- PID 1804: fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe
Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
- PID 960: attrib.exe
- PID 1164: attrib.exe
Drops startup file (1 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe)
Loads dropped DLL (1 IoCs)
- PID 1096: fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe

Windows security modification
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe)
Suspicious use of SetThreadContext (2 IoCs)
- PID 1096 (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe) set thread context of PID 760 (procid_target 28)
- PID 1096 (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe) set thread context of PID 1804 (procid_target 31)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
All keys below are relative to \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer; the process is iexplore.exe unless noted.
- Key created: \Zoom
- Key created: \DomainSuggestion\FileNames\
- Key created: \DomainSuggestion
- Set value (int): \Recovery\PendingRecovery\AdminActive = "0"
- Key created: \LowRegistry\DontShowMeThisDialogAgain
- Key created: \Toolbar\WebBrowser
- Key created: \DomainSuggestion\FileNames
- Key created: \Toolbar
- Set value (int): \Main\CompatibilityFlags = "0"
- Key created: \Recovery\PendingRecovery
- Set value (str): \DomainSuggestion\FileNames\en-US = "en-US.1"
- Key created: \BrowserEmulation\LowMic
- Key created: \IntelliForms
- Key created: \PageSetup
- Key created: \LowRegistry
- Key created: \Main\WindowsSearch
- Set value (int): \DomainSuggestion\NextUpdateDate = "372242560"
- Key created: \Main
- Key created: \GPU
- Set value (int): \Recovery\AdminActive\{355C00F1-4940-11ED-B51C-6E705F4A26E5} = "0"
- Set value (str): \Main\FullScreen = "no"
- Key created: \InternetRegistry
- Key created: \LowRegistry\DOMStorage
- Set value (str): \Main\WindowsSearch\Version = "WS not running"
- Key created: \Main (IEXPLORE.EXE)
- Key created: \IETld\LowMic
- Key created: \Recovery\AdminActive
- Set value (data): \Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (1 IoCs)
- PID 1096: fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- PID 1804: fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
All 23 entries are for PID 1804 (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe), which adjusted the following token privileges:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeChangeNotifyPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- SeImpersonatePrivilege
- SeCreateGlobalPrivilege
- 33
- 34
- 35
Suspicious use of FindShellTrayWindow (1 IoCs)
- PID 760: iexplore.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
- PID 1804: fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe
- PID 760: iexplore.exe (2 entries)
- PID 1248: IEXPLORE.EXE (4 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Repeated identical entries are collapsed; each line gives source PID (process), target PID, the sandbox procid_target index, and how many times the entry appears.
- 1096 (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe) wrote to memory of 1472, procid_target 26: 4 entries
- 1472 (cmd.exe) wrote to memory of 1744, procid_target 29: 4 entries
- 1096 (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe) wrote to memory of 760, procid_target 28: 12 entries
- 1744 (net.exe) wrote to memory of 888, procid_target 30: 4 entries
- 1096 (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe) wrote to memory of 1804, procid_target 31: 13 entries
- 1804 (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe) wrote to memory of 1084, procid_target 33: 4 entries
- 1804 (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe) wrote to memory of 976, procid_target 35: 4 entries
- 976 (cmd.exe) wrote to memory of 960, procid_target 39: 4 entries
- 1084 (cmd.exe) wrote to memory of 1164, procid_target 38: 4 entries
- 1804 (fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe) wrote to memory of 1688, procid_target 37: 11 entries
Views/modifies file attributes (1 TTPs, 2 IoCs)
- PID 960: attrib.exe
- PID 1164: attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe (PID 1096)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1472)
      Command line: /c net stop MpsSvc
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe (PID 1744)
          Command line: net stop MpsSvc
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\net1.exe (PID 888)
              Command line: C:\Windows\system32\net1 stop MpsSvc

    C:\Program Files\Internet Explorer\iexplore.exe (PID 760)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1248)
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:760 CREDAT:275457 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe (PID 1804)
      Command line: C:\Users\Admin\AppData\Local\Temp\fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 1084)
          Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe" +s +h
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\attrib.exe (PID 1164)
              Command line: attrib "C:\Users\Admin\AppData\Local\Temp\fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe" +s +h
              - Sets file to hidden
              - Views/modifies file attributes

        C:\Windows\SysWOW64\cmd.exe (PID 976)
          Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\attrib.exe (PID 960)
              Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
              - Sets file to hidden
              - Views/modifies file attributes

        C:\Windows\SysWOW64\notepad.exe (PID 1688)
          Command line: notepad
Downloads

C:\Users\Admin\AppData\Local\Temp\fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe
Filesize: 759KB
MD5: 4e58165e216a9be463352e13034e58c0
SHA1: b48e3c4958f83798a4dcbf96a793fbb2a5960d8f
SHA256: fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f
SHA512: c09b3bc0cd586a3327e0f2732a11d5dbb60b9007234066677fa496f54057bb0d19e86f378a472e50ae00aae2ccd755fa5f468947c94667fd65ea413f165078d8

Filesize: 597B
MD5: 1c0c8f90b78ce6889208b17996e83ff6
SHA1: e1e8580ff0b2a7d3f846426e2a6529916767d0b6
SHA256: 4be9cc111a0400652520ba29d6ab22d95f88e531cc2cf29578b7ce303a64a2af
SHA512: e2bf7dfbf3dd8cab8b5411cab056128f7acb994fc25036d9757b49708e872cf6430e3bef7f8f59f55a0453d1b129b7f250bed5172e7578baa6575c92ae1add5a

\Users\Admin\AppData\Local\Temp\fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe
Filesize: 759KB
MD5: 4e58165e216a9be463352e13034e58c0
SHA1: b48e3c4958f83798a4dcbf96a793fbb2a5960d8f
SHA256: fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f
SHA512: c09b3bc0cd586a3327e0f2732a11d5dbb60b9007234066677fa496f54057bb0d19e86f378a472e50ae00aae2ccd755fa5f468947c94667fd65ea413f165078d8