Analysis

max time kernel: 130s
max time network: 159s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2022, 06:27

Static task: static1

Behavioral task: behavioral1
Sample: e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
Resource: win10v2004-20220901-en
General

Target: e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
Size: 1.1MB
MD5: 49357de181571d86ef91c9225b95b474
SHA1: 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256: e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512: 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723
SSDEEP: 24576:8MwVW5oFASygtv2/ryWLivEDT00MVq3UHr2BlKVb:8OoFASyg92T/oEDT9MVQU8ib
Malware Config

Extracted
Family: darkcomet
Botnet: Securityy ;3
C2: 89.215.253.73:1605
Mutex: DCMIN_MUTEX-V730MT7
InstallPath: DCSCMIN\IMDCSC.exe
gencode: jmPfYy0Z7wHy
install: true
offline_keylogger: true
persistence: false
reg_key: DarkComet RAT
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\DCSCMIN\\IMDCSC.exe"
  Process: e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
Executes dropped EXE (2 IoCs)
  PID 1756  e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
  PID 1700  e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
Loads dropped DLL (4 IoCs)
  PID 1940  e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
  PID 1756  e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
  PID 1700  e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
  PID 1700  e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
  All five values were set by e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe:
  1. Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"
  2. Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\DCSCMIN\\IMDCSC.exe"
  3. Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"
  4. Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"
  5. Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"
Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   process                                                                   procid_target
  PID 1940 set thread context of 996   1940  e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe  29
  PID 1940 set thread context of 1756  1940  e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe  31
  PID 1756 set thread context of 1776  1756  e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe  33
  PID 1756 set thread context of 1700  1756  e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe  36
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
  Registry keys and values under \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer created or set by iexplore.exe / IEXPLORE.EXE.
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1940  e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
  PID 1756  e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
  All 23 token adjustments were made by PID 1700 (e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 996   iexplore.exe
  PID 1776  iexplore.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
  PID 996   iexplore.exe
  PID 996   iexplore.exe
  PID 1776  iexplore.exe
  PID 1776  iexplore.exe
  PID 2020  IEXPLORE.EXE
  PID 2020  IEXPLORE.EXE
  PID 1908  IEXPLORE.EXE
  PID 1908  IEXPLORE.EXE
  PID 2020  IEXPLORE.EXE
  PID 2020  IEXPLORE.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
  The report lists 64 individual write events; the distinct writer/target pairs are:
  description                          pid   process                                                                   procid_target
  PID 1940 wrote to memory of 1488     1940  e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe  27
  PID 1940 wrote to memory of 996      1940  e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe  29
  PID 1488 wrote to memory of 1476     1488  cmd.exe                                                                   30
  PID 1940 wrote to memory of 1756     1940  e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe  31
  PID 1756 wrote to memory of 2008     1756  e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe  32
  PID 1756 wrote to memory of 1776     1756  e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe  33
  PID 2008 wrote to memory of 1684     2008  cmd.exe                                                                   35
  PID 1756 wrote to memory of 1700     1756  e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe  36
  PID 1684 wrote to memory of 1828     1684  net.exe                                                                   37
Processes

C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe  (depth 1, PID 1940)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (depth 2, PID 1488)
      Command line: /c net stop MpsSvc
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe  (depth 3, PID 1476)
          Command line: net stop MpsSvc

            C:\Windows\SysWOW64\net1.exe  (depth 4, PID 1920)
              Command line: C:\Windows\system32\net1 stop MpsSvc

    C:\Program Files\Internet Explorer\iexplore.exe  (depth 2, PID 996)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (depth 3, PID 1908)
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:996 CREDAT:275457 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe  (depth 2, PID 1756)
      Command line: C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 2008)
          Command line: /c net stop MpsSvc
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\net.exe  (depth 4, PID 1684)
              Command line: net stop MpsSvc
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\net1.exe  (depth 5, PID 1828)
                  Command line: C:\Windows\system32\net1 stop MpsSvc

        C:\Program Files\Internet Explorer\iexplore.exe  (depth 3, PID 1776)
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx

            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (depth 4, PID 2020)
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:275457 /prefetch:2
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe  (depth 3, PID 1700)
          Command line: C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
          - Modifies WinLogon for persistence
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken

            C:\DCSCMIN\IMDCSC.exe  (depth 4, PID 808)
              Command line: "C:\DCSCMIN\IMDCSC.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4F60DE61-494C-11ED-B390-DA7E66F9F45D}.dat
Filesize: 5KB
MD5: c90caf548ac0d2da88241a29c62882fc
SHA1: ed991c35d69fbbfd3231da0de2923e036fb9a4eb
SHA256: 394bffb11ce581027681f2f05f6f5823bf76538e47aed5a5dacec31f79f5e7ee
SHA512: 771e2974bd6dc98cee73ea5a6d5dbe4b421dcdf3efec9ba62ec4e1a696ca96eb0594326a07b3c13c1c53ea464b97bfacf0c60cbbe926ef26b1e42186d62ce3ee

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5329AE00-494C-11ED-B390-DA7E66F9F45D}.dat
Filesize: 3KB
MD5: 91d21db0e0cafda9d5475f5fb6627408
SHA1: 420766a367195062b1fcfca05922f2dd5eaa9aab
SHA256: e6415d9835ccafc6ae361c9f941d726954570abd113270aa3be24c50204b6d39
SHA512: 0eee044b3e658db66bfd38fe302518ff8f428227b631985c5d8036121565330fde2a1ac56f2a7f92435720e5289173ea6b95209aeb239d93dabfcc51fe554879

C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
Filesize: 1.1MB
MD5: 49357de181571d86ef91c9225b95b474
SHA1: 8f74e682dfe7072d026d88ef84f32dadaa977461
SHA256: e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
SHA512: 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723
(unnamed dropped file)
Filesize: 603B
MD5: 101a22a401f33e942d75e2cdd46b380b
SHA1: c39dccb7d5942dad34d08875df1c81f8901660be
SHA256: 191be43a8b2c3b38c4b0cc43b4acff30c417f2b047acbf3325e136f5aaa21fbf
SHA512: eabaa97fda457dab702ed002e950a80cfda04e8b965ec2ba51c82cb95398c552c737f0b9c85a09635e6fcb53a2aaa6b0e025e991831b7cf03ff4aae562b9ae0a