darkcomet | b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17-10-2022 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Size

28.3MB
MD5

a8c3d088e1c5ca58a0f31a08138fac05
SHA1

efc36b45cf34404dcab19e2e4d4d7073432ff546
SHA256

b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408
SHA512

e722588f9bdf7a3319b67c09316c10f8368d99f414194cfa914fefd7fbc628dd3500fd1d86169f216baf1840a4cc52b759324a82cd00f4d052a20f0fe60fc4d1
SSDEEP

786432:Y5NgWSIq8kjHIVkNXqp5jIqsL9wMkuhVGxxGM+LePAREz+UNKf:Yvp9GHIVkNap5jFC+Mkuh+GJLexTm

Score

10^/10

darkcomet sazan evasion persistence rat trojan vmprotect

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

46.1.103.13:1604

Mutex

DC_MUTEX-78WFCKJ

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
9znNAlkh1dw0
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

msdcsc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" msdcsc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	msdcsc.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Executes dropped EXE 3 IoCs

Processes:

CG_LOADER.EXEmsdcsc.exeCG_LOADER.EXE

pid process

1752 CG_LOADER.EXE
1068 msdcsc.exe
1196 CG_LOADER.EXE
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1492 attrib.exe

pid	process
1752	CG_LOADER.EXE
1068	msdcsc.exe
1196	CG_LOADER.EXE

pid	process
1492	attrib.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE	vmprotect
C:\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE	vmprotect
C:\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE	vmprotect
behavioral1/memory/1752-61-0x0000000000C10000-0x000000000279C000-memory.dmp	vmprotect
\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE	vmprotect
C:\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE	vmprotect

Loads dropped DLL 4 IoCs

Processes:

b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exemsdcsc.exe

pid	process
1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
1068	msdcsc.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 3 IoCs

Processes:

b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

CG_LOADER.EXECG_LOADER.EXEchrome.exechrome.exe

pid process

1752 CG_LOADER.EXE
1196 CG_LOADER.EXE
692 chrome.exe
2012 chrome.exe
2012 chrome.exe

pid	process
1752	CG_LOADER.EXE
1196	CG_LOADER.EXE
692	chrome.exe
2012	chrome.exe
2012	chrome.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exemsdcsc.exeCG_LOADER.EXECG_LOADER.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeSecurityPrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeTakeOwnershipPrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeLoadDriverPrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeSystemProfilePrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeSystemtimePrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeProfSingleProcessPrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeIncBasePriorityPrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeCreatePagefilePrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeBackupPrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeRestorePrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeShutdownPrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeDebugPrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeSystemEnvironmentPrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeChangeNotifyPrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeRemoteShutdownPrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeUndockPrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeManageVolumePrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeImpersonatePrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeCreateGlobalPrivilege	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: 33	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: 34	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: 35	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
Token: SeIncreaseQuotaPrivilege	1068	msdcsc.exe
Token: SeSecurityPrivilege	1068	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1068	msdcsc.exe
Token: SeLoadDriverPrivilege	1068	msdcsc.exe
Token: SeSystemProfilePrivilege	1068	msdcsc.exe
Token: SeSystemtimePrivilege	1068	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1068	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1068	msdcsc.exe
Token: SeCreatePagefilePrivilege	1068	msdcsc.exe
Token: SeBackupPrivilege	1068	msdcsc.exe
Token: SeRestorePrivilege	1068	msdcsc.exe
Token: SeShutdownPrivilege	1068	msdcsc.exe
Token: SeDebugPrivilege	1068	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1068	msdcsc.exe
Token: SeChangeNotifyPrivilege	1068	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1068	msdcsc.exe
Token: SeUndockPrivilege	1068	msdcsc.exe
Token: SeManageVolumePrivilege	1068	msdcsc.exe
Token: SeImpersonatePrivilege	1068	msdcsc.exe
Token: SeCreateGlobalPrivilege	1068	msdcsc.exe
Token: 33	1068	msdcsc.exe
Token: 34	1068	msdcsc.exe
Token: 35	1068	msdcsc.exe
Token: SeDebugPrivilege	1752	CG_LOADER.EXE
Token: SeDebugPrivilege	1196	CG_LOADER.EXE

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

1068 msdcsc.exe

pid	process
1068	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.execmd.exemsdcsc.exechrome.exe

description	pid	process	target process
PID 1280 wrote to memory of 2008	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe	cmd.exe
PID 1280 wrote to memory of 2008	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe	cmd.exe
PID 1280 wrote to memory of 2008	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe	cmd.exe
PID 1280 wrote to memory of 2008	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe	cmd.exe
PID 2008 wrote to memory of 1492	2008	cmd.exe	attrib.exe
PID 2008 wrote to memory of 1492	2008	cmd.exe	attrib.exe
PID 2008 wrote to memory of 1492	2008	cmd.exe	attrib.exe
PID 2008 wrote to memory of 1492	2008	cmd.exe	attrib.exe
PID 1280 wrote to memory of 1752	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe	CG_LOADER.EXE
PID 1280 wrote to memory of 1752	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe	CG_LOADER.EXE
PID 1280 wrote to memory of 1752	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe	CG_LOADER.EXE
PID 1280 wrote to memory of 1752	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe	CG_LOADER.EXE
PID 1280 wrote to memory of 1068	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe	msdcsc.exe
PID 1280 wrote to memory of 1068	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe	msdcsc.exe
PID 1280 wrote to memory of 1068	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe	msdcsc.exe
PID 1280 wrote to memory of 1068	1280	b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe	msdcsc.exe
PID 1068 wrote to memory of 1196	1068	msdcsc.exe	CG_LOADER.EXE
PID 1068 wrote to memory of 1196	1068	msdcsc.exe	CG_LOADER.EXE
PID 1068 wrote to memory of 1196	1068	msdcsc.exe	CG_LOADER.EXE
PID 1068 wrote to memory of 1196	1068	msdcsc.exe	CG_LOADER.EXE
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 1068 wrote to memory of 584	1068	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 816	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 816	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 816	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 316	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 316	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 316	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 316	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 316	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 316	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 316	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 316	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 316	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 316	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 316	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 316	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 316	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 316	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 316	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 316	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 316	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 316	2012	chrome.exe	chrome.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1492 attrib.exe

pid	process
1492	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe
"C:\Users\Admin\AppData\Local\Temp\b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1492

C:\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
2⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1068

C:\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefad34f50,0x7fefad34f60,0x7fefad34f70
2⤵
PID:816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1120,7957142101695089007,13098222275248961871,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1128 /prefetch:2
2⤵
PID:316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1120,7957142101695089007,13098222275248961871,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1272 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1120,7957142101695089007,13098222275248961871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1676 /prefetch:8
2⤵
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,7957142101695089007,13098222275248961871,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2000 /prefetch:1
2⤵
PID:1756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,7957142101695089007,13098222275248961871,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1
2⤵
PID:1624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,7957142101695089007,13098222275248961871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
2⤵
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1120,7957142101695089007,13098222275248961871,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3268 /prefetch:2
2⤵
PID:1228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1120,7957142101695089007,13098222275248961871,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
2⤵
PID:1424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,7957142101695089007,13098222275248961871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3396 /prefetch:8
2⤵
PID:2100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,7957142101695089007,13098222275248961871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3600 /prefetch:8
2⤵
PID:2108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1120,7957142101695089007,13098222275248961871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1508 /prefetch:8
2⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1120,7957142101695089007,13098222275248961871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
2⤵
PID:2304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE
Filesize
27.6MB

MD5
345fc46071de77ab039482051ef3fcff

SHA1
e9e3ace58241d3c4531ac0093579c99a88276751

SHA256
6f956e7712bbe4387bb2d7b5028bd7cae4927cf3212b98e3a8cce127cd4e9cb0

SHA512
a6d11fab37c1e464f9a9e10324456b20da72cbb74079983919d4f27fd8b750233af03ef46677f6b85aa0a8fe7f15c4688e7883903e345da044055f3b68097081

Download Submit
C:\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE
Filesize
27.6MB

MD5
345fc46071de77ab039482051ef3fcff

SHA1
e9e3ace58241d3c4531ac0093579c99a88276751

SHA256
6f956e7712bbe4387bb2d7b5028bd7cae4927cf3212b98e3a8cce127cd4e9cb0

SHA512
a6d11fab37c1e464f9a9e10324456b20da72cbb74079983919d4f27fd8b750233af03ef46677f6b85aa0a8fe7f15c4688e7883903e345da044055f3b68097081

Download Submit
C:\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE
Filesize
27.6MB

MD5
345fc46071de77ab039482051ef3fcff

SHA1
e9e3ace58241d3c4531ac0093579c99a88276751

SHA256
6f956e7712bbe4387bb2d7b5028bd7cae4927cf3212b98e3a8cce127cd4e9cb0

SHA512
a6d11fab37c1e464f9a9e10324456b20da72cbb74079983919d4f27fd8b750233af03ef46677f6b85aa0a8fe7f15c4688e7883903e345da044055f3b68097081

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
28.3MB

MD5
a8c3d088e1c5ca58a0f31a08138fac05

SHA1
efc36b45cf34404dcab19e2e4d4d7073432ff546

SHA256
b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408

SHA512
e722588f9bdf7a3319b67c09316c10f8368d99f414194cfa914fefd7fbc628dd3500fd1d86169f216baf1840a4cc52b759324a82cd00f4d052a20f0fe60fc4d1

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
28.3MB

MD5
a8c3d088e1c5ca58a0f31a08138fac05

SHA1
efc36b45cf34404dcab19e2e4d4d7073432ff546

SHA256
b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408

SHA512
e722588f9bdf7a3319b67c09316c10f8368d99f414194cfa914fefd7fbc628dd3500fd1d86169f216baf1840a4cc52b759324a82cd00f4d052a20f0fe60fc4d1

Download Submit
\??\pipe\crashpad_2012_ZBLKTTQJKANXMHAV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE
Filesize
27.6MB

MD5
345fc46071de77ab039482051ef3fcff

SHA1
e9e3ace58241d3c4531ac0093579c99a88276751

SHA256
6f956e7712bbe4387bb2d7b5028bd7cae4927cf3212b98e3a8cce127cd4e9cb0

SHA512
a6d11fab37c1e464f9a9e10324456b20da72cbb74079983919d4f27fd8b750233af03ef46677f6b85aa0a8fe7f15c4688e7883903e345da044055f3b68097081

Download Submit
\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE
Filesize
27.6MB

MD5
345fc46071de77ab039482051ef3fcff

SHA1
e9e3ace58241d3c4531ac0093579c99a88276751

SHA256
6f956e7712bbe4387bb2d7b5028bd7cae4927cf3212b98e3a8cce127cd4e9cb0

SHA512
a6d11fab37c1e464f9a9e10324456b20da72cbb74079983919d4f27fd8b750233af03ef46677f6b85aa0a8fe7f15c4688e7883903e345da044055f3b68097081

Download Submit
\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
28.3MB

MD5
a8c3d088e1c5ca58a0f31a08138fac05

SHA1
efc36b45cf34404dcab19e2e4d4d7073432ff546

SHA256
b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408

SHA512
e722588f9bdf7a3319b67c09316c10f8368d99f414194cfa914fefd7fbc628dd3500fd1d86169f216baf1840a4cc52b759324a82cd00f4d052a20f0fe60fc4d1

Download Submit
\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
28.3MB

MD5
a8c3d088e1c5ca58a0f31a08138fac05

SHA1
efc36b45cf34404dcab19e2e4d4d7073432ff546

SHA256
b6e8f0a74f60902d4704b8ffc1809eef7d8a6b84b3115567d279ce05d2b94408

SHA512
e722588f9bdf7a3319b67c09316c10f8368d99f414194cfa914fefd7fbc628dd3500fd1d86169f216baf1840a4cc52b759324a82cd00f4d052a20f0fe60fc4d1

Download Submit
memory/584-71-0x0000000000000000-mapping.dmp

Download
memory/1068-64-0x0000000000000000-mapping.dmp

Download
memory/1196-69-0x0000000000000000-mapping.dmp

Download
memory/1196-75-0x0000000006F00000-0x0000000007C78000-memory.dmp

Filesize
13.5MB

Download
memory/1196-77-0x0000000000570000-0x00000000005B4000-memory.dmp

Filesize
272KB

Download
memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1492-56-0x0000000000000000-mapping.dmp

Download
memory/1752-61-0x0000000000C10000-0x000000000279C000-memory.dmp

Filesize
27.5MB

Download
memory/1752-58-0x0000000000000000-mapping.dmp

Download
memory/1752-76-0x0000000009D30000-0x000000000AAAA000-memory.dmp

Filesize
13.5MB

Download
memory/2008-55-0x0000000000000000-mapping.dmp

Download