darkcomet | edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d

Analysis

max time kernel
96s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Size

772KB
MD5

a1613b044cd3b96c095bb159d974fdd0
SHA1

a00a19578d0ce9b20c41b286710ea23119c73dd5
SHA256

edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d
SHA512

8271a6d7523f8ab73e41d9beae3cef90aeb17c5be12f8f85a5505acd4ddc70d5a1496481a231dc213bacb2d6b3c5a7e39d5e50009ed8529468cd37e3fde71a0d
SSDEEP

12288:2aQX8+MJfkLHpEs4HUY7jYrFOzUnEPO4hYMaEw8HEPvoSrtrcL0Sn39K8AhHCBw:hQX8idEsSlzUnEPOc/wyEPTBc344

Score

10^/10

darkcomet guest persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest

poorme.no-ip.biz:2000

Mutex

DC_MUTEX-V7D2UFA

Attributes

InstallPath
MSDCSC\Nod32.exe
gencode
1DkFyWqFtAml
install
true
offline_keylogger
false
persistence
true
reg_key
cmD

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\Nod32.exe,C:\\Windows\\system32\\MSDCSC\\1DkFyWqFtAml\\Nod32.exe,C:\\Windows\\system32\\MSDCSC\\1DkFyWqFtAml\\1DkFyWqFtAml\\Nod32.exe,C:\\Windows\\system32\\MSDCSC\\1DkFyWqFtAml\\Nod32.exe"	Nod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\Nod32.exe,C:\\Windows\\system32\\MSDCSC\\1DkFyWqFtAml\\Nod32.exe,C:\\Windows\\system32\\MSDCSC\\1DkFyWqFtAml\\1DkFyWqFtAml\\Nod32.exe,C:\\Windows\\system32\\MSDCSC\\1DkFyWqFtAml\\Nod32.exe,C:\\Windows\\system32\\MSDCSC\\1DkFyWqFtAml\\1DkFyWqFtAml\\Nod32.exe"	Nod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\Nod32.exe"	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\Nod32.exe,C:\\Windows\\system32\\MSDCSC\\1DkFyWqFtAml\\Nod32.exe"	Nod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\Nod32.exe,C:\\Windows\\system32\\MSDCSC\\1DkFyWqFtAml\\Nod32.exe,C:\\Windows\\system32\\MSDCSC\\1DkFyWqFtAml\\1DkFyWqFtAml\\Nod32.exe"	Nod32.exe

Executes dropped EXE 10 IoCs

pid	Process
4988	ANTIDOTE8VX_PATCHER.EXE
3208	Nod32.exe
1328	ANTIDOTE8VX_PATCHER.EXE
1140	Nod32.exe
3552	ANTIDOTE8VX_PATCHER.EXE
3728	Nod32.exe
1852	ANTIDOTE8VX_PATCHER.EXE
532	Nod32.exe
1028	ANTIDOTE8VX_PATCHER.EXE
216	Nod32.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Nod32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Nod32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Nod32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Nod32.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmD = "C:\\Windows\\system32\\MSDCSC\\1DkFyWqFtAml\\Nod32.exe"	Nod32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmD = "C:\\Windows\\system32\\MSDCSC\\1DkFyWqFtAml\\1DkFyWqFtAml\\Nod32.exe"	Nod32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmD = "C:\\Windows\\system32\\MSDCSC\\1DkFyWqFtAml\\Nod32.exe"	Nod32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmD = "C:\\Windows\\system32\\MSDCSC\\1DkFyWqFtAml\\1DkFyWqFtAml\\Nod32.exe"	Nod32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmD = "C:\\Windows\\system32\\MSDCSC\\Nod32.exe"	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MSDCSC\Nod32.exe	Nod32.exe
File created	C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\Nod32.exe	Nod32.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\	Nod32.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\Nod32.exe	Nod32.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\	Nod32.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\1DkFyWqFtAml\Nod32.exe	Nod32.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\1DkFyWqFtAml\	Nod32.exe
File created	C:\Windows\SysWOW64\MSDCSC\Nod32.exe	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\Nod32.exe	Nod32.exe
File created	C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\Nod32.exe	Nod32.exe
File created	C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\1DkFyWqFtAml\Nod32.exe	Nod32.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\1DkFyWqFtAml\	Nod32.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\1DkFyWqFtAml\Nod32.exe	Nod32.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Nod32.exe	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
File created	C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\Nod32.exe	Nod32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Nod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Nod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Nod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Nod32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeSecurityPrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeTakeOwnershipPrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeLoadDriverPrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeSystemProfilePrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeSystemtimePrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeProfSingleProcessPrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeIncBasePriorityPrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeCreatePagefilePrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeBackupPrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeRestorePrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeShutdownPrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeDebugPrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeSystemEnvironmentPrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeChangeNotifyPrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeRemoteShutdownPrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeUndockPrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeManageVolumePrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeImpersonatePrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeCreateGlobalPrivilege	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: 33	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: 34	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: 35	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: 36	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
Token: SeIncreaseQuotaPrivilege	3208	Nod32.exe
Token: SeSecurityPrivilege	3208	Nod32.exe
Token: SeTakeOwnershipPrivilege	3208	Nod32.exe
Token: SeLoadDriverPrivilege	3208	Nod32.exe
Token: SeSystemProfilePrivilege	3208	Nod32.exe
Token: SeSystemtimePrivilege	3208	Nod32.exe
Token: SeProfSingleProcessPrivilege	3208	Nod32.exe
Token: SeIncBasePriorityPrivilege	3208	Nod32.exe
Token: SeCreatePagefilePrivilege	3208	Nod32.exe
Token: SeBackupPrivilege	3208	Nod32.exe
Token: SeRestorePrivilege	3208	Nod32.exe
Token: SeShutdownPrivilege	3208	Nod32.exe
Token: SeDebugPrivilege	3208	Nod32.exe
Token: SeSystemEnvironmentPrivilege	3208	Nod32.exe
Token: SeChangeNotifyPrivilege	3208	Nod32.exe
Token: SeRemoteShutdownPrivilege	3208	Nod32.exe
Token: SeUndockPrivilege	3208	Nod32.exe
Token: SeManageVolumePrivilege	3208	Nod32.exe
Token: SeImpersonatePrivilege	3208	Nod32.exe
Token: SeCreateGlobalPrivilege	3208	Nod32.exe
Token: 33	3208	Nod32.exe
Token: 34	3208	Nod32.exe
Token: 35	3208	Nod32.exe
Token: 36	3208	Nod32.exe
Token: SeIncreaseQuotaPrivilege	1140	Nod32.exe
Token: SeSecurityPrivilege	1140	Nod32.exe
Token: SeTakeOwnershipPrivilege	1140	Nod32.exe
Token: SeLoadDriverPrivilege	1140	Nod32.exe
Token: SeSystemProfilePrivilege	1140	Nod32.exe
Token: SeSystemtimePrivilege	1140	Nod32.exe
Token: SeProfSingleProcessPrivilege	1140	Nod32.exe
Token: SeIncBasePriorityPrivilege	1140	Nod32.exe
Token: SeCreatePagefilePrivilege	1140	Nod32.exe
Token: SeBackupPrivilege	1140	Nod32.exe
Token: SeRestorePrivilege	1140	Nod32.exe
Token: SeShutdownPrivilege	1140	Nod32.exe
Token: SeDebugPrivilege	1140	Nod32.exe
Token: SeSystemEnvironmentPrivilege	1140	Nod32.exe
Token: SeChangeNotifyPrivilege	1140	Nod32.exe
Token: SeRemoteShutdownPrivilege	1140	Nod32.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4988	ANTIDOTE8VX_PATCHER.EXE
4988	ANTIDOTE8VX_PATCHER.EXE
1328	ANTIDOTE8VX_PATCHER.EXE
1328	ANTIDOTE8VX_PATCHER.EXE
3552	ANTIDOTE8VX_PATCHER.EXE
3552	ANTIDOTE8VX_PATCHER.EXE
1852	ANTIDOTE8VX_PATCHER.EXE
1852	ANTIDOTE8VX_PATCHER.EXE
1028	ANTIDOTE8VX_PATCHER.EXE
1028	ANTIDOTE8VX_PATCHER.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 4988	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe	81
PID 4920 wrote to memory of 4988	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe	81
PID 4920 wrote to memory of 4988	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe	81
PID 4920 wrote to memory of 3208	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe	82
PID 4920 wrote to memory of 3208	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe	82
PID 4920 wrote to memory of 3208	4920	edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe	82
PID 3208 wrote to memory of 1328	3208	Nod32.exe	83
PID 3208 wrote to memory of 1328	3208	Nod32.exe	83
PID 3208 wrote to memory of 1328	3208	Nod32.exe	83
PID 3208 wrote to memory of 1140	3208	Nod32.exe	84
PID 3208 wrote to memory of 1140	3208	Nod32.exe	84
PID 3208 wrote to memory of 1140	3208	Nod32.exe	84
PID 1140 wrote to memory of 3552	1140	Nod32.exe	85
PID 1140 wrote to memory of 3552	1140	Nod32.exe	85
PID 1140 wrote to memory of 3552	1140	Nod32.exe	85
PID 1140 wrote to memory of 3728	1140	Nod32.exe	86
PID 1140 wrote to memory of 3728	1140	Nod32.exe	86
PID 1140 wrote to memory of 3728	1140	Nod32.exe	86
PID 3728 wrote to memory of 1852	3728	Nod32.exe	87
PID 3728 wrote to memory of 1852	3728	Nod32.exe	87
PID 3728 wrote to memory of 1852	3728	Nod32.exe	87
PID 3728 wrote to memory of 532	3728	Nod32.exe	88
PID 3728 wrote to memory of 532	3728	Nod32.exe	88
PID 3728 wrote to memory of 532	3728	Nod32.exe	88
PID 532 wrote to memory of 1028	532	Nod32.exe	89
PID 532 wrote to memory of 1028	532	Nod32.exe	89
PID 532 wrote to memory of 1028	532	Nod32.exe	89
PID 532 wrote to memory of 216	532	Nod32.exe	90
PID 532 wrote to memory of 216	532	Nod32.exe	90
PID 532 wrote to memory of 216	532	Nod32.exe	90

C:\Users\Admin\AppData\Local\Temp\edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe
"C:\Users\Admin\AppData\Local\Temp\edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Users\Admin\AppData\Local\Temp\ANTIDOTE8VX_PATCHER.EXE
  "C:\Users\Admin\AppData\Local\Temp\ANTIDOTE8VX_PATCHER.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4988
- C:\Windows\SysWOW64\MSDCSC\Nod32.exe
  "C:\Windows\system32\MSDCSC\Nod32.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Users\Admin\AppData\Local\Temp\ANTIDOTE8VX_PATCHER.EXE
    "C:\Users\Admin\AppData\Local\Temp\ANTIDOTE8VX_PATCHER.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1328
- - C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\Nod32.exe
    "C:\Windows\system32\MSDCSC\1DkFyWqFtAml\Nod32.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\ANTIDOTE8VX_PATCHER.EXE
      "C:\Users\Admin\AppData\Local\Temp\ANTIDOTE8VX_PATCHER.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3552
  - - C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\1DkFyWqFtAml\Nod32.exe
      "C:\Windows\system32\MSDCSC\1DkFyWqFtAml\1DkFyWqFtAml\Nod32.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Checks computer location settings
      Adds Run key to start application
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3728
    - - C:\Users\Admin\AppData\Local\Temp\ANTIDOTE8VX_PATCHER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\ANTIDOTE8VX_PATCHER.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1852
    - - C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\Nod32.exe
        
        "C:\Windows\system32\MSDCSC\1DkFyWqFtAml\Nod32.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
      - C:\Users\Admin\AppData\Local\Temp\ANTIDOTE8VX_PATCHER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\ANTIDOTE8VX_PATCHER.EXE"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1028
      - C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\1DkFyWqFtAml\Nod32.exe
        
        "C:\Windows\system32\MSDCSC\1DkFyWqFtAml\1DkFyWqFtAml\Nod32.exe"
        6⤵
        Executes dropped EXE
        
        PID:216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jI82l\PCG.LI6

Filesize
3KB

MD5
0e37efe3dd0d40f2f325cf64d43b279b

SHA1
d1cc2705c793e04705daca62f8abd3edd9d9e75a

SHA256
752d40695f51ebb9902e16e168fc276ce3671f1b0b14c03880b277089a323691

SHA512
049fc00585ee4dc9e33956d34f6ec2033c746b6f5bbd3bc00a51dc3d669a5ea311eecf33a28b37e6547ddbc8968754c58a082c65b272b34b9c9eb483ae663123

Download Submit
C:\ProgramData\jI82l\PCG.LI6

Filesize
3KB

MD5
20ac0ea76bf5a021978c4cc3f124c94f

SHA1
00d69458067fef3a46436c7c0a7701f2d3bf04a9

SHA256
0888d61b6d9ef3f7d47bc6a7f2f32bb01cafb4ecaaab49e15188358874d9122d

SHA512
6bad601f21da1a087529df99e4a8b560c1b7e6df9408c83b241f16d55093310a8e74147a10dacfaccbc2ff0c4339aec5ae5bacb653eaf2785223ed2f4c186eb8

Download Submit
C:\ProgramData\jI82l\PCG.LI6

Filesize
3KB

MD5
5dee61be6bc4a65d8f3e3eda0bd63971

SHA1
66df401fb4e8b623853416fb9b99cd0e56fbb62e

SHA256
f246f8a62a117f09c868ef93a114db44a19391941fe139b3347d2ee70c765f78

SHA512
fee48127b67f20423b8120bbd776c1f1dd5885418b0fb64b9aba5c4ba0bdcffe88cdfc5fbf736cd88d9ecf150ef04ba98b187a10beae3544ee30948dec786d26

Download Submit
C:\ProgramData\jI82l\PCG.LI6

Filesize
3KB

MD5
f33780f7e55f2d4b49602c961d26f015

SHA1
c77defa8e1c1a66f1d71f71a7c6cd370f1163618

SHA256
3a7d9333291a9d97125024c03a4c2d27492a37be9ed2cd1edffee077ec094816

SHA512
df51af42ec4da739cad0436a02df2135f0575a485137c8d7449250e31a184ef5ab74dfbb6cfe44bba8a0db85178d7252becd4c8e2ff55813dff1f4e54a8d808c

Download Submit
C:\ProgramData\jI82l\PCG.LI6

Filesize
3KB

MD5
cee2696ec2a99388cebeaddd38c42be8

SHA1
2bd7ea2f0c300fafc0350ec080d2b1d5cdc28eb9

SHA256
93da069f8433c7a7f5fc79b045e459558da073500e08c5789b674814b3b827b5

SHA512
7e2aaa83eb2058a727cdf7fbeae1a4ccfb0b1edb759d4f81ab62b1eccc8252dd14fef1454ae8dc9bd81ef30058e8ced07e7adc095f6dfc2181383d491e569ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANTIDOTE8VX_PATCHER.EXE

Filesize
12KB

MD5
18116d4edefb89dc09e4b65a861bfb17

SHA1
ff7ebd5221868e7f1bdf78340cae7d45af1c2cb6

SHA256
a3e8b7f48d25c8060ec90122c2c60ffc445c2f8e3976431012dba42de001ea01

SHA512
39262dfd2f4f8d3a55252f186b18319cab0d5b21402e5f13fe4e22eaa58ad954700cff957012f7cba8ed1b055d39a34477d8dc2646b5ddbd03bc2de52c2301b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANTIDOTE8VX_PATCHER.EXE

Filesize
12KB

MD5
18116d4edefb89dc09e4b65a861bfb17

SHA1
ff7ebd5221868e7f1bdf78340cae7d45af1c2cb6

SHA256
a3e8b7f48d25c8060ec90122c2c60ffc445c2f8e3976431012dba42de001ea01

SHA512
39262dfd2f4f8d3a55252f186b18319cab0d5b21402e5f13fe4e22eaa58ad954700cff957012f7cba8ed1b055d39a34477d8dc2646b5ddbd03bc2de52c2301b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANTIDOTE8VX_PATCHER.EXE

Filesize
12KB

MD5
18116d4edefb89dc09e4b65a861bfb17

SHA1
ff7ebd5221868e7f1bdf78340cae7d45af1c2cb6

SHA256
a3e8b7f48d25c8060ec90122c2c60ffc445c2f8e3976431012dba42de001ea01

SHA512
39262dfd2f4f8d3a55252f186b18319cab0d5b21402e5f13fe4e22eaa58ad954700cff957012f7cba8ed1b055d39a34477d8dc2646b5ddbd03bc2de52c2301b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANTIDOTE8VX_PATCHER.EXE

Filesize
12KB

MD5
18116d4edefb89dc09e4b65a861bfb17

SHA1
ff7ebd5221868e7f1bdf78340cae7d45af1c2cb6

SHA256
a3e8b7f48d25c8060ec90122c2c60ffc445c2f8e3976431012dba42de001ea01

SHA512
39262dfd2f4f8d3a55252f186b18319cab0d5b21402e5f13fe4e22eaa58ad954700cff957012f7cba8ed1b055d39a34477d8dc2646b5ddbd03bc2de52c2301b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANTIDOTE8VX_PATCHER.EXE

Filesize
12KB

MD5
18116d4edefb89dc09e4b65a861bfb17

SHA1
ff7ebd5221868e7f1bdf78340cae7d45af1c2cb6

SHA256
a3e8b7f48d25c8060ec90122c2c60ffc445c2f8e3976431012dba42de001ea01

SHA512
39262dfd2f4f8d3a55252f186b18319cab0d5b21402e5f13fe4e22eaa58ad954700cff957012f7cba8ed1b055d39a34477d8dc2646b5ddbd03bc2de52c2301b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANTIDOTE8VX_PATCHER.EXE

Filesize
12KB

MD5
18116d4edefb89dc09e4b65a861bfb17

SHA1
ff7ebd5221868e7f1bdf78340cae7d45af1c2cb6

SHA256
a3e8b7f48d25c8060ec90122c2c60ffc445c2f8e3976431012dba42de001ea01

SHA512
39262dfd2f4f8d3a55252f186b18319cab0d5b21402e5f13fe4e22eaa58ad954700cff957012f7cba8ed1b055d39a34477d8dc2646b5ddbd03bc2de52c2301b6

Download Submit
C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\1DkFyWqFtAml\Nod32.exe

Filesize
772KB

MD5
a1613b044cd3b96c095bb159d974fdd0

SHA1
a00a19578d0ce9b20c41b286710ea23119c73dd5

SHA256
edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d

SHA512
8271a6d7523f8ab73e41d9beae3cef90aeb17c5be12f8f85a5505acd4ddc70d5a1496481a231dc213bacb2d6b3c5a7e39d5e50009ed8529468cd37e3fde71a0d

Download Submit
C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\1DkFyWqFtAml\Nod32.exe

Filesize
772KB

MD5
a1613b044cd3b96c095bb159d974fdd0

SHA1
a00a19578d0ce9b20c41b286710ea23119c73dd5

SHA256
edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d

SHA512
8271a6d7523f8ab73e41d9beae3cef90aeb17c5be12f8f85a5505acd4ddc70d5a1496481a231dc213bacb2d6b3c5a7e39d5e50009ed8529468cd37e3fde71a0d

Download Submit
C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\1DkFyWqFtAml\Nod32.exe

Filesize
772KB

MD5
a1613b044cd3b96c095bb159d974fdd0

SHA1
a00a19578d0ce9b20c41b286710ea23119c73dd5

SHA256
edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d

SHA512
8271a6d7523f8ab73e41d9beae3cef90aeb17c5be12f8f85a5505acd4ddc70d5a1496481a231dc213bacb2d6b3c5a7e39d5e50009ed8529468cd37e3fde71a0d

Download Submit
C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\Nod32.exe

Filesize
772KB

MD5
a1613b044cd3b96c095bb159d974fdd0

SHA1
a00a19578d0ce9b20c41b286710ea23119c73dd5

SHA256
edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d

SHA512
8271a6d7523f8ab73e41d9beae3cef90aeb17c5be12f8f85a5505acd4ddc70d5a1496481a231dc213bacb2d6b3c5a7e39d5e50009ed8529468cd37e3fde71a0d

Download Submit
C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\Nod32.exe

Filesize
772KB

MD5
a1613b044cd3b96c095bb159d974fdd0

SHA1
a00a19578d0ce9b20c41b286710ea23119c73dd5

SHA256
edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d

SHA512
8271a6d7523f8ab73e41d9beae3cef90aeb17c5be12f8f85a5505acd4ddc70d5a1496481a231dc213bacb2d6b3c5a7e39d5e50009ed8529468cd37e3fde71a0d

Download Submit
C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\Nod32.exe

Filesize
772KB

MD5
a1613b044cd3b96c095bb159d974fdd0

SHA1
a00a19578d0ce9b20c41b286710ea23119c73dd5

SHA256
edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d

SHA512
8271a6d7523f8ab73e41d9beae3cef90aeb17c5be12f8f85a5505acd4ddc70d5a1496481a231dc213bacb2d6b3c5a7e39d5e50009ed8529468cd37e3fde71a0d

Download Submit
C:\Windows\SysWOW64\MSDCSC\1DkFyWqFtAml\Nod32.exe

Filesize
772KB

MD5
a1613b044cd3b96c095bb159d974fdd0

SHA1
a00a19578d0ce9b20c41b286710ea23119c73dd5

SHA256
edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d

SHA512
8271a6d7523f8ab73e41d9beae3cef90aeb17c5be12f8f85a5505acd4ddc70d5a1496481a231dc213bacb2d6b3c5a7e39d5e50009ed8529468cd37e3fde71a0d

Download Submit
C:\Windows\SysWOW64\MSDCSC\Nod32.exe

Filesize
772KB

MD5
a1613b044cd3b96c095bb159d974fdd0

SHA1
a00a19578d0ce9b20c41b286710ea23119c73dd5

SHA256
edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d

SHA512
8271a6d7523f8ab73e41d9beae3cef90aeb17c5be12f8f85a5505acd4ddc70d5a1496481a231dc213bacb2d6b3c5a7e39d5e50009ed8529468cd37e3fde71a0d

Download Submit
C:\Windows\SysWOW64\MSDCSC\Nod32.exe

Filesize
772KB

MD5
a1613b044cd3b96c095bb159d974fdd0

SHA1
a00a19578d0ce9b20c41b286710ea23119c73dd5

SHA256
edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d

SHA512
8271a6d7523f8ab73e41d9beae3cef90aeb17c5be12f8f85a5505acd4ddc70d5a1496481a231dc213bacb2d6b3c5a7e39d5e50009ed8529468cd37e3fde71a0d

Download Submit
memory/216-172-0x0000000000000000-mapping.dmp

Download
memory/216-176-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/216-180-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/532-167-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/532-163-0x0000000000000000-mapping.dmp

Download
memory/532-174-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1028-182-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1028-169-0x0000000000000000-mapping.dmp

Download
memory/1028-171-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1140-157-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1140-153-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1140-146-0x0000000000000000-mapping.dmp

Download
memory/1328-142-0x0000000000000000-mapping.dmp

Download
memory/1328-144-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1328-178-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1852-159-0x0000000000000000-mapping.dmp

Download
memory/1852-181-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1852-161-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3208-137-0x0000000000000000-mapping.dmp

Download
memory/3208-145-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/3552-150-0x0000000000000000-mapping.dmp

Download
memory/3552-179-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3552-152-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3728-154-0x0000000000000000-mapping.dmp

Download
memory/3728-165-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/3728-162-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/4920-132-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/4920-140-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/4988-136-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4988-177-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4988-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads