darkcomet | 2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1

Analysis

max time kernel
151s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
Size

1.0MB
MD5

d7dbd0670862cfb5eaca24c091ce6cdd
SHA1

754e3f28386a95391f8dc5f9eb51b176e23f4242
SHA256

2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1
SHA512

1cbb39991c836f2bc9557f1f051b01df2b040db7f7c6541b3a8a687f994e361f90a7e7c7cd2d231b9ee986816d48cc4071568f0c2ee106a1c10ee434d8510e12
SSDEEP

24576:O9poYtYhCNrGgKb6Z9pe7d+U0c/d4WwnB5UYh:O9p6xb09qdht/6zl

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

custumes.no-ip.biz:6712

Mutex

DC_MUTEX-4FXVAGJ

Attributes

gencode
aRxiGL6irJ3D
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

IpOverUsbSvrc.exeAcctres.exeIpOverUsbSvrc.exe

pid process

1088 IpOverUsbSvrc.exe
1528 Acctres.exe
1568 IpOverUsbSvrc.exe
Loads dropped DLL 3 IoCs

Processes:

2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exeIpOverUsbSvrc.exeAcctres.exe

pid process

1416 2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1088 IpOverUsbSvrc.exe
1528 Acctres.exe

pid	process
1088	IpOverUsbSvrc.exe
1528	Acctres.exe
1568	IpOverUsbSvrc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IpOverUsbSvrc.exeIpOverUsbSvrc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exeAcctres.exe

description	pid	process	target process
PID 1416 set thread context of 1892	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AppLaunch.exe
PID 1528 set thread context of 1168	1528	Acctres.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exeIpOverUsbSvrc.exeAcctres.exe

pid	process
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1088	IpOverUsbSvrc.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1088	IpOverUsbSvrc.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1088	IpOverUsbSvrc.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1088	IpOverUsbSvrc.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1088	IpOverUsbSvrc.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
1088	IpOverUsbSvrc.exe
1528	Acctres.exe
1528	Acctres.exe
1528	Acctres.exe
1528	Acctres.exe
1528	Acctres.exe
1528	Acctres.exe
1528	Acctres.exe
1528	Acctres.exe
1528	Acctres.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exeAppLaunch.exeIpOverUsbSvrc.exeAcctres.exeAppLaunch.exeIpOverUsbSvrc.exe

description	pid	process
Token: SeDebugPrivilege	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
Token: SeIncreaseQuotaPrivilege	1892	AppLaunch.exe
Token: SeSecurityPrivilege	1892	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	1892	AppLaunch.exe
Token: SeLoadDriverPrivilege	1892	AppLaunch.exe
Token: SeSystemProfilePrivilege	1892	AppLaunch.exe
Token: SeSystemtimePrivilege	1892	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	1892	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	1892	AppLaunch.exe
Token: SeCreatePagefilePrivilege	1892	AppLaunch.exe
Token: SeBackupPrivilege	1892	AppLaunch.exe
Token: SeRestorePrivilege	1892	AppLaunch.exe
Token: SeShutdownPrivilege	1892	AppLaunch.exe
Token: SeDebugPrivilege	1892	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	1892	AppLaunch.exe
Token: SeChangeNotifyPrivilege	1892	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	1892	AppLaunch.exe
Token: SeUndockPrivilege	1892	AppLaunch.exe
Token: SeManageVolumePrivilege	1892	AppLaunch.exe
Token: SeImpersonatePrivilege	1892	AppLaunch.exe
Token: SeCreateGlobalPrivilege	1892	AppLaunch.exe
Token: 33	1892	AppLaunch.exe
Token: 34	1892	AppLaunch.exe
Token: 35	1892	AppLaunch.exe
Token: SeDebugPrivilege	1088	IpOverUsbSvrc.exe
Token: SeDebugPrivilege	1528	Acctres.exe
Token: SeIncreaseQuotaPrivilege	1168	AppLaunch.exe
Token: SeSecurityPrivilege	1168	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	1168	AppLaunch.exe
Token: SeLoadDriverPrivilege	1168	AppLaunch.exe
Token: SeSystemProfilePrivilege	1168	AppLaunch.exe
Token: SeSystemtimePrivilege	1168	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	1168	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	1168	AppLaunch.exe
Token: SeCreatePagefilePrivilege	1168	AppLaunch.exe
Token: SeBackupPrivilege	1168	AppLaunch.exe
Token: SeRestorePrivilege	1168	AppLaunch.exe
Token: SeShutdownPrivilege	1168	AppLaunch.exe
Token: SeDebugPrivilege	1168	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	1168	AppLaunch.exe
Token: SeChangeNotifyPrivilege	1168	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	1168	AppLaunch.exe
Token: SeUndockPrivilege	1168	AppLaunch.exe
Token: SeManageVolumePrivilege	1168	AppLaunch.exe
Token: SeImpersonatePrivilege	1168	AppLaunch.exe
Token: SeCreateGlobalPrivilege	1168	AppLaunch.exe
Token: 33	1168	AppLaunch.exe
Token: 34	1168	AppLaunch.exe
Token: 35	1168	AppLaunch.exe
Token: SeDebugPrivilege	1568	IpOverUsbSvrc.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exeAppLaunch.exe

pid process

1912 AcroRd32.exe
1892 AppLaunch.exe
1912 AcroRd32.exe
1912 AcroRd32.exe
1912 AcroRd32.exe

pid	process
1912	AcroRd32.exe
1892	AppLaunch.exe
1912	AcroRd32.exe
1912	AcroRd32.exe
1912	AcroRd32.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exeIpOverUsbSvrc.exeAcctres.exe

description	pid	process	target process
PID 1416 wrote to memory of 1912	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AcroRd32.exe
PID 1416 wrote to memory of 1912	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AcroRd32.exe
PID 1416 wrote to memory of 1912	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AcroRd32.exe
PID 1416 wrote to memory of 1912	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AcroRd32.exe
PID 1416 wrote to memory of 1892	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AppLaunch.exe
PID 1416 wrote to memory of 1892	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AppLaunch.exe
PID 1416 wrote to memory of 1892	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AppLaunch.exe
PID 1416 wrote to memory of 1892	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AppLaunch.exe
PID 1416 wrote to memory of 1892	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AppLaunch.exe
PID 1416 wrote to memory of 1892	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AppLaunch.exe
PID 1416 wrote to memory of 1892	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AppLaunch.exe
PID 1416 wrote to memory of 1892	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AppLaunch.exe
PID 1416 wrote to memory of 1892	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AppLaunch.exe
PID 1416 wrote to memory of 1892	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AppLaunch.exe
PID 1416 wrote to memory of 1892	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AppLaunch.exe
PID 1416 wrote to memory of 1892	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AppLaunch.exe
PID 1416 wrote to memory of 1892	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AppLaunch.exe
PID 1416 wrote to memory of 1892	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AppLaunch.exe
PID 1416 wrote to memory of 1892	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AppLaunch.exe
PID 1416 wrote to memory of 1892	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	AppLaunch.exe
PID 1416 wrote to memory of 1088	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	IpOverUsbSvrc.exe
PID 1416 wrote to memory of 1088	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	IpOverUsbSvrc.exe
PID 1416 wrote to memory of 1088	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	IpOverUsbSvrc.exe
PID 1416 wrote to memory of 1088	1416	2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe	IpOverUsbSvrc.exe
PID 1088 wrote to memory of 1528	1088	IpOverUsbSvrc.exe	Acctres.exe
PID 1088 wrote to memory of 1528	1088	IpOverUsbSvrc.exe	Acctres.exe
PID 1088 wrote to memory of 1528	1088	IpOverUsbSvrc.exe	Acctres.exe
PID 1088 wrote to memory of 1528	1088	IpOverUsbSvrc.exe	Acctres.exe
PID 1528 wrote to memory of 1168	1528	Acctres.exe	AppLaunch.exe
PID 1528 wrote to memory of 1168	1528	Acctres.exe	AppLaunch.exe
PID 1528 wrote to memory of 1168	1528	Acctres.exe	AppLaunch.exe
PID 1528 wrote to memory of 1168	1528	Acctres.exe	AppLaunch.exe
PID 1528 wrote to memory of 1168	1528	Acctres.exe	AppLaunch.exe
PID 1528 wrote to memory of 1168	1528	Acctres.exe	AppLaunch.exe
PID 1528 wrote to memory of 1168	1528	Acctres.exe	AppLaunch.exe
PID 1528 wrote to memory of 1168	1528	Acctres.exe	AppLaunch.exe
PID 1528 wrote to memory of 1168	1528	Acctres.exe	AppLaunch.exe
PID 1528 wrote to memory of 1168	1528	Acctres.exe	AppLaunch.exe
PID 1528 wrote to memory of 1168	1528	Acctres.exe	AppLaunch.exe
PID 1528 wrote to memory of 1168	1528	Acctres.exe	AppLaunch.exe
PID 1528 wrote to memory of 1168	1528	Acctres.exe	AppLaunch.exe
PID 1528 wrote to memory of 1168	1528	Acctres.exe	AppLaunch.exe
PID 1528 wrote to memory of 1168	1528	Acctres.exe	AppLaunch.exe
PID 1528 wrote to memory of 1168	1528	Acctres.exe	AppLaunch.exe
PID 1528 wrote to memory of 1568	1528	Acctres.exe	IpOverUsbSvrc.exe
PID 1528 wrote to memory of 1568	1528	Acctres.exe	IpOverUsbSvrc.exe
PID 1528 wrote to memory of 1568	1528	Acctres.exe	IpOverUsbSvrc.exe
PID 1528 wrote to memory of 1568	1528	Acctres.exe	IpOverUsbSvrc.exe

C:\Users\Admin\AppData\Local\Temp\2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe
"C:\Users\Admin\AppData\Local\Temp\2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\checklistMRD.pdf"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1892

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
Filesize
1.0MB

MD5
d7dbd0670862cfb5eaca24c091ce6cdd

SHA1
754e3f28386a95391f8dc5f9eb51b176e23f4242

SHA256
2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1

SHA512
1cbb39991c836f2bc9557f1f051b01df2b040db7f7c6541b3a8a687f994e361f90a7e7c7cd2d231b9ee986816d48cc4071568f0c2ee106a1c10ee434d8510e12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
Filesize
1.0MB

MD5
d7dbd0670862cfb5eaca24c091ce6cdd

SHA1
754e3f28386a95391f8dc5f9eb51b176e23f4242

SHA256
2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1

SHA512
1cbb39991c836f2bc9557f1f051b01df2b040db7f7c6541b3a8a687f994e361f90a7e7c7cd2d231b9ee986816d48cc4071568f0c2ee106a1c10ee434d8510e12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
d38438b149f0be1d52d06fb1442c6975

SHA1
c8d2013661c84c362c840203b0ff82de67311eaf

SHA256
307de44bf0495d1d75a9adefc32fce14abe910ddb8a30861575314eb37ed0907

SHA512
cc9cf8b99b86735a49bf5e6a85de83de204e238c88d1a4deba60c6307039c0dd782ae43f2ebe84d5287a534e01b29b800c7a49f5286294503afcccfd468670f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
d38438b149f0be1d52d06fb1442c6975

SHA1
c8d2013661c84c362c840203b0ff82de67311eaf

SHA256
307de44bf0495d1d75a9adefc32fce14abe910ddb8a30861575314eb37ed0907

SHA512
cc9cf8b99b86735a49bf5e6a85de83de204e238c88d1a4deba60c6307039c0dd782ae43f2ebe84d5287a534e01b29b800c7a49f5286294503afcccfd468670f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
d38438b149f0be1d52d06fb1442c6975

SHA1
c8d2013661c84c362c840203b0ff82de67311eaf

SHA256
307de44bf0495d1d75a9adefc32fce14abe910ddb8a30861575314eb37ed0907

SHA512
cc9cf8b99b86735a49bf5e6a85de83de204e238c88d1a4deba60c6307039c0dd782ae43f2ebe84d5287a534e01b29b800c7a49f5286294503afcccfd468670f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
d38438b149f0be1d52d06fb1442c6975

SHA1
c8d2013661c84c362c840203b0ff82de67311eaf

SHA256
307de44bf0495d1d75a9adefc32fce14abe910ddb8a30861575314eb37ed0907

SHA512
cc9cf8b99b86735a49bf5e6a85de83de204e238c88d1a4deba60c6307039c0dd782ae43f2ebe84d5287a534e01b29b800c7a49f5286294503afcccfd468670f2

Download Submit
C:\Users\Admin\Desktop\checklistMRD.pdf
Filesize
99KB

MD5
63938183c27d586a9213827ece182bed

SHA1
343338bc14182f771a75be2b7839aca54f8f55f1

SHA256
4cb2c05e6540b4c2ae621586b5e5f4688761961809a126ee1aff119808812213

SHA512
9e3fb68c3e717573f7056e0ab25c10322decdc15b974f348bff9c26ced389761d2eabaf996f30cd5765f1cc1e29194e66b5e56db82a92ed01783805716890552

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
Filesize
1.0MB

MD5
d7dbd0670862cfb5eaca24c091ce6cdd

SHA1
754e3f28386a95391f8dc5f9eb51b176e23f4242

SHA256
2c7ec6ddbff93364c2f96227bc804da29826cfc10ff32b80b1d12a1acaf081f1

SHA512
1cbb39991c836f2bc9557f1f051b01df2b040db7f7c6541b3a8a687f994e361f90a7e7c7cd2d231b9ee986816d48cc4071568f0c2ee106a1c10ee434d8510e12

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
d38438b149f0be1d52d06fb1442c6975

SHA1
c8d2013661c84c362c840203b0ff82de67311eaf

SHA256
307de44bf0495d1d75a9adefc32fce14abe910ddb8a30861575314eb37ed0907

SHA512
cc9cf8b99b86735a49bf5e6a85de83de204e238c88d1a4deba60c6307039c0dd782ae43f2ebe84d5287a534e01b29b800c7a49f5286294503afcccfd468670f2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
d38438b149f0be1d52d06fb1442c6975

SHA1
c8d2013661c84c362c840203b0ff82de67311eaf

SHA256
307de44bf0495d1d75a9adefc32fce14abe910ddb8a30861575314eb37ed0907

SHA512
cc9cf8b99b86735a49bf5e6a85de83de204e238c88d1a4deba60c6307039c0dd782ae43f2ebe84d5287a534e01b29b800c7a49f5286294503afcccfd468670f2

Download Submit
memory/1088-88-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1088-86-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1088-78-0x0000000000000000-mapping.dmp

Download
memory/1088-98-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1168-123-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1168-114-0x000000000048F888-mapping.dmp

Download
memory/1168-127-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1416-97-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1416-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/1416-56-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1416-55-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1528-96-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1528-95-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1528-92-0x0000000000000000-mapping.dmp

Download
memory/1568-121-0x0000000000000000-mapping.dmp

Download
memory/1568-126-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1568-128-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1892-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1892-89-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1892-87-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1892-84-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1892-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1892-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1892-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1892-74-0x000000000048F888-mapping.dmp

Download
memory/1892-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1892-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1892-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1892-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1892-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1892-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1892-59-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1912-57-0x0000000000000000-mapping.dmp

Download