darkcomet | 5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6

General

Target

5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Size

1.6MB
MD5

0620050df2e5a15c53b9035407c4cfbf
SHA1

5a7cfa25d0c9e1ce1838310c450a5d3c1a81e62f
SHA256

5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6
SHA512

1f88713ff76982305fac2ced56f838ab36721e25c6589934cd25489ae8eb149555d8004c96a36aa9e8429cdfb69aeb59a91e8a660618799115bf146084cc8816
SSDEEP

24576:WF14CROX4GLhHexsQ8XqlAzpGNQUlFTH0dxXc/2hAqT9MI8SqVb8JNPTEJaE53:WF1pR4LhusCAF2d8dikAu9MzgzE4C

Score

10^/10

darkcomet bndbt evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

bndbt

C2

imouttahere.no-ip.biz:1605

Mutex

DC_MUTEX-PPBR4G6

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
xPKZmVuPN7gy
install
true
offline_keylogger
true
password
aerohigh
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe

Executes dropped EXE 3 IoCs

Processes:

msdcsc.exemsdcsc.exemsdcsc.exe

pid process

1688 msdcsc.exe
1928 msdcsc.exe
1988 msdcsc.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

804 attrib.exe
700 attrib.exe
Loads dropped DLL 1 IoCs

Processes:

5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe

pid process

680 5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe

pid	process
1688	msdcsc.exe
1928	msdcsc.exe
1988	msdcsc.exe

pid	process
804	attrib.exe
700	attrib.exe

pid	process
680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exemsdcsc.exemsdcsc.exe

description	pid	process	target process
PID 1156 set thread context of 832	1156	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 832 set thread context of 680	832	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 1688 set thread context of 1928	1688	msdcsc.exe	msdcsc.exe
PID 1928 set thread context of 1988	1928	msdcsc.exe	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exemsdcsc.exe

description	pid	process
Token: SeDebugPrivilege	1156	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeIncreaseQuotaPrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeSecurityPrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeTakeOwnershipPrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeLoadDriverPrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeSystemProfilePrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeSystemtimePrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeProfSingleProcessPrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeIncBasePriorityPrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeCreatePagefilePrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeBackupPrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeRestorePrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeShutdownPrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeDebugPrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeSystemEnvironmentPrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeChangeNotifyPrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeRemoteShutdownPrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeUndockPrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeManageVolumePrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeImpersonatePrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeCreateGlobalPrivilege	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: 33	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: 34	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: 35	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
Token: SeDebugPrivilege	1688	msdcsc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exemsdcsc.exe

pid process

832 5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
1928 msdcsc.exe

pid	process
832	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
1928	msdcsc.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.execmd.execmd.exemsdcsc.exemsdcsc.exe

description	pid	process	target process
PID 1156 wrote to memory of 832	1156	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 1156 wrote to memory of 832	1156	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 1156 wrote to memory of 832	1156	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 1156 wrote to memory of 832	1156	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 1156 wrote to memory of 832	1156	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 1156 wrote to memory of 832	1156	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 1156 wrote to memory of 832	1156	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 1156 wrote to memory of 832	1156	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 1156 wrote to memory of 832	1156	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 832 wrote to memory of 680	832	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 832 wrote to memory of 680	832	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 832 wrote to memory of 680	832	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 832 wrote to memory of 680	832	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 832 wrote to memory of 680	832	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 832 wrote to memory of 680	832	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 832 wrote to memory of 680	832	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 832 wrote to memory of 680	832	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 832 wrote to memory of 680	832	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 832 wrote to memory of 680	832	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 832 wrote to memory of 680	832	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 832 wrote to memory of 680	832	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 832 wrote to memory of 680	832	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
PID 680 wrote to memory of 1964	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	cmd.exe
PID 680 wrote to memory of 1964	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	cmd.exe
PID 680 wrote to memory of 1964	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	cmd.exe
PID 680 wrote to memory of 1964	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	cmd.exe
PID 680 wrote to memory of 1652	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	cmd.exe
PID 680 wrote to memory of 1652	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	cmd.exe
PID 680 wrote to memory of 1652	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	cmd.exe
PID 680 wrote to memory of 1652	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	cmd.exe
PID 1964 wrote to memory of 804	1964	cmd.exe	attrib.exe
PID 1964 wrote to memory of 804	1964	cmd.exe	attrib.exe
PID 1964 wrote to memory of 804	1964	cmd.exe	attrib.exe
PID 1964 wrote to memory of 804	1964	cmd.exe	attrib.exe
PID 1652 wrote to memory of 700	1652	cmd.exe	attrib.exe
PID 1652 wrote to memory of 700	1652	cmd.exe	attrib.exe
PID 1652 wrote to memory of 700	1652	cmd.exe	attrib.exe
PID 1652 wrote to memory of 700	1652	cmd.exe	attrib.exe
PID 680 wrote to memory of 1688	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	msdcsc.exe
PID 680 wrote to memory of 1688	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	msdcsc.exe
PID 680 wrote to memory of 1688	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	msdcsc.exe
PID 680 wrote to memory of 1688	680	5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe	msdcsc.exe
PID 1688 wrote to memory of 1928	1688	msdcsc.exe	msdcsc.exe
PID 1688 wrote to memory of 1928	1688	msdcsc.exe	msdcsc.exe
PID 1688 wrote to memory of 1928	1688	msdcsc.exe	msdcsc.exe
PID 1688 wrote to memory of 1928	1688	msdcsc.exe	msdcsc.exe
PID 1688 wrote to memory of 1928	1688	msdcsc.exe	msdcsc.exe
PID 1688 wrote to memory of 1928	1688	msdcsc.exe	msdcsc.exe
PID 1688 wrote to memory of 1928	1688	msdcsc.exe	msdcsc.exe
PID 1688 wrote to memory of 1928	1688	msdcsc.exe	msdcsc.exe
PID 1688 wrote to memory of 1928	1688	msdcsc.exe	msdcsc.exe
PID 1928 wrote to memory of 1988	1928	msdcsc.exe	msdcsc.exe
PID 1928 wrote to memory of 1988	1928	msdcsc.exe	msdcsc.exe
PID 1928 wrote to memory of 1988	1928	msdcsc.exe	msdcsc.exe
PID 1928 wrote to memory of 1988	1928	msdcsc.exe	msdcsc.exe
PID 1928 wrote to memory of 1988	1928	msdcsc.exe	msdcsc.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

804 attrib.exe
700 attrib.exe

pid	process
804	attrib.exe
700	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
"C:\Users\Admin\AppData\Local\Temp\5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
C:\Users\Admin\AppData\Local\Temp\5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Local\Temp\5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe
"C:\Users\Admin\AppData\Local\Temp\5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe"
3⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe" +s +h
4⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6.exe" +s +h
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:700

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
6⤵
- Executes dropped EXE
PID:1988

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
1.6MB

MD5
0620050df2e5a15c53b9035407c4cfbf

SHA1
5a7cfa25d0c9e1ce1838310c450a5d3c1a81e62f

SHA256
5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6

SHA512
1f88713ff76982305fac2ced56f838ab36721e25c6589934cd25489ae8eb149555d8004c96a36aa9e8429cdfb69aeb59a91e8a660618799115bf146084cc8816

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
1.6MB

MD5
0620050df2e5a15c53b9035407c4cfbf

SHA1
5a7cfa25d0c9e1ce1838310c450a5d3c1a81e62f

SHA256
5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6

SHA512
1f88713ff76982305fac2ced56f838ab36721e25c6589934cd25489ae8eb149555d8004c96a36aa9e8429cdfb69aeb59a91e8a660618799115bf146084cc8816

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
1.6MB

MD5
0620050df2e5a15c53b9035407c4cfbf

SHA1
5a7cfa25d0c9e1ce1838310c450a5d3c1a81e62f

SHA256
5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6

SHA512
1f88713ff76982305fac2ced56f838ab36721e25c6589934cd25489ae8eb149555d8004c96a36aa9e8429cdfb69aeb59a91e8a660618799115bf146084cc8816

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
1.6MB

MD5
0620050df2e5a15c53b9035407c4cfbf

SHA1
5a7cfa25d0c9e1ce1838310c450a5d3c1a81e62f

SHA256
5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6

SHA512
1f88713ff76982305fac2ced56f838ab36721e25c6589934cd25489ae8eb149555d8004c96a36aa9e8429cdfb69aeb59a91e8a660618799115bf146084cc8816

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
1.6MB

MD5
0620050df2e5a15c53b9035407c4cfbf

SHA1
5a7cfa25d0c9e1ce1838310c450a5d3c1a81e62f

SHA256
5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6

SHA512
1f88713ff76982305fac2ced56f838ab36721e25c6589934cd25489ae8eb149555d8004c96a36aa9e8429cdfb69aeb59a91e8a660618799115bf146084cc8816

Download Submit
memory/680-88-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-76-0x000000000048F888-mapping.dmp

Download
memory/680-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-77-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-79-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/680-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-81-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/700-85-0x0000000000000000-mapping.dmp

Download
memory/804-84-0x0000000000000000-mapping.dmp

Download
memory/832-78-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/832-56-0x00000000004010B8-mapping.dmp

Download
memory/832-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/832-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1156-54-0x0000000001330000-0x000000000142E000-memory.dmp

Filesize
1016KB

Download
memory/1652-83-0x0000000000000000-mapping.dmp

Download
memory/1688-87-0x0000000000000000-mapping.dmp

Download
memory/1688-91-0x0000000000280000-0x000000000037E000-memory.dmp

Filesize
1016KB

Download
memory/1928-93-0x00000000004010B8-mapping.dmp

Download
memory/1928-102-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1964-82-0x0000000000000000-mapping.dmp

Download
memory/1988-100-0x000000000048F888-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads