darkcomet | 0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99

General

Target

0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Size

1.7MB
MD5

c153e9b64b8bf151054c7fe36d74b188
SHA1

8d5105e4984e229c9abaaa83451c84d73f32c78a
SHA256

0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99
SHA512

2f2245c764cdc05d2cbdb51ad60a7b642b1071f569fafe79b7c37f534276fd9a3982395dc5658876c8a23ce54287bec9275d255a108de34b4ab9628d4b7d5fc8
SSDEEP

24576:bUX29rltyl8zqDeLU+YLeO7HxCbQuHouKeMzzlkj1KNT9XAa1Efll7y4LE8oS1/d:bUXoatERYTETO/lia1i+Hq4CFH

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Minecraft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\u00ad\\Start Menu\\Programs\\Startup\\Minecraft.exe"	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe

description	pid	process	target process
PID 904 set thread context of 2008	904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
PID 2008 set thread context of 1760	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0d2f6320c02d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376282856"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068d7e0aa40fd8840ad9ea37f5da8e44c000000000200000000001066000000010000200000006b4ea968138cc7ed8c750161237cde326a358e2139e01ea67467cd434c80a22d000000000e8000000002000020000000e5736c2eae7cc54568e6f0f0365ac80bc31dccdea26caaabd11ec5ba5c64e040900000008b8d7bd4be3bf8a081510b94cff14687adb23e9bf786a157960dbdc36a39b67bff6de557afa1f917adfd8ccdd9bb7da988094d53ca48ad25f64c1369aaa85d5accbf11188138c932ac0ad4ea39498f51ca7f2c7331ed12d63f0d33b147025cb56990117e6abaae852d9df9bcb0fca4fbde01675b8c00d8899d7271ba671fb5f6f39fd4f6245a7601b2834f2608904681400000001b8b1948ae3b79075b99d97068e02e5945c329b1570896e4ae86d32ea11050bfa334247352f816ae897b460f098f88fe684d7bdcdbb905923e43fae66778972b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068d7e0aa40fd8840ad9ea37f5da8e44c00000000020000000000106600000001000020000000e36e344e971bd598c22f0a0cd79807c3e70e8ac1b6a6c4efa9416e584124e7ad000000000e8000000002000020000000edad8155f9100f829686ce2a1bb68a04ca9aa2773796f5a90934f391fe51a1f020000000475496c84820e3b773529e594dac573a02e7d07d4d26da054c3a4d2a478f9dcd40000000652eaa343c03ffb7e08c4a75efd7a72fd6c9a9be4ada7e498ae671dcb5ba815dfe19bc588a6737f7312917b9c177c6f3f51b5c05816b6c14cb8117acca109105	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4C4110B0-6DFF-11ED-B390-DA7E66F9F45D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe

pid	process
904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe

description	pid	process
Token: SeDebugPrivilege	904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeIncreaseQuotaPrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeSecurityPrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeTakeOwnershipPrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeLoadDriverPrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeSystemProfilePrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeSystemtimePrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeProfSingleProcessPrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeIncBasePriorityPrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeCreatePagefilePrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeBackupPrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeRestorePrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeShutdownPrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeDebugPrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeSystemEnvironmentPrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeChangeNotifyPrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeRemoteShutdownPrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeUndockPrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeManageVolumePrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeImpersonatePrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: SeCreateGlobalPrivilege	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: 33	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: 34	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
Token: 35	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1416 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

javaw.exeiexplore.exeIEXPLORE.EXE

pid process

1736 javaw.exe
1416 iexplore.exe
1416 iexplore.exe
872 IEXPLORE.EXE
872 IEXPLORE.EXE
1736 javaw.exe

pid	process
1416	iexplore.exe

pid	process
1736	javaw.exe
1416	iexplore.exe
1416	iexplore.exe
872	IEXPLORE.EXE
872	IEXPLORE.EXE
1736	javaw.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 904 wrote to memory of 1976	904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
PID 904 wrote to memory of 1976	904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
PID 904 wrote to memory of 1976	904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
PID 904 wrote to memory of 1976	904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
PID 904 wrote to memory of 2008	904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
PID 904 wrote to memory of 2008	904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
PID 904 wrote to memory of 2008	904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
PID 904 wrote to memory of 2008	904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
PID 904 wrote to memory of 2008	904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
PID 904 wrote to memory of 2008	904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
PID 904 wrote to memory of 2008	904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
PID 904 wrote to memory of 2008	904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
PID 904 wrote to memory of 2008	904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
PID 904 wrote to memory of 2008	904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
PID 904 wrote to memory of 2008	904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
PID 904 wrote to memory of 2008	904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
PID 904 wrote to memory of 2008	904	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
PID 2008 wrote to memory of 1736	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	javaw.exe
PID 2008 wrote to memory of 1736	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	javaw.exe
PID 2008 wrote to memory of 1736	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	javaw.exe
PID 2008 wrote to memory of 1736	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	javaw.exe
PID 2008 wrote to memory of 1760	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	iexplore.exe
PID 2008 wrote to memory of 1760	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	iexplore.exe
PID 2008 wrote to memory of 1760	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	iexplore.exe
PID 2008 wrote to memory of 1760	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	iexplore.exe
PID 2008 wrote to memory of 1760	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	iexplore.exe
PID 2008 wrote to memory of 1760	2008	0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe	iexplore.exe
PID 1760 wrote to memory of 1416	1760	iexplore.exe	iexplore.exe
PID 1760 wrote to memory of 1416	1760	iexplore.exe	iexplore.exe
PID 1760 wrote to memory of 1416	1760	iexplore.exe	iexplore.exe
PID 1760 wrote to memory of 1416	1760	iexplore.exe	iexplore.exe
PID 1416 wrote to memory of 872	1416	iexplore.exe	IEXPLORE.EXE
PID 1416 wrote to memory of 872	1416	iexplore.exe	IEXPLORE.EXE
PID 1416 wrote to memory of 872	1416	iexplore.exe	IEXPLORE.EXE
PID 1416 wrote to memory of 872	1416	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
"C:\Users\Admin\AppData\Local\Temp\0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Local\Temp\0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
C:\Users\Admin\AppData\Local\Temp\0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\ACCOUNT SCRAPER BY KLINTOS.JAR"
3⤵
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1416

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1416 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:872

C:\Users\Admin\AppData\Local\Temp\0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
C:\Users\Admin\AppData\Local\Temp\0ce255ff615580522fb9530352f0ecb101ae6192c09a042026801dc11a219a99.exe
2⤵
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ACCOUNT SCRAPER BY KLINTOS.JAR
Filesize
206KB

MD5
c26c14e22e8e6fe057d9b87b01dc31fb

SHA1
be4bf40f253ddb9dc8ddbb71c9f7cabe8636b260

SHA256
6f5188b893fca1dd3f70f1e947a87699c6227886bf1f63b559e9fdadcc51e275

SHA512
ce7c3bc64c60e3c2799318403e66039d38961282b7c88de8523221360c91e248ff17e11ebcabad5b6cafbd262daff4d1836cdc40a5652790ce3e902127ca57e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\054QQKOM.txt
Filesize
603B

MD5
19de18f2e27f95757114b3c683ea3a00

SHA1
3326aea5fc7d462fbc28750fb97c13f3bc8b98b8

SHA256
8820f366a6ad54e0a328c988c685b15ccf449b1fef2b80d4124f7f3e02576e99

SHA512
62cc40da6c05cb240486d9e2e8630c07330e8b37bdc729a32233ff1382cc9397ee1042fdcaa8d782f1a76a9d0974367b1e115dc101c14139c4db63ddd62726cf

Download Submit
memory/904-91-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/904-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/904-75-0x0000000002016000-0x0000000002027000-memory.dmp

Filesize
68KB

Download
memory/904-94-0x0000000002016000-0x0000000002027000-memory.dmp

Filesize
68KB

Download
memory/904-55-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-77-0x0000000000000000-mapping.dmp

Download
memory/1736-96-0x0000000002130000-0x0000000005130000-memory.dmp

Filesize
48.0MB

Download
memory/1736-102-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/1736-101-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/1736-98-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/1736-97-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/1736-78-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/1736-85-0x0000000002130000-0x0000000005130000-memory.dmp

Filesize
48.0MB

Download
memory/2008-76-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2008-63-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2008-65-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2008-59-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2008-84-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2008-61-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2008-57-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2008-66-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2008-74-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2008-70-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2008-71-0x000000000048C87C-mapping.dmp

Download
memory/2008-72-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2008-68-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2008-56-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads