darkcomet | a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693

Analysis

max time kernel
154s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Size

594KB
MD5

f792868a671695eb5ff716c774ab4474
SHA1

cd6964165c397f984de85ee9cc3ef80a4b23ea7f
SHA256

a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693
SHA512

b4a41326705fbe908f4fd6485eaf8b1b409acd5feaf1baa8d9f3eb8f2b4c912ab82e1a712e6cf8db7baa664dba0ff9570fec790819aea24023caaf68801e7545
SSDEEP

12288:g9Zu42qMifMb9yXf1J9pOxsrC3uQOJdy9rHCbLutbK8dTHK/73cI6j:g9ZDy6Mb9ydTpOKCvHCboWiTHx

Score

10^/10

darkcomet new1 evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

new1

banrutero.duckdns.org:3462

chapinmaster.aidyn.net:3462

Mutex

DC_MUTEX-UYTP5W4

Attributes

InstallPath
Winlogon.exe
gencode
kCVib9BZgqVh
install
true
offline_keylogger
true
password
22617
persistence
true
reg_key
MicroUpdates

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Winlogon.exe"	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

Executes dropped EXE 4 IoCs

Processes:

csrss.exea0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exea0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.execsrss.exe

pid	process
4728	csrss.exe
4588	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
4628	csrss.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

936 attrib.exe
840 attrib.exe

pid	process
936	attrib.exe
840	attrib.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/508-136-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/508-137-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/508-138-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/508-140-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/508-141-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/508-142-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/508-143-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/508-151-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/912-162-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/912-163-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/912-170-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/912-171-0x0000000000400000-0x00000000004E8000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.execsrss.exea0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exea0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exea0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdates = "C:\\Windows\\system32\\Winlogon.exe"	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdates = "C:\\Windows\\system32\\Winlogon.exe"	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

Drops file in System32 directory 3 IoCs

Processes:

a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Winlogon.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
File opened for modification	C:\Windows\SysWOW64\Winlogon.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
File opened for modification	C:\Windows\SysWOW64\	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exea0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

description	pid	process	target process
PID 1312 set thread context of 508	1312	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 4588 set thread context of 912	4588	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

csrss.execsrss.exe

pid	process
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4728	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe
4628	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

pid process

912 a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

pid	process
912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.execsrss.exea0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.execsrss.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeSecurityPrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeTakeOwnershipPrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeLoadDriverPrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeSystemProfilePrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeSystemtimePrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeProfSingleProcessPrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeIncBasePriorityPrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeCreatePagefilePrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeBackupPrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeRestorePrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeShutdownPrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeDebugPrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeSystemEnvironmentPrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeChangeNotifyPrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeRemoteShutdownPrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeUndockPrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeManageVolumePrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeImpersonatePrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeCreateGlobalPrivilege	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: 33	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: 34	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: 35	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: 36	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeDebugPrivilege	4728	csrss.exe
Token: SeIncreaseQuotaPrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeSecurityPrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeTakeOwnershipPrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeLoadDriverPrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeSystemProfilePrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeSystemtimePrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeProfSingleProcessPrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeIncBasePriorityPrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeCreatePagefilePrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeBackupPrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeRestorePrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeShutdownPrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeDebugPrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeSystemEnvironmentPrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeChangeNotifyPrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeRemoteShutdownPrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeUndockPrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeManageVolumePrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeImpersonatePrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeCreateGlobalPrivilege	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: 33	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: 34	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: 35	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: 36	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Token: SeDebugPrivilege	4628	csrss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

pid process

912 a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

pid	process
912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exea0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.execmd.execmd.execsrss.exea0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exea0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe

description	pid	process	target process
PID 1312 wrote to memory of 508	1312	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 1312 wrote to memory of 508	1312	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 1312 wrote to memory of 508	1312	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 1312 wrote to memory of 508	1312	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 1312 wrote to memory of 508	1312	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 1312 wrote to memory of 508	1312	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 1312 wrote to memory of 508	1312	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 1312 wrote to memory of 508	1312	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 508 wrote to memory of 3688	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	cmd.exe
PID 508 wrote to memory of 3688	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	cmd.exe
PID 508 wrote to memory of 3688	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	cmd.exe
PID 1312 wrote to memory of 4728	1312	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	csrss.exe
PID 1312 wrote to memory of 4728	1312	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	csrss.exe
PID 1312 wrote to memory of 4728	1312	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	csrss.exe
PID 508 wrote to memory of 1232	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	cmd.exe
PID 508 wrote to memory of 1232	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	cmd.exe
PID 508 wrote to memory of 1232	508	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	cmd.exe
PID 3688 wrote to memory of 936	3688	cmd.exe	attrib.exe
PID 3688 wrote to memory of 936	3688	cmd.exe	attrib.exe
PID 3688 wrote to memory of 936	3688	cmd.exe	attrib.exe
PID 1232 wrote to memory of 840	1232	cmd.exe	attrib.exe
PID 1232 wrote to memory of 840	1232	cmd.exe	attrib.exe
PID 1232 wrote to memory of 840	1232	cmd.exe	attrib.exe
PID 4728 wrote to memory of 4588	4728	csrss.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 4728 wrote to memory of 4588	4728	csrss.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 4728 wrote to memory of 4588	4728	csrss.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 4588 wrote to memory of 912	4588	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 4588 wrote to memory of 912	4588	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 4588 wrote to memory of 912	4588	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 4588 wrote to memory of 912	4588	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 4588 wrote to memory of 912	4588	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 4588 wrote to memory of 912	4588	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 4588 wrote to memory of 912	4588	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 4588 wrote to memory of 912	4588	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 912 wrote to memory of 4732	912	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	notepad.exe
PID 4588 wrote to memory of 4628	4588	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	csrss.exe
PID 4588 wrote to memory of 4628	4588	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	csrss.exe
PID 4588 wrote to memory of 4628	4588	a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe	csrss.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

936 attrib.exe
840 attrib.exe

pid	process
936	attrib.exe
840	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
"C:\Users\Admin\AppData\Local\Temp\a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
"C:\Users\Admin\AppData\Local\Temp\a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe"
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:840

C:\Users\Admin\AppData\Local\Temp\csrss.exe
"C:\Users\Admin\AppData\Local\Temp\csrss.exe" -keyhide -prochide 508 -reg C:\Users\Admin\AppData\Local\Temp\a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe -proc 508 C:\Users\Admin\AppData\Local\Temp\a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4728

C:\Users\Admin\AppData\Local\Temp\a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
"C:\Users\Admin\AppData\Local\Temp\a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4588

C:\Users\Admin\AppData\Local\Temp\a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
"C:\Users\Admin\AppData\Local\Temp\a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe"
4⤵
- Modifies firewall policy service
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\csrss.exe
"C:\Users\Admin\AppData\Local\Temp\csrss.exe" -keyhide -prochide 912 -reg C:\Users\Admin\AppData\Local\Temp\a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe -proc 912 C:\Users\Admin\AppData\Local\Temp\a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe.log
Filesize
410B

MD5
51b5bb76cd86bea0070ea505175e7a55

SHA1
bf367dd1367188563d01ab7452a384d40c3f8c8c

SHA256
c9cfa1c48e1d7c1426404c747d82a3ff22c7d2d659e2a0ac96f2d1a60e85a39a

SHA512
3b19aed680aaed4b6449e15f33510ef0e840feb2810d41d57e27d058cd176cecac6783f7a2c52459a88ba1ec0037dbb3b052071d3114f0988ce11ed0a9c432f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\csrss.exe.log
Filesize
410B

MD5
51b5bb76cd86bea0070ea505175e7a55

SHA1
bf367dd1367188563d01ab7452a384d40c3f8c8c

SHA256
c9cfa1c48e1d7c1426404c747d82a3ff22c7d2d659e2a0ac96f2d1a60e85a39a

SHA512
3b19aed680aaed4b6449e15f33510ef0e840feb2810d41d57e27d058cd176cecac6783f7a2c52459a88ba1ec0037dbb3b052071d3114f0988ce11ed0a9c432f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Filesize
594KB

MD5
f792868a671695eb5ff716c774ab4474

SHA1
cd6964165c397f984de85ee9cc3ef80a4b23ea7f

SHA256
a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693

SHA512
b4a41326705fbe908f4fd6485eaf8b1b409acd5feaf1baa8d9f3eb8f2b4c912ab82e1a712e6cf8db7baa664dba0ff9570fec790819aea24023caaf68801e7545

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693.exe
Filesize
594KB

MD5
f792868a671695eb5ff716c774ab4474

SHA1
cd6964165c397f984de85ee9cc3ef80a4b23ea7f

SHA256
a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693

SHA512
b4a41326705fbe908f4fd6485eaf8b1b409acd5feaf1baa8d9f3eb8f2b4c912ab82e1a712e6cf8db7baa664dba0ff9570fec790819aea24023caaf68801e7545

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe
Filesize
594KB

MD5
f792868a671695eb5ff716c774ab4474

SHA1
cd6964165c397f984de85ee9cc3ef80a4b23ea7f

SHA256
a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693

SHA512
b4a41326705fbe908f4fd6485eaf8b1b409acd5feaf1baa8d9f3eb8f2b4c912ab82e1a712e6cf8db7baa664dba0ff9570fec790819aea24023caaf68801e7545

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe
Filesize
594KB

MD5
f792868a671695eb5ff716c774ab4474

SHA1
cd6964165c397f984de85ee9cc3ef80a4b23ea7f

SHA256
a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693

SHA512
b4a41326705fbe908f4fd6485eaf8b1b409acd5feaf1baa8d9f3eb8f2b4c912ab82e1a712e6cf8db7baa664dba0ff9570fec790819aea24023caaf68801e7545

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe
Filesize
594KB

MD5
f792868a671695eb5ff716c774ab4474

SHA1
cd6964165c397f984de85ee9cc3ef80a4b23ea7f

SHA256
a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693

SHA512
b4a41326705fbe908f4fd6485eaf8b1b409acd5feaf1baa8d9f3eb8f2b4c912ab82e1a712e6cf8db7baa664dba0ff9570fec790819aea24023caaf68801e7545

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe
Filesize
594KB

MD5
f792868a671695eb5ff716c774ab4474

SHA1
cd6964165c397f984de85ee9cc3ef80a4b23ea7f

SHA256
a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693

SHA512
b4a41326705fbe908f4fd6485eaf8b1b409acd5feaf1baa8d9f3eb8f2b4c912ab82e1a712e6cf8db7baa664dba0ff9570fec790819aea24023caaf68801e7545

Download Submit
C:\Windows\SysWOW64\Winlogon.exe
Filesize
594KB

MD5
f792868a671695eb5ff716c774ab4474

SHA1
cd6964165c397f984de85ee9cc3ef80a4b23ea7f

SHA256
a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693

SHA512
b4a41326705fbe908f4fd6485eaf8b1b409acd5feaf1baa8d9f3eb8f2b4c912ab82e1a712e6cf8db7baa664dba0ff9570fec790819aea24023caaf68801e7545

Download Submit
memory/508-136-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/508-143-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/508-142-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/508-141-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/508-140-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/508-138-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/508-137-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/508-135-0x0000000000000000-mapping.dmp

Download
memory/508-151-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/840-150-0x0000000000000000-mapping.dmp

Download
memory/912-162-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/912-155-0x0000000000000000-mapping.dmp

Download
memory/912-163-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/912-171-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/912-170-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/936-149-0x0000000000000000-mapping.dmp

Download
memory/1232-148-0x0000000000000000-mapping.dmp

Download
memory/1312-134-0x0000000005520000-0x00000000055B2000-memory.dmp

Filesize
584KB

Download
memory/1312-132-0x0000000000BA0000-0x0000000000C3A000-memory.dmp

Filesize
616KB

Download
memory/1312-133-0x0000000005930000-0x0000000005ED4000-memory.dmp

Filesize
5.6MB

Download
memory/3688-144-0x0000000000000000-mapping.dmp

Download
memory/4588-152-0x0000000000000000-mapping.dmp

Download
memory/4628-166-0x0000000000000000-mapping.dmp

Download
memory/4728-145-0x0000000000000000-mapping.dmp

Download
memory/4732-165-0x0000000000000000-mapping.dmp

Download