Analysis
max time kernel: 151s
max time network: 158s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 10:38
Static task: static1
Behavioral task: behavioral1
Sample: 59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe
Resource: win7-20220812-en
General
Target: 59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe
Size: 1.2MB
MD5: 3e7390c3eeeb28cb18eaa5b7f682b0da
SHA1: 9d8401994e982e037a4e395faf1597cb76470171
SHA256: 59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04
SHA512: 4cc01a3b5629a8d029ebcda3f5f514f4da235edd554306640d200eb522c5909c7a2944fb85993ebfd2d4a63451507a32b4907c15551ffe0b0820fe0d1c8d65fc
SSDEEP: 24576:I0QtqBorTlYWBhE+V3mO20zwt/l1SRKgZ2eS:I7tqFWM4mNWI
Malware Config
Extracted
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: nickflip2009@gmail.com
Password: nick5501
Extracted
darkcomet
Slaves:
- nickflip2015.no-ip.org:1604
- 10.0.0.75:1604
DC_MUTEX-D8AZQWD
InstallPath: MSDCSC\msdcsc.exe
gencode: HhJKioBtXipk
install: true
offline_keylogger: false
persistence: true
reg_key: MicroUpdate
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: EBFile_1.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (EBFile_1.exe)
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: msdcsc.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (msdcsc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (msdcsc.exe)
NirSoft MailPassView (5 IoCs)
Password recovery tool for various email clients
Processes (resource / yara_rule):
- behavioral1/memory/1108-77-0x0000000000411654-mapping.dmp: MailPassView
- behavioral1/memory/1108-76-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
- behavioral1/memory/1108-82-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
- behavioral1/memory/1108-85-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
- behavioral1/memory/1108-89-0x0000000000400000-0x000000000041B000-memory.dmp: MailPassView
NirSoft WebBrowserPassView (5 IoCs)
Password recovery tool for various web browsers
Processes (resource / yara_rule):
- behavioral1/memory/1880-90-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
- behavioral1/memory/1880-91-0x0000000000442628-mapping.dmp: WebBrowserPassView
- behavioral1/memory/1880-94-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
- behavioral1/memory/1880-95-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
- behavioral1/memory/1880-99-0x0000000000400000-0x0000000000458000-memory.dmp: WebBrowserPassView
Nirsoft (10 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/1108-77-0x0000000000411654-mapping.dmp: Nirsoft
- behavioral1/memory/1108-76-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
- behavioral1/memory/1108-82-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
- behavioral1/memory/1108-85-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
- behavioral1/memory/1108-89-0x0000000000400000-0x000000000041B000-memory.dmp: Nirsoft
- behavioral1/memory/1880-90-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
- behavioral1/memory/1880-91-0x0000000000442628-mapping.dmp: Nirsoft
- behavioral1/memory/1880-94-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
- behavioral1/memory/1880-95-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
- behavioral1/memory/1880-99-0x0000000000400000-0x0000000000458000-memory.dmp: Nirsoft
Disables RegEdit via registry modification (1 IoC)
Processes: msdcsc.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (msdcsc.exe)
Disables Task Manager via registry modification
Executes dropped EXE (2 IoCs)
Processes (pid / process): EBFile_1.exe, msdcsc.exe
- 1144 EBFile_1.exe
- 1772 msdcsc.exe
Processes (resource / yara_rule):
- C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe: upx
- \Users\Admin\AppData\Local\Temp\EBFile_1.exe: upx
- \Users\Admin\AppData\Local\Temp\EBFile_1.exe: upx
- behavioral1/memory/1144-66-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
- C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe: upx
- \Users\Admin\Documents\MSDCSC\msdcsc.exe: upx
- \Users\Admin\Documents\MSDCSC\msdcsc.exe: upx
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe: upx
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe: upx
- behavioral1/memory/1772-84-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
- behavioral1/memory/1144-86-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
- behavioral1/memory/1772-100-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
Loads dropped DLL (4 IoCs)
Processes (pid / process): 59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe, EBFile_1.exe
- 1088 59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe
- 1088 59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe
- 1144 EBFile_1.exe
- 1144 EBFile_1.exe
Uses the VBS compiler for execution (1 TTP)
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes: vbc.exe
- Key opened: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (vbc.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: EBFile_1.exe, msdcsc.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (EBFile_1.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (msdcsc.exe)
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
- 5: whatismyipaddress.com
- 6: whatismyipaddress.com
- 3: whatismyipaddress.com
Suspicious use of SetThreadContext (2 IoCs)
Processes: 59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe
- PID 1088 (59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe) set thread context of 1108 (vbc.exe)
- PID 1088 (59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe) set thread context of 1880 (vbc.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe
- 1088 59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe (all 64 entries are this same pid/process pair)
Suspicious use of AdjustPrivilegeToken (47 IoCs)
Processes: 59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe, EBFile_1.exe, msdcsc.exe
- PID 1088 (59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe) Token: SeDebugPrivilege
- PID 1144 (EBFile_1.exe) Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 1772 (msdcsc.exe) Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: 59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe
- 1088 59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe
Suspicious use of WriteProcessMemory (63 IoCs)
Processes: 59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe, EBFile_1.exe, msdcsc.exe
Identical entries (same pid, process, target pid and target process) are collapsed with their count:
- PID 1088 (59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe) wrote to memory of 1144 (EBFile_1.exe): 4 entries
- PID 1088 (59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe) wrote to memory of 1700 (cmd.exe): 4 entries
- PID 1144 (EBFile_1.exe) wrote to memory of 1180 (cmd.exe): 4 entries
- PID 1144 (EBFile_1.exe) wrote to memory of 1772 (msdcsc.exe): 4 entries
- PID 1088 (59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe) wrote to memory of 1108 (vbc.exe): 10 entries
- PID 1772 (msdcsc.exe) wrote to memory of 584 (cmd.exe): 4 entries
- PID 1772 (msdcsc.exe) wrote to memory of 852 (notepad.exe): 23 entries
- PID 1088 (59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe) wrote to memory of 1880 (vbc.exe): 10 entries
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\EXECUTE.BAT" "
    [depth 3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Modifies firewall policy service
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\EXECUTE.BAT" "
      [depth 4] C:\Windows\SysWOW64\notepad.exe
        Command line: notepad
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\BFile_2.bat" "
  [depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    - Accesses Microsoft Outlook accounts
  [depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\BFile_2.bat
  Filesize: 2KB
  MD5: 4897f02d43de8724cd2f12370e148b8b
  SHA1: be7e9a497f9f965004fcbcbcd8d292530a801aa0
  SHA256: a7db7db9e13649d68104fae690602b8e49f9f3a8c27ce26b5f8785d8c16e3733
  SHA512: 0308159206d77cfec9e0f859a5d8880772ffd8ef8a32460e708dee8f9017b0dadfca04b06fb3a89b5772bc4a6e95f05d730877a60d8a4cb00311becfd9d5347e
- C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe
  Filesize: 252KB
  MD5: 87f28094def9f264ba3afab60c1f2691
  SHA1: 16725fdf1ac2f1d62b1d6e01c336727bd0be7b72
  SHA256: 7c034f6c3abf1a84cf1fb1fd13c42cc7f47ccfd19e431df033378ee47355aca6
  SHA512: 0e47f746d03dacafc7c3b11d1ed6637b300eff7b0dddf43f237ea0997060312de4e905353f14ae5ccf21d18ecda7d77fa243bdf9a14cbf5f0b869d9755108ece
- C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe
  Filesize: 252KB
  MD5: 87f28094def9f264ba3afab60c1f2691
  SHA1: 16725fdf1ac2f1d62b1d6e01c336727bd0be7b72
  SHA256: 7c034f6c3abf1a84cf1fb1fd13c42cc7f47ccfd19e431df033378ee47355aca6
  SHA512: 0e47f746d03dacafc7c3b11d1ed6637b300eff7b0dddf43f237ea0997060312de4e905353f14ae5ccf21d18ecda7d77fa243bdf9a14cbf5f0b869d9755108ece
- C:\Users\Admin\AppData\Local\Temp\EXECUTE.BAT
  Filesize: 2KB
  MD5: 4897f02d43de8724cd2f12370e148b8b
  SHA1: be7e9a497f9f965004fcbcbcd8d292530a801aa0
  SHA256: a7db7db9e13649d68104fae690602b8e49f9f3a8c27ce26b5f8785d8c16e3733
  SHA512: 0308159206d77cfec9e0f859a5d8880772ffd8ef8a32460e708dee8f9017b0dadfca04b06fb3a89b5772bc4a6e95f05d730877a60d8a4cb00311becfd9d5347e
- C:\Users\Admin\AppData\Local\Temp\EXECUTE.BAT
  Filesize: 2KB
  MD5: 4897f02d43de8724cd2f12370e148b8b
  SHA1: be7e9a497f9f965004fcbcbcd8d292530a801aa0
  SHA256: a7db7db9e13649d68104fae690602b8e49f9f3a8c27ce26b5f8785d8c16e3733
  SHA512: 0308159206d77cfec9e0f859a5d8880772ffd8ef8a32460e708dee8f9017b0dadfca04b06fb3a89b5772bc4a6e95f05d730877a60d8a4cb00311becfd9d5347e
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 252KB
  MD5: 87f28094def9f264ba3afab60c1f2691
  SHA1: 16725fdf1ac2f1d62b1d6e01c336727bd0be7b72
  SHA256: 7c034f6c3abf1a84cf1fb1fd13c42cc7f47ccfd19e431df033378ee47355aca6
  SHA512: 0e47f746d03dacafc7c3b11d1ed6637b300eff7b0dddf43f237ea0997060312de4e905353f14ae5ccf21d18ecda7d77fa243bdf9a14cbf5f0b869d9755108ece
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 252KB
  MD5: 87f28094def9f264ba3afab60c1f2691
  SHA1: 16725fdf1ac2f1d62b1d6e01c336727bd0be7b72
  SHA256: 7c034f6c3abf1a84cf1fb1fd13c42cc7f47ccfd19e431df033378ee47355aca6
  SHA512: 0e47f746d03dacafc7c3b11d1ed6637b300eff7b0dddf43f237ea0997060312de4e905353f14ae5ccf21d18ecda7d77fa243bdf9a14cbf5f0b869d9755108ece
- \Users\Admin\AppData\Local\Temp\EBFile_1.exe
  Filesize: 252KB
  MD5: 87f28094def9f264ba3afab60c1f2691
  SHA1: 16725fdf1ac2f1d62b1d6e01c336727bd0be7b72
  SHA256: 7c034f6c3abf1a84cf1fb1fd13c42cc7f47ccfd19e431df033378ee47355aca6
  SHA512: 0e47f746d03dacafc7c3b11d1ed6637b300eff7b0dddf43f237ea0997060312de4e905353f14ae5ccf21d18ecda7d77fa243bdf9a14cbf5f0b869d9755108ece
- \Users\Admin\AppData\Local\Temp\EBFile_1.exe
  Filesize: 252KB
  MD5: 87f28094def9f264ba3afab60c1f2691
  SHA1: 16725fdf1ac2f1d62b1d6e01c336727bd0be7b72
  SHA256: 7c034f6c3abf1a84cf1fb1fd13c42cc7f47ccfd19e431df033378ee47355aca6
  SHA512: 0e47f746d03dacafc7c3b11d1ed6637b300eff7b0dddf43f237ea0997060312de4e905353f14ae5ccf21d18ecda7d77fa243bdf9a14cbf5f0b869d9755108ece
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 252KB
  MD5: 87f28094def9f264ba3afab60c1f2691
  SHA1: 16725fdf1ac2f1d62b1d6e01c336727bd0be7b72
  SHA256: 7c034f6c3abf1a84cf1fb1fd13c42cc7f47ccfd19e431df033378ee47355aca6
  SHA512: 0e47f746d03dacafc7c3b11d1ed6637b300eff7b0dddf43f237ea0997060312de4e905353f14ae5ccf21d18ecda7d77fa243bdf9a14cbf5f0b869d9755108ece
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 252KB
  MD5: 87f28094def9f264ba3afab60c1f2691
  SHA1: 16725fdf1ac2f1d62b1d6e01c336727bd0be7b72
  SHA256: 7c034f6c3abf1a84cf1fb1fd13c42cc7f47ccfd19e431df033378ee47355aca6
  SHA512: 0e47f746d03dacafc7c3b11d1ed6637b300eff7b0dddf43f237ea0997060312de4e905353f14ae5ccf21d18ecda7d77fa243bdf9a14cbf5f0b869d9755108ece
- memory/584-79-0x0000000000000000-mapping.dmp
- memory/852-87-0x0000000000000000-mapping.dmp
- memory/1088-64-0x0000000008B40000-0x0000000008BF7000-memory.dmp (Filesize: 732KB)
- memory/1088-63-0x0000000008B40000-0x0000000008BF7000-memory.dmp (Filesize: 732KB)
- memory/1088-96-0x0000000008B40000-0x0000000008BF7000-memory.dmp (Filesize: 732KB)
- memory/1088-97-0x0000000008B40000-0x0000000008BF7000-memory.dmp (Filesize: 732KB)
- memory/1088-56-0x0000000074B80000-0x000000007512B000-memory.dmp (Filesize: 5.7MB)
- memory/1088-55-0x0000000074B80000-0x000000007512B000-memory.dmp (Filesize: 5.7MB)
- memory/1088-54-0x0000000076681000-0x0000000076683000-memory.dmp (Filesize: 8KB)
- memory/1108-76-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/1108-82-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/1108-77-0x0000000000411654-mapping.dmp
- memory/1108-85-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/1108-89-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/1144-66-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/1144-59-0x0000000000000000-mapping.dmp
- memory/1144-83-0x0000000003250000-0x0000000003307000-memory.dmp (Filesize: 732KB)
- memory/1144-86-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/1180-68-0x0000000000000000-mapping.dmp
- memory/1700-61-0x0000000000000000-mapping.dmp
- memory/1772-84-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/1772-72-0x0000000000000000-mapping.dmp
- memory/1772-100-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/1880-94-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/1880-95-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/1880-91-0x0000000000442628-mapping.dmp
- memory/1880-90-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/1880-99-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)