Analysis
max time kernel: 253s
max time network: 336s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 29-11-2022 14:11
Behavioral task: behavioral1
Sample: cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Resource: win10v2004-20220812-en
General
Target: cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Size: 717KB
MD5: 7ee9e4b9d2802572b2d75480856b9f36
SHA1: c901cc47c59a82950dde33e792aafe4b951a884f
SHA256: cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520
SHA512: 7d4e6f2c75ffbb62e3418731e4370e3476e44b610d386fe249b08bee440576814fe17189d12046bcee40f0c2bf9356957ed0264abf29c76d8d9c14632de13bde
SSDEEP: 12288:2l8E4w5huat7UovONzbXw8QeDRFr4LlcTO3HdEnNoa56Y55YB2vHqytk+b:sdhHwNzbXJrTONYBku57aS
Malware Config
Extracted
Family: darkcomet
Botnet: kingcrackzzz
C2: kingcrackzzz.no-ip.biz:6885
Mutex: DC_MUTEX-ERXUPQB
Attributes:
- InstallPath: MSDCSC\msdcsc.exe
- gencode: f1rWBr8TZa1l
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
- cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSDCSC\\msdcsc.exe"
Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes:
- iexplore.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- iexplore.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- msdcsc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- iexplore.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Modifies security service (2 TTPs, 2 IoCs)
Processes:
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
- iexplore.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"

Windows security bypass (4 IoCs)
Processes:
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- iexplore.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- iexplore.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Disables RegEdit via registry modification (2 IoCs)
Processes:
- msdcsc.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Disables Task Manager via registry modification
Drops file in Drivers directory (1 IoCs)
Processes:
- cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe: File opened for modification C:\Windows\system32\drivers\etc\hosts
Executes dropped EXE (2 IoCs)
Processes:
- PID 1708 STEAM.EXE
- PID 1516 msdcsc.exe
Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
- PID 1744 attrib.exe
- PID 1340 attrib.exe
UPX packed file (yara rule: upx, 7 IoCs)
Resources matched:
- behavioral1/memory/772-54-0x0000000000400000-0x00000000005EA000-memory.dmp
- behavioral1/memory/772-65-0x0000000000400000-0x00000000005EA000-memory.dmp
- C:\Windows\MSDCSC\msdcsc.exe
- \Windows\MSDCSC\msdcsc.exe
- \Windows\MSDCSC\msdcsc.exe
- C:\Windows\MSDCSC\msdcsc.exe
- behavioral1/memory/1516-73-0x0000000000400000-0x00000000005EA000-memory.dmp
Loads dropped DLL (3 IoCs)
Processes:
- PID 772 cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe (3 occurrences)
Windows security modification (2 IoCs)
Processes:
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
- iexplore.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSDCSC\\msdcsc.exe"
- cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSDCSC\\msdcsc.exe"
- msdcsc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSDCSC\\msdcsc.exe"
Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 1516 msdcsc.exe set thread context of PID 1412 iexplore.exe
Drops file in Windows directory (3 IoCs)
Processes:
- cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe: File opened for modification C:\Windows\MSDCSC\msdcsc.exe
- cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe: File opened for modification C:\Windows\MSDCSC\
- cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe: File created C:\Windows\MSDCSC\msdcsc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (token privileges adjusted, per process):
- PID 772 cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe (23): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 1516 msdcsc.exe (23): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 1412 iexplore.exe (18): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
- PID 1708 STEAM.EXE
- PID 1708 STEAM.EXE
- PID 1412 iexplore.exe
Suspicious use of WriteProcessMemory (53 IoCs)
Processes (source PID wrote to memory of target PID; repeated events collapsed with their count):
- PID 772 cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe -> PID 560 cmd.exe (4)
- PID 772 cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe -> PID 1436 cmd.exe (4)
- PID 560 cmd.exe -> PID 1340 attrib.exe (4)
- PID 1436 cmd.exe -> PID 1744 attrib.exe (4)
- PID 772 cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe -> PID 1708 STEAM.EXE (4)
- PID 772 cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe -> PID 1516 msdcsc.exe (4)
- PID 1516 msdcsc.exe -> PID 1412 iexplore.exe (6)
- PID 1412 iexplore.exe -> PID 1752 notepad.exe (23)
System policy modification (1 TTPs, 3 IoCs)
Processes:
- msdcsc.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
- msdcsc.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes:
- PID 1744 attrib.exe
- PID 1340 attrib.exe
Processes
(depth in the process tree shown as [1], [2], ...; each entry gives the image path, the command line, and the signatures triggered)

[1] C:\Users\Admin\AppData\Local\Temp\cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe"
    - Modifies WinLogon for persistence
    - Drops file in Drivers directory
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe" +s +h
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\attrib.exe
        command line: attrib "C:\Users\Admin\AppData\Local\Temp\cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe" +s +h
        - Sets file to hidden
        - Views/modifies file attributes

  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\attrib.exe
        command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Sets file to hidden
        - Views/modifies file attributes

  [2] C:\Users\Admin\AppData\Local\Temp\STEAM.EXE
      command line: "C:\Users\Admin\AppData\Local\Temp\STEAM.EXE"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

  [2] C:\Windows\MSDCSC\msdcsc.exe
      command line: "C:\Windows\MSDCSC\msdcsc.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

    [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
        command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        - Modifies firewall policy service
        - Modifies security service
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\notepad.exe
          command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\STEAM.EXE
Filesize: 1.2MB
MD5: 67384147dd005e54d2c0a20408e28579
SHA1: f7596aa720e891b43b0cb286f0e1a298a366a910
SHA256: cdde5b5cabe2f452d3be50a6d55892cadaf7524769cf7ad44bd4c862cf81db42
SHA512: 9a65286d93ed0fae940913f360ae1d85fa7355b8e33f0423056ab9700c2c05e48338dc28fd3340b05d324020e921c9f82ba6bd3a28fdd9c4f9f676798ba476c7

C:\Windows\MSDCSC\msdcsc.exe
Filesize: 717KB
MD5: 7ee9e4b9d2802572b2d75480856b9f36
SHA1: c901cc47c59a82950dde33e792aafe4b951a884f
SHA256: cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520
SHA512: 7d4e6f2c75ffbb62e3418731e4370e3476e44b610d386fe249b08bee440576814fe17189d12046bcee40f0c2bf9356957ed0264abf29c76d8d9c14632de13bde

\Users\Admin\AppData\Local\Temp\STEAM.EXE
Filesize: 1.2MB
MD5: 67384147dd005e54d2c0a20408e28579
SHA1: f7596aa720e891b43b0cb286f0e1a298a366a910
SHA256: cdde5b5cabe2f452d3be50a6d55892cadaf7524769cf7ad44bd4c862cf81db42
SHA512: 9a65286d93ed0fae940913f360ae1d85fa7355b8e33f0423056ab9700c2c05e48338dc28fd3340b05d324020e921c9f82ba6bd3a28fdd9c4f9f676798ba476c7

\Windows\MSDCSC\msdcsc.exe
Filesize: 717KB
MD5: 7ee9e4b9d2802572b2d75480856b9f36
SHA1: c901cc47c59a82950dde33e792aafe4b951a884f
SHA256: cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520
SHA512: 7d4e6f2c75ffbb62e3418731e4370e3476e44b610d386fe249b08bee440576814fe17189d12046bcee40f0c2bf9356957ed0264abf29c76d8d9c14632de13bde
memory/560-56-0x0000000000000000-mapping.dmp
memory/772-71-0x0000000005140000-0x000000000532A000-memory.dmp (Filesize: 1.9MB)
memory/772-65-0x0000000000400000-0x00000000005EA000-memory.dmp (Filesize: 1.9MB)
memory/772-54-0x0000000000400000-0x00000000005EA000-memory.dmp (Filesize: 1.9MB)
memory/772-55-0x0000000076201000-0x0000000076203000-memory.dmp (Filesize: 8KB)
memory/1340-58-0x0000000000000000-mapping.dmp
memory/1436-57-0x0000000000000000-mapping.dmp
memory/1516-68-0x0000000000000000-mapping.dmp
memory/1516-73-0x0000000000400000-0x00000000005EA000-memory.dmp (Filesize: 1.9MB)
memory/1708-61-0x0000000000000000-mapping.dmp
memory/1744-59-0x0000000000000000-mapping.dmp
memory/1752-74-0x0000000000000000-mapping.dmp