darkcomet | cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520

Analysis

max time kernel
191s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Size

717KB
MD5

7ee9e4b9d2802572b2d75480856b9f36
SHA1

c901cc47c59a82950dde33e792aafe4b951a884f
SHA256

cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520
SHA512

7d4e6f2c75ffbb62e3418731e4370e3476e44b610d386fe249b08bee440576814fe17189d12046bcee40f0c2bf9356957ed0264abf29c76d8d9c14632de13bde
SSDEEP

12288:2l8E4w5huat7UovONzbXw8QeDRFr4LlcTO3HdEnNoa56Y55YB2vHqytk+b:sdhHwNzbXJrTONYBku57aS

Score

10^/10

darkcomet kingcrackzzz evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

kingcrackzzz

kingcrackzzz.no-ip.biz:6885

Mutex

DC_MUTEX-ERXUPQB

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
f1rWBr8TZa1l
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSDCSC\\msdcsc.exe"	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

msdcsc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

msdcsc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

msdcsc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msdcsc.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

Processes:

cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe

Executes dropped EXE 4 IoCs

Processes:

STEAM.EXEmsdcsc.exeSTEAMTmp.exeSTEAM.exe

pid process

3760 STEAM.EXE
3436 msdcsc.exe
4624 STEAMTmp.exe
2664 STEAM.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

3744 attrib.exe
752 attrib.exe

pid	process
3744	attrib.exe
752	attrib.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4908-132-0x0000000000400000-0x00000000005EA000-memory.dmp	upx
behavioral2/memory/4908-133-0x0000000000400000-0x00000000005EA000-memory.dmp	upx
C:\Windows\MSDCSC\msdcsc.exe	upx
C:\Windows\MSDCSC\msdcsc.exe	upx
behavioral2/memory/4908-144-0x0000000000400000-0x00000000005EA000-memory.dmp	upx
behavioral2/memory/3436-147-0x0000000000400000-0x00000000005EA000-memory.dmp	upx
behavioral2/memory/3436-148-0x0000000000400000-0x00000000005EA000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe

Loads dropped DLL 1 IoCs

Processes:

STEAM.exe

pid process

2664 STEAM.exe

pid	process
2664	STEAM.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSDCSC\\msdcsc.exe"	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Drops file in Windows directory 3 IoCs

Processes:

cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe

description	ioc	process
File created	C:\Windows\MSDCSC\msdcsc.exe	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
File opened for modification	C:\Windows\MSDCSC\msdcsc.exe	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
File opened for modification	C:\Windows\MSDCSC\	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

STEAM.exe

pid process

2664 STEAM.exe
2664 STEAM.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msdcsc.exe

pid process

3436 msdcsc.exe

pid	process
2664	STEAM.exe
2664	STEAM.exe

pid	process
3436	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeSecurityPrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeTakeOwnershipPrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeLoadDriverPrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeSystemProfilePrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeSystemtimePrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeProfSingleProcessPrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeIncBasePriorityPrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeCreatePagefilePrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeBackupPrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeRestorePrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeShutdownPrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeDebugPrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeSystemEnvironmentPrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeChangeNotifyPrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeRemoteShutdownPrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeUndockPrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeManageVolumePrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeImpersonatePrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeCreateGlobalPrivilege	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: 33	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: 34	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: 35	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: 36	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Token: SeIncreaseQuotaPrivilege	3436	msdcsc.exe
Token: SeSecurityPrivilege	3436	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3436	msdcsc.exe
Token: SeLoadDriverPrivilege	3436	msdcsc.exe
Token: SeSystemProfilePrivilege	3436	msdcsc.exe
Token: SeSystemtimePrivilege	3436	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3436	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3436	msdcsc.exe
Token: SeCreatePagefilePrivilege	3436	msdcsc.exe
Token: SeBackupPrivilege	3436	msdcsc.exe
Token: SeRestorePrivilege	3436	msdcsc.exe
Token: SeShutdownPrivilege	3436	msdcsc.exe
Token: SeDebugPrivilege	3436	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3436	msdcsc.exe
Token: SeChangeNotifyPrivilege	3436	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3436	msdcsc.exe
Token: SeUndockPrivilege	3436	msdcsc.exe
Token: SeManageVolumePrivilege	3436	msdcsc.exe
Token: SeImpersonatePrivilege	3436	msdcsc.exe
Token: SeCreateGlobalPrivilege	3436	msdcsc.exe
Token: 33	3436	msdcsc.exe
Token: 34	3436	msdcsc.exe
Token: 35	3436	msdcsc.exe
Token: 36	3436	msdcsc.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

STEAM.EXE

pid	process
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE

Suspicious use of SendNotifyMessage 31 IoCs

Processes:

STEAM.EXE

pid	process
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE
3760	STEAM.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

STEAM.EXEmsdcsc.exeSTEAMTmp.exe

pid process

3760 STEAM.EXE
3760 STEAM.EXE
3436 msdcsc.exe
4624 STEAMTmp.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.execmd.execmd.exemsdcsc.exeSTEAM.EXESTEAMTmp.exe

description	pid	process	target process
PID 4908 wrote to memory of 3736	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe	cmd.exe
PID 4908 wrote to memory of 3736	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe	cmd.exe
PID 4908 wrote to memory of 3736	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe	cmd.exe
PID 4908 wrote to memory of 2576	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe	cmd.exe
PID 4908 wrote to memory of 2576	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe	cmd.exe
PID 4908 wrote to memory of 2576	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe	cmd.exe
PID 3736 wrote to memory of 3744	3736	cmd.exe	attrib.exe
PID 3736 wrote to memory of 3744	3736	cmd.exe	attrib.exe
PID 3736 wrote to memory of 3744	3736	cmd.exe	attrib.exe
PID 4908 wrote to memory of 3760	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe	STEAM.EXE
PID 4908 wrote to memory of 3760	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe	STEAM.EXE
PID 4908 wrote to memory of 3760	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe	STEAM.EXE
PID 2576 wrote to memory of 752	2576	cmd.exe	attrib.exe
PID 2576 wrote to memory of 752	2576	cmd.exe	attrib.exe
PID 2576 wrote to memory of 752	2576	cmd.exe	attrib.exe
PID 4908 wrote to memory of 3436	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe	msdcsc.exe
PID 4908 wrote to memory of 3436	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe	msdcsc.exe
PID 4908 wrote to memory of 3436	4908	cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe	msdcsc.exe
PID 3436 wrote to memory of 3820	3436	msdcsc.exe	iexplore.exe
PID 3436 wrote to memory of 3820	3436	msdcsc.exe	iexplore.exe
PID 3436 wrote to memory of 3820	3436	msdcsc.exe	iexplore.exe
PID 3436 wrote to memory of 4496	3436	msdcsc.exe	explorer.exe
PID 3436 wrote to memory of 4496	3436	msdcsc.exe	explorer.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3436 wrote to memory of 2944	3436	msdcsc.exe	notepad.exe
PID 3760 wrote to memory of 4624	3760	STEAM.EXE	STEAMTmp.exe
PID 3760 wrote to memory of 4624	3760	STEAM.EXE	STEAMTmp.exe
PID 3760 wrote to memory of 4624	3760	STEAM.EXE	STEAMTmp.exe
PID 4624 wrote to memory of 2664	4624	STEAMTmp.exe	STEAM.exe
PID 4624 wrote to memory of 2664	4624	STEAMTmp.exe	STEAM.exe
PID 4624 wrote to memory of 2664	4624	STEAMTmp.exe	STEAM.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

3744 attrib.exe
752 attrib.exe

pid	process
3744	attrib.exe
752	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
"C:\Users\Admin\AppData\Local\Temp\cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:752

C:\Users\Admin\AppData\Local\Temp\STEAM.EXE
"C:\Users\Admin\AppData\Local\Temp\STEAM.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3760

C:\Users\Admin\AppData\Local\Temp\STEAMTmp.exe
STEAMTmp.exe SelfUpdate "C:\Users\Admin\AppData\Local\Temp\STEAM.EXE" 1003
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4624

C:\Users\Admin\AppData\Local\Temp\STEAM.exe
STEAM.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2664

C:\Windows\MSDCSC\msdcsc.exe
"C:\Windows\MSDCSC\msdcsc.exe"
2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3436

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
PID:3820

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:2944

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:4496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\STEAM.EXE
Filesize
1.2MB

MD5
67384147dd005e54d2c0a20408e28579

SHA1
f7596aa720e891b43b0cb286f0e1a298a366a910

SHA256
cdde5b5cabe2f452d3be50a6d55892cadaf7524769cf7ad44bd4c862cf81db42

SHA512
9a65286d93ed0fae940913f360ae1d85fa7355b8e33f0423056ab9700c2c05e48338dc28fd3340b05d324020e921c9f82ba6bd3a28fdd9c4f9f676798ba476c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\STEAM.EXE
Filesize
1.2MB

MD5
67384147dd005e54d2c0a20408e28579

SHA1
f7596aa720e891b43b0cb286f0e1a298a366a910

SHA256
cdde5b5cabe2f452d3be50a6d55892cadaf7524769cf7ad44bd4c862cf81db42

SHA512
9a65286d93ed0fae940913f360ae1d85fa7355b8e33f0423056ab9700c2c05e48338dc28fd3340b05d324020e921c9f82ba6bd3a28fdd9c4f9f676798ba476c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\STEAM.EXE
Filesize
1.5MB

MD5
7d6f3e59417caa671d73faa2d665ccc4

SHA1
73c0776c6e97bf1a28ec4e46527af0c7218c9be2

SHA256
5366685316db6efe640b09b2aa07e85b041fc3dbf7d032ef18337b18acb6346b

SHA512
e6d09c53baeab2a7b7d2ce7656181ac76aa71e4785c98475be2ad66f9f1c898e9b643bec5e4953bde875716fd5646fd25c0d0f542cd3603bc732ae5968b6d2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\STEAM.exe
Filesize
1.5MB

MD5
7d6f3e59417caa671d73faa2d665ccc4

SHA1
73c0776c6e97bf1a28ec4e46527af0c7218c9be2

SHA256
5366685316db6efe640b09b2aa07e85b041fc3dbf7d032ef18337b18acb6346b

SHA512
e6d09c53baeab2a7b7d2ce7656181ac76aa71e4785c98475be2ad66f9f1c898e9b643bec5e4953bde875716fd5646fd25c0d0f542cd3603bc732ae5968b6d2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\STEAMNew.exe
Filesize
1.5MB

MD5
7d6f3e59417caa671d73faa2d665ccc4

SHA1
73c0776c6e97bf1a28ec4e46527af0c7218c9be2

SHA256
5366685316db6efe640b09b2aa07e85b041fc3dbf7d032ef18337b18acb6346b

SHA512
e6d09c53baeab2a7b7d2ce7656181ac76aa71e4785c98475be2ad66f9f1c898e9b643bec5e4953bde875716fd5646fd25c0d0f542cd3603bc732ae5968b6d2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\STEAMTmp.exe
Filesize
1.2MB

MD5
67384147dd005e54d2c0a20408e28579

SHA1
f7596aa720e891b43b0cb286f0e1a298a366a910

SHA256
cdde5b5cabe2f452d3be50a6d55892cadaf7524769cf7ad44bd4c862cf81db42

SHA512
9a65286d93ed0fae940913f360ae1d85fa7355b8e33f0423056ab9700c2c05e48338dc28fd3340b05d324020e921c9f82ba6bd3a28fdd9c4f9f676798ba476c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\STEAMTmp.exe
Filesize
1.2MB

MD5
67384147dd005e54d2c0a20408e28579

SHA1
f7596aa720e891b43b0cb286f0e1a298a366a910

SHA256
cdde5b5cabe2f452d3be50a6d55892cadaf7524769cf7ad44bd4c862cf81db42

SHA512
9a65286d93ed0fae940913f360ae1d85fa7355b8e33f0423056ab9700c2c05e48338dc28fd3340b05d324020e921c9f82ba6bd3a28fdd9c4f9f676798ba476c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\STEAM_1003.pkg
Filesize
888KB

MD5
050159c517f899a41391e93e78d5c848

SHA1
659c4897c22c803f3de5d2b0967ebad976c8f1a1

SHA256
363403edfc1a49ed153e476ba0895f7ca7a49609e03ae98a9085677f12de3c1d

SHA512
28e45f570636cc96994ba4c3df867e4838e0f21bda156bbcdc562a1b888378a6b0d9d7d8d8d4e2915492e079b87dae0d6541329340ac59552f67e342a527fe46

Download Submit
C:\Users\Admin\AppData\Local\Temp\crashhandler.dll
Filesize
275KB

MD5
2f106dedff07c7da2e3f246d8df9ef21

SHA1
ed447b88ee870a8a89b17eaf353b63694a76cad7

SHA256
e3d9839c79f22b831978b2142f79e0eb6f0fd2d56ff387bb74b2ee74ca8ade7b

SHA512
bfee813563d3b4163c76d4c2e541076a2c4735601af0a3380b7a47b4e2f111658ef057dadd457220d57073de1a9c25f564210838b9d1a090639edea2549eb8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\crashhandler.dll
Filesize
275KB

MD5
2f106dedff07c7da2e3f246d8df9ef21

SHA1
ed447b88ee870a8a89b17eaf353b63694a76cad7

SHA256
e3d9839c79f22b831978b2142f79e0eb6f0fd2d56ff387bb74b2ee74ca8ade7b

SHA512
bfee813563d3b4163c76d4c2e541076a2c4735601af0a3380b7a47b4e2f111658ef057dadd457220d57073de1a9c25f564210838b9d1a090639edea2549eb8bb

Download Submit
C:\Windows\MSDCSC\msdcsc.exe
Filesize
717KB

MD5
7ee9e4b9d2802572b2d75480856b9f36

SHA1
c901cc47c59a82950dde33e792aafe4b951a884f

SHA256
cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520

SHA512
7d4e6f2c75ffbb62e3418731e4370e3476e44b610d386fe249b08bee440576814fe17189d12046bcee40f0c2bf9356957ed0264abf29c76d8d9c14632de13bde

Download Submit
C:\Windows\MSDCSC\msdcsc.exe
Filesize
717KB

MD5
7ee9e4b9d2802572b2d75480856b9f36

SHA1
c901cc47c59a82950dde33e792aafe4b951a884f

SHA256
cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520

SHA512
7d4e6f2c75ffbb62e3418731e4370e3476e44b610d386fe249b08bee440576814fe17189d12046bcee40f0c2bf9356957ed0264abf29c76d8d9c14632de13bde

Download Submit
memory/752-140-0x0000000000000000-mapping.dmp

Download
memory/2576-135-0x0000000000000000-mapping.dmp

Download
memory/2664-154-0x0000000000000000-mapping.dmp

Download
memory/2944-146-0x0000000000000000-mapping.dmp

Download
memory/3436-148-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/3436-147-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/3436-141-0x0000000000000000-mapping.dmp

Download
memory/3736-134-0x0000000000000000-mapping.dmp

Download
memory/3744-136-0x0000000000000000-mapping.dmp

Download
memory/3760-137-0x0000000000000000-mapping.dmp

Download
memory/4496-145-0x0000000000000000-mapping.dmp

Download
memory/4624-149-0x0000000000000000-mapping.dmp

Download
memory/4908-132-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/4908-144-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/4908-133-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download