Analysis
  max time kernel: 155s
  max time network: 158s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 02-12-2022 21:27
  Static task: static1
  Behavioral task: behavioral1
  Sample: 82534de56cd3119a15d6a90c454655dcf067f2b53bcd7d81c980660b3d63a2d4.exe
  Resource: win7-20221111-en
General
  Target: 82534de56cd3119a15d6a90c454655dcf067f2b53bcd7d81c980660b3d63a2d4.exe
  Size: 1.4MB
  MD5: c160cd6bca4c3830a6724e9025679917
  SHA1: 490377dd2e7b4ac5a3beb76aeb8d4ccbe2a5a3c7
  SHA256: 82534de56cd3119a15d6a90c454655dcf067f2b53bcd7d81c980660b3d63a2d4
  SHA512: e40ea4781822eea6118c46f5b8dc6c11ef2bb9cccbd2a283f31dfa35c1a81654ee263867eba27637f584e70289d17293c617b270ebbdf20b295e146b5dd4fbeb
  SSDEEP: 24576:Gg7XAzwtfPsTlwpF3DYpdhupEZF/FtKddBXjpOlu/c5Sg7VP5o6/pFxH:f7XAzwtfc2pDYA67KdxOlu/c5SiN6aBH
Malware Config
Extracted
  darkcomet
  Server: lifefornoobs.no-ip.org:23697
  9485kM24
  gencode: cKpULmvnfG1r
  install: false
  offline_keylogger: true
  password: 123123
  persistence: false
Signatures

Executes dropped EXE 4 IoCs
Processes:
  pid   process
  3508  csrss.exe
  4156  nvvsvc.exe
  3976  csrss.exe
  4376  nvvsvc.exe
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/3976-150-0x0000000000400000-0x0000000000420000-memory.dmp  upx
  behavioral2/memory/3976-153-0x0000000000400000-0x0000000000420000-memory.dmp  upx
  behavioral2/memory/4376-155-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/3976-157-0x0000000000400000-0x0000000000420000-memory.dmp  upx
  behavioral2/memory/4376-158-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/3976-159-0x0000000000400000-0x0000000000420000-memory.dmp  upx
  behavioral2/memory/4376-160-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/4376-161-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/4376-162-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/3976-176-0x0000000000400000-0x0000000000420000-memory.dmp  upx
  behavioral2/memory/4376-177-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/4376-178-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                process
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  82534de56cd3119a15d6a90c454655dcf067f2b53bcd7d81c980660b3d63a2d4.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  WScript.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
  description      ioc                                                                                                                                                  process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss.exe"    reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nvvsvc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nvvsvc.exe"  reg.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                                                  reg.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                                                  reg.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                          pid   process                                                                -> target process
  PID 2732 set thread context of 5032  2732  82534de56cd3119a15d6a90c454655dcf067f2b53bcd7d81c980660b3d63a2d4.exe  -> 82534de56cd3119a15d6a90c454655dcf067f2b53bcd7d81c980660b3d63a2d4.exe
  PID 3508 set thread context of 3976  3508  csrss.exe                                                              -> csrss.exe
  PID 4156 set thread context of 4376  4156  nvvsvc.exe                                                             -> nvvsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 36 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: PaintStudio.View.exe
Modifies registry class 17 IoCs
Processes: PaintStudio.View.exe, 82534de56cd3119a15d6a90c454655dcf067f2b53bcd7d81c980660b3d63a2d4.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid   process
  2444  PaintStudio.View.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid   process
  1864  mspaint.exe
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes:
  Token (pid 4376, nvvsvc.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  Token (pid 2444, PaintStudio.View.exe): SeDebugPrivilege
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
  pid   process
  2732  82534de56cd3119a15d6a90c454655dcf067f2b53bcd7d81c980660b3d63a2d4.exe
  3508  csrss.exe
  4156  nvvsvc.exe
  4376  nvvsvc.exe
  1864  mspaint.exe
  2444  PaintStudio.View.exe
Suspicious use of WriteProcessMemory 53 IoCs
Processes:
  description                       pid   process                                                                -> target process
  PID 2732 wrote to memory of 5032  2732  82534de56cd3119a15d6a90c454655dcf067f2b53bcd7d81c980660b3d63a2d4.exe  -> 82534de56cd3119a15d6a90c454655dcf067f2b53bcd7d81c980660b3d63a2d4.exe
  PID 5032 wrote to memory of 3508  5032  82534de56cd3119a15d6a90c454655dcf067f2b53bcd7d81c980660b3d63a2d4.exe  -> csrss.exe
  PID 5032 wrote to memory of 4156  5032  82534de56cd3119a15d6a90c454655dcf067f2b53bcd7d81c980660b3d63a2d4.exe  -> nvvsvc.exe
  PID 3508 wrote to memory of 3976  3508  csrss.exe                                                              -> csrss.exe
  PID 4156 wrote to memory of 4376  4156  nvvsvc.exe                                                             -> nvvsvc.exe
  PID 5032 wrote to memory of 1864  5032  82534de56cd3119a15d6a90c454655dcf067f2b53bcd7d81c980660b3d63a2d4.exe  -> mspaint.exe
  PID 5032 wrote to memory of 1604  5032  82534de56cd3119a15d6a90c454655dcf067f2b53bcd7d81c980660b3d63a2d4.exe  -> WScript.exe
  PID 5032 wrote to memory of 8     5032  82534de56cd3119a15d6a90c454655dcf067f2b53bcd7d81c980660b3d63a2d4.exe  -> WScript.exe
  PID 1604 wrote to memory of 3556  1604  WScript.exe                                                            -> cmd.exe
  PID 8 wrote to memory of 3724     8     WScript.exe                                                            -> cmd.exe
  PID 3556 wrote to memory of 4820  3556  cmd.exe                                                                -> reg.exe
  PID 3724 wrote to memory of 4980  3724  cmd.exe                                                                -> reg.exe
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\82534de56cd3119a15d6a90c454655dcf067f2b53bcd7d81c980660b3d63a2d4.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\82534de56cd3119a15d6a90c454655dcf067f2b53bcd7d81c980660b3d63a2d4.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\82534de56cd3119a15d6a90c454655dcf067f2b53bcd7d81c980660b3d63a2d4.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\82534de56cd3119a15d6a90c454655dcf067f2b53bcd7d81c980660b3d63a2d4.exe"
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
      [3] C:\Users\Admin\AppData\Local\Temp\csrss.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [4] C:\Users\Admin\AppData\Local\Temp\csrss.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
            - Executes dropped EXE
      [3] C:\Users\Admin\AppData\Local\Temp\nvvsvc.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\nvvsvc.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [4] C:\Users\Admin\AppData\Local\Temp\nvvsvc.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\nvvsvc.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
      [3] C:\Windows\SysWOW64\mspaint.exe
          Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\PHOTO_377.jpg" /ForceBootstrapPaint3D
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
      [3] C:\Windows\SysWOW64\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pyt.vbs"
          - Checks computer location settings
          - Suspicious use of WriteProcessMemory
        [4] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyt.bat" "
            - Suspicious use of WriteProcessMemory
          [5] C:\Windows\SysWOW64\reg.exe
              Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "csrss" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe" /f
              - Adds Run key to start application
      [3] C:\Windows\SysWOW64\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc.vbs"
          - Checks computer location settings
          - Suspicious use of WriteProcessMemory
        [4] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dc.bat" "
            - Suspicious use of WriteProcessMemory
          [5] C:\Windows\SysWOW64\reg.exe
              Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "nvvsvc" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\nvvsvc.exe" /f
              - Adds Run key to start application
  [1] C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
      Command line: "C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"
      - Checks SCSI registry key(s)
      - Modifies registry class
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\csrss.exe
    Filesize: 380KB
    MD5: 43ae58eec11c99f805d518745ae66ed2
    SHA1: eb63531821176b3c86850f35b97bb67258814cc6
    SHA256: db761ed0a642c862363f361b039f7130ae5b4c5f732ae16f10a5ce1cf6d713b9
    SHA512: 3e7f41d9b2df9bb637faf71e6cfe364c6eec6a2fd6a80619025599259ca8377fc1deb7eb2a63a484c66f30948ec72aee8f1d0fb2b5b2c1b54bfda19ae6fb6fae
  C:\Users\Admin\AppData\Local\Temp\dc.bat
    Filesize: 131B
    MD5: df2fe85f4bcf1fa75ae5dca9264d229e
    SHA1: 6ef8ca26f4e08ed85f8d5678581ea777bc735779
    SHA256: fa25835a8fd15b62cd1ebc5b90e1b5955e49da318ef74674f74b9b28689397f0
    SHA512: 1f259cb3c9e1f64b2c50a1ec3273ff98164c997e3f1ad05ba832d72507f98fef0962259f88011c6e1c3f1ceb375fbf3b6cbc2c35522b6e93fd6fbd58865911f6
  C:\Users\Admin\AppData\Local\Temp\dc.vbs
    Filesize: 105B
    MD5: 6f84dc948b82ffec7dc6f5b53347983d
    SHA1: 477208432c5b789680dfe63a66efb60bfd8a61a7
    SHA256: c2cdc803127faa2435d054d4f2f8e7cda405f93e8f640bb7bbc33c99132de1b6
    SHA512: 2a2e2d0bbbe20f92f7945d7653790e1f4ee42abe1b283d9861b82ed7450fefae0e7da62560da5e7d9c30f0e1024df7e2db4c63ce99f354993891f9a6334456d9
  C:\Users\Admin\AppData\Local\Temp\nvvsvc.exe
    Filesize: 588KB
    MD5: 6750fb6ee5a6b47c404736f29f021377
    SHA1: ac25c9f3ff0865a08922071ccca328a1d0e30cda
    SHA256: 2d69be52fe32d73008a25813094f75555eeba3746639a27607818f873a726fc9
    SHA512: c20d00f14ced46f14cc183cf186a92b639649333a1fd54b71d32b7a4c0709ebbf9cd03dd4bf2fe566c95abaf393ed0807c308c5badc10d1d71ad301d513201da
  C:\Users\Admin\AppData\Local\Temp\pyt.bat
    Filesize: 129B
    MD5: d9c99c3e40b4608bf2b27b610d31cd1f
    SHA1: 703154038806a0ed3c5482132ea4bb84b3d01063
    SHA256: 957e85c8c1cb9372672fdfa1e0b792e22edf4243d1a6e6b226e879c7f862b79a
    SHA512: eace32b06e46ff91a3e1547a31df84a4f7d12bc30a8ca2f5e2460e9d9d758e21b670178b3d977096b6d9b4a79ba66ad2a9da16964e5a69c7798b4e18c7d26566
  C:\Users\Admin\AppData\Local\Temp\pyt.vbs
    Filesize: 106B
    MD5: b4b20425f7e2fd50862eb8942aad8d46
    SHA1: b064d29ceeabf60453e27adafef610a48d65616a
    SHA256: 821fc60d73a4e2339b293761a673eff820bdbc7df1981b5703b86466670fbe57
    SHA512: 23c4a9edb0224e8a588f3dee3d5b405ae867d5748a65ce3b83072b4bf695ca1edcfefec74a83e5d1a08241c9c2e38b0f54c2430071b9b6f88837b056d2f58260