Analysis
max time kernel: 157s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2022 05:19
Static task: static1
Behavioral task: behavioral1
Sample: c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe
Resource: win7-20221111-en
General
Target: c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe
Size: 2.7MB
MD5: 349b587ed5fda616d179ba9a1718fb4c
SHA1: d503cdd4bd462f182ff328cc262ec0f99486d6f4
SHA256: c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101
SHA512: 29e079f1c4449e61231f79917ea1da21991855ff3790c356f2f0a5c70474221a518a060cb0405b3d30fcdab5017b0ed1e8dcc8f89ef3502301b4bf8290f986cd
SSDEEP: 24576:SKKTygi5eQlaRERr3Aui0K29imwteZGSzZt3cn5uXPBL7I7noV6jOIyz8+CQBKZq:+IKjOIy3DBKZFOeBYie
Malware Config
Extracted
family: darkcomet
campaign id: PH
C2: justfordarkcomet.zapto.org:1604
C2: 127.0.0.1:1604
C2: 192.168.0.2:1604
mutex: DC_MUTEX-E6M25ZF
gencode: ytR7Ej1ChUCo
install: false
offline_keylogger: true
persistence: false
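Of the three C2 entries only the dynamic-DNS host is worth acting on; 127.0.0.1 and 192.168.0.2 are the kind of placeholder a DarkComet builder leaves in the config. The script below, an added example that is not part of the sandbox report or of any DarkComet tooling, does that triage on the config text transcribed from this page. The DDNS suffix list and the treatment of port 1604 as the DarkComet default are the author's assumptions.

```python
"""Triage the extracted DarkComet configuration shown above.

Added example, not part of the sandbox report.  It reads the C2 list,
separates loopback / RFC 1918 placeholder entries from the host you can
actually block or hunt for, and pulls out the mutex and the build options.
"""
import ipaddress
import re

# Transcribed from the "Malware Config" block above (option name and value
# joined on one line).
CONFIG_TEXT = """
darkcomet
PH
justfordarkcomet.zapto.org:1604
127.0.0.1:1604
192.168.0.2:1604
DC_MUTEX-E6M25ZF
gencode ytR7Ej1ChUCo
install false
offline_keylogger true
persistence false
"""

DARKCOMET_DEFAULT_PORT = 1604                  # assumption: builder default
DDNS_SUFFIXES = (".zapto.org", ".no-ip.org", ".no-ip.biz",
                 ".ddns.net", ".hopto.org", ".duckdns.org")   # illustrative list

HOSTPORT_RE = re.compile(r"^(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})$")
MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]+$")
OPTION_RE = re.compile(r"^(?P<key>[a-z_]+)\s+(?P<val>\S+)$")


def classify_host(host: str) -> str:
    """'loopback' / 'private' / 'public-ip' for addresses, 'ddns' / 'hostname' for names."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "ddns" if host.lower().endswith(DDNS_SUFFIXES) else "hostname"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public-ip"


def triage(config_text: str) -> dict:
    """Split the config into actionable C2 entries, placeholders, mutex and options."""
    result = {"c2": [], "placeholders": [], "mutex": [], "options": {}}
    for line in config_text.splitlines():
        line = line.strip()
        m = HOSTPORT_RE.match(line)
        if m:
            host, port = m.group("host"), int(m.group("port"))
            kind = classify_host(host)
            entry = {"host": host, "port": port, "kind": kind,
                     "default_port": port == DARKCOMET_DEFAULT_PORT}
            # 127.0.0.1 and 192.168.x.x are builder defaults or the operator's
            # own LAN tests; they never point at the real controller.
            bucket = "placeholders" if kind in ("loopback", "private") else "c2"
            result[bucket].append(entry)
        elif MUTEX_RE.match(line):
            result["mutex"].append(line)
        elif (o := OPTION_RE.match(line)):
            val = o.group("val")
            result["options"][o.group("key")] = {"true": True, "false": False}.get(val.lower(), val)
    return result


def network_indicators(triaged: dict) -> list[str]:
    """host:port strings to feed a blocklist or a DNS / flow search."""
    return [f"{e['host']}:{e['port']}" for e in triaged["c2"]]


if __name__ == "__main__":
    t = triage(CONFIG_TEXT)
    print("block/hunt:", network_indicators(t))
    print("placeholders:", [e["host"] for e in t["placeholders"]])
    print("mutex:", t["mutex"], "options:", t["options"])
```

The mutex name is a host-level indicator (a running DarkComet stub holds DC_MUTEX-E6M25ZF); offline_keylogger = true means keystrokes are logged to disk even while the controller is unreachable, so the keylog files are worth collecting during response.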
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: vbc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (vbc.exe)
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (vbc.exe)
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (vbc.exe)
-
Windows security bypass 1 IoCs
Processes: vbc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (vbc.exe)
-
Disables RegEdit via registry modification 1 IoCs
Processes: vbc.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (vbc.exe)
-
Executes dropped EXE 3 IoCs
Processes: Call Of duty 2 wh.exe, WLIDSCV.exe, NBfjzsAMLEadIpfE.exe
PID 4932 Call Of duty 2 wh.exe
PID 2140 WLIDSCV.exe
PID 4284 NBfjzsAMLEadIpfE.exe
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc. Here the targets are the .NET 2.0 compiler vbc.exe and its whole v2.0.50727 directory (see the attrib command lines in the process tree); neither is hidden or system-flagged on a normal install, so the attribute change itself is a usable indicator.
Processes: attrib.exe, attrib.exe
PID 2844 attrib.exe
PID 3688 attrib.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence. Both readers belong to the .NET loader chain, and benign .NET code reads the same key when it initialises region information, so on its own this is weak evidence.
Processes: c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe, WLIDSCV.exe
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe)
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (WLIDSCV.exe)
-
Uses the VB.NET compiler (vbc.exe) for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: vbc.exe, vbc.exe
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run (vbc.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nixXXcTJlDkJiOil = "C:\\Users\\Admin\\AppData\\Roaming\\NBfjzsAMLEadIpfE.exe" (vbc.exe)
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run (vbc.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ugtAYUTPz = "C:\\Users\\Admin\\AppData\\Roaming\\LZrWcMqIG.exe" (vbc.exe)
Note that the extracted DarkComet config has install = false and persistence = false. These Run keys are written by the hollowed vbc.exe instances of the outer loader (PIDs 4160 and 4904 in the process tree), not by the vbc.exe that carries the DarkComet payload (PID 4984). NBfjzsAMLEadIpfE.exe has the same hashes as the submitted sample (see Downloads), so the loader re-launches a copy of itself at logon.
-
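The registry changes in the blocks above (firewall off, Security Center notification off, regedit disabled, Run keys into the user profile) are the host-tamper set a DarkComet stub applies, and they are cheap to detect from event data. The script below is an added example, not part of the sandbox report or of any DarkComet tooling: it parses event lines in the same "description ioc process" format used on this page, normalises the hive paths so that ControlSet001, WOW6432Node and per-user SIDs do not matter, and matches them against a small rule set. The rules and severity labels are the author's; the input is copied from this page plus one benign Internet Explorer write that must not fire.

```python
"""Match sandbox registry events against DarkComet host-tamper rules.

Added example, not part of the sandbox report.  Input lines are in the
"Set value (type) <path> = "<value>" <process>" / "Key created <path> <process>"
format used by the signature blocks above.
"""
import re

# Constructed input: lines copied from the signature blocks on this page,
# plus a benign Internet Explorer write as a negative case.
EVENTS = r"""
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile vbc.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" vbc.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" vbc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" vbc.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" vbc.exe
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run vbc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nixXXcTJlDkJiOil = "C:\\Users\\Admin\\AppData\\Roaming\\NBfjzsAMLEadIpfE.exe" vbc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ugtAYUTPz = "C:\\Users\\Admin\\AppData\\Roaming\\LZrWcMqIG.exe" vbc.exe
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation WLIDSCV.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
"""

OPS = ("Set value", "Key created", "Key deleted", "Key value queried")

# (rule id, severity, regex on the normalised path, regex on the value or None)
RULES = [
    ("firewall_disabled", "high",
     r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\\w+Profile\\EnableFirewall$", r"^0$"),
    ("security_center_notify_off", "high",
     r"^HKLM\\SOFTWARE\\Microsoft\\Security Center\\(UpdatesDisableNotify|FirewallDisableNotify|AntiVirusDisableNotify)$", r"^1$"),
    ("regedit_disabled", "high",
     r"^HKU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools$", r"^1$"),
    ("run_key_into_profile", "medium",
     r"^HK(LM|U)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$",
     r"(?i)[\\]+AppData[\\]+(Roaming|Local)[\\]"),
    ("geo_nation_lookup", "info",
     r"^HKU\\Control Panel\\International\\Geo\\Nation$", None),
]


def parse_event(line: str):
    """Turn one 'description ioc process' line into a dict, or None if it is not one."""
    line = line.strip()
    op = next((o for o in OPS if line.startswith(o)), None)
    if op is None:
        return None
    rest = line[len(op):].strip()
    vtype = None
    if op == "Set value":
        m = re.match(r"\((\w+)\)\s+", rest)
        if not m:
            return None
        vtype, rest = m.group(1), rest[m.end():]
    rest, _, process = rest.rpartition(" ")       # process name is the last token
    path, value = rest, None
    if ' = "' in rest:                             # quoted str / int value
        path, _, value = rest.partition(' = "')
        value = value[:-1] if value.endswith('"') else value
    elif " = " in rest:                            # unquoted binary (data) value
        path, _, value = rest.partition(" = ")
    return {"op": op, "type": vtype, "path": path, "value": value, "process": process}


def normalize(path: str) -> str:
    """\\REGISTRY\\MACHINE -> HKLM, \\REGISTRY\\USER\\<sid> -> HKU, drop ControlSet00N / WOW6432Node."""
    p = re.sub(r"^\\REGISTRY\\USER\\S-1-5-[0-9-]+\\", r"HKU\\", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", p, flags=re.I)
    p = re.sub(r"\\ControlSet\d+\\", r"\\CurrentControlSet\\", p, flags=re.I)
    p = re.sub(r"\\WOW6432Node\\", r"\\", p, flags=re.I)
    return p


def scan(text: str) -> list[dict]:
    """Return one hit per (event, rule) match, in event order."""
    hits = []
    for line in text.strip().splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        path = normalize(ev["path"])
        for rule_id, severity, path_re, value_re in RULES:
            if not re.search(path_re, path, re.I):
                continue
            if value_re is not None and (ev["value"] is None or not re.search(value_re, ev["value"])):
                continue
            hits.append({"rule": rule_id, "severity": severity, "process": ev["process"],
                         "path": path, "value": ev["value"]})
    return hits


if __name__ == "__main__":
    for h in scan(EVENTS):
        print(f"[{h['severity']}] {h['rule']}: {h['process']} {h['path']} = {h['value']}")
```

The same rules transfer directly to Sysmon Event ID 13 (RegistryEvent value set) data once the `HKLM\` / `HKU\<sid>\` prefixes are normalised the same way; the DisableNotifications = "0" write is deliberately not a rule, since 0 is the default for that value.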
Suspicious use of SetThreadContext 3 IoCs
Processes: c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe, Call Of duty 2 wh.exe, NBfjzsAMLEadIpfE.exe
PID 1348 c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe set thread context of PID 4160 vbc.exe
PID 4932 Call Of duty 2 wh.exe set thread context of PID 4904 vbc.exe
PID 4284 NBfjzsAMLEadIpfE.exe set thread context of PID 4984 vbc.exe
Each target is a vbc.exe started with no arguments (compare the process tree, where the genuine compiler runs carry /noconfig and a response file and spawn cvtres.exe). Combined with the repeated WriteProcessMemory calls into the same PIDs this is consistent with process hollowing of a signed Microsoft binary.
-
Drops file in Windows directory 2 IoCs
Processes: attrib.exe, attrib.exe
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727 (attrib.exe)
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (attrib.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this likely ransomware behaviour; here the extracted config identifies the sample as a DarkComet RAT, and no file encryption is reported, so treat the drive enumeration as the RAT's own drive discovery rather than as evidence of ransomware.
-
Modifies Internet Explorer settings 28 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
All paths below are under \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\.
Set value (int) SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377072393" (iexplore.exe)
Set value (str) SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
Key created Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000890" (IEXPLORE.EXE)
Key created Software\Microsoft\Internet Explorer\Main (iexplore.exe)
Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1774211343" (iexplore.exe)
Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" (iexplore.exe)
Key created SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames (iexplore.exe)
Key created Software\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
Set value (int) SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
Key created Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1805460571" (IEXPLORE.EXE)
Set value (str) SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
Key created Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
Key created Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
Set value (str) SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
Set value (data) SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
Set value (int) SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
Key created Software\Microsoft\Internet Explorer\VersionManager (iexplore.exe)
Key created SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" (iexplore.exe)
Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000890" (iexplore.exe)
Key created Software\Microsoft\Internet Explorer\VersionManager (IEXPLORE.EXE)
Set value (int) SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{92144B66-752D-11ED-B696-DA88DC7FA106} = "0" (iexplore.exe)
Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000890" (iexplore.exe)
Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1774211343" (iexplore.exe)
Key created Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
Key created SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
These are Internet Explorer's own first-run writes. The point of interest is only that iexplore.exe was launched by the dropped Call Of duty 2 wh.exe (see the process tree), not the registry values themselves.
-
NTFS ADS 2 IoCs
Processes: cmd.exe, cmd.exe
File created C:\Users\Admin\AppData\Roaming\NBfjzsAMLEadIpfE.exe:ZONE.identifier (cmd.exe)
File created C:\Users\Admin\AppData\Roaming\LZrWcMqIG.exe:ZONE.identifier (cmd.exe)
A Zone.Identifier stream is normally written by the browser or mail client that downloaded a file. A loader writing it from cmd.exe is usually setting the zone of its own dropped executable so that it does not carry the mark-of-the-web prompt; the 27-byte stream content is hashed under Downloads.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: WLIDSCV.exe (PID 2140), Call Of duty 2 wh.exe (PID 4932), NBfjzsAMLEadIpfE.exe (PID 4284)
64 process-enumeration events: one from PID 4932 Call Of duty 2 wh.exe, the remainder alternating between PID 2140 WLIDSCV.exe and PID 4284 NBfjzsAMLEadIpfE.exe.
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: vbc.exe, iexplore.exe
PID 4984 vbc.exe
PID 552 iexplore.exe
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes: WLIDSCV.exe, Call Of duty 2 wh.exe, NBfjzsAMLEadIpfE.exe, vbc.exe
Token: SeDebugPrivilege PID 2140 WLIDSCV.exe
Token: SeDebugPrivilege PID 4932 Call Of duty 2 wh.exe
Token: SeDebugPrivilege PID 4284 NBfjzsAMLEadIpfE.exe
Token (all PID 4984 vbc.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: iexplore.exe
PID 552 iexplore.exe
-
Suspicious use of SetWindowsHookEx 9 IoCs
Processes: vbc.exe, vbc.exe, iexplore.exe, IEXPLORE.EXE, vbc.exe
PID 4160 vbc.exe
PID 4904 vbc.exe
PID 552 iexplore.exe (2 hooks)
PID 4084 IEXPLORE.EXE (4 hooks)
PID 4984 vbc.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe, Call Of duty 2 wh.exe, vbc.exe, vbc.exe, WLIDSCV.exe, iexplore.exe, NBfjzsAMLEadIpfE.exe, vbc.exe
Repeated writes to the same target are collapsed; the count of writes is in parentheses.
PID 1348 c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe wrote to memory of PID 4160 vbc.exe (8)
PID 1348 c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe wrote to memory of PID 3756 cmd.exe (3)
PID 1348 c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe wrote to memory of PID 4932 Call Of duty 2 wh.exe (3)
PID 1348 c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe wrote to memory of PID 4892 vbc.exe (3)
PID 4932 Call Of duty 2 wh.exe wrote to memory of PID 4904 vbc.exe (8)
PID 4932 Call Of duty 2 wh.exe wrote to memory of PID 1140 cmd.exe (3)
PID 4892 vbc.exe wrote to memory of PID 2032 cvtres.exe (3)
PID 4932 Call Of duty 2 wh.exe wrote to memory of PID 3360 vbc.exe (3)
PID 1348 c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe wrote to memory of PID 2140 WLIDSCV.exe (3)
PID 3360 vbc.exe wrote to memory of PID 1620 cvtres.exe (3)
PID 4932 Call Of duty 2 wh.exe wrote to memory of PID 552 iexplore.exe (2)
PID 2140 WLIDSCV.exe wrote to memory of PID 4284 NBfjzsAMLEadIpfE.exe (3)
PID 552 iexplore.exe wrote to memory of PID 4084 IEXPLORE.EXE (3)
PID 4284 NBfjzsAMLEadIpfE.exe wrote to memory of PID 4984 vbc.exe (14)
PID 4984 vbc.exe wrote to memory of PID 4080 cmd.exe (2)
Every ordinary parent/child pair shows two or three writes, which is what the sandbox records for plain process creation. The three SetThreadContext targets (PIDs 4160, 4904 and 4984) receive 8, 8 and 14 writes, consistent with an image being written section by section into a suspended vbc.exe before its thread context is replaced.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes: attrib.exe, attrib.exe
PID 2844 attrib.exe
PID 3688 attrib.exe
Processes
-
Tree depth is shown in brackets; PIDs are taken from the signature blocks above where the report makes the mapping unambiguous.
[1] C:\Users\Admin\AppData\Local\Temp\c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe (PID 1348)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4160, SetThreadContext target of 1348)
      cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Adds Run key to start application
      - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\SysWOW64\cmd.exe (PID 3756)
      cmdline: "cmd"
      - NTFS ADS
  [2] C:\Users\Admin\AppData\Roaming\Call Of duty 2 wh.exe (PID 4932)
      cmdline: "C:\Users\Admin\AppData\Roaming\Call Of duty 2 wh.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4904, SetThreadContext target of 4932)
        cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        - Adds Run key to start application
        - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\cmd.exe (PID 1140)
        cmdline: "cmd"
        - NTFS ADS
    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3360, genuine compiler run)
        cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6aujngdq.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 1620)
          cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB46.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEAE8D6EEDBB548828CBE837AE315B2C0.TMP"
    [3] C:\Program Files\Internet Explorer\iexplore.exe (PID 552)
        cmdline: "C:\Program Files\Internet Explorer\iexplore.exe"
        - Modifies Internet Explorer settings
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 4084)
          cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:552 CREDAT:17410 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4892, genuine compiler run)
      cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_acvxrqk.cmdline"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2032)
        cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEEB977055BA748E2B929FDD6FA266411.TMP"
  [2] C:\Users\Admin\AppData\Roaming\WLIDSCV.exe (PID 2140)
      cmdline: "C:\Users\Admin\AppData\Roaming\WLIDSCV.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\NBfjzsAMLEadIpfE.exe (PID 4284)
        cmdline: "C:\Users\Admin\AppData\Roaming\NBfjzsAMLEadIpfE.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4984, SetThreadContext target of 4284; the process that applies the firewall and regedit changes)
          cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          - Modifies firewall policy service
          - Windows security bypass
          - Disables RegEdit via registry modification
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
          [6] C:\Windows\SysWOW64\attrib.exe
              cmdline: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
              - Sets file to hidden
              - Drops file in Windows directory
              - Views/modifies file attributes
        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
          [6] C:\Windows\SysWOW64\attrib.exe
              cmdline: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
              - Sets file to hidden
              - Drops file in Windows directory
              - Views/modifies file attributes
        [5] C:\Windows\SysWOW64\notepad.exe
            cmdline: notepad
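The tree above contains five vbc.exe instances of which only two are real compiler runs. The script below is an added example, not part of the sandbox report: it reconstructs the tree from process records transcribed from this page and separates the hollowed vbc.exe instances (no arguments, SetThreadContext target) from the genuine ones (/noconfig plus a response file, followed by cvtres.exe), and also flags the attrib +s +h runs against C:\Windows. PIDs for the second cmd.exe (2864) and notepad.exe (3980) are assumed, since the report lists them only as memory maps; the list of legitimate build hosts is the author's.

```python
"""Separate hollowed vbc.exe instances from genuine compiler runs.

Added example, not part of the sandbox report.  Process records are
transcribed from the "Processes" tree above; SetThreadContext pairs from
the matching signature block.
"""
from dataclasses import dataclass
from ntpath import basename


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101.exe"

# Constructed from the process tree; PIDs 2864 and 3980 are assumed.
PROCESSES = [
    Proc(1348, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(4160, 1348, VBC, VBC),                                   # no arguments
    Proc(3756, 1348, CMD, '"cmd"'),
    Proc(4892, 1348, VBC, f'"{VBC}" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\_acvxrqk.cmdline"'),
    Proc(2032, 4892, CVTRES, f"{CVTRES} /NOLOGO /READONLY /MACHINE:IX86"),
    Proc(4932, 1348, ROAMING + r"\Call Of duty 2 wh.exe", f'"{ROAMING}\\Call Of duty 2 wh.exe"'),
    Proc(4904, 4932, VBC, VBC),                                   # no arguments
    Proc(1140, 4932, CMD, '"cmd"'),
    Proc(3360, 4932, VBC, f'"{VBC}" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\6aujngdq.cmdline"'),
    Proc(1620, 3360, CVTRES, f"{CVTRES} /NOLOGO /READONLY /MACHINE:IX86"),
    Proc(2140, 1348, ROAMING + r"\WLIDSCV.exe", f'"{ROAMING}\\WLIDSCV.exe"'),
    Proc(4284, 2140, ROAMING + r"\NBfjzsAMLEadIpfE.exe", f'"{ROAMING}\\NBfjzsAMLEadIpfE.exe"'),
    Proc(4984, 4284, VBC, VBC),                                   # no arguments
    Proc(4080, 4984, CMD, f'"C:\\Windows\\System32\\cmd.exe" /k attrib "{VBC}" +s +h'),
    Proc(2844, 4080, r"C:\Windows\SysWOW64\attrib.exe", f'attrib "{VBC}" +s +h'),
    Proc(2864, 4984, CMD, '"C:\\Windows\\System32\\cmd.exe" /k attrib "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727" +s +h'),
    Proc(3688, 2864, r"C:\Windows\SysWOW64\attrib.exe", 'attrib "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727" +s +h'),
    Proc(3980, 4984, r"C:\Windows\SysWOW64\notepad.exe", "notepad"),
]

# (source pid, target pid) from the "Suspicious use of SetThreadContext" block.
SET_THREAD_CONTEXT = [(1348, 4160), (4932, 4904), (4284, 4984)]

COMPILERS = {"vbc.exe", "csc.exe"}
BUILD_HOSTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "csc.exe", "vbc.exe"}  # assumption


def analyse(procs, thread_ctx):
    """Return (rule, pid, detail) findings for the given process records."""
    by_pid = {p.pid: p for p in procs}
    injected = {tgt for _, tgt in thread_ctx}
    hollowed = set()
    findings = []
    for p in procs:
        name = basename(p.image).lower()
        parent = by_pid.get(p.ppid)
        pname = basename(parent.image).lower() if parent else "?"
        if name in COMPILERS:
            # A real compile is driven by a response file: vbc.exe /noconfig @file.cmdline
            compile_run = "/noconfig" in p.cmdline.lower() and "@" in p.cmdline
            if not compile_run and p.pid in injected:
                hollowed.add(p.pid)
                findings.append(("process_hollowing", p.pid,
                                 f"{pname} started {name} with no arguments, then SetThreadContext"))
            elif not compile_run:
                findings.append(("compiler_without_args", p.pid, f"{name} launched by {pname} without a response file"))
            elif pname not in BUILD_HOSTS:
                findings.append(("runtime_compilation", p.pid, f"{pname} compiles code at run time via {name}"))
        if name == "attrib.exe" and "+h" in p.cmdline.lower() and "\\windows\\" in p.cmdline.lower():
            findings.append(("hides_windows_path", p.pid, p.cmdline))
    for p in procs:
        if p.ppid in hollowed:
            findings.append(("child_of_hollowed", p.pid, f"{basename(p.image).lower()} spawned by hollowed pid {p.ppid}"))
    return findings


def by_rule(findings, rule):
    """PIDs that triggered one rule, in process order."""
    return [pid for r, pid, _ in findings if r == rule]


if __name__ == "__main__":
    for rule, pid, detail in analyse(PROCESSES, SET_THREAD_CONTEXT):
        print(f"{rule:22} pid {pid:5}  {detail}")
```

Without the SetThreadContext events (an EDR that only logs process creation) the same three PIDs still surface, as compiler_without_args; the runtime_compilation findings (PIDs 4892 and 3360) are the loader compiling the next stage from the .vb sources listed under Downloads.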
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: ac572cbbc82d6d652cdbe2596aeac4ee
SHA1: a631b27cf33fe134f42ed411d7ea06c21df41ad5
SHA256: 50b6d8f62150a7bd25fb3e462130e8e054a0f1fb619487e8c426a4c8bf6bdca8
SHA512: 070095ec83e4eeccae5dcbadcb3132f08fd0aac50badbc42cb72691236b6cfcdf14ce275fb1bf5511896bb4dd25c2121e044341003c1a507be8fabc0b2b1bfff
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 434B
MD5: f390d56e5df4500f4f6856243a5a1e42
SHA1: df9e375af08894bf177a362eb55fc7ec398fbb9b
SHA256: ddb7923dfa6aefc149a9b40c55466e82be52ef518b144967cbfebb06dad8f869
SHA512: c80b934b5d81a8543c57c3c4d007d8b1ed815ae646f13ab3818dca3e08651d5e57dc5aa2618dc1f58d59a782af65c195d23b2f3e5424b39a0a99427e4badbe72
-
C:\Users\Admin\AppData\Local\Temp\6aujngdq.0.vb
Filesize: 1KB
MD5: 50c58a9068c0a03cc687dc2b4d48897b
SHA1: 30a152329a9ec53af43ddf8b7afa7e9fa8db5137
SHA256: 0ba8eaadd1312856fcd44457e5ed4a1dc4e81b9730747d9386a462937396f9c8
SHA512: a4f04862809b2e28af4e97e8958e2b554e1ea89abb2d697a4b0aea05946e44369ea054a51f0ea53f973cbbbd6c7e810fe799b9212f5766e85461f2b186be68d4
-
C:\Users\Admin\AppData\Local\Temp\6aujngdq.cmdline
Filesize: 248B
MD5: 971588d50f5cffef10bb7fa78cc6c59c
SHA1: d0b1f7c3ef02d2f00aee42ee54b1b09536825bd1
SHA256: 4d4d45f53b2ab1411aea9ab53255e78b4ee61e516bb25a5894fdaf2c48028e3e
SHA512: 668cfdead29c195e1fe71af29b005c8fc49650c00acb9ae384accee016380e38cd506adb63ab2ea4eedf28a3d2d8bbbb4ff80af6b436a02e18d2f3c8076ce30f
-
C:\Users\Admin\AppData\Local\Temp\RESB9DF.tmp
Filesize: 1KB
MD5: 6a39283204786976d77426a4ee292d64
SHA1: 4f0e6f72f21cdf2f036ac27b289078bfdd9cb9df
SHA256: 12c0a2d92faf38971a139a29331242d5b36fed686131b922894a8fd346361a43
SHA512: 9db90cb83123665200757003d0b2c0ebfc1696218593eb002c998df749681f60dcab34f32be5b1c52d1b6659c90893d065433a9c78fa5dc3ba4d28c691601b61
-
C:\Users\Admin\AppData\Local\Temp\RESBB46.tmp
Filesize: 1KB
MD5: 2e1c8915924d27b2b42768410914b1f6
SHA1: 6dc544f75e22cbb43d16f377005a628e15b1fd7e
SHA256: 93e41e59c02e7ed9d342fd1b101709ed40a73a152cb3838f95885f048936929e
SHA512: a5f88cf3998d80cd2d1f0de5dd55ba16440ac085d4797f6d26910ca42c700cdfeae470b89f679704d0f35136866ea23e817669c8fd82644dcada8c479c522c2c
-
C:\Users\Admin\AppData\Local\Temp\_acvxrqk.0.vb
Filesize: 1KB
MD5: 807864bc5874b59e52fb57ad8f94cb43
SHA1: ebe40463b82af606869fd9eb5fbf7a0c9e2d8eed
SHA256: d0d58960f9306f7245f38e44d66f9c8f938eb0e3a3b4e6c29ba2b326ce3acf7d
SHA512: ac009ba60a589ca71aace3f8321b11721d0d912c5cab4079cc6075ac607de705817b234a0429b8b4a6cd39e37c72ca755345500fd8391bfc279347e39a9452d6
-
C:\Users\Admin\AppData\Local\Temp\_acvxrqk.cmdline
Filesize: 248B
MD5: 29c4e61003a34ef1c389e1cf3115e974
SHA1: 4a5209a5c8cfcc9c2adec8a611cac6a4e7e5ba07
SHA256: 4fe54a894326d1a99ff7077abdd770ffb9487f6816f92e879773de28576343fc
SHA512: 8c5a353b22ec992b853955c04873002ad7d8588ffce18a7ff29831b1b6d804e4c750ae50a4e326afa4bd615634f94097dbf0ccde49bfdcb289c418745e95307e
-
C:\Users\Admin\AppData\Local\Temp\vbcEAE8D6EEDBB548828CBE837AE315B2C0.TMP
Filesize: 644B
MD5: 070d19a29fd713891607e27d97ead816
SHA1: e42cf75eb53e89ce253dea01274f383bc498cb3b
SHA256: 1ee0d7a798e175d5a7d518bb3b27d4cebff4bc1bade76f4a3e433d88ee926d1e
SHA512: 65a26d184056e35d15c6609bc15313742cbc77baeb0228e1081bdc96ff91631fdcf363787a1bfdfa4883155039c7ef2953ad7e4e4f20e2f71005d0bec98e27ef
-
C:\Users\Admin\AppData\Local\Temp\vbcEEB977055BA748E2B929FDD6FA266411.TMP (identical content to the previous file)
Filesize: 644B
MD5: 070d19a29fd713891607e27d97ead816
SHA1: e42cf75eb53e89ce253dea01274f383bc498cb3b
SHA256: 1ee0d7a798e175d5a7d518bb3b27d4cebff4bc1bade76f4a3e433d88ee926d1e
SHA512: 65a26d184056e35d15c6609bc15313742cbc77baeb0228e1081bdc96ff91631fdcf363787a1bfdfa4883155039c7ef2953ad7e4e4f20e2f71005d0bec98e27ef
-
C:\Users\Admin\AppData\Roaming\Call Of duty 2 wh.exe (listed twice in the report)
Filesize: 1.1MB
MD5: 5161ef523bfd5701f9b5f5225f040f19
SHA1: 18fcab853e6e475286caa4f6598aed4169223885
SHA256: e00974d91ab5fd276dcfe490a261073dc00a3e9bf8b918880715db74a84d34f0
SHA512: 898abda2099c81800066be158118400571740c62b8349b60f5c5e724564881c2606f8d1ed70f86610c7e4d238763dc89078cbe30e2c20b3515e80ef181033ad5
-
C:\Users\Admin\AppData\Roaming\LZrWcMqIG.exe:ZONE.identifier
Filesize: 27B
MD5: 130a75a932a2fe57bfea6a65b88da8f6
SHA1: b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c
SHA256: f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e
SHA512: 6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed
LZrWcMqIG.exe itself is not in this list; only its Zone.Identifier stream and the Run key that references it were observed.
-
C:\Users\Admin\AppData\Roaming\NBfjzsAMLEadIpfE.exe (listed three times in the report; same hashes as the submitted sample)
Filesize: 2.7MB
MD5: 349b587ed5fda616d179ba9a1718fb4c
SHA1: d503cdd4bd462f182ff328cc262ec0f99486d6f4
SHA256: c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101
SHA512: 29e079f1c4449e61231f79917ea1da21991855ff3790c356f2f0a5c70474221a518a060cb0405b3d30fcdab5017b0ed1e8dcc8f89ef3502301b4bf8290f986cd
-
C:\Users\Admin\AppData\Roaming\WLIDSCV.exe (listed twice in the report)
Filesize: 7KB
MD5: 00e90e6cd098ab943b761562d1fbbee5
SHA1: 12ea9bfd4d7f394c6021f459a1b0f364325007d8
SHA256: 70334556a71765f4c6fb4182e989f6bdeb3bd70ef2099d4010aed4891b49d088
SHA512: 6fae5eb6e616dde5271310c8c42e041bce98ff31dc151c15170218eec7a120da1eb36e74329de52331ef3d0f8a74377beda31fac3d09594d3625457389d0b813
-
C:\Users\Admin\AppData\Roaming\fp.txt
Filesize: 138B
MD5: ce5116376502f7ea74e285546554e7a7
SHA1: 49e0d08484aff6abbc2074bb7c5c5d1771c695bc
SHA256: 6f50f66872b7759dba6e033ec4ebeceee513870233fa84467e52750bf8bb1ba6
SHA512: 06e2cf5747aaef37b9ac5750b082b6012e663367c008c51a1eab4434184e2c4b446d4bc35c98518734a998e042b51d8bbcbedaef6121986df611fd1923f6401a
-
C:\Users\Admin\AppData\Roaming\fp.txt (second version)
Filesize: 74B
MD5: 98aae9187c8f33add1f036a632df36e1
SHA1: e882acb6a1b6a9970b6d5f6063a955970db13d01
SHA256: 30f496723a7b1fc9e5e4e4dde14a0a084deac35e44f1e2c0bb88a1f884a9a67a
SHA512: af94dce01956734948e2214931d3472a9f94efd3a26130e9d8242ead68d7167ab0b1eff9bd0d66244ffbb03f38a4c27801e9994a85796290212e4838a0692a0b
-
Memory dumps. Note the sizes of the regions at image base 0x400000 in the hollowed vbc.exe processes: PIDs 4160 and 4904 (the Run-key stage) hold a 20KB image, PID 4984 (the process that disables the firewall and regedit) holds a 756KB image, so the 756KB dump is the one to carve for the DarkComet payload. The 5.7MB region at 0x75170000 is shared by every process in the .NET loader chain (1348, 2140, 4284, 4932).
memory/1140-154-0x0000000000000000-mapping.dmp
memory/1348-132-0x0000000075170000-0x0000000075721000-memory.dmp (5.7MB)
memory/1348-170-0x0000000075170000-0x0000000075721000-memory.dmp (5.7MB)
memory/1620-168-0x0000000000000000-mapping.dmp
memory/2032-159-0x0000000000000000-mapping.dmp
memory/2140-183-0x0000000075170000-0x0000000075721000-memory.dmp (5.7MB)
memory/2140-176-0x0000000075170000-0x0000000075721000-memory.dmp (5.7MB)
memory/2140-164-0x0000000000000000-mapping.dmp
memory/2844-187-0x0000000000000000-mapping.dmp
memory/2864-186-0x0000000000000000-mapping.dmp
memory/3360-162-0x0000000000000000-mapping.dmp
memory/3688-188-0x0000000000000000-mapping.dmp
memory/3756-136-0x0000000000000000-mapping.dmp
memory/3980-185-0x0000000000000000-mapping.dmp
memory/4080-184-0x0000000000000000-mapping.dmp
memory/4160-133-0x0000000000000000-mapping.dmp
memory/4160-139-0x0000000000400000-0x0000000000405000-memory.dmp (20KB)
memory/4160-142-0x0000000000400000-0x0000000000405000-memory.dmp (20KB)
memory/4160-134-0x0000000000400000-0x0000000000405000-memory.dmp (20KB)
memory/4284-189-0x0000000075170000-0x0000000075721000-memory.dmp (5.7MB)
memory/4284-174-0x0000000000000000-mapping.dmp
memory/4284-181-0x0000000075170000-0x0000000075721000-memory.dmp (5.7MB)
memory/4892-146-0x0000000000000000-mapping.dmp
memory/4904-147-0x0000000000000000-mapping.dmp
memory/4904-156-0x0000000000400000-0x0000000000405000-memory.dmp (20KB)
memory/4932-173-0x0000000075170000-0x0000000075721000-memory.dmp (5.7MB)
memory/4932-153-0x0000000075170000-0x0000000075721000-memory.dmp (5.7MB)
memory/4932-143-0x0000000000000000-mapping.dmp
memory/4984-182-0x0000000000400000-0x00000000004BD000-memory.dmp (756KB)
memory/4984-180-0x0000000000400000-0x00000000004BD000-memory.dmp (756KB)
memory/4984-179-0x0000000000400000-0x00000000004BD000-memory.dmp (756KB)
memory/4984-178-0x0000000000400000-0x00000000004BD000-memory.dmp (756KB)
memory/4984-177-0x0000000000000000-mapping.dmp
memory/4984-190-0x0000000000400000-0x00000000004BD000-memory.dmp (756KB)