darkcomet | 53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Size

2.5MB
MD5

b85bd40c70b5913df16cac41feae9949
SHA1

88139dbe95928614ab375ef0e3257a925dff0bb7
SHA256

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd
SHA512

4c57449a1afe32959c5b9760ad065392e4e0b29f3f2323202b4649393a764b71dff03af9aa02a7154f0c24e1855b97eb1b32994aa2b692f0844bd29a1d63535d
SSDEEP

49152:7JZoQrbTFZY1iaJag33A46NOBLtCaW/sXdkWQe9D+nwOWYcu2I7RTp/PwWUlLmY6:7trbTA19as3l8OBL+I7D+nwcP3tY6

Score

10^/10

darkcomet victime evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Victime

shytoos.ddns.net:1604

Mutex

DC_MUTEX-Z8X4H3R

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
JJ52hfcLdTnD
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe

Executes dropped EXE 3 IoCs

Processes:

bnd.exemsdcsc.exebnd.exe

pid process

1692 bnd.exe
304 msdcsc.exe
1092 bnd.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

384 attrib.exe
532 attrib.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1780 notepad.exe

pid	process
1692	bnd.exe
304	msdcsc.exe
1092	bnd.exe

pid	process
384	attrib.exe
532	attrib.exe

pid	process
1780	notepad.exe

Loads dropped DLL 16 IoCs

Processes:

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exemsdcsc.exeWerFault.exe

pid	process
1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
304	msdcsc.exe
304	msdcsc.exe
304	msdcsc.exe
304	msdcsc.exe
304	msdcsc.exe
836	WerFault.exe
836	WerFault.exe
836	WerFault.exe
836	WerFault.exe
836	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\Documents\MSDCSC\msdcsc.exe	autoit_exe
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe	autoit_exe
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe	autoit_exe
\Users\Admin\Documents\MSDCSC\msdcsc.exe	autoit_exe
\Users\Admin\Documents\MSDCSC\msdcsc.exe	autoit_exe
\Users\Admin\Documents\MSDCSC\msdcsc.exe	autoit_exe
\Users\Admin\Documents\MSDCSC\msdcsc.exe	autoit_exe
\Users\Admin\Documents\MSDCSC\msdcsc.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe

description	pid	process	target process
PID 1340 set thread context of 1320	1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

836 304 WerFault.exe msdcsc.exe

pid	pid_target	process	target process
836	304	WerFault.exe	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeSecurityPrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeTakeOwnershipPrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeLoadDriverPrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeSystemProfilePrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeSystemtimePrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeProfSingleProcessPrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeIncBasePriorityPrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeCreatePagefilePrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeBackupPrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeRestorePrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeShutdownPrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeDebugPrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeSystemEnvironmentPrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeChangeNotifyPrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeRemoteShutdownPrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeUndockPrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeManageVolumePrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeImpersonatePrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeCreateGlobalPrivilege	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: 33	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: 34	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: 35	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.execmd.execmd.exemsdcsc.exe

description	pid	process	target process
PID 1340 wrote to memory of 1692	1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	bnd.exe
PID 1340 wrote to memory of 1692	1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	bnd.exe
PID 1340 wrote to memory of 1692	1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	bnd.exe
PID 1340 wrote to memory of 1692	1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	bnd.exe
PID 1340 wrote to memory of 1320	1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 1340 wrote to memory of 1320	1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 1340 wrote to memory of 1320	1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 1340 wrote to memory of 1320	1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 1340 wrote to memory of 1320	1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 1340 wrote to memory of 1320	1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 1340 wrote to memory of 1320	1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 1340 wrote to memory of 1320	1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 1340 wrote to memory of 1320	1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 1340 wrote to memory of 1320	1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 1340 wrote to memory of 1320	1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 1340 wrote to memory of 1320	1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 1340 wrote to memory of 1320	1340	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 1320 wrote to memory of 792	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	cmd.exe
PID 1320 wrote to memory of 792	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	cmd.exe
PID 1320 wrote to memory of 792	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	cmd.exe
PID 1320 wrote to memory of 792	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	cmd.exe
PID 1320 wrote to memory of 752	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	cmd.exe
PID 1320 wrote to memory of 752	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	cmd.exe
PID 1320 wrote to memory of 752	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	cmd.exe
PID 1320 wrote to memory of 752	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	cmd.exe
PID 1320 wrote to memory of 1780	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1320 wrote to memory of 1780	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1320 wrote to memory of 1780	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1320 wrote to memory of 1780	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 792 wrote to memory of 384	792	cmd.exe	attrib.exe
PID 792 wrote to memory of 384	792	cmd.exe	attrib.exe
PID 792 wrote to memory of 384	792	cmd.exe	attrib.exe
PID 792 wrote to memory of 384	792	cmd.exe	attrib.exe
PID 1320 wrote to memory of 1780	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1320 wrote to memory of 1780	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1320 wrote to memory of 1780	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1320 wrote to memory of 1780	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1320 wrote to memory of 1780	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1320 wrote to memory of 1780	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1320 wrote to memory of 1780	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1320 wrote to memory of 1780	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1320 wrote to memory of 1780	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1320 wrote to memory of 1780	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1320 wrote to memory of 1780	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1320 wrote to memory of 1780	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1320 wrote to memory of 1780	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1320 wrote to memory of 1780	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 752 wrote to memory of 532	752	cmd.exe	attrib.exe
PID 752 wrote to memory of 532	752	cmd.exe	attrib.exe
PID 752 wrote to memory of 532	752	cmd.exe	attrib.exe
PID 752 wrote to memory of 532	752	cmd.exe	attrib.exe
PID 1320 wrote to memory of 304	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	msdcsc.exe
PID 1320 wrote to memory of 304	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	msdcsc.exe
PID 1320 wrote to memory of 304	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	msdcsc.exe
PID 1320 wrote to memory of 304	1320	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	msdcsc.exe
PID 304 wrote to memory of 1092	304	msdcsc.exe	bnd.exe
PID 304 wrote to memory of 1092	304	msdcsc.exe	bnd.exe
PID 304 wrote to memory of 1092	304	msdcsc.exe	bnd.exe
PID 304 wrote to memory of 1092	304	msdcsc.exe	bnd.exe
PID 304 wrote to memory of 836	304	msdcsc.exe	WerFault.exe
PID 304 wrote to memory of 836	304	msdcsc.exe	WerFault.exe
PID 304 wrote to memory of 836	304	msdcsc.exe	WerFault.exe
PID 304 wrote to memory of 836	304	msdcsc.exe	WerFault.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

532 attrib.exe
384 attrib.exe

pid	process
532	attrib.exe
384	attrib.exe

C:\Users\Admin\AppData\Local\Temp\53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
"C:\Users\Admin\AppData\Local\Temp\53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Temp\bnd.exe
"C:\Users\Admin\AppData\Local\Temp\bnd.exe"
2⤵
- Executes dropped EXE
PID:1692

C:\Users\Admin\AppData\Local\Temp\53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
"C:\Users\Admin\AppData\Local\Temp\53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:532

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
- Deletes itself
PID:1780

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:304

C:\Users\Admin\AppData\Local\Temp\bnd.exe
"C:\Users\Admin\AppData\Local\Temp\bnd.exe"
4⤵
- Executes dropped EXE
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 304 -s 376
4⤵
- Loads dropped DLL
- Program crash
PID:836

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bnd.exe
Filesize
199KB

MD5
59cb3eb306b317261d85b4d0bd5eb432

SHA1
31c11cf8b4e8c65287e7a246ec691c9d044a22ca

SHA256
9e5b15cce11d51b0157c84a720932e30fc5e1dd1b76ca86dd65fe2fa9028c19d

SHA512
ed5b1acb320f395ac966dd456e8ff4668413283bb1c6dc4d7086c1f8cc1e244ffcbd1f356987e9b1d9c6d9f1123ffdba80a226f2ff7351dbbea714bf9a59ea36

Download Submit
C:\Users\Admin\AppData\Local\Temp\bnd.exe
Filesize
199KB

MD5
59cb3eb306b317261d85b4d0bd5eb432

SHA1
31c11cf8b4e8c65287e7a246ec691c9d044a22ca

SHA256
9e5b15cce11d51b0157c84a720932e30fc5e1dd1b76ca86dd65fe2fa9028c19d

SHA512
ed5b1acb320f395ac966dd456e8ff4668413283bb1c6dc4d7086c1f8cc1e244ffcbd1f356987e9b1d9c6d9f1123ffdba80a226f2ff7351dbbea714bf9a59ea36

Download Submit
C:\Users\Admin\AppData\Local\Temp\bnd.exe
Filesize
199KB

MD5
59cb3eb306b317261d85b4d0bd5eb432

SHA1
31c11cf8b4e8c65287e7a246ec691c9d044a22ca

SHA256
9e5b15cce11d51b0157c84a720932e30fc5e1dd1b76ca86dd65fe2fa9028c19d

SHA512
ed5b1acb320f395ac966dd456e8ff4668413283bb1c6dc4d7086c1f8cc1e244ffcbd1f356987e9b1d9c6d9f1123ffdba80a226f2ff7351dbbea714bf9a59ea36

Download Submit
C:\Users\Admin\AppData\Local\Temp\sse.png
Filesize
659KB

MD5
506319032d04373381f748aa2af026f8

SHA1
a0822f9afd1d1feeb3240d0e7414ec3f76d4c704

SHA256
8834285f04a20ce9bd17e1e6c69250c7b14ad1d217fa77f510a11084396a6077

SHA512
2d89e307151241f325bd2677ece48072e679be93945cb31db194fae64a31e25ff11e32c698d87dc68b5885f0dc8ae17fde09312ffef0252364721eb50f705010

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.5MB

MD5
b85bd40c70b5913df16cac41feae9949

SHA1
88139dbe95928614ab375ef0e3257a925dff0bb7

SHA256
53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd

SHA512
4c57449a1afe32959c5b9760ad065392e4e0b29f3f2323202b4649393a764b71dff03af9aa02a7154f0c24e1855b97eb1b32994aa2b692f0844bd29a1d63535d

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.5MB

MD5
b85bd40c70b5913df16cac41feae9949

SHA1
88139dbe95928614ab375ef0e3257a925dff0bb7

SHA256
53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd

SHA512
4c57449a1afe32959c5b9760ad065392e4e0b29f3f2323202b4649393a764b71dff03af9aa02a7154f0c24e1855b97eb1b32994aa2b692f0844bd29a1d63535d

Download Submit
\Users\Admin\AppData\Local\Temp\bnd.exe
Filesize
199KB

MD5
59cb3eb306b317261d85b4d0bd5eb432

SHA1
31c11cf8b4e8c65287e7a246ec691c9d044a22ca

SHA256
9e5b15cce11d51b0157c84a720932e30fc5e1dd1b76ca86dd65fe2fa9028c19d

SHA512
ed5b1acb320f395ac966dd456e8ff4668413283bb1c6dc4d7086c1f8cc1e244ffcbd1f356987e9b1d9c6d9f1123ffdba80a226f2ff7351dbbea714bf9a59ea36

Download Submit
\Users\Admin\AppData\Local\Temp\bnd.exe
Filesize
199KB

MD5
59cb3eb306b317261d85b4d0bd5eb432

SHA1
31c11cf8b4e8c65287e7a246ec691c9d044a22ca

SHA256
9e5b15cce11d51b0157c84a720932e30fc5e1dd1b76ca86dd65fe2fa9028c19d

SHA512
ed5b1acb320f395ac966dd456e8ff4668413283bb1c6dc4d7086c1f8cc1e244ffcbd1f356987e9b1d9c6d9f1123ffdba80a226f2ff7351dbbea714bf9a59ea36

Download Submit
\Users\Admin\AppData\Local\Temp\bnd.exe
Filesize
199KB

MD5
59cb3eb306b317261d85b4d0bd5eb432

SHA1
31c11cf8b4e8c65287e7a246ec691c9d044a22ca

SHA256
9e5b15cce11d51b0157c84a720932e30fc5e1dd1b76ca86dd65fe2fa9028c19d

SHA512
ed5b1acb320f395ac966dd456e8ff4668413283bb1c6dc4d7086c1f8cc1e244ffcbd1f356987e9b1d9c6d9f1123ffdba80a226f2ff7351dbbea714bf9a59ea36

Download Submit
\Users\Admin\AppData\Local\Temp\bnd.exe
Filesize
199KB

MD5
59cb3eb306b317261d85b4d0bd5eb432

SHA1
31c11cf8b4e8c65287e7a246ec691c9d044a22ca

SHA256
9e5b15cce11d51b0157c84a720932e30fc5e1dd1b76ca86dd65fe2fa9028c19d

SHA512
ed5b1acb320f395ac966dd456e8ff4668413283bb1c6dc4d7086c1f8cc1e244ffcbd1f356987e9b1d9c6d9f1123ffdba80a226f2ff7351dbbea714bf9a59ea36

Download Submit
\Users\Admin\AppData\Local\Temp\bnd.exe
Filesize
199KB

MD5
59cb3eb306b317261d85b4d0bd5eb432

SHA1
31c11cf8b4e8c65287e7a246ec691c9d044a22ca

SHA256
9e5b15cce11d51b0157c84a720932e30fc5e1dd1b76ca86dd65fe2fa9028c19d

SHA512
ed5b1acb320f395ac966dd456e8ff4668413283bb1c6dc4d7086c1f8cc1e244ffcbd1f356987e9b1d9c6d9f1123ffdba80a226f2ff7351dbbea714bf9a59ea36

Download Submit
\Users\Admin\AppData\Local\Temp\bnd.exe
Filesize
199KB

MD5
59cb3eb306b317261d85b4d0bd5eb432

SHA1
31c11cf8b4e8c65287e7a246ec691c9d044a22ca

SHA256
9e5b15cce11d51b0157c84a720932e30fc5e1dd1b76ca86dd65fe2fa9028c19d

SHA512
ed5b1acb320f395ac966dd456e8ff4668413283bb1c6dc4d7086c1f8cc1e244ffcbd1f356987e9b1d9c6d9f1123ffdba80a226f2ff7351dbbea714bf9a59ea36

Download Submit
\Users\Admin\AppData\Local\Temp\bnd.exe
Filesize
199KB

MD5
59cb3eb306b317261d85b4d0bd5eb432

SHA1
31c11cf8b4e8c65287e7a246ec691c9d044a22ca

SHA256
9e5b15cce11d51b0157c84a720932e30fc5e1dd1b76ca86dd65fe2fa9028c19d

SHA512
ed5b1acb320f395ac966dd456e8ff4668413283bb1c6dc4d7086c1f8cc1e244ffcbd1f356987e9b1d9c6d9f1123ffdba80a226f2ff7351dbbea714bf9a59ea36

Download Submit
\Users\Admin\AppData\Local\Temp\bnd.exe
Filesize
199KB

MD5
59cb3eb306b317261d85b4d0bd5eb432

SHA1
31c11cf8b4e8c65287e7a246ec691c9d044a22ca

SHA256
9e5b15cce11d51b0157c84a720932e30fc5e1dd1b76ca86dd65fe2fa9028c19d

SHA512
ed5b1acb320f395ac966dd456e8ff4668413283bb1c6dc4d7086c1f8cc1e244ffcbd1f356987e9b1d9c6d9f1123ffdba80a226f2ff7351dbbea714bf9a59ea36

Download Submit
\Users\Admin\AppData\Local\Temp\bnd.exe
Filesize
199KB

MD5
59cb3eb306b317261d85b4d0bd5eb432

SHA1
31c11cf8b4e8c65287e7a246ec691c9d044a22ca

SHA256
9e5b15cce11d51b0157c84a720932e30fc5e1dd1b76ca86dd65fe2fa9028c19d

SHA512
ed5b1acb320f395ac966dd456e8ff4668413283bb1c6dc4d7086c1f8cc1e244ffcbd1f356987e9b1d9c6d9f1123ffdba80a226f2ff7351dbbea714bf9a59ea36

Download Submit
\Users\Admin\AppData\Local\Temp\bnd.exe
Filesize
199KB

MD5
59cb3eb306b317261d85b4d0bd5eb432

SHA1
31c11cf8b4e8c65287e7a246ec691c9d044a22ca

SHA256
9e5b15cce11d51b0157c84a720932e30fc5e1dd1b76ca86dd65fe2fa9028c19d

SHA512
ed5b1acb320f395ac966dd456e8ff4668413283bb1c6dc4d7086c1f8cc1e244ffcbd1f356987e9b1d9c6d9f1123ffdba80a226f2ff7351dbbea714bf9a59ea36

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.5MB

MD5
b85bd40c70b5913df16cac41feae9949

SHA1
88139dbe95928614ab375ef0e3257a925dff0bb7

SHA256
53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd

SHA512
4c57449a1afe32959c5b9760ad065392e4e0b29f3f2323202b4649393a764b71dff03af9aa02a7154f0c24e1855b97eb1b32994aa2b692f0844bd29a1d63535d

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.5MB

MD5
b85bd40c70b5913df16cac41feae9949

SHA1
88139dbe95928614ab375ef0e3257a925dff0bb7

SHA256
53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd

SHA512
4c57449a1afe32959c5b9760ad065392e4e0b29f3f2323202b4649393a764b71dff03af9aa02a7154f0c24e1855b97eb1b32994aa2b692f0844bd29a1d63535d

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.5MB

MD5
b85bd40c70b5913df16cac41feae9949

SHA1
88139dbe95928614ab375ef0e3257a925dff0bb7

SHA256
53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd

SHA512
4c57449a1afe32959c5b9760ad065392e4e0b29f3f2323202b4649393a764b71dff03af9aa02a7154f0c24e1855b97eb1b32994aa2b692f0844bd29a1d63535d

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.5MB

MD5
b85bd40c70b5913df16cac41feae9949

SHA1
88139dbe95928614ab375ef0e3257a925dff0bb7

SHA256
53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd

SHA512
4c57449a1afe32959c5b9760ad065392e4e0b29f3f2323202b4649393a764b71dff03af9aa02a7154f0c24e1855b97eb1b32994aa2b692f0844bd29a1d63535d

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.5MB

MD5
b85bd40c70b5913df16cac41feae9949

SHA1
88139dbe95928614ab375ef0e3257a925dff0bb7

SHA256
53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd

SHA512
4c57449a1afe32959c5b9760ad065392e4e0b29f3f2323202b4649393a764b71dff03af9aa02a7154f0c24e1855b97eb1b32994aa2b692f0844bd29a1d63535d

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.5MB

MD5
b85bd40c70b5913df16cac41feae9949

SHA1
88139dbe95928614ab375ef0e3257a925dff0bb7

SHA256
53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd

SHA512
4c57449a1afe32959c5b9760ad065392e4e0b29f3f2323202b4649393a764b71dff03af9aa02a7154f0c24e1855b97eb1b32994aa2b692f0844bd29a1d63535d

Download Submit
memory/304-92-0x0000000000000000-mapping.dmp

Download
memory/384-88-0x0000000000000000-mapping.dmp

Download
memory/532-90-0x0000000000000000-mapping.dmp

Download
memory/752-85-0x0000000000000000-mapping.dmp

Download
memory/792-84-0x0000000000000000-mapping.dmp

Download
memory/836-107-0x0000000000000000-mapping.dmp

Download
memory/1092-112-0x0000000004AC5000-0x0000000004AD6000-memory.dmp

Filesize
68KB

Download
memory/1092-103-0x0000000000000000-mapping.dmp

Download
memory/1320-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1320-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1320-96-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1320-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1320-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1320-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1320-80-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1320-79-0x000000000048F888-mapping.dmp

Download
memory/1320-78-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1320-87-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1320-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1320-74-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1320-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1320-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1340-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1692-97-0x0000000004D95000-0x0000000004DA6000-memory.dmp

Filesize
68KB

Download
memory/1692-63-0x0000000000110000-0x000000000014A000-memory.dmp

Filesize
232KB

Download
memory/1692-60-0x0000000000000000-mapping.dmp

Download
memory/1780-86-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads