darkcomet | 53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd

General

Target

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Size

2.5MB
MD5

b85bd40c70b5913df16cac41feae9949
SHA1

88139dbe95928614ab375ef0e3257a925dff0bb7
SHA256

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd
SHA512

4c57449a1afe32959c5b9760ad065392e4e0b29f3f2323202b4649393a764b71dff03af9aa02a7154f0c24e1855b97eb1b32994aa2b692f0844bd29a1d63535d
SSDEEP

49152:7JZoQrbTFZY1iaJag33A46NOBLtCaW/sXdkWQe9D+nwOWYcu2I7RTp/PwWUlLmY6:7trbTA19as3l8OBL+I7D+nwcP3tY6

Score

10^/10

darkcomet victime evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Victime

C2

shytoos.ddns.net:1604

Mutex

DC_MUTEX-Z8X4H3R

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
JJ52hfcLdTnD
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

msdcsc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe

Executes dropped EXE 4 IoCs

Processes:

bnd.exemsdcsc.exebnd.exemsdcsc.exe

pid process

4656 bnd.exe
3548 msdcsc.exe
960 bnd.exe
720 msdcsc.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

3792 attrib.exe
2148 attrib.exe

pid	process
4656	bnd.exe
3548	msdcsc.exe
960	bnd.exe
720	msdcsc.exe

pid	process
3792	attrib.exe
2148	attrib.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exemsdcsc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	msdcsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe	autoit_exe
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe	autoit_exe
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exemsdcsc.exe

description	pid	process	target process
PID 2412 set thread context of 1284	2412	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 3548 set thread context of 720	3548	msdcsc.exe	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeSecurityPrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeTakeOwnershipPrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeLoadDriverPrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeSystemProfilePrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeSystemtimePrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeProfSingleProcessPrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeIncBasePriorityPrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeCreatePagefilePrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeBackupPrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeRestorePrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeShutdownPrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeDebugPrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeSystemEnvironmentPrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeChangeNotifyPrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeRemoteShutdownPrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeUndockPrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeManageVolumePrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeImpersonatePrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeCreateGlobalPrivilege	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: 33	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: 34	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: 35	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: 36	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
Token: SeIncreaseQuotaPrivilege	720	msdcsc.exe
Token: SeSecurityPrivilege	720	msdcsc.exe
Token: SeTakeOwnershipPrivilege	720	msdcsc.exe
Token: SeLoadDriverPrivilege	720	msdcsc.exe
Token: SeSystemProfilePrivilege	720	msdcsc.exe
Token: SeSystemtimePrivilege	720	msdcsc.exe
Token: SeProfSingleProcessPrivilege	720	msdcsc.exe
Token: SeIncBasePriorityPrivilege	720	msdcsc.exe
Token: SeCreatePagefilePrivilege	720	msdcsc.exe
Token: SeBackupPrivilege	720	msdcsc.exe
Token: SeRestorePrivilege	720	msdcsc.exe
Token: SeShutdownPrivilege	720	msdcsc.exe
Token: SeDebugPrivilege	720	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	720	msdcsc.exe
Token: SeChangeNotifyPrivilege	720	msdcsc.exe
Token: SeRemoteShutdownPrivilege	720	msdcsc.exe
Token: SeUndockPrivilege	720	msdcsc.exe
Token: SeManageVolumePrivilege	720	msdcsc.exe
Token: SeImpersonatePrivilege	720	msdcsc.exe
Token: SeCreateGlobalPrivilege	720	msdcsc.exe
Token: 33	720	msdcsc.exe
Token: 34	720	msdcsc.exe
Token: 35	720	msdcsc.exe
Token: 36	720	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

720 msdcsc.exe

pid	process
720	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.execmd.execmd.exemsdcsc.exe

description	pid	process	target process
PID 2412 wrote to memory of 4656	2412	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	bnd.exe
PID 2412 wrote to memory of 4656	2412	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	bnd.exe
PID 2412 wrote to memory of 4656	2412	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	bnd.exe
PID 2412 wrote to memory of 1284	2412	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 2412 wrote to memory of 1284	2412	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 2412 wrote to memory of 1284	2412	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 2412 wrote to memory of 1284	2412	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 2412 wrote to memory of 1284	2412	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 2412 wrote to memory of 1284	2412	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 2412 wrote to memory of 1284	2412	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 2412 wrote to memory of 1284	2412	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 2412 wrote to memory of 1284	2412	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 2412 wrote to memory of 1284	2412	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 2412 wrote to memory of 1284	2412	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 2412 wrote to memory of 1284	2412	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 2412 wrote to memory of 1284	2412	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 2412 wrote to memory of 1284	2412	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
PID 1284 wrote to memory of 236	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	cmd.exe
PID 1284 wrote to memory of 236	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	cmd.exe
PID 1284 wrote to memory of 236	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	cmd.exe
PID 1284 wrote to memory of 220	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	cmd.exe
PID 1284 wrote to memory of 220	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	cmd.exe
PID 1284 wrote to memory of 220	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	cmd.exe
PID 1284 wrote to memory of 364	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1284 wrote to memory of 364	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1284 wrote to memory of 364	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1284 wrote to memory of 364	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1284 wrote to memory of 364	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1284 wrote to memory of 364	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1284 wrote to memory of 364	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1284 wrote to memory of 364	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1284 wrote to memory of 364	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1284 wrote to memory of 364	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1284 wrote to memory of 364	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1284 wrote to memory of 364	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1284 wrote to memory of 364	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1284 wrote to memory of 364	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1284 wrote to memory of 364	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1284 wrote to memory of 364	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 1284 wrote to memory of 364	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	notepad.exe
PID 236 wrote to memory of 3792	236	cmd.exe	attrib.exe
PID 236 wrote to memory of 3792	236	cmd.exe	attrib.exe
PID 236 wrote to memory of 3792	236	cmd.exe	attrib.exe
PID 220 wrote to memory of 2148	220	cmd.exe	attrib.exe
PID 220 wrote to memory of 2148	220	cmd.exe	attrib.exe
PID 220 wrote to memory of 2148	220	cmd.exe	attrib.exe
PID 1284 wrote to memory of 3548	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	msdcsc.exe
PID 1284 wrote to memory of 3548	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	msdcsc.exe
PID 1284 wrote to memory of 3548	1284	53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe	msdcsc.exe
PID 3548 wrote to memory of 960	3548	msdcsc.exe	bnd.exe
PID 3548 wrote to memory of 960	3548	msdcsc.exe	bnd.exe
PID 3548 wrote to memory of 960	3548	msdcsc.exe	bnd.exe
PID 3548 wrote to memory of 720	3548	msdcsc.exe	msdcsc.exe
PID 3548 wrote to memory of 720	3548	msdcsc.exe	msdcsc.exe
PID 3548 wrote to memory of 720	3548	msdcsc.exe	msdcsc.exe
PID 3548 wrote to memory of 720	3548	msdcsc.exe	msdcsc.exe
PID 3548 wrote to memory of 720	3548	msdcsc.exe	msdcsc.exe
PID 3548 wrote to memory of 720	3548	msdcsc.exe	msdcsc.exe
PID 3548 wrote to memory of 720	3548	msdcsc.exe	msdcsc.exe
PID 3548 wrote to memory of 720	3548	msdcsc.exe	msdcsc.exe
PID 3548 wrote to memory of 720	3548	msdcsc.exe	msdcsc.exe
PID 3548 wrote to memory of 720	3548	msdcsc.exe	msdcsc.exe
PID 3548 wrote to memory of 720	3548	msdcsc.exe	msdcsc.exe
PID 3548 wrote to memory of 720	3548	msdcsc.exe	msdcsc.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

3792 attrib.exe
2148 attrib.exe

pid	process
3792	attrib.exe
2148	attrib.exe

C:\Users\Admin\AppData\Local\Temp\53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
"C:\Users\Admin\AppData\Local\Temp\53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2412

C:\Users\Admin\AppData\Local\Temp\bnd.exe
"C:\Users\Admin\AppData\Local\Temp\bnd.exe"
2⤵
- Executes dropped EXE
PID:4656

C:\Users\Admin\AppData\Local\Temp\53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe
"C:\Users\Admin\AppData\Local\Temp\53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe"
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:236

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2148

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:364

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3548

C:\Users\Admin\AppData\Local\Temp\bnd.exe
"C:\Users\Admin\AppData\Local\Temp\bnd.exe"
4⤵
- Executes dropped EXE
PID:960

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
4⤵
- Modifies firewall policy service
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:720

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:2948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

1

T1031

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bnd.exe
Filesize
199KB

MD5
59cb3eb306b317261d85b4d0bd5eb432

SHA1
31c11cf8b4e8c65287e7a246ec691c9d044a22ca

SHA256
9e5b15cce11d51b0157c84a720932e30fc5e1dd1b76ca86dd65fe2fa9028c19d

SHA512
ed5b1acb320f395ac966dd456e8ff4668413283bb1c6dc4d7086c1f8cc1e244ffcbd1f356987e9b1d9c6d9f1123ffdba80a226f2ff7351dbbea714bf9a59ea36

Download Submit
C:\Users\Admin\AppData\Local\Temp\bnd.exe
Filesize
199KB

MD5
59cb3eb306b317261d85b4d0bd5eb432

SHA1
31c11cf8b4e8c65287e7a246ec691c9d044a22ca

SHA256
9e5b15cce11d51b0157c84a720932e30fc5e1dd1b76ca86dd65fe2fa9028c19d

SHA512
ed5b1acb320f395ac966dd456e8ff4668413283bb1c6dc4d7086c1f8cc1e244ffcbd1f356987e9b1d9c6d9f1123ffdba80a226f2ff7351dbbea714bf9a59ea36

Download Submit
C:\Users\Admin\AppData\Local\Temp\bnd.exe
Filesize
199KB

MD5
59cb3eb306b317261d85b4d0bd5eb432

SHA1
31c11cf8b4e8c65287e7a246ec691c9d044a22ca

SHA256
9e5b15cce11d51b0157c84a720932e30fc5e1dd1b76ca86dd65fe2fa9028c19d

SHA512
ed5b1acb320f395ac966dd456e8ff4668413283bb1c6dc4d7086c1f8cc1e244ffcbd1f356987e9b1d9c6d9f1123ffdba80a226f2ff7351dbbea714bf9a59ea36

Download Submit
C:\Users\Admin\AppData\Local\Temp\sse.png
Filesize
659KB

MD5
506319032d04373381f748aa2af026f8

SHA1
a0822f9afd1d1feeb3240d0e7414ec3f76d4c704

SHA256
8834285f04a20ce9bd17e1e6c69250c7b14ad1d217fa77f510a11084396a6077

SHA512
2d89e307151241f325bd2677ece48072e679be93945cb31db194fae64a31e25ff11e32c698d87dc68b5885f0dc8ae17fde09312ffef0252364721eb50f705010

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.5MB

MD5
b85bd40c70b5913df16cac41feae9949

SHA1
88139dbe95928614ab375ef0e3257a925dff0bb7

SHA256
53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd

SHA512
4c57449a1afe32959c5b9760ad065392e4e0b29f3f2323202b4649393a764b71dff03af9aa02a7154f0c24e1855b97eb1b32994aa2b692f0844bd29a1d63535d

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.5MB

MD5
b85bd40c70b5913df16cac41feae9949

SHA1
88139dbe95928614ab375ef0e3257a925dff0bb7

SHA256
53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd

SHA512
4c57449a1afe32959c5b9760ad065392e4e0b29f3f2323202b4649393a764b71dff03af9aa02a7154f0c24e1855b97eb1b32994aa2b692f0844bd29a1d63535d

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.5MB

MD5
b85bd40c70b5913df16cac41feae9949

SHA1
88139dbe95928614ab375ef0e3257a925dff0bb7

SHA256
53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd

SHA512
4c57449a1afe32959c5b9760ad065392e4e0b29f3f2323202b4649393a764b71dff03af9aa02a7154f0c24e1855b97eb1b32994aa2b692f0844bd29a1d63535d

Download Submit
memory/220-146-0x0000000000000000-mapping.dmp

Download
memory/236-145-0x0000000000000000-mapping.dmp

Download
memory/364-147-0x0000000000000000-mapping.dmp

Download
memory/720-157-0x0000000000000000-mapping.dmp

Download
memory/720-161-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/720-164-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/720-163-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/960-154-0x0000000000000000-mapping.dmp

Download
memory/1284-144-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1284-149-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1284-141-0x0000000000000000-mapping.dmp

Download
memory/1284-143-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1284-142-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2148-150-0x0000000000000000-mapping.dmp

Download
memory/2948-162-0x0000000000000000-mapping.dmp

Download
memory/3548-151-0x0000000000000000-mapping.dmp

Download
memory/3792-148-0x0000000000000000-mapping.dmp

Download
memory/4656-136-0x00000000056F0000-0x000000000578C000-memory.dmp

Filesize
624KB

Download
memory/4656-137-0x0000000005D40000-0x00000000062E4000-memory.dmp

Filesize
5.6MB

Download
memory/4656-138-0x0000000005830000-0x00000000058C2000-memory.dmp

Filesize
584KB

Download
memory/4656-135-0x0000000000D40000-0x0000000000D7A000-memory.dmp

Filesize
232KB

Download
memory/4656-139-0x00000000057B0000-0x00000000057BA000-memory.dmp

Filesize
40KB

Download
memory/4656-132-0x0000000000000000-mapping.dmp

Download
memory/4656-140-0x00000000059C0000-0x0000000005A16000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads