darkcomet | a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac

General

Target

a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Size

784KB
MD5

0d564e476fc7812db303da40e79697d0
SHA1

9b9ae661a250966a18e72ad98abf3d6e0e0d1e8b
SHA256

a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac
SHA512

98a1747d2688cfeed81e4cfb461b7b4a55cd4943afa81169c8341f98c06846615c95dad82bd1d48f2434230c83faac6ea13f7bacafffcf9aca264ed25da84c4f
SSDEEP

12288:4cW7KEZlPzCy37/J1lrOfUkKlKVWetkuk2QOXAdn8/b5ZdKebJ:0KiRzC01dtIVWetkuk9Owdn8lO

Score

10^/10

darkcomet guest16 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

192.168.30.128:1604

Mutex

DC_MUTEX-888FBA9

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
p5UHrgxwHf0b
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

3768 msdcsc.exe

pid	process
3768	msdcsc.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4264-132-0x0000000000400000-0x0000000000559000-memory.dmp	upx
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx
behavioral2/memory/3768-137-0x0000000000400000-0x0000000000559000-memory.dmp	upx
behavioral2/memory/4264-138-0x0000000000400000-0x0000000000559000-memory.dmp	upx
behavioral2/memory/3768-142-0x0000000000400000-0x0000000000559000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

AcroRd32.exe

pid	process
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeSecurityPrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeTakeOwnershipPrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeLoadDriverPrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeSystemProfilePrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeSystemtimePrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeProfSingleProcessPrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeIncBasePriorityPrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeCreatePagefilePrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeBackupPrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeRestorePrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeShutdownPrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeDebugPrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeSystemEnvironmentPrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeChangeNotifyPrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeRemoteShutdownPrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeUndockPrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeManageVolumePrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeImpersonatePrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeCreateGlobalPrivilege	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: 33	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: 34	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: 35	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: 36	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
Token: SeIncreaseQuotaPrivilege	3768	msdcsc.exe
Token: SeSecurityPrivilege	3768	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3768	msdcsc.exe
Token: SeLoadDriverPrivilege	3768	msdcsc.exe
Token: SeSystemProfilePrivilege	3768	msdcsc.exe
Token: SeSystemtimePrivilege	3768	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3768	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3768	msdcsc.exe
Token: SeCreatePagefilePrivilege	3768	msdcsc.exe
Token: SeBackupPrivilege	3768	msdcsc.exe
Token: SeRestorePrivilege	3768	msdcsc.exe
Token: SeShutdownPrivilege	3768	msdcsc.exe
Token: SeDebugPrivilege	3768	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3768	msdcsc.exe
Token: SeChangeNotifyPrivilege	3768	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3768	msdcsc.exe
Token: SeUndockPrivilege	3768	msdcsc.exe
Token: SeManageVolumePrivilege	3768	msdcsc.exe
Token: SeImpersonatePrivilege	3768	msdcsc.exe
Token: SeCreateGlobalPrivilege	3768	msdcsc.exe
Token: 33	3768	msdcsc.exe
Token: 34	3768	msdcsc.exe
Token: 35	3768	msdcsc.exe
Token: 36	3768	msdcsc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3756 AcroRd32.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

msdcsc.exeAcroRd32.exe

pid process

3768 msdcsc.exe
3756 AcroRd32.exe
3756 AcroRd32.exe
3756 AcroRd32.exe
3756 AcroRd32.exe
3756 AcroRd32.exe
3756 AcroRd32.exe

pid	process
3768	msdcsc.exe
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe
3756	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4264 wrote to memory of 3756	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe	AcroRd32.exe
PID 4264 wrote to memory of 3756	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe	AcroRd32.exe
PID 4264 wrote to memory of 3756	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe	AcroRd32.exe
PID 4264 wrote to memory of 3768	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe	msdcsc.exe
PID 4264 wrote to memory of 3768	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe	msdcsc.exe
PID 4264 wrote to memory of 3768	4264	a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe	msdcsc.exe
PID 3756 wrote to memory of 3040	3756	AcroRd32.exe	RdrCEF.exe
PID 3756 wrote to memory of 3040	3756	AcroRd32.exe	RdrCEF.exe
PID 3756 wrote to memory of 3040	3756	AcroRd32.exe	RdrCEF.exe
PID 3756 wrote to memory of 3196	3756	AcroRd32.exe	RdrCEF.exe
PID 3756 wrote to memory of 3196	3756	AcroRd32.exe	RdrCEF.exe
PID 3756 wrote to memory of 3196	3756	AcroRd32.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 3508	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 2708	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 2708	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 2708	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 2708	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 2708	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 2708	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 2708	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 2708	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 2708	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 2708	3040	RdrCEF.exe	RdrCEF.exe
PID 3040 wrote to memory of 2708	3040	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe
"C:\Users\Admin\AppData\Local\Temp\a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\LABORATORIO MODULO 2 INFORMATION GATHERING.PDF"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3756

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:3040

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1D25D30F5A33BD0EC714DAF26FFB2795 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3508

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8F5B414A37AF432C6A5CC297A87E5F5A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8F5B414A37AF432C6A5CC297A87E5F5A --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
4⤵
PID:2708

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CA6FD45996DF72F7949A53A738A29CDE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CA6FD45996DF72F7949A53A738A29CDE --renderer-client-id=4 --mojo-platform-channel-handle=2180 --allow-no-sandbox-job /prefetch:1
4⤵
PID:4352

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E5CEACAF3E45D28D88689E81E871C4BE --mojo-platform-channel-handle=1812 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4308

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6580838B51FEA8B4FC6C2A4243438414 --mojo-platform-channel-handle=2684 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2320

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D6AECC217511156FF73669E0B1E39846 --mojo-platform-channel-handle=2664 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1896

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:3196

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LABORATORIO MODULO 2 INFORMATION GATHERING.PDF
Filesize
450KB

MD5
444a1cbd3faa9c90d236295b0650e289

SHA1
e6f6869dd333b41dcc02268ca92e08ad3df3987e

SHA256
c483b276ae3bf9d48183e20a16675074884af61d0a684fdc71be9c74be50864d

SHA512
b0e4eb5dbc22bfabb7e4f3fe2c1ae0d74d98fc6054975172848d936c37070a32e222c37718c5671ea423a1c57c298054d218844f5d84b31f67e1ad7b249f3f1c

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
784KB

MD5
0d564e476fc7812db303da40e79697d0

SHA1
9b9ae661a250966a18e72ad98abf3d6e0e0d1e8b

SHA256
a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac

SHA512
98a1747d2688cfeed81e4cfb461b7b4a55cd4943afa81169c8341f98c06846615c95dad82bd1d48f2434230c83faac6ea13f7bacafffcf9aca264ed25da84c4f

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
784KB

MD5
0d564e476fc7812db303da40e79697d0

SHA1
9b9ae661a250966a18e72ad98abf3d6e0e0d1e8b

SHA256
a79f889518c35f593e27b1eab59a066fe953196cddc0b9ac4114d966e3b596ac

SHA512
98a1747d2688cfeed81e4cfb461b7b4a55cd4943afa81169c8341f98c06846615c95dad82bd1d48f2434230c83faac6ea13f7bacafffcf9aca264ed25da84c4f

Download Submit
memory/1896-163-0x0000000000000000-mapping.dmp

Download
memory/2320-160-0x0000000000000000-mapping.dmp

Download
memory/2708-147-0x0000000000000000-mapping.dmp

Download
memory/3040-140-0x0000000000000000-mapping.dmp

Download
memory/3196-141-0x0000000000000000-mapping.dmp

Download
memory/3508-144-0x0000000000000000-mapping.dmp

Download
memory/3756-133-0x0000000000000000-mapping.dmp

Download
memory/3768-137-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3768-142-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3768-134-0x0000000000000000-mapping.dmp

Download
memory/4264-138-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4264-132-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4308-157-0x0000000000000000-mapping.dmp

Download
memory/4352-152-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads