darkcomet | 8f130ed18524730bdeab3cb340518acddaa6fb8ed2947bcbf902b2b94b2cdb69

Analysis

max time kernel
146s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-02-2023 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A1DB2DK7S9.CNT.exe
Size

2.1MB
MD5

9cb1667d78bac6997eefe37a44397558
SHA1

992651316c65ac2f6e0bd301543bea6c6cc507b1
SHA256

8f130ed18524730bdeab3cb340518acddaa6fb8ed2947bcbf902b2b94b2cdb69
SHA512

21e73434d0ba367f6eb45fd92b24f3d1567ef6aaccee2871620cf311f698b8ec3ac22261c95931f6a998ba1e3f8f3bc06b119d8164ddd2e4d376edb00c933a69
SSDEEP

24576:RUMPXPReQkyrfVQHxsvw2HuSOVyrGYZF0CV8twiylCS9u+cY7KPJ+HlD9IExKMac:3pe9qNQHxfwGUlype8+cY7KUx3

Score

10^/10

darkcomet nanocore febeuary 2023 evasion keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

darkcomet

Botnet

FEBEUARY 2023

timmy08.ddns.net:39399

Mutex

DC_MUTEX-Q2S9RDY

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
uwAzfkQN5QEN
install
true
offline_keylogger
true
persistence
true
reg_key
chrome

Extracted

Family

nanocore

Version

1.2.2.0

timmy06.ddns.net:28289

timmy08.ddns.net:28289

Mutex

62f06349-2bb0-4c20-ac84-f82ad01a1521

Attributes

activate_away_mode
false
backup_connection_host
timmy08.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-12-01T20:37:32.816492236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
28289
default_group
FEBRUARY 2023
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
62f06349-2bb0-4c20-ac84-f82ad01a1521
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
timmy06.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

A1DB2DK7S9.CNT.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	A1DB2DK7S9.CNT.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1988 attrib.exe
1736 attrib.exe
Executes dropped EXE 1 IoCs

Processes:

STUB 003.EXE

pid process

1876 STUB 003.EXE
Loads dropped DLL 2 IoCs

Processes:

A1DB2DK7S9.CNT.exe

pid process

1572 A1DB2DK7S9.CNT.exe
1572 A1DB2DK7S9.CNT.exe

pid	process
1988	attrib.exe
1736	attrib.exe

pid	process
1876	STUB 003.EXE

pid	process
1572	A1DB2DK7S9.CNT.exe
1572	A1DB2DK7S9.CNT.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

A1DB2DK7S9.CNT.exeSTUB 003.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	A1DB2DK7S9.CNT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Monitor = "C:\\Program Files (x86)\\UDP Monitor\\udpmon.exe"	STUB 003.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

STUB 003.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA STUB 003.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

A1DB2DK7S9.CNT.exe

description pid process target process

PID 1948 set thread context of 1572 1948 A1DB2DK7S9.CNT.exe A1DB2DK7S9.CNT.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	STUB 003.EXE

description	pid	process	target process
PID 1948 set thread context of 1572	1948	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe

Drops file in Program Files directory 2 IoCs

Processes:

STUB 003.EXE

description	ioc	process
File created	C:\Program Files (x86)\UDP Monitor\udpmon.exe	STUB 003.EXE
File opened for modification	C:\Program Files (x86)\UDP Monitor\udpmon.exe	STUB 003.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1352 schtasks.exe
1092 schtasks.exe
1608 schtasks.exe

pid	process
1352	schtasks.exe
1092	schtasks.exe
1608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

A1DB2DK7S9.CNT.exepowershell.exepowershell.exeSTUB 003.EXE

pid	process
1948	A1DB2DK7S9.CNT.exe
1948	A1DB2DK7S9.CNT.exe
1948	A1DB2DK7S9.CNT.exe
1948	A1DB2DK7S9.CNT.exe
1948	A1DB2DK7S9.CNT.exe
1948	A1DB2DK7S9.CNT.exe
1948	A1DB2DK7S9.CNT.exe
796	powershell.exe
1296	powershell.exe
1948	A1DB2DK7S9.CNT.exe
1876	STUB 003.EXE
1876	STUB 003.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

STUB 003.EXE

pid process

1876 STUB 003.EXE

pid	process
1876	STUB 003.EXE

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

A1DB2DK7S9.CNT.exepowershell.exepowershell.exeA1DB2DK7S9.CNT.exeSTUB 003.EXE

description	pid	process
Token: SeDebugPrivilege	1948	A1DB2DK7S9.CNT.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeIncreaseQuotaPrivilege	1572	A1DB2DK7S9.CNT.exe
Token: SeSecurityPrivilege	1572	A1DB2DK7S9.CNT.exe
Token: SeTakeOwnershipPrivilege	1572	A1DB2DK7S9.CNT.exe
Token: SeLoadDriverPrivilege	1572	A1DB2DK7S9.CNT.exe
Token: SeSystemProfilePrivilege	1572	A1DB2DK7S9.CNT.exe
Token: SeSystemtimePrivilege	1572	A1DB2DK7S9.CNT.exe
Token: SeProfSingleProcessPrivilege	1572	A1DB2DK7S9.CNT.exe
Token: SeIncBasePriorityPrivilege	1572	A1DB2DK7S9.CNT.exe
Token: SeCreatePagefilePrivilege	1572	A1DB2DK7S9.CNT.exe
Token: SeBackupPrivilege	1572	A1DB2DK7S9.CNT.exe
Token: SeRestorePrivilege	1572	A1DB2DK7S9.CNT.exe
Token: SeShutdownPrivilege	1572	A1DB2DK7S9.CNT.exe
Token: SeDebugPrivilege	1572	A1DB2DK7S9.CNT.exe
Token: SeSystemEnvironmentPrivilege	1572	A1DB2DK7S9.CNT.exe
Token: SeChangeNotifyPrivilege	1572	A1DB2DK7S9.CNT.exe
Token: SeRemoteShutdownPrivilege	1572	A1DB2DK7S9.CNT.exe
Token: SeUndockPrivilege	1572	A1DB2DK7S9.CNT.exe
Token: SeManageVolumePrivilege	1572	A1DB2DK7S9.CNT.exe
Token: SeImpersonatePrivilege	1572	A1DB2DK7S9.CNT.exe
Token: SeCreateGlobalPrivilege	1572	A1DB2DK7S9.CNT.exe
Token: 33	1572	A1DB2DK7S9.CNT.exe
Token: 34	1572	A1DB2DK7S9.CNT.exe
Token: 35	1572	A1DB2DK7S9.CNT.exe
Token: SeDebugPrivilege	1876	STUB 003.EXE

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

A1DB2DK7S9.CNT.exeA1DB2DK7S9.CNT.execmd.execmd.exeSTUB 003.EXE

description	pid	process	target process
PID 1948 wrote to memory of 1296	1948	A1DB2DK7S9.CNT.exe	powershell.exe
PID 1948 wrote to memory of 1296	1948	A1DB2DK7S9.CNT.exe	powershell.exe
PID 1948 wrote to memory of 1296	1948	A1DB2DK7S9.CNT.exe	powershell.exe
PID 1948 wrote to memory of 1296	1948	A1DB2DK7S9.CNT.exe	powershell.exe
PID 1948 wrote to memory of 796	1948	A1DB2DK7S9.CNT.exe	powershell.exe
PID 1948 wrote to memory of 796	1948	A1DB2DK7S9.CNT.exe	powershell.exe
PID 1948 wrote to memory of 796	1948	A1DB2DK7S9.CNT.exe	powershell.exe
PID 1948 wrote to memory of 796	1948	A1DB2DK7S9.CNT.exe	powershell.exe
PID 1948 wrote to memory of 1352	1948	A1DB2DK7S9.CNT.exe	schtasks.exe
PID 1948 wrote to memory of 1352	1948	A1DB2DK7S9.CNT.exe	schtasks.exe
PID 1948 wrote to memory of 1352	1948	A1DB2DK7S9.CNT.exe	schtasks.exe
PID 1948 wrote to memory of 1352	1948	A1DB2DK7S9.CNT.exe	schtasks.exe
PID 1948 wrote to memory of 1572	1948	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1948 wrote to memory of 1572	1948	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1948 wrote to memory of 1572	1948	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1948 wrote to memory of 1572	1948	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1948 wrote to memory of 1572	1948	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1948 wrote to memory of 1572	1948	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1948 wrote to memory of 1572	1948	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1948 wrote to memory of 1572	1948	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1948 wrote to memory of 1572	1948	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1948 wrote to memory of 1572	1948	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1948 wrote to memory of 1572	1948	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1948 wrote to memory of 1572	1948	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1948 wrote to memory of 1572	1948	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1572 wrote to memory of 1544	1572	A1DB2DK7S9.CNT.exe	cmd.exe
PID 1572 wrote to memory of 1544	1572	A1DB2DK7S9.CNT.exe	cmd.exe
PID 1572 wrote to memory of 1544	1572	A1DB2DK7S9.CNT.exe	cmd.exe
PID 1572 wrote to memory of 1544	1572	A1DB2DK7S9.CNT.exe	cmd.exe
PID 1572 wrote to memory of 2024	1572	A1DB2DK7S9.CNT.exe	cmd.exe
PID 1572 wrote to memory of 2024	1572	A1DB2DK7S9.CNT.exe	cmd.exe
PID 1572 wrote to memory of 2024	1572	A1DB2DK7S9.CNT.exe	cmd.exe
PID 1572 wrote to memory of 2024	1572	A1DB2DK7S9.CNT.exe	cmd.exe
PID 1572 wrote to memory of 1876	1572	A1DB2DK7S9.CNT.exe	STUB 003.EXE
PID 1572 wrote to memory of 1876	1572	A1DB2DK7S9.CNT.exe	STUB 003.EXE
PID 1572 wrote to memory of 1876	1572	A1DB2DK7S9.CNT.exe	STUB 003.EXE
PID 1572 wrote to memory of 1876	1572	A1DB2DK7S9.CNT.exe	STUB 003.EXE
PID 1544 wrote to memory of 1988	1544	cmd.exe	attrib.exe
PID 1544 wrote to memory of 1988	1544	cmd.exe	attrib.exe
PID 1544 wrote to memory of 1988	1544	cmd.exe	attrib.exe
PID 1544 wrote to memory of 1988	1544	cmd.exe	attrib.exe
PID 2024 wrote to memory of 1736	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 1736	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 1736	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 1736	2024	cmd.exe	attrib.exe
PID 1876 wrote to memory of 1092	1876	STUB 003.EXE	schtasks.exe
PID 1876 wrote to memory of 1092	1876	STUB 003.EXE	schtasks.exe
PID 1876 wrote to memory of 1092	1876	STUB 003.EXE	schtasks.exe
PID 1876 wrote to memory of 1092	1876	STUB 003.EXE	schtasks.exe
PID 1572 wrote to memory of 1844	1572	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1572 wrote to memory of 1844	1572	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1572 wrote to memory of 1844	1572	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1572 wrote to memory of 1844	1572	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1572 wrote to memory of 1844	1572	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1572 wrote to memory of 1844	1572	A1DB2DK7S9.CNT.exe	notepad.exe
PID 1876 wrote to memory of 1608	1876	STUB 003.EXE	schtasks.exe
PID 1876 wrote to memory of 1608	1876	STUB 003.EXE	schtasks.exe
PID 1876 wrote to memory of 1608	1876	STUB 003.EXE	schtasks.exe
PID 1876 wrote to memory of 1608	1876	STUB 003.EXE	schtasks.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1988 attrib.exe
1736 attrib.exe

pid	process
1988	attrib.exe
1736	attrib.exe

C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe
"C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vWYrDTb.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vWYrDTb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp50DF.tmp"
2⤵
- Creates scheduled task(s)
PID:1352

C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe
"C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1988

C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE
"C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UDP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5D1F.tmp"
4⤵
- Creates scheduled task(s)
PID:1092

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UDP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5F61.tmp"
4⤵
- Creates scheduled task(s)
PID:1608

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:1844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE
Filesize
203KB

MD5
ae5db5e672d91fb0f29857489c2a8cd3

SHA1
44067b00925afebb56a2b88489aa94aa25a4453e

SHA256
e6d99a83c9a9f307f08de2bd237b3d9ad6a104ec8901341943f5d92ebdd48587

SHA512
ff0853ee40d58154b06d0b7d2cc6d5896d1f4f5d2070660aa587872349f9b0ad553f693ad49ff8f9ce614fd31f0dc6fefc0f22cc09fea4537287b73272dccd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE
Filesize
203KB

MD5
ae5db5e672d91fb0f29857489c2a8cd3

SHA1
44067b00925afebb56a2b88489aa94aa25a4453e

SHA256
e6d99a83c9a9f307f08de2bd237b3d9ad6a104ec8901341943f5d92ebdd48587

SHA512
ff0853ee40d58154b06d0b7d2cc6d5896d1f4f5d2070660aa587872349f9b0ad553f693ad49ff8f9ce614fd31f0dc6fefc0f22cc09fea4537287b73272dccd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUB 003.EXE
Filesize
203KB

MD5
ae5db5e672d91fb0f29857489c2a8cd3

SHA1
44067b00925afebb56a2b88489aa94aa25a4453e

SHA256
e6d99a83c9a9f307f08de2bd237b3d9ad6a104ec8901341943f5d92ebdd48587

SHA512
ff0853ee40d58154b06d0b7d2cc6d5896d1f4f5d2070660aa587872349f9b0ad553f693ad49ff8f9ce614fd31f0dc6fefc0f22cc09fea4537287b73272dccd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp50DF.tmp
Filesize
1KB

MD5
23bb64f5c847ef63391abed8ba583e18

SHA1
555aa88b315986b2a00cbb2e07090dfab145b80e

SHA256
18eeae4e52d2a23d4fde243a2dbd432f31b7bd718391c38e43fa6fe6da200595

SHA512
6bf10bfd6f18b9b6625063cafda9740bfba7f325bc4cd1bd77144e6126fd2de60308c15ee787f0b083fb5b1bfed1bd3d1a2676ef5350fb48666264c421506038

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D1F.tmp
Filesize
1KB

MD5
bee7e3f58413577299b5b7131a33fa4c

SHA1
9e4f8c4ea7777c026e0cef09b9b154440074faa7

SHA256
ba85fd61d6c18e39b83ba2fd82d3859bbde7c082ddf95c8ea1cf9aff1d1e9402

SHA512
8241b56d56e1ea61648039a17de400c2263875f742038f22c7f87b7470d2b4d45c4d289d967f09fef9d05f1e1af3145723b49d8bac3f4a23e4cb810d3d84e94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5F61.tmp
Filesize
1KB

MD5
179f6a368194b3d8490223f22126274b

SHA1
cc2997c7fde3cfe0dcf267bf3b6338a7e2ecf2d0

SHA256
cdfb59fb9dabcedf57f84d9b3ea596f6ce26f8c559b503b6980a42738cf2f4d8

SHA512
8b1c1b2a8db227db2e741171c29e4bfcaad2919665cde77eb5b4058b45fe7c78b46e2ef1bc5b896aa0e172219c4a43b647d68b62db39c8f51ac0ed159e4f042b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
53770e1b4b09b92899b06c8e89c74d47

SHA1
acfbfe65f514cd8b468808900be4259791bbcfdc

SHA256
d7aff5b8675a347aa1810ca18ad675622b1ff97115bf01aba4cc7d9d3b883075

SHA512
05e14651f20b742c27a4ca07d99fe40df7fc787ab247567531705953fc502bce4e3f2a162f35d5027c70d27becc225e341c126cef56b9a9e14c2c024e9e0517e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
53770e1b4b09b92899b06c8e89c74d47

SHA1
acfbfe65f514cd8b468808900be4259791bbcfdc

SHA256
d7aff5b8675a347aa1810ca18ad675622b1ff97115bf01aba4cc7d9d3b883075

SHA512
05e14651f20b742c27a4ca07d99fe40df7fc787ab247567531705953fc502bce4e3f2a162f35d5027c70d27becc225e341c126cef56b9a9e14c2c024e9e0517e

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.1MB

MD5
9cb1667d78bac6997eefe37a44397558

SHA1
992651316c65ac2f6e0bd301543bea6c6cc507b1

SHA256
8f130ed18524730bdeab3cb340518acddaa6fb8ed2947bcbf902b2b94b2cdb69

SHA512
21e73434d0ba367f6eb45fd92b24f3d1567ef6aaccee2871620cf311f698b8ec3ac22261c95931f6a998ba1e3f8f3bc06b119d8164ddd2e4d376edb00c933a69

Download Submit
\Users\Admin\AppData\Local\Temp\STUB 003.EXE
Filesize
203KB

MD5
ae5db5e672d91fb0f29857489c2a8cd3

SHA1
44067b00925afebb56a2b88489aa94aa25a4453e

SHA256
e6d99a83c9a9f307f08de2bd237b3d9ad6a104ec8901341943f5d92ebdd48587

SHA512
ff0853ee40d58154b06d0b7d2cc6d5896d1f4f5d2070660aa587872349f9b0ad553f693ad49ff8f9ce614fd31f0dc6fefc0f22cc09fea4537287b73272dccd5d

Download Submit
\Users\Admin\AppData\Local\Temp\STUB 003.EXE
Filesize
203KB

MD5
ae5db5e672d91fb0f29857489c2a8cd3

SHA1
44067b00925afebb56a2b88489aa94aa25a4453e

SHA256
e6d99a83c9a9f307f08de2bd237b3d9ad6a104ec8901341943f5d92ebdd48587

SHA512
ff0853ee40d58154b06d0b7d2cc6d5896d1f4f5d2070660aa587872349f9b0ad553f693ad49ff8f9ce614fd31f0dc6fefc0f22cc09fea4537287b73272dccd5d

Download Submit
memory/796-84-0x0000000002090000-0x00000000020D0000-memory.dmp

Filesize
256KB

Download
memory/796-89-0x0000000002090000-0x00000000020D0000-memory.dmp

Filesize
256KB

Download
memory/796-87-0x0000000002090000-0x00000000020D0000-memory.dmp

Filesize
256KB

Download
memory/1296-90-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1296-88-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1296-85-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1572-73-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1572-74-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1572-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1572-83-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1572-80-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1572-79-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1572-86-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1572-78-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1572-77-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1572-76-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1572-75-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1572-82-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1572-111-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1572-110-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1844-106-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1876-109-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/1876-116-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/1948-59-0x0000000005BC0000-0x0000000005D2A000-memory.dmp

Filesize
1.4MB

Download
memory/1948-58-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/1948-57-0x0000000000640000-0x0000000000680000-memory.dmp

Filesize
256KB

Download
memory/1948-72-0x00000000084B0000-0x0000000008598000-memory.dmp

Filesize
928KB

Download
memory/1948-54-0x00000000008C0000-0x0000000000ADE000-memory.dmp

Filesize
2.1MB

Download
memory/1948-56-0x0000000000530000-0x0000000000544000-memory.dmp

Filesize
80KB

Download
memory/1948-55-0x0000000000640000-0x0000000000680000-memory.dmp

Filesize
256KB

Download