Malware Analysis Report

2025-04-13 23:18

Sample ID 240224-g547gabh35
Target a12a55725a718d2a60609ee4abbbb445
SHA256 8928b45380323bdcfd83430c2f76bd5ea9b5d011b4b3c4e575dc13d98cb04f5d
Tags darkcomet 1.2 persistence rat trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

8928b45380323bdcfd83430c2f76bd5ea9b5d011b4b3c4e575dc13d98cb04f5d

Threat Level: Known bad

The file a12a55725a718d2a60609ee4abbbb445 was found to be: Known bad.

Malicious Activity Summary

darkcomet 1.2 persistence rat trojan

Darkcomet

Loads dropped DLL

Drops startup file

Uses the VBS compiler for execution

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-02-24 06:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-24 06:24

Reported

2024-02-24 06:26

Platform

win7-20240220-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe"

Signatures

Darkcomet

trojan rat darkcomet

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftUpdate.exe C:\Users\Admin\AppData\Roaming\a12a55725a718d2a60609ee4abbbb4451.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftUpdate.exe C:\Users\Admin\AppData\Roaming\a12a55725a718d2a60609ee4abbbb4451.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MicrosoftUpdate.exe" C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2552 set thread context of 2512 N/A C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 2512 (13 events) N/A C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe
PID 2552 wrote to memory of 2408 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2408 wrote to memory of 2372 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2552 wrote to memory of 2488 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe C:\Users\Admin\AppData\Roaming\a12a55725a718d2a60609ee4abbbb4451.exe
PID 2552 wrote to memory of 1800 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 2672 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe

"C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe"

C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe

"C:\Users\Admin\AppData\Local\Temp\\plugtemp\Microsoft Office.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\brs23-ga.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17A7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17A6.tmp"

C:\Users\Admin\AppData\Roaming\a12a55725a718d2a60609ee4abbbb4451.exe

"C:\Users\Admin\AppData\Roaming\a12a55725a718d2a60609ee4abbbb4451.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 3000

Network

Country Destination Domain Proto
US 8.8.8.8:53 ahmedb123.no-ip.info udp

Files

\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe

MD5 34aa912defa18c2c129f1e09d75c1d7e
SHA1 9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512 d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

C:\Users\Admin\AppData\Local\Temp\brs23-ga.cmdline

MD5 7b4b2d9f5b0e3ea6f2c4fb3fcdbdff95
SHA1 0755e1e459638b74d367e69a9859372310e63b37
SHA256 3f1ab6e67d51ec8fcb1943bfe559b16cb169865eaeaee50b4e7a6fee3087b70f
SHA512 2798cc1146bc01517eb83fb0946df3b3a2cce386e30b9bb7b144cddc6c28d177c15379b7276a5ab73ac9cd748f7d4df2a485a0a56c83894fc4aa915d3d6e64d1

C:\Users\Admin\AppData\Local\Temp\brs23-ga.0.vb

MD5 c2252ef57f687d457944080f94288704
SHA1 eb46293069494d72dd95cc1a94a0d8b9637ead05
SHA256 bfe7a40827afd7051edc6dc0262ef77d99ef437783b621cae8874d132898cd45
SHA512 ea57e6f61171cbee3f73ef0ef350db9e4ddfce44cc513c1b1dde8bb4e7007bdf2a29754a9fe279398fbd188dcc0fe278525733dbc74fa4e5474fe384bf9f429b

C:\Users\Admin\AppData\Local\Temp\vbc17A6.tmp

MD5 1a72a5149e0b64b0dec97862c05507f9
SHA1 daf3596436d8fc0870276d2db1e7c4411f85bc12
SHA256 7e67b10eaad4f0ef01f9d1f7e24e33ed4d03559434545fc350b8f4905c398984
SHA512 cda0d39904a285fac076e7acec7982a5c5b950b3ca92352a5b9e3802054fb8dd80c68c80408cda306d439bd5cca5071d7b865745e98c4887303873e87326f298

C:\Users\Admin\AppData\Local\Temp\RES17A7.tmp

MD5 a8c43f6c3303e85813ad456c50734074
SHA1 f622d952d843d1da77b3a078203e20721dd11e0b
SHA256 d0a82ad3ec98957cf626ec3a513a09947b97a874c64edb4052f54e080ed74bb9
SHA512 b0a78d5357de8a3c550fa7ba125a4c03eb44b7efad44eef61c853f4db6dd638def2982d68bf4163af21c5439555e4429558d69e43351b4fd1d18187648865136

C:\Users\Admin\AppData\Roaming\a12a55725a718d2a60609ee4abbbb4451.exe

MD5 ca46e339b8d38edcc5d34ef61b8fac3d
SHA1 61323d491cad81f8dfdec83dd30c13e01cbc2572
SHA256 57aa3b6858347dcd8b247c1b68473657f8bfd2e733d22cdca01a571c6ac32101
SHA512 246ae3e0114b81718424dff3ffcad5bc47eb3f02d2ac3ffba94a1a1f36d4dd9d5da7c71a2ac5fa000cd8cf422bab6e261f759e0c8ec04cfe4f4ed3a5c1f8d74d

C:\Users\Admin\AppData\Roaming\a12a55725a718d2a60609ee4abbbb445.exe

MD5 a12a55725a718d2a60609ee4abbbb445
SHA1 d429ca448c7ac0363280c10d82e36f92beff2614
SHA256 8928b45380323bdcfd83430c2f76bd5ea9b5d011b4b3c4e575dc13d98cb04f5d
SHA512 71730d78380a1bc455ec3e0eceb191041b8e64e8abf400f02b898e995d8f89574751c69ab8c4a42527469b78f661271aad652cfc063688401257a129c54cbe90

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-24 06:24

Reported

2024-02-24 06:26

Platform

win10v2004-20240221-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe"

Signatures

Darkcomet

trojan rat darkcomet

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftUpdate.exe C:\Users\Admin\AppData\Roaming\a12a55725a718d2a60609ee4abbbb4451.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftUpdate.exe C:\Users\Admin\AppData\Roaming\a12a55725a718d2a60609ee4abbbb4451.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MicrosoftUpdate.exe" C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2860 set thread context of 868 N/A C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 868 (14 events) N/A C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe
PID 2860 wrote to memory of 3168 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3168 wrote to memory of 2660 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2860 wrote to memory of 4796 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe C:\Users\Admin\AppData\Roaming\a12a55725a718d2a60609ee4abbbb4451.exe
PID 2860 wrote to memory of 2584 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 4776 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe

"C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe"

C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe

"C:\Users\Admin\AppData\Local\Temp\\plugtemp\Microsoft Office.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pq92skjx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6EA8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc89BD032B62EB4EBF8E7DE94FE74E14B5.TMP"

C:\Users\Admin\AppData\Roaming\a12a55725a718d2a60609ee4abbbb4451.exe

"C:\Users\Admin\AppData\Roaming\a12a55725a718d2a60609ee4abbbb4451.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 3000

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ahmedb123.no-ip.info udp (30 queries; repeated rows collapsed)
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe

MD5 d881de17aa8f2e2c08cbb7b265f928f9
SHA1 08936aebc87decf0af6e8eada191062b5e65ac2a
SHA256 b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA512 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

C:\Users\Admin\AppData\Local\Temp\pq92skjx.cmdline

MD5 1034477c1b5be2dfb055e2099f1652ff
SHA1 a37ef8d38e80839d1f27edf2ab500e07f0ad85d1
SHA256 0e6b23b64974e5b725196b3029d73d46a4ab58210e62f54b17c419b90af3df06
SHA512 e15d1e97da005f174f105c896888790f4b0b390c75b4a40550f4cf416542ff676459b267f680aa7b7c827aa57ca624f839274f788c190941c99de43d7e1be59a

C:\Users\Admin\AppData\Local\Temp\pq92skjx.0.vb

MD5 c2252ef57f687d457944080f94288704
SHA1 eb46293069494d72dd95cc1a94a0d8b9637ead05
SHA256 bfe7a40827afd7051edc6dc0262ef77d99ef437783b621cae8874d132898cd45
SHA512 ea57e6f61171cbee3f73ef0ef350db9e4ddfce44cc513c1b1dde8bb4e7007bdf2a29754a9fe279398fbd188dcc0fe278525733dbc74fa4e5474fe384bf9f429b

C:\Users\Admin\AppData\Local\Temp\vbc89BD032B62EB4EBF8E7DE94FE74E14B5.TMP

MD5 1a72a5149e0b64b0dec97862c05507f9
SHA1 daf3596436d8fc0870276d2db1e7c4411f85bc12
SHA256 7e67b10eaad4f0ef01f9d1f7e24e33ed4d03559434545fc350b8f4905c398984
SHA512 cda0d39904a285fac076e7acec7982a5c5b950b3ca92352a5b9e3802054fb8dd80c68c80408cda306d439bd5cca5071d7b865745e98c4887303873e87326f298

C:\Users\Admin\AppData\Local\Temp\RES6EA8.tmp

MD5 675d49b973583edba9076b9a6fd024f7
SHA1 885e5e27f90555d11ae30670dd962d3072fb9e78
SHA256 a2500bc9b5ba2012d769954cd68249d44238d7d03309edcf283275c8876e8b82
SHA512 cc53b9d9d0485f6729b27ef304dc0e07e3ac5de1722f7723a73c45f22d90392f2733a612335ab486ef71cf641c61d800fee6515e5af43c8dd83a6af00f3015b7

C:\Users\Admin\AppData\Roaming\a12a55725a718d2a60609ee4abbbb4451.exe

MD5 b8d4e4655a5b96d1d4bbef121c4cad6c
SHA1 0732100715de94800f43b1f161c09a39141a8bdc
SHA256 0dded2fdd38a2881c575befeaea84fa981ef7e6a54f308079345db9485f032ac
SHA512 53d7d58d85278dd709e1b51e1e4c64da1956966eb4d8ba8306ff9e3f5d34b38d250fc2311e06cdae9699090731ca9fe36807c3a62944f568a54c85f4c3566d12

C:\Users\Admin\AppData\Roaming\a12a55725a718d2a60609ee4abbbb445.exe

MD5 a12a55725a718d2a60609ee4abbbb445
SHA1 d429ca448c7ac0363280c10d82e36f92beff2614
SHA256 8928b45380323bdcfd83430c2f76bd5ea9b5d011b4b3c4e575dc13d98cb04f5d
SHA512 71730d78380a1bc455ec3e0eceb191041b8e64e8abf400f02b898e995d8f89574751c69ab8c4a42527469b78f661271aad652cfc063688401257a129c54cbe90
