Malware Analysis Report

2024-08-06 17:51

Sample ID: 240226-z67cbsgc56
Target: a76146ce596e7583f86d1d13701db46b
SHA256: 7d253821d0e9186d3852d6dfbdf0c10f577925210a23fa0162eb8547505a49cf
Tags: darkcomet test persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 7d253821d0e9186d3852d6dfbdf0c10f577925210a23fa0162eb8547505a49cf
Threat Level: Known bad

The file a76146ce596e7583f86d1d13701db46b was found to be: Known bad.

Malicious Activity Summary

darkcomet test persistence rat trojan

Modifies WinLogon for persistence

Darkcomet

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-02-26 21:20

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-26 21:20
Reported: 2024-02-26 21:23
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: 34 | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1612 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe | C:\Users\Admin\AppData\Local\Temp\infection.exe |
| PID 1612 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe | C:\Users\Admin\AppData\Local\Temp\infection.exe |
| PID 1612 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe | C:\Users\Admin\AppData\Local\Temp\infection.exe |
| PID 1612 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe | C:\Users\Admin\AppData\Local\Temp\infection.exe |
| PID 1612 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1612 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1612 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1612 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1612 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1612 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1612 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2088 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe |
| PID 2088 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe |
| PID 2088 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe |
| PID 2088 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe

"C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe"

C:\Users\Admin\AppData\Local\Temp\infection.exe

"C:\Users\Admin\AppData\Local\Temp\infection.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\patch.bat" "

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

"C:\Windows\system32\MSDCSC\msdcsc.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |

Files

memory/1612-0-0x00000000010A0000-0x00000000010AC000-memory.dmp

memory/1612-1-0x0000000073EC0000-0x00000000745AE000-memory.dmp

memory/1612-2-0x0000000004D10000-0x0000000004D50000-memory.dmp

\Users\Admin\AppData\Local\Temp\infection.exe

MD5 125f4059f1674df7ea224a0c8f629e28
SHA1 027ab465dedc2bfd1b1b9c08a5d0b084004952c6
SHA256 edd998b66a23f93056ce7ec3ebfd22f2c858be634c03611f50e64be97d749a33
SHA512 8426e97e7d39cf35a6ef06875b99ab593f42de6b2f1d42338e297e425a136552d05b30c26836e6e76e096807659c858c642ca46d6399f2f558590a68fba9fbb5

C:\Users\Admin\AppData\Local\Temp\patch.bat

MD5 d70fbe28c0321dbf79f5792bf210f36c
SHA1 41e5e9ac251f53840c39e084f2b9710f413c6c23
SHA256 3f97ea84c493b5f639e122d0bbf82790074735a7461797a40405c282c32033fd
SHA512 8d2662608a1d62801890808d43c7d3f8dea8555a4825ac90034a124bf9198cdef21826797ab6fede89d49bed6507550b93ad70da570edf70065f9ae370ddc4c2

memory/1612-20-0x0000000073EC0000-0x00000000745AE000-memory.dmp

memory/2088-22-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2548-35-0x00000000001D0000-0x00000000001D1000-memory.dmp

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

MD5 f335e6e2fb3b825d1af5cc57493847c2
SHA1 f216cd43da60ee1c82d50b4920ac7a20e10143bb
SHA256 024a581336414f27776d034d1446dcfb638dfe576505989b31fb3ef359454013
SHA512 6e96816027a58a902130a69a41fa81fa7643ebfe547f3e0b55440b32c35e57c6e8bcc82c9020c022f4a6aab1debab28d1b33986edc0c0807c1ed172939c2c1c0

memory/2088-37-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2548-38-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2548-39-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2548-40-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2548-41-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2548-42-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2548-43-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2548-44-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2548-45-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2548-46-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2548-47-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2548-48-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2548-49-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2548-50-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2548-51-0x0000000000400000-0x00000000004B2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-26 21:20
Reported: 2024-02-26 21:23
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |

Enumerates physical storage devices

Modifies registry class

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: 34 | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\infection.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe

"C:\Users\Admin\AppData\Local\Temp\newfile\projekt.exe"

C:\Users\Admin\AppData\Local\Temp\infection.exe

"C:\Users\Admin\AppData\Local\Temp\infection.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\patch.bat" "

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

"C:\Windows\system32\MSDCSC\msdcsc.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |
| US | 8.8.8.8:53 | tester-server.zapto.org | udp |

Files

memory/2128-0-0x00000000000F0000-0x00000000000FC000-memory.dmp

memory/2128-1-0x0000000004A80000-0x0000000004B1C000-memory.dmp

memory/2128-2-0x0000000074FE0000-0x0000000075790000-memory.dmp

memory/2128-3-0x00000000050D0000-0x0000000005674000-memory.dmp

memory/2128-4-0x0000000004BC0000-0x0000000004C52000-memory.dmp

memory/2128-5-0x0000000004B40000-0x0000000004B50000-memory.dmp

memory/2128-6-0x0000000004BA0000-0x0000000004BAA000-memory.dmp

memory/2128-7-0x0000000004E00000-0x0000000004E56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\infection.exe

MD5 125f4059f1674df7ea224a0c8f629e28
SHA1 027ab465dedc2bfd1b1b9c08a5d0b084004952c6
SHA256 edd998b66a23f93056ce7ec3ebfd22f2c858be634c03611f50e64be97d749a33
SHA512 8426e97e7d39cf35a6ef06875b99ab593f42de6b2f1d42338e297e425a136552d05b30c26836e6e76e096807659c858c642ca46d6399f2f558590a68fba9fbb5

memory/3480-23-0x00000000022C0000-0x00000000022C1000-memory.dmp

memory/2128-22-0x0000000074FE0000-0x0000000075790000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\patch.bat

MD5 d70fbe28c0321dbf79f5792bf210f36c
SHA1 41e5e9ac251f53840c39e084f2b9710f413c6c23
SHA256 3f97ea84c493b5f639e122d0bbf82790074735a7461797a40405c282c32033fd
SHA512 8d2662608a1d62801890808d43c7d3f8dea8555a4825ac90034a124bf9198cdef21826797ab6fede89d49bed6507550b93ad70da570edf70065f9ae370ddc4c2

memory/1796-86-0x0000000002160000-0x0000000002161000-memory.dmp

memory/3480-87-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-88-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-89-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-90-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-91-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-92-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-93-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-94-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-95-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-96-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-97-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-98-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-99-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-100-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1796-101-0x0000000000400000-0x00000000004B2000-memory.dmp