Analysis
- max time kernel: 160s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07-03-2024 20:49
Behavioral task: behavioral1
- Sample: 68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe
- Resource: win7-20240221-en
General
- Target: 68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe
- Size: 283KB
- MD5: 5d3a6ff4d3968270f9f09e351c24cb3c
- SHA1: 4dbc0b4033cc9174e4fde4c382046205ac44b453
- SHA256: 68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7
- SHA512: 33904af3e7602c0c586ec1e8a4050ac3b9a5338798c42d94aa9e6317860716b74e28c13896d352a73f3ca0708959b3730dafb94121cb28bedd6424a807493e08
- SSDEEP: 6144:AcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37+:AcW7KEZlPzCy37+
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2:
  - 127.0.0.1:1604
  - darkcomet3.ddns.net:1604
- Mutex: DC_MUTEX-ZJFLPGE
- Attributes:
  - InstallPath: MSDCSC\msdcsc.exe
  - gencode: J1Dp0ixzbN0M
  - install: true
  - offline_keylogger: true
  - persistence: true
  - reg_key: MicroUpdate
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: 68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe)
Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: msdcsc.exe, iexplore.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (msdcsc.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (msdcsc.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (msdcsc.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (iexplore.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (iexplore.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (iexplore.exe)
Modifies security service (2 TTPs, 2 IoCs)
Processes: msdcsc.exe, iexplore.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (msdcsc.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (iexplore.exe)
Windows security bypass
Processes: msdcsc.exe, iexplore.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (iexplore.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (iexplore.exe)
UPX dump on OEP (original entry point) (7 IoCs)
Resources matched by yara rule UPX:
- behavioral1/memory/2496-0-0x0000000000400000-0x00000000004C7000-memory.dmp
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
- behavioral1/memory/2944-35-0x0000000000400000-0x00000000004C7000-memory.dmp
- behavioral1/memory/2496-34-0x0000000003B30000-0x0000000003BF7000-memory.dmp
- behavioral1/memory/584-38-0x0000000000400000-0x00000000004C7000-memory.dmp
- behavioral1/memory/2944-40-0x0000000000400000-0x00000000004C7000-memory.dmp
- behavioral1/memory/2496-43-0x0000000000400000-0x00000000004C7000-memory.dmp
Disables RegEdit via registry modification (2 IoCs)
Processes: msdcsc.exe, iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (msdcsc.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (iexplore.exe)
Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
- PID 2608 attrib.exe
- PID 1624 attrib.exe
Deletes itself (1 IoCs)
Processes: notepad.exe
- PID 2680 notepad.exe
Executes dropped EXE (1 IoCs)
Processes: msdcsc.exe
- PID 2944 msdcsc.exe
Loads dropped DLL (2 IoCs)
Processes: 68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe
- PID 2496 68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe
- PID 2496 68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe
Resources matched by yara rule upx:
- behavioral1/memory/2496-0-0x0000000000400000-0x00000000004C7000-memory.dmp
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
- behavioral1/memory/2944-35-0x0000000000400000-0x00000000004C7000-memory.dmp
- behavioral1/memory/2496-34-0x0000000003B30000-0x0000000003BF7000-memory.dmp
- behavioral1/memory/584-38-0x0000000000400000-0x00000000004C7000-memory.dmp
- behavioral1/memory/2944-40-0x0000000000400000-0x00000000004C7000-memory.dmp
- behavioral1/memory/2496-43-0x0000000000400000-0x00000000004C7000-memory.dmp
Windows security modification
Processes: msdcsc.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: 68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe, msdcsc.exe, iexplore.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (msdcsc.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (iexplore.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes: msdcsc.exe
- PID 2944 (msdcsc.exe) set thread context of PID 584 (iexplore.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: iexplore.exe
- PID 584 iexplore.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe, msdcsc.exe, iexplore.exe
- PID 2496 (68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe) adjusted tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 2944 (msdcsc.exe) adjusted tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 584 (iexplore.exe) adjusted tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Suspicious use of WriteProcessMemory (48 IoCs)
Processes: 68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe, cmd.exe, cmd.exe, msdcsc.exe, iexplore.exe
- PID 2496 (68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe) wrote to memory of PID 2616 (cmd.exe): 4 events
- PID 2496 (68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe) wrote to memory of PID 2636 (cmd.exe): 4 events
- PID 2496 (68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe) wrote to memory of PID 2680 (notepad.exe): 18 events
- PID 2616 (cmd.exe) wrote to memory of PID 2608 (attrib.exe): 4 events
- PID 2636 (cmd.exe) wrote to memory of PID 1624 (attrib.exe): 4 events
- PID 2496 (68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe) wrote to memory of PID 2944 (msdcsc.exe): 4 events
- PID 2944 (msdcsc.exe) wrote to memory of PID 584 (iexplore.exe): 6 events
- PID 584 (iexplore.exe) wrote to memory of PID 2492 (notepad.exe): 4 events
System policy modification (1 TTPs, 3 IoCs)
Processes: msdcsc.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (msdcsc.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (msdcsc.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (msdcsc.exe)
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes: attrib.exe, attrib.exe
- PID 2608 attrib.exe
- PID 1624 attrib.exe
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe" +s +h
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  Depth 2: C:\Windows\SysWOW64\notepad.exe
    Command line: notepad
    - Deletes itself
  Depth 2: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    Depth 3: C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Windows\SysWOW64\notepad.exe
        Command line: notepad
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  - Filesize: 283KB
  - MD5: 5d3a6ff4d3968270f9f09e351c24cb3c
  - SHA1: 4dbc0b4033cc9174e4fde4c382046205ac44b453
  - SHA256: 68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7
  - SHA512: 33904af3e7602c0c586ec1e8a4050ac3b9a5338798c42d94aa9e6317860716b74e28c13896d352a73f3ca0708959b3730dafb94121cb28bedd6424a807493e08
- memory/584-38-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/2496-0-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/2496-1-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize: 4KB)
- memory/2496-34-0x0000000003B30000-0x0000000003BF7000-memory.dmp (Filesize: 796KB)
- memory/2496-37-0x0000000003B30000-0x0000000003BF7000-memory.dmp (Filesize: 796KB)
- memory/2496-43-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/2680-5-0x00000000000C0000-0x00000000000C1000-memory.dmp (Filesize: 4KB)
- memory/2680-25-0x0000000000270000-0x0000000000271000-memory.dmp (Filesize: 4KB)
- memory/2944-35-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/2944-39-0x00000000002C0000-0x00000000002C1000-memory.dmp (Filesize: 4KB)
- memory/2944-40-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)