darkcomet | a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
21-04-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
Size

3.2MB
MD5

30b37fdccf6fa1a0fd3a2a28de5f5674
SHA1

728d5c15472088326ecc57c78a544f78bf0ddc6a
SHA256

a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149
SHA512

fa25884a25b6f20325d7fc70b2ba83f65eb3f5110f6ea085c74bbed1d56070de05b238f85f3140715a4fb6c299be0c068ee2e2231dcc157b1a3aa502233a65a1
SSDEEP

98304:f2UcwExvvlQH4d7FwlRqIQQrh6GGFdS0RECc9v:OUcwaI4dhwlRqQroBFEx9

Score

10^/10

darkcomet 01082013 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

01082013

ubervps.no-ip.biz:28324

Mutex

DC_MUTEX-ABV02TU

Attributes

gencode
dwKuEj1qEjbE
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 5 IoCs

Processes:

KMSpico_setup.exeKMSpico_setup.tmpmfcmifc.exenapsnap.exemfcmifc.exe

pid	Process
2736	KMSpico_setup.exe
2684	KMSpico_setup.tmp
3048	mfcmifc.exe
108	napsnap.exe
1964	mfcmifc.exe

Loads dropped DLL 7 IoCs

Processes:

a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exeKMSpico_setup.exeKMSpico_setup.tmpmfcmifc.exenapsnap.exe

pid	Process
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2736	KMSpico_setup.exe
2684	KMSpico_setup.tmp
2684	KMSpico_setup.tmp
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
3048	mfcmifc.exe
108	napsnap.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mfcmifc.exemfcmifc.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MFC Managed Interfaces Library = "C:\\Users\\Admin\\Videos\\mfcmifc.exe"	mfcmifc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MFC Managed Interfaces Library = "C:\\Users\\Admin\\Videos\\mfcmifc.exe"	mfcmifc.exe

Drops file in System32 directory 2 IoCs

Processes:

a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\KMSpico_setup.exe	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
File opened for modification	C:\Windows\SysWOW64\KMSpico_setup.exe	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe

Suspicious use of SetThreadContext 20 IoCs

Processes:

a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exenapsnap.exe

description	pid	Process	procid_target
PID 2220 set thread context of 2516	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	30
PID 108 set thread context of 2808	108	napsnap.exe	35
PID 108 set thread context of 1408	108	napsnap.exe	37
PID 108 set thread context of 1988	108	napsnap.exe	38
PID 108 set thread context of 2008	108	napsnap.exe	39
PID 108 set thread context of 3064	108	napsnap.exe	40
PID 108 set thread context of 292	108	napsnap.exe	41
PID 108 set thread context of 2664	108	napsnap.exe	42
PID 108 set thread context of 2508	108	napsnap.exe	43
PID 108 set thread context of 2920	108	napsnap.exe	44
PID 108 set thread context of 1200	108	napsnap.exe	45
PID 108 set thread context of 2116	108	napsnap.exe	46
PID 108 set thread context of 2540	108	napsnap.exe	47
PID 108 set thread context of 1996	108	napsnap.exe	48
PID 108 set thread context of 1412	108	napsnap.exe	49
PID 108 set thread context of 2948	108	napsnap.exe	50
PID 108 set thread context of 2160	108	napsnap.exe	51
PID 108 set thread context of 1732	108	napsnap.exe	52
PID 108 set thread context of 2980	108	napsnap.exe	53
PID 108 set thread context of 1536	108	napsnap.exe	54

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe

pid	Process
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

KMSpico_setup.tmp

pid	Process
2684	KMSpico_setup.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exeAppLaunch.exemfcmifc.exenapsnap.exeAppLaunch.exeAppLaunch.exe

description	pid	Process
Token: SeDebugPrivilege	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
Token: SeIncreaseQuotaPrivilege	2516	AppLaunch.exe
Token: SeSecurityPrivilege	2516	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	2516	AppLaunch.exe
Token: SeLoadDriverPrivilege	2516	AppLaunch.exe
Token: SeSystemProfilePrivilege	2516	AppLaunch.exe
Token: SeSystemtimePrivilege	2516	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	2516	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	2516	AppLaunch.exe
Token: SeCreatePagefilePrivilege	2516	AppLaunch.exe
Token: SeBackupPrivilege	2516	AppLaunch.exe
Token: SeRestorePrivilege	2516	AppLaunch.exe
Token: SeShutdownPrivilege	2516	AppLaunch.exe
Token: SeDebugPrivilege	2516	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	2516	AppLaunch.exe
Token: SeChangeNotifyPrivilege	2516	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	2516	AppLaunch.exe
Token: SeUndockPrivilege	2516	AppLaunch.exe
Token: SeManageVolumePrivilege	2516	AppLaunch.exe
Token: SeImpersonatePrivilege	2516	AppLaunch.exe
Token: SeCreateGlobalPrivilege	2516	AppLaunch.exe
Token: 33	2516	AppLaunch.exe
Token: 34	2516	AppLaunch.exe
Token: 35	2516	AppLaunch.exe
Token: SeDebugPrivilege	3048	mfcmifc.exe
Token: SeDebugPrivilege	108	napsnap.exe
Token: SeIncreaseQuotaPrivilege	2808	AppLaunch.exe
Token: SeSecurityPrivilege	2808	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	2808	AppLaunch.exe
Token: SeLoadDriverPrivilege	2808	AppLaunch.exe
Token: SeSystemProfilePrivilege	2808	AppLaunch.exe
Token: SeSystemtimePrivilege	2808	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	2808	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	2808	AppLaunch.exe
Token: SeCreatePagefilePrivilege	2808	AppLaunch.exe
Token: SeBackupPrivilege	2808	AppLaunch.exe
Token: SeRestorePrivilege	2808	AppLaunch.exe
Token: SeShutdownPrivilege	2808	AppLaunch.exe
Token: SeDebugPrivilege	2808	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	2808	AppLaunch.exe
Token: SeChangeNotifyPrivilege	2808	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	2808	AppLaunch.exe
Token: SeUndockPrivilege	2808	AppLaunch.exe
Token: SeManageVolumePrivilege	2808	AppLaunch.exe
Token: SeImpersonatePrivilege	2808	AppLaunch.exe
Token: SeCreateGlobalPrivilege	2808	AppLaunch.exe
Token: 33	2808	AppLaunch.exe
Token: 34	2808	AppLaunch.exe
Token: 35	2808	AppLaunch.exe
Token: SeIncreaseQuotaPrivilege	1408	AppLaunch.exe
Token: SeSecurityPrivilege	1408	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	1408	AppLaunch.exe
Token: SeLoadDriverPrivilege	1408	AppLaunch.exe
Token: SeSystemProfilePrivilege	1408	AppLaunch.exe
Token: SeSystemtimePrivilege	1408	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	1408	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	1408	AppLaunch.exe
Token: SeCreatePagefilePrivilege	1408	AppLaunch.exe
Token: SeBackupPrivilege	1408	AppLaunch.exe
Token: SeRestorePrivilege	1408	AppLaunch.exe
Token: SeShutdownPrivilege	1408	AppLaunch.exe
Token: SeDebugPrivilege	1408	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	1408	AppLaunch.exe
Token: SeChangeNotifyPrivilege	1408	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AppLaunch.exe

pid	Process
2516	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exeKMSpico_setup.exemfcmifc.exenapsnap.exe

description	pid	Process	procid_target
PID 2220 wrote to memory of 2736	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	28
PID 2220 wrote to memory of 2736	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	28
PID 2220 wrote to memory of 2736	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	28
PID 2220 wrote to memory of 2736	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	28
PID 2220 wrote to memory of 2736	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	28
PID 2220 wrote to memory of 2736	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	28
PID 2220 wrote to memory of 2736	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	28
PID 2736 wrote to memory of 2684	2736	KMSpico_setup.exe	29
PID 2736 wrote to memory of 2684	2736	KMSpico_setup.exe	29
PID 2736 wrote to memory of 2684	2736	KMSpico_setup.exe	29
PID 2736 wrote to memory of 2684	2736	KMSpico_setup.exe	29
PID 2736 wrote to memory of 2684	2736	KMSpico_setup.exe	29
PID 2736 wrote to memory of 2684	2736	KMSpico_setup.exe	29
PID 2736 wrote to memory of 2684	2736	KMSpico_setup.exe	29
PID 2220 wrote to memory of 2516	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	30
PID 2220 wrote to memory of 2516	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	30
PID 2220 wrote to memory of 2516	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	30
PID 2220 wrote to memory of 2516	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	30
PID 2220 wrote to memory of 2516	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	30
PID 2220 wrote to memory of 2516	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	30
PID 2220 wrote to memory of 2516	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	30
PID 2220 wrote to memory of 2516	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	30
PID 2220 wrote to memory of 2516	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	30
PID 2220 wrote to memory of 2516	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	30
PID 2220 wrote to memory of 2516	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	30
PID 2220 wrote to memory of 2516	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	30
PID 2220 wrote to memory of 2516	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	30
PID 2220 wrote to memory of 2516	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	30
PID 2220 wrote to memory of 2516	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	30
PID 2220 wrote to memory of 2516	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	30
PID 2220 wrote to memory of 3048	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	31
PID 2220 wrote to memory of 3048	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	31
PID 2220 wrote to memory of 3048	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	31
PID 2220 wrote to memory of 3048	2220	a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe	31
PID 3048 wrote to memory of 108	3048	mfcmifc.exe	32
PID 3048 wrote to memory of 108	3048	mfcmifc.exe	32
PID 3048 wrote to memory of 108	3048	mfcmifc.exe	32
PID 3048 wrote to memory of 108	3048	mfcmifc.exe	32
PID 108 wrote to memory of 2808	108	napsnap.exe	35
PID 108 wrote to memory of 2808	108	napsnap.exe	35
PID 108 wrote to memory of 2808	108	napsnap.exe	35
PID 108 wrote to memory of 2808	108	napsnap.exe	35
PID 108 wrote to memory of 2808	108	napsnap.exe	35
PID 108 wrote to memory of 2808	108	napsnap.exe	35
PID 108 wrote to memory of 2808	108	napsnap.exe	35
PID 108 wrote to memory of 2808	108	napsnap.exe	35
PID 108 wrote to memory of 2808	108	napsnap.exe	35
PID 108 wrote to memory of 2808	108	napsnap.exe	35
PID 108 wrote to memory of 2808	108	napsnap.exe	35
PID 108 wrote to memory of 2808	108	napsnap.exe	35
PID 108 wrote to memory of 2808	108	napsnap.exe	35
PID 108 wrote to memory of 2808	108	napsnap.exe	35
PID 108 wrote to memory of 2808	108	napsnap.exe	35
PID 108 wrote to memory of 2808	108	napsnap.exe	35
PID 108 wrote to memory of 1964	108	napsnap.exe	36
PID 108 wrote to memory of 1964	108	napsnap.exe	36
PID 108 wrote to memory of 1964	108	napsnap.exe	36
PID 108 wrote to memory of 1964	108	napsnap.exe	36
PID 108 wrote to memory of 1408	108	napsnap.exe	37
PID 108 wrote to memory of 1408	108	napsnap.exe	37
PID 108 wrote to memory of 1408	108	napsnap.exe	37
PID 108 wrote to memory of 1408	108	napsnap.exe	37
PID 108 wrote to memory of 1408	108	napsnap.exe	37
PID 108 wrote to memory of 1408	108	napsnap.exe	37

C:\Users\Admin\AppData\Local\Temp\a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe
"C:\Users\Admin\AppData\Local\Temp\a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\KMSpico_setup.exe
  "C:\Windows\system32\KMSpico_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\is-9PBO0.tmp\KMSpico_setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-9PBO0.tmp\KMSpico_setup.tmp" /SL5="$6015E,2273272,69120,C:\Windows\SysWOW64\KMSpico_setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2684
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2516
- C:\Users\Admin\Videos\mfcmifc.exe
  "C:\Users\Admin\Videos\mfcmifc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Users\Admin\Videos\napsnap.exe
    "C:\Users\Admin\Videos\napsnap.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:108
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2808
  - - C:\Users\Admin\Videos\mfcmifc.exe
      "C:\Users\Admin\Videos\mfcmifc.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1964
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1408
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      PID:1988
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      PID:2008
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      PID:3064
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      PID:292
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      PID:2664
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      PID:2508
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      PID:2920
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      PID:1200
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      PID:2116
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      PID:2540
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      PID:1996
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      PID:1412
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      PID:2948
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      PID:2160
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      PID:1732
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      PID:2980
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Videos\napsnap.exe

Filesize
3.2MB

MD5
30b37fdccf6fa1a0fd3a2a28de5f5674

SHA1
728d5c15472088326ecc57c78a544f78bf0ddc6a

SHA256
a0b1a71bbd44c9138e47c9600e7b1f74891f096dfd6d3feecfe549e0ef89a149

SHA512
fa25884a25b6f20325d7fc70b2ba83f65eb3f5110f6ea085c74bbed1d56070de05b238f85f3140715a4fb6c299be0c068ee2e2231dcc157b1a3aa502233a65a1

Download Submit
\Users\Admin\AppData\Local\Temp\is-9PBO0.tmp\KMSpico_setup.tmp

Filesize
702KB

MD5
7060027eb4044b1d80c19f47cc87cdc7

SHA1
c8aaf8b8191ebbf65069feb78748369fbca11eec

SHA256
383d09d76bdfe36c4cd700a70d985d568be66c54c3b15e53670cd646074f2383

SHA512
b6aa6aaf795ff17c15b8f3d3194d3023535e3e7ee996087001de11ae3ca8de188b956d8784ca5532889ab088e356a0db5bb488f87c4edc441223b2bf92982db6

Download Submit
\Users\Admin\AppData\Local\Temp\is-LKC2V.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\Videos\mfcmifc.exe

Filesize
16KB

MD5
e835e6ccf8a639cd6146b6dd98a040dc

SHA1
c8ca7882e075b470386ca793f0d5f1d963a9eab5

SHA256
240b6ca9e43599e7af04c6d49073c9f914459ec3a39d2fcd7e173f0bc306a3ad

SHA512
529ad75067c28f05048c7759be57fd4e62bf55febd1a5529cdb9c74230ec09b1e107a6d58c5c1bb32db5794418cdf4a8c0f5b2115c373f7f24c7054e08bacc67

Download Submit
\Windows\SysWOW64\KMSpico_setup.exe

Filesize
2.5MB

MD5
6e2a517787795763a24e9697daa654f9

SHA1
dcd30afe8ce2f337009aade63ab90b34be5be4b8

SHA256
fffe6ac8fc3e0a58974c2e396f53690b917e70342ad426957a06e57b271839ca

SHA512
619402c2a0ce4f19625a335fd4965d14f050eb98cb9a9272f4f198f2e8116a8438885b364d1caf8e5f74470bbfd0e85e763ee7b7abe3c949e18064abf10a2f80

Download Submit
memory/108-70-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/108-69-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/108-106-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/108-104-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/292-208-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/292-207-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1200-286-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1200-287-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1408-129-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1408-128-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1536-466-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1536-467-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1732-427-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1732-426-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1964-168-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/1964-108-0x0000000000650000-0x0000000000690000-memory.dmp

Filesize
256KB

Download
memory/1964-107-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/1964-110-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/1964-169-0x0000000000650000-0x0000000000690000-memory.dmp

Filesize
256KB

Download
memory/1988-149-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1988-150-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1996-350-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1996-349-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2116-309-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2116-308-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2160-408-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2220-77-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-15-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-4-0x0000000002390000-0x00000000023D0000-memory.dmp

Filesize
256KB

Download
memory/2220-3-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-2-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-0-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-1-0x0000000002390000-0x00000000023D0000-memory.dmp

Filesize
256KB

Download
memory/2508-247-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2508-246-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2516-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2516-37-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2516-24-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2516-35-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2516-36-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2516-33-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2516-39-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2516-41-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2516-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2516-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2516-43-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2516-59-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2516-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2516-47-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2516-48-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2516-54-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2540-329-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2540-328-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2664-290-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2664-228-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2684-71-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2684-25-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2684-65-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2736-12-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2736-17-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2736-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2808-109-0x0000000000401000-0x000000000048F000-memory.dmp

Filesize
568KB

Download
memory/2920-331-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2920-268-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2948-388-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2948-387-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2980-448-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2980-447-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3048-78-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/3048-74-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/3048-75-0x0000000000630000-0x0000000000670000-memory.dmp

Filesize
256KB

Download
memory/3048-58-0x0000000000630000-0x0000000000670000-memory.dmp

Filesize
256KB

Download
memory/3048-60-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/3048-56-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/3064-189-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3064-250-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download