Malware Analysis Report

2024-08-06 17:11

Sample ID 240428-xf4seaec62
Target Lucky Proxy.exe
SHA256 9eca9396e9230e5d10850f535d8c08f571e73b76794f45c12bdca8a80446314d
Tags
stealer guest16 eternity darkcomet persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9eca9396e9230e5d10850f535d8c08f571e73b76794f45c12bdca8a80446314d

Threat Level: Known bad

The file Lucky Proxy.exe was found to be: Known bad.

Malicious Activity Summary

stealer guest16 eternity darkcomet persistence rat trojan

Detects Eternity stealer

Darkcomet family

Modifies WinLogon for persistence

Eternity family

Darkcomet

Eternity

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-28 18:48

Signatures

Darkcomet family

darkcomet

Detects Eternity stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Eternity family

eternity

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-28 18:48

Reported

2024-04-28 18:52

Platform

win7-20240221-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe"

Signatures

Darkcomet

trojan rat darkcomet

Detects Eternity stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A (×15)

Eternity

eternity

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\17RYb5VUkfWF\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\17RYb5VUkfWF\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\ C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\ C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\STEALER.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE
PID 2172 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE
PID 2172 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE
PID 2172 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE
PID 2172 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe C:\Users\Admin\AppData\Local\Temp\STEALER.EXE
PID 2172 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe C:\Users\Admin\AppData\Local\Temp\STEALER.EXE
PID 2172 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe C:\Users\Admin\AppData\Local\Temp\STEALER.EXE
PID 2172 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe C:\Users\Admin\AppData\Local\Temp\STEALER.EXE
PID 2172 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 2172 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 2172 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 2172 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 2624 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\STEALER.EXE C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe
PID 2624 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\STEALER.EXE C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe
PID 2624 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\STEALER.EXE C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe
PID 2624 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\STEALER.EXE C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe
PID 2416 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE
PID 2416 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE
PID 2416 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE
PID 2416 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE
PID 2416 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE
PID 2416 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE
PID 2416 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE
PID 2416 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE
PID 2416 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe
PID 2416 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe
PID 2416 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe
PID 2416 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe
PID 2624 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\STEALER.EXE C:\Users\Admin\AppData\Local\Temp\dcd.exe
PID 2624 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\STEALER.EXE C:\Users\Admin\AppData\Local\Temp\dcd.exe
PID 2624 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\STEALER.EXE C:\Users\Admin\AppData\Local\Temp\dcd.exe
PID 2624 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\STEALER.EXE C:\Users\Admin\AppData\Local\Temp\dcd.exe
PID 1200 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE C:\Users\Admin\AppData\Local\Temp\dcd.exe
PID 1200 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE C:\Users\Admin\AppData\Local\Temp\dcd.exe
PID 1200 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE C:\Users\Admin\AppData\Local\Temp\dcd.exe
PID 1200 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE C:\Users\Admin\AppData\Local\Temp\dcd.exe
PID 2624 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\STEALER.EXE C:\Windows\system32\WerFault.exe
PID 2624 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\STEALER.EXE C:\Windows\system32\WerFault.exe
PID 2624 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\STEALER.EXE C:\Windows\system32\WerFault.exe
PID 1200 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE C:\Windows\system32\WerFault.exe
PID 1200 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE C:\Windows\system32\WerFault.exe
PID 1200 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe

"C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe"

C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE

"C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE"

C:\Users\Admin\AppData\Local\Temp\STEALER.EXE

"C:\Users\Admin\AppData\Local\Temp\STEALER.EXE"

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

"C:\Windows\system32\MSDCSC\msdcsc.exe"

C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe

"C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe"

C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE

"C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE"

C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE

"C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE"

C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe

"C:\Windows\system32\MSDCSC\17RYb5VUkfWF\msdcsc.exe"

C:\Users\Admin\AppData\Local\Temp\dcd.exe

"C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""

C:\Users\Admin\AppData\Local\Temp\dcd.exe

"C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2624 -s 1904

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1200 -s 1544

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 142.250.200.46:80 google.com tcp
US 8.8.8.8:53 api.imgbb.com udp
US 104.21.20.64:443 api.imgbb.com tcp
GB 142.250.200.46:80 google.com tcp
US 104.21.20.64:443 api.imgbb.com tcp
US 8.8.8.8:53 eterprx.net udp
US 104.21.20.223:443 eterprx.net tcp
US 8.8.8.8:53 eternitypr.net udp
US 172.67.199.29:443 eternitypr.net tcp
US 104.21.20.223:443 eterprx.net tcp
US 172.67.199.29:443 eternitypr.net tcp
N/A 127.0.0.1:1604 tcp (×239)

Files

memory/2172-0-0x00000000003F0000-0x00000000003F1000-memory.dmp

\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE

MD5 177146ba249a68fa55f0e0ba3889b1c6
SHA1 994d06dd75554da0024251412c318beff740b7c7
SHA256 af8ff83661fb43de992e22464533348c1aaac81e54c58357e09d0a07cd559893
SHA512 1764d9372784c7428327bb6e5b9bbb339500566f90c3c784084d8319ffdd620f4fcc81506cadf3e8009ef2cf4e7731d0702e411cdff15740f404cbd3684bb1a0

\Users\Admin\AppData\Local\Temp\STEALER.EXE

MD5 b81af4dd13f5db948ffec8b8707c2280
SHA1 f7f74d80b24ff02499be0fb46f416be14b21c287
SHA256 03fa8a7a7ac4dd4754f84f348737dc76f9102349bcac0ce64790bd20906ad21b
SHA512 0ef93304db63b84891bc7406d1a39112463600ae1bf4cc89fdb72db32d0ce237e05c84a1d31d94295c439cb4242e083ee97d44946bae61f1b5fa7319357eedde

memory/2624-15-0x0000000000CF0000-0x000000000156A000-memory.dmp

memory/2624-16-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

MD5 f9f683c1fafc61bcccc9a44bef1f2867
SHA1 464183bbe171e5b07921d293f2692c517353f6e4
SHA256 9eca9396e9230e5d10850f535d8c08f571e73b76794f45c12bdca8a80446314d
SHA512 ca6481f8b1d0d2917368f3178256c2825a4de13b5d9baa720e7fa2aa3fd214b13881cb2457af1abe75345348842ad8896e8f1962d672ffb6cddf008dcd940279

memory/2624-26-0x000000001C020000-0x000000001C428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe

MD5 afaafeb9ed3224a20c008fe4e987e0fc
SHA1 59605cdaded8aa6b009daba59056cbdfce8171d0
SHA256 f0395d96a4dae3a00181ff666507342a1b03f5e9a780d3ce8734e934eb13f90d
SHA512 747b94a51b065ad3f246a3a931dcc0c4a8b8efa6f9e996fdf63fb955e97f8cbcc45c8b2062292c3c89932df8c847d0d051e240f2903774cbae81d2ac83b8bb82

\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE

MD5 656811e5b545b83c89e9172d71a31c9d
SHA1 94dfbaf4b72bb4a627205536db953fdfb06637f4
SHA256 24e4e3268b3b2b043f1ed4ea4e564eba2b0d19824e34f4fbc077510db817eba1
SHA512 66f52fc6dd64d58d5b89628cd276f1b098f6e533f3acb6e081daa3c0ce3b9b68977ac0455deef7488d5d7e58fbeedc01691cc2c535c13e5088533dcc70e2f3de

C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE

MD5 5846ff38efa46576737ad1b8a9246766
SHA1 36586aec663d0fcc12d0924b554ea3ce65599da5
SHA256 f6b7fdaa92f8551750fbd372a88efeda90dea586e01c75f9d463478d7752ac7b
SHA512 097058dd94a2de214ff69f56e3be54261d75d8dd7cb7b1a5ae2184cbc4bb720d09ab29defde6246939c0401bfd1171f435a86cf280642ada2578db9d30a65820

memory/1200-49-0x0000000000B60000-0x0000000000C46000-memory.dmp

memory/2172-50-0x0000000000400000-0x0000000000EC2000-memory.dmp

memory/1200-51-0x00000000002E0000-0x000000000031E000-memory.dmp

memory/2416-61-0x0000000000400000-0x00000000007D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dcd.exe

MD5 b5ac46e446cead89892628f30a253a06
SHA1 f4ad1044a7f77a1b02155c3a355a1bb4177076ca
SHA256 def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669
SHA512 bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

memory/2624-72-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

memory/2728-74-0x0000000000400000-0x00000000007D6000-memory.dmp

memory/2404-73-0x0000000000400000-0x0000000000EC2000-memory.dmp

memory/2404-75-0x0000000000400000-0x0000000000EC2000-memory.dmp

memory/2728-76-0x0000000000400000-0x00000000007D6000-memory.dmp

memory/2404-97-0x0000000000400000-0x0000000000EC2000-memory.dmp

memory/2404-99-0x0000000000400000-0x0000000000EC2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-28 18:48

Reported

2024-04-28 18:50

Platform

win10v2004-20240419-en

Max time kernel

32s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe"

Signatures

Darkcomet

trojan rat darkcomet

Detects Eternity stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A (×11)

Eternity

eternity

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\17RYb5VUkfWF\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\STEALER.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\17RYb5VUkfWF\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\ C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDCSC\ C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A
File created C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\STEALER.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\MSDCSC\msdcsc.exe N/A
N/A N/A C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3272 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE
PID 3272 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE
PID 3272 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe C:\Users\Admin\AppData\Local\Temp\STEALER.EXE
PID 3272 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe C:\Users\Admin\AppData\Local\Temp\STEALER.EXE
PID 3272 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 3272 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 3272 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
PID 1548 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\STEALER.EXE C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe
PID 1548 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\STEALER.EXE C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe
PID 1548 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\STEALER.EXE C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe
PID 2728 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE
PID 2728 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE
PID 2728 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE
PID 2728 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE
PID 2728 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe
PID 2728 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe
PID 2728 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe

"C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe"

C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE

"C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE"

C:\Users\Admin\AppData\Local\Temp\STEALER.EXE

"C:\Users\Admin\AppData\Local\Temp\STEALER.EXE"

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

"C:\Windows\system32\MSDCSC\msdcsc.exe"

C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe

"C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe"

C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE

"C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE"

C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE

"C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE"

C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe

"C:\Windows\system32\MSDCSC\17RYb5VUkfWF\msdcsc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 g.bing.com udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp

Files

memory/3272-0-0x00000000010A0000-0x00000000010A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE

MD5 177146ba249a68fa55f0e0ba3889b1c6
SHA1 994d06dd75554da0024251412c318beff740b7c7
SHA256 af8ff83661fb43de992e22464533348c1aaac81e54c58357e09d0a07cd559893
SHA512 1764d9372784c7428327bb6e5b9bbb339500566f90c3c784084d8319ffdd620f4fcc81506cadf3e8009ef2cf4e7731d0702e411cdff15740f404cbd3684bb1a0

C:\Users\Admin\AppData\Local\Temp\STEALER.EXE

MD5 b81af4dd13f5db948ffec8b8707c2280
SHA1 f7f74d80b24ff02499be0fb46f416be14b21c287
SHA256 03fa8a7a7ac4dd4754f84f348737dc76f9102349bcac0ce64790bd20906ad21b
SHA512 0ef93304db63b84891bc7406d1a39112463600ae1bf4cc89fdb72db32d0ce237e05c84a1d31d94295c439cb4242e083ee97d44946bae61f1b5fa7319357eedde

memory/1548-21-0x0000000000620000-0x0000000000E9A000-memory.dmp

memory/1548-23-0x00007FFFAA950000-0x00007FFFAB411000-memory.dmp

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

MD5 f9f683c1fafc61bcccc9a44bef1f2867
SHA1 464183bbe171e5b07921d293f2692c517353f6e4
SHA256 9eca9396e9230e5d10850f535d8c08f571e73b76794f45c12bdca8a80446314d
SHA512 ca6481f8b1d0d2917368f3178256c2825a4de13b5d9baa720e7fa2aa3fd214b13881cb2457af1abe75345348842ad8896e8f1962d672ffb6cddf008dcd940279

memory/1548-72-0x00000000016F0000-0x0000000001740000-memory.dmp

memory/1548-73-0x00007FFFAA950000-0x00007FFFAB411000-memory.dmp

memory/1548-75-0x0000000001740000-0x0000000001750000-memory.dmp

memory/1548-74-0x0000000001680000-0x0000000001681000-memory.dmp

memory/1548-78-0x0000000001740000-0x0000000001750000-memory.dmp

memory/1548-77-0x0000000001740000-0x0000000001750000-memory.dmp

memory/1548-76-0x000000001BE30000-0x000000001C238000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe

MD5 afaafeb9ed3224a20c008fe4e987e0fc
SHA1 59605cdaded8aa6b009daba59056cbdfce8171d0
SHA256 f0395d96a4dae3a00181ff666507342a1b03f5e9a780d3ce8734e934eb13f90d
SHA512 747b94a51b065ad3f246a3a931dcc0c4a8b8efa6f9e996fdf63fb955e97f8cbcc45c8b2062292c3c89932df8c847d0d051e240f2903774cbae81d2ac83b8bb82

memory/3272-97-0x0000000000400000-0x0000000000EC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE

MD5 656811e5b545b83c89e9172d71a31c9d
SHA1 94dfbaf4b72bb4a627205536db953fdfb06637f4
SHA256 24e4e3268b3b2b043f1ed4ea4e564eba2b0d19824e34f4fbc077510db817eba1
SHA512 66f52fc6dd64d58d5b89628cd276f1b098f6e533f3acb6e081daa3c0ce3b9b68977ac0455deef7488d5d7e58fbeedc01691cc2c535c13e5088533dcc70e2f3de

C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE

MD5 5846ff38efa46576737ad1b8a9246766
SHA1 36586aec663d0fcc12d0924b554ea3ce65599da5
SHA256 f6b7fdaa92f8551750fbd372a88efeda90dea586e01c75f9d463478d7752ac7b
SHA512 097058dd94a2de214ff69f56e3be54261d75d8dd7cb7b1a5ae2184cbc4bb720d09ab29defde6246939c0401bfd1171f435a86cf280642ada2578db9d30a65820

memory/4144-121-0x0000000000D60000-0x0000000000E46000-memory.dmp

memory/4144-123-0x000000001B8E0000-0x000000001B91E000-memory.dmp

memory/2728-182-0x0000000000400000-0x00000000007D6000-memory.dmp

memory/4224-183-0x0000000000400000-0x0000000000EC2000-memory.dmp

memory/2144-184-0x0000000000400000-0x00000000007D6000-memory.dmp

memory/1548-185-0x00007FFFAA950000-0x00007FFFAB411000-memory.dmp

memory/1548-188-0x0000000001740000-0x0000000001750000-memory.dmp

memory/1548-190-0x0000000001740000-0x0000000001750000-memory.dmp

memory/1548-189-0x0000000001740000-0x0000000001750000-memory.dmp