darkcomet | 58b345e6951ae9bbb11ca7da778be357e015f969c2ca4f9fd68de188da95a5a2

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QUOTATION.scr
Size

1.3MB
MD5

7be1f7bb5cbbbb26f1d8f15fff4d1785
SHA1

90be8735978435431004dffdd041783844557425
SHA256

0f6a0bda1357048fef49f18a77256520b8d39d336f4d72c2177dd4d721dc29b7
SHA512

818b11259ea6bc68791c2f7bc3e3e5f433a892b35517e07b08237904faaf112f03f2c915a25804becf46f31f1658e2c1aa0c6aa74d7641130896886f0d4c82ab
SSDEEP

24576:f2O/Glc8lub/mjPfqidep71baT+IUCG5+sUBYSS+AzTjmfDiN7gh8/62Ro3SYA5:38A6hspbaTB/Gss4nSFzEEW8/6z3S95

Score

10^/10

darkcomet big money persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

BIG MONEY

213.184.126.150:1616

Mutex

DCMIN_MUTEX-580PFNE

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
SpHN8XLqjdan
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	RegSvcs.exe

Executes dropped EXE 3 IoCs

Processes:

xup.exexup.exeIMDCSC.exe

pid process

1960 xup.exe
2172 xup.exe
2016 IMDCSC.exe
Loads dropped DLL 6 IoCs

Processes:

QUOTATION.scrxup.exeRegSvcs.exe

pid process

1668 QUOTATION.scr
1668 QUOTATION.scr
1668 QUOTATION.scr
1668 QUOTATION.scr
1960 xup.exe
768 RegSvcs.exe

pid	process
1960	xup.exe
2172	xup.exe
2016	IMDCSC.exe

pid	process
1668	QUOTATION.scr
1668	QUOTATION.scr
1668	QUOTATION.scr
1668	QUOTATION.scr
1960	xup.exe
768	RegSvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

xup.exeRegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\60748084\\xup.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\60748084\\VIR_GX~1"	xup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

xup.exe

description pid process target process

PID 2172 set thread context of 768 2172 xup.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

xup.exe

pid process

1960 xup.exe

description	pid	process	target process
PID 2172 set thread context of 768	2172	xup.exe	RegSvcs.exe

pid	process
1960	xup.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

RegSvcs.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	768	RegSvcs.exe
Token: SeSecurityPrivilege	768	RegSvcs.exe
Token: SeTakeOwnershipPrivilege	768	RegSvcs.exe
Token: SeLoadDriverPrivilege	768	RegSvcs.exe
Token: SeSystemProfilePrivilege	768	RegSvcs.exe
Token: SeSystemtimePrivilege	768	RegSvcs.exe
Token: SeProfSingleProcessPrivilege	768	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	768	RegSvcs.exe
Token: SeCreatePagefilePrivilege	768	RegSvcs.exe
Token: SeBackupPrivilege	768	RegSvcs.exe
Token: SeRestorePrivilege	768	RegSvcs.exe
Token: SeShutdownPrivilege	768	RegSvcs.exe
Token: SeDebugPrivilege	768	RegSvcs.exe
Token: SeSystemEnvironmentPrivilege	768	RegSvcs.exe
Token: SeChangeNotifyPrivilege	768	RegSvcs.exe
Token: SeRemoteShutdownPrivilege	768	RegSvcs.exe
Token: SeUndockPrivilege	768	RegSvcs.exe
Token: SeManageVolumePrivilege	768	RegSvcs.exe
Token: SeImpersonatePrivilege	768	RegSvcs.exe
Token: SeCreateGlobalPrivilege	768	RegSvcs.exe
Token: 33	768	RegSvcs.exe
Token: 34	768	RegSvcs.exe
Token: 35	768	RegSvcs.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

QUOTATION.scrxup.exexup.exeRegSvcs.exe

description	pid	process	target process
PID 1668 wrote to memory of 1960	1668	QUOTATION.scr	xup.exe
PID 1668 wrote to memory of 1960	1668	QUOTATION.scr	xup.exe
PID 1668 wrote to memory of 1960	1668	QUOTATION.scr	xup.exe
PID 1668 wrote to memory of 1960	1668	QUOTATION.scr	xup.exe
PID 1668 wrote to memory of 1960	1668	QUOTATION.scr	xup.exe
PID 1668 wrote to memory of 1960	1668	QUOTATION.scr	xup.exe
PID 1668 wrote to memory of 1960	1668	QUOTATION.scr	xup.exe
PID 1960 wrote to memory of 2172	1960	xup.exe	xup.exe
PID 1960 wrote to memory of 2172	1960	xup.exe	xup.exe
PID 1960 wrote to memory of 2172	1960	xup.exe	xup.exe
PID 1960 wrote to memory of 2172	1960	xup.exe	xup.exe
PID 1960 wrote to memory of 2172	1960	xup.exe	xup.exe
PID 1960 wrote to memory of 2172	1960	xup.exe	xup.exe
PID 1960 wrote to memory of 2172	1960	xup.exe	xup.exe
PID 2172 wrote to memory of 768	2172	xup.exe	RegSvcs.exe
PID 2172 wrote to memory of 768	2172	xup.exe	RegSvcs.exe
PID 2172 wrote to memory of 768	2172	xup.exe	RegSvcs.exe
PID 2172 wrote to memory of 768	2172	xup.exe	RegSvcs.exe
PID 2172 wrote to memory of 768	2172	xup.exe	RegSvcs.exe
PID 2172 wrote to memory of 768	2172	xup.exe	RegSvcs.exe
PID 2172 wrote to memory of 768	2172	xup.exe	RegSvcs.exe
PID 2172 wrote to memory of 768	2172	xup.exe	RegSvcs.exe
PID 2172 wrote to memory of 768	2172	xup.exe	RegSvcs.exe
PID 2172 wrote to memory of 768	2172	xup.exe	RegSvcs.exe
PID 2172 wrote to memory of 768	2172	xup.exe	RegSvcs.exe
PID 2172 wrote to memory of 768	2172	xup.exe	RegSvcs.exe
PID 2172 wrote to memory of 768	2172	xup.exe	RegSvcs.exe
PID 2172 wrote to memory of 768	2172	xup.exe	RegSvcs.exe
PID 2172 wrote to memory of 768	2172	xup.exe	RegSvcs.exe
PID 2172 wrote to memory of 768	2172	xup.exe	RegSvcs.exe
PID 768 wrote to memory of 2016	768	RegSvcs.exe	IMDCSC.exe
PID 768 wrote to memory of 2016	768	RegSvcs.exe	IMDCSC.exe
PID 768 wrote to memory of 2016	768	RegSvcs.exe	IMDCSC.exe
PID 768 wrote to memory of 2016	768	RegSvcs.exe	IMDCSC.exe
PID 768 wrote to memory of 2016	768	RegSvcs.exe	IMDCSC.exe
PID 768 wrote to memory of 2016	768	RegSvcs.exe	IMDCSC.exe
PID 768 wrote to memory of 2016	768	RegSvcs.exe	IMDCSC.exe

C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr
"C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
"C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe" vir=gxe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Users\Admin\AppData\Local\Temp\60748084\OXNZY
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
5⤵
- Executes dropped EXE
PID:2016

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\60748084\OXNZY
Filesize
86KB

MD5
2119ba402290f6647533f887df75ede1

SHA1
f08072e37a05758c82184cdea2d9644241c5990f

SHA256
fa6d5ee9d2f03c43af730b9bb60eeaae88e4b5c7abfebb9190dbc2c9aa13f59e

SHA512
bde4ec9bdc4429747df1cf4cd30c33986c7b92cb24f51497886326c590f1cfbd9906c9770dbe0c36408355e29259be6a34bc2504d135af3931fc95ee695d4c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\aeo.txt
Filesize
601B

MD5
7e68c80144b98534c69062c5d4f63193

SHA1
4fa510145f920a5a01d63d7e7cd3092f02faae92

SHA256
ed28e914111ebbefe6db0146d502d9002bd7e20f19a5281eb28c4cc13d4f3469

SHA512
fd4b2bb086bb599e2b0dde1e9c4ec61baa390d7e352b92c4b712e1725a35b0286bd0b2f32663aba13051043dab32ecf280491fa085c2b28c55e82afce2281f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\bke.docx
Filesize
540B

MD5
7b027091faa7599c8c878baa40380f80

SHA1
e1faf0a90e2f1284b29564a3c721354ebf1c578e

SHA256
5cdc494c02ed18a56b96d9de2ee3209c681651b5d5a774008d9e71207462d4f8

SHA512
d1b979dd9fc91a4cf5b35c266867a845400b6b5c6227ca28d7198bd47c8dfe0b513557695fd1c81a484575f6e4572815e21fa89a088673e3dfad565d7f33dd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\bpc.txt
Filesize
549B

MD5
73a4ddbff1464e232328647240047417

SHA1
41b2874ad08774e145a60d9ebd75a309b40919e3

SHA256
7233966f9b43d7c06531cabcc3308e241a53381203b34757663c605628ae3fb9

SHA512
015e08c207e9f4fc837204437613d9a59fd20d69502806c25cde5b5f86a72a9a220917900a9e3f994549d2ca27df9ad41e603cb677d5cc76b48fdbf224d98e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\cew.ppt
Filesize
601B

MD5
e62e907f8ac63a23a48bfefbaae0f817

SHA1
20ed5a17f74ec84ce20ac5036e64535999102502

SHA256
366e722ac40e4871ed6b49e0383dcb37b415371cc562d0361cc2c7b4f27f3345

SHA512
f1a2d4adffacd8842973a5758c12c1b10686da9f573fde393972de4ffe5201dd79075d99bd4a259d1b9bfb4d9b04d19a0e2bf94b9263bae1448701ae35210ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\cgl.mp4
Filesize
593B

MD5
6148f84c376c9edb9c27218e53cda4e7

SHA1
e46ff8ed09e90eb9397f01f302468b4602997dc4

SHA256
bb91f56b21293b707e10a87812c8080247e2088cd001f5b4ac90557dcdd24be7

SHA512
801c1fad6345b2d5a52f192c08b9e6289acb5d6519f24d159c11e09391a0ceee1e5d316bcd2cac8d8556c217371543c75643085903bfee82936e98f877ea84fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\ckn.pdf
Filesize
504B

MD5
557254061f5e199663aa53e532c823c4

SHA1
19df493026d1708edc1551b910b4affe9f86d605

SHA256
e8e84759d87cb3e0ec8c380074ec8742af5971373dde9c96e39ad96d1fc1b75a

SHA512
7a7d94982e75ad6bbbfd414c68ef0670dd271bd0b8a67df1fc439afed5ac5015b2f15a2b975292646d05585217594f072c22d00b3b3fcd6b8ca950b56c990c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\daa.jpg
Filesize
607B

MD5
d3c880d061584916c81310b0fd23f7ad

SHA1
3dc4476afe884a0d941eb32b3dc31eac78d897a6

SHA256
233a07f12997bdba3c3879a7d3bbf6dcd86445dc434b8a9d026c58971ca83865

SHA512
de4e5f9dfe4dc4f26a6ef57869341bffd051c5b071ff93bf5e5d76effd6996d62112ae0e8f76040048dd8d92ea5ee64cf1d71babda94efc847d23692c12d1ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\dke.bmp
Filesize
552B

MD5
2599f3f2e15dafa610063737f87e570c

SHA1
28331e45257ba5a53601a222b8a1b933168946dc

SHA256
557ae5381c23603c1c2c6517714dc84e49e5b389b14ea2bbbbf25a399cfba325

SHA512
1c26941cb2929e45964f4565610113a8eb1a7ffeaca94a0802903a8313d7c2ee073845065a1b2953a6ecfb433bf9a633ea3ccb1523ac436050099f8c9402f314

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\dne.mp4
Filesize
507B

MD5
6aedabdecf2efb782612e5a64d54f28d

SHA1
af42fb46702342cd8d83aec9ce31990cd43fd565

SHA256
8b5caf15df7dc51277e50f8d210b1af9250b9ee2d49023c7c4f856af4b5f93d9

SHA512
6adc5a0e7020d6701353462eaaab6f6295ae67e0d51424b1f209cb2e9ee2e773701c552acdfb99e1a48b287dc4e79ae8860d7bf1924e62a7df4dc911e42591d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\dwm.ppt
Filesize
551B

MD5
ff73177bc8806baa20695c3ea64924f7

SHA1
2a13a93709e34adffbf5b8f6ad5925746dc2ade4

SHA256
811341fe56cc37b429e582260c85575eda07eb5ff59b7cfb41f9100e9975abcc

SHA512
1e1f8ced4bfe07b5f6ec5c34eb79dd7efcf3a03b1fc773fbcd3120d23eadbade8d962f1b152cc57237398c8caf042b8a71f4f82c38c93df4c2859bf2c9ff9085

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\eak.txt
Filesize
525B

MD5
6bf1a76f3ab7805d41d5a79bd96f6bed

SHA1
7ef57ba165d2642fecc4043c61a8ecceb126ee3c

SHA256
c0e628591aa502a3b033620c196e64b28492d5f3d450762e23eb4caf89cb1cd7

SHA512
33adaa4c12644f7f58f0ea972a872c0f72558bd203704352b8285ff4941cc85f2ce8a61a244ae2ba85958ecfa5fbf46a8b5881157f527e9bb345d712e13284f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\ejg.jpg
Filesize
520B

MD5
f556ed8ce3360a692b159dac8a166955

SHA1
637871f8cf02c90ed72dba11579b997583b54620

SHA256
9f22f7888583aa88b45354c8dc663d2af2b10abd95a14417be71881b451cde1b

SHA512
add39ed35ae1999b746435c421b64b962e34ff69aaf19b21cd20c178c0cced911aa41917e5489983e0f8b50975e73af36f23ed5c5bf446a613c2200cd67be278

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\fao.bmp
Filesize
543B

MD5
7d4fa65e1d68b9d9758ea294ee234df8

SHA1
9d2ce4f535cb9d6c651c88d14278734bdb498e64

SHA256
a4bc0adc0e2bc9baf9c69c42484de1f3d8708589d9555258b9cc186c9eb3368f

SHA512
be9847ad206c2ccd9ee95699cfe12aa5e64f604e7845362e5d86e5419bfa1c248fbb81f14761f8a6c6c5ca23024ecd90935ade32c24a2b1c57848bed310982fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\fon.dat
Filesize
526B

MD5
84af0dc433d4e667f9d26f7d3b730f20

SHA1
eca0623e6930cbc05c552f918612af2ceb9e6564

SHA256
e3a5a6b91cd9a3e1920e1f6727259cdd74d07526ad72c33f7d9935460943363b

SHA512
d8a821c017d29afd9cbb184783f4ab937460dc1c4641c1284005eaf62cf9563849d4dad4d81d64c50f363f7706e5ba885d9c6ede2296fbb6b5b561862885edae

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\hbq.icm
Filesize
513B

MD5
9d28f938334fa0e7f2b975fab975cae6

SHA1
f97b5c570bd02bbb0d4c4545ae5d5cb9916d6103

SHA256
13056f3f3727532332a8d2c942f129738219f4ff53fc60861ded431f96d457e8

SHA512
24396e04952daa13c63863c3f5fb068ed8c46a97daa350bf8693ea5494e561eabcc11e96580949cc7e6433211ae54c6ba7801e78e33f2669299d54c36a8c65f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\hid.docx
Filesize
573B

MD5
14f50b8bf69beb03b8d37a54900d839a

SHA1
f6aad00f2c08d89cb658caf74b570f9c138e57f7

SHA256
d5e578a2e995b0a0167428b73ce65f40d11161c5dd169866722e3c74a239dd22

SHA512
8f0786fc9bcc396079d5e8372c0c99dfe76b31d464a5f391bb1ec6e228dfae4276961b033fa3f53ba06e1916cd30c56860c736e50d26390606e36789c2a9ec5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\iju.bmp
Filesize
573B

MD5
6b599ee36e844f78ec538719e5e519c8

SHA1
f0941017860bbb7ff14d516fa6056a2c70e556fd

SHA256
f5a620d1ea0157a4ea9081a238174bc10656a8f55f51eef908f557177df846c3

SHA512
242bcced00cca2be7b1f1dc9ce19b3176dd34051fd5b8a0ce02493eb803ac29b48e1c8ecf4395f99ec420b04b2582320e8878b37145cf1cbd01e234a318a6c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\jsj.pdf
Filesize
591B

MD5
619222a29b604dc87d835a0823978618

SHA1
aa81a4963326f965a2a15d4a272510e7aeabeff5

SHA256
6b2336cb760fd056d580b5d91b9e8499a6338821f2d857554bbfe47155712d14

SHA512
60cab44d5733dfe6deabc966aa7f6a70d53bf1f0f5bdfb2be511e3c85bb51f9d939bcb1d176c93a748dc4170749261feaf576f62f17ee56091a8502bc5480592

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\koi.xl
Filesize
536B

MD5
18d9863d59d51e5dc7453772589599ad

SHA1
e980b9683f358a9b9ec8bded0c8e7f60d6d78434

SHA256
7ed097e8701e4e9a6e3c586be8a4c4c93246ead36967269aa00ce846bad16a2a

SHA512
327e0b95d02ea2208678d1a15133384069a2981869b0983ba13d273d6dc8d8d5ccf4ef31b61d6cebd4f0dddc6dd256de67323f5d5fc9efa4a7c845d59c250295

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\lbc.icm
Filesize
575B

MD5
8eadc690507c46a25a2c5ff3c6fbb98c

SHA1
443e42a47d056ea18d9a714ebcef121641b63326

SHA256
58cfb44b55969dcd46d6e5d45f1808786df87d1de42c2876cd31a9cf6f115129

SHA512
3550d378a9de864bf58b31d4156a776bb32f7255d050164e32f327783886a2050dca5faa2731db9a56686c80cd869db033f3e53c854768660fd08613b5b5616f

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\lmg.docx
Filesize
504B

MD5
e6a4b2ec3642c1e2eca5332885ff5192

SHA1
c785e74a1ab71f51e426bd97cc441f602e8012b9

SHA256
e8db2485b0700a4327ef16b3377eea803232e9fea7045dccd38ae2f375a714a8

SHA512
4f3b1730034882060f4f11212967d6724ffa4a93148775a8041e221f98448990c914ed652b5ff29f35b9ab361c897523a1be9265b1f4049eb073ed8514e682da

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\mmg.jpg
Filesize
507B

MD5
b24239198c3b38776cb4c76f40772032

SHA1
93b148fc1af632b3cc02f11f246636e79a131c8f

SHA256
2d4858fab6314d93924b056773c7d559823ed2c91b05b35f96d3bde66e7a0abe

SHA512
616287ef675e5e22f13293f62b3404b937c858ce2c4061e067c9f17a5a937ddbf3485f3441dc1833d64167218c03219f377d3d5b5cdfc7810c7ed58fd7d89d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\mqi.ico
Filesize
518B

MD5
f17755adc1bd60e072002500e9f2da3f

SHA1
572d141a1013862ed9e3b0e088a1cfd49f81379f

SHA256
2e16b21d2c56a63c3a2091ee9d5e8d27a4af4da54fbe7ae5b87e2cb2cf6e591d

SHA512
347c50a35e991e962f09d8d69589e1d920136ca683b7e5d7d22e2e05a79370db65dc8c6e35d8e3965e9be75efa86968770a0af7fba8efe55c9dacca0a1fe010b

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\muj.mp4
Filesize
1.5MB

MD5
520a037b18e1c53010df3cdb7453bd11

SHA1
f1143437176c5381dfc465d0193309e2613f6cf6

SHA256
aa297dd63358b4f6ee80d864abc884cb2ae99c70e59cb74b9d074a517ac0053e

SHA512
f351b5c17781c9862acb67b7cc44438a2af515832d6732ad7d286d68b004c44901286d3301f006346abd5eae9f93193bd4b353d272400a3719f493ad10f60148

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\nmk.pdf
Filesize
545B

MD5
e7698f958f9c7766bc0298d69d2eaa86

SHA1
c09c27b0701dc0f477e917f7c7595f3de1ebbf2b

SHA256
8efd7385665e26ee0e93564ecf975a74f2c319ac9ea67411d894e965d9809599

SHA512
973a28e8531f6beeeb9a11bc81933f05e385a965ed98292fd9341d6528f182dcd52385f4b72d8f4e7b2ae2c202154ff2346a2baf89e8c5ddbf4fcfb7d447a712

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\nst.xl
Filesize
630B

MD5
553e3877bbe30e45e4c672b7089f44da

SHA1
58d17a6bf383c674674fad485beb14b6719e9e01

SHA256
371bbd014dc8732c87929b8dce14a832136f83f765661dd6b183d058dffeb52b

SHA512
0df093c204c0c1379cef0ce8847c3201f3cb6617c37818f11f86cb4941f1d57184ff5eac832877aff044d795d98a9d3736dfbfc3fba156b9dcd492808a7a5132

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\oin.docx
Filesize
505B

MD5
cc917430679676df4bb52cfc46519cf1

SHA1
63983d0933f13cb3b3e2e6b5640740edd3e87e3a

SHA256
44b4bded2fd7aed4b5a8eb0579ae3aefd72d5f5c677a0009cbfd7cf1478ca42e

SHA512
7d135b2e7932d004506d0c109506db6a8fd34e3d288699e7fd477019f6643b3e340085c5ff69118f6f1d6ac80aaee36748522c1155a6a8483eb989c50fb8d709

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\olj.icm
Filesize
519B

MD5
f8962052a9be8710067e42b7dd37c27c

SHA1
92b2964996916aa4fddc4ced4166d7baf2a380d4

SHA256
bfb9f527d23e3eeb0b58b4cc2bb3b554727fbb3391ea77446f6410979aa9cd1f

SHA512
b9962d75d7bb607b5270362014cc13c46add08b7cf8b13d507f1426e7cd99ba2e4a02415d8d8ec94e0e817c2ed381013a98ed249ecc5e820fdd20e569d0ec6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\poa.xl
Filesize
551B

MD5
d5763c03626fbb20e26d8a70d14b184f

SHA1
a587f64c7694cf1371827983004b7af99610e872

SHA256
d0a3f735b11a10444a7d238a75a63e0200983a9841237e0288689a8b4e00acb5

SHA512
1b0ce0290e25dd9ba42e84213462fd95171112039e73116ae7af31afbc86dc2dbabbbc5ee4c1bcc38ca114075b7be1c705f72a7509664240b0bdf43e5e164763

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\prj.pdf
Filesize
525B

MD5
b18f85a41fa08ffc88fd2d20ec9d2a5a

SHA1
320002f029886d5701c10f14af0160584ff459b1

SHA256
1a52148bb7e8483aa4e84212f6732519d3dd1619283d7b964f309df5e10ff2d3

SHA512
a74539a1b4abab2ff556b4d41275c7189997edc7e87a70e5a6fc19adee75f00dcc82ec322aa63f8d09ef26f23b4117a685e93229d6047a124235e512d5ec14b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\ptu.txt
Filesize
638B

MD5
2065e5988d40b506876a001488909aec

SHA1
a3320db0b57da29f91dad29024da1a571865237b

SHA256
a2f3caabafaa8611d4c68ba51209156e5f706fb536c7c7cdbd88e90b822424b8

SHA512
3ef70ce2640422e7ea63b828d0c192880f986be5f43285063c0958fa7f37d21584629f049f3178c954b4d3b1c0b20343b1304eab721d103f48dd6a4d417344ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\qbh.xl
Filesize
508B

MD5
1df1287818564dbda36a6dabb94c91e7

SHA1
35774859bd567f28331af06f51730e1ac07f05dc

SHA256
362640b6162a633b9e175b9f0b47262e792396267a9c297007ddc34af2f91591

SHA512
bdd6ea0c9a985816adbac9b25abf1ad8ba68144fcd25bde63d4ebab783510819fa3c0cd62f9ac2b15fbb028bb371df8d3826ae19b29badde62bec6752eedbded

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\qer.bmp
Filesize
528B

MD5
da1ee8e4494833fe542606e175498c9c

SHA1
73621d5c202afc5ba3329ddadd16da1c599f8bce

SHA256
a84437c7e2e4c4af2489f1dad06af4d2f51a6750527aba02d607d7866f9e933f

SHA512
2e6da0a850ba38110a5a079b1d3a863f9dbcb990d48961292aaa29054a9041acb4c2b5c96f45d920fb40cc1bd15ca3ae0851d1b4f44846145bc65d1d22efc3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\qix.bmp
Filesize
579B

MD5
d97abd5bdd067cdd3a42b5c65f63e96e

SHA1
c9023a608372c07af7d5ad1f54861668e3e8663d

SHA256
03bcf514d4a6d7a7a2dd50ee48d71ba701932592650c7b3575044e2021ba80d1

SHA512
45dbb3de027f638d4531f2ffdb6fc814e8e0e1ef054ed83bcd30cece014a89600291fca0599a272c7e1416f4015711834d62786f8e8d1150b1098bd34e867a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\rnu.bmp
Filesize
540B

MD5
f870488ba43f6bdefabf848f4972f63a

SHA1
4dda62f86f69238a06f2f4b9e1ff037dd4a87653

SHA256
8e321e251904d1926462522d12eef43aac726679e6a0c8768301024f7c9517c8

SHA512
0e3e54a6a32b4d5bd8952886dbdc1018b72fae14f4d53337623a6b36108f45089f4873fa1138d81fc98b01fa9c0e1d8e8b8fa75b76976fa96a263c029c81c976

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\spp.mp4
Filesize
552B

MD5
83b5a7c3c11f44f42aa9851f919c833c

SHA1
3dd4d6a0eb77464fa1e5cf005356ff5078128914

SHA256
7b4c2bacd4bd15ebf0812cdee67d2b2ce15d8ad6f55e2b525d7514169daeb3a1

SHA512
3df11098a3d1adbe013642e3cadf385251fa31c5e4e8039ada63e19b789196bfd8df152add4d6011506f3a8df457cc295dbff873c3bd4bc51b9022f5d9b5d003

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\sps.dat
Filesize
602B

MD5
77c55091f151ad66d338b07c25337dec

SHA1
ae27f3ffa8c84264c4c5a6624e13379e191e07b7

SHA256
049a836c2d1566907f587ae0d3666630e5c6b4e474f0aa84b1df4fc94d993f00

SHA512
4bea4ca274c01d015ad308a542796d42b3b095c48c3cedda94f2048ed1f62bf9543237245188934334ae077af6174360260fd4a6ac5ad53d3a5e4027877b014d

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\sub.ppt
Filesize
623B

MD5
cd94e9157418207a7431b5ed173c7f5c

SHA1
6f64a66ae6a9a60b971a5c3955d6b253661feb18

SHA256
e12a03ab9391e8e83168a4e0e6f38081c493758135db1c90234c479ce9c5c3ed

SHA512
3ff5c039d8588c79de10679cb5fec1d60f676a83f3f33a5e556b1267d9d316ea125947849d6f1de02a8fed93045ef2fe9d624e755bd31251171c349b5ec81f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\uep.bmp
Filesize
504B

MD5
be76cfc488c99ab5fafe42ac801682a2

SHA1
e51749f599d5ca3173582c362caa85adb88f2325

SHA256
df0bf5657084bb21486d69d662d851d556d135a723b9b7f3d453f6f25ba67f4b

SHA512
7bfce392a797461d5857ac12829577b0ebc233d7148ff67772293b84909186854200775b20ae7eb49974b0f2502c13c742eca52bd2fa0fb0046f1416b4a19ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\ukn.jpg
Filesize
569B

MD5
3c666fbdc460f3abb0512e3ffcf3aafd

SHA1
817ea5b68b582c37a23ef2bd3348097737af5d19

SHA256
cb46ab6690c2c60c6c3c218da9cbe5cb75ac4a8a5ec1559decf6595bb6ec806f

SHA512
bc0fc22d568af308684b9da41cc0894a23403687882a448d9ec009a39299b7ba4ca9d059fc2d7d63fd3a4e10cbb3253b6f34acfce33b39efa8b8907174eb7f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\uxo.ppt
Filesize
533B

MD5
74021a8f6c474e54ebc03f958a2ee625

SHA1
544492104d5fd9e3ea1ecf2eb47ac0c493c8a059

SHA256
ef21fd919ee673bf93066885121bac6dae6dd7dfd37f9e0400b00f54be5a0439

SHA512
3190c402d1a90870fcde7d733352ef7e55b10d3ad0deb44e091ef286801c163dd1aa71d1908fd105eb15dcece6eeda8497ef2d7d2ae77a5d93ca8324ded6a51d

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\vei.ico
Filesize
509B

MD5
eeb43f5c5a4adceea67484f4bceb2824

SHA1
fe187a8982dbd2d7e7fa781d0deffafba06cbc1e

SHA256
7b2ef6d386af1dea8cda45074867022f02f639368102727c47baadeda4c0fa66

SHA512
6d6309e8d6fdedb0f86a6d9c24f51f693822e0aa7005c6c050cbab2679f758f96525b0acda7aaa05cdd16510fd01b1045a458ab51e661b1c3ed6c2df71e1e7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\vir=gxe
Filesize
215KB

MD5
6966e3f5a812ccfa6cf64bd9ca781a4f

SHA1
eb3d3bc8f88ffa69e0169d45a7036b2978c0312e

SHA256
e462dff41fef6a4919ba0d5bbc15185be323a441ed1441891431a628dedd793f

SHA512
edd99cb924b46a1b45044b9ffafdbc3921bedd0ea98bb5eb67af8f3e07a767793bed992f3d3138d945ce6b57ad580fcbe35c2a8151a84d4b279f45890f649706

Download Submit
C:\Users\Admin\AppData\Local\Temp\60748084\xhw.ppt
Filesize
525B

MD5
7ef358ab2e7323d27e74a336f533177a

SHA1
1d64f54e110ab71be948333784f0ea9782b4447f

SHA256
8821f2668ef13d8dd500d8ffd866a64e3f905f6d5349f1fde44eb13344bb1ea2

SHA512
418d6df679b104f7a25fc2fc1a623484a15baba4744057b831ce91d8a11a11246cfda54c9e41b6d0487a475ae2dba1c3354c67459d717a6995811e377b142c7a

Download Submit
\Users\Admin\AppData\Local\Temp\60748084\xup.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/768-169-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/768-154-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/768-156-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/768-166-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/768-164-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/768-162-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/768-160-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/768-168-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/768-158-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/768-172-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/768-170-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/768-152-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2016-180-0x0000000000CC0000-0x0000000000CCE000-memory.dmp

Filesize
56KB

Download
memory/2016-181-0x00000000008A0000-0x00000000008C0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads