darkcomet | 5ab8d01b8144e70ab1e5720ec8e672695068439c8e65b7bd884944117aa00e40

General

Target

03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
Size

1.3MB
MD5

03d6a067416e684cba893542c4ff1094
SHA1

ad1540618c02545b54b3d6f6785d565569c17ab7
SHA256

5ab8d01b8144e70ab1e5720ec8e672695068439c8e65b7bd884944117aa00e40
SHA512

7ed26f125ec87ed34131e31352132d2b4dd8aff850cb5b2a38420b7d77ccf430be9b222aa0c2e83fcd5aa401a0a521ae588524481b0a66fd3f452b447fa3c2e5
SSDEEP

24576:BzNYD0Wr6ULip3Z/A7nDTz+KHfAcV8towmD0Wr6sP7:tqD0W9iZMnDpfAu1D0W9

Score

10^/10

darkcomet modiloader bootkit persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

darkcrypted.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	darkcrypted.exe

ModiLoader Second Stage 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2524-83-0x0000000000400000-0x000000000040F000-memory.dmp	modiloader_stage2
behavioral1/memory/2524-82-0x0000000000400000-0x000000000040F000-memory.dmp	modiloader_stage2
behavioral1/memory/2524-101-0x0000000000400000-0x000000000040F000-memory.dmp	modiloader_stage2
behavioral1/memory/2524-88-0x0000000000400000-0x000000000040F000-memory.dmp	modiloader_stage2
behavioral1/memory/2524-80-0x0000000000400000-0x000000000040F000-memory.dmp	modiloader_stage2
behavioral1/memory/2524-76-0x0000000000400000-0x000000000040F000-memory.dmp	modiloader_stage2
behavioral1/memory/2524-74-0x0000000000400000-0x000000000040F000-memory.dmp	modiloader_stage2
behavioral1/memory/2524-72-0x0000000000400000-0x000000000040F000-memory.dmp	modiloader_stage2
behavioral1/memory/2524-70-0x0000000000400000-0x000000000040F000-memory.dmp	modiloader_stage2
behavioral1/memory/2524-68-0x0000000000400000-0x000000000040F000-memory.dmp	modiloader_stage2

Executes dropped EXE 12 IoCs

Processes:

darkcrypted.exed48z.exed48z.exed48z.exemet start.exedarkcrypted.exedarkcrypted.exemet start.exemet start.exesvchost.exesvchost.exesvchost.exe

pid	process
2128	darkcrypted.exe
2736	d48z.exe
2680	d48z.exe
2524	d48z.exe
2592	met start.exe
2952	darkcrypted.exe
2428	darkcrypted.exe
628	met start.exe
1308	met start.exe
2840	svchost.exe
540	svchost.exe
1484	svchost.exe

Loads dropped DLL 12 IoCs

Processes:

03d6a067416e684cba893542c4ff1094_JaffaCakes118.exed48z.exed48z.exedarkcrypted.exed48z.exedarkcrypted.exedarkcrypted.exe

pid	process
1704	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
1704	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
1704	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
1704	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
2736	d48z.exe
2680	d48z.exe
2128	darkcrypted.exe
2524	d48z.exe
2524	d48z.exe
2952	darkcrypted.exe
2428	darkcrypted.exe
2428	darkcrypted.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d48z.exedarkcrypted.exemet start.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\met start.exe\""	d48z.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	darkcrypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\met start.exe\""	met start.exe

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

darkcrypted.exemet start.exesvchost.exe03d6a067416e684cba893542c4ff1094_JaffaCakes118.exed48z.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	darkcrypted.exe
File opened for modification	\??\PhysicalDrive0	met start.exe
File opened for modification	\??\PhysicalDrive0	svchost.exe
File opened for modification	\??\PhysicalDrive0	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	d48z.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

03d6a067416e684cba893542c4ff1094_JaffaCakes118.exed48z.exed48z.exedarkcrypted.exedarkcrypted.exemet start.exemet start.exesvchost.exesvchost.exe

description	pid	process	target process
PID 2716 set thread context of 1704	2716	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2736 set thread context of 2680	2736	d48z.exe	d48z.exe
PID 2680 set thread context of 2524	2680	d48z.exe	d48z.exe
PID 2128 set thread context of 2952	2128	darkcrypted.exe	darkcrypted.exe
PID 2952 set thread context of 2428	2952	darkcrypted.exe	darkcrypted.exe
PID 2592 set thread context of 628	2592	met start.exe	met start.exe
PID 628 set thread context of 1308	628	met start.exe	met start.exe
PID 2840 set thread context of 540	2840	svchost.exe	svchost.exe
PID 540 set thread context of 1484	540	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2112 PING.EXE

pid	process
2112	PING.EXE

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

darkcrypted.exesvchost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2428	darkcrypted.exe
Token: SeSecurityPrivilege	2428	darkcrypted.exe
Token: SeTakeOwnershipPrivilege	2428	darkcrypted.exe
Token: SeLoadDriverPrivilege	2428	darkcrypted.exe
Token: SeSystemProfilePrivilege	2428	darkcrypted.exe
Token: SeSystemtimePrivilege	2428	darkcrypted.exe
Token: SeProfSingleProcessPrivilege	2428	darkcrypted.exe
Token: SeIncBasePriorityPrivilege	2428	darkcrypted.exe
Token: SeCreatePagefilePrivilege	2428	darkcrypted.exe
Token: SeBackupPrivilege	2428	darkcrypted.exe
Token: SeRestorePrivilege	2428	darkcrypted.exe
Token: SeShutdownPrivilege	2428	darkcrypted.exe
Token: SeDebugPrivilege	2428	darkcrypted.exe
Token: SeSystemEnvironmentPrivilege	2428	darkcrypted.exe
Token: SeChangeNotifyPrivilege	2428	darkcrypted.exe
Token: SeRemoteShutdownPrivilege	2428	darkcrypted.exe
Token: SeUndockPrivilege	2428	darkcrypted.exe
Token: SeManageVolumePrivilege	2428	darkcrypted.exe
Token: SeImpersonatePrivilege	2428	darkcrypted.exe
Token: SeCreateGlobalPrivilege	2428	darkcrypted.exe
Token: 33	2428	darkcrypted.exe
Token: 34	2428	darkcrypted.exe
Token: 35	2428	darkcrypted.exe
Token: SeIncreaseQuotaPrivilege	1484	svchost.exe
Token: SeSecurityPrivilege	1484	svchost.exe
Token: SeTakeOwnershipPrivilege	1484	svchost.exe
Token: SeLoadDriverPrivilege	1484	svchost.exe
Token: SeSystemProfilePrivilege	1484	svchost.exe
Token: SeSystemtimePrivilege	1484	svchost.exe
Token: SeProfSingleProcessPrivilege	1484	svchost.exe
Token: SeIncBasePriorityPrivilege	1484	svchost.exe
Token: SeCreatePagefilePrivilege	1484	svchost.exe
Token: SeBackupPrivilege	1484	svchost.exe
Token: SeRestorePrivilege	1484	svchost.exe
Token: SeShutdownPrivilege	1484	svchost.exe
Token: SeDebugPrivilege	1484	svchost.exe
Token: SeSystemEnvironmentPrivilege	1484	svchost.exe
Token: SeChangeNotifyPrivilege	1484	svchost.exe
Token: SeRemoteShutdownPrivilege	1484	svchost.exe
Token: SeUndockPrivilege	1484	svchost.exe
Token: SeManageVolumePrivilege	1484	svchost.exe
Token: SeImpersonatePrivilege	1484	svchost.exe
Token: SeCreateGlobalPrivilege	1484	svchost.exe
Token: 33	1484	svchost.exe
Token: 34	1484	svchost.exe
Token: 35	1484	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe03d6a067416e684cba893542c4ff1094_JaffaCakes118.exed48z.exedarkcrypted.exed48z.exemet start.exedarkcrypted.exemet start.exesvchost.exesvchost.exe

pid	process
2716	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
1704	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
2736	d48z.exe
2128	darkcrypted.exe
2680	d48z.exe
2592	met start.exe
2952	darkcrypted.exe
628	met start.exe
2840	svchost.exe
540	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe03d6a067416e684cba893542c4ff1094_JaffaCakes118.exed48z.exed48z.exedarkcrypted.exed48z.exedarkcrypted.exe

description	pid	process	target process
PID 2716 wrote to memory of 1704	2716	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2716 wrote to memory of 1704	2716	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2716 wrote to memory of 1704	2716	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2716 wrote to memory of 1704	2716	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2716 wrote to memory of 1704	2716	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2716 wrote to memory of 1704	2716	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2716 wrote to memory of 1704	2716	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2716 wrote to memory of 1704	2716	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2716 wrote to memory of 1704	2716	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 1704 wrote to memory of 2128	1704	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	darkcrypted.exe
PID 1704 wrote to memory of 2128	1704	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	darkcrypted.exe
PID 1704 wrote to memory of 2128	1704	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	darkcrypted.exe
PID 1704 wrote to memory of 2128	1704	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	darkcrypted.exe
PID 1704 wrote to memory of 2736	1704	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	d48z.exe
PID 1704 wrote to memory of 2736	1704	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	d48z.exe
PID 1704 wrote to memory of 2736	1704	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	d48z.exe
PID 1704 wrote to memory of 2736	1704	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	d48z.exe
PID 2736 wrote to memory of 2680	2736	d48z.exe	d48z.exe
PID 2736 wrote to memory of 2680	2736	d48z.exe	d48z.exe
PID 2736 wrote to memory of 2680	2736	d48z.exe	d48z.exe
PID 2736 wrote to memory of 2680	2736	d48z.exe	d48z.exe
PID 2736 wrote to memory of 2680	2736	d48z.exe	d48z.exe
PID 2736 wrote to memory of 2680	2736	d48z.exe	d48z.exe
PID 2736 wrote to memory of 2680	2736	d48z.exe	d48z.exe
PID 2736 wrote to memory of 2680	2736	d48z.exe	d48z.exe
PID 2736 wrote to memory of 2680	2736	d48z.exe	d48z.exe
PID 2680 wrote to memory of 2524	2680	d48z.exe	d48z.exe
PID 2680 wrote to memory of 2524	2680	d48z.exe	d48z.exe
PID 2680 wrote to memory of 2524	2680	d48z.exe	d48z.exe
PID 2680 wrote to memory of 2524	2680	d48z.exe	d48z.exe
PID 2680 wrote to memory of 2524	2680	d48z.exe	d48z.exe
PID 2680 wrote to memory of 2524	2680	d48z.exe	d48z.exe
PID 2680 wrote to memory of 2524	2680	d48z.exe	d48z.exe
PID 2680 wrote to memory of 2524	2680	d48z.exe	d48z.exe
PID 2680 wrote to memory of 2524	2680	d48z.exe	d48z.exe
PID 2680 wrote to memory of 2524	2680	d48z.exe	d48z.exe
PID 2680 wrote to memory of 2524	2680	d48z.exe	d48z.exe
PID 2680 wrote to memory of 2524	2680	d48z.exe	d48z.exe
PID 2128 wrote to memory of 2952	2128	darkcrypted.exe	darkcrypted.exe
PID 2128 wrote to memory of 2952	2128	darkcrypted.exe	darkcrypted.exe
PID 2128 wrote to memory of 2952	2128	darkcrypted.exe	darkcrypted.exe
PID 2128 wrote to memory of 2952	2128	darkcrypted.exe	darkcrypted.exe
PID 2524 wrote to memory of 2592	2524	d48z.exe	met start.exe
PID 2524 wrote to memory of 2592	2524	d48z.exe	met start.exe
PID 2524 wrote to memory of 2592	2524	d48z.exe	met start.exe
PID 2524 wrote to memory of 2592	2524	d48z.exe	met start.exe
PID 2128 wrote to memory of 2952	2128	darkcrypted.exe	darkcrypted.exe
PID 2128 wrote to memory of 2952	2128	darkcrypted.exe	darkcrypted.exe
PID 2128 wrote to memory of 2952	2128	darkcrypted.exe	darkcrypted.exe
PID 2128 wrote to memory of 2952	2128	darkcrypted.exe	darkcrypted.exe
PID 2128 wrote to memory of 2952	2128	darkcrypted.exe	darkcrypted.exe
PID 2952 wrote to memory of 2428	2952	darkcrypted.exe	darkcrypted.exe
PID 2952 wrote to memory of 2428	2952	darkcrypted.exe	darkcrypted.exe
PID 2952 wrote to memory of 2428	2952	darkcrypted.exe	darkcrypted.exe
PID 2952 wrote to memory of 2428	2952	darkcrypted.exe	darkcrypted.exe
PID 2952 wrote to memory of 2428	2952	darkcrypted.exe	darkcrypted.exe
PID 2952 wrote to memory of 2428	2952	darkcrypted.exe	darkcrypted.exe
PID 2952 wrote to memory of 2428	2952	darkcrypted.exe	darkcrypted.exe
PID 2952 wrote to memory of 2428	2952	darkcrypted.exe	darkcrypted.exe
PID 2952 wrote to memory of 2428	2952	darkcrypted.exe	darkcrypted.exe
PID 2952 wrote to memory of 2428	2952	darkcrypted.exe	darkcrypted.exe
PID 2952 wrote to memory of 2428	2952	darkcrypted.exe	darkcrypted.exe
PID 2952 wrote to memory of 2428	2952	darkcrypted.exe	darkcrypted.exe
PID 2952 wrote to memory of 2428	2952	darkcrypted.exe	darkcrypted.exe

C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
"C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
"C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952

C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
"C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2840

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:540

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe"
6⤵
PID:2696

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
7⤵
- Runs ping.exe
PID:2112

C:\Users\Admin\AppData\Local\Temp\d48z.exe
"C:\Users\Admin\AppData\Local\Temp\d48z.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\d48z.exe
"C:\Users\Admin\AppData\Local\Temp\d48z.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680

C:\Users\Admin\AppData\Local\Temp\d48z.exe
"C:\Users\Admin\AppData\Local\Temp\d48z.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2524

C:\Users\Admin\AppData\Roaming\met start.exe
"C:\Users\Admin\AppData\Roaming\met start.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2592

C:\Users\Admin\AppData\Roaming\met start.exe
"C:\Users\Admin\AppData\Roaming\met start.exe"
7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:628

C:\Users\Admin\AppData\Roaming\met start.exe
"C:\Users\Admin\AppData\Roaming\met start.exe"
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d48z.exe

Filesize
240KB

MD5
c7e2e7f78d3176794bfd37c571552c5d

SHA1
5ade0c1a932080dc28982e9ac751ef40a819bfab

SHA256
b148721896f9a0fbb6113e5c381dd2555dbbb37d72c780a6ca09b2639e20e876

SHA512
f0b9e1d64c5484cd1073c8cdf65f3c8921fe1588137137de0a3d3bcdb2818441fd0e2ddb7d8b189ef879b3303804438e615ed79398e2c5a8aa254d6428b9848a

Download Submit
C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe

Filesize
852KB

MD5
dc11a2ac0e7fda0d531fcd4350b6b56f

SHA1
32bf2255a2397c4bae5e9250260ce9b2c2a901c4

SHA256
fb708bf5cb6e60a45fbe23446b723b79ca3b1720f567afca5c5cd57c07ccb23c

SHA512
a4a569fcdf977dd1e5b01416b69a04f53af190dd0d956f3ffca6101f8af62d8bc47052ede34f3ba395e683aeae3669e609a44812753e8d4818cf1eb1e0698e7f

Download Submit
memory/1704-3-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1704-7-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1704-13-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1704-15-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1704-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1704-5-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1704-40-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2128-37-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2524-64-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2524-66-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2524-74-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2524-76-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2524-80-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2524-88-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2524-70-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2524-83-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2524-82-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2524-68-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2524-101-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2524-72-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2680-48-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2680-91-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2680-46-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2680-50-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2680-56-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2680-60-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2716-0-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/2736-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2952-105-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2952-106-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2952-108-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2952-113-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads