darkcomet | 5ab8d01b8144e70ab1e5720ec8e672695068439c8e65b7bd884944117aa00e40

General

Target

03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
Size

1.3MB
MD5

03d6a067416e684cba893542c4ff1094
SHA1

ad1540618c02545b54b3d6f6785d565569c17ab7
SHA256

5ab8d01b8144e70ab1e5720ec8e672695068439c8e65b7bd884944117aa00e40
SHA512

7ed26f125ec87ed34131e31352132d2b4dd8aff850cb5b2a38420b7d77ccf430be9b222aa0c2e83fcd5aa401a0a521ae588524481b0a66fd3f452b447fa3c2e5
SSDEEP

24576:BzNYD0Wr6ULip3Z/A7nDTz+KHfAcV8towmD0Wr6sP7:tqD0W9iZMnDpfAu1D0W9

Score

10^/10

darkcomet modiloader bootkit persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

darkcrypted.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	darkcrypted.exe

ModiLoader Second Stage 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4232-47-0x0000000000400000-0x000000000040F000-memory.dmp	modiloader_stage2
behavioral2/memory/4232-50-0x0000000000400000-0x000000000040F000-memory.dmp	modiloader_stage2
behavioral2/memory/4232-53-0x0000000000400000-0x000000000040F000-memory.dmp	modiloader_stage2
behavioral2/memory/4232-45-0x0000000000400000-0x000000000040F000-memory.dmp	modiloader_stage2
behavioral2/memory/4232-81-0x0000000000400000-0x000000000040F000-memory.dmp	modiloader_stage2
behavioral2/memory/2516-107-0x0000000000400000-0x000000000040F000-memory.dmp	modiloader_stage2
behavioral2/memory/2516-120-0x0000000000400000-0x000000000040F000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

darkcrypted.exe03d6a067416e684cba893542c4ff1094_JaffaCakes118.exed48z.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	darkcrypted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	d48z.exe

Executes dropped EXE 12 IoCs

Processes:

darkcrypted.exed48z.exed48z.exed48z.exedarkcrypted.exedarkcrypted.exemet start.exesvchost.exemet start.exemet start.exesvchost.exesvchost.exe

pid	process
4820	darkcrypted.exe
976	d48z.exe
2472	d48z.exe
4232	d48z.exe
2260	darkcrypted.exe
4940	darkcrypted.exe
1948	met start.exe
4560	svchost.exe
1268	met start.exe
2516	met start.exe
3320	svchost.exe
2932	svchost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d48z.exedarkcrypted.exemet start.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\met start.exe\""	d48z.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	darkcrypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\met start.exe\""	met start.exe

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

met start.exesvchost.exe03d6a067416e684cba893542c4ff1094_JaffaCakes118.exed48z.exedarkcrypted.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	met start.exe
File opened for modification	\??\PhysicalDrive0	svchost.exe
File opened for modification	\??\PhysicalDrive0	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	d48z.exe
File opened for modification	\??\PhysicalDrive0	darkcrypted.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

03d6a067416e684cba893542c4ff1094_JaffaCakes118.exed48z.exed48z.exedarkcrypted.exedarkcrypted.exemet start.exemet start.exesvchost.exesvchost.exe

description	pid	process	target process
PID 2496 set thread context of 2860	2496	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 976 set thread context of 2472	976	d48z.exe	d48z.exe
PID 2472 set thread context of 4232	2472	d48z.exe	d48z.exe
PID 4820 set thread context of 2260	4820	darkcrypted.exe	darkcrypted.exe
PID 2260 set thread context of 4940	2260	darkcrypted.exe	darkcrypted.exe
PID 1948 set thread context of 1268	1948	met start.exe	met start.exe
PID 1268 set thread context of 2516	1268	met start.exe	met start.exe
PID 4560 set thread context of 3320	4560	svchost.exe	svchost.exe
PID 3320 set thread context of 2932	3320	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3444 PING.EXE

pid	process
3444	PING.EXE

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

darkcrypted.exesvchost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4940	darkcrypted.exe
Token: SeSecurityPrivilege	4940	darkcrypted.exe
Token: SeTakeOwnershipPrivilege	4940	darkcrypted.exe
Token: SeLoadDriverPrivilege	4940	darkcrypted.exe
Token: SeSystemProfilePrivilege	4940	darkcrypted.exe
Token: SeSystemtimePrivilege	4940	darkcrypted.exe
Token: SeProfSingleProcessPrivilege	4940	darkcrypted.exe
Token: SeIncBasePriorityPrivilege	4940	darkcrypted.exe
Token: SeCreatePagefilePrivilege	4940	darkcrypted.exe
Token: SeBackupPrivilege	4940	darkcrypted.exe
Token: SeRestorePrivilege	4940	darkcrypted.exe
Token: SeShutdownPrivilege	4940	darkcrypted.exe
Token: SeDebugPrivilege	4940	darkcrypted.exe
Token: SeSystemEnvironmentPrivilege	4940	darkcrypted.exe
Token: SeChangeNotifyPrivilege	4940	darkcrypted.exe
Token: SeRemoteShutdownPrivilege	4940	darkcrypted.exe
Token: SeUndockPrivilege	4940	darkcrypted.exe
Token: SeManageVolumePrivilege	4940	darkcrypted.exe
Token: SeImpersonatePrivilege	4940	darkcrypted.exe
Token: SeCreateGlobalPrivilege	4940	darkcrypted.exe
Token: 33	4940	darkcrypted.exe
Token: 34	4940	darkcrypted.exe
Token: 35	4940	darkcrypted.exe
Token: 36	4940	darkcrypted.exe
Token: SeIncreaseQuotaPrivilege	2932	svchost.exe
Token: SeSecurityPrivilege	2932	svchost.exe
Token: SeTakeOwnershipPrivilege	2932	svchost.exe
Token: SeLoadDriverPrivilege	2932	svchost.exe
Token: SeSystemProfilePrivilege	2932	svchost.exe
Token: SeSystemtimePrivilege	2932	svchost.exe
Token: SeProfSingleProcessPrivilege	2932	svchost.exe
Token: SeIncBasePriorityPrivilege	2932	svchost.exe
Token: SeCreatePagefilePrivilege	2932	svchost.exe
Token: SeBackupPrivilege	2932	svchost.exe
Token: SeRestorePrivilege	2932	svchost.exe
Token: SeShutdownPrivilege	2932	svchost.exe
Token: SeDebugPrivilege	2932	svchost.exe
Token: SeSystemEnvironmentPrivilege	2932	svchost.exe
Token: SeChangeNotifyPrivilege	2932	svchost.exe
Token: SeRemoteShutdownPrivilege	2932	svchost.exe
Token: SeUndockPrivilege	2932	svchost.exe
Token: SeManageVolumePrivilege	2932	svchost.exe
Token: SeImpersonatePrivilege	2932	svchost.exe
Token: SeCreateGlobalPrivilege	2932	svchost.exe
Token: 33	2932	svchost.exe
Token: 34	2932	svchost.exe
Token: 35	2932	svchost.exe
Token: 36	2932	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe03d6a067416e684cba893542c4ff1094_JaffaCakes118.exed48z.exedarkcrypted.exed48z.exedarkcrypted.exemet start.exesvchost.exemet start.exesvchost.exe

pid	process
2496	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
2860	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
976	d48z.exe
4820	darkcrypted.exe
2472	d48z.exe
2260	darkcrypted.exe
1948	met start.exe
4560	svchost.exe
1268	met start.exe
3320	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe03d6a067416e684cba893542c4ff1094_JaffaCakes118.exed48z.exed48z.exedarkcrypted.exedarkcrypted.exed48z.exedarkcrypted.exe

description	pid	process	target process
PID 2496 wrote to memory of 2860	2496	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2496 wrote to memory of 2860	2496	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2496 wrote to memory of 2860	2496	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2496 wrote to memory of 2860	2496	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2496 wrote to memory of 2860	2496	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2496 wrote to memory of 2860	2496	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2496 wrote to memory of 2860	2496	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2496 wrote to memory of 2860	2496	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2860 wrote to memory of 4820	2860	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	darkcrypted.exe
PID 2860 wrote to memory of 4820	2860	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	darkcrypted.exe
PID 2860 wrote to memory of 4820	2860	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	darkcrypted.exe
PID 2860 wrote to memory of 976	2860	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	d48z.exe
PID 2860 wrote to memory of 976	2860	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	d48z.exe
PID 2860 wrote to memory of 976	2860	03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe	d48z.exe
PID 976 wrote to memory of 2472	976	d48z.exe	d48z.exe
PID 976 wrote to memory of 2472	976	d48z.exe	d48z.exe
PID 976 wrote to memory of 2472	976	d48z.exe	d48z.exe
PID 976 wrote to memory of 2472	976	d48z.exe	d48z.exe
PID 976 wrote to memory of 2472	976	d48z.exe	d48z.exe
PID 976 wrote to memory of 2472	976	d48z.exe	d48z.exe
PID 976 wrote to memory of 2472	976	d48z.exe	d48z.exe
PID 976 wrote to memory of 2472	976	d48z.exe	d48z.exe
PID 2472 wrote to memory of 4232	2472	d48z.exe	d48z.exe
PID 2472 wrote to memory of 4232	2472	d48z.exe	d48z.exe
PID 2472 wrote to memory of 4232	2472	d48z.exe	d48z.exe
PID 2472 wrote to memory of 4232	2472	d48z.exe	d48z.exe
PID 2472 wrote to memory of 4232	2472	d48z.exe	d48z.exe
PID 2472 wrote to memory of 4232	2472	d48z.exe	d48z.exe
PID 2472 wrote to memory of 4232	2472	d48z.exe	d48z.exe
PID 2472 wrote to memory of 4232	2472	d48z.exe	d48z.exe
PID 2472 wrote to memory of 4232	2472	d48z.exe	d48z.exe
PID 2472 wrote to memory of 4232	2472	d48z.exe	d48z.exe
PID 2472 wrote to memory of 4232	2472	d48z.exe	d48z.exe
PID 2472 wrote to memory of 4232	2472	d48z.exe	d48z.exe
PID 2472 wrote to memory of 4232	2472	d48z.exe	d48z.exe
PID 4820 wrote to memory of 2260	4820	darkcrypted.exe	darkcrypted.exe
PID 4820 wrote to memory of 2260	4820	darkcrypted.exe	darkcrypted.exe
PID 4820 wrote to memory of 2260	4820	darkcrypted.exe	darkcrypted.exe
PID 4820 wrote to memory of 2260	4820	darkcrypted.exe	darkcrypted.exe
PID 4820 wrote to memory of 2260	4820	darkcrypted.exe	darkcrypted.exe
PID 4820 wrote to memory of 2260	4820	darkcrypted.exe	darkcrypted.exe
PID 4820 wrote to memory of 2260	4820	darkcrypted.exe	darkcrypted.exe
PID 4820 wrote to memory of 2260	4820	darkcrypted.exe	darkcrypted.exe
PID 2260 wrote to memory of 4940	2260	darkcrypted.exe	darkcrypted.exe
PID 2260 wrote to memory of 4940	2260	darkcrypted.exe	darkcrypted.exe
PID 2260 wrote to memory of 4940	2260	darkcrypted.exe	darkcrypted.exe
PID 2260 wrote to memory of 4940	2260	darkcrypted.exe	darkcrypted.exe
PID 2260 wrote to memory of 4940	2260	darkcrypted.exe	darkcrypted.exe
PID 2260 wrote to memory of 4940	2260	darkcrypted.exe	darkcrypted.exe
PID 2260 wrote to memory of 4940	2260	darkcrypted.exe	darkcrypted.exe
PID 2260 wrote to memory of 4940	2260	darkcrypted.exe	darkcrypted.exe
PID 2260 wrote to memory of 4940	2260	darkcrypted.exe	darkcrypted.exe
PID 2260 wrote to memory of 4940	2260	darkcrypted.exe	darkcrypted.exe
PID 2260 wrote to memory of 4940	2260	darkcrypted.exe	darkcrypted.exe
PID 2260 wrote to memory of 4940	2260	darkcrypted.exe	darkcrypted.exe
PID 2260 wrote to memory of 4940	2260	darkcrypted.exe	darkcrypted.exe
PID 2260 wrote to memory of 4940	2260	darkcrypted.exe	darkcrypted.exe
PID 4232 wrote to memory of 1948	4232	d48z.exe	met start.exe
PID 4232 wrote to memory of 1948	4232	d48z.exe	met start.exe
PID 4232 wrote to memory of 1948	4232	d48z.exe	met start.exe
PID 4940 wrote to memory of 4560	4940	darkcrypted.exe	svchost.exe
PID 4940 wrote to memory of 4560	4940	darkcrypted.exe	svchost.exe
PID 4940 wrote to memory of 4560	4940	darkcrypted.exe	svchost.exe
PID 4940 wrote to memory of 3032	4940	darkcrypted.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2496

C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860

C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
"C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4820

C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
"C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260

C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
"C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe"
5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4560

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3320

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe"
6⤵
PID:3032

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
7⤵
- Runs ping.exe
PID:3444

C:\Users\Admin\AppData\Local\Temp\d48z.exe
"C:\Users\Admin\AppData\Local\Temp\d48z.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Local\Temp\d48z.exe
"C:\Users\Admin\AppData\Local\Temp\d48z.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2472

C:\Users\Admin\AppData\Local\Temp\d48z.exe
"C:\Users\Admin\AppData\Local\Temp\d48z.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4232

C:\Users\Admin\AppData\Roaming\met start.exe
"C:\Users\Admin\AppData\Roaming\met start.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Users\Admin\AppData\Roaming\met start.exe
"C:\Users\Admin\AppData\Roaming\met start.exe"
7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Users\Admin\AppData\Roaming\met start.exe
"C:\Users\Admin\AppData\Roaming\met start.exe"
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d48z.exe
Filesize
240KB

MD5
c7e2e7f78d3176794bfd37c571552c5d

SHA1
5ade0c1a932080dc28982e9ac751ef40a819bfab

SHA256
b148721896f9a0fbb6113e5c381dd2555dbbb37d72c780a6ca09b2639e20e876

SHA512
f0b9e1d64c5484cd1073c8cdf65f3c8921fe1588137137de0a3d3bcdb2818441fd0e2ddb7d8b189ef879b3303804438e615ed79398e2c5a8aa254d6428b9848a

Download Submit
C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
Filesize
852KB

MD5
dc11a2ac0e7fda0d531fcd4350b6b56f

SHA1
32bf2255a2397c4bae5e9250260ce9b2c2a901c4

SHA256
fb708bf5cb6e60a45fbe23446b723b79ca3b1720f567afca5c5cd57c07ccb23c

SHA512
a4a569fcdf977dd1e5b01416b69a04f53af190dd0d956f3ffca6101f8af62d8bc47052ede34f3ba395e683aeae3669e609a44812753e8d4818cf1eb1e0698e7f

Download Submit
memory/976-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1268-108-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1268-102-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1948-78-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2260-48-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2260-55-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2260-66-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2472-42-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2472-39-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2472-58-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2496-0-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/2516-120-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2516-107-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2860-5-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2860-38-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2860-3-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2932-122-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2932-125-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2932-140-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2932-137-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2932-134-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2932-131-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2932-128-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2932-118-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2932-119-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2932-117-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3320-112-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/3320-121-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4232-50-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4232-47-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4232-45-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4232-53-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4232-81-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4560-95-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4820-20-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4940-61-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4940-63-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4940-98-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads