Malware Analysis Report

Report date: 2024-08-06 17:33 (the sandbox runs themselves are dated 2024-06-21; see the Detonation Overview of each analysis below)

Sample ID: 240621-2el87axaml
Target:    68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a
SHA256:    68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a
Tags:      guest16 darkcomet persistence rat trojan
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview, Signatures
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score:        10/10
SHA256:       68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a
Threat Level: Known bad

The file 68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a was found to be: Known bad.

Malicious Activity Summary

Tags: guest16 darkcomet persistence rat trojan

The guest16 tag is the campaign ID recovered from the sample's DarkComet configuration. "Guest16" is the default campaign ID in the DarkComet builder, so this build was left at the builder defaults; the install directory MSDCSC, the file name msdcsc.exe, the Run value name MicroUpdate and the C2 port 1604 seen below are DarkComet defaults as well.

Signatures triggered across the static and behavioral analyses:

Darkcomet family / Darkcomet
Modifies WinLogon for persistence (the dropped copy is appended to the HKLM Winlogon Userinit value; ATT&CK T1547.004)
Drops file in Drivers directory (the signature name is misleading: the indicator is C:\Windows\system32\drivers\etc\hosts opened for modification, i.e. hosts-file tampering, not a driver being dropped)
Checks computer location settings
Loads dropped DLL (listed in this summary, but no matching indicator table appears in either behavioral run below)
Executes dropped EXE (msdcsc.exe, a byte-identical copy of the sample)
Adds Run key to start application (HKCU ...\CurrentVersion\Run\MicroUpdate; ATT&CK T1547.001)
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory (listed in this summary, but no matching indicator table appears in either behavioral run below)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-21 22:29

Signatures

Darkcomet family (darkcomet)
Unsigned PE

No indicator rows were recorded for the static pass (Description, Indicator, Process and Target are all N/A).

Analysis: behavioral1

Detonation Overview

Submitted:        2024-06-21 22:29
Reported:         2024-06-21 22:32
Platform:         win7-20240508-en
Max time kernel:  138s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a.exe"

Signatures

Darkcomet (trojan rat darkcomet)

Modifies WinLogon for persistence (persistence)

Set value (str)
  Key:     \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
  Value:   "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  Process: C:\Users\Admin\AppData\Local\Temp\68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a.exe
  Target:  N/A

Userinit is a comma-separated list of programs that winlogon.exe starts at every interactive logon, before the shell; on a clean system it holds only userinit.exe. Appending msdcsc.exe makes the RAT start for every user who logs on to the machine. Because the value lives under HKLM the write needs administrative rights; the sandbox runs the sample under the Admin account and the write succeeded. The sandbox prints the stored string with escaped backslashes; the registry data contains single backslashes.

Drops file in Drivers directory

File opened for modification
  Path:    C:\Windows\system32\drivers\etc\hosts
  Process: C:\Users\Admin\AppData\Local\Temp\68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a.exe
  Target:  N/A

The signature fires on the drivers directory, but the file touched is the hosts file, so the relevant behaviour is name-resolution tampering (DarkComet's control panel includes a hosts-file editor). The report does not show what, if anything, was written.

Executes dropped EXE

  Process: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

The Files section shows that msdcsc.exe carries the same SHA256 as the submitted sample: the dropper copies itself to the DarkComet default install path and runs the copy.

Adds Run key to start application (persistence)

Set value (str)
  Key:     \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate
  Value:   "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  Process: C:\Users\Admin\AppData\Local\Temp\68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a.exe
  Target:  N/A

This is the per-user Run key (the SID is the sandbox's Admin account): a second persistence path that survives even if the HKLM Userinit entry is cleaned up, and one that needs no elevation. MicroUpdate is the DarkComet builder's default value name.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Both the dropper (C:\Users\Admin\AppData\Local\Temp\68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a.exe) and the copy (C:\Users\Admin\Documents\MSDCSC\msdcsc.exe) requested the same set of token privileges; Indicator and Target are N/A for every row:

  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges with LUIDs 33, 34 and 35

The three numeric entries are privilege LUIDs the sandbox did not resolve to names; in winnt.h they are SE_INC_WORKING_SET_PRIVILEGE (33), SE_TIME_ZONE_PRIVILEGE (34) and SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35). Requesting every privilege in the token rather than the one or two actually needed is the pattern of a blanket "enable all privileges" routine; the report records the requests, not whether each one was actually held by the token.

Suspicious use of FindShellTrayWindow

  Process: C:\Windows\SysWOW64\DllHost.exe (COM surrogate; see Processes)

Suspicious use of SetWindowsHookEx

  Process: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

A hook installed by the persistent copy is consistent with input capture (keylogging is a documented DarkComet capability); the hook type is not shown in the report.

Processes

C:\Users\Admin\AppData\Local\Temp\68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a.exe
  "C:\Users\Admin\AppData\Local\Temp\68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a.exe"

C:\Windows\SysWOW64\DllHost.exe
  C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  (32-bit COM surrogate; the report does not record parent/child relationships)

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"

Network

Country  Destination            Domain  Proto
N/A      192.168.124.129:1604   (none)  tcp     (7 connection attempts)

The seven rows of the original table are identical: the sample repeatedly tried to reach 192.168.124.129 on TCP 1604, DarkComet's default listener port, with no preceding DNS lookup, so the address is hard-coded in the configuration. It is RFC 1918 private space, meaning the C2 was set up for the operator's own LAN or a lab and is unreachable from the sandbox; the repeated attempts are consistent with the client's reconnect loop, and no command traffic was captured.

Files

C:\Users\Admin\AppData\Local\Temp\IMAGE1.PNG
  MD5    c5fe8a51879d59c371506a672acf1831
  SHA1   30eeb21ad0b8c30d1e45b78e733a7966f3009503
  SHA256 d58e159d5dc87ab5c10514ea6de719a0a31e2c5c6e3846553bb65b3f660590b7
  SHA512 c3688bd4416f1a74462c6d73083cb558af54ccaf7c526e80a9ee6513fd0b231869f5dbac3b887091f4ab82247c86cf1e0792efe0b8803186e467e4c0996020e5

\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5    66f3b3833902264db9ef07ca2f83ff52
  SHA1   d3da2491ce5db90511b5896932a688e800dd620b
  SHA256 68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a  (identical to the submitted sample: a straight self-copy)
  SHA512 2b56e45bc1411a7335ff3cf467a3acaae3c21ce92ebe8e87c8a5f93a6bc145d7cc12f1d98e088c104cef9741ae44640e50f293fad7b24173f9aab0a0ac5d1dfe

Memory dumps (PID-index-range):
  memory/2984-0-0x0000000000260000-0x0000000000261000-memory.dmp
  memory/2984-5-0x00000000021A0000-0x00000000021A2000-memory.dmp
  memory/2696-6-0x00000000001A0000-0x00000000001A2000-memory.dmp
  memory/2696-7-0x00000000002A0000-0x00000000002A1000-memory.dmp
  memory/2984-18-0x0000000000400000-0x00000000004DF000-memory.dmp
  memory/2520-19-0x0000000000400000-0x00000000004DF000-memory.dmp
  memory/2696-21-0x00000000002A0000-0x00000000002A1000-memory.dmp
  memory/2520-22-0x0000000000400000-0x00000000004DF000-memory.dmp

PID 2984 is the first process dumped (index 0) and therefore the submitted executable. The 0x00400000-0x004DF000 range dumped from both 2984 and 2520 is the same-sized image region of a PE loaded at its default base, consistent with 2520 being the identical msdcsc.exe copy; that leaves 2696 as the DllHost.exe surrogate. IMAGE1.PNG is written to Temp by the dropper; the report gives no indication of its purpose, and its hashes are listed only for correlation.

Analysis: behavioral2

Detonation Overview

Submitted:        2024-06-21 22:29
Reported:         2024-06-21 22:32
Platform:         win10v2004-20240611-en
Max time kernel:  149s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a.exe"

Signatures

Darkcomet (trojan rat darkcomet)

Modifies WinLogon for persistence (persistence)

Set value (str)
  Key:     \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
  Value:   "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  Process: C:\Users\Admin\AppData\Local\Temp\68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a.exe
  Target:  N/A

Identical to the Windows 7 run: the machine-wide Userinit list gains msdcsc.exe, so the RAT starts at every interactive logon.

Drops file in Drivers directory

File opened for modification
  Path:    C:\Windows\system32\drivers\etc\hosts
  Process: C:\Users\Admin\AppData\Local\Temp\68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a.exe
  Target:  N/A

As in behavioral1, this is the hosts file being opened for writing, not a driver drop; the content written is not shown.

Checks computer location settings

Key value queried
  Key:     \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation
  Process: C:\Users\Admin\AppData\Local\Temp\68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a.exe
  Target:  N/A

Geo\Nation holds the user's country GeoID (the value GetUserGeoID reads). Reading it is most likely how the client learns the victim's country for the controller's host list; this signature fired only on the Windows 10 run.

Executes dropped EXE

  Process: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Again a self-copy: the Files section shows the same SHA256 as the submitted sample.

Adds Run key to start application (persistence)

Set value (str)
  Key:     \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate
  Value:   "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  Process: C:\Users\Admin\AppData\Local\Temp\68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a.exe
  Target:  N/A

Per-user Run entry under the sandbox Admin account's SID, the DarkComet default value name MicroUpdate, same as in behavioral1.
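The two persistence writes recorded in behavioral1 and again in behavioral2 (the Winlogon Userinit append and the HKCU Run value) are the artefacts a responder checks first. The script below is an added example and is not part of this report or of the sandbox's own code: it parses the report's "Set value (str)" rows (copied verbatim, plus one constructed benign Run entry as a control) and flags Userinit entries other than userinit.exe and Run values that point into user-writable paths. The row regex, the Userinit allow-list and the user-writable-path heuristic are this example's assumptions.

```python
"""Triage of sandbox "Set value" registry indicators for logon persistence.

Added example; not part of the sandbox report or of any tool's code.  The
line format parsed here is the report's own "Description Indicator Process
Target" row layout; the regex, the Userinit allow-list and the user-writable
heuristic are this example's assumptions.
"""
import re
from dataclasses import dataclass

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a.exe")

# Rows copied from the behavioral1 indicator tables, plus one constructed
# benign Run entry (OneDrive under Program Files) as a control.
INDICATORS = [
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" {DROPPER} N/A',
    rf'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" {DROPPER} N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" C:\Program Files\Microsoft OneDrive\OneDrive.exe N/A',
]

# key (may contain spaces) = "value" process target
ROW = re.compile(r'^Set value \(str\) (?P<key>.+?) = "(?P<value>.*)" (?P<process>.+?) (?P<target>\S+)$')
# The only entry that belongs in Winlogon\Userinit on a stock system (assumption).
LEGIT_USERINIT = {r"c:\windows\system32\userinit.exe"}
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


@dataclass
class RegistrySet:
    hive: str      # "HKLM" or "HKU\<SID>"
    key: str       # key path below the hive
    name: str      # value name
    value: str     # string data, with the report's doubled backslashes undone
    process: str   # process that performed the write


@dataclass
class Finding:
    technique: str
    detail: str
    path: str
    process: str


def parse_indicator(line: str) -> RegistrySet:
    """Split one report row into hive, key path, value name, data and writer."""
    m = ROW.match(line.strip())
    if not m:
        raise ValueError(f"not a Set value row: {line!r}")
    parts = m["key"].split("\\")          # ['', 'REGISTRY', 'MACHINE'|'USER', ...]
    if parts[1:3] == ["REGISTRY", "MACHINE"]:
        hive, rest = "HKLM", parts[3:]
    elif parts[1:3] == ["REGISTRY", "USER"]:
        hive, rest = "HKU\\" + parts[3], parts[4:]
    else:
        raise ValueError(f"unknown hive in {m['key']!r}")
    return RegistrySet(hive, "\\".join(rest[:-1]), rest[-1],
                       m["value"].replace("\\\\", "\\"), m["process"])


def executable_of(data: str) -> str:
    """Executable path from Run data such as '"C:\\a b\\x.exe" /arg' or 'C:\\x.exe /arg'."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    i = data.lower().find(".exe")
    return data[: i + 4] if i != -1 else data.split()[0]


def is_user_writable(path: str) -> bool:
    """Heuristic: anything under a user profile is writable without admin rights."""
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\appdata\\" in p or "\\temp\\" in p


def analyse(reg: RegistrySet) -> list:
    findings = []
    k = reg.key.lower()
    if k.endswith("\\winlogon") and reg.name.lower() == "userinit":
        # Userinit is a comma-separated list; winlogon runs every entry at logon.
        for entry in reg.value.split(","):
            entry = entry.strip().strip('"')
            if entry and entry.lower() not in LEGIT_USERINIT:
                findings.append(Finding("winlogon_userinit",
                                        f"extra Userinit entry under {reg.hive}",
                                        entry, reg.process))
    elif any(k.endswith(r) for r in RUN_KEYS):
        exe = executable_of(reg.value)
        if is_user_writable(exe):
            findings.append(Finding("run_key",
                                    f"{reg.hive}\\...\\Run\\{reg.name} points into a user-writable path",
                                    exe, reg.process))
    return findings


def triage(lines) -> list:
    """Run every row through the checks; returns the findings in row order."""
    out = []
    for line in lines:
        out.extend(analyse(parse_indicator(line)))
    return out


if __name__ == "__main__":
    for f in triage(INDICATORS):
        print(f"[{f.technique}] {f.detail}: {f.path}  (written by {f.process})")
```

Run against the report's rows, the script reports the msdcsc.exe Userinit entry under HKLM and the MicroUpdate Run value under the user's hive, and stays silent on the control row. On a live host the same two checks apply to the values read from the registry directly; the allow-list for Userinit should stay exactly one entry long, since nothing legitimate appends to it.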

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

As on Windows 7, both the dropper (C:\Users\Admin\AppData\Local\Temp\68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a.exe) and the copy (C:\Users\Admin\Documents\MSDCSC\msdcsc.exe) requested the same set of token privileges; Indicator and Target are N/A for every row:

  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges with LUIDs 33, 34, 35 and 36

The numeric entries are privilege LUIDs the sandbox did not resolve to names: in winnt.h 33 is SE_INC_WORKING_SET_PRIVILEGE, 34 SE_TIME_ZONE_PRIVILEGE, 35 SE_CREATE_SYMBOLIC_LINK_PRIVILEGE and 36 SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE. The last one was introduced with Windows 10, which is why it shows up in this run and not in the Windows 7 run: the sample walks every privilege the token exposes rather than naming specific ones.

Suspicious use of SetWindowsHookEx

  Process: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

As in behavioral1, a hook installed by the persistent copy; the hook type is not shown. No FindShellTrayWindow indicator was recorded on this run.

Processes

C:\Users\Admin\AppData\Local\Temp\68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a.exe
  "C:\Users\Admin\AppData\Local\Temp\68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a.exe"

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"

Network

This table mixes the sample's traffic with the Windows 10 image's own background traffic. Only one row is attributable to the sample:

Country  Destination            Domain  Proto
N/A      192.168.124.129:1604   (none)  tcp

This is the same hard-coded C2 as in behavioral1 (private address, DarkComet default port 1604, no DNS lookup); only a single attempt fell inside this run's capture window.

The remaining rows are most likely the sandbox image's own activity (Bing content fetched by Windows 10, and reverse lookups of the addresses it contacted) and should not go on an indicator list for this sample:

Country  Destination            Domain                          Proto
US       8.8.8.8:53             g.bing.com                      udp
US       13.107.21.237:443      g.bing.com                      tcp
BE       88.221.83.184:443      www.bing.com                    tcp
US       8.8.8.8:53             133.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53             28.118.140.52.in-addr.arpa      udp
US       8.8.8.8:53             144.107.17.2.in-addr.arpa       udp
US       8.8.8.8:53             55.36.223.20.in-addr.arpa       udp
US       8.8.8.8:53             184.83.221.88.in-addr.arpa      udp
US       8.8.8.8:53             26.165.165.52.in-addr.arpa      udp
US       8.8.8.8:53             206.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53             92.12.20.2.in-addr.arpa         udp
US       8.8.8.8:53             43.58.199.20.in-addr.arpa       udp
US       8.8.8.8:53             31.243.111.52.in-addr.arpa      udp
US       8.8.8.8:53             tse1.mm.bing.net                udp
US       150.171.27.10:443      tse1.mm.bing.net                tcp
US       150.171.27.10:443      tse1.mm.bing.net                tcp
US       8.8.8.8:53             10.27.171.150.in-addr.arpa      udp
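Both Network tables (behavioral1 and this one) are easiest to read once the sample's own connection is separated from sandbox background traffic. The script below is an added example and not part of the report or of any sandbox tooling: it parses the two tables as copied from this page and labels each destination, so that the private-address 1604/tcp beacon is the only C2 candidate while the Bing and reverse-lookup rows come out as OS background. The list of background domains and the classification rules are this example's assumptions.

```python
"""Separate a RAT's C2 beacon from sandbox background traffic.

Added example; not part of the sandbox report or of any tool's code.  The rows
are the report's behavioral1 and behavioral2 Network tables as text; the column
layout, the background-domain list and the rules are this example's assumptions.
"""
from __future__ import annotations
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

DARKCOMET_DEFAULT_PORT = 1604           # default listener port in the DarkComet builder
BACKGROUND_DOMAINS = ("bing.com", "bing.net")   # Win10 image noise (assumption)

# Constructed from the report's "Country Destination Domain Proto" rows; the
# Domain column is absent where the report shows none.
WIN7_ROWS = "\n".join(["N/A 192.168.124.129:1604 tcp"] * 7)
WIN10_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.184:443 www.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 184.83.221.88.in-addr.arpa udp
N/A 192.168.124.129:1604 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
"""


@dataclass
class Conn:
    country: str
    ip: str
    port: int
    domain: str | None
    proto: str


@dataclass
class Verdict:
    ip: str
    port: int
    proto: str
    attempts: int
    label: str
    reasons: list[str] = field(default_factory=list)


def parse_rows(text: str) -> list[Conn]:
    """Parse report rows; a 3-field row has no Domain column."""
    conns = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) == 4:
            country, dest, domain, proto = f
        elif len(f) == 3:
            (country, dest, proto), domain = f, None
        else:
            continue                       # header or blank line
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def is_background(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in BACKGROUND_DOMAINS)


def classify(conns: list[Conn]) -> list[Verdict]:
    """One verdict per (ip, port, proto), in first-seen order."""
    groups = defaultdict(list)
    for c in conns:
        groups[(c.ip, c.port, c.proto)].append(c)
    verdicts = []
    for (ip, port, proto), hits in groups.items():
        domains = {c.domain for c in hits if c.domain}
        reasons: list[str] = []
        if proto == "udp" and port == 53:
            # Reverse lookups are the sandbox resolving what it saw; judge the forward queries.
            forward = {d for d in domains if not d.endswith(".in-addr.arpa")}
            label = "os_background" if all(is_background(d) for d in forward) else "dns"
            reasons.append(f"{len(domains) - len(forward)} reverse lookups; forward queries for {sorted(forward)}")
        elif domains and all(is_background(d) for d in domains):
            label = "os_background"
            reasons.append(f"resolved from {sorted(domains)}")
        else:
            if ipaddress.ip_address(ip).is_private:
                reasons.append("private-range destination, unreachable from the sandbox")
            if not domains:
                reasons.append("no DNS lookup preceded the connection (hard-coded address)")
            if port == DARKCOMET_DEFAULT_PORT:
                reasons.append("1604 is the DarkComet default listener port")
            if len(hits) > 1:
                reasons.append(f"{len(hits)} attempts: reconnect loop")
            label = "c2_candidate" if reasons else "unclassified"
        verdicts.append(Verdict(ip, port, proto, len(hits), label, reasons))
    return verdicts


def c2_candidates(verdicts: list[Verdict]) -> list[str]:
    return [f"{v.ip}:{v.port}/{v.proto}" for v in verdicts if v.label == "c2_candidate"]


if __name__ == "__main__":
    for name, rows in (("behavioral1", WIN7_ROWS), ("behavioral2", WIN10_ROWS)):
        print(name)
        for v in classify(parse_rows(rows)):
            print(f"  {v.ip}:{v.port}/{v.proto} x{v.attempts} {v.label}: {'; '.join(v.reasons)}")
```

For behavioral1 the only destination is labelled c2_candidate with the seven attempts noted as a reconnect loop; for behavioral2 the same destination is the sole candidate and every Bing and reverse-lookup row is labelled os_background. The background-domain list is the part to maintain per sandbox image; everything else is generic.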

Files

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5    66f3b3833902264db9ef07ca2f83ff52
  SHA1   d3da2491ce5db90511b5896932a688e800dd620b
  SHA256 68b5724614943efc6e393be7d55fcd7b7c6d4640764abcc51e504ce800da286a  (identical to the submitted sample)
  SHA512 2b56e45bc1411a7335ff3cf467a3acaae3c21ce92ebe8e87c8a5f93a6bc145d7cc12f1d98e088c104cef9741ae44640e50f293fad7b24173f9aab0a0ac5d1dfe

Memory dumps (PID-index-range):
  memory/1848-0-0x0000000002190000-0x0000000002191000-memory.dmp
  memory/3664-15-0x00000000006F0000-0x00000000006F1000-memory.dmp
  memory/1848-16-0x0000000000400000-0x00000000004DF000-memory.dmp
  memory/3664-17-0x0000000000400000-0x00000000004DF000-memory.dmp
  memory/3664-19-0x0000000000400000-0x00000000004DF000-memory.dmp

PID 1848 is the submitted executable (first dump, index 0) and 3664 the msdcsc.exe copy; the 0x00400000-0x004DF000 range dumped from both is the same-sized image region, as expected for two copies of one binary. Unlike behavioral1, no IMAGE1.PNG drop is listed for this run.