Analysis
max time kernel: 51s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 03:11

Behavioral task: behavioral1
Sample: 14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: 14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe
Size: 661KB
MD5: 14778af23a015e14c365e2e3f99128b7
SHA1: 963f99b8f67478c1d35344a191db4e8d05401ca9
SHA256: 37ef6ca609a8b945cdcb5f40fe3f2c06fcfb7df107af8890332503b66392a2e6
SHA512: 7457c570cad97d99483b5b6a109e64432d18dde875a843bdfae951c2efb33fd1d78a4f0dc2a6c3472a802e7f185fb83b0838a1b8f9c1487af5e2fae7d9928752
SSDEEP: 12288:IXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452U2:unAw2WWeFcfbP9VPSPMTSPL/rWvzq4Jm
Malware Config
Extracted
Family: darkcomet
Campaign ID: Furkan
C2: furkian.zapto.org:1604
Mutex: DC_MUTEX-VDNJCF8
InstallPath: MSDCSC\msdcsc.exe
gencode: XDKisQrYB60J
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
Processes: msdcsc.exe, msdcsc.exe, msdcsc.exe, 14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\XDKisQrYB60J\\msdcsc.exe" (msdcsc.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\XDKisQrYB60J\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\XDKisQrYB60J\\XDKisQrYB60J\\msdcsc.exe" (msdcsc.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\XDKisQrYB60J\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\XDKisQrYB60J\\XDKisQrYB60J\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\XDKisQrYB60J\\msdcsc.exe" (msdcsc.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe)
Sets file to hidden (1 TTP, 4 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes (pid, process):
- 2256 attrib.exe
- 2988 attrib.exe
- 4040 attrib.exe
- 1536 attrib.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: 14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe, msdcsc.exe, msdcsc.exe, msdcsc.exe
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (msdcsc.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (msdcsc.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (msdcsc.exe)
Deletes itself (1 IoC)
Processes (pid, process):
- 744 notepad.exe
Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 4452 msdcsc.exe
- 4612 msdcsc.exe
- 2076 msdcsc.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: 14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe, msdcsc.exe, msdcsc.exe, msdcsc.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\XDKisQrYB60J\\msdcsc.exe" (msdcsc.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\XDKisQrYB60J\\XDKisQrYB60J\\msdcsc.exe" (msdcsc.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\XDKisQrYB60J\\msdcsc.exe" (msdcsc.exe)
Drops file in System32 directory (16 IoCs)
Processes: msdcsc.exe, msdcsc.exe, msdcsc.exe, attrib.exe, 14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe, attrib.exe, attrib.exe
- File opened for modification C:\Windows\SysWOW64\MSDCSC\XDKisQrYB60J\ (msdcsc.exe)
- File opened for modification C:\Windows\SysWOW64\MSDCSC\XDKisQrYB60J\XDKisQrYB60J\ (msdcsc.exe)
- File opened for modification C:\Windows\SysWOW64\MSDCSC\XDKisQrYB60J\msdcsc.exe (msdcsc.exe)
- File opened for modification C:\Windows\SysWOW64\MSDCSC\XDKisQrYB60J\msdcsc.exe (attrib.exe)
- File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\MSDCSC\ (14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe)
- File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (msdcsc.exe)
- File opened for modification C:\Windows\SysWOW64\MSDCSC\XDKisQrYB60J\msdcsc.exe (msdcsc.exe)
- File opened for modification C:\Windows\SysWOW64\MSDCSC\XDKisQrYB60J\XDKisQrYB60J\msdcsc.exe (attrib.exe)
- File created C:\Windows\SysWOW64\MSDCSC\XDKisQrYB60J\msdcsc.exe (msdcsc.exe)
- File created C:\Windows\SysWOW64\MSDCSC\XDKisQrYB60J\msdcsc.exe (msdcsc.exe)
- File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\MSDCSC\XDKisQrYB60J\XDKisQrYB60J\msdcsc.exe (msdcsc.exe)
- File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (attrib.exe)
- File created C:\Windows\SysWOW64\MSDCSC\XDKisQrYB60J\XDKisQrYB60J\msdcsc.exe (msdcsc.exe)
- File opened for modification C:\Windows\SysWOW64\MSDCSC\XDKisQrYB60J\ (msdcsc.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
Processes: msdcsc.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msdcsc.exe)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe, msdcsc.exe, msdcsc.exe
- PID 2364 (14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 4452 (msdcsc.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 4612 (msdcsc.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe, cmd.exe, msdcsc.exe, cmd.exe, msdcsc.exe
Source PID (process) wrote to memory of target PID (process); repeated identical entries collapsed:
- 2364 (14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe) -> 4388 (cmd.exe)
- 2364 (14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe) -> 744 (notepad.exe)
- 2364 (14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe) -> 4452 (msdcsc.exe)
- 4388 (cmd.exe) -> 2988 (attrib.exe)
- 4452 (msdcsc.exe) -> 4688 (cmd.exe)
- 4452 (msdcsc.exe) -> 752 (notepad.exe)
- 4452 (msdcsc.exe) -> 4612 (msdcsc.exe)
- 4688 (cmd.exe) -> 4040 (attrib.exe)
- 4612 (msdcsc.exe) -> 4864 (cmd.exe)
- 4612 (msdcsc.exe) -> 5056 (notepad.exe)
Views/modifies file attributes (1 TTP, 4 IoCs)
Processes (pid, process):
- 2988 attrib.exe
- 4040 attrib.exe
- 1536 attrib.exe
- 2256 attrib.exe
Processes (tree; bracketed number is the depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe"
    PID: 2364
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe" +s +h
      PID: 4388
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\14778af23a015e14c365e2e3f99128b7_JaffaCakes118.exe" +s +h
        PID: 2988
        - Sets file to hidden
        - Views/modifies file attributes

  [2] C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
      PID: 744
      - Deletes itself

  [2] C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
      Command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
      PID: 4452
      - Modifies WinLogon for persistence
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        PID: 4688
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\attrib.exe
          Command line: attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
          PID: 4040
          - Sets file to hidden
          - Drops file in System32 directory
          - Views/modifies file attributes

    [3] C:\Windows\SysWOW64\notepad.exe
        Command line: notepad
        PID: 752

    [3] C:\Windows\SysWOW64\MSDCSC\XDKisQrYB60J\msdcsc.exe
        Command line: "C:\Windows\system32\MSDCSC\XDKisQrYB60J\msdcsc.exe"
        PID: 4612
        - Modifies WinLogon for persistence
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\XDKisQrYB60J\msdcsc.exe" +s +h
          PID: 4864

        [5] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Windows\SysWOW64\MSDCSC\XDKisQrYB60J\msdcsc.exe" +s +h
            PID: 1536
            - Sets file to hidden
            - Drops file in System32 directory
            - Views/modifies file attributes

      [4] C:\Windows\SysWOW64\notepad.exe
          Command line: notepad
          PID: 5056

      [4] C:\Windows\SysWOW64\MSDCSC\XDKisQrYB60J\XDKisQrYB60J\msdcsc.exe
          Command line: "C:\Windows\system32\MSDCSC\XDKisQrYB60J\XDKisQrYB60J\msdcsc.exe"
          PID: 2076
          - Modifies WinLogon for persistence
          - Checks computer location settings
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Modifies registry class

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\XDKisQrYB60J\XDKisQrYB60J\msdcsc.exe" +s +h
            PID: 2072

          [6] C:\Windows\SysWOW64\attrib.exe
              Command line: attrib "C:\Windows\SysWOW64\MSDCSC\XDKisQrYB60J\XDKisQrYB60J\msdcsc.exe" +s +h
              PID: 2256
              - Sets file to hidden
              - Drops file in System32 directory
              - Views/modifies file attributes

        [5] C:\Windows\SysWOW64\notepad.exe
            Command line: notepad
            PID: 3184
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)