darkcomet | 9eea21de124f6cca492e675bd88c96edbc0685d772221d8d0b88dbb1967072f3

General

Target

1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Size

748KB
MD5

1f68ac4cea5976b8c89dbb2a6a16bf75
SHA1

506d7d46319a116e7106c1379423d9ce16b854f9
SHA256

9eea21de124f6cca492e675bd88c96edbc0685d772221d8d0b88dbb1967072f3
SHA512

cfd134a813aee19a8cc63127a232d09d1beff9f5fcf56a73f3df7b3ba0fb6c2e11d9c37b2e80dd2e7ebb19753d09b7fe7c22f684c6c0eed67369a35e3d7bea1c
SSDEEP

12288:dEogJC6YLIWhNdOPzUoHT3pM/hjX3iFGkBpgHSheFlfkYJvh5OznUNv0JuSajV4:dEogIkWhNdO1HT3pMZFkBplMXfk0vhW5

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

darkcomet2013.no-ip.biz:1500

192.168.1.71:1500

Mutex

DC_MUTEX-EL0EZ2Q

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
avRlhtZvzGeQ
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

msdcsc.exemsdcsc.exe1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe"	msdcsc.exe

Sets file to hidden 1 TTPs 18 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
1780	attrib.exe
2160	attrib.exe
2848	attrib.exe
2504	attrib.exe
1724	attrib.exe
2716	attrib.exe
2340	attrib.exe
1940	attrib.exe
2864	attrib.exe
2476	attrib.exe
1960	attrib.exe
2672	attrib.exe
1940	attrib.exe
2936	attrib.exe
2960	attrib.exe
3044	attrib.exe
2876	attrib.exe
2824	attrib.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

3028 notepad.exe

pid	process
3028	notepad.exe

Executes dropped EXE 16 IoCs

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

pid	process
2752	msdcsc.exe
2188	msdcsc.exe
1128	msdcsc.exe
2592	msdcsc.exe
536	msdcsc.exe
588	msdcsc.exe
1952	msdcsc.exe
1240	msdcsc.exe
2700	msdcsc.exe
2744	msdcsc.exe
2656	msdcsc.exe
1292	msdcsc.exe
380	msdcsc.exe
768	msdcsc.exe
904	msdcsc.exe
2896	msdcsc.exe

Loads dropped DLL 17 IoCs

Processes:

1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

pid	process
2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
2752	msdcsc.exe
2188	msdcsc.exe
2188	msdcsc.exe
2592	msdcsc.exe
2592	msdcsc.exe
588	msdcsc.exe
588	msdcsc.exe
1240	msdcsc.exe
1240	msdcsc.exe
2744	msdcsc.exe
2744	msdcsc.exe
1292	msdcsc.exe
1292	msdcsc.exe
768	msdcsc.exe
768	msdcsc.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\avRlhtZvzGeQ\\avRlhtZvzGeQ\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 53 IoCs

Processes:

msdcsc.exeattrib.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exeattrib.exe1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exeattrib.exeattrib.exemsdcsc.exeattrib.exeattrib.exemsdcsc.exeattrib.exeattrib.exemsdcsc.exemsdcsc.exemsdcsc.exeattrib.exemsdcsc.exeattrib.exemsdcsc.exeattrib.exeattrib.exemsdcsc.exemsdcsc.exeattrib.exemsdcsc.exeattrib.exeattrib.exemsdcsc.exemsdcsc.exeattrib.exe

description	ioc	process
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe	attrib.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	pid	process	target process
PID 1280 set thread context of 2112	1280	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
PID 2752 set thread context of 2188	2752	msdcsc.exe	msdcsc.exe
PID 1128 set thread context of 2592	1128	msdcsc.exe	msdcsc.exe
PID 536 set thread context of 588	536	msdcsc.exe	msdcsc.exe
PID 1952 set thread context of 1240	1952	msdcsc.exe	msdcsc.exe
PID 2700 set thread context of 2744	2700	msdcsc.exe	msdcsc.exe
PID 2656 set thread context of 1292	2656	msdcsc.exe	msdcsc.exe
PID 380 set thread context of 768	380	msdcsc.exe	msdcsc.exe
PID 904 set thread context of 2896	904	msdcsc.exe	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exemsdcsc.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeSecurityPrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeBackupPrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeRestorePrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeShutdownPrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeDebugPrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeUndockPrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: 33	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: 34	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: 35	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2188	msdcsc.exe
Token: SeSecurityPrivilege	2188	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2188	msdcsc.exe
Token: SeLoadDriverPrivilege	2188	msdcsc.exe
Token: SeSystemProfilePrivilege	2188	msdcsc.exe
Token: SeSystemtimePrivilege	2188	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2188	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2188	msdcsc.exe
Token: SeCreatePagefilePrivilege	2188	msdcsc.exe
Token: SeBackupPrivilege	2188	msdcsc.exe
Token: SeRestorePrivilege	2188	msdcsc.exe
Token: SeShutdownPrivilege	2188	msdcsc.exe
Token: SeDebugPrivilege	2188	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2188	msdcsc.exe
Token: SeChangeNotifyPrivilege	2188	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2188	msdcsc.exe
Token: SeUndockPrivilege	2188	msdcsc.exe
Token: SeManageVolumePrivilege	2188	msdcsc.exe
Token: SeImpersonatePrivilege	2188	msdcsc.exe
Token: SeCreateGlobalPrivilege	2188	msdcsc.exe
Token: 33	2188	msdcsc.exe
Token: 34	2188	msdcsc.exe
Token: 35	2188	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2592	msdcsc.exe
Token: SeSecurityPrivilege	2592	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2592	msdcsc.exe
Token: SeLoadDriverPrivilege	2592	msdcsc.exe
Token: SeSystemProfilePrivilege	2592	msdcsc.exe
Token: SeSystemtimePrivilege	2592	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2592	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2592	msdcsc.exe
Token: SeCreatePagefilePrivilege	2592	msdcsc.exe
Token: SeBackupPrivilege	2592	msdcsc.exe
Token: SeRestorePrivilege	2592	msdcsc.exe
Token: SeShutdownPrivilege	2592	msdcsc.exe
Token: SeDebugPrivilege	2592	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2592	msdcsc.exe
Token: SeChangeNotifyPrivilege	2592	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2592	msdcsc.exe
Token: SeUndockPrivilege	2592	msdcsc.exe
Token: SeManageVolumePrivilege	2592	msdcsc.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

pid	process
1280	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
2752	msdcsc.exe
1128	msdcsc.exe
536	msdcsc.exe
1952	msdcsc.exe
2700	msdcsc.exe
2656	msdcsc.exe
380	msdcsc.exe
904	msdcsc.exe
2436	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.execmd.execmd.exemsdcsc.exe

description	pid	process	target process
PID 1280 wrote to memory of 2112	1280	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
PID 1280 wrote to memory of 2112	1280	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
PID 1280 wrote to memory of 2112	1280	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
PID 1280 wrote to memory of 2112	1280	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
PID 1280 wrote to memory of 2112	1280	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
PID 1280 wrote to memory of 2112	1280	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
PID 1280 wrote to memory of 2112	1280	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
PID 1280 wrote to memory of 2112	1280	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
PID 1280 wrote to memory of 2112	1280	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
PID 1280 wrote to memory of 2112	1280	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
PID 1280 wrote to memory of 2112	1280	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
PID 1280 wrote to memory of 2112	1280	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
PID 1280 wrote to memory of 2112	1280	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
PID 1280 wrote to memory of 2112	1280	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
PID 1280 wrote to memory of 2112	1280	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
PID 2112 wrote to memory of 3032	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	cmd.exe
PID 2112 wrote to memory of 3032	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	cmd.exe
PID 2112 wrote to memory of 3032	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	cmd.exe
PID 2112 wrote to memory of 3032	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	cmd.exe
PID 2112 wrote to memory of 2080	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	cmd.exe
PID 2112 wrote to memory of 2080	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	cmd.exe
PID 2112 wrote to memory of 2080	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	cmd.exe
PID 2112 wrote to memory of 2080	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	cmd.exe
PID 2112 wrote to memory of 3028	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	notepad.exe
PID 2112 wrote to memory of 3028	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	notepad.exe
PID 2112 wrote to memory of 3028	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	notepad.exe
PID 2112 wrote to memory of 3028	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	notepad.exe
PID 2112 wrote to memory of 3028	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	notepad.exe
PID 2112 wrote to memory of 3028	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	notepad.exe
PID 2112 wrote to memory of 3028	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	notepad.exe
PID 2112 wrote to memory of 3028	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	notepad.exe
PID 2112 wrote to memory of 3028	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	notepad.exe
PID 2112 wrote to memory of 3028	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	notepad.exe
PID 2112 wrote to memory of 3028	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	notepad.exe
PID 2112 wrote to memory of 3028	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	notepad.exe
PID 2112 wrote to memory of 3028	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	notepad.exe
PID 2112 wrote to memory of 3028	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	notepad.exe
PID 2112 wrote to memory of 3028	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	notepad.exe
PID 2112 wrote to memory of 3028	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	notepad.exe
PID 2112 wrote to memory of 3028	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	notepad.exe
PID 2112 wrote to memory of 3028	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	notepad.exe
PID 3032 wrote to memory of 2848	3032	cmd.exe	attrib.exe
PID 3032 wrote to memory of 2848	3032	cmd.exe	attrib.exe
PID 3032 wrote to memory of 2848	3032	cmd.exe	attrib.exe
PID 3032 wrote to memory of 2848	3032	cmd.exe	attrib.exe
PID 2080 wrote to memory of 2504	2080	cmd.exe	attrib.exe
PID 2080 wrote to memory of 2504	2080	cmd.exe	attrib.exe
PID 2080 wrote to memory of 2504	2080	cmd.exe	attrib.exe
PID 2080 wrote to memory of 2504	2080	cmd.exe	attrib.exe
PID 2112 wrote to memory of 2752	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	conhost.exe
PID 2112 wrote to memory of 2752	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	conhost.exe
PID 2112 wrote to memory of 2752	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	conhost.exe
PID 2112 wrote to memory of 2752	2112	1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe	conhost.exe
PID 2752 wrote to memory of 2188	2752	msdcsc.exe	msdcsc.exe
PID 2752 wrote to memory of 2188	2752	msdcsc.exe	msdcsc.exe
PID 2752 wrote to memory of 2188	2752	msdcsc.exe	msdcsc.exe
PID 2752 wrote to memory of 2188	2752	msdcsc.exe	msdcsc.exe
PID 2752 wrote to memory of 2188	2752	msdcsc.exe	msdcsc.exe
PID 2752 wrote to memory of 2188	2752	msdcsc.exe	msdcsc.exe
PID 2752 wrote to memory of 2188	2752	msdcsc.exe	msdcsc.exe
PID 2752 wrote to memory of 2188	2752	msdcsc.exe	msdcsc.exe
PID 2752 wrote to memory of 2188	2752	msdcsc.exe	msdcsc.exe
PID 2752 wrote to memory of 2188	2752	msdcsc.exe	msdcsc.exe
PID 2752 wrote to memory of 2188	2752	msdcsc.exe	msdcsc.exe

Views/modifies file attributes 1 TTPs 18 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
2340	attrib.exe
2504	attrib.exe
2824	attrib.exe
2864	attrib.exe
2160	attrib.exe
1724	attrib.exe
2716	attrib.exe
3044	attrib.exe
2960	attrib.exe
1780	attrib.exe
2476	attrib.exe
2876	attrib.exe
1940	attrib.exe
1960	attrib.exe
2672	attrib.exe
1940	attrib.exe
2848	attrib.exe
2936	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\1f68ac4cea5976b8c89dbb2a6a16bf75_JaffaCakes118.exe" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2504

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
- Deletes itself
PID:3028

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
5⤵
PID:2528

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
5⤵
PID:2560

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2960

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:2616

C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe
"C:\Windows\system32\MSDCSC\avRlhtZvzGeQ\msdcsc.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1128

C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe
C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe" +s +h
7⤵
PID:108

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe" +s +h
8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ" +s +h
7⤵
PID:1748

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ" +s +h
8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2476

C:\Windows\SysWOW64\notepad.exe
notepad
7⤵
PID:1744

C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe
"C:\Windows\system32\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe"
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:536

C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe
C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe
8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe" +s +h
9⤵
PID:1276

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe" +s +h
10⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ" +s +h
9⤵
PID:1792

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ" +s +h
10⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1940

C:\Windows\SysWOW64\notepad.exe
notepad
9⤵
PID:640

C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe
"C:\Windows\system32\MSDCSC\avRlhtZvzGeQ\msdcsc.exe"
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe
C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe
10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe" +s +h
11⤵
PID:848

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe" +s +h
12⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ" +s +h
11⤵
PID:576

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ" +s +h
12⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3044

C:\Windows\SysWOW64\notepad.exe
notepad
11⤵
PID:1992

C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe
"C:\Windows\system32\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe"
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2700

C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe
C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe
12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe" +s +h
13⤵
PID:2532

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe" +s +h
14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ" +s +h
13⤵
PID:2324

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ" +s +h
14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2672

C:\Windows\SysWOW64\notepad.exe
notepad
13⤵
PID:2524

C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe
"C:\Windows\system32\MSDCSC\avRlhtZvzGeQ\msdcsc.exe"
13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe
C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe
14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe" +s +h
15⤵
PID:2740

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe" +s +h
16⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ" +s +h
15⤵
PID:2300

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ" +s +h
16⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2864

C:\Windows\SysWOW64\notepad.exe
notepad
15⤵
PID:1260

C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe
"C:\Windows\system32\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe"
15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:380

C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe
C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe
16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe" +s +h
17⤵
PID:1040

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe" +s +h
18⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ" +s +h
17⤵
PID:536

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ" +s +h
18⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2160

C:\Windows\SysWOW64\notepad.exe
notepad
17⤵
PID:1844

C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe
"C:\Windows\system32\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe"
17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:904

C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe
C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe
18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe" +s +h
19⤵
PID:2148

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ\msdcsc.exe" +s +h
20⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ" +s +h
19⤵
PID:2104

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\avRlhtZvzGeQ" +s +h
20⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2716

C:\Windows\SysWOW64\notepad.exe
notepad
19⤵
PID:992

C:\Windows\SysWOW64\MSDCSC\avRlhtZvzGeQ\msdcsc.exe
"C:\Windows\system32\MSDCSC\avRlhtZvzGeQ\msdcsc.exe"
19⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2095331053-240096758-1543742754496004497-21902033243837759-1178681543-822739089"
1⤵
PID:2752

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
748KB

MD5
1f68ac4cea5976b8c89dbb2a6a16bf75

SHA1
506d7d46319a116e7106c1379423d9ce16b854f9

SHA256
9eea21de124f6cca492e675bd88c96edbc0685d772221d8d0b88dbb1967072f3

SHA512
cfd134a813aee19a8cc63127a232d09d1beff9f5fcf56a73f3df7b3ba0fb6c2e11d9c37b2e80dd2e7ebb19753d09b7fe7c22f684c6c0eed67369a35e3d7bea1c

Download Submit
memory/2112-2-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2112-3-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2112-4-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2112-5-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2112-6-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2112-38-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2188-83-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2592-91-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3028-10-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3028-24-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads