darktrack | eb8795fd32bcdbbbfd8482bdaac6d130fc09a4a157887ec4c04feabff376219c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11/07/2024, 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

server.exe
Size

627KB
MD5

1053d5bffab97a683ee4fd76d5e04674
SHA1

f19a8c327a3ddf4298676136d970250f7561da1b
SHA256

eb8795fd32bcdbbbfd8482bdaac6d130fc09a4a157887ec4c04feabff376219c
SHA512

1cc0f5c5ad47efa7788dde43af0395f97dcbd20f2290d94e0f5a0d46e6f7a47fbc52e2aa5d37498f8cc2ed01bb36acaf0b1ca1abeb2e3cf173b0764d6224bbdf
SSDEEP

12288:lOqvQomCg4G6q90tmPvj+GU/ttJuqwh3EQiXRUVZs4ixsiNhkApRawP:xoovgbAKvBgtJuqwh3EQihUb1ifNhj

Score

10^/10

darktrack rat spyware stealer upx

Malware Config

Signatures

DarkTrack
DarkTrack is a remote administration tool written in delphi.
rat stealer darktrack

DarkTrack payload 12 IoCs

resource	yara_rule
behavioral1/memory/3800-1-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/3800-2-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/3800-8-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/3800-39-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/3800-57-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/3800-60-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/3800-66-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/3800-69-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/3800-70-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/3800-71-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/3800-72-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/3800-73-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3800-65-0x0000000010000000-0x000000001005A000-memory.dmp	upx
behavioral1/memory/3800-64-0x0000000010000000-0x000000001005A000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2316	vlc.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe
3800	server.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3800	server.exe
2316	vlc.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
628	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3932	svchost.exe
Token: SeCreatePagefilePrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: SeLoadDriverPrivilege	3932	svchost.exe
Token: 33	4600	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4600	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe
2316	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2316	vlc.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72
PID 3800 wrote to memory of 4592	3800	server.exe	72

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  PID:4592

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UndoGroup.mpeg2"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2316

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:3948

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:748

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2336

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3932

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:2196

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x374
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc NDIS NDIS-20240711-0736.dmp
1⤵
PID:360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
76B

MD5
7eb02d15e375fae9ca1d42f5aed5208f

SHA1
e1420a85baad72f3b6957e4c440819ce407123f1

SHA256
ace645597e2cf296c7d175d55b43d76b2ce6dc0e82a184b18d745be5186dd488

SHA512
dae3c047c29e3ab884ed294fea114541f6cd9a91a6c845f373e40bec270f162bc2bf6bdfdc7fad93ac21eb358fe8f77acc4a9b6c2096454fd301475d7e3e50e3

Download Submit
C:\Windows\INF\netrasa.PNF

Filesize
22KB

MD5
80648b43d233468718d717d10187b68d

SHA1
a1736e8f0e408ce705722ce097d1adb24ebffc45

SHA256
8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380

SHA512
eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

Download Submit
C:\Windows\INF\netsstpa.PNF

Filesize
6KB

MD5
01e21456e8000bab92907eec3b3aeea9

SHA1
39b34fe438352f7b095e24c89968fca48b8ce11c

SHA256
35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f

SHA512
9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

Download Submit
memory/2316-24-0x00007FF8D2820000-0x00007FF8D2831000-memory.dmp

Filesize
68KB

Download
memory/2316-30-0x00007FF8BE010000-0x00007FF8BF0C0000-memory.dmp

Filesize
16.7MB

Download
memory/2316-20-0x00007FF8D2A40000-0x00007FF8D2A74000-memory.dmp

Filesize
208KB

Download
memory/2316-19-0x00007FF778D10000-0x00007FF778E08000-memory.dmp

Filesize
992KB

Download
memory/2316-28-0x00007FF8D0080000-0x00007FF8D0091000-memory.dmp

Filesize
68KB

Download
memory/2316-27-0x00007FF8D27C0000-0x00007FF8D27DD000-memory.dmp

Filesize
116KB

Download
memory/2316-26-0x00007FF8D27E0000-0x00007FF8D27F1000-memory.dmp

Filesize
68KB

Download
memory/2316-25-0x00007FF8D2800000-0x00007FF8D2817000-memory.dmp

Filesize
92KB

Download
memory/2316-50-0x00007FF8BE010000-0x00007FF8BF0C0000-memory.dmp

Filesize
16.7MB

Download
memory/2316-23-0x00007FF8D2840000-0x00007FF8D2857000-memory.dmp

Filesize
92KB

Download
memory/2316-22-0x00007FF8D2B50000-0x00007FF8D2B68000-memory.dmp

Filesize
96KB

Download
memory/2316-21-0x00007FF8CF720000-0x00007FF8CF9D6000-memory.dmp

Filesize
2.7MB

Download
memory/2316-29-0x00007FF8CF490000-0x00007FF8CF69B000-memory.dmp

Filesize
2.0MB

Download
memory/2316-35-0x00007FF8CFB00000-0x00007FF8CFB11000-memory.dmp

Filesize
68KB

Download
memory/2316-38-0x00007FF8CEA00000-0x00007FF8CEA11000-memory.dmp

Filesize
68KB

Download
memory/2316-37-0x00007FF8CFAC0000-0x00007FF8CFADB000-memory.dmp

Filesize
108KB

Download
memory/2316-36-0x00007FF8CFAE0000-0x00007FF8CFAF1000-memory.dmp

Filesize
68KB

Download
memory/2316-34-0x00007FF8CFB20000-0x00007FF8CFB31000-memory.dmp

Filesize
68KB

Download
memory/2316-33-0x00007FF8CFCD0000-0x00007FF8CFCE8000-memory.dmp

Filesize
96KB

Download
memory/2316-32-0x00007FF8CFCF0000-0x00007FF8CFD11000-memory.dmp

Filesize
132KB

Download
memory/2316-49-0x00007FF8CF720000-0x00007FF8CF9D6000-memory.dmp

Filesize
2.7MB

Download
memory/2316-48-0x00007FF8D2A40000-0x00007FF8D2A74000-memory.dmp

Filesize
208KB

Download
memory/2316-31-0x00007FF8CFEF0000-0x00007FF8CFF31000-memory.dmp

Filesize
260KB

Download
memory/2316-47-0x00007FF778D10000-0x00007FF778E08000-memory.dmp

Filesize
992KB

Download
memory/3800-65-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/3800-60-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3800-73-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3800-52-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3800-2-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3800-53-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/3800-1-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3800-39-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3800-8-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3800-64-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/3800-57-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3800-66-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3800-69-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3800-70-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3800-71-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3800-72-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4592-0-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download