General

Target: ftah2.ini
Size: 48B
Sample: 240802-q8rj8asamg
MD5: 294ab38e0053c30b7ed63a50c3170480
SHA1: cfa378923e848f5ac5a7782c1c310ad195ac1bf1
SHA256: 4fd167e871391b6593cc83e9b735b8ecbb067afda8fbefdb2f4fd4c91f9d5a9f
SHA512: 41f96ea1d9421fd653a8e5e60defb5be0001caf687cfbf4bcd7f8242d385fca202888038bce42271d291becca8e1cbe5e142857f87634ceeabbe2832f82a95f2
Tasks

Static task: static1
Behavioral task: behavioral1 (sample: ftah2.ini; resource: win10-20240404-en)
Behavioral task: behavioral2 (sample: ftah2.ini; resource: win10v2004-20240730-en)
Malware Config

Extracted family: darkcomet
ID: Guest16
C2: 127.0.0.1:888 (a loopback address: either a test build or a placeholder left in the builder; in either case it is not a usable network indicator)
Mutex: DC_MUTEX-4C8Y0GM
InstallPath: MSDCSC\msdcsc.exe
gencode: JyJGPjcioEiq
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate

Note: persistence: false is DarkComet's own builder flag; the sandbox still observed a Run-key entry and a Winlogon modification (see the signatures under Targets), so do not read the flag as "no autostart". With the C2 pointing at localhost, the mutex name, the install path and the reg_key value are the usable indicators from this config.
Targets

Target: ftah2.ini (48B; MD5, SHA1, SHA256 and SHA512 as listed under General)

Signatures:
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Credentials from Password Stores: Credentials from Web Browsers (malicious access to, or copy of, a web-browser credential store)
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Downloads MZ/PE file
- Executes dropped EXE
- Adds Run key to start application (compare reg_key MicroUpdate in the extracted config)
- Enumerates processes with tasklist
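The following script turns the extracted config above and the registry-related signatures in this list into something a responder can run: it parses the C2 and flags it as non-actionable when it is loopback, derives the host indicators (mutex, install path, Run value), and classifies constructed registry-write lines against the signature names the report uses. This is an added example, not code from the Triage report or from DarkComet. The config values are copied from the report; the Documents-folder install root, the DisableTaskMgr/DisableRegistryTools, Winlogon Userinit/Shell and FirewallPolicy EnableFirewall value names, and the baseline Userinit/Shell data are general Windows knowledge used here as assumptions, and the sample events are constructed, not taken from the sandbox run.

```python
"""Triage helpers built from the DarkComet config and signatures in this report.

Added example, not code from the Triage report or from DarkComet. CONFIG is
copied from the report; everything else named below (install root, registry
value names, Winlogon baselines, sample events) is an assumption or constructed.
"""
import ipaddress

# Extracted config, copied from the report's "Malware Config" section.
CONFIG = {
    "family": "darkcomet",
    "id": "Guest16",
    "c2": "127.0.0.1:888",
    "mutex": "DC_MUTEX-4C8Y0GM",
    "install_path": r"MSDCSC\msdcsc.exe",
    "reg_key": "MicroUpdate",
    "install": True,
    "offline_keylogger": True,
    "persistence": False,
}


def parse_c2(c2: str) -> dict:
    """Split host:port and decide whether it is worth hunting on the network.

    Loopback, unspecified and link-local addresses (127.0.0.1 in this report)
    are test builds or builder placeholders and yield no usable network IOC.
    """
    host, _, port = c2.rpartition(":")
    try:
        addr = ipaddress.ip_address(host)
        actionable = not (addr.is_loopback or addr.is_unspecified or addr.is_link_local)
    except ValueError:  # a hostname rather than an IP literal
        actionable = True
    return {"host": host, "port": int(port), "actionable": actionable}


def host_iocs(cfg: dict) -> dict:
    """Host-side indicators that remain useful when the C2 is useless.

    ASSUMPTION: the relative InstallPath is resolved under the user's
    Documents folder; the report only gives the relative path.
    """
    return {
        "mutex": cfg["mutex"],
        "file_path": r"%USERPROFILE%\Documents" + "\\" + cfg["install_path"],
        "run_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
        "run_value": cfg["reg_key"],
    }


# ASSUMPTION: clean Windows 10 defaults for the two Winlogon values (lower-cased).
WINLOGON_BASELINE = {"userinit": r"c:\windows\system32\userinit.exe,", "shell": "explorer.exe"}


def classify_event(line: str, cfg: dict) -> list:
    """Return the report signature names that one registry-write line triggers.

    Input is a constructed "Key\\Value=Data" line (e.g. Sysmon Event ID 13
    TargetObject and Details flattened); all comparisons are case-insensitive.
    """
    path, _, data = line.partition("=")
    key, _, value = path.rpartition("\\")
    key, value, data = key.lower(), value.lower(), data.strip().lower()
    hits = []
    # Only this config's value name or its install path fire; generic Run
    # entries (OneDrive etc.) are deliberately left alone.
    if key.endswith(r"\currentversion\run") and (
        value == cfg["reg_key"].lower() or cfg["install_path"].lower() in data
    ):
        hits.append("Adds Run key to start application")
    if key.endswith(r"\policies\system") and data == "1":
        if value == "disabletaskmgr":
            hits.append("Disables Task Manager via registry modification")
        elif value == "disableregistrytools":
            hits.append("Disables RegEdit via registry modification")
    if key.endswith(r"\currentversion\winlogon") and value in WINLOGON_BASELINE:
        if data != WINLOGON_BASELINE[value]:  # anything appended is suspect
            hits.append("Modifies WinLogon for persistence")
    if "\\firewallpolicy\\" in key and value == "enablefirewall" and data == "0":
        hits.append("Modifies firewall policy service")
    return hits


def run_detections(lines, cfg: dict) -> dict:
    """Map each event line to its signature hits; lines with no hit are dropped."""
    results = {}
    for line in lines:
        hits = classify_event(line, cfg)
        if hits:
            results[line] = hits
    return results


# Constructed sample events (not from the report): five writes matching the
# report's signatures plus one benign Run entry that must not fire.
SAMPLE_EVENTS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate=C:\Users\bob\Documents\MSDCSC\msdcsc.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr=1",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools=1",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=C:\Windows\system32\userinit.exe,C:\Users\bob\Documents\MSDCSC\msdcsc.exe",
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall=0",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive=C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
]

if __name__ == "__main__":
    print(parse_c2(CONFIG["c2"]))
    print(host_iocs(CONFIG))
    for event, hits in run_detections(SAMPLE_EVENTS, CONFIG).items():
        print(hits, "<-", event)
```

The Winlogon rule compares against a fixed baseline rather than looking for the DarkComet path, because an appended Userinit or Shell entry is suspicious whatever it points to; the Run-key rule is the opposite, keyed to this config, so it will not flag every autostart entry on a busy host.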
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)

Persistence
  Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (1)
    Winlogon Helper DLL, T1547.004 (1)
  Create or Modify System Process, T1543 (1)
    Windows Service, T1543.003 (1)

Privilege Escalation
  Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (1)
    Winlogon Helper DLL, T1547.004 (1)
  Create or Modify System Process, T1543 (1)
    Windows Service, T1543.003 (1)

Defense Evasion
  Hide Artifacts, T1564 (2)
    Hidden Files and Directories, T1564.001 (2)
  Impair Defenses, T1562 (1)
    Disable or Modify System Firewall, T1562.004 (1)
  Modify Registry, T1112 (3)
  Subvert Trust Controls, T1553 (1)
    SIP and Trust Provider Hijacking, T1553.003 (1)