darkcomet | a7e8eccf72d7f433cbe460d7b986b9044cbe4152a37717464c22cc5627997a43

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad80fab1b61eedd00adda7872a1b81f8_JaffaCakes118.exe
Size

3.0MB
MD5

ad80fab1b61eedd00adda7872a1b81f8
SHA1

ab5ce17152b8363686e95f30bdc3adebe6976abe
SHA256

a7e8eccf72d7f433cbe460d7b986b9044cbe4152a37717464c22cc5627997a43
SHA512

6fb3ff62aaf54cb11a5ba8a4eea3255aecbca4c08169892a640182e0aad428b1a1f90361123f9d4b39d0640bc3497a94b00575bbad62b4dfd2221548b596b7c6
SSDEEP

98304:bE3AkV49N65xEfyoc0GS+pkowEbUw6k8ZDz5:nkV49AxUyopGS+plwkUwSZz5

Score

10^/10

darkcomet latentbot guest16 discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

medoseleman.zapto.org:1604

Mutex

DC_MUTEX-YJYEBPK

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
tQiKsS04Yhz9
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Extracted

Family

latentbot

medoseleman.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	ss.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ss.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	nLite-v1.3b-_Requires-.NET-Framework-v2.0_.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ss.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D.exe	ad80fab1b61eedd00adda7872a1b81f8_JaffaCakes118.exe

Executes dropped EXE 9 IoCs

pid	Process
4664	D.exe
2992	nLite-v1.3b-_Requires-.NET-Framework-v2.0_.exe
3484	install.exe
2604	incase.exe
1692	nLite-1.3.beta.installer.exe
628	ss.exe
3328	is-H6BNJ.tmp
4884	msdcsc.exe
3156	pskill.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4160-0-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4160-28-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/2604-59-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/files/0x0007000000023492-60.dat	upx
behavioral2/memory/2604-204-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	ss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4160-28-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pskill.exe	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\pskill.exe	xcopy.exe

Drops file in Program Files directory 47 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\nLite\is-LIG7Q.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\is-T332D.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-AO4T1.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-PBVSS.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-ACKT7.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\is-3QFNP.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-C068O.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-47HFS.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-QKAGT.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-M7D30.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-92VLF.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-U74O4.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-ICQO8.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\is-G04AU.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\is-LG81N.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-S0E8P.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-6H34O.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-CB0Q6.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-VHSLS.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-MGLTL.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-QO9DP.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-B6V1T.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\is-8VEET.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-25IL5.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-C3PSE.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-A0ARI.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\is-P4UIM.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-2FJ50.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-PNQMT.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-AGNGJ.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-4UTIM.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-CC95B.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-SR9K1.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-TMK7O.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-QOVB6.tmp	is-H6BNJ.tmp
File opened for modification	C:\Program Files (x86)\nLite\nlite.url	is-H6BNJ.tmp
File opened for modification	C:\Program Files (x86)\nLite\unins000.dat	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\unins000.dat	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\is-733IT.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-OTB5U.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-LMPLR.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-CMGBU.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-FIAFO.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-8M4SM.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-HCGPA.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-88MLO.tmp	is-H6BNJ.tmp
File created	C:\Program Files (x86)\nLite\Lang\is-93NLT.tmp	is-H6BNJ.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nLite-v1.3b-_Requires-.NET-Framework-v2.0_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	incase.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-H6BNJ.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pskill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad80fab1b61eedd00adda7872a1b81f8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nLite-1.3.beta.installer.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3156	pskill.exe
3156	pskill.exe
3156	pskill.exe
3156	pskill.exe
3156	pskill.exe
3156	pskill.exe
3156	pskill.exe
3156	pskill.exe
3156	pskill.exe
3156	pskill.exe
3156	pskill.exe
3156	pskill.exe
3156	pskill.exe
3156	pskill.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	4664	D.exe
Token: 33	4664	D.exe
Token: SeIncBasePriorityPrivilege	4664	D.exe
Token: SeIncreaseQuotaPrivilege	628	ss.exe
Token: SeSecurityPrivilege	628	ss.exe
Token: SeTakeOwnershipPrivilege	628	ss.exe
Token: SeLoadDriverPrivilege	628	ss.exe
Token: SeSystemProfilePrivilege	628	ss.exe
Token: SeSystemtimePrivilege	628	ss.exe
Token: SeProfSingleProcessPrivilege	628	ss.exe
Token: SeIncBasePriorityPrivilege	628	ss.exe
Token: SeCreatePagefilePrivilege	628	ss.exe
Token: SeBackupPrivilege	628	ss.exe
Token: SeRestorePrivilege	628	ss.exe
Token: SeShutdownPrivilege	628	ss.exe
Token: SeDebugPrivilege	628	ss.exe
Token: SeSystemEnvironmentPrivilege	628	ss.exe
Token: SeChangeNotifyPrivilege	628	ss.exe
Token: SeRemoteShutdownPrivilege	628	ss.exe
Token: SeUndockPrivilege	628	ss.exe
Token: SeManageVolumePrivilege	628	ss.exe
Token: SeImpersonatePrivilege	628	ss.exe
Token: SeCreateGlobalPrivilege	628	ss.exe
Token: 33	628	ss.exe
Token: 34	628	ss.exe
Token: 35	628	ss.exe
Token: 36	628	ss.exe
Token: SeIncreaseQuotaPrivilege	4884	msdcsc.exe
Token: SeSecurityPrivilege	4884	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4884	msdcsc.exe
Token: SeLoadDriverPrivilege	4884	msdcsc.exe
Token: SeSystemProfilePrivilege	4884	msdcsc.exe
Token: SeSystemtimePrivilege	4884	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4884	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4884	msdcsc.exe
Token: SeCreatePagefilePrivilege	4884	msdcsc.exe
Token: SeBackupPrivilege	4884	msdcsc.exe
Token: SeRestorePrivilege	4884	msdcsc.exe
Token: SeShutdownPrivilege	4884	msdcsc.exe
Token: SeDebugPrivilege	4884	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4884	msdcsc.exe
Token: SeChangeNotifyPrivilege	4884	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4884	msdcsc.exe
Token: SeUndockPrivilege	4884	msdcsc.exe
Token: SeManageVolumePrivilege	4884	msdcsc.exe
Token: SeImpersonatePrivilege	4884	msdcsc.exe
Token: SeCreateGlobalPrivilege	4884	msdcsc.exe
Token: 33	4884	msdcsc.exe
Token: 34	4884	msdcsc.exe
Token: 35	4884	msdcsc.exe
Token: 36	4884	msdcsc.exe
Token: SeDebugPrivilege	3156	pskill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2604	incase.exe
2604	incase.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2604	incase.exe
2604	incase.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4884	msdcsc.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 4664	4160	ad80fab1b61eedd00adda7872a1b81f8_JaffaCakes118.exe	86
PID 4160 wrote to memory of 4664	4160	ad80fab1b61eedd00adda7872a1b81f8_JaffaCakes118.exe	86
PID 4160 wrote to memory of 2992	4160	ad80fab1b61eedd00adda7872a1b81f8_JaffaCakes118.exe	87
PID 4160 wrote to memory of 2992	4160	ad80fab1b61eedd00adda7872a1b81f8_JaffaCakes118.exe	87
PID 4160 wrote to memory of 2992	4160	ad80fab1b61eedd00adda7872a1b81f8_JaffaCakes118.exe	87
PID 2992 wrote to memory of 3484	2992	nLite-v1.3b-_Requires-.NET-Framework-v2.0_.exe	89
PID 2992 wrote to memory of 3484	2992	nLite-v1.3b-_Requires-.NET-Framework-v2.0_.exe	89
PID 2992 wrote to memory of 3484	2992	nLite-v1.3b-_Requires-.NET-Framework-v2.0_.exe	89
PID 3484 wrote to memory of 3808	3484	install.exe	90
PID 3484 wrote to memory of 3808	3484	install.exe	90
PID 3484 wrote to memory of 3808	3484	install.exe	90
PID 3808 wrote to memory of 3704	3808	cmd.exe	93
PID 3808 wrote to memory of 3704	3808	cmd.exe	93
PID 3808 wrote to memory of 3704	3808	cmd.exe	93
PID 3808 wrote to memory of 2604	3808	cmd.exe	94
PID 3808 wrote to memory of 2604	3808	cmd.exe	94
PID 3808 wrote to memory of 2604	3808	cmd.exe	94
PID 3808 wrote to memory of 1692	3808	cmd.exe	95
PID 3808 wrote to memory of 1692	3808	cmd.exe	95
PID 3808 wrote to memory of 1692	3808	cmd.exe	95
PID 4664 wrote to memory of 628	4664	D.exe	96
PID 4664 wrote to memory of 628	4664	D.exe	96
PID 4664 wrote to memory of 628	4664	D.exe	96
PID 1692 wrote to memory of 3328	1692	nLite-1.3.beta.installer.exe	97
PID 1692 wrote to memory of 3328	1692	nLite-1.3.beta.installer.exe	97
PID 1692 wrote to memory of 3328	1692	nLite-1.3.beta.installer.exe	97
PID 628 wrote to memory of 4884	628	ss.exe	99
PID 628 wrote to memory of 4884	628	ss.exe	99
PID 628 wrote to memory of 4884	628	ss.exe	99
PID 3808 wrote to memory of 3156	3808	cmd.exe	100
PID 3808 wrote to memory of 3156	3808	cmd.exe	100
PID 3808 wrote to memory of 3156	3808	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\ad80fab1b61eedd00adda7872a1b81f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad80fab1b61eedd00adda7872a1b81f8_JaffaCakes118.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Users\Admin\AppData\Local\Temp\D.exe
  C:\Users\Admin\AppData\Local\Temp/D.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\ss.exe
    "C:\Users\Admin\AppData\Local\Temp\ss.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4884
- C:\Users\Admin\AppData\Local\Temp\nLite-v1.3b-_Requires-.NET-Framework-v2.0_.exe
  C:\Users\Admin\AppData\Local\Temp/nLite-v1.3b-_Requires-.NET-Framework-v2.0_.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe" /nLite-v1.3b-_Requires-.NET-Framework-v2.0_.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt4206.bat /nLite-v1.3b-_Requires-.NET-Framework-v2.0_.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3808
    - - C:\Windows\SysWOW64\xcopy.exe
        
        XCOPY "pskill.exe" "C:\Windows\system32" /y /i /s /e /r /v /k /f /c /h
        5⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:3704
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\incase.exe
        
        incase.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2604
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\nLite-1.3.beta.installer.exe
        
        nLite-1.3.beta.installer.exe /sp- /verysilent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Users\Admin\AppData\Local\Temp\is-R3EMF.tmp\is-H6BNJ.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-R3EMF.tmp\is-H6BNJ.tmp" /SL4 $80054 "C:\Users\Admin\AppData\Local\Temp\RarSFX0\nLite-1.3.beta.installer.exe" 1701773 52224 /sp- /verysilent
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:3328
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\pskill.exe
        
        pskill incase.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D.exe

Filesize
384KB

MD5
99d24ede3c3d5de90411be63606a3c9c

SHA1
e09322ee5106338d3f157dfe79dc54378ee7acc1

SHA256
0886acb74275903edf6453e70bcb3cf145cf071457f62496ea5729ebc045e466

SHA512
a95d22f08e43e98e4faa031599326a2e41619b782777fd9d7d1c8f5e6e09c7d179ba68d0fee9d626d560b10badf6d38b2370db9b1b4d624b3344c82b8d787741

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\incase.exe

Filesize
41KB

MD5
38d6c13045b5c999b1be7ccef4ac6af9

SHA1
d539c3c6a2b6b9d90651d13fae7fe4d084d2d778

SHA256
9e9dc28ec773f20483a98ad33743bbc526a73d1a1feaaa5c67a3fc0329d213a8

SHA512
c43144c025e5f2f3d50a9607b3078ce118307a45861beff80674ce3b6d6331986fe2a2e17edc88c8b55c8421b71cbbf4637bfdb509d5c21a5ab2e939caef344b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
146KB

MD5
1b288be8a2d937e60e328891276de40b

SHA1
5178897c4461614aced6f873f5f34e206a208e85

SHA256
2cf6874dda9e838bcfe0188788147186fe8ec6dcf18b53888d005e99d5dcdd11

SHA512
a8eb5d957603452f49fbc14286c61b6cb738df3e41e6886b68e20e87aa21ded61d64dcc723b0e6f10f8af7e81eeda52ba8b49b5e049983d7473c0ffc108f361f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nLite-1.3.beta.installer.exe

Filesize
1.8MB

MD5
8f16ee829248120fe8f667c02665b6aa

SHA1
916eed949e33d5f2b8612e4b09abf4cc9e7bf6eb

SHA256
9f4b52f1ef1a752a208d935624bfde700a716cd3ac80729122aee576c45e919c

SHA512
4017826b07a717356a7b5479d0304f694b0604dfba14920351aa62009f6096c1fb80efae76eb1fe33b5cdd18a315d3c2d0c60f7e4e5882201f7508efb9511af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pskill.exe

Filesize
92KB

MD5
2e8a63a935822684bc3538a61749d9d2

SHA1
f76afcfba1f52fb8eb3e9c217d4a073117ee110a

SHA256
7ac2375c6569ad1f8e25ee7fc4a4ebcb0425bbd5ab19c2844f1580a8e0fcab76

SHA512
dcf63037bd7389900bddb1ec87168183d6ea6ff569ecb88e7fd52fe5a4d6c535931ea86b83d5e8300476e8b10677f3545b2e2eefe6df5ce877cfaade4e7444b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut8B88.tmp

Filesize
82KB

MD5
1db7b97e3b5959d0a73b9a6d15c4631d

SHA1
2ccadb24698034f1fb436de84361f607b54f6bab

SHA256
d9a44df55f7be30fe3f06333e5bcba6aec4461eab3712e6b152f787b77949822

SHA512
a702bc2ddfcfbffc6b52be6b386e8fa84f2e25693fccd1685c97ef34bbc15cadff39ae063929c4271d770a969504a307a7eea9fb32a98b52b5a9991018e39fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\bt4206.bat

Filesize
172B

MD5
d1aa79c4a4ee74dc36088bc2cdcefb03

SHA1
3a87a86750074a101648d21c5b7d6e3cccd96237

SHA256
bcef3b40ce623a6de3a565156a47fbd43c4e650c4397b1c50cf02fc2622a49e6

SHA512
5432459588a042f235a59e7cc2fee2a95628e0563576c27d57d13219fd6895903a6929d2a15f3730d711aa816abc81cffe7dbc8f4a701d08a26d6771202d2610

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R3EMF.tmp\is-H6BNJ.tmp

Filesize
652KB

MD5
581bb44526a65c02b388e1b8a83fe86c

SHA1
dc387f115977b5fb94d9c9084f33a1c231b50acb

SHA256
385a9bb48f5180984867f3bff1d327250d22ab4399137b343be291c370ee3699

SHA512
aab4cb6dd5ad4ebfded18748c5cd1a4361c154459f36a4cb49e32855b6866f92d3f065cd9cafa16e621a4216bb176f1554a8bbea7fd458b317eb1ff4c3c2bea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nLite-v1.3b-_Requires-.NET-Framework-v2.0_.exe

Filesize
2.4MB

MD5
9ea9dd70099931d318352e9cbdef1910

SHA1
cee84845fdf648aec207554eab51bd34da4661db

SHA256
c5c338125a680b78ba49cb3a58e3d6ab3b53b5ffaaaa2f0192b529a9c950b3eb

SHA512
52c5f18f048e01713377bc855bbe9efbd4b3b3bf551e6d809342c6c909298adfcf2e4ddb7acd5d20ef17304e7b559a63a6086e6e466477ec39c3cccf19407976

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss.exe

Filesize
236KB

MD5
e6fe8286d44317d33787347c5640a858

SHA1
f661c5dd1817cb5d90406e24cff58f7221b1b412

SHA256
38feffcabedffd4f81341730f0a6df18e44955ae145915fc2bb9c58b5f345fe5

SHA512
501ba1f84b1d73c4c8d701282efef770406811cd8bdc13082856c41e3d28fc8d4b3d77d7f6c67e22f003ed55911346993166ce62fb9a3fd6dcba38c09405416c

Download Submit
memory/628-208-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/628-79-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1692-64-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1692-202-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2604-59-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2604-204-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2992-206-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3328-201-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3484-205-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4160-28-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4160-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4664-82-0x00007FFFAC710000-0x00007FFFAD0B1000-memory.dmp

Filesize
9.6MB

Download
memory/4664-40-0x000000001C160000-0x000000001C62E000-memory.dmp

Filesize
4.8MB

Download
memory/4664-39-0x00007FFFAC710000-0x00007FFFAD0B1000-memory.dmp

Filesize
9.6MB

Download
memory/4664-30-0x000000001BBE0000-0x000000001BC86000-memory.dmp

Filesize
664KB

Download
memory/4664-29-0x00007FFFAC710000-0x00007FFFAD0B1000-memory.dmp

Filesize
9.6MB

Download
memory/4664-26-0x00007FFFAC9C5000-0x00007FFFAC9C6000-memory.dmp

Filesize
4KB

Download
memory/4884-209-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4884-210-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4884-211-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4884-212-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4884-213-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4884-214-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4884-215-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4884-216-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4884-217-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4884-218-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4884-219-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4884-220-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4884-221-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4884-222-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4884-223-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download