darkcomet | 96a6764d36095ee5fcd9bd60b3596d6a0a33049b4f41a2eb9133b2f6ec9ffa56

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24-09-2024 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Size

3.7MB
MD5

f46d21e85d029a0382317f00fc34f342
SHA1

993f7e41464de9d369cfed3bf04ddea124fa1fd4
SHA256

96a6764d36095ee5fcd9bd60b3596d6a0a33049b4f41a2eb9133b2f6ec9ffa56
SHA512

ad7d22e00088dd50ae8bbc8c921db31b0024d5285a4984494f10749b9f6f8002810a809d919ef29ccf719e41afbcb470c2fbaa724829fe5f3403e0595baac065
SSDEEP

98304:zJDvjtj2taCrHMII7nCWTQfNwY2i0sFW2:17JjErI3yNz2iJFW2

Score

10^/10

darkcomet modiloader discovery evasion rat themida trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2656-54-0x0000000000010000-0x0000000000036000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-50-0x0000000000010000-0x0000000000036000-memory.dmp	modiloader_stage2

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2972	DFRG.EXE
2040	EXTRAC32.EXE
2656	apoca.exe
2980	EXTRAC32.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	explorer.exe

Loads dropped DLL 5 IoCs

pid	Process
1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
2040	EXTRAC32.EXE

Themida packer 53 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1948-0-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/1948-2-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/1948-3-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/1948-4-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/1948-5-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/1948-7-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/1948-6-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/1948-8-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/1948-9-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/1948-10-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/1948-11-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/1948-12-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/1948-13-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/1948-15-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/1948-14-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/1948-18-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/1948-19-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/1948-20-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/1948-70-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-69-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-67-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-91-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-90-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-89-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-88-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-87-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-86-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-85-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-84-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-83-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-82-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-81-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-80-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-79-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-78-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-77-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-76-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-75-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-74-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-73-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-72-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-71-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-94-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-93-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-92-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-103-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-114-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-113-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-104-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-102-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-116-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-115-0x0000000013140000-0x0000000013956000-memory.dmp	themida
behavioral1/memory/2912-117-0x0000000013140000-0x0000000013956000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
2912	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 2980	2040	EXTRAC32.EXE	35
PID 1948 set thread context of 2912	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe	36

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016cc4-32.dat	upx
behavioral1/memory/2656-54-0x0000000000010000-0x0000000000036000-memory.dmp	upx
behavioral1/memory/2972-50-0x0000000000010000-0x0000000000036000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\apoca.exe	DFRG.EXE
File opened for modification	C:\Windows\apoca.exe	DFRG.EXE
File created	C:\Windows\apoca.exe	apoca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DFRG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apoca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXTRAC32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXTRAC32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
2912	explorer.exe
2980	EXTRAC32.exe
2980	EXTRAC32.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeSecurityPrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeBackupPrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeRestorePrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeShutdownPrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeDebugPrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeUndockPrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: 33	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: 34	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: 35	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2912	explorer.exe
Token: SeSecurityPrivilege	2912	explorer.exe
Token: SeTakeOwnershipPrivilege	2912	explorer.exe
Token: SeLoadDriverPrivilege	2912	explorer.exe
Token: SeSystemProfilePrivilege	2912	explorer.exe
Token: SeSystemtimePrivilege	2912	explorer.exe
Token: SeProfSingleProcessPrivilege	2912	explorer.exe
Token: SeIncBasePriorityPrivilege	2912	explorer.exe
Token: SeCreatePagefilePrivilege	2912	explorer.exe
Token: SeBackupPrivilege	2912	explorer.exe
Token: SeRestorePrivilege	2912	explorer.exe
Token: SeShutdownPrivilege	2912	explorer.exe
Token: SeDebugPrivilege	2912	explorer.exe
Token: SeSystemEnvironmentPrivilege	2912	explorer.exe
Token: SeChangeNotifyPrivilege	2912	explorer.exe
Token: SeRemoteShutdownPrivilege	2912	explorer.exe
Token: SeUndockPrivilege	2912	explorer.exe
Token: SeManageVolumePrivilege	2912	explorer.exe
Token: SeImpersonatePrivilege	2912	explorer.exe
Token: SeCreateGlobalPrivilege	2912	explorer.exe
Token: 33	2912	explorer.exe
Token: 34	2912	explorer.exe
Token: 35	2912	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2856	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2040	EXTRAC32.EXE
2912	explorer.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2972	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe	31
PID 1948 wrote to memory of 2972	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe	31
PID 1948 wrote to memory of 2972	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe	31
PID 1948 wrote to memory of 2972	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe	31
PID 1948 wrote to memory of 2040	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe	32
PID 1948 wrote to memory of 2040	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe	32
PID 1948 wrote to memory of 2040	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe	32
PID 1948 wrote to memory of 2040	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe	32
PID 2972 wrote to memory of 2656	2972	DFRG.EXE	33
PID 2972 wrote to memory of 2656	2972	DFRG.EXE	33
PID 2972 wrote to memory of 2656	2972	DFRG.EXE	33
PID 2972 wrote to memory of 2656	2972	DFRG.EXE	33
PID 2656 wrote to memory of 600	2656	apoca.exe	34
PID 2656 wrote to memory of 600	2656	apoca.exe	34
PID 2656 wrote to memory of 600	2656	apoca.exe	34
PID 2656 wrote to memory of 600	2656	apoca.exe	34
PID 2040 wrote to memory of 2980	2040	EXTRAC32.EXE	35
PID 2040 wrote to memory of 2980	2040	EXTRAC32.EXE	35
PID 2040 wrote to memory of 2980	2040	EXTRAC32.EXE	35
PID 2040 wrote to memory of 2980	2040	EXTRAC32.EXE	35
PID 2040 wrote to memory of 2980	2040	EXTRAC32.EXE	35
PID 2040 wrote to memory of 2980	2040	EXTRAC32.EXE	35
PID 2040 wrote to memory of 2980	2040	EXTRAC32.EXE	35
PID 2040 wrote to memory of 2980	2040	EXTRAC32.EXE	35
PID 1948 wrote to memory of 2912	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe	36
PID 1948 wrote to memory of 2912	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe	36
PID 1948 wrote to memory of 2912	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe	36
PID 1948 wrote to memory of 2912	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe	36
PID 1948 wrote to memory of 2912	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe	36
PID 1948 wrote to memory of 2912	1948	f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe	36
PID 2980 wrote to memory of 1216	2980	EXTRAC32.exe	21
PID 2980 wrote to memory of 1216	2980	EXTRAC32.exe	21
PID 2980 wrote to memory of 1216	2980	EXTRAC32.exe	21
PID 2980 wrote to memory of 1216	2980	EXTRAC32.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f46d21e85d029a0382317f00fc34f342_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\DFRG.EXE
    "C:\Users\Admin\AppData\Local\Temp\DFRG.EXE"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\apoca.exe
      -bs
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        -bs
        5⤵
        
        PID:600
- - C:\Users\Admin\AppData\Local\Temp\EXTRAC32.EXE
    "C:\Users\Admin\AppData\Local\Temp\EXTRAC32.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\EXTRAC32.exe
      C:\Users\Admin\AppData\Local\Temp\EXTRAC32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2980
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2912

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\558743_158133497650471_722615898_N.JPG

Filesize
13KB

MD5
cf5f3ab87cfd8be2d6da9d9b96c39d32

SHA1
a61520383b2ca98a78c77bf896989964a31d831a

SHA256
50ecad47b87415cb8363f2de3b0e59caaf5badbff8a571bac374430fd6cac59e

SHA512
c170c925d6b510d41854924bd09323172805f7c5099dfab60653dc5123c7e6dca052274976b458ddb2fe91212b4d12cc0fd7d4b937ee87bae62999b5b6197ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFRG.EXE

Filesize
98KB

MD5
8ac81b2be6b1d8013191b361ae6e96d1

SHA1
9334814be1553f5029cbc7ea5619dd3e28b1c004

SHA256
5b155f5d12ba84fa40e5a0bb6749b7f9cc15fec18593059d0ac35c5787ec2e0e

SHA512
955bb9f7609c10a53070e94a7870e54eb9a7bf2f8d64c601e560aa7f5f86d7afd695a081c346df9b9304cb4daeea962df3df59df67f25e1e6b839915c4363e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXTRAC32.EXE

Filesize
277KB

MD5
1cee0e7bdd2e6fedce0eaffa4be3eaf1

SHA1
23d5e66c13a00c8aa4ec8f9659fb4d385d4defe9

SHA256
ca315f94a5027073cfe352a5c6ef6aca5a1c6fbe8ab9c9f32e07a2b250bbaf7e

SHA512
3aa8ddf1c2d5210ed73b96882d76d839e0b7d89baf7d7bab155a9ac64055b2a5af08a34e456fa27a3d1ed64d8c815c907ead060ef8abd603b8f374c721938a9f

Download Submit
memory/1216-96-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1216-99-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1948-11-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/1948-14-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/1948-4-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/1948-5-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/1948-7-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/1948-6-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/1948-8-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/1948-9-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/1948-10-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/1948-70-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/1948-12-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/1948-13-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/1948-15-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/1948-3-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/1948-18-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/1948-19-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/1948-20-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/1948-21-0x0000000005720000-0x0000000005722000-memory.dmp

Filesize
8KB

Download
memory/1948-34-0x00000000061A0000-0x00000000061C6000-memory.dmp

Filesize
152KB

Download
memory/1948-0-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/1948-1-0x0000000013141000-0x000000001318E000-memory.dmp

Filesize
308KB

Download
memory/1948-2-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2656-54-0x0000000000010000-0x0000000000036000-memory.dmp

Filesize
152KB

Download
memory/2856-118-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2856-33-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2856-22-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2912-90-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-74-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-67-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2912-91-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-64-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-89-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-88-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-87-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-86-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-85-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-84-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-83-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-82-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-81-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-80-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-79-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-78-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-77-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-76-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-75-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-69-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-73-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-72-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-71-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-94-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-93-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-92-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-117-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-115-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-103-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-116-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-102-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-114-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-113-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2912-104-0x0000000013140000-0x0000000013956000-memory.dmp

Filesize
8.1MB

Download
memory/2972-50-0x0000000000010000-0x0000000000036000-memory.dmp

Filesize
152KB

Download
memory/2980-111-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2980-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2980-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2980-62-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download