darkcomet | 138988d27839163466eff6805ca41b8ee9a159fb5038e84083f8d77ab4fcd6f5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2024, 13:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

48077fc7cdbb7f87e0dd80696b9e5915_JaffaCakes118.exe
Size

1.2MB
MD5

48077fc7cdbb7f87e0dd80696b9e5915
SHA1

9c937c8865f82b193ef993c309a96cb813f54c83
SHA256

138988d27839163466eff6805ca41b8ee9a159fb5038e84083f8d77ab4fcd6f5
SHA512

393de570d004e6e708a4513783186e721935a9c8bb52e833da5719b8b4640fa7d3ff2756b78760bd9f0d30db1c76674b2f1696bc93d12ce413a1a9ecda0575bb
SSDEEP

24576:aLUjh/FIFKRKaHYlJyouYoktDoymZJ4CJDKBwmJqQv0myVbpVoHhFCUBag4s/:KyKFUHsJt9o07YJDhmci8p+8ZS

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

89.176.206.218:443

Mutex

DC_MUTEX-VV70UTU

Attributes

gencode
sqJYz26CSTJA
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 2 IoCs

pid	Process
2328	M.exe
3328	M.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	48077fc7cdbb7f87e0dd80696b9e5915_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2328 set thread context of 3328	2328	M.exe	194

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48077fc7cdbb7f87e0dd80696b9e5915_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2328	M.exe
2328	M.exe
2328	M.exe
2328	M.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3328	M.exe
Token: SeSecurityPrivilege	3328	M.exe
Token: SeTakeOwnershipPrivilege	3328	M.exe
Token: SeLoadDriverPrivilege	3328	M.exe
Token: SeSystemProfilePrivilege	3328	M.exe
Token: SeSystemtimePrivilege	3328	M.exe
Token: SeProfSingleProcessPrivilege	3328	M.exe
Token: SeIncBasePriorityPrivilege	3328	M.exe
Token: SeCreatePagefilePrivilege	3328	M.exe
Token: SeBackupPrivilege	3328	M.exe
Token: SeRestorePrivilege	3328	M.exe
Token: SeShutdownPrivilege	3328	M.exe
Token: SeDebugPrivilege	3328	M.exe
Token: SeSystemEnvironmentPrivilege	3328	M.exe
Token: SeChangeNotifyPrivilege	3328	M.exe
Token: SeRemoteShutdownPrivilege	3328	M.exe
Token: SeUndockPrivilege	3328	M.exe
Token: SeManageVolumePrivilege	3328	M.exe
Token: SeImpersonatePrivilege	3328	M.exe
Token: SeCreateGlobalPrivilege	3328	M.exe
Token: 33	3328	M.exe
Token: 34	3328	M.exe
Token: 35	3328	M.exe
Token: 36	3328	M.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2328	M.exe
2328	M.exe
3328	M.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2328	2896	48077fc7cdbb7f87e0dd80696b9e5915_JaffaCakes118.exe	86
PID 2896 wrote to memory of 2328	2896	48077fc7cdbb7f87e0dd80696b9e5915_JaffaCakes118.exe	86
PID 2896 wrote to memory of 2328	2896	48077fc7cdbb7f87e0dd80696b9e5915_JaffaCakes118.exe	86
PID 2328 wrote to memory of 2252	2328	M.exe	90
PID 2328 wrote to memory of 2252	2328	M.exe	90
PID 2328 wrote to memory of 2252	2328	M.exe	90
PID 2328 wrote to memory of 2772	2328	M.exe	91
PID 2328 wrote to memory of 2772	2328	M.exe	91
PID 2328 wrote to memory of 2772	2328	M.exe	91
PID 2328 wrote to memory of 1620	2328	M.exe	93
PID 2328 wrote to memory of 1620	2328	M.exe	93
PID 2328 wrote to memory of 1620	2328	M.exe	93
PID 2328 wrote to memory of 368	2328	M.exe	94
PID 2328 wrote to memory of 368	2328	M.exe	94
PID 2328 wrote to memory of 368	2328	M.exe	94
PID 2328 wrote to memory of 2484	2328	M.exe	95
PID 2328 wrote to memory of 2484	2328	M.exe	95
PID 2328 wrote to memory of 2484	2328	M.exe	95
PID 2328 wrote to memory of 716	2328	M.exe	96
PID 2328 wrote to memory of 716	2328	M.exe	96
PID 2328 wrote to memory of 716	2328	M.exe	96
PID 2328 wrote to memory of 3964	2328	M.exe	97
PID 2328 wrote to memory of 3964	2328	M.exe	97
PID 2328 wrote to memory of 3964	2328	M.exe	97
PID 2328 wrote to memory of 1288	2328	M.exe	98
PID 2328 wrote to memory of 1288	2328	M.exe	98
PID 2328 wrote to memory of 1288	2328	M.exe	98
PID 2328 wrote to memory of 1144	2328	M.exe	99
PID 2328 wrote to memory of 1144	2328	M.exe	99
PID 2328 wrote to memory of 1144	2328	M.exe	99
PID 2328 wrote to memory of 684	2328	M.exe	100
PID 2328 wrote to memory of 684	2328	M.exe	100
PID 2328 wrote to memory of 684	2328	M.exe	100
PID 2328 wrote to memory of 4016	2328	M.exe	101
PID 2328 wrote to memory of 4016	2328	M.exe	101
PID 2328 wrote to memory of 4016	2328	M.exe	101
PID 2328 wrote to memory of 2696	2328	M.exe	102
PID 2328 wrote to memory of 2696	2328	M.exe	102
PID 2328 wrote to memory of 2696	2328	M.exe	102
PID 2328 wrote to memory of 1628	2328	M.exe	103
PID 2328 wrote to memory of 1628	2328	M.exe	103
PID 2328 wrote to memory of 1628	2328	M.exe	103
PID 2328 wrote to memory of 920	2328	M.exe	105
PID 2328 wrote to memory of 920	2328	M.exe	105
PID 2328 wrote to memory of 920	2328	M.exe	105
PID 2252 wrote to memory of 1588	2252	cmd.exe	104
PID 2252 wrote to memory of 1588	2252	cmd.exe	104
PID 2252 wrote to memory of 1588	2252	cmd.exe	104
PID 2328 wrote to memory of 3460	2328	M.exe	106
PID 2328 wrote to memory of 3460	2328	M.exe	106
PID 2328 wrote to memory of 3460	2328	M.exe	106
PID 2328 wrote to memory of 3220	2328	M.exe	107
PID 2328 wrote to memory of 3220	2328	M.exe	107
PID 2328 wrote to memory of 3220	2328	M.exe	107
PID 2328 wrote to memory of 3204	2328	M.exe	108
PID 2328 wrote to memory of 3204	2328	M.exe	108
PID 2328 wrote to memory of 3204	2328	M.exe	108
PID 2328 wrote to memory of 1484	2328	M.exe	109
PID 2328 wrote to memory of 1484	2328	M.exe	109
PID 2328 wrote to memory of 1484	2328	M.exe	109
PID 2328 wrote to memory of 944	2328	M.exe	110
PID 2328 wrote to memory of 944	2328	M.exe	110
PID 2328 wrote to memory of 944	2328	M.exe	110
PID 2328 wrote to memory of 4652	2328	M.exe	111

C:\Users\Admin\AppData\Local\Temp\48077fc7cdbb7f87e0dd80696b9e5915_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48077fc7cdbb7f87e0dd80696b9e5915_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    /c net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\SysWOW64\net.exe
      net stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:1588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MpsSvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:884
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2772
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1620
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:368
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2484
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:716
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3964
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1288
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1144
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:684
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4016
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2696
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1628
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:920
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3460
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3220
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3204
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1484
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:944
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4652
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:748
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3536
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4180
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2424
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:864
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2316
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2224
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4392
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:724
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4264
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1860
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1304
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2704
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4860
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1624
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4660
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:540
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1452
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2192
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2364
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4636
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3860
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2988
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3864
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3832
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3596
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3956
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4388
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:928
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:532
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2604
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4112
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1168
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4752
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4488
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3648
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3812
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:5076
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4120
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4656
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4384
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1284
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1908
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1516
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1732
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2820
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3144
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1604
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3224
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1964
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2656
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2524
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2056
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1884
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:408
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4344
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1956
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4516
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4776
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4876
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1916
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4540
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:964
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4272
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4768
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:5000
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2664
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4632
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3992
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:664
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2936
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4960
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2128
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3928
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3388
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3600
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2384
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3532
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1560
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4932
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3936
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.ex_

Filesize
839KB

MD5
7e38010d9864e1ff362dd26a518e91ef

SHA1
912b7df201b014d59ffe1b6b357b2a1be7593993

SHA256
f954ed42b465a24011d34e9cb9fe0f28ba94ef07a597e5204e1fcd8654a08c1c

SHA512
25cdad73cb1b0ebde3236567ca23d9751fdfc5490ec7d6406ea421afc22146f6866040cfea6cf6e53c42213a4f25f8e3fa709eb5ae7d1ce8816b3fc1970f8b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe

Filesize
716KB

MD5
aa8a27f555ba52a3057d1ebd59e51193

SHA1
fbc1b0916e428969d2e7e11f2a0c5bd6449ad05f

SHA256
09cd260d8a7a59b6e123b59d1d7ccdb289d56ccf7be4952451768bbafee305d2

SHA512
04bbf4d273bebd851725b5b4cae007413983cdb7efef56f8d88995493f5c8d0afa29accd7d8135ac686acbde8c8f7507c23969b4f5315409dedc2e4d34fdcfb3

Download Submit
memory/2328-7-0x0000000000850000-0x0000000000852000-memory.dmp

Filesize
8KB

Download
memory/2328-14-0x0000000002320000-0x0000000002325000-memory.dmp

Filesize
20KB

Download
memory/3328-21-0x0000000000400000-0x00000000052E8000-memory.dmp

Filesize
78.9MB

Download
memory/3328-19-0x0000000000400000-0x00000000052E8000-memory.dmp

Filesize
78.9MB

Download
memory/3328-17-0x0000000000400000-0x00000000052E8000-memory.dmp

Filesize
78.9MB

Download
memory/3328-22-0x0000000000400000-0x00000000052E8000-memory.dmp

Filesize
78.9MB

Download
memory/3328-23-0x0000000000400000-0x00000000052E8000-memory.dmp

Filesize
78.9MB

Download
memory/3328-24-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/3328-26-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/3328-27-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/3328-28-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/3328-29-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/3328-37-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download