Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30-10-2024 10:00

Static task: static1
Behavioral task: behavioral1
- Sample: 7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: 7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe
- Size: 302KB
- MD5: 7eb914089a7e5d827f4d5912fdf0d1af
- SHA1: 1d469f8216dbff2a98cc6ad2fc1eb262155b82df
- SHA256: fb6d24f8c56f6d8ea302f98dd9b16a71d2f4ad43ff17626426b1fcfb5a97d74c
- SHA512: c9c2abeff818e41bfda9461985055aaae3c20d370cbabb40a87912cf1d6ba687d1b8a3f67e3c74025e5c1086b3299a30a25eaa353d199cafaad1fef7253ab142
- SSDEEP: 6144:qXmWOEErIBT+UWnAS0OU9fVagMKl4ukYbZ1bqWviJaxggCGyt5f7vKX:MLiASlU9f4WuW6iyt5GX
Malware Config

Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: sora25.no-ip.biz:1604
- Mutex: DC_MUTEX-95QWLKK
- Attributes:
  - InstallPath: MSDCSC\msdcsc.exe
  - gencode: akKgEc3SfEnC
  - install: true
  - offline_keylogger: true
  - persistence: true
  - reg_key: MicroUpdate
Signatures

- Darkcomet family

- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | AppLaunch.exe

- Modifies firewall policy service (3 TTPs, 3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | AppLaunch.exe

- Modifies security service (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | AppLaunch.exe

- Windows security bypass
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | AppLaunch.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | AppLaunch.exe
- Sets file to hidden (1 TTPs, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid | Process
  2104 | attrib.exe
  1892 | attrib.exe

- Executes dropped EXE (3 IoCs)
  pid | Process
  2772 | audiadg.exe
  1896 | bcdprov.exe
  668 | msdcsc.exe

- Loads dropped DLL (4 IoCs)
  pid | Process
  2520 | 7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe
  2520 | 7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe
  2772 | audiadg.exe
  2860 | AppLaunch.exe

- Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | AppLaunch.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\audiadg.exe" | audiadg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | AppLaunch.exe

- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2520 set thread context of 2860 | 2520 | 7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe | 31
  PID 1896 set thread context of 1304 | 1896 | bcdprov.exe | 41
- Yara rule matches
  resource | yara_rule
  behavioral1/memory/2860-16-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2860-12-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2860-10-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2860-15-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2860-17-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2860-22-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2860-21-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2860-20-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2860-19-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2860-43-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/1304-52-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/1304-50-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/1304-54-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/1304-53-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/1304-56-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/1304-55-0x0000000000400000-0x00000000004B7000-memory.dmp | upx

- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | attrib.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | attrib.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AppLaunch.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | audiadg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bcdprov.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AppLaunch.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  (all 64 entries come from the same two processes; identical rows collapsed)
  2520 | 7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe
  2772 | audiadg.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  1304 | AppLaunch.exe

- Suspicious use of AdjustPrivilegeToken (49 IoCs)
  description | pid | Process
  (rows grouped by process; each listed privilege is one IoC)
  Token: SeDebugPrivilege | 2520 | 7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 2860 | AppLaunch.exe
  Token: SeDebugPrivilege | 2772 | audiadg.exe
  Token: SeDebugPrivilege | 1896 | bcdprov.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 1304 | AppLaunch.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  1304 | AppLaunch.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  (identical rows collapsed; the repeat count of each row is given in parentheses)
  PID 2520 wrote to memory of 2860 | 2520 | 7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe | 31 (x11)
  PID 2860 wrote to memory of 2988 | 2860 | AppLaunch.exe | 32 (x7)
  PID 2860 wrote to memory of 2764 | 2860 | AppLaunch.exe | 33 (x7)
  PID 2520 wrote to memory of 2772 | 2520 | 7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe | 34 (x4)
  PID 2764 wrote to memory of 2104 | 2764 | cmd.exe | 38 (x7)
  PID 2988 wrote to memory of 1892 | 2988 | cmd.exe | 37 (x7)
  PID 2772 wrote to memory of 1896 | 2772 | audiadg.exe | 39 (x4)
  PID 2860 wrote to memory of 668 | 2860 | AppLaunch.exe | 40 (x7)
  PID 1896 wrote to memory of 1304 | 1896 | bcdprov.exe | 41 (x10)

- Views/modifies file attributes (1 TTPs, 2 IoCs)
  pid | Process
  2104 | attrib.exe
  1892 | attrib.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe"
    PID: 2520
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        PID: 2860
        - Modifies WinLogon for persistence
        - Loads dropped DLL
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" +s +h
            PID: 2988
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\attrib.exe
                Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" +s +h
                PID: 1892
                - Sets file to hidden
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Views/modifies file attributes

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            PID: 2764
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\attrib.exe
                Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
                PID: 2104
                - Sets file to hidden
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Views/modifies file attributes

        [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
            PID: 668
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiadg.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiadg.exe"
        PID: 2772
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\bcdprov.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\bcdprov.exe"
            PID: 1896
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                PID: 1304
                - Modifies firewall policy service
                - Modifies security service
                - Windows security bypass
                - Adds Run key to start application
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx

                [5] C:\Windows\SysWOW64\notepad.exe
                    Command line: notepad
                    PID: 2252
                    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (1)
- Modify Registry (5)
Downloads

- Filesize: 302KB
  MD5: 7eb914089a7e5d827f4d5912fdf0d1af
  SHA1: 1d469f8216dbff2a98cc6ad2fc1eb262155b82df
  SHA256: fb6d24f8c56f6d8ea302f98dd9b16a71d2f4ad43ff17626426b1fcfb5a97d74c
  SHA512: c9c2abeff818e41bfda9461985055aaae3c20d370cbabb40a87912cf1d6ba687d1b8a3f67e3c74025e5c1086b3299a30a25eaa353d199cafaad1fef7253ab142

- Filesize: 11KB
  MD5: 9b3848f7bd575120a33fb480774b5b6b
  SHA1: 9a7ef7a9b4f946f4ddbe2fadb3c52f1fd6991045
  SHA256: 271f73350c0e95d765fe1ccbf4b1fae1f7b62b62a723472a65f562ceab22d791
  SHA512: 02a7364ff655f0a4345b7428f577396a8ec7347f2d8466f4d957b7dd3909baf6b7b403135450b3f142ea275452fbfb418f64f075fba11f808640479d726a73b3

- Filesize: 54KB
  MD5: 0f01571a3e4c71eb4313175aae86488e
  SHA1: 2ba648afe2cd52edf5f25e304f77d457abf7ac0e
  SHA256: 8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022
  SHA512: 159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794