Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2024 10:00

Static task: static1
Behavioral task: behavioral1
Sample: 7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe
Size: 302KB
MD5: 7eb914089a7e5d827f4d5912fdf0d1af
SHA1: 1d469f8216dbff2a98cc6ad2fc1eb262155b82df
SHA256: fb6d24f8c56f6d8ea302f98dd9b16a71d2f4ad43ff17626426b1fcfb5a97d74c
SHA512: c9c2abeff818e41bfda9461985055aaae3c20d370cbabb40a87912cf1d6ba687d1b8a3f67e3c74025e5c1086b3299a30a25eaa353d199cafaad1fef7253ab142
SSDEEP: 6144:qXmWOEErIBT+UWnAS0OU9fVagMKl4ukYbZ1bqWviJaxggCGyt5f7vKX:MLiASlU9f4WuW6iyt5GX
Malware Config
Extracted
Family: darkcomet
Botnet (campaign ID): Guest16
C2: sora25.no-ip.biz:1604
Mutex: DC_MUTEX-95QWLKK
Attributes
InstallPath: MSDCSC\msdcsc.exe
gencode: akKgEc3SfEnC
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate

The C2 is a no-ip.biz dynamic-DNS name, so whatever IP it resolved to during this run is not a durable indicator; pivot on the hostname, the mutex, the install path and the reg_key value instead. Guest16 and port 1604 are the DarkComet builder defaults, so they identify the family rather than this particular operator.
Signatures

Darkcomet family

Modifies WinLogon for persistence 2 TTPs 1 IoCs
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"  [AppLaunch.exe]
  The dropped msdcsc.exe is appended after the legitimate userinit.exe, so Winlogon starts it at every interactive logon. Remediation is to restore the value to the userinit.exe entry alone rather than deleting the value.

Modifies firewall policy service 3 TTPs 3 IoCs
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  [AppLaunch.exe]
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  [AppLaunch.exe]
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"  [AppLaunch.exe]
  EnableFirewall = 0 switches the Standard-profile firewall off by writing the policy key directly, not through the firewall API a legitimate installer would use.

Modifies security service 2 TTPs 1 IoCs
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"  [AppLaunch.exe]
  Start = 4 is SERVICE_DISABLED: the Security Center service (wscsvc) will not start on the next boot, so its health notifications go silent.

Windows security bypass 2 IoCs
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [AppLaunch.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [AppLaunch.exe]
  The WOW6432Node path shows a 32-bit writer on the x64 guest, which matches the 32-bit AppLaunch.exe under Framework\ (not Framework64\) that the sample hollows into.
Sets file to hidden 1 TTPs 2 IoCs
  Modifies file attributes to stop it showing in Explorer etc.
  448 attrib.exe, 1064 attrib.exe

Checks computer location settings 2 TTPs 2 IoCs
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation  [audiadg.exe]
  Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation  [7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe]

Executes dropped EXE 3 IoCs
  3108 audiadg.exe, 4600 msdcsc.exe, 3584 bcdprov.exe

Adds Run key to start application 2 TTPs 3 IoCs
  Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"  [AppLaunch.exe]
  Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\audiadg.exe"  [audiadg.exe]
  Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"  [AppLaunch.exe]
  Two independent persistence entries: the DarkComet reg_key "MicroUpdate" (written twice by the hollowed AppLaunch.exe) and a second Run value, named to look like a Windows component, that audiadg.exe registers for itself.

Suspicious use of SetThreadContext 2 IoCs
  PID 3740 7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe set thread context of 4760 (procid_target 102)
  PID 3584 bcdprov.exe set thread context of 4552 (procid_target 114)
  Both targets are AppLaunch.exe instances (PIDs 4760 and 4552 in the process tree). Together with the eight WriteProcessMemory calls each parent makes into that child and the UPX-packed image found at 0x400000 in both children, this is process hollowing: a legitimate .NET host binary is started suspended, its image is replaced with the RAT payload and the main thread's context is pointed at the new entry point.

UPX-packed image in memory (yara rule: upx) 12 IoCs
  behavioral2/memory/4760-9, 4760-10, 4760-11, 4760-12, 4760-13: 0x0000000000400000-0x00000000004B7000 memory.dmp
  behavioral2/memory/4552-89, 4552-90, 4552-91, 4552-92, 4552-93, 4552-95, 4552-96: 0x0000000000400000-0x00000000004B7000 memory.dmp
  The same 0xB7000-byte region at the default image base in both hollowed processes, consistent with one payload injected twice.
Drops file in Windows directory 2 IoCs
  File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727  [attrib.exe]
  File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe  [attrib.exe]
  These are the attrib +s +h calls from the process tree (attribute changes on the hollowed host binary and its directory), not new files written under C:\Windows.

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: AppLaunch.exe (x2), cmd.exe (x2), attrib.exe (x2), bcdprov.exe, 7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe, audiadg.exe, msdcsc.exe, notepad.exe
  Every process in the tree opens this key, cmd.exe, attrib.exe and notepad.exe included, so on its own it is runtime noise rather than evidence of a deliberate language check.

Modifies registry class 1 IoCs
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  [AppLaunch.exe]
Suspicious behavior: EnumeratesProcesses 64 IoCs
  3740 7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe (36 hits), 3108 audiadg.exe (28 hits)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  4552 AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs
  SeDebugPrivilege only: 3740 7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe, 3108 audiadg.exe, 3584 bcdprov.exe
  4760 AppLaunch.exe and 4552 AppLaunch.exe (24 privileges each): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  The three processes that enable only SeDebugPrivilege are the three injectors (the sample, audiadg.exe and bcdprov.exe); that is the privilege a classic injector turns on before opening other processes. The two hollowed AppLaunch.exe instances enable every privilege in their token at once, a blanket "enable all" that no legitimate .NET launcher performs. The numeric entries 33 to 36 are privilege LUIDs the sandbox did not resolve to names; by LUID they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege.

Suspicious use of SetWindowsHookEx 1 IoCs
  4552 AppLaunch.exe
  With offline_keylogger = true in the extracted config, a Windows hook installed by the hollowed payload is consistent with the keylogger being armed.

Suspicious use of WriteProcessMemory 59 IoCs
  PID 3740 7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe wrote to 4760 AppLaunch.exe (procid_target 102): 8 writes
  PID 4760 AppLaunch.exe wrote to 4016 cmd.exe (procid_target 103): 3 writes
  PID 4760 AppLaunch.exe wrote to 2908 cmd.exe (procid_target 104): 3 writes
  PID 2908 cmd.exe wrote to 448 attrib.exe (procid_target 107): 3 writes
  PID 4016 cmd.exe wrote to 1064 attrib.exe (procid_target 108): 3 writes
  PID 3740 7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe wrote to 3108 audiadg.exe (procid_target 109): 3 writes
  PID 4760 AppLaunch.exe wrote to 4600 msdcsc.exe (procid_target 110): 3 writes
  PID 3108 audiadg.exe wrote to 3584 bcdprov.exe (procid_target 111): 3 writes
  PID 3584 bcdprov.exe wrote to 4552 AppLaunch.exe (procid_target 114): 8 writes
  PID 4552 AppLaunch.exe wrote to 2428 notepad.exe (procid_target 115): 22 writes
  The groups of three accompany ordinary process creation in this sandbox (every parent/child pair in the tree shows them, cmd.exe to attrib.exe included) and carry no signal on their own. The two groups of eight are the hollowing injections into AppLaunch.exe, and the 22 writes into notepad.exe are the hollowed payload injecting into a second host that it spawned itself.

Views/modifies file attributes 1 TTPs 2 IoCs
  1064 attrib.exe, 448 attrib.exe
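The registry values, file paths, mutex and C2 name above are exactly what a responder needs to check on other hosts. The following is an added example, not part of the Triage report or of any DarkComet tooling: a read-only PowerShell triage script that looks for each artifact listed under Malware Config and Signatures. It assumes the report's paths and value names verbatim (MSDCSC\msdcsc.exe, MicroUpdate, DC_MUTEX-95QWLKK, sora25.no-ip.biz, the Security Center and firewall policy keys) and treats the Windows default UserInit entry as the only legitimate one; the profile layout under C:\Users and the DNS-cache check are assumptions about a typical workstation.

```powershell
# Added example (not from the report): read-only host triage for the DarkComet
# artifacts this report lists. Run in an elevated PowerShell on the suspect host.
# Assumptions: paths, value names, mutex and C2 host are taken from the report;
# the UserInit whitelist is the Windows default and may differ on managed builds.

$Findings = [System.Collections.Generic.List[string]]::new()
function Add-Finding([string]$Text) { $script:Findings.Add($Text) }

# 1. Winlogon UserInit: anything after the legitimate userinit.exe runs at logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userInit = (Get-ItemProperty -Path $winlogon -Name UserInit -ErrorAction SilentlyContinue).UserInit
foreach ($entry in ($userInit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
    if ($entry -notmatch '^(C:\\Windows\\system32\\)?userinit\.exe$') {
        Add-Finding "Winlogon UserInit carries an extra entry: $entry"
    }
}

# 2. Run keys in HKLM (native and WOW6432Node) and every loaded user hive:
#    the config's reg_key "MicroUpdate", anything pointing at MSDCSC\msdcsc.exe,
#    and the second value audiadg.exe registered for itself.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$runKeys += @(Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" })
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
        $v = [string]$p.Value
        if ($p.Name -eq 'MicroUpdate' -or
            $v -match 'MSDCSC\\msdcsc\.exe' -or
            $v -match 'Templates\\audiadg\.exe') {
            Add-Finding "Run value $key\$($p.Name) = $v"
        }
    }
}

# 3. Defense-evasion registry writes made by the hollowed AppLaunch.exe (PID 4552).
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw -and $fw.EnableFirewall -eq 0) { Add-Finding 'FirewallPolicy\StandardProfile\EnableFirewall = 0' }

$wsc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc' -ErrorAction SilentlyContinue
if ($wsc -and $wsc.Start -eq 4) { Add-Finding 'Security Center service wscsvc is disabled (Start = 4)' }

foreach ($sc in 'HKLM:\SOFTWARE\Microsoft\Security Center',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center') {
    $v = Get-ItemProperty -Path $sc -ErrorAction SilentlyContinue
    foreach ($name in 'AntiVirusDisableNotify', 'UpdatesDisableNotify') {
        if ($v -and "$($v.$name)" -eq '1') { Add-Finding "$sc\$name = 1" }
    }
}

# 4. The hollowed host binary and its directory were set +s +h by attrib.exe;
#    a .NET framework directory and binary should never carry Hidden+System.
foreach ($path in 'C:\Windows\Microsoft.NET\Framework\v2.0.50727',
                  'C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe') {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item -and $item.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
        $item.Attributes.HasFlag([IO.FileAttributes]::System)) {
        Add-Finding "Hidden+System attributes on $path"
    }
}

# 5. Dropped components under every profile (the report saw them under C:\Users\Admin).
foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    foreach ($rel in 'Documents\MSDCSC\msdcsc.exe',
                     'AppData\Roaming\Microsoft\Windows\Templates\audiadg.exe',
                     'AppData\Local\Temp\bcdprov.exe') {
        $full = Join-Path $userDir.FullName $rel
        if (Test-Path -LiteralPath $full) { Add-Finding "Dropped file present: $full" }
    }
}

# 6. Live mutex (only visible from the same session the RAT runs in) and cached C2 lookup.
try {
    $m = [System.Threading.Mutex]::OpenExisting('DC_MUTEX-95QWLKK')
    $m.Dispose()
    Add-Finding 'Mutex DC_MUTEX-95QWLKK exists: a DarkComet instance is running in this session'
} catch { }
if (Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like '*sora25.no-ip.biz*' }) {
    Add-Finding 'C2 name sora25.no-ip.biz is in the DNS client cache'
}

if ($Findings.Count -eq 0) { 'No DarkComet artifacts from this report found.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

The UserInit check is the one that matters most for cleanup: it flags any entry other than userinit.exe rather than only the path seen here, because the install path is a builder option and will differ between DarkComet builds. The mutex test is a point-in-time check that is only meaningful when run in the same logon session as the RAT; the registry, file and DNS-cache checks survive a reboot and are the ones to push out fleet-wide.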
Processes
(leading number = depth in the process tree; "cmdline" is the command line as recorded)

1. C:\Users\Admin\AppData\Local\Temp\7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe  PID 3740
   cmdline: "C:\Users\Admin\AppData\Local\Temp\7eb914089a7e5d827f4d5912fdf0d1af_JaffaCakes118.exe"
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe  PID 4760
      cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      - Modifies WinLogon for persistence
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe  PID 4016
         cmdline: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" +s +h
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\attrib.exe  PID 1064
            cmdline: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" +s +h
            - Sets file to hidden
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Views/modifies file attributes

      3. C:\Windows\SysWOW64\cmd.exe  PID 2908
         cmdline: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\attrib.exe  PID 448
            cmdline: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            - Sets file to hidden
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Views/modifies file attributes

      3. C:\Users\Admin\Documents\MSDCSC\msdcsc.exe  PID 4600
         cmdline: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiadg.exe  PID 3108
      cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiadg.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\bcdprov.exe  PID 3584
         cmdline: "C:\Users\Admin\AppData\Local\Temp\bcdprov.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe  PID 4552
            cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            - Modifies firewall policy service
            - Modifies security service
            - Windows security bypass
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\notepad.exe  PID 2428
               cmdline: notepad
               - System Location Discovery: System Language Discovery

Reading the tree: the sample hollows its payload into AppLaunch.exe (4760), which installs persistence (the Winlogon UserInit entry and the MicroUpdate Run value), hides its own host binary and directory with attrib +s +h, and starts the dropped msdcsc.exe. In parallel the sample drops audiadg.exe, which registers its own Run value and launches bcdprov.exe; that in turn hollows a second AppLaunch.exe (4552), and it is this second instance that disables the firewall and Security Center, installs the keyboard hook and injects into notepad.exe. Two hollowed AppLaunch.exe processes with the same image, started from different parents, are the thing to look for in endpoint telemetry.
Network
MITRE ATT&CK Enterprise v15
(count in parentheses = number of matching signatures)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)

Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (1)
  Modify Registry (5)
Downloads

File 1 (the submitted sample)
  Filesize: 302KB
  MD5: 7eb914089a7e5d827f4d5912fdf0d1af
  SHA1: 1d469f8216dbff2a98cc6ad2fc1eb262155b82df
  SHA256: fb6d24f8c56f6d8ea302f98dd9b16a71d2f4ad43ff17626426b1fcfb5a97d74c
  SHA512: c9c2abeff818e41bfda9461985055aaae3c20d370cbabb40a87912cf1d6ba687d1b8a3f67e3c74025e5c1086b3299a30a25eaa353d199cafaad1fef7253ab142

File 2
  Filesize: 11KB
  MD5: 9b3848f7bd575120a33fb480774b5b6b
  SHA1: 9a7ef7a9b4f946f4ddbe2fadb3c52f1fd6991045
  SHA256: 271f73350c0e95d765fe1ccbf4b1fae1f7b62b62a723472a65f562ceab22d791
  SHA512: 02a7364ff655f0a4345b7428f577396a8ec7347f2d8466f4d957b7dd3909baf6b7b403135450b3f142ea275452fbfb418f64f075fba11f808640479d726a73b3

File 3
  Filesize: 57KB
  MD5: 454501a66ad6e85175a6757573d79f8b
  SHA1: 8ca96c61f26a640a5b1b1152d055260b9d43e308
  SHA256: 7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8
  SHA512: 9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7