Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2024 17:59
Behavioral task
behavioral1
Sample
9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe
Resource
win7-20241010-en
windows7-x64
23 signatures
150 seconds
General
-
Target
9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe
-
Size
762KB
-
MD5
9d0c1d9b11e1ce48d82a2ea03a0709f9
-
SHA1
69854a50c08f07ffbb384eaa248616bc429c824f
-
SHA256
a5c70a268a567eddb9d7a95b9760a273800800fecaa60668c707e2557440e327
-
SHA512
6f5fb454f256053a5ae925b88df46e434e614992be65a064e1fc0b5f107a7400ae54aacb164b72db0344b6775281e19a3fabf214a04587cc8f617e7ad57c0b71
-
SSDEEP
12288:j9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hzbH:tZ1xuVVjfFoynPaVBUR8f+kN10EBVL
Malware Config
Extracted
Family
darkcomet
Botnet
HF
C2
guysf.no-ip.biz:1604
Mutex
DC_MUTEX-CSMN1X9
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
QeC7oBWrh8EE
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe -
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" iexplore.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile iexplore.exe -
Modifies security service 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" iexplore.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" iexplore.exe -
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" iexplore.exe -
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 4080 attrib.exe 2916 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe -
Deletes itself 1 IoCs
pid Process 4932 notepad.exe -
Executes dropped EXE 1 IoCs
pid Process 2816 msdcsc.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" iexplore.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2816 set thread context of 3432 2816 msdcsc.exe 92 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdcsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3432 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeSecurityPrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeLoadDriverPrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeSystemProfilePrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeSystemtimePrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeBackupPrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeRestorePrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeShutdownPrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeDebugPrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeUndockPrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeManageVolumePrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeImpersonatePrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: 33 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: 34 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: 35 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: 36 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2816 msdcsc.exe Token: SeSecurityPrivilege 2816 msdcsc.exe Token: SeTakeOwnershipPrivilege 2816 msdcsc.exe Token: SeLoadDriverPrivilege 2816 msdcsc.exe Token: SeSystemProfilePrivilege 2816 msdcsc.exe Token: SeSystemtimePrivilege 2816 msdcsc.exe Token: SeProfSingleProcessPrivilege 2816 msdcsc.exe Token: SeIncBasePriorityPrivilege 2816 msdcsc.exe Token: SeCreatePagefilePrivilege 2816 msdcsc.exe Token: SeBackupPrivilege 2816 msdcsc.exe Token: SeRestorePrivilege 2816 msdcsc.exe Token: SeShutdownPrivilege 2816 msdcsc.exe Token: SeDebugPrivilege 2816 msdcsc.exe Token: SeSystemEnvironmentPrivilege 2816 msdcsc.exe Token: SeChangeNotifyPrivilege 2816 msdcsc.exe Token: SeRemoteShutdownPrivilege 2816 msdcsc.exe Token: SeUndockPrivilege 2816 msdcsc.exe Token: SeManageVolumePrivilege 2816 msdcsc.exe Token: SeImpersonatePrivilege 2816 msdcsc.exe Token: SeCreateGlobalPrivilege 2816 msdcsc.exe Token: 33 2816 msdcsc.exe Token: 34 2816 msdcsc.exe Token: 35 2816 msdcsc.exe Token: 36 2816 msdcsc.exe Token: SeIncreaseQuotaPrivilege 3432 iexplore.exe Token: SeSecurityPrivilege 3432 iexplore.exe Token: SeTakeOwnershipPrivilege 3432 iexplore.exe Token: SeLoadDriverPrivilege 3432 iexplore.exe Token: SeSystemProfilePrivilege 3432 iexplore.exe Token: SeSystemtimePrivilege 3432 iexplore.exe Token: SeProfSingleProcessPrivilege 3432 iexplore.exe Token: SeIncBasePriorityPrivilege 3432 iexplore.exe Token: SeCreatePagefilePrivilege 3432 iexplore.exe Token: SeBackupPrivilege 3432 iexplore.exe Token: SeRestorePrivilege 3432 iexplore.exe Token: SeShutdownPrivilege 3432 iexplore.exe Token: SeDebugPrivilege 3432 iexplore.exe Token: SeSystemEnvironmentPrivilege 3432 iexplore.exe Token: SeChangeNotifyPrivilege 3432 iexplore.exe Token: SeRemoteShutdownPrivilege 3432 iexplore.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3432 iexplore.exe -
Suspicious use of WriteProcessMemory 62 IoCs
description pid Process procid_target PID 1284 wrote to memory of 4300 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 83 PID 1284 wrote to memory of 4300 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 83 PID 1284 wrote to memory of 4300 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 83 PID 1284 wrote to memory of 3464 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 85 PID 1284 wrote to memory of 3464 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 85 PID 1284 wrote to memory of 3464 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 85 PID 1284 wrote to memory of 2636 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 87 PID 1284 wrote to memory of 2636 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 87 PID 1284 wrote to memory of 2636 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 87 PID 4300 wrote to memory of 4080 4300 cmd.exe 88 PID 4300 wrote to memory of 4080 4300 cmd.exe 88 PID 4300 wrote to memory of 4080 4300 cmd.exe 88 PID 3464 wrote to memory of 2916 3464 cmd.exe 89 PID 3464 wrote to memory of 2916 3464 cmd.exe 89 PID 3464 wrote to memory of 2916 3464 cmd.exe 89 PID 1284 wrote to memory of 4932 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 90 PID 1284 wrote to memory of 4932 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 90 PID 1284 wrote to memory of 4932 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 90 PID 1284 wrote to memory of 4932 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 90 PID 1284 wrote to memory of 4932 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 90 PID 1284 wrote to memory of 4932 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 90 PID 1284 wrote to memory of 4932 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 90 PID 1284 wrote to memory of 4932 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 90 PID 1284 wrote to memory of 4932 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 90 PID 1284 wrote to memory of 4932 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 90 PID 1284 wrote to memory of 4932 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 90 PID 1284 wrote to memory of 4932 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 90 PID 1284 wrote to memory of 4932 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 90 PID 1284 wrote to memory of 4932 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 90 PID 1284 wrote to memory of 4932 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 90 PID 1284 wrote to memory of 4932 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 90 PID 1284 wrote to memory of 4932 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 90 PID 1284 wrote to memory of 2816 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 91 PID 1284 wrote to memory of 2816 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 91 PID 1284 wrote to memory of 2816 1284 9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe 91 PID 2816 wrote to memory of 3432 2816 msdcsc.exe 92 PID 2816 wrote to memory of 3432 2816 msdcsc.exe 92 PID 2816 wrote to memory of 3432 2816 msdcsc.exe 92 PID 2816 wrote to memory of 3432 2816 msdcsc.exe 92 PID 2816 wrote to memory of 3432 2816 msdcsc.exe 92 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 PID 3432 wrote to memory of 4224 3432 iexplore.exe 93 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" msdcsc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion msdcsc.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 4080 attrib.exe 2916 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\9d0c1d9b11e1ce48d82a2ea03a0709f9_JaffaCakes118.exe" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4080
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2916
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\SLB RULES.TXT2⤵
- System Location Discovery: System Language Discovery
PID:2636
-
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:4932
-
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2816 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\notepad.exenotepad4⤵
- System Location Discovery: System Language Discovery
PID:4224
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD54b1c21c161caf75651f2a58c4fe1d762
SHA117e28ed06d1337efc14b1cbd08ad25690ea8a491
SHA2568a13216ff4789cd03f5a6c79458581974c540f98ac4d2cbcfec4dd874f61df4e
SHA5123cf7ac11c1189c6aee559ef861ebc762e3168a55192d0f4756a0312e0ded04813610f90ad1e551a6e79b8f0b91e77a0b9e44525f991b516297646d2c13ac7128
-
Filesize
762KB
MD59d0c1d9b11e1ce48d82a2ea03a0709f9
SHA169854a50c08f07ffbb384eaa248616bc429c824f
SHA256a5c70a268a567eddb9d7a95b9760a273800800fecaa60668c707e2557440e327
SHA5126f5fb454f256053a5ae925b88df46e434e614992be65a064e1fc0b5f107a7400ae54aacb164b72db0344b6775281e19a3fabf214a04587cc8f617e7ad57c0b71