darkcomet | 1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe
Size

1.7MB
MD5

4a45eda053a2e6ca140a58d2dcba5ff0
SHA1

fa5bcdcb373d8dce86ae6bcc4ed4770ab4498b5d
SHA256

1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11
SHA512

89fdba17a8750c85b3488492e1968a2ae7bc876552a558f84cd6ecee6582ee360112abe580fa0dab0005824f09695b4f8b114a4e2f09e12bad4f7030c14a416b
SSDEEP

49152:kOBuzw/nMVpcq/2ELfWum/+kD+MKklDvjao:kOuzwMobEKpDVKabjao

Score

10^/10

darkcomet 093012de discovery exploit persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

093012DE

hosting.servegame.com:8085

Mutex

DC_MUTEX-NPS90EE

Attributes

gencode
Sjl07Y5gccaE
install
false
offline_keylogger
true
password
Michemicalromance
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Possible privilege escalation attempt 4 IoCs

exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid	Process
676	takeown.exe
2372	icacls.exe
2300	takeown.exe
2456	icacls.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HCMH78.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	HCMH78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	HCMH78.exe

Executes dropped EXE 6 IoCs

Processes:

HCMH78.exeFileName.exeFileName.exeFileName.exeFileName.exebootsect.exe

pid	Process
2940	HCMH78.exe
2592	FileName.exe
2720	FileName.exe
2700	FileName.exe
2644	FileName.exe
2364	bootsect.exe

Loads dropped DLL 9 IoCs

Processes:

1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe

pid	Process
3020	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe
3020	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe
3020	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe
3020	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe
2816	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe
2816	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe
2816	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe
2816	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe
2816	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid	Process
676	takeown.exe
2372	icacls.exe
2300	takeown.exe
2456	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeDLL = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\FileName.exe"	reg.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exeFileName.exe

description	pid	Process	procid_target
PID 1312 set thread context of 3020	1312	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	31
PID 1312 set thread context of 2816	1312	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	32
PID 2592 set thread context of 2720	2592	FileName.exe	60
PID 2592 set thread context of 2700	2592	FileName.exe	61
PID 2592 set thread context of 2644	2592	FileName.exe	62

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3020-99-0x0000000000400000-0x00000000007AD000-memory.dmp	upx
behavioral1/memory/3020-98-0x0000000000400000-0x00000000007AD000-memory.dmp	upx
behavioral1/memory/2816-97-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/3020-96-0x0000000000400000-0x00000000007AD000-memory.dmp	upx
behavioral1/memory/2816-93-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2816-92-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2816-91-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2816-89-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/3020-73-0x0000000000400000-0x00000000007AD000-memory.dmp	upx
behavioral1/memory/3020-72-0x0000000000400000-0x00000000007AD000-memory.dmp	upx
behavioral1/memory/3020-86-0x0000000000400000-0x00000000007AD000-memory.dmp	upx
behavioral1/memory/3020-85-0x0000000000400000-0x00000000007AD000-memory.dmp	upx
behavioral1/memory/2816-83-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2816-81-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0009000000017342-104.dat	upx
behavioral1/memory/3020-116-0x0000000003CF0000-0x0000000003F13000-memory.dmp	upx
behavioral1/memory/2940-119-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/memory/3020-225-0x0000000000400000-0x00000000007AD000-memory.dmp	upx
behavioral1/memory/2816-226-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2700-318-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2720-317-0x0000000000400000-0x00000000007AD000-memory.dmp	upx
behavioral1/memory/2644-325-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2940-324-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/memory/2816-333-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2720-336-0x0000000000400000-0x00000000007AD000-memory.dmp	upx
behavioral1/memory/2940-348-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/memory/3020-351-0x0000000000400000-0x00000000007AD000-memory.dmp	upx
behavioral1/memory/2700-352-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2644-355-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeFileName.execmd.execmd.exeFileName.exe1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exeFileName.exeFileName.execmd.exe1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exeHCMH78.execmd.execmd.exetakeown.execmd.execompact.exe1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exereg.exetakeown.exeicacls.execmd.exeicacls.execmd.exebootsect.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileName.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileName.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileName.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileName.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HCMH78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compact.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bootsect.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

HCMH78.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	HCMH78.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	HCMH78.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

HCMH78.exe

pid	Process
2940	HCMH78.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

HCMH78.exetakeown.exetakeown.exeFileName.exeFileName.exe

description	pid	Process
Token: 33	2940	HCMH78.exe
Token: SeIncBasePriorityPrivilege	2940	HCMH78.exe
Token: 33	2940	HCMH78.exe
Token: SeIncBasePriorityPrivilege	2940	HCMH78.exe
Token: SeTakeOwnershipPrivilege	676	takeown.exe
Token: SeTakeOwnershipPrivilege	2300	takeown.exe
Token: SeIncreaseQuotaPrivilege	2644	FileName.exe
Token: SeSecurityPrivilege	2644	FileName.exe
Token: SeTakeOwnershipPrivilege	2644	FileName.exe
Token: SeLoadDriverPrivilege	2644	FileName.exe
Token: SeSystemProfilePrivilege	2644	FileName.exe
Token: SeSystemtimePrivilege	2644	FileName.exe
Token: SeProfSingleProcessPrivilege	2644	FileName.exe
Token: SeIncBasePriorityPrivilege	2644	FileName.exe
Token: SeCreatePagefilePrivilege	2644	FileName.exe
Token: SeBackupPrivilege	2644	FileName.exe
Token: SeRestorePrivilege	2644	FileName.exe
Token: SeShutdownPrivilege	2644	FileName.exe
Token: SeDebugPrivilege	2644	FileName.exe
Token: SeSystemEnvironmentPrivilege	2644	FileName.exe
Token: SeChangeNotifyPrivilege	2644	FileName.exe
Token: SeRemoteShutdownPrivilege	2644	FileName.exe
Token: SeUndockPrivilege	2644	FileName.exe
Token: SeManageVolumePrivilege	2644	FileName.exe
Token: SeImpersonatePrivilege	2644	FileName.exe
Token: SeCreateGlobalPrivilege	2644	FileName.exe
Token: 33	2644	FileName.exe
Token: 34	2644	FileName.exe
Token: 35	2644	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe
Token: SeDebugPrivilege	2700	FileName.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

HCMH78.exe

pid	Process
2940	HCMH78.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exeFileName.exeFileName.exeFileName.exeFileName.exe

pid	Process
1312	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe
2816	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe
3020	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe
2592	FileName.exe
2700	FileName.exe
2644	FileName.exe
2720	FileName.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 1312 wrote to memory of 3020	1312	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	31
PID 1312 wrote to memory of 3020	1312	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	31
PID 1312 wrote to memory of 3020	1312	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	31
PID 1312 wrote to memory of 3020	1312	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	31
PID 1312 wrote to memory of 3020	1312	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	31
PID 1312 wrote to memory of 3020	1312	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	31
PID 1312 wrote to memory of 3020	1312	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	31
PID 1312 wrote to memory of 3020	1312	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	31
PID 1312 wrote to memory of 2816	1312	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	32
PID 1312 wrote to memory of 2816	1312	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	32
PID 1312 wrote to memory of 2816	1312	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	32
PID 1312 wrote to memory of 2816	1312	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	32
PID 1312 wrote to memory of 2816	1312	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	32
PID 1312 wrote to memory of 2816	1312	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	32
PID 1312 wrote to memory of 2816	1312	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	32
PID 1312 wrote to memory of 2816	1312	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	32
PID 3020 wrote to memory of 2940	3020	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	33
PID 3020 wrote to memory of 2940	3020	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	33
PID 3020 wrote to memory of 2940	3020	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	33
PID 3020 wrote to memory of 2940	3020	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	33
PID 2816 wrote to memory of 2792	2816	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	34
PID 2816 wrote to memory of 2792	2816	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	34
PID 2816 wrote to memory of 2792	2816	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	34
PID 2816 wrote to memory of 2792	2816	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	34
PID 2792 wrote to memory of 1648	2792	cmd.exe	36
PID 2792 wrote to memory of 1648	2792	cmd.exe	36
PID 2792 wrote to memory of 1648	2792	cmd.exe	36
PID 2792 wrote to memory of 1648	2792	cmd.exe	36
PID 2816 wrote to memory of 2592	2816	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	37
PID 2816 wrote to memory of 2592	2816	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	37
PID 2816 wrote to memory of 2592	2816	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	37
PID 2816 wrote to memory of 2592	2816	1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe	37
PID 2940 wrote to memory of 1576	2940	HCMH78.exe	40
PID 2940 wrote to memory of 1576	2940	HCMH78.exe	40
PID 2940 wrote to memory of 1576	2940	HCMH78.exe	40
PID 2940 wrote to memory of 1576	2940	HCMH78.exe	40
PID 1576 wrote to memory of 2580	1576	cmd.exe	42
PID 1576 wrote to memory of 2580	1576	cmd.exe	42
PID 1576 wrote to memory of 2580	1576	cmd.exe	42
PID 1576 wrote to memory of 2580	1576	cmd.exe	42
PID 2580 wrote to memory of 676	2580	cmd.exe	43
PID 2580 wrote to memory of 676	2580	cmd.exe	43
PID 2580 wrote to memory of 676	2580	cmd.exe	43
PID 2580 wrote to memory of 676	2580	cmd.exe	43
PID 2940 wrote to memory of 1696	2940	HCMH78.exe	44
PID 2940 wrote to memory of 1696	2940	HCMH78.exe	44
PID 2940 wrote to memory of 1696	2940	HCMH78.exe	44
PID 2940 wrote to memory of 1696	2940	HCMH78.exe	44
PID 1696 wrote to memory of 2372	1696	cmd.exe	46
PID 1696 wrote to memory of 2372	1696	cmd.exe	46
PID 1696 wrote to memory of 2372	1696	cmd.exe	46
PID 1696 wrote to memory of 2372	1696	cmd.exe	46
PID 2940 wrote to memory of 904	2940	HCMH78.exe	47
PID 2940 wrote to memory of 904	2940	HCMH78.exe	47
PID 2940 wrote to memory of 904	2940	HCMH78.exe	47
PID 2940 wrote to memory of 904	2940	HCMH78.exe	47
PID 904 wrote to memory of 1464	904	cmd.exe	49
PID 904 wrote to memory of 1464	904	cmd.exe	49
PID 904 wrote to memory of 1464	904	cmd.exe	49
PID 904 wrote to memory of 1464	904	cmd.exe	49
PID 1464 wrote to memory of 2300	1464	cmd.exe	50
PID 1464 wrote to memory of 2300	1464	cmd.exe	50
PID 1464 wrote to memory of 2300	1464	cmd.exe	50
PID 1464 wrote to memory of 2300	1464	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe
"C:\Users\Admin\AppData\Local\Temp\1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe
  "C:\Users\Admin\AppData\Local\Temp\1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Roaming\HCMH78.exe
    "C:\Users\Admin\AppData\Roaming\HCMH78.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1576
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c takeown /f C:\ldrscan\bootwin
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\ldrscan\bootwin
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:2372
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:904
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c takeown /f C:\ldrscan\bootwin
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1464
      - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\ldrscan\bootwin
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2104
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:2456
  - - C:\Windows\system32\cmd.exe
      cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
      4⤵
      PID:1984
    - - C:\Windows\System32\cscript.exe
        
        C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
        5⤵
        
        PID:308
  - - C:\Windows\system32\cmd.exe
      cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
      4⤵
      PID:2424
    - - C:\Windows\System32\cscript.exe
        
        C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
        5⤵
        
        PID:3068
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "compact /u \\?\Volume{367eaf83-3d79-11ef-ac21-806e6f6e6963}\MHJCS"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2916
    - - C:\Windows\SysWOW64\compact.exe
        
        compact /u \\?\Volume{367eaf83-3d79-11ef-ac21-806e6f6e6963}\MHJCS
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1920
    - - C:\bootsect.exe
        
        C:\bootsect.exe /nt60 SYS /force
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2364
- C:\Users\Admin\AppData\Local\Temp\1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe
  "C:\Users\Admin\AppData\Local\Temp\1e177bb6591daf06a0dafc378093c04669403a90fda3e539ca4a1aa2a67c7c11N.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\LTHRH.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AdobeDLL" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1648
- - C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe
    "C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2592
  - - C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe
      "C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2720
  - - C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe
      "C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2700
  - - C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe
      "C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Acer.XRM-MS

Filesize
2KB

MD5
f25832af6a684360950dbb15589de34a

SHA1
17ff1d21005c1695ae3dcbdc3435017c895fff5d

SHA256
266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f

SHA512
e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LTHRH.bat

Filesize
149B

MD5
4b05d1e57e68c984b22080ba52141cf6

SHA1
e24e2b20367bb2344ffe5f003ecc93e7d4f63882

SHA256
3d287de92ac4dcb4f85dc66770f9d13be5775980f75b82da44a3e1f77ed8c884

SHA512
bbc7f57d56478018f5f607d4e43eacbd4ced26b85fd06a760ec3bb7726ba8874f918709733a05821fdd2dc645face265752c6884b36e5c804b18914a71eaf816

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\FileName.exe

Filesize
1.7MB

MD5
9f9ff50f2fcb8ebe36f2d7ab3c4cd07a

SHA1
5d0852438ec222bc89c401a59afc536a047c5de3

SHA256
1fb78daf06a8749a2919be9b7d0c07cfcbfe8db6bb4b81377b5d8c9a563a2491

SHA512
1e709c0970a610c1b58e9e02a49455c85feff2a983162e46df73cb3f175d2c5dfd304f16a6f42f05a8e4a9b64da291fca95fd72520b95566fc89015eb42a83cb

Download Submit
C:\bootsect.exe

Filesize
95KB

MD5
900afcdb6923b58798566101a957809c

SHA1
72f4a66de64d6745ceb86ecc123bc958c51b6067

SHA256
0f759cd6cf30b90336e9523ba42892b6221144cf0ea38ac49e2f2e1242643180

SHA512
722d899668974f36a6b1fe4a10fc7e67d945e6d97ad491d83d036eec2b27126156461673753b3997307b407fac0ab562500acbe7d135e5eecc30002e1ccdf38b

Download Submit
\??\Volume{367eaf83-3d79-11ef-ac21-806e6f6e6963}\MHJCS

Filesize
314KB

MD5
590ca01034604734a72b616a00c082a0

SHA1
aa0742708b74a4ca25e9a2bf35374da2ccb6fb35

SHA256
ec4f793f3fa5d93106064857cbaf79c39ff76bf776e3c4f9af1257477a3b6424

SHA512
7744bef754aa9fb5acc1d94b226a0525df27b8b17a443b7481a500084daf6b678a84a95cd9040a88d7b70c657c4c911c743bf6915b4d47267e0b540dc7c335ea

Download Submit
\Users\Admin\AppData\Roaming\HCMH78.exe

Filesize
3.6MB

MD5
54687dfbd4e31c206ea4036fcad32738

SHA1
ff30aea6c549943815418399d389fd179a24b505

SHA256
fc761228d8892545e813e763deac19105c3fce15ebd642f5332ad12217402ceb

SHA512
7bf3d91fa4a83ab2ff28a8c6c422d113df439be2000a02e878f713a24cb2e2aa98caea3416d141ce519666e96b9a4662afb1d75c7a64118884f868738e379613

Download Submit
memory/1312-46-0x0000000002940000-0x0000000002AA2000-memory.dmp

Filesize
1.4MB

Download
memory/1312-28-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2644-355-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2644-325-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2700-352-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2700-318-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2720-317-0x0000000000400000-0x00000000007AD000-memory.dmp

Filesize
3.7MB

Download
memory/2720-336-0x0000000000400000-0x00000000007AD000-memory.dmp

Filesize
3.7MB

Download
memory/2816-333-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2816-89-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2816-83-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2816-81-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2816-79-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2816-91-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2816-226-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2816-92-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2816-93-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2816-97-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2940-150-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/2940-142-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2940-134-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2940-129-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/2940-121-0x0000000000280000-0x0000000000293000-memory.dmp

Filesize
76KB

Download
memory/2940-119-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2940-348-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2940-324-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/3020-85-0x0000000000400000-0x00000000007AD000-memory.dmp

Filesize
3.7MB

Download
memory/3020-117-0x0000000003CF0000-0x0000000003F13000-memory.dmp

Filesize
2.1MB

Download
memory/3020-227-0x0000000003CF0000-0x0000000003F13000-memory.dmp

Filesize
2.1MB

Download
memory/3020-225-0x0000000000400000-0x00000000007AD000-memory.dmp

Filesize
3.7MB

Download
memory/3020-86-0x0000000000400000-0x00000000007AD000-memory.dmp

Filesize
3.7MB

Download
memory/3020-316-0x0000000003CF0000-0x0000000003F13000-memory.dmp

Filesize
2.1MB

Download
memory/3020-70-0x0000000000400000-0x00000000007AD000-memory.dmp

Filesize
3.7MB

Download
memory/3020-107-0x0000000003CF0000-0x0000000003F13000-memory.dmp

Filesize
2.1MB

Download
memory/3020-72-0x0000000000400000-0x00000000007AD000-memory.dmp

Filesize
3.7MB

Download
memory/3020-73-0x0000000000400000-0x00000000007AD000-memory.dmp

Filesize
3.7MB

Download
memory/3020-96-0x0000000000400000-0x00000000007AD000-memory.dmp

Filesize
3.7MB

Download
memory/3020-98-0x0000000000400000-0x00000000007AD000-memory.dmp

Filesize
3.7MB

Download
memory/3020-116-0x0000000003CF0000-0x0000000003F13000-memory.dmp

Filesize
2.1MB

Download
memory/3020-351-0x0000000000400000-0x00000000007AD000-memory.dmp

Filesize
3.7MB

Download
memory/3020-99-0x0000000000400000-0x00000000007AD000-memory.dmp

Filesize
3.7MB

Download
memory/3020-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download