Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-12-2024 23:57
Static task: static1
Behavioral task: behavioral1
Sample: e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
Size: 2.2MB
MD5: e8e5c9e651f358d8c24c8f6757f164ed
SHA1: 74296bf4fceba6d906055c4fedc51b75f4f99f0d
SHA256: dcff421c7cd4cc77eda4ce513f23ef47cea8784979375ed62a3a78672c590138
SHA512: 8605b1b3ecb56450fe1b57aa6a62fc9a18045025b4a1cc7094216da9e86b8c8b19d3f243a8e6a696ec502c80f2837b7350c0f5e0da66014a4d48f0e5784e6c9d
SSDEEP: 49152:vYb/OBImCOQewFay6GKEIhfb0wyI9Ko2P4RP:wbCImCOQewFay6GQhfb0FI9KXk
Malware Config
Extracted: darkcomet
Novo
tutoriais157.no-ip.org:1604
DC_MUTEX-VRFY1RF
InstallPath: MSDCSC\msdcsc.exe
gencode: MlBzybfvaNEy
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | msdcsc.exe
Executes dropped EXE 4 IoCs
pid | Process
2544 | H3R0 INJECTOR.EXE
2724 | msdcsc.exe
2464 | msdcsc.exe
2872 | msdcsc.exe
Loads dropped DLL 6 IoCs
pid | Process
2684 | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
2684 | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
2684 | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
2684 | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
2724 | msdcsc.exe
2464 | msdcsc.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | msdcsc.exe
Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | msdcsc.exe
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 1508 set thread context of 2680 | 1508 | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe | 31
PID 2680 set thread context of 2684 | 2680 | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe | 32
PID 2724 set thread context of 2464 | 2724 | msdcsc.exe | 35
PID 2464 set thread context of 2872 | 2464 | msdcsc.exe | 36
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | H3R0 INJECTOR.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2544 | H3R0 INJECTOR.EXE (this identical row appears 64 times in the report)
Suspicious use of AdjustPrivilegeToken 46 IoCs
pid | Process | Tokens (23 entries per process, in the order reported)
2684 | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
2872 | msdcsc.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
1508 | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
2680 | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
2724 | msdcsc.exe
2464 | msdcsc.exe
2872 | msdcsc.exe
Suspicious use of WriteProcessMemory 64 IoCs
(identical rows collapsed; the last column gives how many times each row appears in the report, 64 in total)
description | pid | Process | procid_target | entries
PID 1508 wrote to memory of 2680 | 1508 | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe | 31 | 9
PID 2680 wrote to memory of 2684 | 2680 | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe | 32 | 13
PID 2684 wrote to memory of 2544 | 2684 | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe | 33 | 4
PID 2684 wrote to memory of 2724 | 2684 | e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe | 34 | 4
PID 2724 wrote to memory of 2464 | 2724 | msdcsc.exe | 35 | 9
PID 2464 wrote to memory of 2872 | 2464 | msdcsc.exe | 36 | 13
PID 2872 wrote to memory of 2272 | 2872 | msdcsc.exe | 37 | 12
Processes
(process tree; the number in brackets is the depth of the process in the tree, children are indented under their parent)
[1] C:\Users\Admin\AppData\Local\Temp\e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe"
    PID: 1508
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe"
      PID: 2680
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118.exe
        PID: 2684
        - Modifies WinLogon for persistence
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\H3R0 INJECTOR.EXE
          Command line: "C:\Users\Admin\AppData\Local\Temp\H3R0 INJECTOR.EXE"
          PID: 2544
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
          Command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
          PID: 2724
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
            Command line: "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"
            PID: 2464
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
              Command line: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
              PID: 2872
              - Modifies firewall policy service
              - Disables RegEdit via registry modification
              - Executes dropped EXE
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\notepad.exe
                Command line: notepad
                PID: 2272
                - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
(number in parentheses is the count of matched signatures for that technique)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (3)
Downloads
Filesize: 1.5MB
MD5: 4274aa3fb911f5621f34595e58e50a7b
SHA1: d029a0e95a96be0571ceff311c562e52eb878c28
SHA256: 5a109456ccb1a4435cf6664086f3312820550af2687fc2192712323f13f8f7f1
SHA512: f7ddb71f80a2e52e1d6068758a1fd220e023889245d1df981511b24a60bcde2d7800ad395be099232693f618a07a800d5868b582078242d89a9b59329847c312

Filesize: 2.2MB
MD5: e8e5c9e651f358d8c24c8f6757f164ed
SHA1: 74296bf4fceba6d906055c4fedc51b75f4f99f0d
SHA256: dcff421c7cd4cc77eda4ce513f23ef47cea8784979375ed62a3a78672c590138
SHA512: 8605b1b3ecb56450fe1b57aa6a62fc9a18045025b4a1cc7094216da9e86b8c8b19d3f243a8e6a696ec502c80f2837b7350c0f5e0da66014a4d48f0e5784e6c9d