darkcomet | 343aaf3307a88ac8be9ebc8a3562905d7c34e3dadc477d7557b00f06c3904e7c

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Size

2.0MB
MD5

e761ad70be62309281d1edf463e8c0e4
SHA1

6003a7704f131074cb9a8162c4cfdf979ce5be8f
SHA256

343aaf3307a88ac8be9ebc8a3562905d7c34e3dadc477d7557b00f06c3904e7c
SHA512

068bed4b6e6b7ef8a5f9ba596b18f5f3a76949961e9994e488109fe2266ddcf831240f72f510bf98cbc38653584c8682ed272cd72819bd714dd947727e0707c7
SSDEEP

49152:1rLsrRotIig7rLaKXrrf7mX8rptlyXFwtAamqRkWvazk:1rGL3LZPaXwt6ExAFzk

Score

10^/10

darkcomet jdb discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

JDB

wonanwad.no-ip.biz:1604

Mutex

DCMIN_MUTEX-6X4A2HS

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
NMt8acKfFNq0
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	2576	rundll32.exe
8	2576	rundll32.exe

Executes dropped EXE 5 IoCs

pid	Process
1408	BS.exe
1932	IMDCSC.exe
2620	IMDCSC.exe
3064	IMDCSC.exe
2532	BS.exe

Loads dropped DLL 19 IoCs

pid	Process
2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
1932	IMDCSC.exe
2620	IMDCSC.exe
2620	IMDCSC.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rwning = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rwning = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	IMDCSC.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1508 set thread context of 2976	1508	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	31
PID 2976 set thread context of 2640	2976	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	32
PID 2640 set thread context of 2812	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	33
PID 1932 set thread context of 2620	1932	IMDCSC.exe	37
PID 2620 set thread context of 3064	2620	IMDCSC.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2288	2532	WerFault.exe	39
1712	1408	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\OOBGameInstalled = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX	rundll32.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeSecurityPrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeBackupPrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeRestorePrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeShutdownPrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeDebugPrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeUndockPrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: 33	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: 34	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: 35	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3064	IMDCSC.exe
Token: SeSecurityPrivilege	3064	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	3064	IMDCSC.exe
Token: SeLoadDriverPrivilege	3064	IMDCSC.exe
Token: SeSystemProfilePrivilege	3064	IMDCSC.exe
Token: SeSystemtimePrivilege	3064	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	3064	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	3064	IMDCSC.exe
Token: SeCreatePagefilePrivilege	3064	IMDCSC.exe
Token: SeBackupPrivilege	3064	IMDCSC.exe
Token: SeRestorePrivilege	3064	IMDCSC.exe
Token: SeShutdownPrivilege	3064	IMDCSC.exe
Token: SeDebugPrivilege	3064	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	3064	IMDCSC.exe
Token: SeChangeNotifyPrivilege	3064	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	3064	IMDCSC.exe
Token: SeUndockPrivilege	3064	IMDCSC.exe
Token: SeManageVolumePrivilege	3064	IMDCSC.exe
Token: SeImpersonatePrivilege	3064	IMDCSC.exe
Token: SeCreateGlobalPrivilege	3064	IMDCSC.exe
Token: 33	3064	IMDCSC.exe
Token: 34	3064	IMDCSC.exe
Token: 35	3064	IMDCSC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3064	IMDCSC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2976	1508	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	31
PID 1508 wrote to memory of 2976	1508	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	31
PID 1508 wrote to memory of 2976	1508	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	31
PID 1508 wrote to memory of 2976	1508	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	31
PID 2976 wrote to memory of 2640	2976	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	32
PID 2976 wrote to memory of 2640	2976	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	32
PID 2976 wrote to memory of 2640	2976	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	32
PID 2976 wrote to memory of 2640	2976	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	32
PID 2976 wrote to memory of 2640	2976	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	32
PID 2976 wrote to memory of 2640	2976	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	32
PID 2976 wrote to memory of 2640	2976	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	32
PID 2976 wrote to memory of 2640	2976	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	32
PID 2976 wrote to memory of 2640	2976	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	32
PID 2976 wrote to memory of 2640	2976	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	32
PID 2976 wrote to memory of 2640	2976	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	32
PID 2640 wrote to memory of 2812	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2812	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2812	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2812	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2812	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2812	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2812	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2812	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2812	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2812	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2812	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2812	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2812	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	33
PID 2640 wrote to memory of 1408	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	34
PID 2640 wrote to memory of 1408	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	34
PID 2640 wrote to memory of 1408	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	34
PID 2640 wrote to memory of 1408	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	34
PID 2640 wrote to memory of 1408	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	34
PID 2640 wrote to memory of 1408	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	34
PID 2640 wrote to memory of 1408	2640	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	34
PID 2812 wrote to memory of 1932	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	35
PID 2812 wrote to memory of 1932	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	35
PID 2812 wrote to memory of 1932	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	35
PID 2812 wrote to memory of 1932	2812	e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe	35
PID 1408 wrote to memory of 2576	1408	BS.exe	36
PID 1408 wrote to memory of 2576	1408	BS.exe	36
PID 1408 wrote to memory of 2576	1408	BS.exe	36
PID 1408 wrote to memory of 2576	1408	BS.exe	36
PID 1408 wrote to memory of 2576	1408	BS.exe	36
PID 1408 wrote to memory of 2576	1408	BS.exe	36
PID 1408 wrote to memory of 2576	1408	BS.exe	36
PID 1932 wrote to memory of 2620	1932	IMDCSC.exe	37
PID 1932 wrote to memory of 2620	1932	IMDCSC.exe	37
PID 1932 wrote to memory of 2620	1932	IMDCSC.exe	37
PID 1932 wrote to memory of 2620	1932	IMDCSC.exe	37
PID 1932 wrote to memory of 2620	1932	IMDCSC.exe	37
PID 1932 wrote to memory of 2620	1932	IMDCSC.exe	37
PID 1932 wrote to memory of 2620	1932	IMDCSC.exe	37
PID 1932 wrote to memory of 2620	1932	IMDCSC.exe	37
PID 1932 wrote to memory of 2620	1932	IMDCSC.exe	37
PID 1932 wrote to memory of 2620	1932	IMDCSC.exe	37
PID 1932 wrote to memory of 2620	1932	IMDCSC.exe	37
PID 2620 wrote to memory of 3064	2620	IMDCSC.exe	38
PID 2620 wrote to memory of 3064	2620	IMDCSC.exe	38
PID 2620 wrote to memory of 3064	2620	IMDCSC.exe	38
PID 2620 wrote to memory of 3064	2620	IMDCSC.exe	38
PID 2620 wrote to memory of 3064	2620	IMDCSC.exe	38
PID 2620 wrote to memory of 3064	2620	IMDCSC.exe	38
PID 2620 wrote to memory of 3064	2620	IMDCSC.exe	38

C:\Users\Admin\AppData\Local\Temp\e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Users\Admin\AppData\Local\Temp\e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe"
      4⤵
      Modifies WinLogon for persistence
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
        
        "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
        
        "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
        
        "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\BS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BS.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {868c988d-ecf6-40cd-b1ab-8c5f0607dd95};C:\Users\Admin\AppData\Local\Temp\BS.exe;2532
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 260
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\BS.exe
      "C:\Users\Admin\AppData\Local\Temp\BS.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {868c988d-ecf6-40cd-b1ab-8c5f0607dd95};C:\Users\Admin\AppData\Local\Temp\BS.exe;1408
        5⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 260
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
2.0MB

MD5
e761ad70be62309281d1edf463e8c0e4

SHA1
6003a7704f131074cb9a8162c4cfdf979ce5be8f

SHA256
343aaf3307a88ac8be9ebc8a3562905d7c34e3dadc477d7557b00f06c3904e7c

SHA512
068bed4b6e6b7ef8a5f9ba596b18f5f3a76949961e9994e488109fe2266ddcf831240f72f510bf98cbc38653584c8682ed272cd72819bd714dd947727e0707c7

Download Submit
\Users\Admin\AppData\Local\Temp\BS.exe

Filesize
1.1MB

MD5
1b86d2f35d809aaf46f61422db2347e5

SHA1
a22dd1923e062ccc254cb954ead83f4a2aeec8bb

SHA256
6a9ee948c23523392aa357598582eb173506ecfffe92c0524a666ca026814735

SHA512
f6626d2f913e8bfbf1de7827f1661374d228c7106624089d29bcba16c41ca0271c0ccc88073fc1898593dd67155d7b276a35cbec35703e4f944abff5cbaadbdc

Download Submit
memory/2620-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2640-45-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2640-10-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2640-8-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2640-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2640-5-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2640-4-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2640-11-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2640-2-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2640-0-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2640-1-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2640-3-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/2812-18-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2812-33-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2812-22-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2812-34-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2812-16-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2812-24-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2812-30-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2812-20-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2812-36-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2812-35-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2812-14-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2812-12-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2812-26-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2812-97-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3064-87-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads