Analysis
-
max time kernel
119s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19-12-2024 09:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903.exe
Resource
win7-20240903-en
windows7-x64
22 signatures
120 seconds
General
-
Target
10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903.exe
-
Size
966KB
-
MD5
22977eaececc124b167967723f591e76
-
SHA1
b209dc0f7a983c03a80885607b826f3e6879b4bc
-
SHA256
10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903
-
SHA512
ffd739b82dee5791cf4a932d1d8f7a67d14ec851cc49a433cf404cbc885b785eba67848131365ce38cddd5940dd1174b18ec21572301fcc074f2faed599a40f7
-
SSDEEP
12288:N3TD4DnRfwKl+znaNpofSsa9Pi+W9iXqpea3wJWIfBT3PGUE0/DrRrPGVJ:FTQuKl+zsUC6J9i+3wJRT3PI0/xGj
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
74.65.183.83:1604
74.65.183.83:25565
74.65.183.83:1122
74.65.183.83:100
Mutex
DC_MUTEX-XH87550
Attributes
-
InstallPath
WindowsUpdate.exe
-
gencode
MwBxQSYoXbQb
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
WindoesUpdate.dll
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\WindowsUpdate.exe" BlackWidowV4CrackedBySkullTeam.exe -
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" iexplore.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile WindowsUpdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" WindowsUpdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" WindowsUpdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" iexplore.exe -
Modifies security service 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" WindowsUpdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" iexplore.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WindowsUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WindowsUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" iexplore.exe -
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WindowsUpdate.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" iexplore.exe -
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 2912 attrib.exe 548 attrib.exe -
Executes dropped EXE 3 IoCs
pid Process 1160 BlackWidowV4CrackedBySkullTeam.sfx.exe 2804 BlackWidowV4CrackedBySkullTeam.exe 2176 WindowsUpdate.exe -
Loads dropped DLL 6 IoCs
pid Process 1476 cmd.exe 1160 BlackWidowV4CrackedBySkullTeam.sfx.exe 1160 BlackWidowV4CrackedBySkullTeam.sfx.exe 1160 BlackWidowV4CrackedBySkullTeam.sfx.exe 1160 BlackWidowV4CrackedBySkullTeam.sfx.exe 1160 BlackWidowV4CrackedBySkullTeam.sfx.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WindowsUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WindowsUpdate.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindoesUpdate.dll = "C:\\WindowsUpdate.exe" BlackWidowV4CrackedBySkullTeam.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindoesUpdate.dll = "C:\\WindowsUpdate.exe" WindowsUpdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindoesUpdate.dll = "C:\\WindowsUpdate.exe" iexplore.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2176 set thread context of 3008 2176 WindowsUpdate.exe 43 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BlackWidowV4CrackedBySkullTeam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BlackWidowV4CrackedBySkullTeam.sfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WindowsUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3008 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeSecurityPrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeTakeOwnershipPrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeLoadDriverPrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeSystemProfilePrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeSystemtimePrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeProfSingleProcessPrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeIncBasePriorityPrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeCreatePagefilePrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeBackupPrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeRestorePrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeShutdownPrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeDebugPrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeSystemEnvironmentPrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeChangeNotifyPrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeRemoteShutdownPrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeUndockPrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeManageVolumePrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeImpersonatePrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeCreateGlobalPrivilege 2804 BlackWidowV4CrackedBySkullTeam.exe Token: 33 2804 BlackWidowV4CrackedBySkullTeam.exe Token: 34 2804 BlackWidowV4CrackedBySkullTeam.exe Token: 35 2804 BlackWidowV4CrackedBySkullTeam.exe Token: SeIncreaseQuotaPrivilege 2176 WindowsUpdate.exe Token: SeSecurityPrivilege 2176 WindowsUpdate.exe Token: SeTakeOwnershipPrivilege 2176 WindowsUpdate.exe Token: SeLoadDriverPrivilege 2176 WindowsUpdate.exe Token: SeSystemProfilePrivilege 2176 WindowsUpdate.exe Token: SeSystemtimePrivilege 2176 WindowsUpdate.exe Token: SeProfSingleProcessPrivilege 2176 WindowsUpdate.exe Token: SeIncBasePriorityPrivilege 2176 WindowsUpdate.exe Token: SeCreatePagefilePrivilege 2176 WindowsUpdate.exe Token: SeBackupPrivilege 2176 WindowsUpdate.exe Token: SeRestorePrivilege 2176 WindowsUpdate.exe Token: SeShutdownPrivilege 2176 WindowsUpdate.exe Token: SeDebugPrivilege 2176 WindowsUpdate.exe Token: SeSystemEnvironmentPrivilege 2176 WindowsUpdate.exe Token: SeChangeNotifyPrivilege 2176 WindowsUpdate.exe Token: SeRemoteShutdownPrivilege 2176 WindowsUpdate.exe Token: SeUndockPrivilege 2176 WindowsUpdate.exe Token: SeManageVolumePrivilege 2176 WindowsUpdate.exe Token: SeImpersonatePrivilege 2176 WindowsUpdate.exe Token: SeCreateGlobalPrivilege 2176 WindowsUpdate.exe Token: 33 2176 WindowsUpdate.exe Token: 34 2176 WindowsUpdate.exe Token: 35 2176 WindowsUpdate.exe Token: SeRestorePrivilege 2176 WindowsUpdate.exe Token: SeBackupPrivilege 2176 WindowsUpdate.exe Token: SeIncreaseQuotaPrivilege 3008 iexplore.exe Token: SeSecurityPrivilege 3008 iexplore.exe Token: SeTakeOwnershipPrivilege 3008 iexplore.exe Token: SeLoadDriverPrivilege 3008 iexplore.exe Token: SeSystemProfilePrivilege 3008 iexplore.exe Token: SeSystemtimePrivilege 3008 iexplore.exe Token: SeProfSingleProcessPrivilege 3008 iexplore.exe Token: SeIncBasePriorityPrivilege 3008 iexplore.exe Token: SeCreatePagefilePrivilege 3008 iexplore.exe Token: SeBackupPrivilege 3008 iexplore.exe Token: SeRestorePrivilege 3008 iexplore.exe Token: SeShutdownPrivilege 3008 iexplore.exe Token: SeDebugPrivilege 3008 iexplore.exe Token: SeSystemEnvironmentPrivilege 3008 iexplore.exe Token: SeChangeNotifyPrivilege 3008 iexplore.exe Token: SeRemoteShutdownPrivilege 3008 iexplore.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3008 iexplore.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1928 wrote to memory of 1476 1928 10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903.exe 30 PID 1928 wrote to memory of 1476 1928 10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903.exe 30 PID 1928 wrote to memory of 1476 1928 10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903.exe 30 PID 1928 wrote to memory of 1476 1928 10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903.exe 30 PID 1476 wrote to memory of 1160 1476 cmd.exe 32 PID 1476 wrote to memory of 1160 1476 cmd.exe 32 PID 1476 wrote to memory of 1160 1476 cmd.exe 32 PID 1476 wrote to memory of 1160 1476 cmd.exe 32 PID 1160 wrote to memory of 2804 1160 BlackWidowV4CrackedBySkullTeam.sfx.exe 33 PID 1160 wrote to memory of 2804 1160 BlackWidowV4CrackedBySkullTeam.sfx.exe 33 PID 1160 wrote to memory of 2804 1160 BlackWidowV4CrackedBySkullTeam.sfx.exe 33 PID 1160 wrote to memory of 2804 1160 BlackWidowV4CrackedBySkullTeam.sfx.exe 33 PID 2804 wrote to memory of 2068 2804 BlackWidowV4CrackedBySkullTeam.exe 35 PID 2804 wrote to memory of 2068 2804 BlackWidowV4CrackedBySkullTeam.exe 35 PID 2804 wrote to memory of 2068 2804 BlackWidowV4CrackedBySkullTeam.exe 35 PID 2804 wrote to memory of 2068 2804 BlackWidowV4CrackedBySkullTeam.exe 35 PID 2804 wrote to memory of 2652 2804 BlackWidowV4CrackedBySkullTeam.exe 36 PID 2804 wrote to memory of 2652 2804 BlackWidowV4CrackedBySkullTeam.exe 36 PID 2804 wrote to memory of 2652 2804 BlackWidowV4CrackedBySkullTeam.exe 36 PID 2804 wrote to memory of 2652 2804 BlackWidowV4CrackedBySkullTeam.exe 36 PID 2804 wrote to memory of 2644 2804 BlackWidowV4CrackedBySkullTeam.exe 37 PID 2804 wrote to memory of 2644 2804 BlackWidowV4CrackedBySkullTeam.exe 37 PID 2804 wrote to memory of 2644 2804 BlackWidowV4CrackedBySkullTeam.exe 37 PID 2804 wrote to memory of 2644 2804 BlackWidowV4CrackedBySkullTeam.exe 37 PID 2804 wrote to memory of 2644 2804 BlackWidowV4CrackedBySkullTeam.exe 37 PID 2804 wrote to memory of 2644 2804 BlackWidowV4CrackedBySkullTeam.exe 37 PID 2804 wrote to memory of 2644 2804 BlackWidowV4CrackedBySkullTeam.exe 37 PID 2804 wrote to memory of 2644 2804 BlackWidowV4CrackedBySkullTeam.exe 37 PID 2804 wrote to memory of 2644 2804 BlackWidowV4CrackedBySkullTeam.exe 37 PID 2804 wrote to memory of 2644 2804 BlackWidowV4CrackedBySkullTeam.exe 37 PID 2804 wrote to memory of 2644 2804 BlackWidowV4CrackedBySkullTeam.exe 37 PID 2804 wrote to memory of 2644 2804 BlackWidowV4CrackedBySkullTeam.exe 37 PID 2804 wrote to memory of 2644 2804 BlackWidowV4CrackedBySkullTeam.exe 37 PID 2804 wrote to memory of 2644 2804 BlackWidowV4CrackedBySkullTeam.exe 37 PID 2804 wrote to memory of 2644 2804 BlackWidowV4CrackedBySkullTeam.exe 37 PID 2804 wrote to memory of 2644 2804 BlackWidowV4CrackedBySkullTeam.exe 37 PID 2804 wrote to memory of 2644 2804 BlackWidowV4CrackedBySkullTeam.exe 37 PID 2804 wrote to memory of 2644 2804 BlackWidowV4CrackedBySkullTeam.exe 37 PID 2804 wrote to memory of 2176 2804 BlackWidowV4CrackedBySkullTeam.exe 40 PID 2804 wrote to memory of 2176 2804 BlackWidowV4CrackedBySkullTeam.exe 40 PID 2804 wrote to memory of 2176 2804 BlackWidowV4CrackedBySkullTeam.exe 40 PID 2804 wrote to memory of 2176 2804 BlackWidowV4CrackedBySkullTeam.exe 40 PID 2804 wrote to memory of 2176 2804 BlackWidowV4CrackedBySkullTeam.exe 40 PID 2804 wrote to memory of 2176 2804 BlackWidowV4CrackedBySkullTeam.exe 40 PID 2804 wrote to memory of 2176 2804 BlackWidowV4CrackedBySkullTeam.exe 40 PID 2068 wrote to memory of 548 2068 cmd.exe 42 PID 2652 wrote to memory of 2912 2652 cmd.exe 41 PID 2068 wrote to memory of 548 2068 cmd.exe 42 PID 2652 wrote to memory of 2912 2652 cmd.exe 41 PID 2068 wrote to memory of 548 2068 cmd.exe 42 PID 2652 wrote to memory of 2912 2652 cmd.exe 41 PID 2068 wrote to memory of 548 2068 cmd.exe 42 PID 2652 wrote to memory of 2912 2652 cmd.exe 41 PID 2176 wrote to memory of 3008 2176 WindowsUpdate.exe 43 PID 2176 wrote to memory of 3008 2176 WindowsUpdate.exe 43 PID 2176 wrote to memory of 3008 2176 WindowsUpdate.exe 43 PID 2176 wrote to memory of 3008 2176 WindowsUpdate.exe 43 PID 2176 wrote to memory of 3008 2176 WindowsUpdate.exe 43 PID 2176 wrote to memory of 3008 2176 WindowsUpdate.exe 43 PID 2176 wrote to memory of 3008 2176 WindowsUpdate.exe 43 PID 2176 wrote to memory of 3008 2176 WindowsUpdate.exe 43 PID 2176 wrote to memory of 3008 2176 WindowsUpdate.exe 43 PID 3008 wrote to memory of 2856 3008 iexplore.exe 44 PID 3008 wrote to memory of 2856 3008 iexplore.exe 44 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion WindowsUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern WindowsUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" WindowsUpdate.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 548 attrib.exe 2912 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903.exe"C:\Users\Admin\AppData\Local\Temp\10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\dll.bat" "2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\BlackWidowV4CrackedBySkullTeam.sfx.exeBlackWidowV4CrackedBySkullTeam.sfx -parrow1998 -dC:\Users\Admin\AppData\Roaming3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BlackWidowV4CrackedBySkullTeam.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BlackWidowV4CrackedBySkullTeam.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BlackWidowV4CrackedBySkullTeam.exe" +s +h5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BlackWidowV4CrackedBySkullTeam.exe" +s +h6⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:548
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1" +s +h5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1" +s +h6⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2912
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
- System Location Discovery: System Language Discovery
PID:2644
-
-
C:\WindowsUpdate.exe"C:\WindowsUpdate.exe"5⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2176 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"6⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\notepad.exenotepad7⤵
- System Location Discovery: System Language Discovery
PID:2856
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
519KB
MD54b7cf29e9744da36f072c88a9372395a
SHA1c9e206d3d81c8b604860c3dd379ee059676aa409
SHA25600f0d8dd7eb761c34048df8706a526963150d95f592ef7e9bb4caa93947114bb
SHA512418be4347a2cc3a50059d707a5a438f707c1385b013a7409d95139b6b8f22f1416d576c6d1c44eea4e930803a50888e0a109c4b2b23c40c4f96f84e5d6a7e303
-
Filesize
58B
MD5d2f7f27d6885c2afea6c3ad5bc6c1190
SHA1f2b23abe2f2d90ca61b1b356e7e125b1f7d41798
SHA2561c4d169e0bb2016066e4e545c89426addb0aaaf58240d2740be8d85753b94261
SHA51235d50b0c23725d40b15e0b7627e8228f02cd26b606c1d2815d1f2ff03ee5098877ab52d8527987b46d425ea34ea258d4710a7f48555a70b8afce5863c1442caa
-
Filesize
1004KB
MD5997c248b8c1ff1e99aaa40e8384331f4
SHA1ca765e630e0fb9ab4837ea0389c012cf12da02f6
SHA2563a4da5311a97fa8a4e8142b6e4847e9effd69b3d6abe7c3bd0a5922cf1bc3cf2
SHA51219a98ba43953fdb7acd721b1fdc3ee96d6964820b04cea6538fe835d0d0047d38ff76f11d9525eb339c9e489e55c0d752ab6cc2eddf1cd7336772dfb00a90166