darkcomet | 8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
28-12-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Size

1.5MB
MD5

2a4364298a4c39150726789ed6f8b761
SHA1

3db55edbf09535eff8e55fdee7b6b96e9cf7e1ae
SHA256

8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa
SHA512

70e1ffc70437f10cbfb660de42f2cb525af06c497b60afd261dce3add158d27ec0d87361163580c79feaabf17b174596688bcc360b042e221b067fe88ab04e54
SSDEEP

24576:hFQeYLbKKEPS1bvKE2JCavnObjq2R19fiMFOWExOYww4r:hFQzKKEP2biE2JCavnOnT9fbkCYTI

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

choco378787.no-ip.biz:1606

Mutex

DC_MUTEX-9SWT19V

Attributes

gencode
6jeW0kHnheiZ
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RUN	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCE	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qAe77Jk = "C:\\Users\\Admin\\iSt28Sz\\svchost.exe.exe"	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNONCE	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RUNONCE	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\p:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\r:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\a:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\h:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\i:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\k:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\l:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\m:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\s:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\u:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\e:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\x:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\g:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\j:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\o:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\t:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\v:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\w:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\y:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\b:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\z:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\q:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
File opened (read-only)	\??\n:	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2748 set thread context of 2160	2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeIncreaseQuotaPrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeSecurityPrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeTakeOwnershipPrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeLoadDriverPrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeSystemProfilePrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeSystemtimePrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeProfSingleProcessPrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeIncBasePriorityPrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeCreatePagefilePrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeBackupPrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeRestorePrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeShutdownPrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeDebugPrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeSystemEnvironmentPrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeChangeNotifyPrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeRemoteShutdownPrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeUndockPrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeManageVolumePrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeImpersonatePrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: SeCreateGlobalPrivilege	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: 33	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: 34	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
Token: 35	2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2160	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2160	2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe	31
PID 2748 wrote to memory of 2160	2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe	31
PID 2748 wrote to memory of 2160	2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe	31
PID 2748 wrote to memory of 2160	2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe	31
PID 2748 wrote to memory of 2160	2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe	31
PID 2748 wrote to memory of 2160	2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe	31
PID 2748 wrote to memory of 2160	2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe	31
PID 2748 wrote to memory of 2160	2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe	31
PID 2748 wrote to memory of 2160	2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe	31
PID 2748 wrote to memory of 2160	2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe	31
PID 2748 wrote to memory of 2160	2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe	31
PID 2748 wrote to memory of 2160	2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe	31
PID 2748 wrote to memory of 2160	2748	8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe	31

C:\Users\Admin\AppData\Local\Temp\8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
"C:\Users\Admin\AppData\Local\Temp\8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe
  "C:\Users\Admin\AppData\Local\Temp\8e62ca1802bb4f7510305c74defe9521a0fbc3d4884a2460dfb6f3bfaec34faa.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\qYr33Bv.DV8

Filesize
662KB

MD5
17acb6bd3357d69307a24b344df505fa

SHA1
1ef133d1088e2a43262323ff96156888837e2fa3

SHA256
093b83fea21e1cb9f474f9322147c3b41c28dfc6dcbef187e8c1f088d03cd219

SHA512
17762f240f94806a4533667702dd147d1203273b3e53b210ec5c791e25bea8e6272e8aedba02fdfb5ddcfe5ed581ca4da6c65367d677965afbc2007e9ecbbafc

Download Submit
memory/2160-13-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-25-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-29-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2160-33-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-34-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-32-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-31-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-27-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-23-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-21-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-20-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-17-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-15-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-35-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-37-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-36-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-38-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-39-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-40-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-41-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-42-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-43-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-44-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-45-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-46-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-47-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-48-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-49-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-50-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-51-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-52-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2160-53-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download