Analysis
-
max time kernel
110s -
max time network
117s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-01-2025 05:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe
Resource
win7-20240903-en
windows7-x64
26 signatures
120 seconds
General
-
Target
38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe
-
Size
864KB
-
MD5
154831ca12b23ff1b10b3900ec4cbb99
-
SHA1
7183eace34de8cb38e5b57845096188342f394ca
-
SHA256
38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e
-
SHA512
b106e8ba82bd694e662abab6117ef293eeb01c5d01efc456326c692e5bfa20a4ebea8678e60f3a8f9eaa5ec3d22f4c7c24d98d6ded07fed5493ce94bb1b9afab
-
SSDEEP
24576:lJzKTyB6LIVewBV5nmEY9OY847pKdLCAv:fz16LIzpmHD84q
Malware Config
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe -
Modifies firewall policy service 3 TTPs 9 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" iexplore.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" iexplore.exe -
Modifies security service 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Disables RegEdit via registry modification 3 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" iexplore.exe -
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 4760 attrib.exe 1848 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe -
Executes dropped EXE 3 IoCs
pid Process 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 636 msdcsc.exe 1060 msdcsc.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" msdcsc.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 1040 set thread context of 4752 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 84 PID 1040 set thread context of 2176 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 88 PID 636 set thread context of 348 636 msdcsc.exe 101 PID 636 set thread context of 1060 636 msdcsc.exe 105 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdcsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdcsc.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3836 cmd.exe 3252 PING.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3252 PING.EXE -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 636 msdcsc.exe 636 msdcsc.exe 636 msdcsc.exe 636 msdcsc.exe 636 msdcsc.exe 636 msdcsc.exe 636 msdcsc.exe 636 msdcsc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4752 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4752 iexplore.exe Token: SeSecurityPrivilege 4752 iexplore.exe Token: SeTakeOwnershipPrivilege 4752 iexplore.exe Token: SeLoadDriverPrivilege 4752 iexplore.exe Token: SeSystemProfilePrivilege 4752 iexplore.exe Token: SeSystemtimePrivilege 4752 iexplore.exe Token: SeProfSingleProcessPrivilege 4752 iexplore.exe Token: SeIncBasePriorityPrivilege 4752 iexplore.exe Token: SeCreatePagefilePrivilege 4752 iexplore.exe Token: SeBackupPrivilege 4752 iexplore.exe Token: SeRestorePrivilege 4752 iexplore.exe Token: SeShutdownPrivilege 4752 iexplore.exe Token: SeDebugPrivilege 4752 iexplore.exe Token: SeSystemEnvironmentPrivilege 4752 iexplore.exe Token: SeChangeNotifyPrivilege 4752 iexplore.exe Token: SeRemoteShutdownPrivilege 4752 iexplore.exe Token: SeUndockPrivilege 4752 iexplore.exe Token: SeManageVolumePrivilege 4752 iexplore.exe Token: SeImpersonatePrivilege 4752 iexplore.exe Token: SeCreateGlobalPrivilege 4752 iexplore.exe Token: 33 4752 iexplore.exe Token: 34 4752 iexplore.exe Token: 35 4752 iexplore.exe Token: 36 4752 iexplore.exe Token: SeIncreaseQuotaPrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeSecurityPrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeTakeOwnershipPrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeLoadDriverPrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeSystemProfilePrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeSystemtimePrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeProfSingleProcessPrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeIncBasePriorityPrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeCreatePagefilePrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeBackupPrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeRestorePrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeShutdownPrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeDebugPrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeSystemEnvironmentPrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeChangeNotifyPrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeRemoteShutdownPrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeUndockPrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeManageVolumePrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeImpersonatePrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeCreateGlobalPrivilege 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: 33 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: 34 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: 35 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: 36 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe Token: SeIncreaseQuotaPrivilege 348 iexplore.exe Token: SeSecurityPrivilege 348 iexplore.exe Token: SeTakeOwnershipPrivilege 348 iexplore.exe Token: SeLoadDriverPrivilege 348 iexplore.exe Token: SeSystemProfilePrivilege 348 iexplore.exe Token: SeSystemtimePrivilege 348 iexplore.exe Token: SeProfSingleProcessPrivilege 348 iexplore.exe Token: SeIncBasePriorityPrivilege 348 iexplore.exe Token: SeCreatePagefilePrivilege 348 iexplore.exe Token: SeBackupPrivilege 348 iexplore.exe Token: SeRestorePrivilege 348 iexplore.exe Token: SeShutdownPrivilege 348 iexplore.exe Token: SeDebugPrivilege 348 iexplore.exe Token: SeSystemEnvironmentPrivilege 348 iexplore.exe Token: SeChangeNotifyPrivilege 348 iexplore.exe Token: SeRemoteShutdownPrivilege 348 iexplore.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 4752 iexplore.exe 636 msdcsc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1040 wrote to memory of 3240 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 83 PID 1040 wrote to memory of 3240 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 83 PID 1040 wrote to memory of 3240 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 83 PID 1040 wrote to memory of 4752 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 84 PID 1040 wrote to memory of 4752 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 84 PID 1040 wrote to memory of 4752 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 84 PID 1040 wrote to memory of 4752 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 84 PID 1040 wrote to memory of 4752 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 84 PID 1040 wrote to memory of 4752 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 84 PID 1040 wrote to memory of 4752 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 84 PID 1040 wrote to memory of 4752 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 84 PID 1040 wrote to memory of 4752 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 84 PID 1040 wrote to memory of 4752 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 84 PID 1040 wrote to memory of 4752 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 84 PID 1040 wrote to memory of 4752 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 84 PID 1040 wrote to memory of 4752 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 84 PID 1040 wrote to memory of 4752 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 84 PID 3240 wrote to memory of 3708 3240 cmd.exe 86 PID 3240 wrote to memory of 3708 3240 cmd.exe 86 PID 3240 wrote to memory of 3708 3240 cmd.exe 86 PID 3708 wrote to memory of 2224 3708 net.exe 87 PID 3708 wrote to memory of 2224 3708 net.exe 87 PID 3708 wrote to memory of 2224 3708 net.exe 87 PID 1040 wrote to memory of 2176 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 88 PID 1040 wrote to memory of 2176 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 88 PID 1040 wrote to memory of 2176 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 88 PID 1040 wrote to memory of 2176 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 88 PID 1040 wrote to memory of 2176 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 88 PID 1040 wrote to memory of 2176 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 88 PID 1040 wrote to memory of 2176 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 88 PID 1040 wrote to memory of 2176 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 88 PID 1040 wrote to memory of 2176 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 88 PID 1040 wrote to memory of 2176 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 88 PID 1040 wrote to memory of 2176 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 88 PID 1040 wrote to memory of 2176 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 88 PID 1040 wrote to memory of 2176 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 88 PID 1040 wrote to memory of 2176 1040 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 88 PID 2176 wrote to memory of 1516 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 90 PID 2176 wrote to memory of 1516 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 90 PID 2176 wrote to memory of 1516 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 90 PID 2176 wrote to memory of 1920 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 91 PID 2176 wrote to memory of 1920 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 91 PID 2176 wrote to memory of 1920 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 91 PID 2176 wrote to memory of 3836 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 94 PID 2176 wrote to memory of 3836 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 94 PID 2176 wrote to memory of 3836 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 94 PID 1516 wrote to memory of 1848 1516 cmd.exe 96 PID 1516 wrote to memory of 1848 1516 cmd.exe 96 PID 1516 wrote to memory of 1848 1516 cmd.exe 96 PID 1920 wrote to memory of 4760 1920 cmd.exe 97 PID 1920 wrote to memory of 4760 1920 cmd.exe 97 PID 1920 wrote to memory of 4760 1920 cmd.exe 97 PID 3836 wrote to memory of 3252 3836 cmd.exe 98 PID 3836 wrote to memory of 3252 3836 cmd.exe 98 PID 3836 wrote to memory of 3252 3836 cmd.exe 98 PID 2176 wrote to memory of 636 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 99 PID 2176 wrote to memory of 636 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 99 PID 2176 wrote to memory of 636 2176 38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe 99 PID 636 wrote to memory of 3040 636 msdcsc.exe 100 PID 636 wrote to memory of 3040 636 msdcsc.exe 100 PID 636 wrote to memory of 3040 636 msdcsc.exe 100 PID 636 wrote to memory of 348 636 msdcsc.exe 101 PID 636 wrote to memory of 348 636 msdcsc.exe 101 PID 636 wrote to memory of 348 636 msdcsc.exe 101 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion msdcsc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" msdcsc.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 4760 attrib.exe 1848 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe"C:\Users\Admin\AppData\Local\Temp\38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
PID:2224
-
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4752
-
-
C:\Users\Admin\AppData\Local\Temp\38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exeC:\Users\Admin\AppData\Local\Temp\38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe" +s +h3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe" +s +h4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1848
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4760
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe"3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 44⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3252
-
-
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc4⤵
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\SysWOW64\net.exenet stop MpsSvc5⤵
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc6⤵
- System Location Discovery: System Language Discovery
PID:880
-
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"4⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:348
-
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeC:\Users\Admin\Documents\MSDCSC\msdcsc.exe4⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- System policy modification
PID:1060
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\38ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e.exe
Filesize864KB
MD5154831ca12b23ff1b10b3900ec4cbb99
SHA17183eace34de8cb38e5b57845096188342f394ca
SHA25638ddbd7df2d92bc13ccce06c95ee3fcb4ee3151095662330df9438b2e1a0c92e
SHA512b106e8ba82bd694e662abab6117ef293eeb01c5d01efc456326c692e5bfa20a4ebea8678e60f3a8f9eaa5ec3d22f4c7c24d98d6ded07fed5493ce94bb1b9afab