Analysis
max time kernel: 110s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/01/2025, 20:36
Static task: static1
Behavioral task: behavioral1
Sample: 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe
Resource: win7-20241010-en
General
Target: 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe
Size: 864KB
MD5: 6c0de5b944735fb6574dcdd8b7d563c0
SHA1: c2c1032481f7194cbf3e24933ef6671af38f0c2c
SHA256: 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838
SHA512: f80bfabbcb0dafd0ec94abe4c9deac50ecce54cd4ce341e9ff1072d4a63f4266051d8ce2c818dc5e8558a94e32b0c0321175d19992537d9beb50dc66c4f28b33
SSDEEP: 24576:lJzKTyB6LIVewBV5nmEY9OY847pKdLCAN:fz16LIzpmHD84O
Malware Config
Signatures
- Darkcomet family
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe
- Modifies firewall policy service (3 TTPs, 9 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | iexplore.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | iexplore.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | iexplore.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | iexplore.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | iexplore.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | iexplore.exe
- Modifies security service (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | iexplore.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | iexplore.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msdcsc.exe
- Windows security bypass (6 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | iexplore.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | iexplore.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | iexplore.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | iexplore.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
- Disables RegEdit via registry modification (3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | msdcsc.exe
- Disables Task Manager via registry modification
- Sets file to hidden (1 TTPs, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid | Process
  2884 | attrib.exe
  1952 | attrib.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  3172 | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe
  1608 | msdcsc.exe
  4788 | msdcsc.exe
- Windows security modification (2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
- Adds Run key to start application (2 TTPs, 6 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | msdcsc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | iexplore.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 4488 set thread context of 4568 | 4488 | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe | 83
  PID 4488 set thread context of 3172 | 4488 | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe | 87
  PID 1608 set thread context of 4472 | 1608 | msdcsc.exe | 103
  PID 1608 set thread context of 4788 | 1608 | msdcsc.exe | 107
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 18 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  4520 | cmd.exe
  4112 | PING.EXE
- Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe
- Runs net.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  4112 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid | Process
  4488 | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe (8 events)
  1608 | msdcsc.exe (8 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  4568 | iexplore.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Tokens for pid 4568, iexplore.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  Tokens for pid 3172, 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  Tokens for pid 4472, iexplore.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  4488 | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe
  4568 | iexplore.exe
  1608 | msdcsc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4488 wrote to memory of 1148 | 4488 | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe | 82 (3 events)
  PID 4488 wrote to memory of 4568 | 4488 | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe | 83 (14 events)
  PID 1148 wrote to memory of 1920 | 1148 | cmd.exe | 85 (3 events)
  PID 1920 wrote to memory of 3344 | 1920 | net.exe | 86 (3 events)
  PID 4488 wrote to memory of 3172 | 4488 | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe | 87 (14 events)
  PID 3172 wrote to memory of 3692 | 3172 | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe | 91 (3 events)
  PID 3172 wrote to memory of 4668 | 3172 | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe | 92 (3 events)
  PID 3172 wrote to memory of 4520 | 3172 | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe | 94 (3 events)
  PID 4520 wrote to memory of 4112 | 4520 | cmd.exe | 97 (3 events)
  PID 3692 wrote to memory of 2884 | 3692 | cmd.exe | 98 (3 events)
  PID 4668 wrote to memory of 1952 | 4668 | cmd.exe | 100 (3 events)
  PID 3172 wrote to memory of 1608 | 3172 | 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe | 101 (3 events)
  PID 1608 wrote to memory of 640 | 1608 | msdcsc.exe | 102 (3 events)
  PID 1608 wrote to memory of 4472 | 1608 | msdcsc.exe | 103 (3 events)
- System policy modification (1 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  pid | Process
  2884 | attrib.exe
  1952 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe"
  PID: 4488
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: /c net stop MpsSvc
    PID: 1148
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop MpsSvc
      PID: 1920
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop MpsSvc
        PID: 3344
        - System Location Discovery: System Language Discovery
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    PID: 4568
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe
    PID: 3172
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe" +s +h
      PID: 3692
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe" +s +h
        PID: 2884
        - Sets file to hidden
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      PID: 4668
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        PID: 1952
        - Sets file to hidden
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe"
      PID: 4520
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 4
        PID: 4112
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
    - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      PID: 1608
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: /c net stop MpsSvc
        PID: 640
        - System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\net.exe
          Command line: net stop MpsSvc
          PID: 1852
          - System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 stop MpsSvc
            PID: 412
            - System Location Discovery: System Language Discovery
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        PID: 4472
        - Modifies firewall policy service
        - Modifies security service
        - Windows security bypass
        - Disables RegEdit via registry modification
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        PID: 4788
        - Modifies firewall policy service
        - Modifies security service
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - System policy modification
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (3)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (2)
  Modify Registry (7)
Downloads
- C:\Users\Admin\AppData\Local\Temp\46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838N.exe
  Filesize: 864KB
  MD5: 6c0de5b944735fb6574dcdd8b7d563c0
  SHA1: c2c1032481f7194cbf3e24933ef6671af38f0c2c
  SHA256: 46277ff9b64c1e0c101dbfcbcd3b6522c53246cf2b5d87456cebe1f2efb72838
  SHA512: f80bfabbcb0dafd0ec94abe4c9deac50ecce54cd4ce341e9ff1072d4a63f4266051d8ce2c818dc5e8558a94e32b0c0321175d19992537d9beb50dc66c4f28b33