darkcomet | b3847c94d840dd53c3ba7248734424f06715deacf6dd6ebb727c2f1a7de4c945

Resubmissions

14-01-2025 06:18

250114-g2qvnsyrdy 7

14-01-2025 06:15

14-01-2025 06:10

14-01-2025 06:09

03-07-2022 12:33

Analysis

max time kernel
15s
max time network
11s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ultima_Multihack.exe
Size

6.4MB
MD5

a2f01be6e514a6cd3424f9762f2c5b02
SHA1

1553dd3e3556f2c82ab312659d5184952d0b9a4e
SHA256

b3847c94d840dd53c3ba7248734424f06715deacf6dd6ebb727c2f1a7de4c945
SHA512

fa9dd15980bd80bcd250a1ac990281824f822635b8d3bb7d1d1a78958c8ec084e775735c3c14c09337076c3f4fe1185cd06cfb4cd989fcc0be78bd99c577e616
SSDEEP

196608:j6bFse+vAqC6Fe656nqpB9zDXq9frWSCuHynw:ebFsXIqje656qpB9zDa9DWSCwynw

Score

10^/10

darkcomet sazan discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

sussysdfffdfff343.duckdns.org:1604

Mutex

DC_MUTEX-LJTACQW

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
l51rypEngfWg
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	loader.exe

Modifies firewall policy service 3 TTPs 9 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	loader.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	loader.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	loader.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	loader.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Disables RegEdit via registry modification 3 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	loader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msdcsc.exe

Executes dropped EXE 4 IoCs

pid	Process
2884	ultima.exe
2612	loader.exe
2920	msdcsc.exe
1520	loader.exe

Loads dropped DLL 8 IoCs

pid	Process
2884	ultima.exe
2884	ultima.exe
2804	cmd.exe
2804	cmd.exe
2612	loader.exe
2612	loader.exe
1580	cmd.exe
1580	cmd.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	loader.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	loader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2920 set thread context of 2716	2920	msdcsc.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultima_Multihack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ultima.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2884	ultima.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2612	loader.exe
Token: SeSecurityPrivilege	2612	loader.exe
Token: SeTakeOwnershipPrivilege	2612	loader.exe
Token: SeLoadDriverPrivilege	2612	loader.exe
Token: SeSystemProfilePrivilege	2612	loader.exe
Token: SeSystemtimePrivilege	2612	loader.exe
Token: SeProfSingleProcessPrivilege	2612	loader.exe
Token: SeIncBasePriorityPrivilege	2612	loader.exe
Token: SeCreatePagefilePrivilege	2612	loader.exe
Token: SeBackupPrivilege	2612	loader.exe
Token: SeRestorePrivilege	2612	loader.exe
Token: SeShutdownPrivilege	2612	loader.exe
Token: SeDebugPrivilege	2612	loader.exe
Token: SeSystemEnvironmentPrivilege	2612	loader.exe
Token: SeChangeNotifyPrivilege	2612	loader.exe
Token: SeRemoteShutdownPrivilege	2612	loader.exe
Token: SeUndockPrivilege	2612	loader.exe
Token: SeManageVolumePrivilege	2612	loader.exe
Token: SeImpersonatePrivilege	2612	loader.exe
Token: SeCreateGlobalPrivilege	2612	loader.exe
Token: 33	2612	loader.exe
Token: 34	2612	loader.exe
Token: 35	2612	loader.exe
Token: SeIncreaseQuotaPrivilege	2920	msdcsc.exe
Token: SeSecurityPrivilege	2920	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2920	msdcsc.exe
Token: SeLoadDriverPrivilege	2920	msdcsc.exe
Token: SeSystemProfilePrivilege	2920	msdcsc.exe
Token: SeSystemtimePrivilege	2920	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2920	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2920	msdcsc.exe
Token: SeCreatePagefilePrivilege	2920	msdcsc.exe
Token: SeBackupPrivilege	2920	msdcsc.exe
Token: SeRestorePrivilege	2920	msdcsc.exe
Token: SeShutdownPrivilege	2920	msdcsc.exe
Token: SeDebugPrivilege	2920	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2920	msdcsc.exe
Token: SeChangeNotifyPrivilege	2920	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2920	msdcsc.exe
Token: SeUndockPrivilege	2920	msdcsc.exe
Token: SeManageVolumePrivilege	2920	msdcsc.exe
Token: SeImpersonatePrivilege	2920	msdcsc.exe
Token: SeCreateGlobalPrivilege	2920	msdcsc.exe
Token: 33	2920	msdcsc.exe
Token: 34	2920	msdcsc.exe
Token: 35	2920	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2716	iexplore.exe
Token: SeSecurityPrivilege	2716	iexplore.exe
Token: SeTakeOwnershipPrivilege	2716	iexplore.exe
Token: SeLoadDriverPrivilege	2716	iexplore.exe
Token: SeSystemProfilePrivilege	2716	iexplore.exe
Token: SeSystemtimePrivilege	2716	iexplore.exe
Token: SeProfSingleProcessPrivilege	2716	iexplore.exe
Token: SeIncBasePriorityPrivilege	2716	iexplore.exe
Token: SeCreatePagefilePrivilege	2716	iexplore.exe
Token: SeBackupPrivilege	2716	iexplore.exe
Token: SeRestorePrivilege	2716	iexplore.exe
Token: SeShutdownPrivilege	2716	iexplore.exe
Token: SeDebugPrivilege	2716	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2716	iexplore.exe
Token: SeChangeNotifyPrivilege	2716	iexplore.exe
Token: SeRemoteShutdownPrivilege	2716	iexplore.exe
Token: SeUndockPrivilege	2716	iexplore.exe
Token: SeManageVolumePrivilege	2716	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2716	iexplore.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2060	2528	Ultima_Multihack.exe	30
PID 2528 wrote to memory of 2060	2528	Ultima_Multihack.exe	30
PID 2528 wrote to memory of 2060	2528	Ultima_Multihack.exe	30
PID 2528 wrote to memory of 2060	2528	Ultima_Multihack.exe	30
PID 2060 wrote to memory of 2884	2060	cmd.exe	32
PID 2060 wrote to memory of 2884	2060	cmd.exe	32
PID 2060 wrote to memory of 2884	2060	cmd.exe	32
PID 2060 wrote to memory of 2884	2060	cmd.exe	32
PID 2884 wrote to memory of 2804	2884	ultima.exe	33
PID 2884 wrote to memory of 2804	2884	ultima.exe	33
PID 2884 wrote to memory of 2804	2884	ultima.exe	33
PID 2884 wrote to memory of 2804	2884	ultima.exe	33
PID 2804 wrote to memory of 2612	2804	cmd.exe	35
PID 2804 wrote to memory of 2612	2804	cmd.exe	35
PID 2804 wrote to memory of 2612	2804	cmd.exe	35
PID 2804 wrote to memory of 2612	2804	cmd.exe	35
PID 2612 wrote to memory of 2920	2612	loader.exe	36
PID 2612 wrote to memory of 2920	2612	loader.exe	36
PID 2612 wrote to memory of 2920	2612	loader.exe	36
PID 2612 wrote to memory of 2920	2612	loader.exe	36
PID 2920 wrote to memory of 2716	2920	msdcsc.exe	37
PID 2920 wrote to memory of 2716	2920	msdcsc.exe	37
PID 2920 wrote to memory of 2716	2920	msdcsc.exe	37
PID 2920 wrote to memory of 2716	2920	msdcsc.exe	37
PID 2920 wrote to memory of 2716	2920	msdcsc.exe	37
PID 2920 wrote to memory of 2716	2920	msdcsc.exe	37
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2716 wrote to memory of 2656	2716	iexplore.exe	38
PID 2884 wrote to memory of 1580	2884	ultima.exe	40
PID 2884 wrote to memory of 1580	2884	ultima.exe	40
PID 2884 wrote to memory of 1580	2884	ultima.exe	40
PID 2884 wrote to memory of 1580	2884	ultima.exe	40
PID 1580 wrote to memory of 1520	1580	cmd.exe	42
PID 1580 wrote to memory of 1520	1580	cmd.exe	42
PID 1580 wrote to memory of 1520	1580	cmd.exe	42
PID 1580 wrote to memory of 1520	1580	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\Ultima_Multihack.exe
"C:\Users\Admin\AppData\Local\Temp\Ultima_Multihack.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A64D.tmp\A64E.tmp\A64F.bat C:\Users\Admin\AppData\Local\Temp\Ultima_Multihack.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Local\Temp\A64D.tmp\ultima.exe
    ultima.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\A64D.tmp\launcher.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Users\Admin\AppData\Local\Temp\A64D.tmp\loader.exe
        
        loader.exe
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Modifies firewall policy service
        Modifies security service
        Windows security bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        7⤵
        Modifies firewall policy service
        Modifies security service
        Windows security bypass
        Disables RegEdit via registry modification
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\A64D.tmp\launcher.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Users\Admin\AppData\Local\Temp\A64D.tmp\loader.exe
        
        loader.exe
        5⤵
        Modifies firewall policy service
        Modifies security service
        Windows security bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        
        PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A64D.tmp\A64E.tmp\A64F.bat

Filesize
48B

MD5
a703e72757cc5721f6604f29501d1fcb

SHA1
f296318971c483966d39548c7b26072c58b1cb63

SHA256
b7a7e70f4a51a62b70a08919924409d102b3d797189cca93295a24caa7fa4508

SHA512
f6c68271b63dedda9d7269d5a055b61ef68c5d9f6022e99cb1f08c1737085276c8ad63a7f79041b0076b960144cded460175b9ba09465e6641f00fff455b7764

Download Submit
C:\Users\Admin\AppData\Local\Temp\A64D.tmp\launcher.bat

Filesize
29B

MD5
14051903ecd83d03ce60bb5727003bb8

SHA1
30859f29275844876b926f226037bd53347dcb38

SHA256
3adcf0469cc7fd97e9e747afcd8564f64c4339b91033a1478d1786de4ca40c84

SHA512
e729ba7ea97c60c89415e4ab43eb2f347a3325a785b8ca6820f59d8f1044f846c11817e2c4c585a81330ea42e556d7f5f46f9840e0bdedc4661db59e76230608

Download Submit
C:\Users\Admin\AppData\Local\Temp\A64D.tmp\ultima.exe

Filesize
5.8MB

MD5
c67ec628289d5c29f6d3b925a8c0f4f9

SHA1
cf7710c70bdf807130f86241e1e6829594345fb7

SHA256
291c70fb8033924f6767371e3d5a53c896c57abc914b5729ef0a082cb63903fb

SHA512
c6ef4e80f7a84f8c675576c18e753273eb5b345843c1c6d571137adbcd66214e2284e7e3d730fa8a5c0314edbac9ab70ab9b7c0eaa1668fe22e36fde9121a97f

Download Submit
\Users\Admin\AppData\Local\Temp\A64D.tmp\Bunifu_UI_v1.5.3.dll

Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
\Users\Admin\AppData\Local\Temp\A64D.tmp\loader.exe

Filesize
659KB

MD5
559e77c66347f99fc2ab5e9ef757ce0d

SHA1
86bd1056e44cdf6dcd3188e16f55cef80a840949

SHA256
8d5f887270c6f0c2b383c57435bbf7d222ce416a09b3d74d4e1d80608543d0ce

SHA512
30f67914a11b57dd69d4f2715c03477d934442169db37c5b74e91d0fb8cbf00b3d4fbd94a38b3ed456b9363d551e2b22756087c19cea53eb3da52eb5fd8515e9

Download Submit
memory/1520-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2612-77-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2656-76-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2656-38-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2716-36-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2884-78-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/2884-19-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2884-17-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2884-18-0x00000000024B0000-0x00000000024F2000-memory.dmp

Filesize
264KB

Download
memory/2884-13-0x00000000003D0000-0x00000000009A4000-memory.dmp

Filesize
5.8MB

Download
memory/2884-12-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/2884-83-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2884-84-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2884-85-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-37-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads