darkcomet | 764641bdf9ccf9882c420a154096938fd6d24058e59ccfaf66c9408d16e7872b

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9a562bd7d17c7d6d03ab184743c4f931.exe
Size

6.5MB
MD5

9a562bd7d17c7d6d03ab184743c4f931
SHA1

9ca8540864223697483a0a35d6a36090aa6ef3e1
SHA256

764641bdf9ccf9882c420a154096938fd6d24058e59ccfaf66c9408d16e7872b
SHA512

d09dd1e68fbd656a19fd4f9088b1e7fbe78b3299f37bb81d93bb13744b99a0d24612788412d0706b081b805efe1d0fc8589b01582ad06007b27562ee6bd3ab83
SSDEEP

49152:1jSv/ee5IcdYh5jlGCYtlPqL03jYsnpKngBdPnh2BpwqJ4151UdXEaoMMSxCDwUL:

Score

10^/10

darkcomet discovery evasion persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchost.exe"	divix.exe

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\Avatar.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Avatar.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Avatar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Avatar.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	Avatar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Avatar.exe"	Avatar.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4CFAA58-ACEB-8B9F-ABBE-3323CCDF9BCE}	Avatar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4CFAA58-ACEB-8B9F-ABBE-3323CCDF9BCE}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Avatar.exe"	Avatar.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{E4CFAA58-ACEB-8B9F-ABBE-3323CCDF9BCE}	Avatar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{E4CFAA58-ACEB-8B9F-ABBE-3323CCDF9BCE}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Avatar.exe"	Avatar.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	divix.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_9a562bd7d17c7d6d03ab184743c4f931.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	msnmsgr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	divix.exe

Executes dropped EXE 5 IoCs

pid	Process
4756	msnmsgr.exe
4880	Zerr0_Injector.exe
3744	Avatar.exe
2740	divix.exe
4604	svchost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Windows\\system32\\svchost.exe"	divix.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Avatar.exe"	Avatar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Avatar.exe"	Avatar.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchost.exe	divix.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe	divix.exe
File opened for modification	C:\Windows\SysWOW64\	divix.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3744-45-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/files/0x0007000000023c9e-42.dat	upx
behavioral2/memory/3744-56-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3744-58-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3744-61-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3744-63-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3744-65-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3744-68-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3744-70-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3744-72-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3744-77-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3744-79-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3744-81-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3744-84-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3744-86-0x0000000000400000-0x0000000000460000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avatar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	divix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9a562bd7d17c7d6d03ab184743c4f931.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zerr0_Injector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	divix.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	divix.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	divix.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	divix.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	divix.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
836	reg.exe
548	reg.exe
4196	reg.exe
2324	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe
4880	Zerr0_Injector.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2740	divix.exe
Token: SeSecurityPrivilege	2740	divix.exe
Token: SeTakeOwnershipPrivilege	2740	divix.exe
Token: SeLoadDriverPrivilege	2740	divix.exe
Token: SeSystemProfilePrivilege	2740	divix.exe
Token: SeSystemtimePrivilege	2740	divix.exe
Token: SeProfSingleProcessPrivilege	2740	divix.exe
Token: SeIncBasePriorityPrivilege	2740	divix.exe
Token: SeCreatePagefilePrivilege	2740	divix.exe
Token: SeBackupPrivilege	2740	divix.exe
Token: SeRestorePrivilege	2740	divix.exe
Token: SeShutdownPrivilege	2740	divix.exe
Token: SeDebugPrivilege	2740	divix.exe
Token: SeSystemEnvironmentPrivilege	2740	divix.exe
Token: SeChangeNotifyPrivilege	2740	divix.exe
Token: SeRemoteShutdownPrivilege	2740	divix.exe
Token: SeUndockPrivilege	2740	divix.exe
Token: SeManageVolumePrivilege	2740	divix.exe
Token: SeImpersonatePrivilege	2740	divix.exe
Token: SeCreateGlobalPrivilege	2740	divix.exe
Token: 33	2740	divix.exe
Token: 34	2740	divix.exe
Token: 35	2740	divix.exe
Token: 36	2740	divix.exe
Token: 1	3744	Avatar.exe
Token: SeCreateTokenPrivilege	3744	Avatar.exe
Token: SeAssignPrimaryTokenPrivilege	3744	Avatar.exe
Token: SeLockMemoryPrivilege	3744	Avatar.exe
Token: SeIncreaseQuotaPrivilege	3744	Avatar.exe
Token: SeMachineAccountPrivilege	3744	Avatar.exe
Token: SeTcbPrivilege	3744	Avatar.exe
Token: SeSecurityPrivilege	3744	Avatar.exe
Token: SeTakeOwnershipPrivilege	3744	Avatar.exe
Token: SeLoadDriverPrivilege	3744	Avatar.exe
Token: SeSystemProfilePrivilege	3744	Avatar.exe
Token: SeSystemtimePrivilege	3744	Avatar.exe
Token: SeProfSingleProcessPrivilege	3744	Avatar.exe
Token: SeIncBasePriorityPrivilege	3744	Avatar.exe
Token: SeCreatePagefilePrivilege	3744	Avatar.exe
Token: SeCreatePermanentPrivilege	3744	Avatar.exe
Token: SeBackupPrivilege	3744	Avatar.exe
Token: SeRestorePrivilege	3744	Avatar.exe
Token: SeShutdownPrivilege	3744	Avatar.exe
Token: SeDebugPrivilege	3744	Avatar.exe
Token: SeAuditPrivilege	3744	Avatar.exe
Token: SeSystemEnvironmentPrivilege	3744	Avatar.exe
Token: SeChangeNotifyPrivilege	3744	Avatar.exe
Token: SeRemoteShutdownPrivilege	3744	Avatar.exe
Token: SeUndockPrivilege	3744	Avatar.exe
Token: SeSyncAgentPrivilege	3744	Avatar.exe
Token: SeEnableDelegationPrivilege	3744	Avatar.exe
Token: SeManageVolumePrivilege	3744	Avatar.exe
Token: SeImpersonatePrivilege	3744	Avatar.exe
Token: SeCreateGlobalPrivilege	3744	Avatar.exe
Token: 31	3744	Avatar.exe
Token: 32	3744	Avatar.exe
Token: 33	3744	Avatar.exe
Token: 34	3744	Avatar.exe
Token: 35	3744	Avatar.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3744	Avatar.exe
3744	Avatar.exe
3744	Avatar.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 4756	4720	JaffaCakes118_9a562bd7d17c7d6d03ab184743c4f931.exe	82
PID 4720 wrote to memory of 4756	4720	JaffaCakes118_9a562bd7d17c7d6d03ab184743c4f931.exe	82
PID 4720 wrote to memory of 4756	4720	JaffaCakes118_9a562bd7d17c7d6d03ab184743c4f931.exe	82
PID 4756 wrote to memory of 4880	4756	msnmsgr.exe	83
PID 4756 wrote to memory of 4880	4756	msnmsgr.exe	83
PID 4756 wrote to memory of 4880	4756	msnmsgr.exe	83
PID 4756 wrote to memory of 3744	4756	msnmsgr.exe	84
PID 4756 wrote to memory of 3744	4756	msnmsgr.exe	84
PID 4756 wrote to memory of 3744	4756	msnmsgr.exe	84
PID 4756 wrote to memory of 2740	4756	msnmsgr.exe	85
PID 4756 wrote to memory of 2740	4756	msnmsgr.exe	85
PID 4756 wrote to memory of 2740	4756	msnmsgr.exe	85
PID 3744 wrote to memory of 208	3744	Avatar.exe	87
PID 3744 wrote to memory of 208	3744	Avatar.exe	87
PID 3744 wrote to memory of 208	3744	Avatar.exe	87
PID 3744 wrote to memory of 2140	3744	Avatar.exe	88
PID 3744 wrote to memory of 2140	3744	Avatar.exe	88
PID 3744 wrote to memory of 2140	3744	Avatar.exe	88
PID 3744 wrote to memory of 220	3744	Avatar.exe	89
PID 3744 wrote to memory of 220	3744	Avatar.exe	89
PID 3744 wrote to memory of 220	3744	Avatar.exe	89
PID 3744 wrote to memory of 2104	3744	Avatar.exe	90
PID 3744 wrote to memory of 2104	3744	Avatar.exe	90
PID 3744 wrote to memory of 2104	3744	Avatar.exe	90
PID 2740 wrote to memory of 2548	2740	divix.exe	86
PID 2740 wrote to memory of 2548	2740	divix.exe	86
PID 2740 wrote to memory of 2548	2740	divix.exe	86
PID 2104 wrote to memory of 2324	2104	cmd.exe	95
PID 2104 wrote to memory of 2324	2104	cmd.exe	95
PID 2104 wrote to memory of 2324	2104	cmd.exe	95
PID 2740 wrote to memory of 4604	2740	divix.exe	96
PID 2740 wrote to memory of 4604	2740	divix.exe	96
PID 2740 wrote to memory of 4604	2740	divix.exe	96
PID 220 wrote to memory of 836	220	cmd.exe	97
PID 220 wrote to memory of 836	220	cmd.exe	97
PID 220 wrote to memory of 836	220	cmd.exe	97
PID 208 wrote to memory of 548	208	cmd.exe	98
PID 208 wrote to memory of 548	208	cmd.exe	98
PID 208 wrote to memory of 548	208	cmd.exe	98
PID 2140 wrote to memory of 4196	2140	cmd.exe	99
PID 2140 wrote to memory of 4196	2140	cmd.exe	99
PID 2140 wrote to memory of 4196	2140	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a562bd7d17c7d6d03ab184743c4f931.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a562bd7d17c7d6d03ab184743c4f931.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4720
- C:\ProgramData\HcCHDPShDEN\XSvLexRMBgpqot\3.13.35.6996\msnmsgr.exe
  "C:\ProgramData\HcCHDPShDEN\XSvLexRMBgpqot\3.13.35.6996\msnmsgr.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Users\Admin\AppData\Local\Temp\Zerr0_Injector.exe
    "C:\Users\Admin\AppData\Local\Temp\Zerr0_Injector.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4880
- - C:\Users\Admin\AppData\Local\Temp\Avatar.exe
    "C:\Users\Admin\AppData\Local\Temp\Avatar.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:548
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Avatar.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Avatar.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2140
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Avatar.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Avatar.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4196
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:836
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Avatar.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Avatar.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Avatar.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Avatar.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2324
- - C:\Users\Admin\AppData\Local\Temp\divix.exe
    "C:\Users\Admin\AppData\Local\Temp\divix.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      PID:2548
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HcCHDPShDEN\XSvLexRMBgpqot\3.13.35.6996\msnmsgr.exe

Filesize
4.8MB

MD5
da5b33de2fc1556eb39dde6955bcf2c3

SHA1
38f4608e1d0a7bf04d22e751e40aa8f63322ef75

SHA256
0af8bcbc9b11d3aba3a8aafc05f0ae1a901d78faf1d184c4357bea641c1c6553

SHA512
b32a72ae66818451667d9a76fbc217c6300068f847317ca62205d9aca56700545e4fc7655728fbefb9d17ea0e128b1d8c47523e09bc602a3d34244f23681c0ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Avatar.exe

Filesize
119KB

MD5
5f101c7232a82b4f80015dcd742c3f9f

SHA1
b4f58a174f714fd5591156779ec4bc7d6476e401

SHA256
e6d54de1d636c9789a9e39d63cbdae0ddad4111b2c8ee67f618c0c493995b585

SHA512
37951d7dcd0466848ccb25c297ea7200fb5f11787dc40285e63854c9c0d365d9cc3248816ccca58a2c246057c93abad4974bc42b07d82c1e53b2c418514eb82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zerr0_Injector.exe

Filesize
1.1MB

MD5
5dce83fcd35f90f58d6de4801bf42eb2

SHA1
94502dd4ebe743b49cf950457eabc3349b2286be

SHA256
fd242e31afc573e3a5d90d3cbf502f8860431f03d2674fd18e222457abd83df2

SHA512
958aae9b14a57f18feffe931af75367810ae3f02cce9873e09ed2109c66d87e54b03b52b76b31b354ec659525be10dd02e270cf6cafb08e0f6457f1326be4f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\divix.exe

Filesize
635KB

MD5
9ca04ff270d68da6ed9d957edcf4fd4a

SHA1
c171438a23043875e082fa4e69c95d6ec8e71907

SHA256
9c5c1bbc0448b9b9e86c67aa502ac7bfec325b0ffd1aa074542101b0d16b749b

SHA512
30c37338060fc7ecb90703ea1861480bf13dfa899e8d35db67dc83397941625699b5e73291f64e71092e04ea75505133cc9597315818ca629c01c5e27d76ac88

Download Submit
C:\Windows\SysWOW64\svchost.exe

Filesize
45KB

MD5
b7c999040d80e5bf87886d70d992c51e

SHA1
a8ed9a51cc14ccf99b670e60ebbc110756504929

SHA256
5c3257b277f160109071e7e716040e67657341d8c42aa68d9afafe1630fcc53e

SHA512
71ba2fbd705e51b488afe3bb33a67212cf297e97e8b1b20ada33e16956f7ec8f89a79e04a4b256fd61a442fada690aff0c807c2bdcc9165a9c7be3de725de309

Download Submit
memory/2740-53-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3744-56-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3744-72-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3744-86-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3744-45-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3744-84-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3744-81-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3744-79-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3744-77-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3744-70-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3744-68-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3744-58-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3744-61-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3744-63-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3744-65-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4720-0-0x0000000074A42000-0x0000000074A43000-memory.dmp

Filesize
4KB

Download
memory/4720-1-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/4720-2-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/4720-16-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-18-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-17-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-48-0x0000000074A40000-0x0000000074FF1000-memory.dmp

Filesize
5.7MB

Download
memory/4880-54-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download