darkcomet | 3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/02/2025, 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Size

659KB
MD5

2767d03d18bb350f7a79727d88ed6055
SHA1

319636dd0a845cca392706ed3668eec3681c99fa
SHA256

3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784
SHA512

634e4ae7e2ff933ba40ea69e35332021923ce8c715c1b2d384241f1b8dc8aba894df511cea320545a2a3e6e01437752955bbdcfe8263833976d6054a46744e47
SSDEEP

12288:OQ50wlFE0Zen1Rm8bvfShkU0n4eujffBjmcXI2L2WoH6HCGePcatHl9/+:TWJm8bvK+U0MjRjmcXp2BoCGmn9

Score

10^/10

darkcomet stdeb discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

STDeb

127.0.0.1:1604

allseeingeyes.ddns.net:1604

allseeingeyes.ddns.net:50

allseeingeyes.ddns.net:51

allseeingeyes.ddns.net:52

allseeingeyes.ddns.net:139

Mutex

DC_MUTEX-BH7SGT0

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
J6rFjSkS7kJD
install
true
offline_keylogger
true
persistence
true
reg_key
winupdate

rc4.plain

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe

Executes dropped EXE 2 IoCs

pid	Process
3000	msdcsc.exe
1612	msdcsc.exe

Loads dropped DLL 1 IoCs

pid	Process
2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\ivRetMSP.exe"	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\ivRetMSP.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\ldVEMxvJ.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\ldVEMxvJ.exe"	reg.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 2896	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	34
PID 3000 set thread context of 1612	3000	msdcsc.exe	42
PID 2224 set thread context of 1028	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	46
PID 2224 set thread context of 1976	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	47
PID 2224 set thread context of 1748	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	48
PID 2224 set thread context of 1700	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	49
PID 2224 set thread context of 2384	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	50
PID 2224 set thread context of 2088	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	52
PID 2224 set thread context of 2972	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	53
PID 2224 set thread context of 1112	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	54
PID 2224 set thread context of 3040	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	55

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
3000	msdcsc.exe
2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
3000	msdcsc.exe
2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
3000	msdcsc.exe
2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
3000	msdcsc.exe
2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
3000	msdcsc.exe
2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
3000	msdcsc.exe
2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
3000	msdcsc.exe
2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
3000	msdcsc.exe
2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
3000	msdcsc.exe
2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
3000	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeIncreaseQuotaPrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSecurityPrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeTakeOwnershipPrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeLoadDriverPrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSystemProfilePrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSystemtimePrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeProfSingleProcessPrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeIncBasePriorityPrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeCreatePagefilePrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeBackupPrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeRestorePrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeShutdownPrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeDebugPrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSystemEnvironmentPrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeChangeNotifyPrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeRemoteShutdownPrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeUndockPrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeManageVolumePrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeImpersonatePrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeCreateGlobalPrivilege	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: 33	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: 34	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: 35	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeDebugPrivilege	3000	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	1612	msdcsc.exe
Token: SeSecurityPrivilege	1612	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1612	msdcsc.exe
Token: SeLoadDriverPrivilege	1612	msdcsc.exe
Token: SeSystemProfilePrivilege	1612	msdcsc.exe
Token: SeSystemtimePrivilege	1612	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1612	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1612	msdcsc.exe
Token: SeCreatePagefilePrivilege	1612	msdcsc.exe
Token: SeBackupPrivilege	1612	msdcsc.exe
Token: SeRestorePrivilege	1612	msdcsc.exe
Token: SeShutdownPrivilege	1612	msdcsc.exe
Token: SeDebugPrivilege	1612	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1612	msdcsc.exe
Token: SeChangeNotifyPrivilege	1612	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1612	msdcsc.exe
Token: SeUndockPrivilege	1612	msdcsc.exe
Token: SeManageVolumePrivilege	1612	msdcsc.exe
Token: SeImpersonatePrivilege	1612	msdcsc.exe
Token: SeCreateGlobalPrivilege	1612	msdcsc.exe
Token: 33	1612	msdcsc.exe
Token: 34	1612	msdcsc.exe
Token: 35	1612	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	1028	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSecurityPrivilege	1028	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeTakeOwnershipPrivilege	1028	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeLoadDriverPrivilege	1028	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSystemProfilePrivilege	1028	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSystemtimePrivilege	1028	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeProfSingleProcessPrivilege	1028	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeIncBasePriorityPrivilege	1028	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeCreatePagefilePrivilege	1028	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeBackupPrivilege	1028	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeRestorePrivilege	1028	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeShutdownPrivilege	1028	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeDebugPrivilege	1028	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeSystemEnvironmentPrivilege	1028	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeChangeNotifyPrivilege	1028	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
Token: SeRemoteShutdownPrivilege	1028	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1612	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2768	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	31
PID 2224 wrote to memory of 2768	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	31
PID 2224 wrote to memory of 2768	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	31
PID 2224 wrote to memory of 2768	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	31
PID 2768 wrote to memory of 2752	2768	csc.exe	33
PID 2768 wrote to memory of 2752	2768	csc.exe	33
PID 2768 wrote to memory of 2752	2768	csc.exe	33
PID 2768 wrote to memory of 2752	2768	csc.exe	33
PID 2224 wrote to memory of 2896	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	34
PID 2224 wrote to memory of 2896	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	34
PID 2224 wrote to memory of 2896	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	34
PID 2224 wrote to memory of 2896	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	34
PID 2224 wrote to memory of 2896	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	34
PID 2224 wrote to memory of 2896	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	34
PID 2224 wrote to memory of 2896	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	34
PID 2224 wrote to memory of 2896	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	34
PID 2224 wrote to memory of 2896	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	34
PID 2224 wrote to memory of 2896	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	34
PID 2224 wrote to memory of 2896	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	34
PID 2224 wrote to memory of 2896	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	34
PID 2224 wrote to memory of 2896	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	34
PID 2224 wrote to memory of 2564	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	35
PID 2224 wrote to memory of 2564	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	35
PID 2224 wrote to memory of 2564	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	35
PID 2224 wrote to memory of 2564	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	35
PID 2564 wrote to memory of 2432	2564	cmd.exe	37
PID 2564 wrote to memory of 2432	2564	cmd.exe	37
PID 2564 wrote to memory of 2432	2564	cmd.exe	37
PID 2564 wrote to memory of 2432	2564	cmd.exe	37
PID 2896 wrote to memory of 3000	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	38
PID 2896 wrote to memory of 3000	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	38
PID 2896 wrote to memory of 3000	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	38
PID 2896 wrote to memory of 3000	2896	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	38
PID 3000 wrote to memory of 2416	3000	msdcsc.exe	39
PID 3000 wrote to memory of 2416	3000	msdcsc.exe	39
PID 3000 wrote to memory of 2416	3000	msdcsc.exe	39
PID 3000 wrote to memory of 2416	3000	msdcsc.exe	39
PID 2416 wrote to memory of 2064	2416	csc.exe	41
PID 2416 wrote to memory of 2064	2416	csc.exe	41
PID 2416 wrote to memory of 2064	2416	csc.exe	41
PID 2416 wrote to memory of 2064	2416	csc.exe	41
PID 3000 wrote to memory of 1612	3000	msdcsc.exe	42
PID 3000 wrote to memory of 1612	3000	msdcsc.exe	42
PID 3000 wrote to memory of 1612	3000	msdcsc.exe	42
PID 3000 wrote to memory of 1612	3000	msdcsc.exe	42
PID 3000 wrote to memory of 1612	3000	msdcsc.exe	42
PID 3000 wrote to memory of 1612	3000	msdcsc.exe	42
PID 3000 wrote to memory of 1612	3000	msdcsc.exe	42
PID 3000 wrote to memory of 1612	3000	msdcsc.exe	42
PID 3000 wrote to memory of 1612	3000	msdcsc.exe	42
PID 3000 wrote to memory of 1612	3000	msdcsc.exe	42
PID 3000 wrote to memory of 1612	3000	msdcsc.exe	42
PID 3000 wrote to memory of 1612	3000	msdcsc.exe	42
PID 3000 wrote to memory of 1612	3000	msdcsc.exe	42
PID 3000 wrote to memory of 2732	3000	msdcsc.exe	43
PID 3000 wrote to memory of 2732	3000	msdcsc.exe	43
PID 3000 wrote to memory of 2732	3000	msdcsc.exe	43
PID 3000 wrote to memory of 2732	3000	msdcsc.exe	43
PID 2732 wrote to memory of 536	2732	cmd.exe	45
PID 2732 wrote to memory of 536	2732	cmd.exe	45
PID 2732 wrote to memory of 536	2732	cmd.exe	45
PID 2732 wrote to memory of 536	2732	cmd.exe	45
PID 2224 wrote to memory of 1028	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	46
PID 2224 wrote to memory of 1028	2224	3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe	46

C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
"C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0pz_zu1p.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA60.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEA5F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5txct_6x.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEC3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEEC2.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
  - - C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
      "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1612
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ldVEMxvJ.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ldVEMxvJ.exe
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:536
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ivRetMSP.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ivRetMSP.exe
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2432
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1976
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1748
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2384
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2972
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1112
- C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0pz_zu1p.dll

Filesize
1.3MB

MD5
f688a9a854cf0c56fac58957a93ae125

SHA1
a016ba7fb3622e8965a2c7aac16ff44f39536994

SHA256
9c83efead53fc0fafda1ad52cefb4e37d7fc68135f91b89111f403a6d184658d

SHA512
4a15a42850357c6e70a8ee4e89c7d78ed3a74fb1e0e68e750549f9209e2a4d7cf9bb3fd90e6908e250eb1b3b24f554224ac518bcfa45eaf3ac42f9f9f84dacdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5txct_6x.dll

Filesize
1.3MB

MD5
06e95e07632bf5a8c23aa4487f1d3cee

SHA1
738b00fefa5857cddaa47d72dae13e4a2740440f

SHA256
df86484d8937ee8019513b941de685eec0d4ce0199b7fcc1bc07d765d7481015

SHA512
5118c6b91f78522aa409555cb400fbcd8ce5a2ee485a20460c53a874f0d0c8232eda6e2b51ea9169dc1326f4a226d6330fef88a03707fb65664f564c264f4f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEA60.tmp

Filesize
1KB

MD5
7af5aa128cfe7574283d72fbf85828df

SHA1
b3f514c0f79b619c62d46fcf6096f94587abc689

SHA256
9dce2931c18ec84eb51180c703e4028f43152eee0b5e82c61150263dc631fcc1

SHA512
02f13996d036b817bed2f3a6500468ee2dc88aa5feff3760532a066799ca2d7ac3226d3564782e880f4bd0979fa7d54373ce8494b15c96b5433bdd4834ef3d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEEC3.tmp

Filesize
1KB

MD5
f797b468ad4cbc518725f76356480638

SHA1
dd381867a64fd89de89c899fa93709d7b4fcfe30

SHA256
48dec5f177be5bb35ef7d7f797fc2f5bd7e16536682714ddc3afcedf313e502c

SHA512
1a78f1ef2b7576cb95150779e7107614f1ce3a4d3945d30546b65dc50b62b76530d095cd8dfc01eb3484f2179298b047ac674cb95aed4994c93ed5b8068817f8

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe

Filesize
659KB

MD5
2767d03d18bb350f7a79727d88ed6055

SHA1
319636dd0a845cca392706ed3668eec3681c99fa

SHA256
3ec4df10da07b3505f3d0cc43c30f37ca9d5e8e2d8349cc5324402ce8e5f4784

SHA512
634e4ae7e2ff933ba40ea69e35332021923ce8c715c1b2d384241f1b8dc8aba894df511cea320545a2a3e6e01437752955bbdcfe8263833976d6054a46744e47

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0pz_zu1p.cmdline

Filesize
196B

MD5
e840603bb76676a9bfaa335fd7950d62

SHA1
14fb2c41086a469fc1b8beeadea3a737199208ec

SHA256
af8bd912349b1f43d325955b9d427a4a7b6b0245ac1aca2589b7c38c757093bc

SHA512
624e3a7e0388e8bc5534faeaec98b8dd2d0f9973f8edfeee8afaf29fc9245e641b93ffe40968f01bb368f0c516725371a717874c005418dc744e89f8008317c2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5txct_6x.cmdline

Filesize
196B

MD5
0bf2a900eed3967c74833347d2f3ce0f

SHA1
cc2c46308e3bcc397fdfcf373390ab9bf98b939e

SHA256
6f7ffef99c89f4bccc2e7baa54321cbe18483742c30bad6c33727856443985e8

SHA512
ee7ba336d16d92459348bcccb6a5f9f9a2232776184c95576a379f54457c6dffa6dd8fed8b59fca878e5d98851450a851eae84aead8251591cd6d19179891a29

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEA5F.tmp

Filesize
652B

MD5
680d0ac3ea1db70d1a57f823e6a02bf5

SHA1
40e32bed0035fb797a8c38a7bbb1d07905f34c84

SHA256
0ec5e79e0507da5cf0f90674d8bdfc570c8e4a4f1752b4ac4d5104710510f0fd

SHA512
bc6d9a76cf2c3e573066d733b1b0901b8143c93dee5649f47df4195c1c42ee7cbce094a318a7e34f96c78d14509d94e10c299dfb78ef7af8bf5a5ccf5829fe12

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEEC2.tmp

Filesize
652B

MD5
aaa1f3e8abf997bbf167ee8fe9e926b5

SHA1
6a1dc33d8a7e0edf8b341a25c5f622c39cf1b9a6

SHA256
37a71e6a9f286262cc9a3ed6a6c7f0f9bbbce69ef158428659b7b28741153228

SHA512
cce4d77fa37d3822b36f16a5639cd45bd474914acd54ad682b46a110512cfbc9fc906247b1a58dec3b37f01d7dd55c03e48d7e6dd61e786c154f9429b0069f47

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmpE86C.tmp.txt

Filesize
649KB

MD5
7120e9abe458cf85d553fe8ba1829632

SHA1
a5c9afe205d92681fdcae316c25a21d8bd0b63a2

SHA256
094a826cc6904668cf2894ed5f71c8d6240bd5e85b0cb6cb500c9cbbbbdb5007

SHA512
c3d912ecdfb8ab7c78867a1f65fbce42a4d48cf5f04be5a48dfc4828b44c5b63bcdc4d822c5fd1e03d69b68babd50fec7fa62f4df26269bdf0018c2053b7e706

Download Submit
memory/1612-99-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-98-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-97-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1612-92-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2224-0-0x0000000074B91000-0x0000000074B92000-memory.dmp

Filesize
4KB

Download
memory/2224-101-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2224-6-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2224-2-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-16-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-9-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2896-31-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-44-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-23-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-28-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-21-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-34-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-36-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-38-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2896-19-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-100-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2896-43-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download