darkcomet | 7b81f22a76c83b176e760f6957f6e86019660656ea94a73f880b4085bcfc7957

Analysis

max time kernel
150s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x0007000000019273-20.exe
Size

658KB
MD5

3178fcad2d2c2f3c0f4f70aecfb18db7
SHA1

0ecad6522214f9bef4dd8f2f8eb927827bc4971c
SHA256

dd8650f0e484ba0ea4775ccce3a9644bba747ee92f1b534628525c7ceedc69f9
SHA512

57148c860850344b1086c8765c083862d57d99119914e218aca4c8e80dc9cbe48d206b6aefaea9ad5cda58a459ff5888f1bc82f6fabacd2aa81f52818cef4985
SSDEEP

12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hV:KZ1xuVVjfFoynPaVBUR8f+kN10EBP

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

127.0.0.1:1604

Mutex

DC_MUTEX-7X99PTF

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
DNgeskLTppzX
install
true
offline_keylogger
true
persistence
true
reg_key
System32.dll

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	0x0007000000019273-20.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3508	attrib.exe
2180	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	0x0007000000019273-20.exe

Deletes itself 1 IoCs

pid	Process
1424	notepad.exe

Executes dropped EXE 17 IoCs

pid	Process
2140	msdcsc.exe
224	msdcsc.exe
1516	msdcsc.exe
2676	msdcsc.exe
1688	msdcsc.exe
3224	msdcsc.exe
4012	msdcsc.exe
4892	msdcsc.exe
5188	msdcsc.exe
2012	msdcsc.exe
5004	msdcsc.exe
1136	msdcsc.exe
2672	msdcsc.exe
2876	msdcsc.exe
5196	msdcsc.exe
2564	msdcsc.exe
3672	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32.dll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	0x0007000000019273-20.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32.dll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0x0007000000019273-20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0x0007000000019273-20.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2656	EXCEL.EXE
2680	WINWORD.EXE
2680	WINWORD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2140	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4928	0x0007000000019273-20.exe
Token: SeSecurityPrivilege	4928	0x0007000000019273-20.exe
Token: SeTakeOwnershipPrivilege	4928	0x0007000000019273-20.exe
Token: SeLoadDriverPrivilege	4928	0x0007000000019273-20.exe
Token: SeSystemProfilePrivilege	4928	0x0007000000019273-20.exe
Token: SeSystemtimePrivilege	4928	0x0007000000019273-20.exe
Token: SeProfSingleProcessPrivilege	4928	0x0007000000019273-20.exe
Token: SeIncBasePriorityPrivilege	4928	0x0007000000019273-20.exe
Token: SeCreatePagefilePrivilege	4928	0x0007000000019273-20.exe
Token: SeBackupPrivilege	4928	0x0007000000019273-20.exe
Token: SeRestorePrivilege	4928	0x0007000000019273-20.exe
Token: SeShutdownPrivilege	4928	0x0007000000019273-20.exe
Token: SeDebugPrivilege	4928	0x0007000000019273-20.exe
Token: SeSystemEnvironmentPrivilege	4928	0x0007000000019273-20.exe
Token: SeChangeNotifyPrivilege	4928	0x0007000000019273-20.exe
Token: SeRemoteShutdownPrivilege	4928	0x0007000000019273-20.exe
Token: SeUndockPrivilege	4928	0x0007000000019273-20.exe
Token: SeManageVolumePrivilege	4928	0x0007000000019273-20.exe
Token: SeImpersonatePrivilege	4928	0x0007000000019273-20.exe
Token: SeCreateGlobalPrivilege	4928	0x0007000000019273-20.exe
Token: 33	4928	0x0007000000019273-20.exe
Token: 34	4928	0x0007000000019273-20.exe
Token: 35	4928	0x0007000000019273-20.exe
Token: 36	4928	0x0007000000019273-20.exe
Token: SeIncreaseQuotaPrivilege	2140	msdcsc.exe
Token: SeSecurityPrivilege	2140	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2140	msdcsc.exe
Token: SeLoadDriverPrivilege	2140	msdcsc.exe
Token: SeSystemProfilePrivilege	2140	msdcsc.exe
Token: SeSystemtimePrivilege	2140	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2140	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2140	msdcsc.exe
Token: SeCreatePagefilePrivilege	2140	msdcsc.exe
Token: SeBackupPrivilege	2140	msdcsc.exe
Token: SeRestorePrivilege	2140	msdcsc.exe
Token: SeShutdownPrivilege	2140	msdcsc.exe
Token: SeDebugPrivilege	2140	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2140	msdcsc.exe
Token: SeChangeNotifyPrivilege	2140	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2140	msdcsc.exe
Token: SeUndockPrivilege	2140	msdcsc.exe
Token: SeManageVolumePrivilege	2140	msdcsc.exe
Token: SeImpersonatePrivilege	2140	msdcsc.exe
Token: SeCreateGlobalPrivilege	2140	msdcsc.exe
Token: 33	2140	msdcsc.exe
Token: 34	2140	msdcsc.exe
Token: 35	2140	msdcsc.exe
Token: 36	2140	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	224	msdcsc.exe
Token: SeSecurityPrivilege	224	msdcsc.exe
Token: SeTakeOwnershipPrivilege	224	msdcsc.exe
Token: SeLoadDriverPrivilege	224	msdcsc.exe
Token: SeSystemProfilePrivilege	224	msdcsc.exe
Token: SeSystemtimePrivilege	224	msdcsc.exe
Token: SeProfSingleProcessPrivilege	224	msdcsc.exe
Token: SeIncBasePriorityPrivilege	224	msdcsc.exe
Token: SeCreatePagefilePrivilege	224	msdcsc.exe
Token: SeBackupPrivilege	224	msdcsc.exe
Token: SeRestorePrivilege	224	msdcsc.exe
Token: SeShutdownPrivilege	224	msdcsc.exe
Token: SeDebugPrivilege	224	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	224	msdcsc.exe
Token: SeChangeNotifyPrivilege	224	msdcsc.exe
Token: SeRemoteShutdownPrivilege	224	msdcsc.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2140	msdcsc.exe
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE
2656	EXCEL.EXE
2680	WINWORD.EXE
2680	WINWORD.EXE
2680	WINWORD.EXE
2680	WINWORD.EXE
2680	WINWORD.EXE
2680	WINWORD.EXE
2680	WINWORD.EXE
2680	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3284 wrote to memory of 2140	3284	cmd.exe	87
PID 3284 wrote to memory of 2140	3284	cmd.exe	87
PID 3284 wrote to memory of 2140	3284	cmd.exe	87
PID 4928 wrote to memory of 1596	4928	0x0007000000019273-20.exe	89
PID 4928 wrote to memory of 1596	4928	0x0007000000019273-20.exe	89
PID 4928 wrote to memory of 1596	4928	0x0007000000019273-20.exe	89
PID 4928 wrote to memory of 5820	4928	0x0007000000019273-20.exe	91
PID 4928 wrote to memory of 5820	4928	0x0007000000019273-20.exe	91
PID 4928 wrote to memory of 5820	4928	0x0007000000019273-20.exe	91
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 4928 wrote to memory of 1424	4928	0x0007000000019273-20.exe	93
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 4928 wrote to memory of 1424	4928	0x0007000000019273-20.exe	93
PID 4928 wrote to memory of 1424	4928	0x0007000000019273-20.exe	93
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 4928 wrote to memory of 1424	4928	0x0007000000019273-20.exe	93
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 4928 wrote to memory of 1424	4928	0x0007000000019273-20.exe	93
PID 4928 wrote to memory of 1424	4928	0x0007000000019273-20.exe	93
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 4928 wrote to memory of 1424	4928	0x0007000000019273-20.exe	93
PID 4928 wrote to memory of 1424	4928	0x0007000000019273-20.exe	93
PID 4928 wrote to memory of 1424	4928	0x0007000000019273-20.exe	93
PID 4928 wrote to memory of 1424	4928	0x0007000000019273-20.exe	93
PID 4928 wrote to memory of 1424	4928	0x0007000000019273-20.exe	93
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 4928 wrote to memory of 1424	4928	0x0007000000019273-20.exe	93
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 4928 wrote to memory of 1424	4928	0x0007000000019273-20.exe	93
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 4928 wrote to memory of 1424	4928	0x0007000000019273-20.exe	93
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 4928 wrote to memory of 1424	4928	0x0007000000019273-20.exe	93
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 4928 wrote to memory of 1424	4928	0x0007000000019273-20.exe	93
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 4928 wrote to memory of 1424	4928	0x0007000000019273-20.exe	93
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 2140 wrote to memory of 5808	2140	msdcsc.exe	92
PID 1596 wrote to memory of 2180	1596	cmd.exe	97
PID 1596 wrote to memory of 2180	1596	cmd.exe	97
PID 1596 wrote to memory of 2180	1596	cmd.exe	97
PID 1788 wrote to memory of 224	1788	cmd.exe	98
PID 1788 wrote to memory of 224	1788	cmd.exe	98
PID 1788 wrote to memory of 224	1788	cmd.exe	98
PID 5820 wrote to memory of 3508	5820	cmd.exe	99
PID 5820 wrote to memory of 3508	5820	cmd.exe	99
PID 5820 wrote to memory of 3508	5820	cmd.exe	99
PID 4928 wrote to memory of 1516	4928	0x0007000000019273-20.exe	100
PID 4928 wrote to memory of 1516	4928	0x0007000000019273-20.exe	100
PID 4928 wrote to memory of 1516	4928	0x0007000000019273-20.exe	100
PID 4764 wrote to memory of 2676	4764	cmd.exe	108
PID 4764 wrote to memory of 2676	4764	cmd.exe	108
PID 4764 wrote to memory of 2676	4764	cmd.exe	108
PID 2820 wrote to memory of 1688	2820	cmd.exe	114

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2180	attrib.exe
3508	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0x0007000000019273-20.exe
"C:\Users\Admin\AppData\Local\Temp\0x0007000000019273-20.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\0x0007000000019273-20.exe" +s +h
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\0x0007000000019273-20.exe" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2180
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5820
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3508
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1424
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2676

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\RemoveConvertFrom.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:4904
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:5236
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4012

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\ReadTrace.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:6104
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:2348
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:1712
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:4444
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:1616
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:2056
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:648
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:5476
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
1⤵
PID:3100
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3672

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E4DA83DD-3BD0-4AD5-AD99-F9A9CD1B6B97

Filesize
178KB

MD5
2ebcab07b0ce5fac2f14a3f8f258b4ca

SHA1
0c8cde0e9f52da284055469727382b4d0c70cee5

SHA256
2d44ba2991907a83af4a90c210af56857dd66069d68388790a55a0a60e949f13

SHA512
d86e344feb43166835ecd0aa38a572635a86a52efd43744d20249a18df19b0c7be72656f378d2892bd3f2acb6cdff64fcffe09f5b9a267308b6fc67e329611d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
12KB

MD5
d5dac67b6cb4a11907b12b307086a787

SHA1
c1322cea1c012f71e8fc407afa1d7ba4fd5d8de3

SHA256
9f178c1bc9b077581d03219e8574ad8240a17901100292fccdf289c6b2fa752b

SHA512
6b0262cf445b92eb80b2ec5307b6cd6a0d4dad53026a499ee76c01eba29eb9e16c63539ca20d9c0b14151cfc83d5a0869852fcc81cd5f20415f49e77c4b210b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
14a78c67c03afe1a6abafc858aaa690a

SHA1
8742d3ee869a65ab1a716c3a4a230b40541c8e82

SHA256
5d7b50cbbdbe110d4395075cc9bc8a28f90c7092539a5c863e75555f0d1d860a

SHA512
65df678e08c7b0d114c1cdff27e93df40d20c4c4b4330afc3c8ac24fffb1de9025688d0e534001fab238ae41c69bf14e966dc4c81eaa095047f7129a2ecccec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
ab2807a61ab1033aa192b13aa6f6af1c

SHA1
636f3910f45ec5f1c8689bc35f125d984e91b30f

SHA256
33da4754577d84c2d223db37d03b09c5db3f92cf0435e26c964e1d3650878549

SHA512
a6975b19a539afe5766cb73b9b1a6a0a1da03cf00e7a7b4d4d0d444578d2af7512a4a11c3cfca7d312bda600551f136e1bb2155b46913d6264511eadebe9d2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

Filesize
658KB

MD5
3178fcad2d2c2f3c0f4f70aecfb18db7

SHA1
0ecad6522214f9bef4dd8f2f8eb927827bc4971c

SHA256
dd8650f0e484ba0ea4775ccce3a9644bba747ee92f1b534628525c7ceedc69f9

SHA512
57148c860850344b1086c8765c083862d57d99119914e218aca4c8e80dc9cbe48d206b6aefaea9ad5cda58a459ff5888f1bc82f6fabacd2aa81f52818cef4985

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9000.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
382B

MD5
3d5f0645c4bee8544cb3ed1654fa2479

SHA1
ff25d49dc73af20b997e2d4b7afba10510d7588f

SHA256
aae6e5857c2000f7e72b1acda39761aae811143ac60d3dde2c6bb0abbf5dc285

SHA512
da82a26a794d539ac7c3ec84cc964ce6265923217547ea05d561eb05f86b240fa253fe3eb18a34d8f16315760146673aa26f7ce51581cf57fe4ed94e270d66fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
383B

MD5
e56ccdcf48052f22b8dbe8f522dad643

SHA1
48987a7eb5a14e47a0dc5879b5f4aa0bf99f1f99

SHA256
e68bc54ccab039a73f250501fb1c5bb1c8881be0611cff133676f1589c00fa3d

SHA512
421cb53b4dad05f99af60b7e1c4424e023e2e6d9283eb59fd8be0c3340df3293a28216dd8fe9ca6f17e56075ab850a075907594a324f73b8e5cf6f46b7bd483b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
64f91aea5786c8dbd24a96fc2d10e3dc

SHA1
b450b51e0538b7e9f90323aae003ee537838c657

SHA256
899f4884bdd8376b935b06916c47752840f85910984a16efedc9938f9bf18cf0

SHA512
a68e04105bf54a1af6c401486214a76e525b991f768f867e5f33d904c7847adddbf33b00fa714312e47ccd80f8cd40581be340eb47496faa76cb248af4435e5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
03d7e395ee8cac8a50be4aa79d87386e

SHA1
38823d11b6b97836cc3ae88d0563791c7ced18ea

SHA256
c77fbdd4dd801833da615e05988da312a4c9d5b83aeedf2f0f647f4d04c2d45a

SHA512
c33085605156d39f37768f83bb748aaaaecf86b18be66f46618ceb033478fa07f86e1a089d6a7a2f66d7960855d96d353898ae08769fb0bb022f371ea279f0ed

Download Submit
memory/224-10-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1136-243-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1424-7-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1516-12-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1688-26-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2012-237-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2140-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2140-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2140-16-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2140-100-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2140-6-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2140-27-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2564-260-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2656-20-0x00007FFCF11F0000-0x00007FFCF1200000-memory.dmp

Filesize
64KB

Download
memory/2656-22-0x00007FFCF11F0000-0x00007FFCF1200000-memory.dmp

Filesize
64KB

Download
memory/2656-60-0x00007FFCF11F0000-0x00007FFCF1200000-memory.dmp

Filesize
64KB

Download
memory/2656-25-0x00007FFCEEBC0000-0x00007FFCEEBD0000-memory.dmp

Filesize
64KB

Download
memory/2656-59-0x00007FFCF11F0000-0x00007FFCF1200000-memory.dmp

Filesize
64KB

Download
memory/2656-58-0x00007FFCF11F0000-0x00007FFCF1200000-memory.dmp

Filesize
64KB

Download
memory/2656-18-0x00007FFCF11F0000-0x00007FFCF1200000-memory.dmp

Filesize
64KB

Download
memory/2656-61-0x00007FFCF11F0000-0x00007FFCF1200000-memory.dmp

Filesize
64KB

Download
memory/2656-19-0x00007FFCF11F0000-0x00007FFCF1200000-memory.dmp

Filesize
64KB

Download
memory/2656-21-0x00007FFCF11F0000-0x00007FFCF1200000-memory.dmp

Filesize
64KB

Download
memory/2656-23-0x00007FFCEEBC0000-0x00007FFCEEBD0000-memory.dmp

Filesize
64KB

Download
memory/2672-247-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2676-17-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2680-74-0x00007FFCEEBC0000-0x00007FFCEEBD0000-memory.dmp

Filesize
64KB

Download
memory/2680-73-0x00007FFCEEBC0000-0x00007FFCEEBD0000-memory.dmp

Filesize
64KB

Download
memory/2680-72-0x00007FFCF11F0000-0x00007FFCF1200000-memory.dmp

Filesize
64KB

Download
memory/2680-71-0x00007FFCF11F0000-0x00007FFCF1200000-memory.dmp

Filesize
64KB

Download
memory/2680-70-0x00007FFCF11F0000-0x00007FFCF1200000-memory.dmp

Filesize
64KB

Download
memory/2680-69-0x00007FFCF11F0000-0x00007FFCF1200000-memory.dmp

Filesize
64KB

Download
memory/2680-68-0x00007FFCF11F0000-0x00007FFCF1200000-memory.dmp

Filesize
64KB

Download
memory/2876-252-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3224-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3672-263-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4012-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4892-99-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4928-0-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/4928-13-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5004-240-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5188-117-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5196-257-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5808-8-0x0000000001380000-0x0000000001381000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads