Analysis
-
max time kernel
148s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
28-06-2024 11:41
General
-
Target
19fb9afb30fe88d256fdcb2467833578_JaffaCakes118.exe
-
Size
3.2MB
-
MD5
19fb9afb30fe88d256fdcb2467833578
-
SHA1
438d3369da71184c31b226f5bf090c8954592ff2
-
SHA256
41e8a5c7267018eeff24f122ff2227e7b7ed2e3dc22338745df631d524502c13
-
SHA512
afa881d3600598f87ca6c34f809afe2107e55791dcbf1b59a7e4fa2be093a40423729d7f5a04e1db6748f45c7c5024d9421762996fd9d31edef915032f58d3a0
-
SSDEEP
24576:oFE//Tct4bOs8JVAzWT3G82PQlIYzuJBCWDlWwy018klgFaVSNucktoZAmK+vo11:aSVn
Score
10/10
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 24 IoCs
-
Sets file to hidden 1 TTPs 46 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 24 IoCs
-
Loads dropped DLL 48 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 24 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 46 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\19fb9afb30fe88d256fdcb2467833578_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\19fb9afb30fe88d256fdcb2467833578_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Sdat.exeC:\Users\Admin\AppData\Roaming\Sdat.exe2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Sdat.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Roaming\Sdat.exe" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Roaming" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h5⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h7⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h7⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h8⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h9⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h9⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h10⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h10⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h11⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h11⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h12⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h12⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"11⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h13⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h13⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h14⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"13⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h15⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h15⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h16⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h16⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"15⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h17⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h17⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h18⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h18⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"17⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h18⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h19⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h18⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h19⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h20⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h20⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"19⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h21⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h21⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h22⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h22⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"21⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h23⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h23⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h24⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h24⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"23⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h25⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h25⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h26⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h26⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"25⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"25⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 526⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"24⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 525⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"23⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 524⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"22⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 523⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"21⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 522⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"20⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 521⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"19⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 520⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"18⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 519⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"17⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 518⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"16⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 517⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"15⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 516⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"14⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 515⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"13⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 514⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"12⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 513⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"11⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 512⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"10⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 511⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"9⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 510⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 59⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"7⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 58⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 57⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 56⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 55⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Roaming\Sdat.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 54⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Roaming\Sdat.exeFilesize
747KB
MD587ce1b80fd2506e327c5d75efb1c8101
SHA158af872a21a2492b1407aae7b3e7b55ddb9083c6
SHA256fb6dcc691683d7d1d583237e5f33cd91111bbde25f546b93756299c4c734e092
SHA512fe8cb2a07e3f5d635f6c16984f2efe36917e8deb283cbbdac0174af5f5dcd2cd91b1e4d928b695bfd1feda7bf4252a378b65f77ce8a1c217adf7d8ba556c20c5
-
memory/636-97-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/756-81-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/824-10-0x0000000000400000-0x00000000004BB000-memory.dmpFilesize
748KB
-
memory/824-0-0x0000000000400000-0x00000000004BB000-memory.dmpFilesize
748KB
-
memory/932-99-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/988-77-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1472-91-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1540-98-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1700-51-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1740-54-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1824-92-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2108-63-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2208-86-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2224-100-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2308-24-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2308-11-0x0000000000260000-0x0000000000261000-memory.dmpFilesize
4KB
-
memory/2436-46-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2440-37-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2552-73-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2580-29-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2764-68-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2864-90-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2888-94-0x0000000077A50000-0x0000000077B6F000-memory.dmpFilesize
1.1MB
-
memory/2888-93-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2888-96-0x0000000003270000-0x00000000033CC000-memory.dmpFilesize
1.4MB
-
memory/2888-95-0x0000000077B70000-0x0000000077C6A000-memory.dmpFilesize
1000KB
-
memory/2996-34-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3036-42-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3040-59-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB