Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
28-06-2024 11:41
General
-
Target
19fb9afb30fe88d256fdcb2467833578_JaffaCakes118.exe
-
Size
3.2MB
-
MD5
19fb9afb30fe88d256fdcb2467833578
-
SHA1
438d3369da71184c31b226f5bf090c8954592ff2
-
SHA256
41e8a5c7267018eeff24f122ff2227e7b7ed2e3dc22338745df631d524502c13
-
SHA512
afa881d3600598f87ca6c34f809afe2107e55791dcbf1b59a7e4fa2be093a40423729d7f5a04e1db6748f45c7c5024d9421762996fd9d31edef915032f58d3a0
-
SSDEEP
24576:oFE//Tct4bOs8JVAzWT3G82PQlIYzuJBCWDlWwy018klgFaVSNucktoZAmK+vo11:aSVn
Score
10/10
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 24 IoCs
-
Sets file to hidden 1 TTPs 48 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 24 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 24 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 24 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 23 IoCs
-
Runs ping.exe 1 TTPs 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\19fb9afb30fe88d256fdcb2467833578_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\19fb9afb30fe88d256fdcb2467833578_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Sdat.exeC:\Users\Admin\AppData\Roaming\Sdat.exe2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Sdat.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Roaming\Sdat.exe" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Roaming" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h5⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h7⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h7⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"7⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h9⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h9⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"8⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h10⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h10⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"9⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h11⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h11⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"10⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h12⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h12⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"11⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h13⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h13⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"12⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h14⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h14⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"13⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h15⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h15⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"14⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h16⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h16⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"15⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h17⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h17⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"16⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h18⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h18⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"17⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h18⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h19⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h18⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h19⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"18⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h20⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h20⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"19⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h21⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h21⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"20⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h22⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h22⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"21⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h23⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h23⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"22⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h24⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h24⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"23⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h25⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h25⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"24⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h26⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h26⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"25⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h26⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost\svchost.exe" +s +h27⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost" +s +h26⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svchost" +s +h27⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\svchost\svchost.exe"C:\Windows\system32\svchost\svchost.exe"26⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"26⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"25⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 526⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"24⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 525⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"23⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 524⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"22⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 523⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"21⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 522⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"20⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 521⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"19⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 520⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"18⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 519⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"17⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 518⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"16⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 517⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"15⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 516⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"14⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 515⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"13⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 514⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"12⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 513⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"11⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 512⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"10⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 511⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"9⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 510⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 59⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"7⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 58⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 57⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 56⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Windows\SysWOW64\svchost\svchost.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 55⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Roaming\Sdat.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 54⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Sdat.exeFilesize
747KB
MD587ce1b80fd2506e327c5d75efb1c8101
SHA158af872a21a2492b1407aae7b3e7b55ddb9083c6
SHA256fb6dcc691683d7d1d583237e5f33cd91111bbde25f546b93756299c4c734e092
SHA512fe8cb2a07e3f5d635f6c16984f2efe36917e8deb283cbbdac0174af5f5dcd2cd91b1e4d928b695bfd1feda7bf4252a378b65f77ce8a1c217adf7d8ba556c20c5
-
memory/388-85-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/444-67-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/708-81-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/932-46-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1152-71-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1512-69-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1512-65-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1652-57-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1660-61-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2272-7-0x0000000002500000-0x0000000002501000-memory.dmpFilesize
4KB
-
memory/2272-42-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2492-53-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3116-44-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3116-63-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3956-59-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4208-73-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4604-51-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4872-55-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4884-49-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4988-0-0x0000000000400000-0x00000000004BB000-memory.dmpFilesize
748KB
-
memory/4988-6-0x0000000000400000-0x00000000004BB000-memory.dmpFilesize
748KB
-
memory/5444-75-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/5524-89-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/5548-83-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/5616-87-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/5860-77-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/6116-79-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB