Analysis
-
max time kernel
147s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
02-07-2024 12:11
General
-
Target
Facebook Account Hacker.exe
-
Size
1002KB
-
MD5
810ee30f3831206f115a9de523d553ea
-
SHA1
cce8aa42fff602345db5baa6b20bf663481ccb07
-
SHA256
16af77f601bb55b12c0d4f4ec36c600fa651bb3c085b6342bd93437d287024d1
-
SHA512
ec00695ba3aacb276b7a4f12f116e171f978363f5fc4f9c7f6a00ecfa8d4f61fa198f747ba0d107155b7992366655af78c7a00d034845d03a87b477ef7c2f305
-
SSDEEP
24576:M3nbWmJVJFwSddIXvfhqbiaxvRxq9ULjpc:yamdZdcBYtPpc
Score
10/10
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 24 IoCs
-
Sets file to hidden 1 TTPs 46 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 46 IoCs
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 24 IoCs
-
Drops file in System32 directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 46 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Facebook Account Hacker.exe"C:\Users\Admin\AppData\Local\Temp\Facebook Account Hacker.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h5⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h5⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h7⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h7⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h8⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h8⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h9⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h9⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h10⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h10⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h11⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h11⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h12⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h12⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"11⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"11⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h13⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h13⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"12⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h14⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"13⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h15⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h15⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"14⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h16⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h16⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"15⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"15⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h17⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h17⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"16⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h18⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h18⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"17⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"17⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "18⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h19⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "18⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h19⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"18⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h20⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h20⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"19⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"19⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h21⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h21⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"20⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h22⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h22⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"21⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"21⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h23⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h23⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"22⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h24⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h24⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"23⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"23⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h25⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "24⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h25⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXE"24⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\FACEBOOK HACK BY ANONYMOUS.EXEFilesize
180KB
MD57d8c2af7a794c92ab5f99c39b3ea412b
SHA194fde30b423cadcf2459410e10227545f370bfc1
SHA256cc166ff5aa7a0a1aaf0463139d1a8bd069707a1ec43f9680155219a4786ce333
SHA51289d96f9edaff9ce5b950398ebf467096cbfd9a704d640cb3b1d97aedcf1786790fde928d5e86a514167be5135e06c29bdd0a2697da9de6040410d13e0da1223a
-
C:\Users\Admin\AppData\Local\Temp\tmpcmd.batFilesize
78B
MD59f9fce0aaa63f0ad4003dc6f5cde1f59
SHA15d9df8d4cffc9575c297008b36a91b0160182f7d
SHA2565dd4c0d6fcd6b71f214641d6e7f0b9cd81c87fdf9dad47ee499a277699e7be72
SHA5128569281415a0c5c0ad1a7ceaf2261c6846249f3c8f76d9e2d498ab174fc6a9f7236d7437b76993495f1b398cfff8729775e88021450b4d3bacd4ca49ff9c241e
-
C:\Users\Admin\AppData\Local\Temp\tmpcmd.batFilesize
50B
MD5b774ae3fb1da087e1f83b4f7b2060e5a
SHA197eb9be49ac3af9c851c9e1e84e32bfd53e325a8
SHA256adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b
SHA512f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701
-
C:\Users\Admin\AppData\Local\Temp\tmpcmd.batFilesize
54B
MD5b960305e23cbfd65106f326e54e2edfd
SHA1522c5e95a4306797b3e71bbe62158087f779ee7a
SHA256c31911cf00619f811195612355d7c762cd7e65d7d06756f62815b029cda65855
SHA512294181df282b6901de3e2743a6986637303f7bc63555ad171c07f6457d2895907aeae800eb7f948ac6380ba87e76423eb150792d05754aa6152c9d9921edc024
-
C:\Users\Admin\AppData\Local\Temp\tmpcmd.batFilesize
43B
MD554552c311a8c2081eefdad310b19b5db
SHA1718edabb22a5b5481815682eb1b3cd17c316c1dc
SHA256233765af9f5b64cdcae82b709e94f3d26d9486c90e3074a79ebeb915e386bfea
SHA512dc004dfaacba0417a6e631099c46ca99a832000286baabfa035a176e5b99fdd78f61c97a37d7d1b8e29711b657bc5df4bc601a28c431c38b2395347858cd4f02
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Windows\SysWOW64\MSDCSC\msdcsc.exeFilesize
1002KB
MD5810ee30f3831206f115a9de523d553ea
SHA1cce8aa42fff602345db5baa6b20bf663481ccb07
SHA25616af77f601bb55b12c0d4f4ec36c600fa651bb3c085b6342bd93437d287024d1
SHA512ec00695ba3aacb276b7a4f12f116e171f978363f5fc4f9c7f6a00ecfa8d4f61fa198f747ba0d107155b7992366655af78c7a00d034845d03a87b477ef7c2f305
-
memory/352-87-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/748-274-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/876-478-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/1256-112-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/1492-38-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/1492-0-0x0000000000260000-0x0000000000261000-memory.dmpFilesize
4KB
-
memory/1608-458-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/1656-234-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/1708-382-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/1852-161-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/2076-256-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/2100-328-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/2156-292-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/2164-186-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/2164-496-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/2248-346-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/2284-438-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/2304-364-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/2488-210-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/2572-400-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/2624-63-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/2668-420-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/2700-29-0x00000000001E0000-0x0000000000214000-memory.dmpFilesize
208KB
-
memory/2740-310-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/2996-137-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB