Analysis
- max time kernel: 153s
- max time network: 36s
- platform: windows7_x64
- resource: win7v200430
- submitted: 06-07-2020 06:47
Static task: static1
Behavioral task: behavioral1
- Sample: b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b.exe
- Resource: win10v200430
General
- Target: b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b.exe
- Size: 476KB
- MD5: b0196d39c93d411d1c26d053464e9063
- SHA1: 9468b91d627458e62cafdc4319fa673a5140f93c
- SHA256: b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b
- SHA512: fa49fdc90c924c2078ee210a6dc6b5c139462f8b76b94a7a998a73200a0c618d92f921dea6b7574ffcd0a583c01166deebb7acf474fd33de76cfa758e7aeeb29
Malware Config
Extracted (family: darkcomet)
- C2: darkanony0501.no-ip.biz:1604
- Mutex: DC_MUTEX-RUSU0K2
- gencode: Jv5i6qhD7WCB
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 1056 csrss.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 1520 b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b.exe (listed 2 times)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Process csrss.exe:
  - Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe"
  - Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 1056 csrss.exe set thread context of PID 1172 cvtres.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: PID 1520 b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b.exe (listed 1 time); PID 1056 csrss.exe (listed 13 times)
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  - PID 1520 b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b.exe: Token: SeDebugPrivilege
  - PID 1056 csrss.exe: Token: SeDebugPrivilege
  - PID 1172 cvtres.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 1172 cvtres.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  - PID 1520 b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b.exe wrote to memory of PID 1056 csrss.exe (listed 4 times)
  - PID 1056 csrss.exe wrote to memory of PID 1172 cvtres.exe (listed 13 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b.exe"
  PID: 1520
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\csrss.exe (child of PID 1520)
    Command line: "C:\Users\Admin\AppData\Roaming\csrss.exe"
    PID: 1056
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (child of PID 1056)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      PID: 1172
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\csrss.exe
  MD5: b0196d39c93d411d1c26d053464e9063
  SHA1: 9468b91d627458e62cafdc4319fa673a5140f93c
  SHA256: b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b
  SHA512: fa49fdc90c924c2078ee210a6dc6b5c139462f8b76b94a7a998a73200a0c618d92f921dea6b7574ffcd0a583c01166deebb7acf474fd33de76cfa758e7aeeb29
- \Users\Admin\AppData\Roaming\csrss.exe
  MD5: b0196d39c93d411d1c26d053464e9063
  SHA1: 9468b91d627458e62cafdc4319fa673a5140f93c
  SHA256: b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b
  SHA512: fa49fdc90c924c2078ee210a6dc6b5c139462f8b76b94a7a998a73200a0c618d92f921dea6b7574ffcd0a583c01166deebb7acf474fd33de76cfa758e7aeeb29
- memory/1056-2-0x0000000000000000-mapping.dmp
- memory/1172-5-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1172-6-0x000000000048F888-mapping.dmp
- memory/1172-7-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)