Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10v200430
- submitted: 06-07-2020 06:47
Static task: static1
Behavioral task: behavioral1
- Sample: b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b.exe
- Resource: win10v200430
General
- Target: b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b.exe
- Size: 476KB
- MD5: b0196d39c93d411d1c26d053464e9063
- SHA1: 9468b91d627458e62cafdc4319fa673a5140f93c
- SHA256: b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b
- SHA512: fa49fdc90c924c2078ee210a6dc6b5c139462f8b76b94a7a998a73200a0c618d92f921dea6b7574ffcd0a583c01166deebb7acf474fd33de76cfa758e7aeeb29
Malware Config
Extracted
- Family: darkcomet
- Botnet / campaign ID: �킽����
- C2: darkanony0501.no-ip.biz:1604
- Mutex: DC_MUTEX-RUSU0K2
- gencode: Jv5i6qhD7WCB
- install: false
- offline_keylogger: true
- persistence: false
Signatures

- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 1784 csrss.exe

- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description, ioc, process):
  - Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | csrss.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe" | csrss.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | csrss.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe" | csrss.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  - PID 1784 set thread context of 1696 | 1784 | csrss.exe | cvtres.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid, process):
  - 1616 b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b.exe
  - 1784 csrss.exe (13 entries)

- Suspicious use of AdjustPrivilegeToken (26 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege | 1616 | b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b.exe
  - Token: SeDebugPrivilege | 1784 | csrss.exe
  - Token: SeIncreaseQuotaPrivilege | 1696 | cvtres.exe
  - Token: SeSecurityPrivilege | 1696 | cvtres.exe
  - Token: SeTakeOwnershipPrivilege | 1696 | cvtres.exe
  - Token: SeLoadDriverPrivilege | 1696 | cvtres.exe
  - Token: SeSystemProfilePrivilege | 1696 | cvtres.exe
  - Token: SeSystemtimePrivilege | 1696 | cvtres.exe
  - Token: SeProfSingleProcessPrivilege | 1696 | cvtres.exe
  - Token: SeIncBasePriorityPrivilege | 1696 | cvtres.exe
  - Token: SeCreatePagefilePrivilege | 1696 | cvtres.exe
  - Token: SeBackupPrivilege | 1696 | cvtres.exe
  - Token: SeRestorePrivilege | 1696 | cvtres.exe
  - Token: SeShutdownPrivilege | 1696 | cvtres.exe
  - Token: SeDebugPrivilege | 1696 | cvtres.exe
  - Token: SeSystemEnvironmentPrivilege | 1696 | cvtres.exe
  - Token: SeChangeNotifyPrivilege | 1696 | cvtres.exe
  - Token: SeRemoteShutdownPrivilege | 1696 | cvtres.exe
  - Token: SeUndockPrivilege | 1696 | cvtres.exe
  - Token: SeManageVolumePrivilege | 1696 | cvtres.exe
  - Token: SeImpersonatePrivilege | 1696 | cvtres.exe
  - Token: SeCreateGlobalPrivilege | 1696 | cvtres.exe
  - Token: 33 | 1696 | cvtres.exe
  - Token: 34 | 1696 | cvtres.exe
  - Token: 35 | 1696 | cvtres.exe
  - Token: 36 | 1696 | cvtres.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  - 1696 cvtres.exe

- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description, pid, process, target process):
  - PID 1616 wrote to memory of 1784 | 1616 | b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b.exe | csrss.exe (3 entries)
  - PID 1784 wrote to memory of 1696 | 1784 | csrss.exe | cvtres.exe (14 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\csrss.exe
    Command line: "C:\Users\Admin\AppData\Roaming\csrss.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\csrss.exe
  MD5: b0196d39c93d411d1c26d053464e9063
  SHA1: 9468b91d627458e62cafdc4319fa673a5140f93c
  SHA256: b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b
  SHA512: fa49fdc90c924c2078ee210a6dc6b5c139462f8b76b94a7a998a73200a0c618d92f921dea6b7574ffcd0a583c01166deebb7acf474fd33de76cfa758e7aeeb29
- memory/1696-3-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
- memory/1696-4-0x000000000048F888-mapping.dmp
- memory/1696-5-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
- memory/1784-0-0x0000000000000000-mapping.dmp