Analysis

- max time kernel: 7s
- max time network: 151s
- platform: windows10_x64
- resource: win10
- submitted: 06-07-2020 06:38

Static task: static1
Behavioral task: behavioral1
Sample: e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe
Resource: win7
General

- Target: e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe
- Size: 1.5MB
- MD5: 7cc85df763a92dfc8c4102121b931cc2
- SHA1: 334842967271d72a6d5e12c60c484fd5acb92be1
- SHA256: e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f
- SHA512: 3606a6d7d0850ba4b16b34e889b280c0a2ebf95c40e6b45cd6dec6a6103192c1d5a9819e7b9dd4dbf8dc04f034be468eda2a47ef8d745c0a4a66c4d405e07ce9
Malware Config

Extracted

- Family: darkcomet
- Botnet: Runescape
- C2: mrsnickers03.no-ip.biz:340
- Mutex: DC_MUTEX-6ZFK11A
- gencode: uNwew4gojxtu
- install: false
- offline_keylogger: true
- persistence: false
Signatures

Executes dropped EXE (3 IoCs)

Processes:
- PID 508 ichader.exe
- PID 2340 ichader.exe
- PID 2140 ichader.exe
YARA rule matches (rule: upx) on memory dumps:
- behavioral2/memory/3960-7-0x0000000000400000-0x000000000040B000-memory.dmp (upx)
- behavioral2/memory/3960-10-0x0000000000400000-0x000000000040B000-memory.dmp (upx)
- behavioral2/memory/3960-11-0x0000000000400000-0x000000000040B000-memory.dmp (upx)
- behavioral2/memory/2140-32-0x0000000000400000-0x00000000004B7000-memory.dmp (upx)
- behavioral2/memory/2140-37-0x0000000000400000-0x00000000004B7000-memory.dmp (upx)
- behavioral2/memory/2140-39-0x0000000000400000-0x00000000004B7000-memory.dmp (upx)
Adds Run key to start application (2 TTPs, 2 IoCs)

Processes:
- Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\IDM\\ichader.exe" (process: reg.exe)
Suspicious use of SetThreadContext (5 IoCs)

Processes (pid / process -> target process):
- PID 3920 e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe set thread context of PID 2968 svchost.exe
- PID 3920 e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe set thread context of PID 3960 e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe
- PID 508 ichader.exe set thread context of PID 2728 svchost.exe
- PID 508 ichader.exe set thread context of PID 2340 ichader.exe
- PID 508 ichader.exe set thread context of PID 2140 ichader.exe
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)

Processes:
- PID 2968 svchost.exe (all 64 IoCs are attributed to this one process)
Suspicious use of AdjustPrivilegeToken (25 IoCs)

Processes:
- PID 2140 ichader.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 2340 ichader.exe, tokens: SeDebugPrivilege
Suspicious use of SetWindowsHookEx (7 IoCs)

Processes:
- PID 3920 e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe
- PID 2968 svchost.exe
- PID 3960 e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe
- PID 508 ichader.exe
- PID 2728 svchost.exe
- PID 2340 ichader.exe
- PID 2140 ichader.exe
Suspicious use of WriteProcessMemory (51 IoCs)

Processes (pid / process -> target process, with the number of identical entries in the report):
- PID 3920 e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe wrote to memory of PID 2968 svchost.exe (9 entries)
- PID 3920 e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe wrote to memory of PID 3960 e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe (8 entries)
- PID 3960 e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe wrote to memory of PID 1584 cmd.exe (3 entries)
- PID 1584 cmd.exe wrote to memory of PID 3212 reg.exe (3 entries)
- PID 3960 e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe wrote to memory of PID 508 ichader.exe (3 entries)
- PID 508 ichader.exe wrote to memory of PID 2728 svchost.exe (9 entries)
- PID 508 ichader.exe wrote to memory of PID 2340 ichader.exe (8 entries)
- PID 508 ichader.exe wrote to memory of PID 2140 ichader.exe (8 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe"
  PID: 3920
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\system32\svchost.exe"
    PID: 2968
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e03f222360351f9333ff0270a3fed39e1b6416328d13a9846b732af2bbf8c39f.exe"
    PID: 3960
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKYXJ.bat" "
      PID: 1584
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe" /f
        PID: 3212
        - Adds Run key to start application

    C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      Command line: "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
      PID: 508
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\svchost.exe
        Command line: "C:\Windows\system32\svchost.exe"
        PID: 2728
        - Suspicious use of SetWindowsHookEx

      C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
        Command line: "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
        PID: 2340
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

      C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
        Command line: "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
        PID: 2140
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\FKYXJ.bat
  MD5: 92353035f01403e26aa2ff51c3963238
  SHA1: d13f167c73bfce23a2deab8ce7c4ce9f78759ff4
  SHA256: 2e72a8542f8f809bfb1e4adfb481c7c5e6dc00dda7970c74692ba8d83ea0a870
  SHA512: 74560e33477caae3c7bc13914e4ae3c6911bbcfe257b2833155c236a158db0aca17478beb9d97f648ff1ea566005260f511361771c74203195107f4e82cce7df

C:\Users\Admin\AppData\Roaming\IDM\ichader.exe (listed four times in the report, each time with identical hashes)
  MD5: bbf3d508766055abd8692a8538eecdf8
  SHA1: b608ad6ef2fae009244a33d3c94f361e7ed1e178
  SHA256: 23de5c23def9b0a4ccdce06d90d430ce04db47d969573fddc4f6f62a960cdde2
  SHA512: 340871db15f1c2df0b5aa5280c14d9f3fba356ccacb8ddaf8003608fb26012945ba0381dcbd21232699feb71d7784dc5f1f3a62b1d9ec9c33d61f9157f026920
Memory dumps (file, size where given):
- memory/508-17-0x0000000000000000-mapping.dmp
- memory/1584-14-0x0000000000000000-mapping.dmp
- memory/2140-39-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
- memory/2140-37-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
- memory/2140-34-0x00000000004B5210-mapping.dmp
- memory/2140-32-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
- memory/2340-28-0x00000000004085D0-mapping.dmp
- memory/2728-22-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
- memory/2728-23-0x000000000040B000-mapping.dmp
- memory/2728-24-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
- memory/2968-3-0x000000000040B000-mapping.dmp
- memory/2968-4-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
- memory/2968-2-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
- memory/2968-5-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
- memory/3212-16-0x0000000000000000-mapping.dmp
- memory/3960-7-0x0000000000400000-0x000000000040B000-memory.dmp (44KB)
- memory/3960-11-0x0000000000400000-0x000000000040B000-memory.dmp (44KB)
- memory/3960-10-0x0000000000400000-0x000000000040B000-memory.dmp (44KB)
- memory/3960-8-0x00000000004085D0-mapping.dmp