Analysis
- max time kernel: 151s
- max time network: 20s
- platform: windows7_x64
- resource: win7v200430
- submitted: 06-07-2020 06:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe
- Resource: win7v200430
General
- Target: dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe
- Size: 975KB
- MD5: 599d467764f284582ec10a55362a9ae7
- SHA1: 6b2ad378d36c7f17183a5a4f9d660ff580e4cd8e
- SHA256: dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b
- SHA512: b60fcd50148e119a18711dda0b233b8dca9168d908ab4bbdb21bf2de5a2ec5f5629ed0210314725cf1f43fcb960b151899a45acb8e95f63cb40daf0d06fc3b42
Malware Config
Extracted: darkcomet
- IMAGESZ
- manymoney-70.no-ip.org:82
- DC_MUTEX-9MB7QNH
- gencode: xUDwyyxhTSgj
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  1412 | detect.exe
  328 | detect.exe
- Drops startup file (1 IoCs)
  Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ID Detector.vbs | dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
  1356 | dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 1412 set thread context of 328 | 1412 | detect.exe | detect.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid | process):
  1412 | detect.exe
  1412 | detect.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes (description | pid | process): every entry is pid 328 detect.exe; tokens adjusted:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
  328 | detect.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  PID 1356 wrote to memory of 1412 | 1356 | dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe | detect.exe (4 entries)
  PID 1412 wrote to memory of 328 | 1412 | detect.exe | detect.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1356
  - C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe (level 2, child of PID 1356)
    Command line: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 1412
    - C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe (level 3, child of PID 1412)
      Command line: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 328
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
  MD5: 599d467764f284582ec10a55362a9ae7
  SHA1: 6b2ad378d36c7f17183a5a4f9d660ff580e4cd8e
  SHA256: dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b
  SHA512: b60fcd50148e119a18711dda0b233b8dca9168d908ab4bbdb21bf2de5a2ec5f5629ed0210314725cf1f43fcb960b151899a45acb8e95f63cb40daf0d06fc3b42
- memory/328-3-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/328-4-0x000000000048F888-mapping.dmp
- memory/328-6-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1412-1-0x0000000000000000-mapping.dmp