Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10v200430
- submitted: 06-07-2020 06:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe
- Resource: win7v200430
General
- Target: dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe
- Size: 975KB
- MD5: 599d467764f284582ec10a55362a9ae7
- SHA1: 6b2ad378d36c7f17183a5a4f9d660ff580e4cd8e
- SHA256: dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b
- SHA512: b60fcd50148e119a18711dda0b233b8dca9168d908ab4bbdb21bf2de5a2ec5f5629ed0210314725cf1f43fcb960b151899a45acb8e95f63cb40daf0d06fc3b42
Malware Config
Extracted
- darkcomet
- IMAGESZ
- manymoney-70.no-ip.org:82
- DC_MUTEX-9MB7QNH
- gencode: xUDwyyxhTSgj
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  pid  | process
  3716 | detect.exe
  2708 | detect.exe
- Drops startup file (1 IoC)
  Processes:
  description  | ioc                                                                                        | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ID Detector.vbs | dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          | pid  | process    | target process
  PID 3716 set thread context of 2708  | 3716 | detect.exe | detect.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
  pid  | process
  3716 | detect.exe
  3716 | detect.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes:
  description                          | pid  | process
  Token: SeIncreaseQuotaPrivilege      | 2708 | detect.exe
  Token: SeSecurityPrivilege           | 2708 | detect.exe
  Token: SeTakeOwnershipPrivilege      | 2708 | detect.exe
  Token: SeLoadDriverPrivilege         | 2708 | detect.exe
  Token: SeSystemProfilePrivilege      | 2708 | detect.exe
  Token: SeSystemtimePrivilege         | 2708 | detect.exe
  Token: SeProfSingleProcessPrivilege  | 2708 | detect.exe
  Token: SeIncBasePriorityPrivilege    | 2708 | detect.exe
  Token: SeCreatePagefilePrivilege     | 2708 | detect.exe
  Token: SeBackupPrivilege             | 2708 | detect.exe
  Token: SeRestorePrivilege            | 2708 | detect.exe
  Token: SeShutdownPrivilege           | 2708 | detect.exe
  Token: SeDebugPrivilege              | 2708 | detect.exe
  Token: SeSystemEnvironmentPrivilege  | 2708 | detect.exe
  Token: SeChangeNotifyPrivilege       | 2708 | detect.exe
  Token: SeRemoteShutdownPrivilege     | 2708 | detect.exe
  Token: SeUndockPrivilege             | 2708 | detect.exe
  Token: SeManageVolumePrivilege       | 2708 | detect.exe
  Token: SeImpersonatePrivilege        | 2708 | detect.exe
  Token: SeCreateGlobalPrivilege       | 2708 | detect.exe
  Token: 33                            | 2708 | detect.exe
  Token: 34                            | 2708 | detect.exe
  Token: 35                            | 2708 | detect.exe
  Token: 36                            | 2708 | detect.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid  | process
  2708 | detect.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                        | pid  | process                                                              | target process
  PID 1616 wrote to memory of 3716   | 1616 | dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe | detect.exe
  PID 1616 wrote to memory of 3716   | 1616 | dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe | detect.exe
  PID 1616 wrote to memory of 3716   | 1616 | dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe | detect.exe
  PID 3716 wrote to memory of 2708   | 3716 | detect.exe                                                           | detect.exe
  PID 3716 wrote to memory of 2708   | 3716 | detect.exe                                                           | detect.exe
  PID 3716 wrote to memory of 2708   | 3716 | detect.exe                                                           | detect.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe (PID 1616)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe"
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe (PID 3716)
    Command line: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - Child: C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe (PID 2708)
      Command line: "C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
  MD5: 599d467764f284582ec10a55362a9ae7
  SHA1: 6b2ad378d36c7f17183a5a4f9d660ff580e4cd8e
  SHA256: dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b
  SHA512: b60fcd50148e119a18711dda0b233b8dca9168d908ab4bbdb21bf2de5a2ec5f5629ed0210314725cf1f43fcb960b151899a45acb8e95f63cb40daf0d06fc3b42
- memory/2708-3-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
- memory/2708-4-0x000000000048F888-mapping.dmp
- memory/2708-6-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
- memory/3716-0-0x0000000000000000-mapping.dmp