Analysis

max time kernel:  149s
max time network: 151s
platform:         windows10_x64
resource:         win10v200722
submitted:        15-08-2020 06:59

Static task:     static1
Behavioral task: behavioral1
  Sample:   74556POZ_pdf.exe
  Resource: win7v200722
General

Target: 74556POZ_pdf.exe
Size:   749KB
MD5:    8c783ee344384ce8f3282675e961c3c0
SHA1:   eb699861cb2ec0fdc2fb736c6f4eba93133f2100
SHA256: bbc8f1873aefb2518b9675fdda8446a2ba7dc159bab9bfd08b40e19b654ea8bb
SHA512: ed6ab8e3d8cc3a6cbbadd944d59f8112d9bb4fba2c73d9d476be4e2a9ab929e4836626e113efb72d184b275ea5c8653494fe6e8834571f0bd89f24b83d913aec
Malware Config

Extracted
  Family: darkcomet
  Botnet: Good News
  C2:     boki.zapto.org:1905
  Mutex:  DCMIN_MUTEX-ZAT3FJZ
  Attributes:
    gencode:           BrxJcaQU7jzd
    install:           false
    offline_keylogger: true
    persistence:       false
Signatures

YARA rule matches
  resource                                                                      yara_rule
  behavioral2/memory/2560-2-0x0000000000400000-0x00000000004B7000-memory.dmp    upx
  behavioral2/memory/2560-4-0x0000000000400000-0x00000000004B7000-memory.dmp    upx
  behavioral2/memory/2560-5-0x0000000000400000-0x00000000004B7000-memory.dmp    upx

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process           target process
  PID 3976 set thread context of 2560  3976  74556POZ_pdf.exe  74556POZ_pdf.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of AdjustPrivilegeToken (24 IoCs)
  PID 2560 (74556POZ_pdf.exe) adjusted the following token privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
  SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
  SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
  SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
  SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege,
  and the privileges listed by number as 33, 34, 35 and 36.

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  2560  74556POZ_pdf.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description                        pid   process           target process     occurrences
  PID 3976 wrote to memory of 2332   3976  74556POZ_pdf.exe  schtasks.exe       3
  PID 3976 wrote to memory of 2560   3976  74556POZ_pdf.exe  74556POZ_pdf.exe   7
Processes

C:\Users\Admin\AppData\Local\Temp\74556POZ_pdf.exe (PID 3976)
  command line: "C:\Users\Admin\AppData\Local\Temp\74556POZ_pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (PID 2332, child of 3976)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\igDEjuKnNuUIk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4DB8.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\74556POZ_pdf.exe (PID 2560, child of 3976)
    command line: "C:\Users\Admin\AppData\Local\Temp\74556POZ_pdf.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp4DB8.tmp
  MD5:    dfc81f75ca0a2ea3ad5a9d5f04fc2eb0
  SHA1:   3cbe69b25a95af40e56d49fb0a8af1aa37deab2b
  SHA256: a2e2d57d39054b6105e5812620f2b83982df7613f070463970cae66283824401
  SHA512: 14b1cff62ea19306fe8d514efab145848d11a6e26f538c73543aac5a76c9d868aa0414ba88b818b9052db8da53fde0fe63199466579548bd97f82ab8cf7fed73

memory/2332-0-0x0000000000000000-mapping.dmp

memory/2560-2-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB

memory/2560-3-0x00000000004B5000-mapping.dmp

memory/2560-4-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB

memory/2560-5-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB