Analysis

max time kernel: 150s
max time network: 146s
platform: windows10_x64
resource: win10v20201028
submitted: 06-11-2020 11:22

Tasks:
- Static task: static1
- Behavioral task: behavioral1
  Sample: 8b4e13336abef6ecfbff5b1fea65e840863acbe85ef008fc43f4c6f108b391b8.exe
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
General

Target: 8b4e13336abef6ecfbff5b1fea65e840863acbe85ef008fc43f4c6f108b391b8.exe
Size: 404KB
MD5: 031bc4d25f79bc974e1eb0a389590a4d
SHA1: 35ca2381988729dd6ac4f57f945472b56a76182b
SHA256: 8b4e13336abef6ecfbff5b1fea65e840863acbe85ef008fc43f4c6f108b391b8
SHA512: 393c8e69c3f69754b42f09ce227548f6c1b2b722384ce92c669ccad072f9d730a06c93132b9ec43f51f0eb4d7ad04197fc23d8b61dc6aa9351b9ce12ddcd9820
Malware Config

Extracted
Family: darkcomet
Botnet: PrivCrypt
C2: emile2012.no-ip.info:1337
Mutex: DCMIN_MUTEX-WB71XN1
Attributes:
- gencode: dby0EQrVG8Ck
- install: false
- offline_keylogger: true
- persistence: false
Signatures

- Processes:
  resource | yara_rule
  behavioral2/memory/1668-0-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/1668-2-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/1668-3-0x0000000000400000-0x00000000004B7000-memory.dmp | upx

- Uses the VBS compiler for execution (1 TTPs)

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 8b4e13336abef6ecfbff5b1fea65e840863acbe85ef008fc43f4c6f108b391b8.exe
  description | pid | process | target process
  PID 648 set thread context of 1668 | 648 | 8b4e13336abef6ecfbff5b1fea65e840863acbe85ef008fc43f4c6f108b391b8.exe | vbc.exe

- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes: vbc.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 1668 | vbc.exe
  Token: SeSecurityPrivilege | 1668 | vbc.exe
  Token: SeTakeOwnershipPrivilege | 1668 | vbc.exe
  Token: SeLoadDriverPrivilege | 1668 | vbc.exe
  Token: SeSystemProfilePrivilege | 1668 | vbc.exe
  Token: SeSystemtimePrivilege | 1668 | vbc.exe
  Token: SeProfSingleProcessPrivilege | 1668 | vbc.exe
  Token: SeIncBasePriorityPrivilege | 1668 | vbc.exe
  Token: SeCreatePagefilePrivilege | 1668 | vbc.exe
  Token: SeBackupPrivilege | 1668 | vbc.exe
  Token: SeRestorePrivilege | 1668 | vbc.exe
  Token: SeShutdownPrivilege | 1668 | vbc.exe
  Token: SeDebugPrivilege | 1668 | vbc.exe
  Token: SeSystemEnvironmentPrivilege | 1668 | vbc.exe
  Token: SeChangeNotifyPrivilege | 1668 | vbc.exe
  Token: SeRemoteShutdownPrivilege | 1668 | vbc.exe
  Token: SeUndockPrivilege | 1668 | vbc.exe
  Token: SeManageVolumePrivilege | 1668 | vbc.exe
  Token: SeImpersonatePrivilege | 1668 | vbc.exe
  Token: SeCreateGlobalPrivilege | 1668 | vbc.exe
  Token: 33 | 1668 | vbc.exe
  Token: 34 | 1668 | vbc.exe
  Token: 35 | 1668 | vbc.exe
  Token: 36 | 1668 | vbc.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: vbc.exe
  pid | process
  1668 | vbc.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 8b4e13336abef6ecfbff5b1fea65e840863acbe85ef008fc43f4c6f108b391b8.exe
  description | pid | process | target process
  (8 identical entries)
  PID 648 wrote to memory of 1668 | 648 | 8b4e13336abef6ecfbff5b1fea65e840863acbe85ef008fc43f4c6f108b391b8.exe | vbc.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\8b4e13336abef6ecfbff5b1fea65e840863acbe85ef008fc43f4c6f108b391b8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b4e13336abef6ecfbff5b1fea65e840863acbe85ef008fc43f4c6f108b391b8.exe"
  PID: 648
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    PID: 1668
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

- memory/1668-0-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/1668-1-0x00000000004B5000-mapping.dmp
- memory/1668-2-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/1668-3-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)