Analysis

max time kernel:  57s
max time network: 68s
platform:         windows10_x64
resource:         win10v20201028
submitted:        08-11-2020 18:01

Tasks
  static1      (static task)
  behavioral1  (behavioral task): sample 3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d.exe, resource win7v20201028
  behavioral2  (behavioral task): sample 3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d.exe, resource win10v20201028

The platform and resource above identify the windows10_x64 / win10v20201028 run as the one whose signatures, process tree and memory dumps are listed below.
General

Target: 3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d.exe
Size:   557KB
MD5:    316ced1fc09909dff0b75efbd0da2ae0
SHA1:   2d5cb13b6c956f8a7b6307d7f629a56117d2d9ee
SHA256: 3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d
SHA512: fca713a6489bf4d87be23d9fbc6e9aa6fccf8a6329d1abed6e2e28bf2286f2fd78486cd77111eabed293f29fac81bfa1fbd9c8f9ebdb1452cd5af9eb41bdd5ad
Malware Config

Extracted family: darkcomet
  ID (campaign):     2020okt999+++4
  C2:                sandyclark255.hopto.org:1605
  Mutex:             DC_MUTEX-D50H81E
  InstallPath:       word64l.exe
  gencode:           0zgSCfjSH24W
  install:           true
  offline_keylogger: true
  password:          hhhhhh
  persistence:       true
  reg_key:           winworde

The extracted config lines up with the behaviour recorded in the Signatures section: InstallPath word64l.exe is the dropped copy at C:\Users\Admin\Documents\word64l.exe, reg_key winworde is the name of the Run value that starts it, and persistence=true matches the extra Winlogon UserInit entry. The C2 is a No-IP dynamic-DNS hostname (hopto.org), so the hostname rather than any IP it resolved to at analysis time is the durable indicator. The password is the secret DarkComet mixes into its RC4 traffic key, and offline_keylogger=true means keystrokes are logged to disk even while no C2 session is active.
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  process:     rwewqr.exe
  description: Set value (str)
  ioc:         \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\word64l.exe"
  Winlogon launches every comma-separated entry of UserInit at each interactive logon, so appending word64l.exe after the genuine userinit.exe starts the implant for any user who logs on, independently of the per-user Run value below. The value lives under HKLM, so writing it required the process to be running with administrative rights, which the sandbox user evidently had.

Drops file in Drivers directory (1 IoC)
  process:     rwewqr.exe
  description: File opened for modification
  ioc:         C:\Windows\system32\drivers\etc\hosts
  The signature name is the sandbox's generic label for writes under system32\drivers; the file actually opened is the hosts file, i.e. a local DNS override, not a driver drop.

Executes dropped EXE (2 IoCs)
  pid 600   rwewqr.exe
  pid 2836  word64l.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely geofencing (sandbox description).
  process:     rwewqr.exe
  description: Key value queried
  ioc:         \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation
  This is the value GetUserGeoID reads, so benign locale-aware code touches it too; on its own it is weak evidence of geofencing.

Adds Run key to start application (2 TTPs, 1 IoC)
  process:     rwewqr.exe
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\winworde = "C:\\Users\\Admin\\Documents\\word64l.exe"
  The value name winworde and the target path match reg_key and InstallPath in the extracted config.
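A small triage check for the two persistence IoCs above, written as an added example rather than anything from the sandbox or the report. It takes a registry snapshot as a dict, flags any Winlogon UserInit entry that is not the genuine userinit.exe under System32, and flags Run values whose executable lives in a user-writable directory. The snapshot below is constructed from the two IoCs on this page plus one invented benign OneDrive entry as a baseline; the hive prefixes (HKLM/HKCU) and the user-writable directory list are assumptions for the example.

```python
"""Check registry persistence values for the patterns recorded above:
an extra executable appended to Winlogon UserInit and a Run value that
launches from a user-writable directory.

Added example, not part of the sandbox report. The registry snapshot below
is constructed from the two IoCs on this page plus one benign Run entry
(the OneDrive path is invented as a baseline)."""
import ntpath
import re

# Directories a standard user can write to without elevation (assumed list);
# persistence launching from here is user-controlled, not an installed product.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(documents|appdata|downloads|desktop)\\", re.I)


def split_entries(value: str) -> list:
    """Split a comma-separated registry string into its non-empty entries.
    Doubled backslashes, as the sandbox prints them, are collapsed first."""
    value = value.strip('"').replace("\\\\", "\\")
    return [e.strip() for e in value.split(",") if e.strip()]


def userinit_extra_entries(value: str) -> list:
    """Return every UserInit entry that is not the genuine userinit.exe under
    System32. Winlogon runs each entry at logon, so any extra one persists."""
    extras = []
    for entry in split_entries(value):
        head, tail = ntpath.split(entry)
        genuine = (tail.lower() == "userinit.exe"
                   and head.lower().endswith("\\system32"))
        if not genuine:
            extras.append(entry)
    return extras


def executable_of(command: str) -> str:
    """Best-effort image path from a Run command line: the quoted path if the
    command starts with a quote, otherwise the text up to the first '.exe'."""
    command = command.replace("\\\\", "\\").strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)", command, re.I)
    return m.group(1) if m else command


def run_entry_findings(name: str, command: str) -> list:
    """Flag a Run value whose executable lives in a user-writable directory."""
    exe = executable_of(command)
    if USER_WRITABLE.match(exe):
        return ["Run\\%s launches from user-writable path: %s" % (name, exe)]
    return []


def check_registry(reg: dict) -> list:
    """reg maps a full value path to its string data; returns finding lines."""
    findings = []
    for path, data in reg.items():
        lower = path.lower()
        name = path.rsplit("\\", 1)[-1]
        if lower.endswith("\\winlogon\\userinit"):
            for extra in userinit_extra_entries(data):
                findings.append("UserInit has extra logon entry: " + extra)
        elif "\\currentversion\\run\\" in lower:
            findings.extend(run_entry_findings(name, data))
    return findings


# Constructed snapshot: the two IoCs from the report plus a benign baseline.
SAMPLE_REGISTRY = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit":
        r"C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\word64l.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winworde":
        r"C:\\Users\\Admin\\Documents\\word64l.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
}

if __name__ == "__main__":
    for finding in check_registry(SAMPLE_REGISTRY):
        print(finding)
```

On a live host the same functions can be fed from a `reg export` of the two keys; the UserInit check deliberately compares the directory as well as the file name, so a copy of the implant renamed to userinit.exe in Documents would still be reported.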
Drops desktop.ini file(s) (2 IoCs)
  process: 3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d.exe
  File created:                 C:\Windows\assembly\Desktop.ini
  File opened for modification: C:\Windows\assembly\Desktop.ini
  C:\Windows\assembly\Desktop.ini is commonly created as a side effect of the .NET Framework's GAC shell folder when a .NET process runs, so this is more indicative of a .NET loader than of deliberate tampering.

Suspicious use of SetThreadContext (1 IoC)
  PID 688 (3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d.exe) set thread context of PID 600 (rwewqr.exe)
  Together with the twelve WriteProcessMemory calls from 688 into 600 listed below, and the fact that rwewqr.exe on disk is byte-identical to the sample (see Downloads), this is consistent with process hollowing: the parent starts a copy of itself, writes a payload into it and points the main thread at a new entry point.

Drops file in Windows directory (3 IoCs)
  process: 3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d.exe
  File opened for modification: C:\Windows\assembly\Desktop.ini
  File opened for modification: C:\Windows\assembly
  File created:                 C:\Windows\assembly\Desktop.ini

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's description adds "likely ransomware behaviour", but with a DarkComet config extracted this matches the RAT's file-manager drive enumeration, and no file encryption is recorded anywhere in this report.

Program crash (2 IoCs)
  pid 1336  WerFault.exe  target pid 688   3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d.exe
  pid 3384  WerFault.exe  target pid 2836  word64l.exe

Modifies registry class (1 IoC)
  process:     rwewqr.exe
  description: Key created
  ioc:         \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
  An Instance subkey under a WOW6432Node CLSID is often a side effect of a 32-bit process using shell COM objects; treat it as low-confidence on its own.
Suspicious behavior: EnumeratesProcesses (34 IoCs)
  pid 688   3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d.exe  (3 events)
  pid 2836  word64l.exe   (1 event)
  pid 3384  WerFault.exe  (15 events)
  pid 1336  WerFault.exe  (15 events)
  The 30 WerFault.exe events are expected crash-reporting activity; only the sample's own and word64l.exe's enumeration is attributable to the malware.

Suspicious use of AdjustPrivilegeToken (31 IoCs)
  pid 688   3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d.exe
            SeDebugPrivilege (x2)
  pid 600   rwewqr.exe
            SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  pid 1336  WerFault.exe
            SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege
  pid 2836  word64l.exe
            SeDebugPrivilege
  pid 3384  WerFault.exe
            SeDebugPrivilege
  The bare numbers 33-36 are privilege LUIDs the sandbox did not resolve to names (SeIncreaseWorkingSet, SeTimeZone, SeCreateSymbolicLink, SeDelegateSessionUserImpersonate). rwewqr.exe enabling essentially every privilege in its token in one pass is characteristic of a RAT stub preparing for file, registry and driver operations, not of ordinary application code.

Suspicious use of WriteProcessMemory (32 IoCs)
  PID 688 (3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d.exe) wrote to memory of PID 600 (rwewqr.exe)   12 times
  PID 600 (rwewqr.exe) wrote to memory of PID 204 (notepad.exe)    17 times
  PID 600 (rwewqr.exe) wrote to memory of PID 2836 (word64l.exe)    3 times
  The three writes into word64l.exe are the volume a parent produces when it simply starts a child; the twelve into rwewqr.exe (paired with the SetThreadContext above) and the seventeen into notepad.exe (no thread-context change recorded) are remote code writes.
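The SetThreadContext and WriteProcessMemory signatures are only useful once they are joined per (source, target) pair and read against the process tree, because a parent writing into a child it has just created looks the same at the API level whether it is a normal spawn or a hollowing. The classifier below does that join; it is an added example, not the sandbox's own logic. The event list is constructed from the counts on this page (12 writes plus one SetThreadContext from 688 into 600, 17 writes from 600 into 204, 3 writes from 600 into 2836), the parent map from the Processes section, and the loader write budget is an assumption to be calibrated against clean spawns on your own sandbox.

```python
"""Turn cross-process API events of the kind listed under the SetThreadContext
and WriteProcessMemory signatures into an injection verdict per
(source, target) pair, using the process tree to know which targets the
source itself created.

Added example, not the sandbox's own logic. Events are constructed from the
counts on this page; LOADER_WRITE_BUDGET is an assumption."""
from collections import Counter

# How many WriteProcessMemory calls a plain CreateProcess is allowed to
# account for (the parent writes the child's process parameters). Assumed.
LOADER_WRITE_BUDGET = 4

SAMPLE_NAME = "3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d.exe"

# Parent map and image names taken from the Processes section of the report.
SAMPLE_PARENTS = {600: 688, 204: 600, 2836: 600, 1336: 688, 3384: 2836}
SAMPLE_NAMES = {688: SAMPLE_NAME, 600: "rwewqr.exe", 204: "notepad.exe",
                2836: "word64l.exe", 1336: "WerFault.exe", 3384: "WerFault.exe"}

# Constructed event stream reproducing the per-pair counts in the signatures.
SAMPLE_EVENTS = (
    [("WriteProcessMemory", 688, 600)] * 12
    + [("SetThreadContext", 688, 600)]
    + [("WriteProcessMemory", 600, 204)] * 17
    + [("WriteProcessMemory", 600, 2836)] * 3
)


def classify(events, parents):
    """events: (api, src_pid, dst_pid) tuples; parents: {pid: parent_pid}.
    Returns {(src, dst): verdict string}."""
    writes = Counter()
    context_set = set()
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            context_set.add((src, dst))
    verdicts = {}
    for pair in set(writes) | context_set:
        src, dst = pair
        own_child = parents.get(dst) == src
        if pair in context_set and own_child:
            # Parent created the target, wrote into it and redirected a thread.
            verdicts[pair] = "process hollowing"
        elif pair in context_set:
            verdicts[pair] = "thread hijack into existing process"
        elif writes[pair] > LOADER_WRITE_BUDGET:
            # Far more writes than process creation needs, no context change
            # recorded: code was written but started some other way.
            verdicts[pair] = "remote write without thread-context change"
        else:
            verdicts[pair] = "loader writes of ordinary process creation"
    return verdicts


def report(events, parents, names):
    """Human-readable lines, one per pair, ordered by source then target."""
    lines = []
    for (src, dst), verdict in sorted(classify(events, parents).items()):
        lines.append("%d %s -> %d %s: %s" % (
            src, names.get(src, "?"), dst, names.get(dst, "?"), verdict))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS, SAMPLE_PARENTS, SAMPLE_NAMES)))
```

The order of events is deliberately ignored: hollowing writes the image before the SetThreadContext, but sandboxes do not always preserve ordering across hooks, and the pair-level counts are enough to separate the three cases seen here.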
Processes

C:\Users\Admin\AppData\Local\Temp\3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d.exe  (PID 688)
  command line: "C:\Users\Admin\AppData\Local\Temp\3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d.exe"
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0ed94wxm0ij5U6Fj\rwewqr.exe  (PID 600)
    command line: "C:\Users\Admin\AppData\Local\Temp\0ed94wxm0ij5U6Fj\rwewqr.exe"
    - Modifies WinLogon for persistence
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\notepad.exe  (PID 204)
      command line: notepad

    C:\Users\Admin\Documents\word64l.exe  (PID 2836)
      command line: "C:\Users\Admin\Documents\word64l.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe  (PID 3384)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1036
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe  (PID 1336)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 1172
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

PIDs are taken from the signature tables above. The chain is: the submitted sample (688) starts a copy of itself as rwewqr.exe (600) and hollows it; the hollowed copy writes the persistence keys and the hosts file, spawns a 32-bit notepad.exe (204) and writes into it, and launches the installed copy word64l.exe (2836). Both the original and the installed copy later crash under WerFault.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Every dropped file below carries the same MD5, SHA1, SHA256 and SHA512 as the submitted sample in the General section: rwewqr.exe and word64l.exe are byte-for-byte copies of the original, and each appears twice in the original report with identical entries.

C:\Users\Admin\AppData\Local\Temp\0ed94wxm0ij5U6Fj\rwewqr.exe
  MD5:    316ced1fc09909dff0b75efbd0da2ae0
  SHA1:   2d5cb13b6c956f8a7b6307d7f629a56117d2d9ee
  SHA256: 3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d
  SHA512: fca713a6489bf4d87be23d9fbc6e9aa6fccf8a6329d1abed6e2e28bf2286f2fd78486cd77111eabed293f29fac81bfa1fbd9c8f9ebdb1452cd5af9eb41bdd5ad

C:\Users\Admin\Documents\word64l.exe
  MD5:    316ced1fc09909dff0b75efbd0da2ae0
  SHA1:   2d5cb13b6c956f8a7b6307d7f629a56117d2d9ee
  SHA256: 3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d
  SHA512: fca713a6489bf4d87be23d9fbc6e9aa6fccf8a6329d1abed6e2e28bf2286f2fd78486cd77111eabed293f29fac81bfa1fbd9c8f9ebdb1452cd5af9eb41bdd5ad

Memory dumps (grouped by PID):

PID 204 (notepad.exe)
  memory/204-5-0x0000000000000000-mapping.dmp
  memory/204-6-0x00000000001E0000-0x00000000001E1000-memory.dmp  (4KB)
  memory/204-7-0x0000000000000000-mapping.dmp

PID 600 (rwewqr.exe)
  memory/600-0-0x0000000000400000-0x00000000004BA000-memory.dmp  (744KB)
  memory/600-1-0x000000000048F888-mapping.dmp
  memory/600-4-0x0000000000400000-0x00000000004BA000-memory.dmp  (744KB)

PID 1336 (WerFault.exe)
  memory/1336-11-0x0000000004EA0000-0x0000000004EA1000-memory.dmp  (4KB)
  memory/1336-20-0x00000000059C0000-0x00000000059C1000-memory.dmp  (4KB)

PID 2836 (word64l.exe)
  memory/2836-8-0x0000000000000000-mapping.dmp
  memory/2836-13-0x0000000000000000-mapping.dmp
  memory/2836-14-0x0000000000000000-mapping.dmp
  memory/2836-15-0x0000000000000000-mapping.dmp
  memory/2836-16-0x0000000000000000-mapping.dmp
  memory/2836-17-0x0000000000000000-mapping.dmp
  memory/2836-18-0x0000000000000000-mapping.dmp
  memory/2836-36-0x0000000000000000-mapping.dmp
  memory/2836-37-0x0000000000000000-mapping.dmp
  memory/2836-40-0x0000000000000000-mapping.dmp
  memory/2836-42-0x0000000000000000-mapping.dmp
  memory/2836-44-0x0000000000000000-mapping.dmp

PID 3384 (WerFault.exe)
  memory/3384-12-0x0000000004910000-0x0000000004911000-memory.dmp  (4KB)
  memory/3384-22-0x0000000005370000-0x0000000005371000-memory.dmp  (4KB)

The two 744KB dumps of PID 600 cover the 0x400000-0x4BA000 image region of the hollowed rwewqr.exe, and the mapping dump at 0x48F888 falls inside that region; these are the dumps to pull when recovering the payload the parent wrote in with WriteProcessMemory before the SetThreadContext call. The 744KB in-memory size against 557KB on disk is a further sign that what runs in 600 is not the file as dropped.