Analysis

Max time kernel: 16s
Max time network: 147s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 09-11-2020 20:44
Tasks: static1 (static task); behavioral1 (resource win7v20201028); behavioral2 (resource win10v20201028, the task reported below; its memory dumps are labelled behavioral2/)
Sample: dadbbae49763300bb65adb6e4adb49fc3d8d041df3acf36d968694274d4f0d80.exe
General

Target: dadbbae49763300bb65adb6e4adb49fc3d8d041df3acf36d968694274d4f0d80.exe
Size: 1.5MB
MD5: 17324f12dc50cb5cbee601f34b563293
SHA1: b8e8ea642c064aed63ee175c2478f752433d5b99
SHA256: dadbbae49763300bb65adb6e4adb49fc3d8d041df3acf36d968694274d4f0d80
SHA512: 7209de88c0eada80c141bbe8d8efe5ed14c4cb8173aca34f815a8f61790b8c1e97f3c6cbecf9f8729241b00a4f995b142e78c468846f0f9411477297ec56d2dc
Malware Config

Extracted
Family: darkcomet
Campaign ID: Runescape
C2: mrsnickers03.no-ip.biz:340
Mutex: DC_MUTEX-6ZFK11A
gencode: uNwew4gojxtu
install: false
offline_keylogger: true
persistence: false

Note that install and persistence are both false in the extracted config, yet the process tree below shows a Run-key entry being added through cmd.exe/reg.exe and a dropped copy (ichader.exe) being executed: the persistence observed in this run comes from the batch-file loader around the payload, not from DarkComet's own install option. The C2 is a dynamic-DNS hostname on a non-standard port (340), so hunt on the hostname and the mutex rather than on an IP.
Signatures

Executes dropped EXE (3 IoCs)
  PID 200   ichader.exe
  PID 2844  ichader.exe
  PID 2208  ichader.exe

YARA rule "upx" matched in memory (6 IoCs)
  behavioral2/memory/3456-7-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/3456-10-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/3456-11-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral2/memory/2208-33-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/2208-41-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/2208-42-0x0000000000400000-0x00000000004B7000-memory.dmp
  Two distinct UPX-packed images are in play: the 44KB image injected into the second sample instance (3456) and the 732KB image injected into the third ichader.exe instance (2208). The latter is the one that goes on to adjust its token privileges (below) and is the dump to pull for the DarkComet payload.

Adds Run key to start application (2 TTPs, 2 IoCs)
  reg.exe  Key created      \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run
  reg.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\IDM\\ichader.exe"

Suspicious use of SetThreadContext (5 IoCs)
  PID 3304 (sample)       -> PID 3844 svchost.exe
  PID 3304 (sample)       -> PID 3456 (sample, second instance)
  PID 200  ichader.exe    -> PID 2264 svchost.exe
  PID 200  ichader.exe    -> PID 2844 ichader.exe
  PID 200  ichader.exe    -> PID 2208 ichader.exe
  Every target is a child the source has just created and written into (see WriteProcessMemory below): the create / write / SetThreadContext sequence characteristic of process hollowing. The original sample and the dropped copy behave identically, each hollowing one 32-bit svchost.exe and one or two fresh instances of its own image.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The second sentence is the sandbox's generic description for this signature. For a DarkComet RAT, drive enumeration matches its file-manager feature; nothing else in this run (no mass file writes, no ransom note) points to ransomware.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3844 svchost.exe (64 hits)

Suspicious use of AdjustPrivilegeToken (26 IoCs)
  PID 2208 ichader.exe adjusted token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privileges by LUID 33, 34, 35, 36 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege)
  PID 2844 ichader.exe adjusted token privileges: SeDebugPrivilege (x2)
  Enabling every privilege the token holds in one sweep is the behaviour of the unpacked payload, and 2208 is the process whose 732KB image matched the upx rule above.

Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 3304 (sample), PID 3844 svchost.exe, PID 3456 (sample), PID 200 ichader.exe, PID 2264 svchost.exe, PID 2844 ichader.exe, PID 2208 ichader.exe

Suspicious use of WriteProcessMemory (51 IoCs)
  PID 3304 (sample)      -> PID 3844 svchost.exe        9 writes
  PID 3304 (sample)      -> PID 3456 (sample)           8 writes
  PID 3456 (sample)      -> PID 2192 cmd.exe            3 writes
  PID 2192 cmd.exe       -> PID 4036 reg.exe            3 writes
  PID 3456 (sample)      -> PID 200 ichader.exe         3 writes
  PID 200  ichader.exe   -> PID 2264 svchost.exe        9 writes
  PID 200  ichader.exe   -> PID 2844 ichader.exe        8 writes
  PID 200  ichader.exe   -> PID 2208 ichader.exe        8 writes
  The three-write pairs (cmd.exe, reg.exe, the first ichader.exe) are not SetThreadContext targets; the eight- and nine-write pairs are exactly the five hollowing targets listed above, with the same counts for the original sample and for the dropped copy.
Processes

PID 3304  C:\Users\Admin\AppData\Local\Temp\dadbbae49763300bb65adb6e4adb49fc3d8d041df3acf36d968694274d4f0d80.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\dadbbae49763300bb65adb6e4adb49fc3d8d041df3acf36d968694274d4f0d80.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    PID 3844  C:\Windows\SysWOW64\svchost.exe
              command line: "C:\Windows\system32\svchost.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

    PID 3456  C:\Users\Admin\AppData\Local\Temp\dadbbae49763300bb65adb6e4adb49fc3d8d041df3acf36d968694274d4f0d80.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\dadbbae49763300bb65adb6e4adb49fc3d8d041df3acf36d968694274d4f0d80.exe"
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        PID 2192  C:\Windows\SysWOW64\cmd.exe
                  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQERC.bat" "
          - Suspicious use of WriteProcessMemory

            PID 4036  C:\Windows\SysWOW64\reg.exe
                      command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe" /f
              - Adds Run key to start application

        PID 200   C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
                  command line: "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            PID 2264  C:\Windows\SysWOW64\svchost.exe
                      command line: "C:\Windows\system32\svchost.exe"
              - Suspicious use of SetWindowsHookEx

            PID 2844  C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
                      command line: "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx

            PID 2208  C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
                      command line: "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx

Image paths are under SysWOW64 although the command lines say system32: the 32-bit loader's process creations went through WOW64 file-system redirection, so the hollowed hosts are the 32-bit svchost.exe, consistent with the 32-bit image base (0x400000) of every dumped region below. Both svchost.exe instances were started with no "-k <group>" argument and by a user-profile executable rather than services.exe, which is the simplest host-side signal for this tree.
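The three findings a detection engineer would want to pull out of this tree (the create / write / SetThreadContext hollowing edges, the bare svchost.exe instances, and the reg.exe Run-key chain behind the batch file) as detection logic run over the report's own events. This is an added example, not part of the sandbox report or of any vendor tooling; the event lists are constructed by hand from the Processes, SetThreadContext, WriteProcessMemory and Run-key sections above, and the record layout (pid, ppid, image, cmdline) and all function names are this example's own.

```python
"""Detection logic over the process and injection events in this report.

Added example, not part of the sandbox report or of any vendor tooling. The
event lists are constructed by hand from the Processes, SetThreadContext,
WriteProcessMemory and Run-key sections above; the record layout
(pid, ppid, image, cmdline) and all function names are this example's own.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\dadbbae49763300bb65adb6e4adb49fc3d8d041df3acf36d968694274d4f0d80.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"

# (pid, ppid, image, command line); the sample's own parent is not in the report.
PROCESSES = [
    (3304, None, SAMPLE, f'"{SAMPLE}"'),
    (3844, 3304, SVCHOST, r'"C:\Windows\system32\svchost.exe"'),
    (3456, 3304, SAMPLE, f'"{SAMPLE}"'),
    (2192, 3456, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQERC.bat" "'),
    (4036, 2192, r"C:\Windows\SysWOW64\reg.exe",
     r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ '
     r'/d "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe" /f'),
    (200, 3456, DROPPED, f'"{DROPPED}"'),
    (2264, 200, SVCHOST, r'"C:\Windows\system32\svchost.exe"'),
    (2844, 200, DROPPED, f'"{DROPPED}"'),
    (2208, 200, DROPPED, f'"{DROPPED}"'),
]
# (source pid, target pid) from the SetThreadContext signature.
SET_THREAD_CONTEXT = [(3304, 3844), (3304, 3456), (200, 2264), (200, 2844), (200, 2208)]
# (source pid, target pid) -> WriteProcessMemory call count, summed from the signature.
WRITE_PROCESS_MEMORY = Counter({
    (3304, 3844): 9, (3304, 3456): 8, (3456, 2192): 3, (2192, 4036): 3,
    (3456, 200): 3, (200, 2264): 9, (200, 2844): 8, (200, 2208): 8,
})

RUN_KEY_RE = re.compile(r"CurrentVersion\\Run\b", re.IGNORECASE)
REG_VALUE_RE = re.compile(r'/v\s+"?([^"\s]+)"?.*?/d\s+"([^"]+)"', re.IGNORECASE)


def _basename(path):
    return PureWindowsPath(path).name.lower()


def hollowing_candidates(processes, thread_context, writes):
    """Parent spawns a child, writes into it, then resets the child's thread
    context: the process-hollowing sequence. Reports each such edge and whether
    the target is a copy of the injector's own image or a Windows binary."""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for src, dst in thread_context:
        if src == dst or dst not in by_pid or by_pid[dst][1] != src or not writes[(src, dst)]:
            continue
        target_image = by_pid[dst][2]
        if target_image == by_pid[src][2]:
            kind = "self-injection"
        elif target_image.lower().startswith("c:\\windows\\"):
            kind = "hollowed Windows binary"
        else:
            kind = "injection"
        findings.append({"source": src, "target": dst, "target_image": target_image,
                         "writes": writes[(src, dst)], "kind": kind})
    return findings


def suspicious_svchost(processes):
    """svchost.exe is normally started by services.exe with '-k <group>'. A bare
    svchost.exe under a user-profile parent is the hollowing host seen here.
    (Legitimate exceptions exist, e.g. Defender's MsMpEng.exe, so treat a hit
    as a hunt lead, not a verdict.)"""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for pid, ppid, image, cmdline in processes:
        if _basename(image) != "svchost.exe":
            continue
        parent = _basename(by_pid[ppid][2]) if ppid in by_pid else "unknown"
        reasons = []
        if parent != "services.exe":
            reasons.append(f"parent is {parent}")
        if not re.search(r"(^|\s)-k\s+\S+", cmdline):
            reasons.append("no -k service group")
        if reasons:
            findings.append({"pid": pid, "reasons": reasons})
    return findings


def run_key_persistence(processes):
    """Run-key persistence written through reg.exe, with the ancestor chain so
    the batch-file loader step (cmd.exe /c <bat>) is visible."""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for pid, ppid, image, cmdline in processes:
        if _basename(image) != "reg.exe" or not RUN_KEY_RE.search(cmdline):
            continue
        m = REG_VALUE_RE.search(cmdline)
        chain, cur = [], pid
        while cur in by_pid:          # walk reg.exe -> cmd.exe -> sample -> ...
            chain.append(cur)
            cur = by_pid[cur][1]
        findings.append({"pid": pid, "value": m and m.group(1),
                         "data": m and m.group(2), "chain": chain})
    return findings


def analyze(processes=PROCESSES, thread_context=SET_THREAD_CONTEXT,
            writes=WRITE_PROCESS_MEMORY):
    return {"hollowing": hollowing_candidates(processes, thread_context, writes),
            "svchost": suspicious_svchost(processes),
            "persistence": run_key_persistence(processes)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(), indent=2))
```

On this report the hollowing check returns all five SetThreadContext edges (two hollowed svchost.exe hosts, three self-injections), the svchost check flags 3844 and 2264 on both counts, and the persistence check returns the single reg.exe call with the chain 4036 -> 2192 -> 3456 -> 3304. Feeding real EDR telemetry into the same three functions only requires mapping its process-create, WriteProcessMemory and SetThreadContext events onto the same tuples.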
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\UQERC.bat
  MD5: 92353035f01403e26aa2ff51c3963238
  SHA1: d13f167c73bfce23a2deab8ce7c4ce9f78759ff4
  SHA256: 2e72a8542f8f809bfb1e4adfb481c7c5e6dc00dda7970c74692ba8d83ea0a870
  SHA512: 74560e33477caae3c7bc13914e4ae3c6911bbcfe257b2833155c236a158db0aca17478beb9d97f648ff1ea566005260f511361771c74203195107f4e82cce7df

C:\Users\Admin\AppData\Roaming\IDM\ichader.exe (listed four times in the report, identical hashes each time)
  MD5: 047abf60617ba7b20275e47893e79b05
  SHA1: b4425c0a9cfc33ba030c8f8ce397b056073402ae
  SHA256: b113a13bc7d7cfe291bdb155a5e78c1722debacd4f2386e67baef43fa7bb21ad
  SHA512: 71d90d2be56d58a9e853530facaca2e256b2f39349d283ebad1034807ef152e1509908f008296a37076a33d3330fab80acd619e95fbfe717bb70680b83d57e6a

The dropped ichader.exe does not share any hash with the submitted 1.5MB sample, so hunt on both hash sets: ichader.exe is the file the Run key re-launches at logon.

Memory dumps (behavioral2/memory/, the paths used in the YARA hits above; "memory.dmp" entries are dumped regions with their reported size, "mapping.dmp" entries record the address the sandbox captured a thread context at):

  memory/200-20-0x0000000072E10000-0x0000000072EA3000-memory.dmp   588KB
  memory/200-17-0x0000000000000000-mapping.dmp
  memory/2192-14-0x0000000000000000-mapping.dmp
  memory/2208-33-0x0000000000400000-0x00000000004B7000-memory.dmp  732KB
  memory/2208-35-0x00000000004B5210-mapping.dmp
  memory/2208-38-0x0000000072E10000-0x0000000072EA3000-memory.dmp  588KB
  memory/2208-41-0x0000000000400000-0x00000000004B7000-memory.dmp  732KB
  memory/2208-42-0x0000000000400000-0x00000000004B7000-memory.dmp  732KB
  memory/2264-24-0x000000000040B000-mapping.dmp
  memory/2264-25-0x0000000000400000-0x000000000040C000-memory.dmp  48KB
  memory/2264-23-0x0000000000400000-0x000000000040C000-memory.dmp  48KB
  memory/2844-29-0x00000000004085D0-mapping.dmp
  memory/2844-32-0x0000000072E10000-0x0000000072EA3000-memory.dmp  588KB
  memory/3456-11-0x0000000000400000-0x000000000040B000-memory.dmp  44KB
  memory/3456-10-0x0000000000400000-0x000000000040B000-memory.dmp  44KB
  memory/3456-9-0x00000000004085D0-mapping.dmp
  memory/3456-7-0x0000000000400000-0x000000000040B000-memory.dmp   44KB
  memory/3844-2-0x0000000000400000-0x000000000040C000-memory.dmp   48KB
  memory/3844-5-0x0000000000400000-0x000000000040C000-memory.dmp   48KB
  memory/3844-4-0x0000000000400000-0x000000000040C000-memory.dmp   48KB
  memory/3844-3-0x000000000040B000-mapping.dmp
  memory/4036-16-0x0000000000000000-mapping.dmp

Reading the addresses against the process tree: the two svchost.exe hosts (3844, 2264) both carry a 48KB image at 0x400000 with the context set at 0x40B000; the second sample instance (3456) and the second ichader.exe instance (2844) both get their context set at 0x4085D0, the same offset into the 44KB loader image; only 2208 receives the larger 732KB image (context at 0x4B5210), and the 588KB region at 0x72E10000 that appears in 200, 2208 and 2844 is a shared module rather than injected code. 2208's 0x400000-0x4B7000 dump is therefore the one to carve for the DarkComet payload and its config.
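The correlation just described, done programmatically so it can be repeated on other reports: parse the dump names, deduplicate regions per PID, cross-check each reported size against its address range, carry the upx YARA flag over, and resolve every non-zero mapping address to the region that contains it. This is an added example, not part of the sandbox report; the dump list is copied from the list above, the naming convention memory/<pid>-<n>-<start>-<end>-memory.dmp and memory/<pid>-<n>-<addr>-mapping.dmp is read off those names as listed here, and the function names are this example's own.

```python
"""Correlate the memory-dump names from this report: regions per PID, size
sanity check, UPX flag, and which region each thread-context address falls in.

Added example, not part of the sandbox report. DUMPS and UPX_HITS are copied
from the report; the dump-name convention is read off those names, and the
function names are this example's own.
"""
import re
from collections import defaultdict

# (dump name, reported size in KB or None), as listed in the report.
DUMPS = [
    ("memory/200-20-0x0000000072E10000-0x0000000072EA3000-memory.dmp", 588),
    ("memory/200-17-0x0000000000000000-mapping.dmp", None),
    ("memory/2192-14-0x0000000000000000-mapping.dmp", None),
    ("memory/2208-33-0x0000000000400000-0x00000000004B7000-memory.dmp", 732),
    ("memory/2208-35-0x00000000004B5210-mapping.dmp", None),
    ("memory/2208-38-0x0000000072E10000-0x0000000072EA3000-memory.dmp", 588),
    ("memory/2208-41-0x0000000000400000-0x00000000004B7000-memory.dmp", 732),
    ("memory/2208-42-0x0000000000400000-0x00000000004B7000-memory.dmp", 732),
    ("memory/2264-24-0x000000000040B000-mapping.dmp", None),
    ("memory/2264-25-0x0000000000400000-0x000000000040C000-memory.dmp", 48),
    ("memory/2264-23-0x0000000000400000-0x000000000040C000-memory.dmp", 48),
    ("memory/2844-29-0x00000000004085D0-mapping.dmp", None),
    ("memory/2844-32-0x0000000072E10000-0x0000000072EA3000-memory.dmp", 588),
    ("memory/3456-11-0x0000000000400000-0x000000000040B000-memory.dmp", 44),
    ("memory/3456-10-0x0000000000400000-0x000000000040B000-memory.dmp", 44),
    ("memory/3456-9-0x00000000004085D0-mapping.dmp", None),
    ("memory/3456-7-0x0000000000400000-0x000000000040B000-memory.dmp", 44),
    ("memory/3844-2-0x0000000000400000-0x000000000040C000-memory.dmp", 48),
    ("memory/3844-5-0x0000000000400000-0x000000000040C000-memory.dmp", 48),
    ("memory/3844-4-0x0000000000400000-0x000000000040C000-memory.dmp", 48),
    ("memory/3844-3-0x000000000040B000-mapping.dmp", None),
    ("memory/4036-16-0x0000000000000000-mapping.dmp", None),
]
# Dumps the report's YARA pass matched with rule "upx", as "<pid>-<n>".
UPX_HITS = {"3456-7", "3456-10", "3456-11", "2208-33", "2208-41", "2208-42"}

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9a-f]+)(?:-0x([0-9a-f]+)-memory|-mapping)\.dmp$", re.I)


def parse_dump(name):
    """Split a dump name into pid, sequence number, start and (for regions) end."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    end = int(m[4], 16) if m[4] else None
    return {"pid": int(m[1]), "seq": int(m[2]), "start": int(m[3], 16), "end": end}


def correlate(dumps=DUMPS, upx_hits=UPX_HITS):
    """Per PID: distinct dumped regions (reported size cross-checked against the
    address range, UPX flag carried over) and, for every non-zero mapping
    address, the containing region and the offset from its base."""
    regions, mappings, size_mismatch = defaultdict(dict), defaultdict(list), []
    for name, size_kb in dumps:
        d = parse_dump(name)
        if d["end"] is None:                       # a mapping dump
            if d["start"]:                         # 0x0 has nothing to correlate
                mappings[d["pid"]].append(d["start"])
            continue
        length = d["end"] - d["start"]
        if size_kb is not None and length != size_kb * 1024:
            size_mismatch.append(name)
        region = regions[d["pid"]].setdefault((d["start"], d["end"]),
                                               {"size": length, "upx": False})
        region["upx"] = region["upx"] or f'{d["pid"]}-{d["seq"]}' in upx_hits
    report = {}
    for pid in sorted(set(regions) | set(mappings)):
        entries = []
        for addr in mappings.get(pid, []):
            hit = next((r for r in regions.get(pid, {}) if r[0] <= addr < r[1]), None)
            entries.append({"addr": addr, "region": hit,
                            "offset": addr - hit[0] if hit else None})
        report[pid] = {"regions": dict(regions.get(pid, {})), "entries": entries}
    return report, size_mismatch


if __name__ == "__main__":
    report, mismatches = correlate()
    for pid, info in report.items():
        for (start, end), r in info["regions"].items():
            flag = " [upx]" if r["upx"] else ""
            print(f"PID {pid}: region {start:#x}-{end:#x} ({r['size'] // 1024} KB){flag}")
        for e in info["entries"]:
            if e["region"] is None:
                print(f"PID {pid}: context at {e['addr']:#x} lies outside every dumped region")
            else:
                print(f"PID {pid}: context at {e['addr']:#x} = {e['region'][0]:#x} + {e['offset']:#x}")
    print("size mismatches:", mismatches)
```

Every reported size matches its address range, 2208's context lands 0xB5210 bytes into the UPX-flagged 732KB region, both svchost.exe hosts resolve to offset 0xB000 in their 48KB image, 3456 resolves to 0x85D0 in the 44KB image, and 2844's context at the same 0x85D0 has no dumped 0x400000 region to land in, which is worth knowing before you go looking for a dump that was never taken.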