Analysis
- max time kernel: 139s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 10-11-2020 11:15

Static task: static1
Behavioral task: behavioral1
- Sample: 99ed455cf7867678bf77bdbcd8fd1c73586a78402e451c436a2036060ae1fae3.exe
- Resource: win7v20201028
General
- Target: 99ed455cf7867678bf77bdbcd8fd1c73586a78402e451c436a2036060ae1fae3.exe
- Size: 939KB
- MD5: 0e838be21a95730626f8751e6d58e1a7
- SHA1: c5dbfdf431daa4e76029eb91ea622a2973ebbf18
- SHA256: 99ed455cf7867678bf77bdbcd8fd1c73586a78402e451c436a2036060ae1fae3
- SHA512: 746c6d95bd7a1f6fe02a6ab01617017143b4675c383dafcad7ced10d4372b804f584d9e3e271921141950130b3c5208cc181d7fee6dbe1a719917202a5cf0a90
Malware Config
Extracted family: darkcomet
- Guest16
- C2: 127.0.0.1:1604
- C2: 192.168.1.132:1604
- Mutex: DC_MUTEX-UZ5QYPV
- gencode: 00JBqsRoxY0q
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Executes dropped EXE (1 IoC)
  Processes: svchost.exe (PID 3848)

- Suspicious use of SetThreadContext (1 IoC)
  PID 848 (99ed455cf7867678bf77bdbcd8fd1c73586a78402e451c436a2036060ae1fae3.exe) set thread context of PID 3848 (svchost.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  svchost.exe (PID 3848) adjusted the following token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: svchost.exe (PID 3848)

- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 848 (99ed455cf7867678bf77bdbcd8fd1c73586a78402e451c436a2036060ae1fae3.exe) wrote to memory of PID 3848 (svchost.exe), 14 times
Processes
- C:\Users\Admin\AppData\Local\Temp\99ed455cf7867678bf77bdbcd8fd1c73586a78402e451c436a2036060ae1fae3.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\99ed455cf7867678bf77bdbcd8fd1c73586a78402e451c436a2036060ae1fae3.exe"
  PID: 848
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\plugtemp\svchost.exe (depth 2, child of PID 848)
    Command line: C:\Users\Admin\AppData\Local\Temp\\plugtemp\svchost.exe
    PID: 3848
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\plugtemp\svchost.exe
  MD5: 99d17ff97e92667bf238e5154e53c6a1
  SHA1: 893d5e4fc27e23831dba69e39762fb494c7edc94
  SHA256: bb44568093a3b7299af075b09358bb4691abaa57c0496e8d97d289b05b58ad27
  SHA512: 31c5a1425d3fd36a26dc85270a19d6d1a07a644466de4527798985b12aba1242a961e6df0990c6f0bbb7f21a4c4de31aa4baaaf18999894e7c6cb56f4689bddd
- memory/3848-0-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/3848-1-0x000000000048F888-mapping.dmp
- memory/3848-4-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)