Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 10-11-2020 10:54

Static task: static1
Behavioral task: behavioral1
Sample: 23177b599c322119b7796bbfd6e8f0005ed1f3a6e51b28c19bfe85706cbc30ea.exe
Resource: win7v20201028
General
- Target: 23177b599c322119b7796bbfd6e8f0005ed1f3a6e51b28c19bfe85706cbc30ea.exe
- Size: 726KB
- MD5: 36f8a5356eaa170009cd6cc4bb7e4eeb
- SHA1: fc4601d48e42cfbea7cee7891d9170d7d9de2370
- SHA256: 23177b599c322119b7796bbfd6e8f0005ed1f3a6e51b28c19bfe85706cbc30ea
- SHA512: 30cab5cb33f7fd22bfe004cb794e65ad7bd1513404893107ebcb8bc12ea6d7ee4526302cd352710ed650dc3043fd16c333eb131e8313951dea48273060096660
Malware Config
Extracted
- Family: darkcomet
- Botnet: Cybergate
- C2: xyk.no-ip.org:82
- Mutex: DC_MUTEX-CBRCJKD
- gencode: dStG8rFqSf0i
- install: false
- offline_keylogger: true
- password: 12345678
- persistence: false
Signatures
-
YARA rule match: upx (4 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/660-2-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/660-4-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/660-5-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/660-6-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: reg.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuauclt = "C:\\Users\\Admin\\AppData\\Local\\WinUpdate.exe" | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes: 23177b599c322119b7796bbfd6e8f0005ed1f3a6e51b28c19bfe85706cbc30ea.exe
  description | pid | process | target process
  PID 1056 set thread context of 660 | 1056 | 23177b599c322119b7796bbfd6e8f0005ed1f3a6e51b28c19bfe85706cbc30ea.exe | AppLaunch.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: 23177b599c322119b7796bbfd6e8f0005ed1f3a6e51b28c19bfe85706cbc30ea.exe, AppLaunch.exe
  description | pid | process
  Token: SeDebugPrivilege | 1056 | 23177b599c322119b7796bbfd6e8f0005ed1f3a6e51b28c19bfe85706cbc30ea.exe
  Token: SeIncreaseQuotaPrivilege | 660 | AppLaunch.exe
  Token: SeSecurityPrivilege | 660 | AppLaunch.exe
  Token: SeTakeOwnershipPrivilege | 660 | AppLaunch.exe
  Token: SeLoadDriverPrivilege | 660 | AppLaunch.exe
  Token: SeSystemProfilePrivilege | 660 | AppLaunch.exe
  Token: SeSystemtimePrivilege | 660 | AppLaunch.exe
  Token: SeProfSingleProcessPrivilege | 660 | AppLaunch.exe
  Token: SeIncBasePriorityPrivilege | 660 | AppLaunch.exe
  Token: SeCreatePagefilePrivilege | 660 | AppLaunch.exe
  Token: SeBackupPrivilege | 660 | AppLaunch.exe
  Token: SeRestorePrivilege | 660 | AppLaunch.exe
  Token: SeShutdownPrivilege | 660 | AppLaunch.exe
  Token: SeDebugPrivilege | 660 | AppLaunch.exe
  Token: SeSystemEnvironmentPrivilege | 660 | AppLaunch.exe
  Token: SeChangeNotifyPrivilege | 660 | AppLaunch.exe
  Token: SeRemoteShutdownPrivilege | 660 | AppLaunch.exe
  Token: SeUndockPrivilege | 660 | AppLaunch.exe
  Token: SeManageVolumePrivilege | 660 | AppLaunch.exe
  Token: SeImpersonatePrivilege | 660 | AppLaunch.exe
  Token: SeCreateGlobalPrivilege | 660 | AppLaunch.exe
  Token: 33 | 660 | AppLaunch.exe
  Token: 34 | 660 | AppLaunch.exe
  Token: 35 | 660 | AppLaunch.exe
-
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: DllHost.exe
  pid | process
  1644 | DllHost.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: AppLaunch.exe
  pid | process
  660 | AppLaunch.exe
-
Suspicious use of WriteProcessMemory (19 IoCs)
Processes: 23177b599c322119b7796bbfd6e8f0005ed1f3a6e51b28c19bfe85706cbc30ea.exe, cmd.exe
  description | pid | process | target process
  PID 1056 wrote to memory of 268 (4 events) | 1056 | 23177b599c322119b7796bbfd6e8f0005ed1f3a6e51b28c19bfe85706cbc30ea.exe | cmd.exe
  PID 268 wrote to memory of 756 (4 events) | 268 | cmd.exe | reg.exe
  PID 1056 wrote to memory of 660 (11 events) | 1056 | 23177b599c322119b7796bbfd6e8f0005ed1f3a6e51b28c19bfe85706cbc30ea.exe | AppLaunch.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\23177b599c322119b7796bbfd6e8f0005ed1f3a6e51b28c19bfe85706cbc30ea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\23177b599c322119b7796bbfd6e8f0005ed1f3a6e51b28c19bfe85706cbc30ea.exe"
  PID: 1056
  Signatures: Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
    PID: 660
    Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "wuauclt" /t REG_SZ /d "C:\Users\Admin\AppData\Local\WinUpdate.exe
    PID: 268
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "wuauclt" /t REG_SZ /d "C:\Users\Admin\AppData\Local\WinUpdate.exe
      PID: 756
      Signatures: Adds Run key to start application
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 1644
  Signatures: Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\009_1000.jpg
  MD5: f872dbef1b21f5e9d6f42141b182a3ce
  SHA1: 5f14df484e47aaebf7b21270e6cac5ae62251607
  SHA256: 5f18bbf671e345f7e33bc008423454912214820be2915ac92c1886a36842c085
  SHA512: bae710ce728755169b200080246eec2f7cb1c2fc4664ea4a1c7a911b76c20b7eed358a1c47d516b4ad4196769431dc8a4f362374b17fb719c60d524886b3e5cb
- memory/268-0-0x0000000000000000-mapping.dmp
- memory/660-3-0x00000000004B5670-mapping.dmp
- memory/660-2-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB
- memory/660-4-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB
- memory/660-5-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB
- memory/660-6-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB
- memory/756-1-0x0000000000000000-mapping.dmp