Analysis
- max time kernel: 152s
- max time network: 15s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 17-11-2020 14:09
Static task: static1
Behavioral task: behavioral1
- Sample: b1418392b544a51ff07f543c3f76030f.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: b1418392b544a51ff07f543c3f76030f.exe
- Resource: win10v20201028
General
- Target: b1418392b544a51ff07f543c3f76030f.exe
- Size: 1.1MB
- MD5: b1418392b544a51ff07f543c3f76030f
- SHA1: 6fbad484bbfd66afc868c6d1d700aa3eed644e70
- SHA256: dd146247f7cb47a6256829a01089d8e95d67d31d52431eeb0261333615927152
- SHA512: a14feac08bc7b4da4ccb9ddff8069bee7c2ac125c9128ae773cbf546d0bc03c76ae7b2c292916062fcc691969ef062c008ce578ac69c663c5de0340173364d87
Malware Config
Extracted
- Family: darkcomet
- Botnet: Winrar 5.0 final 10-10-2013
- C2: rainbowie.no-ip.biz:2302
- Mutex: DC_MUTEX-GL3ZW69
- InstallPath: windirsx.exe
- gencode: 4EYDgQDgUmXr
- install: true
- offline_keylogger: true
- password: hypethetimet
- persistence: true
- reg_key: Windows Login System
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: b1418392b544a51ff07f543c3f76030f.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\windirsx.exe"
- Executes dropped EXE (3 IoCs)
  PID 1324 KEYGEN.EXE
  PID 1416 windirsx.exe
  PID 280 windirsx.exe
- Loads dropped DLL (4 IoCs)
  PID 1772 b1418392b544a51ff07f543c3f76030f.exe (4 loads)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: b1418392b544a51ff07f543c3f76030f.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Login System = "C:\\Users\\Admin\\AppData\\Roaming\\windirsx.exe"
  Process: windirsx.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Login System = "C:\\Users\\Admin\\AppData\\Roaming\\windirsx.exe"
- Suspicious use of SetThreadContext (2 IoCs)
  PID 644 b1418392b544a51ff07f543c3f76030f.exe set thread context of PID 1772 b1418392b544a51ff07f543c3f76030f.exe
  PID 1416 windirsx.exe set thread context of PID 280 windirsx.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1324 KEYGEN.EXE
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  PID 644 b1418392b544a51ff07f543c3f76030f.exe: SeDebugPrivilege
  PID 1772 b1418392b544a51ff07f543c3f76030f.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 1416 windirsx.exe: SeDebugPrivilege
  PID 280 windirsx.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 1324 KEYGEN.EXE (2 hooks)
  PID 280 windirsx.exe (1 hook)
- Suspicious use of WriteProcessMemory (34 IoCs)
  PID 644 b1418392b544a51ff07f543c3f76030f.exe wrote to memory of PID 1772 b1418392b544a51ff07f543c3f76030f.exe (13 writes)
  PID 1772 b1418392b544a51ff07f543c3f76030f.exe wrote to memory of PID 1324 KEYGEN.EXE (4 writes)
  PID 1772 b1418392b544a51ff07f543c3f76030f.exe wrote to memory of PID 1416 windirsx.exe (4 writes)
  PID 1416 windirsx.exe wrote to memory of PID 280 windirsx.exe (13 writes)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\b1418392b544a51ff07f543c3f76030f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b1418392b544a51ff07f543c3f76030f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\b1418392b544a51ff07f543c3f76030f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b1418392b544a51ff07f543c3f76030f.exe"
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\KEYGEN.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\KEYGEN.EXE"
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
    - [3] C:\Users\Admin\AppData\Roaming\windirsx.exe
      Command line: "C:\Users\Admin\AppData\Roaming\windirsx.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\windirsx.exe
        Command line: "C:\Users\Admin\AppData\Roaming\windirsx.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\KEYGEN.EXE
  MD5: ed4bd2fbf1381e22da37c09a935a51ef
  SHA1: 82447f22fa4d3f9de55dabad79f139cad3e6a442
  SHA256: 776303a0a9794f0abc8696c395892d84de37b050c5adb76e2f7fe64f594090e1
  SHA512: 89299332d173f0f6c2f9053c1862b1c101fdd99712e710286d17c2cc094d9701fe6b03aaf6af3e1747b9e817fefd0b8675c322c5675ed1ad5a8bd6694df0ff93
- C:\Users\Admin\AppData\Roaming\windirsx.exe
  MD5: b1418392b544a51ff07f543c3f76030f
  SHA1: 6fbad484bbfd66afc868c6d1d700aa3eed644e70
  SHA256: dd146247f7cb47a6256829a01089d8e95d67d31d52431eeb0261333615927152
  SHA512: a14feac08bc7b4da4ccb9ddff8069bee7c2ac125c9128ae773cbf546d0bc03c76ae7b2c292916062fcc691969ef062c008ce578ac69c663c5de0340173364d87
- \Users\Admin\AppData\Local\Temp\KEYGEN.EXE
  MD5: ed4bd2fbf1381e22da37c09a935a51ef
  SHA1: 82447f22fa4d3f9de55dabad79f139cad3e6a442
  SHA256: 776303a0a9794f0abc8696c395892d84de37b050c5adb76e2f7fe64f594090e1
  SHA512: 89299332d173f0f6c2f9053c1862b1c101fdd99712e710286d17c2cc094d9701fe6b03aaf6af3e1747b9e817fefd0b8675c322c5675ed1ad5a8bd6694df0ff93
- \Users\Admin\AppData\Roaming\windirsx.exe
  MD5: b1418392b544a51ff07f543c3f76030f
  SHA1: 6fbad484bbfd66afc868c6d1d700aa3eed644e70
  SHA256: dd146247f7cb47a6256829a01089d8e95d67d31d52431eeb0261333615927152
  SHA512: a14feac08bc7b4da4ccb9ddff8069bee7c2ac125c9128ae773cbf546d0bc03c76ae7b2c292916062fcc691969ef062c008ce578ac69c663c5de0340173364d87
- memory/280-14-0x000000000048F888-mapping.dmp
- memory/280-16-0x0000000000400000-0x00000000004CB000-memory.dmp (Filesize: 812KB)
- memory/1324-5-0x0000000000000000-mapping.dmp
- memory/1416-10-0x0000000000000000-mapping.dmp
- memory/1772-0-0x0000000000400000-0x00000000004CB000-memory.dmp (Filesize: 812KB)
- memory/1772-2-0x0000000000400000-0x00000000004CB000-memory.dmp (Filesize: 812KB)
- memory/1772-1-0x000000000048F888-mapping.dmp