Analysis
- max time kernel: 151s
- max time network: 145s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 17-11-2020 14:09
Static task: static1
Behavioral task: behavioral1, sample b1418392b544a51ff07f543c3f76030f.exe, resource win7v20201028
Behavioral task: behavioral2, sample b1418392b544a51ff07f543c3f76030f.exe, resource win10v20201028
General
- Target: b1418392b544a51ff07f543c3f76030f.exe
- Size: 1.1MB
- MD5: b1418392b544a51ff07f543c3f76030f
- SHA1: 6fbad484bbfd66afc868c6d1d700aa3eed644e70
- SHA256: dd146247f7cb47a6256829a01089d8e95d67d31d52431eeb0261333615927152
- SHA512: a14feac08bc7b4da4ccb9ddff8069bee7c2ac125c9128ae773cbf546d0bc03c76ae7b2c292916062fcc691969ef062c008ce578ac69c663c5de0340173364d87
Malware Config
Extracted family: darkcomet
- Campaign ID (as extracted): Winrar 5.0 final 10-10-2013
- C2: rainbowie.no-ip.biz:2302
- Mutex: DC_MUTEX-GL3ZW69
- InstallPath: windirsx.exe (the dropped copy lands at C:\Users\Admin\AppData\Roaming\windirsx.exe, see Downloads)
- gencode: 4EYDgQDgUmXr
- install: true
- offline_keylogger: true (matches the SetWindowsHookEx activity in the injected windirsx.exe below)
- password: hypethetimet (DarkComet's configurable password for its C2 traffic encryption)
- persistence: true
- reg_key: Windows Login System (the value name the sample writes under the Run key below)
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: b1418392b544a51ff07f543c3f76030f.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\windirsx.exe"
  The sample appends its dropped copy to the comma-separated UserInit list, so winlogon starts it at every interactive logon alongside the legitimate userinit.exe. Any entry in this value other than the real userinit.exe is a strong persistence indicator.
Executes dropped EXE (3 IoCs)
  Processes: PID 3952 KEYGEN.EXE; PID 196 windirsx.exe; PID 1976 windirsx.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Process: b1418392b544a51ff07f543c3f76030f.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: b1418392b544a51ff07f543c3f76030f.exe, windirsx.exe
  Both processes set the same value: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Login System = "C:\\Users\\Admin\\AppData\\Roaming\\windirsx.exe"
  The value name is the reg_key from the extracted config; the dropped copy re-asserts the entry when it runs.
Suspicious use of SetThreadContext (2 IoCs)
  PID 3636 (b1418392b544a51ff07f543c3f76030f.exe) set the thread context of PID 2804 (b1418392b544a51ff07f543c3f76030f.exe)
  PID 196 (windirsx.exe) set the thread context of PID 1976 (windirsx.exe)
  In both cases a parent writes into a child of its own image (see WriteProcessMemory below) and then redirects the child's thread: the process-hollowing pattern, with the unpacked payload running in the child. The memory dumps at the end of the report show the redirected entry point (0x48F888) in both PID 2804 and PID 1976.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware" note to this heuristic; here the extracted config identifies the sample as DarkComet, a RAT whose file-manager and drive-listing features also trigger it, so treat the ransomware label as unsupported by the rest of this report.
Modifies registry class (1 IoC)
  Process: b1418392b544a51ff07f543c3f76030f.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
Suspicious use of AdjustPrivilegeToken (50 IoCs)
  PID 3636 b1418392b544a51ff07f543c3f76030f.exe: SeDebugPrivilege
  PID 2804 b1418392b544a51ff07f543c3f76030f.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privileges 33, 34, 35, 36 (reported by LUID only)
  PID 196 windirsx.exe: SeDebugPrivilege
  PID 1976 windirsx.exe: the same list as PID 2804
  The injector (3636, 196) enables only SeDebugPrivilege, which it needs to manipulate the child; the hollowed payload (2804, 1976) enables every privilege present in its token in one sweep.
Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: PID 3952 KEYGEN.EXE (2 hooks); PID 1976 windirsx.exe (1 hook)
  A user-mode hook installed by the hollowed windirsx.exe is consistent with offline_keylogger = true in the extracted config.
Suspicious use of WriteProcessMemory (30 IoCs)
  PID 3636 b1418392b544a51ff07f543c3f76030f.exe wrote to PID 2804 b1418392b544a51ff07f543c3f76030f.exe: 12 writes
  PID 2804 b1418392b544a51ff07f543c3f76030f.exe wrote to PID 3952 KEYGEN.EXE: 3 writes
  PID 2804 b1418392b544a51ff07f543c3f76030f.exe wrote to PID 196 windirsx.exe: 3 writes
  PID 196 windirsx.exe wrote to PID 1976 windirsx.exe: 12 writes
  The two 12-write bursts are the hollowing chain (each followed by SetThreadContext on the same child); the 3-write pairs are the ordinary CreateProcess setup of the decoy KEYGEN.EXE and of the dropped copy.
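The two findings in this report that are worth turning into a repeatable check are the UserInit tampering plus the AppData Run key, and the WriteProcessMemory followed by SetThreadContext pairing. The script below is an added example and not part of the sandbox report: it parses event lines in the report's own flattened wording, and the sample lines, the function names and the "a Run entry under AppData is user-writable" heuristic are this example's own assumptions.

```python
"""Added triage helper for flattened sandbox event lines (example code, not the
sandbox's own). Flags Winlogon UserInit tampering, Run keys pointing into
AppData, and WriteProcessMemory -> SetThreadContext hollowing chains."""
import re
from collections import defaultdict

# Constructed sample events, abbreviated from the report's signature entries.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit'
    r' = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\windirsx.exe"'
    r' b1418392b544a51ff07f543c3f76030f.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Windows Login System'
    r' = "C:\\Users\\Admin\\AppData\\Roaming\\windirsx.exe" b1418392b544a51ff07f543c3f76030f.exe',
    "PID 3636 wrote to memory of 2804 3636 b1418392b544a51ff07f543c3f76030f.exe b1418392b544a51ff07f543c3f76030f.exe",
    "PID 3636 set thread context of 2804 3636 b1418392b544a51ff07f543c3f76030f.exe b1418392b544a51ff07f543c3f76030f.exe",
    "PID 2804 wrote to memory of 196 2804 b1418392b544a51ff07f543c3f76030f.exe windirsx.exe",
    "PID 196 wrote to memory of 1976 196 windirsx.exe windirsx.exe",
    "PID 196 set thread context of 1976 196 windirsx.exe windirsx.exe",
]

DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Registry write as the report renders it:  Set value (str) <key> = "<data>" <process image>
REG_RE = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$')
# Cross-process events:  PID <src> wrote to memory of <dst> <src> <src image> <dst image>
WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$")
CTX_RE = re.compile(r"^PID (?P<src>\d+) set thread context of (?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$")


def unescape(data):
    """The report doubles backslashes inside quoted registry data; undo that."""
    return data.replace("\\\\", "\\")


def userinit_extras(data):
    """Return every UserInit entry other than the legitimate userinit.exe.
    Winlogon runs each comma-separated entry at interactive logon, so any
    extra entry is a logon-time persistence hook."""
    entries = [e.strip() for e in unescape(data).split(",") if e.strip()]
    return [e for e in entries if e.lower() != DEFAULT_USERINIT]


def analyze(lines):
    """Return (finding, subject, details) tuples for one run's event lines."""
    findings = []
    writes = defaultdict(int)  # (src pid, dst pid) -> WriteProcessMemory count
    for line in lines:
        m = REG_RE.match(line)
        if m:
            key, data, proc = m.group("key").lower(), m.group("data"), m.group("proc")
            if key.endswith("\\winlogon\\userinit"):
                extras = userinit_extras(data)
                if extras:
                    findings.append(("winlogon_userinit", proc, extras))
            elif "\\currentversion\\run\\" in key:
                path = unescape(data)
                # Heuristic (assumption): a Run entry pointing into AppData is
                # user-writable and needs no admin rights to plant.
                if "\\appdata\\" in path.lower():
                    findings.append(("run_key_userwritable", proc, [path]))
            continue
        m = WRITE_RE.match(line)
        if m:
            writes[(m.group("src"), m.group("dst"))] += 1
            continue
        m = CTX_RE.match(line)
        if m:
            pair = (m.group("src"), m.group("dst"))
            if writes[pair]:
                # Writes into a child followed by SetThreadContext on it is the
                # process-hollowing sequence; the same image on both sides means
                # the sample hollowed a copy of itself, as 3636->2804 and 196->1976 do.
                same = m.group("src_img") == m.group("dst_img")
                kind = "hollowing_self_image" if same else "hollowing"
                findings.append((kind, f"{pair[0]}->{pair[1]}", [m.group("dst_img"), writes[pair]]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run on the sample lines this yields four findings: the UserInit extra entry, the AppData Run key, and the two self-image hollowing pairs (3636->2804 and 196->1976). The SetThreadContext check deliberately requires a preceding write into the same child, so a lone context change (debuggers and some installers do that) is not flagged.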
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\b1418392b544a51ff07f543c3f76030f.exe (PID 3636)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b1418392b544a51ff07f543c3f76030f.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\b1418392b544a51ff07f543c3f76030f.exe (PID 2804, child of 3636 with the same image; the hollowed payload process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b1418392b544a51ff07f543c3f76030f.exe"
    Signatures: Modifies WinLogon for persistence; Checks computer location settings; Adds Run key to start application; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\KEYGEN.EXE (PID 3952)
      Command line: "C:\Users\Admin\AppData\Local\Temp\KEYGEN.EXE"
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - [3] C:\Users\Admin\AppData\Roaming\windirsx.exe (PID 196)
      Command line: "C:\Users\Admin\AppData\Roaming\windirsx.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\windirsx.exe (PID 1976, child of 196 with the same image; the hollowed payload process)
        Command line: "C:\Users\Admin\AppData\Roaming\windirsx.exe"
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  The tree repeats itself once: the original sample hollows a copy of itself, the payload drops the decoy KEYGEN.EXE and the persistent copy windirsx.exe, and that copy performs the same hollowing again from its install location.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\KEYGEN.EXE
  MD5: ed4bd2fbf1381e22da37c09a935a51ef
  SHA1: 82447f22fa4d3f9de55dabad79f139cad3e6a442
  SHA256: 776303a0a9794f0abc8696c395892d84de37b050c5adb76e2f7fe64f594090e1
  SHA512: 89299332d173f0f6c2f9053c1862b1c101fdd99712e710286d17c2cc094d9701fe6b03aaf6af3e1747b9e817fefd0b8675c322c5675ed1ad5a8bd6694df0ff93
- C:\Users\Admin\AppData\Roaming\windirsx.exe
  MD5: b1418392b544a51ff07f543c3f76030f
  SHA1: 6fbad484bbfd66afc868c6d1d700aa3eed644e70
  SHA256: dd146247f7cb47a6256829a01089d8e95d67d31d52431eeb0261333615927152
  SHA512: a14feac08bc7b4da4ccb9ddff8069bee7c2ac125c9128ae773cbf546d0bc03c76ae7b2c292916062fcc691969ef062c008ce578ac69c663c5de0340173364d87
  All four hashes match the submitted sample: windirsx.exe is a byte-for-byte copy written to the config's InstallPath, so the original file hashes are sufficient to hunt for the installed copy.
Memory dumps
- memory/196-6-0x0000000000000000-mapping.dmp
- memory/1976-10-0x000000000048F888-mapping.dmp
- memory/1976-12-0x0000000000400000-0x00000000004CB000-memory.dmp (812KB)
- memory/2804-0-0x0000000000400000-0x00000000004CB000-memory.dmp (812KB)
- memory/2804-1-0x000000000048F888-mapping.dmp
- memory/2804-2-0x0000000000400000-0x00000000004CB000-memory.dmp (812KB)
- memory/3952-3-0x0000000000000000-mapping.dmp
Both hollowed processes (2804 and 1976) carry the same 812KB image at 0x400000-0x4CB000 and the same mapped entry at 0x48F888, the address the parent pointed the child's thread at via SetThreadContext; the 0x400000 dumps are the place to pull the unpacked DarkComet payload from.