Analysis
- max time kernel: 151s
- max time network: 13s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-12-2020 15:03
Static task: static1
Behavioral task: behavioral1
  Sample: 6eab736495f914d3adffd4cf0a923d36.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 6eab736495f914d3adffd4cf0a923d36.exe
  Resource: win10v20201028
General
- Target: 6eab736495f914d3adffd4cf0a923d36.exe
- Size: 658KB
- MD5: 6eab736495f914d3adffd4cf0a923d36
- SHA1: 96134248a09a77b7960bac38a441538a76ca5a7c
- SHA256: 1cdca2d78597458423dae50d4c693e5d6fed8bd2ef0cc83f08e3dce36225bd92
- SHA512: ac783fc437db544c6407da4e6bbf4619c5ad917bb1165ca2064305b015f292dba8edbf96ac298246cee3fe86f4b07a87c9808141a0a9e8d007d1d4483f872e20
Malware Config
Extracted
- family: darkcomet
- botnet: mitakacska
- C2: 127.0.0.1:1122
- mutex: DCMIN_MUTEX-X9BQVDS
- InstallPath: DCSCMIN\IMDCSC.exe
- gencode: m0YbYRxzGMkb
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: DarkComet RAT
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 6eab736495f914d3adffd4cf0a923d36.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"
- Executes dropped EXE (1 IoC)
  Process: IMDCSC.exe (PID 1728)
- Loads dropped DLL (2 IoCs)
  Process: 6eab736495f914d3adffd4cf0a923d36.exe (PID 1068), two loads recorded
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 6eab736495f914d3adffd4cf0a923d36.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: 6eab736495f914d3adffd4cf0a923d36.exe (PID 1068) and IMDCSC.exe (PID 1728)
  Each process adjusted the same 23 token privileges (23 x 2 = 46 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: IMDCSC.exe (PID 1728)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Process: 6eab736495f914d3adffd4cf0a923d36.exe (PID 1068) wrote to the memory of IMDCSC.exe (PID 1728), four writes recorded
Processes
- C:\Users\Admin\AppData\Local\Temp\6eab736495f914d3adffd4cf0a923d36.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6eab736495f914d3adffd4cf0a923d36.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
    Command line: "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe (same hashes as the submitted sample, i.e. a copy of itself)
  MD5: 6eab736495f914d3adffd4cf0a923d36
  SHA1: 96134248a09a77b7960bac38a441538a76ca5a7c
  SHA256: 1cdca2d78597458423dae50d4c693e5d6fed8bd2ef0cc83f08e3dce36225bd92
  SHA512: ac783fc437db544c6407da4e6bbf4619c5ad917bb1165ca2064305b015f292dba8edbf96ac298246cee3fe86f4b07a87c9808141a0a9e8d007d1d4483f872e20
-
memory/1728-4-0x0000000000000000-mapping.dmp