Analysis

Max time kernel: 150s
Max time network: 110s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 14-12-2020 16:56

Static task: static1
Behavioral task: behavioral1
Sample: e437647987807d34da932489603025d4.exe
Resource: win7v20201028
General

Target: e437647987807d34da932489603025d4.exe
Size: 945KB
MD5: e437647987807d34da932489603025d4
SHA1: d1129315116b9c041942df9d9fa49323a416125b
SHA256: 550c64585f830c9ab794ad1f9e9df78ecf9b2dc8580038532e9b9033118186a1
SHA512: 24c4021a81cccf1b99d3795e50aee0524910735a5446ef7d8f012b16139767a4c169d51ce0473f4eb7c56380d48fb1deb6b005a63cd74f1eaade3e40a09d0676
Malware Config

Extracted
Family: darkcomet
Botnet (campaign ID): guest
C2: 127.0.0.1:1604
Mutex: DC_MUTEX-1JZLPXV
gencode: 9npjPzJ7GsSo
install: false
offline_keylogger: true
persistence: false

The configured C2 is the loopback address on DarkComet's default port (1604), so this build cannot reach an operator-controlled host; treat it as a test or locally built stub rather than a live campaign. install = false and persistence = false agree with the behaviour recorded below: the stub is never copied out of %TEMP%, and the report records no run key, scheduled task or service creation. The only "persistence" is cosmetic, namely hiding the dropped files with attrib +s +h. offline_keylogger = true is matched by the SetWindowsHookEx and GetForegroundWindow activity in the signatures.
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: KU 1.0.0.exe (PID 3444)
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

EnableFirewall = 0 switches the Windows Firewall off for the standard profile; DisableNotifications = 0 is the default value and changes nothing on its own. The "Key created" entry shows that the StandardProfile key did not exist before the sample wrote it, so the firewall had been running on defaults. An audit that only looks for explicit values must therefore treat an absent EnableFirewall as "enabled", not "unknown", and only an explicit 0 as the disabled state.
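A triage check for the same modification on other hosts, written here as an added example (it is not part of this report, nor a sandbox or Microsoft tool): it parses the text of a `reg export` of the FirewallPolicy key and reports, per profile, whether EnableFirewall is explicitly 0, explicitly 1 or absent. The .reg text below is constructed to mirror the StandardProfile values recorded above; the DomainProfile and PublicProfile entries are invented for contrast. The function and variable names are the example's own.

```python
r"""Audit Windows Firewall profile state from the text of a `reg export`.

Added example, not part of the sandbox report. Feed it the decoded text of
  reg export HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy fw.reg
(the file is UTF-16LE with a BOM; open it with encoding="utf-16").
"""
import re

# Constructed sample: StandardProfile mirrors the values the sandbox recorded;
# DomainProfile and PublicProfile are invented for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DisableNotifications"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DoNotAllowExceptions"=dword:00000000
"""

# Accept both CurrentControlSet (what a live export shows) and ControlSet00N
# (what the sandbox logged and what an offline SYSTEM hive export shows).
PROFILE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\(\w+Profile)\]$",
    re.IGNORECASE,
)
# .reg value lines: "Name"=dword:xxxxxxxx or "Name"="string" (other types are skipped).
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_firewall_policy(reg_text):
    """Return {profile_name: {value_name: int_or_str}} for FirewallPolicy profile keys."""
    profiles = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            m = PROFILE_KEY_RE.match(line)
            current = m.group(1) if m else None  # keys outside FirewallPolicy are ignored
            if current is not None:
                profiles.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m is None:
            continue
        name, dword, string = m.groups()
        profiles[current][name] = int(dword, 16) if dword is not None else string
    return profiles


def audit_firewall_policy(reg_text):
    """Classify each profile. An absent EnableFirewall means the profile runs on its
    default (enabled); only an explicit 0 disables it, which is what the sample wrote."""
    report = {}
    for profile, values in parse_firewall_policy(reg_text).items():
        enable = values.get("EnableFirewall")
        if enable is None:
            status = "not set (default enabled)"
        elif enable == 0:
            status = "disabled"
        else:
            status = "enabled"
        report[profile] = dict(values, status=status)
    return report


def disabled_profiles(report):
    """Names of profiles whose firewall has been explicitly switched off."""
    return sorted(p for p, entry in report.items() if entry["status"] == "disabled")


if __name__ == "__main__":
    result = audit_firewall_policy(SAMPLE_REG)
    for profile, entry in sorted(result.items()):
        print(f"{profile}: {entry['status']}")
    print("disabled:", disabled_profiles(result))
```

Group Policy-managed firewall settings live under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall and take precedence over these values, so a profile reported "disabled" here may still be forced on by policy; on a live host, compare the result with `netsh advfirewall show allprofiles`.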
Executes dropped EXE (2 IoCs)
PID 2752: utorrent.1.8.2.exe
PID 3444: KU 1.0.0.exe
yara_rule matches
C:\Users\Admin\AppData\Local\Temp\utorrent.1.8.2.exe: upx (the page lists this match twice; no match is recorded for KU 1.0.0.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is a generic sandbox heuristic. In this run the extracted config identifies the family as DarkComet, and no file encryption or ransom-note activity is recorded, so read the hit as drive enumeration by the RAT rather than as ransomware.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 3444: KU 1.0.0.exe
Repeatedly polling the foreground window is how a keylogger tags captured keystrokes with the title of the active window; together with the SetWindowsHookEx use below it matches the offline_keylogger = true setting in the extracted config.
Suspicious use of AdjustPrivilegeToken (24 IoCs)
PID 3444 (KU 1.0.0.exe) adjusted the following privileges on its token:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35 and 36, which the sandbox did not resolve to names (on Windows 10 these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege).
This is the complete privilege set of an elevated administrator token rather than a targeted SeDebugPrivilege request: the stub walks its token and enables everything it holds. That pattern is itself a usable detection, a single process in %TEMP% adjusting 20 or more privileges in one sweep.
Suspicious use of SetWindowsHookEx (2 IoCs)
PID 2752: utorrent.1.8.2.exe
PID 3444: KU 1.0.0.exe
Suspicious use of WriteProcessMemory (40 IoCs)
The 40 records collapse to seven parent/child pairs:
PID 3920 (e437647987807d34da932489603025d4.exe) -> PID 2752 (utorrent.1.8.2.exe): 3 writes
PID 3920 (e437647987807d34da932489603025d4.exe) -> PID 3444 (KU 1.0.0.exe): 3 writes
PID 3444 (KU 1.0.0.exe) -> PID 184 (cmd.exe): 3 writes
PID 3444 (KU 1.0.0.exe) -> PID 3032 (cmd.exe): 3 writes
PID 3444 (KU 1.0.0.exe) -> PID 2364 (notepad.exe): 22 writes
PID 3032 (cmd.exe) -> PID 1308 (attrib.exe): 3 writes
PID 184 (cmd.exe) -> PID 1132 (attrib.exe): 3 writes

Three writes per child is the baseline this sandbox records for every ordinary process launch in the run. The 22 writes into notepad.exe, a process that KU 1.0.0.exe spawned with no arguments and that does nothing else in the tree, are the outlier and indicate injection into a benign host process; the 4KB memory dump taken from PID 2364 at 0x00B60000 (listed under Downloads) corresponds to a region written there.
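The seven-pair summary above can be produced mechanically from the sandbox's flattened rows, and the same aggregation doubles as an injection heuristic. The following Python is an added example and is not part of this report or of any sandbox's code. The record string is constructed from the rows on this page (40 rows, run together with spaces the way the page prints them, including the row the page breaks across two lines); the regex assumes image names end in .exe as they do here, and the baseline factor and absolute minimum are assumed thresholds for the example, not values the sandbox uses.

```python
"""Aggregate sandbox 'wrote to memory of' rows and flag likely injection targets.

Added example; not part of the sandbox report. The row format copied here is the
report's own: 'PID <src> wrote to memory of <dst> <src> <src image> <dst image>'.
"""
import re
from collections import Counter, defaultdict

# Constructed from the rows on this page: seven parent/child pairs, 40 rows in all,
# joined with spaces exactly as the flattened report runs them together.
SAMPLE_ROWS = " ".join(
    ["PID 3920 wrote to memory of 2752 3920 e437647987807d34da932489603025d4.exe utorrent.1.8.2.exe"] * 3
    + ["PID 3920 wrote to memory of 3444 3920 e437647987807d34da932489603025d4.exe KU 1.0.0.exe"] * 3
    + ["PID 3444 wrote to memory of 184 3444 KU 1.0.0.exe cmd.exe"] * 3
    + ["PID 3444 wrote to memory of 3032 3444 KU 1.0.0.exe cmd.exe"] * 3
    + ["PID 3444 wrote to memory of 2364 3444 KU 1.0.0.exe notepad.exe"] * 22
    + ["PID 3032 wrote to memory of 1308 3032 cmd.exe attrib.exe"] * 3
    + ["PID 184 wrote to memory of 1132 184 cmd.exe attrib.exe"] * 3
)

# Image names may contain spaces ("KU 1.0.0.exe"), so anchor on the fixed phrase and
# the repeated source PID instead of splitting on whitespace. Image names are assumed
# to end in ".exe" (true for every row on this page). The lookahead stops the last
# image name at the next "PID" token or at the end of the blob, which also copes with
# rows the page wrapped onto a second line.
ROW_RE = re.compile(
    r"PID (\d+) wrote to memory of (\d+) \1 (.+?\.exe) (.+?\.exe)(?= PID |\s*$)"
)


def parse_write_rows(blob):
    """Count rows per (src_pid, src_image, dst_pid, dst_image)."""
    counts = Counter()
    for m in ROW_RE.finditer(blob):
        src_pid, dst_pid, src_img, dst_img = m.groups()
        counts[(int(src_pid), src_img, int(dst_pid), dst_img)] += 1
    return counts


def flag_injection_targets(counts, factor=3, abs_min=10):
    """Flag children that a writer touched far more often than its other children.

    Every ordinary launch in this report produced exactly three writes, so each
    writer's smallest per-child count serves as its baseline; a child written to
    `factor` times the baseline (or at least `abs_min` times, which covers writers
    with a single child) is reported. Both thresholds are assumptions for this example.
    Returns (src_image, dst_image, dst_pid, writes, baseline) tuples.
    """
    by_writer = defaultdict(dict)
    for (src_pid, src_img, dst_pid, dst_img), n in counts.items():
        by_writer[(src_pid, src_img)][(dst_pid, dst_img)] = n
    flagged = []
    for (src_pid, src_img), targets in by_writer.items():
        baseline = min(targets.values())
        for (dst_pid, dst_img), n in sorted(targets.items()):
            if n >= factor * baseline or n >= abs_min:
                flagged.append((src_img, dst_img, dst_pid, n, baseline))
    return flagged


if __name__ == "__main__":
    counts = parse_write_rows(SAMPLE_ROWS)
    for key, n in sorted(counts.items()):
        print(f"{key[0]} ({key[1]}) -> {key[2]} ({key[3]}): {n}")
    for src, dst, pid, n, base in flag_injection_targets(counts):
        print(f"likely injection: {src} -> {dst} (PID {pid}), {n} writes vs baseline {base}")
```

The relative threshold is what makes this robust across sandboxes that count process-creation writes differently; the absolute floor only exists so that a writer with a single child (which has no baseline to compare against) is not silently skipped.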
Views/modifies file attributes (1 TTPs, 2 IoCs)
PID 1308: attrib.exe
PID 1132: attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\e437647987807d34da932489603025d4.exe (PID 3920)
  "C:\Users\Admin\AppData\Local\Temp\e437647987807d34da932489603025d4.exe"
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\utorrent.1.8.2.exe (PID 2752)
      "C:\Users\Admin\AppData\Local\Temp\utorrent.1.8.2.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\KU 1.0.0.exe (PID 3444)
      "C:\Users\Admin\AppData\Local\Temp\KU 1.0.0.exe"
      - Modifies firewall policy service
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\KU 1.0.0.exe" +s +h
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local\Temp\KU 1.0.0.exe" +s +h
              - Views/modifies file attributes

        C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
              - Views/modifies file attributes

        C:\Windows\SysWOW64\notepad.exe (PID 2364)
          notepad

The two cmd.exe instances are PIDs 184 and 3032 and their attrib.exe children are PIDs 1132 and 1308; the report does not say which command line belongs to which PID. Two details are worth noting. First, the image path is C:\Windows\SysWOW64\cmd.exe although the command line names C:\Windows\System32\cmd.exe: KU 1.0.0.exe is a 32-bit process, WoW64 file-system redirection resolved the path, and every child it spawns (cmd.exe, attrib.exe, notepad.exe) is the 32-bit build. Second, attrib +s +h sets both the System and Hidden attributes on the dropped stub and on the whole %TEMP% directory; Explorer keeps such files out of view even with "Show hidden files" enabled unless "Hide protected operating system files" is also cleared, whereas dir /a and attrib still list them. notepad.exe is started with no arguments and is the target of the 22 WriteProcessMemory calls recorded above.
Network

The report lists no network indicators for this run; with the C2 configured as 127.0.0.1:1604, none beyond loopback traffic would be expected.

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

The dropper writes two executables to %TEMP% and launches both: a UPX-packed utorrent.1.8.2.exe and KU 1.0.0.exe. Only the latter shows the RAT behaviour recorded in the signatures.

C:\Users\Admin\AppData\Local\Temp\KU 1.0.0.exe
MD5: d53c04debe6a797614e81d0c619db0aa
SHA1: 50b44416059ef0ee0890f58729471e6f898dcc36
SHA256: 030ba12e3c65d93c775d6d75e72fbc462cd59eba6325a6a0a4f98fea5b36077a
SHA512: d81d1cad85fb7378cf2911541ebf7eaaed8f072aab87d3dc0acaf84491fb51033fac53b79b7eb133a13172f17e75795bd2e840d939824af2e33d8a668078f7e1

C:\Users\Admin\AppData\Local\Temp\utorrent.1.8.2.exe
MD5: 4451d6d00bf3bb253bc1d32ca3c5b9d0
SHA1: c3db3028f2ca98dd419e26f4d3507fab8c881ef8
SHA256: 3272964edf0e3fca43515decdb5aa5efda73f985c248afc96ea88ad31c9bbdd5
SHA512: 1ca6f759fdc65c8319a52735ff046cc3725a4676c0239e466f58f8dcee34c4a071066932ab015fb61f0b48b225f95345d4b085fa20803a7cbfa6173fd262b0cc
-
Memory dumps
memory/184-8-0x0000000000000000-mapping.dmp
memory/1132-14-0x0000000000000000-mapping.dmp
memory/1308-13-0x0000000000000000-mapping.dmp
memory/2364-11-0x0000000000B60000-0x0000000000B61000-memory.dmp (4KB)
memory/2364-10-0x0000000000000000-mapping.dmp
memory/2364-12-0x0000000000000000-mapping.dmp
memory/2752-2-0x0000000000000000-mapping.dmp
memory/3032-9-0x0000000000000000-mapping.dmp
memory/3444-5-0x0000000000000000-mapping.dmp

The only dump with a real address range is the 4KB region at 0x00B60000 in notepad.exe (PID 2364), the process that received 22 WriteProcessMemory calls from KU 1.0.0.exe; the remaining entries are mapping files for the processes the sandbox tracked. That dump is the place to start when looking for the injected code.