Analysis

- max time kernel: 142s
- max time network: 144s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 16-12-2020 23:21

- Static task: static1
- Behavioral task: behavioral1, sample lenovo_sistem_bilgileri.sfx.exe, resource win7v20201028 (the Windows 7 run reported below)
- Behavioral task: behavioral2, sample lenovo_sistem_bilgileri.sfx.exe, resource win10v20201028
General

- Target: lenovo_sistem_bilgileri.sfx.exe (the name is Turkish, "lenovo_system_information"; the .sfx.exe suffix suggests a self-extracting archive carrying the real payload, which matches the process tree below, where the .sfx.exe launches a dropped lenovo_sistem_bilgileri.exe)
- Size: 690KB
- MD5: 46c1ca9ea33fc2ea90f6b9fee8a6dd76
- SHA1: db41c5acb4e44895176d2e1f844d5b400592a1bc
- SHA256: 5537299b16dea72f79f1700864a97cfc12bc7a1cf02faeb083fb8cf76a1beaaf
- SHA512: 046ee4fea95cfed7b4f2f392e50122f376b7505603aaf0345c8f843dfd4eaa8c742382d9220a0a422ea8091f4b6318cb8e16ae5d00d6beb3e508fccfba867ebe
Malware Config

Extracted family: darkcomet

- Campaign ID: İLK KURBAN (Turkish: "first victim")
- C2: erenbey.duckdns.org:1604 (a dynamic-DNS host; 1604 is DarkComet's default listener port)
- Mutex: DCMIN_MUTEX-TDLEW50
- InstallPath: DCSCMIN\IMDCSC.exe
- gencode: CkJypkKdCu96
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: DarkComet RAT

The install, InstallPath and reg_key fields are what drive the registry autostart entries recorded under Signatures (the Run value is literally named "DarkComet RAT" and points at DCSCMIN\IMDCSC.exe), so persistence: false here is the builder's separate "persistent install" option and does not mean the sample fails to survive a reboot. The mutex name and the duckdns.org C2 are the most specific host and network indicators for this build.
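How a "Malware Config / Extracted" block like the one above is obtained, as an added example (this is not the sandbox's extractor and not DarkComet's own code). DarkComet 2.x through 5.x keeps the builder settings as hex-encoded RC4 ciphertext in an RCDATA resource named DCDATA; the per-version RC4 keys and the KEY={value} field names used below are public knowledge from earlier config-extractor research. Everything else is an assumption: the blob decrypted here is constructed from this page's values rather than dumped from the sample, and the Windows-1254 code page is chosen only because the campaign ID is Turkish.

```python
"""Decrypt and parse a DarkComet-style configuration blob (added example).

This is not code from the sandbox report or from DarkComet. DarkComet 2.x-5.x
keeps its builder settings as hex-encoded RC4 ciphertext in an RCDATA resource
named DCDATA; the per-version RC4 keys and the KEY={value} field names below
are public knowledge from earlier config-extractor research. The blob decrypted
here is CONSTRUCTED from the values on this page, not dumped from the sample.
"""
from __future__ import annotations

# Known DarkComet RC4 keys by builder version, newest first (public research).
DARKCOMET_KEYS = {
    "5.1": b"#KCMDDC51#-890",
    "5.0": b"#KCMDDC5#-890",
    "4.2F": b"#KCMDDC42F#-890",
    "4.2": b"#KCMDDC42#-890",
    "4.0": b"#KCMDDC4#-890",
    "2.0": b"#KCMDDC2#-890",
}

# Delphi builds store the text in the builder's ANSI code page. Windows-1254
# (Turkish) is an assumption here, chosen because the campaign ID is Turkish.
CODEPAGE = "cp1254"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); symmetric, so it encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(text: str) -> dict[str, str]:
    """Turn 'KEY={value}' lines into a dict; header/footer lines are skipped."""
    config: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if "={" in line and line.endswith("}"):
            key, _, value = line.partition("={")
            config[key] = value[:-1]
    return config


def decrypt_dcdata(hex_blob: str) -> tuple[str, dict[str, str]] | None:
    """Try every known key; accept the first plaintext carrying a MUTEX field.

    Returns (builder_version, config), or None when no key fits, which is
    what you see on repacked or modified builds.
    """
    ciphertext = bytes.fromhex(hex_blob.strip())
    for version, key in DARKCOMET_KEYS.items():
        text = rc4(key, ciphertext).decode(CODEPAGE, errors="replace")
        if "MUTEX={" in text:
            return version, parse_config(text)
    return None


def c2_endpoints(config: dict[str, str]) -> list[tuple[str, int]]:
    """NETDATA holds one or more host:port pairs separated by '|'."""
    endpoints = []
    for entry in config.get("NETDATA", "").split("|"):
        host, _, port = entry.rpartition(":")
        if host and port.isdigit():
            endpoints.append((host, int(port)))
    return endpoints


# Constructed plaintext in DarkComet's field layout, filled with the values
# this page reports (1/0 flags mirror install, persistence, offline_keylogger).
CONSTRUCTED_CONFIG = (
    "#BEGIN DARKCOMET DATA --\n"
    "MUTEX={DCMIN_MUTEX-TDLEW50}\n"
    "SID={İLK KURBAN}\n"
    "NETDATA={erenbey.duckdns.org:1604}\n"
    "GENCODE={CkJypkKdCu96}\n"
    "INSTALL={1}\n"
    "EDTPATH={DCSCMIN\\IMDCSC.exe}\n"
    "KEYNAME={DarkComet RAT}\n"
    "PERSINST={0}\n"
    "OFFLINEK={1}\n"
    "#EOF DARKCOMET DATA --\n"
)


def constructed_blob(version: str = "5.1") -> str:
    """Encrypt the constructed config the way a builder of that version would."""
    return rc4(DARKCOMET_KEYS[version], CONSTRUCTED_CONFIG.encode(CODEPAGE)).hex()


if __name__ == "__main__":
    found = decrypt_dcdata(constructed_blob())
    if found:
        version, config = found
        print(f"builder {version}: mutex {config['MUTEX']}, C2 {c2_endpoints(config)}")
```

The key-trial loop is the part worth copying: real extractors do not know the builder version in advance, so they decrypt with every known key and keep the one that yields a recognisable field. On a real sample you would feed decrypt_dcdata the hex text of the DCDATA resource (for example from pefile's resource directory) instead of constructed_blob(); a None result usually means a modified or repacked build rather than a non-DarkComet file.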
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: lenovo_sistem_bilgileri.exe (PID 1268)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"
Winlogon launches every comma-separated entry in UserInit at each interactive logon, so appending the InstallPath binary after the stock userinit.exe starts the RAT for every user who logs on. The value lives under HKLM, so the fact that the write succeeded shows the dropper ran with sufficient rights in this analysis. Remediation means trimming the value back to the stock "C:\Windows\system32\userinit.exe," entry, not deleting it: an empty UserInit breaks logon.

Executes dropped EXE (2 IoCs)
- PID 1268 lenovo_sistem_bilgileri.exe
- PID 1616 IMDCSC.exe

Loads dropped DLL (7 IoCs)
- PID 1640 lenovo_sistem_bilgileri.sfx.exe (5 loads)
- PID 1268 lenovo_sistem_bilgileri.exe (2 loads)

Adds Run key to start application (2 TTPs, 1 IoC)
Process: lenovo_sistem_bilgileri.exe (PID 1268)
- Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"
The value name "DarkComet RAT" and the target path are the reg_key and InstallPath fields of the extracted config, which makes this autostart entry a reliable registry IoC for this build. It sits in the logged-on user's hive (HKCU Run), a second autostart alongside the machine-wide UserInit entry.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic note "likely ransomware behaviour" to this signature, but for a DarkComet sample, a RAT with a remote file manager, drive enumeration is expected and is not by itself evidence of file encryption; nothing else in this report (dropped files, registry writes) points to encryption activity.

Suspicious use of AdjustPrivilegeToken (46 IoCs)
Both the dropper (PID 1268, lenovo_sistem_bilgileri.exe) and the installed copy (PID 1616, IMDCSC.exe) enable the same 23 privileges in their tokens:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, plus the unresolved LUIDs 33, 34 and 35 (on Windows 7 these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege).
Enabling every privilege present in the token at once, rather than the one privilege an operation needs, is the blanket pattern of a generic "enable all privileges" routine. Operationally the one that matters is SeDebugPrivilege, which lets the process open other users' processes; the blanket pattern itself is a usable detection signal.

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1616 IMDCSC.exe
SetWindowsHookEx installs a hook procedure; coming from the installed copy, with offline_keylogger: true in the config, this is consistent with a keyboard hook for the keylogger.

Suspicious use of WriteProcessMemory (14 IoCs)
- PID 1640 lenovo_sistem_bilgileri.sfx.exe wrote to PID 1268 lenovo_sistem_bilgileri.exe (7 times)
- PID 1268 lenovo_sistem_bilgileri.exe wrote to PID 1616 IMDCSC.exe (7 times)
Each writer is the direct parent of its target, which is consistent with a parent setting up its own child during process creation; the report records no writes outside the parent-child chain, so there is no evidence here of injection into an unrelated process.
Processes

Three-stage chain: SFX container, dropper that installs persistence, installed copy that runs the RAT.

1. C:\Users\Admin\AppData\Local\Temp\lenovo_sistem_bilgileri.sfx.exe (PID 1640)
   Command line: "C:\Users\Admin\AppData\Local\Temp\lenovo_sistem_bilgileri.sfx.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\lenovo_sistem_bilgileri.exe (PID 1268, child of 1640)
      Command line: "C:\Users\Admin\AppData\Local\Temp\lenovo_sistem_bilgileri.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe (PID 1616, child of 1268)
         Command line: "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network

No network events are listed in this report. The C2 from the extracted config is erenbey.duckdns.org:1604 (1604 is DarkComet's default listener port), so on a live host the indicators to look for are a DNS query for that duckdns.org name and an outbound TCP connection to port 1604.

MITRE ATT&CK Matrix (ATT&CK v6)

The signatures above map to Winlogon Helper DLL (T1004) and Registry Run Keys / Startup Folder (T1060) for persistence, and to Hooking (T1179) and Input Capture (T1056) for the SetWindowsHookEx use; these are v6 IDs, later re-numbered as sub-techniques of T1547 and T1056.
Downloads

The sandbox lists each dropped file once per event, with and without the drive letter, and every entry carries the same hashes; the repeats are collapsed here. The .sfx.exe writes lenovo_sistem_bilgileri.exe to the user's Temp directory, and that payload is copied byte-for-byte to the configured InstallPath (IMDCSC.exe), which is why both files hash identically. These hashes differ from those of the submitted .sfx.exe container listed under General, so blocking needs both sets.

Dropped files
- C:\Users\Admin\AppData\Local\Temp\lenovo_sistem_bilgileri.exe
- C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

- MD5: 6aa20f1b32d6f6739c8ac9cf065aca06
- SHA1: d5616dbe1f62bf13a7be036660b6bfcfd0208841
- SHA256: 01ed164e4173d301e3cbc2573f158473560f48e88f728e21b17f123aac67186f
- SHA512: 3bfdb7d4945eb07183ccb329cce50fd73006e0614e2deec52e845c58835f1e8d0813a843be077704bb56f4afbc682c86484b2d047c92a677c3d30dae0d9adcfb

Memory dumps
- memory/1268-7-0x0000000000000000-mapping.dmp (PID 1268, lenovo_sistem_bilgileri.exe)
- memory/1616-12-0x0000000000000000-mapping.dmp (PID 1616, IMDCSC.exe)