Analysis
max time kernel: 149s
max time network: 145s
platform: windows7_x64
resource: win7v20201028
submitted: 05-01-2021 07:33
Static task: static1
Behavioral task: behavioral1
  Sample: Payment 901.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Payment 901.exe
  Resource: win10v20201028
General
Target: Payment 901.exe
Size: 3.0MB
MD5: 33d9370ab0c06bea92774b43d138f5b3
SHA1: cba894efb96a1ae3982a10363814366b478c39d7
SHA256: b81dece72c020fa2cb5f5df57f71de84142574d54ef1a165aff47ec171b618d0
SHA512: 573b5a9331b28ef6aaeaef616a89a05c70d478510141e636614f1dabfae290710cf620811dec90c8bcae3fc78ed26a6c4b317bbc08256cc4626ce7675ec3f7be
Malware Config
Extracted: darkcomet
JANuary 2021
chrisle79.ddns.net:3317
jacknop79.ddns.net:3317
smath79.ddns.net:3317
whatis79.ddns.net:3317
goodgt79.ddns.net:3317
bonding79.ddns.net:3317
DC_MUTEX-X1VW1F7
gencode: U35l73tWGu8y
install: false
offline_keylogger: true
password: Password20$
persistence: false
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes (Payment 901.exe):
  description      ioc                                                                                                                                                                                                                    process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uhj6qmCFUPxUc9qJ\\87VwNYBWGmQY.exe\",explorer.exe"  Payment 901.exe
Identifies VirtualBox via ACPI registry values, likely anti-VM (2 TTPs)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (Payment 901.exe):
  description        ioc                                                                process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Payment 901.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Payment 901.exe
Identifies Wine through registry keys (2 TTPs, 1 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (Payment 901.exe):
  description  ioc                                                                         process
  Key opened   \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine  Payment 901.exe
Uses the VBS compiler for execution (1 TTPs)
Suspicious use of SetThreadContext (1 IoCs)
Processes (Payment 901.exe):
  description                          pid   process          target process
  PID 1824 set thread context of 1668  1824  Payment 901.exe  vbc.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (Payment 901.exe):
  pid   process
  1824  Payment 901.exe
  1824  Payment 901.exe
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes (Payment 901.exe, vbc.exe):
  description                          pid   process
  Token: SeDebugPrivilege              1824  Payment 901.exe
  Token: SeDebugPrivilege              1824  Payment 901.exe
  Token: SeIncreaseQuotaPrivilege      1668  vbc.exe
  Token: SeSecurityPrivilege           1668  vbc.exe
  Token: SeTakeOwnershipPrivilege      1668  vbc.exe
  Token: SeLoadDriverPrivilege         1668  vbc.exe
  Token: SeSystemProfilePrivilege      1668  vbc.exe
  Token: SeSystemtimePrivilege         1668  vbc.exe
  Token: SeProfSingleProcessPrivilege  1668  vbc.exe
  Token: SeIncBasePriorityPrivilege    1668  vbc.exe
  Token: SeCreatePagefilePrivilege     1668  vbc.exe
  Token: SeBackupPrivilege             1668  vbc.exe
  Token: SeRestorePrivilege            1668  vbc.exe
  Token: SeShutdownPrivilege           1668  vbc.exe
  Token: SeDebugPrivilege              1668  vbc.exe
  Token: SeSystemEnvironmentPrivilege  1668  vbc.exe
  Token: SeChangeNotifyPrivilege       1668  vbc.exe
  Token: SeRemoteShutdownPrivilege     1668  vbc.exe
  Token: SeUndockPrivilege             1668  vbc.exe
  Token: SeManageVolumePrivilege       1668  vbc.exe
  Token: SeImpersonatePrivilege        1668  vbc.exe
  Token: SeCreateGlobalPrivilege       1668  vbc.exe
  Token: 33                            1668  vbc.exe
  Token: 34                            1668  vbc.exe
  Token: 35                            1668  vbc.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (vbc.exe):
  pid   process
  1668  vbc.exe
Suspicious use of WriteProcessMemory (13 IoCs)
Processes (Payment 901.exe):
  description                       pid   process          target process
  PID 1824 wrote to memory of 1668  1824  Payment 901.exe  vbc.exe
  (this identical entry is recorded 13 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment 901.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment 901.exe"
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (child process)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx