Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 05-01-2021 07:33
Static task: static1
Behavioral task: behavioral1
- Sample: Payment 901.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Payment 901.exe
- Resource: win10v20201028
General
- Target: Payment 901.exe
- Size: 3.0MB
- MD5: 33d9370ab0c06bea92774b43d138f5b3
- SHA1: cba894efb96a1ae3982a10363814366b478c39d7
- SHA256: b81dece72c020fa2cb5f5df57f71de84142574d54ef1a165aff47ec171b618d0
- SHA512: 573b5a9331b28ef6aaeaef616a89a05c70d478510141e636614f1dabfae290710cf620811dec90c8bcae3fc78ed26a6c4b317bbc08256cc4626ce7675ec3f7be
Malware Config
Extracted
- Family: darkcomet
- Botnet: JANuary 2021
- C2: chrisle79.ddns.net:3317, jacknop79.ddns.net:3317, smath79.ddns.net:3317, whatis79.ddns.net:3317, goodgt79.ddns.net:3317, bonding79.ddns.net:3317
- Mutex: DC_MUTEX-X1VW1F7
- gencode: U35l73tWGu8y
- install: false
- offline_keylogger: true
- password: Password20$
- persistence: false
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: Payment 901.exe
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Uhj6qmCFUPxUc9qJ\\5tbiU0l1xwLC.exe\",explorer.exe" | Payment 901.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: Payment 901.exe
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Payment 901.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Payment 901.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: Payment 901.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine | Payment 901.exe
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Payment 901.exe
    description | pid | process | target process
    PID 1036 set thread context of 3400 | 1036 | Payment 901.exe | vbc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: Payment 901.exe
    pid | process
    1036 | Payment 901.exe
    1036 | Payment 901.exe
- Suspicious use of AdjustPrivilegeToken (26 IoCs)
  Processes: Payment 901.exe, vbc.exe
    description | pid | process
    Token: SeDebugPrivilege | 1036 | Payment 901.exe
    Token: SeDebugPrivilege | 1036 | Payment 901.exe
    Token: SeIncreaseQuotaPrivilege | 3400 | vbc.exe
    Token: SeSecurityPrivilege | 3400 | vbc.exe
    Token: SeTakeOwnershipPrivilege | 3400 | vbc.exe
    Token: SeLoadDriverPrivilege | 3400 | vbc.exe
    Token: SeSystemProfilePrivilege | 3400 | vbc.exe
    Token: SeSystemtimePrivilege | 3400 | vbc.exe
    Token: SeProfSingleProcessPrivilege | 3400 | vbc.exe
    Token: SeIncBasePriorityPrivilege | 3400 | vbc.exe
    Token: SeCreatePagefilePrivilege | 3400 | vbc.exe
    Token: SeBackupPrivilege | 3400 | vbc.exe
    Token: SeRestorePrivilege | 3400 | vbc.exe
    Token: SeShutdownPrivilege | 3400 | vbc.exe
    Token: SeDebugPrivilege | 3400 | vbc.exe
    Token: SeSystemEnvironmentPrivilege | 3400 | vbc.exe
    Token: SeChangeNotifyPrivilege | 3400 | vbc.exe
    Token: SeRemoteShutdownPrivilege | 3400 | vbc.exe
    Token: SeUndockPrivilege | 3400 | vbc.exe
    Token: SeManageVolumePrivilege | 3400 | vbc.exe
    Token: SeImpersonatePrivilege | 3400 | vbc.exe
    Token: SeCreateGlobalPrivilege | 3400 | vbc.exe
    Token: 33 | 3400 | vbc.exe
    Token: 34 | 3400 | vbc.exe
    Token: 35 | 3400 | vbc.exe
    Token: 36 | 3400 | vbc.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: vbc.exe
    pid | process
    3400 | vbc.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: Payment 901.exe
    description | pid | process | target process
    PID 1036 wrote to memory of 3400 | 1036 | Payment 901.exe | vbc.exe
    (the row above is repeated 12 times in the report, one per write)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment 901.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Payment 901.exe"
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2, child of Payment 901.exe)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx