Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 19-01-2021 06:41
Static task: static1
Behavioral task: behavioral1
- Sample: Order Requirement 341.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Order Requirement 341.exe
- Resource: win10v20201028
General
- Target: Order Requirement 341.exe
- Size: 3.1MB
- MD5: f0706cd83ed4da6d24a71767ccfd5741
- SHA1: d76adb5de515fbcedb4cae93cf77951c33505a1f
- SHA256: 2d631fe6c1c02c67198648c5f7ae1891262bf277721f664bd6c8ffb0e7d6a681
- SHA512: 087dd99254f5a11c2df615c99e161f849d86eb8dcdb4bf242b756c20a369aad1355ef9a2f451f682d2a674a69d25f5c0ba1fdb3642587be2862cb284d17a2b2d
Malware Config
Extracted
- family: darkcomet
- JANuary 2021
- C2: chrisle79.ddns.net:3317
- C2: jacknop79.ddns.net:3317
- C2: smath79.ddns.net:3317
- C2: whatis79.ddns.net:3317
- C2: goodgt79.ddns.net:3317
- C2: bonding79.ddns.net:3317
- mutex: DC_MUTEX-X1VW1F7
- gencode: U35l73tWGu8y
- install: false
- offline_keylogger: true
- password: Password20$
- persistence: false
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: Order Requirement 341.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\dWZXvMes6eRk2d5b\\CIe1f5SAYb7X.exe\",explorer.exe" (process: Order Requirement 341.exe)
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: Order Requirement 341.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: Order Requirement 341.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: Order Requirement 341.exe)
- Identifies Wine through registry keys (2 TTPs, 1 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: Order Requirement 341.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine (process: Order Requirement 341.exe)
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Order Requirement 341.exe
  - PID 1924 set thread context of 584 (process: Order Requirement 341.exe, target process: vbc.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: Order Requirement 341.exe
  - pid 1924, Order Requirement 341.exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Processes: Order Requirement 341.exe, vbc.exe
  - Token: SeDebugPrivilege, pid 1924, Order Requirement 341.exe (2 occurrences)
  - Token: SeIncreaseQuotaPrivilege, pid 584, vbc.exe
  - Token: SeSecurityPrivilege, pid 584, vbc.exe
  - Token: SeTakeOwnershipPrivilege, pid 584, vbc.exe
  - Token: SeLoadDriverPrivilege, pid 584, vbc.exe
  - Token: SeSystemProfilePrivilege, pid 584, vbc.exe
  - Token: SeSystemtimePrivilege, pid 584, vbc.exe
  - Token: SeProfSingleProcessPrivilege, pid 584, vbc.exe
  - Token: SeIncBasePriorityPrivilege, pid 584, vbc.exe
  - Token: SeCreatePagefilePrivilege, pid 584, vbc.exe
  - Token: SeBackupPrivilege, pid 584, vbc.exe
  - Token: SeRestorePrivilege, pid 584, vbc.exe
  - Token: SeShutdownPrivilege, pid 584, vbc.exe
  - Token: SeDebugPrivilege, pid 584, vbc.exe
  - Token: SeSystemEnvironmentPrivilege, pid 584, vbc.exe
  - Token: SeChangeNotifyPrivilege, pid 584, vbc.exe
  - Token: SeRemoteShutdownPrivilege, pid 584, vbc.exe
  - Token: SeUndockPrivilege, pid 584, vbc.exe
  - Token: SeManageVolumePrivilege, pid 584, vbc.exe
  - Token: SeImpersonatePrivilege, pid 584, vbc.exe
  - Token: SeCreateGlobalPrivilege, pid 584, vbc.exe
  - Token: 33, pid 584, vbc.exe
  - Token: 34, pid 584, vbc.exe
  - Token: 35, pid 584, vbc.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: vbc.exe
  - pid 584, vbc.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: Order Requirement 341.exe
  - PID 1924 wrote to memory of 584 (process: Order Requirement 341.exe, target process: vbc.exe) (13 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\Order Requirement 341.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Order Requirement 341.exe"
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/584-6-0x000000000048F888-mapping.dmp
- memory/584-5-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/584-9-0x0000000000260000-0x0000000000261000-memory.dmp (Filesize: 4KB)
- memory/584-8-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1924-2-0x0000000075AE1000-0x0000000075AE3000-memory.dmp (Filesize: 8KB)
- memory/1924-3-0x0000000000DC2000-0x0000000000E52000-memory.dmp (Filesize: 576KB)
- memory/1924-4-0x0000000004A70000-0x0000000004A71000-memory.dmp (Filesize: 4KB)