Analysis

Max time kernel: 149s
Max time network: 147s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 16-02-2021 06:24

Static task: static1
Behavioral task: behavioral1 (sample: Payment 761.exe, resource: win7v20201028)
Behavioral task: behavioral2 (sample: Payment 761.exe, resource: win10v20201028)
General

Target: Payment 761.exe
Size: 3.0MB
MD5: 62a68863c4cc45f3044a82468175e2d8
SHA1: 1872815154485c5f9af9cc93678bfa0da049d057
SHA256: 0988c85492437167f5cef3d98c7313ac4c15ca9c765b89261fad0622bf61622f
SHA512: 6328700abc7f907e4a56866698ff3249351ac07d0175a17ed6810a2a1b029aa7902b34b966518983830d7d2b193a5f950b634945d2588d18cafe26b1b5044508
Malware Config

Extracted family: darkcomet
FEBruary 2021
C2 hosts:
- chrisle79.ddns.net:3317
- jacknop79.ddns.net:3317
- smath79.ddns.net:3317
- whatis79.ddns.net:3317
- goodgt79.ddns.net:3317
- bonding79.ddns.net:3317
Mutex: DC_MUTEX-X4WFYA8

gencode: vYNzRAlAVaCD
install: false
offline_keylogger: true
password: Password20$
persistence: false
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: Payment 761.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\2WA5iVqHdZ35azk2\\GD4bwzQAc8CQ.exe\",explorer.exe"

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Process: Payment 761.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Process: Payment 761.exe
  Key opened: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine

Uses the VBS compiler for execution (1 TTP)

Suspicious use of SetThreadContext (1 IoC)
  PID 3116 (Payment 761.exe) set thread context of PID 2208 (vbc.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3116 (Payment 761.exe), 2 occurrences

Suspicious use of AdjustPrivilegeToken (26 IoCs)
  PID 3116 (Payment 761.exe): SeDebugPrivilege (2 occurrences)
  PID 2208 (vbc.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2208 (vbc.exe)

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3116 (Payment 761.exe) wrote to memory of PID 2208 (vbc.exe), 12 occurrences
Processes

"C:\Users\Admin\AppData\Local\Temp\Payment 761.exe" (PID 3116)
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" (PID 2208, child of PID 3116)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

memory/2208-4-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
memory/2208-5-0x000000000048F888-mapping.dmp
memory/2208-7-0x0000000002230000-0x0000000002231000-memory.dmp (4KB)
memory/2208-6-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
memory/3116-2-0x0000000000D62000-0x0000000000DEE000-memory.dmp (560KB)
memory/3116-3-0x0000000005560000-0x0000000005561000-memory.dmp (4KB)