Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 25-02-2021 12:16
Static task: static1
Behavioral task: behavioral1
- Sample: Payment 381.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Payment 381.exe
- Resource: win10v20201028
General
- Target: Payment 381.exe
- Size: 3.1MB
- MD5: 3602f8e02342949364e8669e0c88f686
- SHA1: 8b2f47300d6fecd4d5fcef477b7cbd63cf6ef8c5
- SHA256: 87fd1a37f56e55cc20cdf882955d9ac37a857bd0bf12c480ea76f9a452438ab6
- SHA512: c4368cf6fc0e76442f9e8ff812d4dea125ff61eee360085ccd870d8e11c57dec8d1c92cd310cfee58990f220236e06561424c48e84e743140923f7a15bca8890
Malware Config
Extracted
- Family: darkcomet
- Botnet: FEBruary 2021
- C2:
  - bonding79.ddns.net:3316
  - goodgt79.ddns.net:3316
  - whatis79.ddns.net:3316
  - smath79.ddns.net:3316
  - jacknop79.ddns.net:3316
  - chrisle79.ddns.net:3316
- Mutex: DC_MUTEX-ZKP4D0B
- gencode: wb6TW2qCEdyf
- install: false
- offline_keylogger: true
- password: Password20$
- persistence: false
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\BlVOMYes18rDEfDp\\IBGNJl8agV4P.exe\",explorer.exe" | Payment 381.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Payment 381.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Payment 381.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine | Payment 381.exe
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  - PID 4692 set thread context of 3096 | 4692 | Payment 381.exe | vbc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  - 4692 | Payment 381.exe
  - 4692 | Payment 381.exe
- Suspicious use of AdjustPrivilegeToken (26 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 4692 | Payment 381.exe
  - Token: SeDebugPrivilege | 4692 | Payment 381.exe
  - Token: SeIncreaseQuotaPrivilege | 3096 | vbc.exe
  - Token: SeSecurityPrivilege | 3096 | vbc.exe
  - Token: SeTakeOwnershipPrivilege | 3096 | vbc.exe
  - Token: SeLoadDriverPrivilege | 3096 | vbc.exe
  - Token: SeSystemProfilePrivilege | 3096 | vbc.exe
  - Token: SeSystemtimePrivilege | 3096 | vbc.exe
  - Token: SeProfSingleProcessPrivilege | 3096 | vbc.exe
  - Token: SeIncBasePriorityPrivilege | 3096 | vbc.exe
  - Token: SeCreatePagefilePrivilege | 3096 | vbc.exe
  - Token: SeBackupPrivilege | 3096 | vbc.exe
  - Token: SeRestorePrivilege | 3096 | vbc.exe
  - Token: SeShutdownPrivilege | 3096 | vbc.exe
  - Token: SeDebugPrivilege | 3096 | vbc.exe
  - Token: SeSystemEnvironmentPrivilege | 3096 | vbc.exe
  - Token: SeChangeNotifyPrivilege | 3096 | vbc.exe
  - Token: SeRemoteShutdownPrivilege | 3096 | vbc.exe
  - Token: SeUndockPrivilege | 3096 | vbc.exe
  - Token: SeManageVolumePrivilege | 3096 | vbc.exe
  - Token: SeImpersonatePrivilege | 3096 | vbc.exe
  - Token: SeCreateGlobalPrivilege | 3096 | vbc.exe
  - Token: 33 | 3096 | vbc.exe
  - Token: 34 | 3096 | vbc.exe
  - Token: 35 | 3096 | vbc.exe
  - Token: 36 | 3096 | vbc.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
  - 3096 | vbc.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  - PID 4692 wrote to memory of 3096 | 4692 | Payment 381.exe | vbc.exe (12 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment 381.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment 381.exe"
  Depth: 1
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    Depth: 2 (child of Payment 381.exe)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/3096-4-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/3096-5-0x000000000048F888-mapping.dmp
- memory/3096-6-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/3096-7-0x0000000002230000-0x0000000002231000-memory.dmp (Filesize: 4KB)
- memory/4692-2-0x00000000008E2000-0x0000000000978000-memory.dmp (Filesize: 600KB)
- memory/4692-3-0x0000000004FA0000-0x0000000004FA1000-memory.dmp (Filesize: 4KB)