Analysis
- max time kernel: 11s
- max time network: 103s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 28-02-2021 07:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: f221abcc28479d141353cdf6963987ed217d33eea32cca67e10a68e63c1dfc7a.exe
- Resource: win7v20201028
General
- Target: f221abcc28479d141353cdf6963987ed217d33eea32cca67e10a68e63c1dfc7a.exe
- Size: 644KB
- MD5: 0d3f19a7659758718fa2f98942158f80
- SHA1: 20bded958907454ad87040c2f9c8bbe81f1aba7f
- SHA256: f221abcc28479d141353cdf6963987ed217d33eea32cca67e10a68e63c1dfc7a
- SHA512: 9e184048301ea56fd1632efcaa1aec05185b2b916b703460752a27aeff9a72d5918353a356252588c0db8736208a8116a76e98e70dd4e12135278a08c676e7b7
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: 192.168.0.23:1604
- Mutex: DC_MUTEX-DHQ9E4A
- gencode: iJFVs5RVgM1t
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 4340 test.sfx.exe
  - 3376 test.exe
- Drops file in Program Files directory (6 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Program Files (x86)\&appdata%\stub.bat (f221abcc28479d141353cdf6963987ed217d33eea32cca67e10a68e63c1dfc7a.exe)
  - File opened for modification: C:\Program Files (x86)\&appdata%\stub.bat (f221abcc28479d141353cdf6963987ed217d33eea32cca67e10a68e63c1dfc7a.exe)
  - File created: C:\Program Files (x86)\&appdata%\test.sfx.exe (f221abcc28479d141353cdf6963987ed217d33eea32cca67e10a68e63c1dfc7a.exe)
  - File opened for modification: C:\Program Files (x86)\&appdata%\test.sfx.exe (f221abcc28479d141353cdf6963987ed217d33eea32cca67e10a68e63c1dfc7a.exe)
  - File opened for modification: C:\Program Files (x86)\&appdata% (f221abcc28479d141353cdf6963987ed217d33eea32cca67e10a68e63c1dfc7a.exe)
  - File created: C:\Program Files (x86)\&appdata%\__tmp_rar_sfx_access_check_259287406 (f221abcc28479d141353cdf6963987ed217d33eea32cca67e10a68e63c1dfc7a.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes (description, pid, process), all by 3376 test.exe:
  - Token: SeIncreaseQuotaPrivilege
  - Token: SeSecurityPrivilege
  - Token: SeTakeOwnershipPrivilege
  - Token: SeLoadDriverPrivilege
  - Token: SeSystemProfilePrivilege
  - Token: SeSystemtimePrivilege
  - Token: SeProfSingleProcessPrivilege
  - Token: SeIncBasePriorityPrivilege
  - Token: SeCreatePagefilePrivilege
  - Token: SeBackupPrivilege
  - Token: SeRestorePrivilege
  - Token: SeShutdownPrivilege
  - Token: SeDebugPrivilege
  - Token: SeSystemEnvironmentPrivilege
  - Token: SeChangeNotifyPrivilege
  - Token: SeRemoteShutdownPrivilege
  - Token: SeUndockPrivilege
  - Token: SeManageVolumePrivilege
  - Token: SeImpersonatePrivilege
  - Token: SeCreateGlobalPrivilege
  - Token: 33
  - Token: 34
  - Token: 35
  - Token: 36
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid, process):
  - 3376 test.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process); each row is recorded three times:
  - PID 4808 wrote to memory of 3668: 4808 f221abcc28479d141353cdf6963987ed217d33eea32cca67e10a68e63c1dfc7a.exe -> cmd.exe
  - PID 3668 wrote to memory of 4340: 3668 cmd.exe -> test.sfx.exe
  - PID 4340 wrote to memory of 3376: 4340 test.sfx.exe -> test.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\f221abcc28479d141353cdf6963987ed217d33eea32cca67e10a68e63c1dfc7a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f221abcc28479d141353cdf6963987ed217d33eea32cca67e10a68e63c1dfc7a.exe"
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   PID: 4808
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\&appdata%\stub.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 3668
      3. C:\Program Files (x86)\&appdata%\test.sfx.exe
         Command line: test.sfx.exe -p123 -dC:\Users\Admin\AppData\Roaming
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         PID: 4340
         4. C:\Users\Admin\AppData\Roaming\test.exe
            Command line: "C:\Users\Admin\AppData\Roaming\test.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            PID: 3376
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Program Files (x86)\&appdata%\stub.bat
  - MD5: 4650b4847d0a73cd1c182e1081bd155b
  - SHA1: 5c3c722126c5453243aef79472104e61f44c57bd
  - SHA256: 37fa2dd47b98506f732b902c0a1547919d2a8ef08ad4c4c385ca3bf58dc91706
  - SHA512: a87f8e26a9fb40238b4fe55c50d9cb584478fefbe456dbcad0fe4c6475394476872282520279631fd51007aa150e78bb2b29d05d1d3161d46a5d84b802cbb401
- C:\Program Files (x86)\&appdata%\test.sfx.exe
  - MD5: ffeaed60c36edf0967df46fea575cf3c
  - SHA1: 1737aad788fb76c8221a19fd5bada0f0c8347628
  - SHA256: 9bbf537996bef3ba6a95527940eb2b44d104451c51699d349b6769a53c9a75bb
  - SHA512: fbd92ffdca2411fac3f3ef950b4210e6bde0655e9969f795c59520dd0201be65b2b03d75c34d0033cee8f6fd3f582e8fbb1d868ae9617f3898d6de49f0ea9451
- C:\Users\Admin\AppData\Roaming\test.exe
  - MD5: ff379de6470a3493074c42d1e5d1d41c
  - SHA1: 12d3afb3f1bbc911197bd6fade97ccc2ff613590
  - SHA256: f5d8a001c7de3bf91c5b4bc3dbbd3c991122591f45807954eda70363944f5945
  - SHA512: 5ca03c96fb14b34d2abb1595d5ec000a4f7a6ed8be445ee24e3e9e50847c5e2b398a5b58889c0cdea633b4af31113c58d05f2f5bb7f267da6cb51e5bf954eea9
- memory/3376-8-0x0000000000000000-mapping.dmp
- memory/3376-11-0x00000000741A0000-0x0000000074233000-memory.dmp (Filesize: 588KB)
- memory/3376-12-0x0000000002220000-0x0000000002221000-memory.dmp (Filesize: 4KB)
- memory/3668-2-0x0000000000000000-mapping.dmp
- memory/4340-5-0x0000000000000000-mapping.dmp
- memory/4808-3-0x0000000002F90000-0x0000000002F91000-memory.dmp (Filesize: 4KB)