Analysis

- max time kernel: 150s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 04-04-2021 06:37
Tasks

- Static task: static1
- Behavioral task: behavioral1, sample "Payment 831.exe", resource win7v20201028
- Behavioral task: behavioral2, sample "Payment 831.exe", resource win10v20201028
General

- Target: Payment 831.exe
- Size: 2.1MB
- MD5: 90f1582eb4aa8c5db832919e5e475fc5
- SHA1: bbc4d5e90346af2ec03f7ec4af33a728108818a3
- SHA256: 136eddfd86a8ee4a6e6c8ed4d82bc78e795e5f02ff5e347dd95893a9b011222f
- SHA512: 37cd15caa53b047036334cf5b19ffaf7fc94aa32d4dc8648c2fe0c1bd623e332f70778b2bb59c3aeaf0f6ba5cae6fa1c1a360780e1c7d29e4be4a4d9ab459b43
Malware Config

Extracted: darkcomet

- Server ID (campaign tag): April 2021
- C2 (all on TCP 3316, dynamic-DNS hosts):
  bonding79.ddns.net:3316
  goodgt79.ddns.net:3316
  whatis79.ddns.net:3316
  smath79.ddns.net:3316
  jacknop79.ddns.net:3316
  chrisle79.ddns.net:3316
- Mutex: DC_MUTEX-L1TFBNC
- gencode: PvcfTTVpBSKd
- install: false
- offline_keylogger: true
- password: Password20$
- persistence: false
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
The Shell value is written under the user's own hive (HKU\<SID>\...\Winlogon), which needs no administrative rights, and the legitimate shell is kept as the second entry so the desktop still appears while the dropped executable under %APPDATA% starts at every logon.
Processes:
  Payment 831.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\4623ct41TTgJMuPp\\aFnwz8007fdp.exe\",explorer.exe"
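A check for this persistence technique, written for this page as an added example rather than taken from the sandbox vendor or the report: it splits a Winlogon Shell value into its comma-separated entries (honouring quoted paths), flags anything that is not explorer.exe, and on Windows reads the live machine and per-user Shell values. The sample value is the IoC above; the list of user-writable path prefixes is an assumption, not a vendor rule.

```python
"""Flag non-default Winlogon Shell entries like the one DarkComet set above.

Added example, not part of the sandbox report. SUSPICIOUS_PREFIXES is a
heuristic chosen for this example.
"""
import platform
from typing import List

# Constructed from the IoC in the signature above: the dropped executable runs
# first, the legitimate shell is kept as the second entry so the desktop appears.
SAMPLE_SHELL_VALUE = (
    r'"C:\Users\Admin\AppData\Roaming\4623ct41TTgJMuPp\aFnwz8007fdp.exe",explorer.exe'
)

# User-writable locations no legitimate shell entry should live in (assumption).
SUSPICIOUS_PREFIXES = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)

DEFAULT_SHELLS = {"explorer.exe", "c:\\windows\\explorer.exe"}


def split_shell_entries(value: str) -> List[str]:
    """Split a Shell value on commas, but not on commas inside double quotes,
    and strip the quotes so each entry is a bare program path."""
    entries, cur, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            entries.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        entries.append(tail)
    return entries


def check_shell_value(value: str) -> List[str]:
    """Return one finding per entry that is not the default explorer.exe shell."""
    findings = []
    for entry in split_shell_entries(value):
        low = entry.lower()
        if low in DEFAULT_SHELLS:
            continue
        reason = "non-default shell entry"
        if any(prefix in low for prefix in SUSPICIOUS_PREFIXES):
            reason += " in a user-writable directory"
        findings.append(f"{reason}: {entry}")
    return findings


def live_winlogon_shell_findings() -> List[str]:
    """On Windows, check both the machine-wide Shell value and the per-user one
    (the report's IoC is the per-user key, which normally has no Shell value)."""
    if platform.system() != "Windows":
        return []
    import winreg  # only available on Windows

    key_path = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    results = []
    for hive, label in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"),
                        (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:
            with winreg.OpenKey(hive, key_path) as key:
                value, _ = winreg.QueryValueEx(key, "Shell")
        except FileNotFoundError:
            continue
        results.extend(f"{label}: {f}" for f in check_shell_value(str(value)))
    return results


if __name__ == "__main__":
    for finding in check_shell_value(SAMPLE_SHELL_VALUE) + live_winlogon_shell_findings():
        print(finding)
```

A Shell value of plain `explorer.exe` produces no finding; the sample value produces one, pointing at the executable under `AppData\Roaming`. Any Shell value at all under HKCU is worth a look, since Windows ships none there.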
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  Payment 831.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  Payment 831.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  Payment 831.exe  Key opened  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine
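The two registry probes in the BIOS and Wine signatures above, reproduced as an added example (not code from the report or the sample): a pure classifier over the BIOS strings plus the Wine key result, and a live reader that performs the same lookups on Windows. The VirtualBox-via-ACPI signature carries no IoC on this page, so it is not reproduced. The hypervisor marker list and the sample BIOS strings are assumptions constructed for the example.

```python
"""Reproduce the sample's sandbox probes: BIOS version strings and the Wine key.

Added example, not part of the sandbox report. VM_MARKERS and the sample
values below are assumptions, not a published detection rule.
"""
import platform
from typing import Dict, List, Optional

BIOS_VALUES = [
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
]
WINE_KEY = r"Software\Wine"

# Substrings hypervisors and emulators commonly leave in BIOS strings (assumption).
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "bochs", "xen", "parallels", "hyper-v")


def vm_markers_in(bios: Dict[str, List[str]]) -> List[str]:
    """Return 'ValueName: marker' for each BIOS string containing a VM marker.
    REG_MULTI_SZ values arrive as a list of strings, so every element is scanned."""
    hits = []
    for name, strings in bios.items():
        for s in strings:
            low = s.lower()
            for marker in VM_MARKERS:
                if marker in low:
                    hits.append(f"{name}: {marker}")
                    break
    return hits


def sandbox_verdict(bios: Dict[str, List[str]], wine_key_present: bool) -> str:
    """Mirror the sample's decision: Wine key present -> 'wine'; VM marker in a
    BIOS string -> 'vm: ...'; otherwise 'bare-metal'."""
    if wine_key_present:
        return "wine"
    hits = vm_markers_in(bios)
    if hits:
        return "vm: " + ", ".join(hits)
    return "bare-metal"


def read_live_probe() -> Optional[str]:
    """On Windows, run the same two lookups the sample performs and classify."""
    if platform.system() != "Windows":
        return None
    import winreg  # only available on Windows

    bios: Dict[str, List[str]] = {}
    for path, name in BIOS_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                val, _ = winreg.QueryValueEx(key, name)
            bios[name] = list(val) if isinstance(val, list) else [str(val)]
        except OSError:
            bios[name] = []
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CURRENT_USER, WINE_KEY))
        wine = True
    except OSError:
        wine = False
    return sandbox_verdict(bios, wine)


# Constructed sample values (assumption): a default VirtualBox guest and a
# physical Dell machine, as the two registry values would typically read.
VBOX_SAMPLE = {
    "SystemBiosVersion": ["VBOX   - 1"],
    "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1 VBE BIOS"],
}
PHYSICAL_SAMPLE = {
    "SystemBiosVersion": ["DELL   - 1072009", "1.4.0"],
    "VideoBiosVersion": ["Hardware Version 0.0"],
}

if __name__ == "__main__":
    print("virtualbox guest:", sandbox_verdict(VBOX_SAMPLE, False))
    print("physical host:  ", sandbox_verdict(PHYSICAL_SAMPLE, False))
    print("this machine:   ", read_live_probe())
```

For a sandbox operator the useful consequence is the inverse: if the analysis VM's `SystemBiosVersion` and `VideoBiosVersion` carry any of these markers, or a `Software\Wine` key exists in the user hive, samples with this check will never reach their payload stage.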
Uses the VBS compiler for execution (1 TTP)
vbc.exe here is the .NET Visual Basic compiler, started with no arguments; the SetThreadContext and WriteProcessMemory events below show it is used only as a host process for the injected payload.

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 1120 Payment 831.exe  set thread context of  PID 2812 vbc.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 1120 Payment 831.exe
  PID 1120 Payment 831.exe

Suspicious use of AdjustPrivilegeToken (26 IoCs)
The hollowed vbc.exe enables nearly every privilege available in its token at once, which is the injected payload's behaviour, not the compiler's.
Processes:
  PID 1120 Payment 831.exe  Token: SeDebugPrivilege (2 events)
  PID 2812 vbc.exe  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
A Windows hook installed from the hollowed process is consistent with the offline_keylogger setting in the extracted config.
Processes:
  PID 2812 vbc.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  PID 1120 Payment 831.exe  wrote to memory of  PID 2812 vbc.exe (12 events)
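The SetThreadContext and WriteProcessMemory signatures above are the two halves of one technique, process hollowing, and become far more convincing when correlated per parent/child pair than when counted separately. The following detection logic is an added example written for this page (not the sandbox's own rule): it parses event lines in the flattened format the report uses, groups them by (source PID, target PID), and reports pairs that show both operations. The event lines are taken from the report's own tables; the one svchost.exe/WerFault.exe line and the list of compiler binaries are constructed assumptions.

```python
"""Correlate WriteProcessMemory and SetThreadContext events into hollowing candidates.

Added example, not part of the sandbox report. EVENT_RE matches the report's
flattened table lines; COMPILER_HOSTS and the benign sample line are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Lines copied from the report's two tables (1 context change, 12 writes), plus a
# constructed benign write from a different parent with no SetThreadContext.
EVENTS = (
    ["PID 1120 set thread context of 2812 1120 Payment 831.exe vbc.exe"]
    + ["PID 1120 wrote to memory of 2812 1120 Payment 831.exe vbc.exe"] * 12
    + ["PID 4000 wrote to memory of 4100 4000 svchost.exe WerFault.exe"]  # constructed
)

# "PID <src> <op> <dst> <src> <src image> <dst image>"; the source image may
# contain spaces ("Payment 831.exe"), the target image is taken as the last token.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>.+?) (?P<dst_image>\S+)$"
)

# Binaries that only make sense with a command line; an argument-less instance
# being written to by an unrelated parent is a classic hollowing host (assumption).
COMPILER_HOSTS = {"vbc.exe", "csc.exe", "jsc.exe", "ilasm.exe"}


@dataclass
class PairActivity:
    src_image: str
    dst_image: str
    writes: int = 0
    context_sets: int = 0


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one event line, or None if it does not match."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def correlate(lines: List[str]) -> Dict[Tuple[int, int], PairActivity]:
    """Count writes and context changes per (source PID, target PID) pair."""
    pairs: Dict[Tuple[int, int], PairActivity] = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = (int(ev["src"]), int(ev["dst"]))
        act = pairs.setdefault(key, PairActivity(ev["src_image"], ev["dst_image"]))
        if ev["op"].startswith("wrote"):
            act.writes += 1
        else:
            act.context_sets += 1
    return pairs


def hollowing_candidates(lines: List[str]) -> List[str]:
    """A parent that both writes into a child and resets its thread context has
    most likely replaced the child's image; report each such pair."""
    out = []
    for (src, dst), act in correlate(lines).items():
        if act.writes and act.context_sets:
            note = (f"{act.src_image} ({src}) -> {act.dst_image} ({dst}): "
                    f"{act.writes} writes, {act.context_sets} SetThreadContext")
            if act.dst_image.lower() in COMPILER_HOSTS:
                note += "; target is a compiler binary, check it was started without arguments"
            out.append(note)
    return out


if __name__ == "__main__":
    for candidate in hollowing_candidates(EVENTS):
        print(candidate)
```

Only the Payment 831.exe -> vbc.exe pair is reported; the constructed svchost.exe write on its own is not, which is the point of correlating rather than alerting on WriteProcessMemory alone. The same grouping works on Sysmon or EDR telemetry once the field names are mapped.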
Processes

C:\Users\Admin\AppData\Local\Temp\Payment 831.exe  "C:\Users\Admin\AppData\Local\Temp\Payment 831.exe"  (PID 1120)
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"  (PID 2812, child of 1120)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

- memory/1120-2-0x00000000010C2000-0x0000000001140000-memory.dmp  504KB
- memory/1120-3-0x00000000049C0000-0x00000000049C1000-memory.dmp  4KB
- memory/2812-4-0x0000000000400000-0x00000000004B2000-memory.dmp  712KB
- memory/2812-5-0x000000000048F888-mapping.dmp
- memory/2812-7-0x0000000000690000-0x0000000000691000-memory.dmp  4KB
- memory/2812-6-0x0000000000400000-0x00000000004B2000-memory.dmp  712KB

The two 712KB dumps of PID 2812 cover 0x400000-0x4B2000, the image range of the hollowed vbc.exe that PID 1120 wrote into; that is where the unpacked payload (the source of the extracted DarkComet config) is most likely to be found.