Analysis
max time kernel: 151s
max time network: 138s
platform: windows7_x64
resource: win7v20210410
submitted: 22-04-2021 18:02
Static task: static1
Behavioral task: behavioral1
  Sample: Order Requirement 893.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: Order Requirement 893.exe
  Resource: win10v20210410
General
Target: Order Requirement 893.exe
Size: 3.1MB
MD5: 94d0f17a6ccc191912e09efdbe611f5e
SHA1: 347d4231e88ac6fe82a8e701d0b16cfac652c92c
SHA256: e3532fb1c9e0c23e6e0b556425bceb08953c97883aacfb347789a3d8dd80099d
SHA512: 7c322675175a6f3d50ce72208e6275e3853ea25de8beac1ff81ed8638fc7a305cb50f967cb194c146ac417c78593b9a1f1c18d01fd90fcc2ce3d5a2bbb31c76d
Malware Config
Extracted family: darkcomet (April 2021)
C2:
  bonding79.ddns.net:3316
  goodgt79.ddns.net:3316
  whatis79.ddns.net:3316
  smath79.ddns.net:3316
  jacknop79.ddns.net:3316
  chrisle79.ddns.net:3316
Mutex: DC_MUTEX-L1TFBNC
gencode: PvcfTTVpBSKd
install: false
offline_keylogger: true
password: Password20$
persistence: false
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: Order Requirement 893.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\ye5MuI5NRbzmJH25\\tNmo0kk46PJh.exe\",explorer.exe" | Order Requirement 893.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: Order Requirement 893.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Order Requirement 893.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Order Requirement 893.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: Order Requirement 893.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine | Order Requirement 893.exe
Uses the VBS compiler for execution (1 TTP)
Suspicious use of SetThreadContext (1 IoC)
Processes: Order Requirement 893.exe
description | pid | process | target process
PID 1240 set thread context of 1004 | 1240 | Order Requirement 893.exe | vbc.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: Order Requirement 893.exe
pid | process
1240 | Order Requirement 893.exe
1240 | Order Requirement 893.exe
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes: Order Requirement 893.exe, vbc.exe
description | pid | process
Token: SeDebugPrivilege | 1240 | Order Requirement 893.exe
Token: SeDebugPrivilege | 1240 | Order Requirement 893.exe
Tokens enabled by pid 1004 (vbc.exe), one IoC each: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: vbc.exe
pid | process
1004 | vbc.exe
Suspicious use of WriteProcessMemory (13 IoCs)
Processes: Order Requirement 893.exe
description | pid | process | target process
PID 1240 wrote to memory of 1004 | 1240 | Order Requirement 893.exe | vbc.exe
(the same row is recorded 13 times)
Processes
C:\Users\Admin\AppData\Local\Temp\Order Requirement 893.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Order Requirement 893.exe"
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (child process)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/1004-62-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
memory/1004-63-0x000000000048F888-mapping.dmp
memory/1004-65-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
memory/1004-66-0x0000000000250000-0x0000000000251000-memory.dmp (4KB)
memory/1240-59-0x00000000752B1000-0x00000000752B3000-memory.dmp (8KB)
memory/1240-60-0x0000000000A40000-0x0000000000D54000-memory.dmp (3.1MB)
memory/1240-61-0x0000000003660000-0x0000000003661000-memory.dmp (4KB)