Analysis
max time kernel: 150s
max time network: 150s
platform: windows10_x64
resource: win10v20210410
submitted: 22-04-2021 18:02

Static task: static1
Behavioral task: behavioral1
  Sample: Order Requirement 893.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: Order Requirement 893.exe
  Resource: win10v20210410
(The signatures, process tree and memory dumps below are from the win10v20210410 run.)

General
Target: Order Requirement 893.exe
Size: 3.1MB
MD5: 94d0f17a6ccc191912e09efdbe611f5e
SHA1: 347d4231e88ac6fe82a8e701d0b16cfac652c92c
SHA256: e3532fb1c9e0c23e6e0b556425bceb08953c97883aacfb347789a3d8dd80099d
SHA512: 7c322675175a6f3d50ce72208e6275e3853ea25de8beac1ff81ed8638fc7a305cb50f967cb194c146ac417c78593b9a1f1c18d01fd90fcc2ce3d5a2bbb31c76d
Malware Config
Extracted
Family: darkcomet
Botnet/campaign ID: April 2021
C2 (all on TCP port 3316, dynamic-DNS hostnames):
  bonding79.ddns.net:3316
  goodgt79.ddns.net:3316
  whatis79.ddns.net:3316
  smath79.ddns.net:3316
  jacknop79.ddns.net:3316
  chrisle79.ddns.net:3316
Mutex: DC_MUTEX-L1TFBNC
gencode: PvcfTTVpBSKd
install: false
offline_keylogger: true
password: Password20$
persistence: false
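The six C2 entries are dynamic-DNS names on one port, so a blocklist of today's IPs goes stale as soon as the operator re-points the records. The added example below (not part of this report) parses the list as extracted and walks DNS and connection events in order: a DNS answer for a C2 name pins the returned IP to that name, and the later connection to that IP is then attributed to the C2 by hostname. The log lines are constructed in a Sysmon-like key=value layout and the "port-only" rule for unattributed 3316 connections is the example's own heuristic, not something the report records.

```python
"""Match the extracted DarkComet C2 list against DNS and connection log lines.

Added example, not part of the sandbox report. The C2 text is the list above;
the log lines are constructed in a Sysmon-like key=value layout (EventId 22 =
DNS query, EventId 3 = network connection) and are not real telemetry. IPs are
from documentation ranges.
"""
from __future__ import annotations

import re
from typing import NamedTuple

CONFIG_C2_TEXT = """
bonding79.ddns.net:3316
goodgt79.ddns.net:3316
whatis79.ddns.net:3316
smath79.ddns.net:3316
jacknop79.ddns.net:3316
chrisle79.ddns.net:3316
"""

# Constructed log: one C2 lookup and connection, one benign lookup, and one
# connection on the C2 port to an IP that no C2 name resolved to.
SAMPLE_LOG = r"""
EventId=22 Image=C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe QueryName=bonding79.ddns.net QueryResults=203.0.113.10
EventId=3 Image=C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe DestinationIp=203.0.113.10 DestinationPort=3316
EventId=22 Image=C:\Windows\System32\svchost.exe QueryName=ctldl.windowsupdate.com QueryResults=203.0.113.99
EventId=3 Image=C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe DestinationIp=198.51.100.7 DestinationPort=3316
"""


class Finding(NamedTuple):
    kind: str     # c2-dns | c2-connect | c2-port-only
    image: str
    detail: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_c2(config_text: str) -> dict[str, int]:
    """host -> port from 'host:port' lines; hostnames are lower-cased for matching."""
    c2: dict[str, int] = {}
    for token in config_text.split():
        host, _, port = token.rpartition(":")
        if host and port.isdigit():
            c2[host.lower()] = int(port)
    return c2


def scan_log(log_text: str, c2: dict[str, int]) -> list[Finding]:
    """Walk the log in order. A DNS answer for a C2 name pins the returned IP to
    that name, so the later connection to that IP is attributed to the C2 even
    if the dynamic-DNS record points elsewhere tomorrow. A connection on a C2
    port to an IP no C2 name resolved to is reported at lower confidence (this
    port-only rule is the example's own heuristic)."""
    resolved: dict[str, str] = {}
    c2_ports = set(c2.values())
    findings: list[Finding] = []
    for line in log_text.splitlines():
        ev = dict(_KV.findall(line))
        if not ev:
            continue
        image = ev.get("Image", "?")
        if ev.get("EventId") == "22":
            name = ev.get("QueryName", "").lower()
            if name in c2:
                findings.append(Finding("c2-dns", image, name))
                for ip in ev.get("QueryResults", "").split(";"):
                    if ip:
                        resolved[ip] = name
        elif ev.get("EventId") == "3":
            ip = ev.get("DestinationIp", "")
            port = int(ev.get("DestinationPort", "0"))
            if ip in resolved and c2[resolved[ip]] == port:
                findings.append(Finding("c2-connect", image, f"{resolved[ip]} ({ip}:{port})"))
            elif port in c2_ports:
                findings.append(Finding("c2-port-only", image, f"{ip}:{port}"))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, parse_c2(CONFIG_C2_TEXT)):
        print(f"{f.kind:13} {f.image}  {f.detail}")
```

Keying on the hostname and pinning the resolved IP per host is what survives a DDNS re-point; the port-only hit is only worth a look because the process making it is the hollowed vbc.exe from the process tree.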
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: Order Requirement 893.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\ye5MuI5NRbzmJH25\\sFibM50rC83T.exe\",explorer.exe"
  (the value is shown JSON-escaped; the stored string is "C:\Users\Admin\AppData\Roaming\ye5MuI5NRbzmJH25\sFibM50rC83T.exe",explorer.exe)
Winlogon reads Shell as a comma-separated list of programs to start, so the dropped executable runs at every logon of this user while explorer.exe still loads afterwards and the desktop looks normal. Note that the extracted config reports install=false and persistence=false while the behavioral run records this write; treat the observed registry change, not the parsed flag, as authoritative.
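The Shell value is the thing to check on a suspect host, and the check has to split the value the way Winlogon does (commas outside quotes) rather than string-compare it, because a quoted path can itself contain a comma. The added example below (not part of this report) does that over constructed `reg query` output; the infected value is the one the report recorded, the clean HKLM entry and the surrounding text are constructed.

```python
"""Find Winlogon Shell values that chain an extra program before explorer.exe.

Added example for the signature above; it is not part of the sandbox report.
The infected value is the one the report recorded (HKU\\<SID>\\...\\Winlogon\\Shell);
the surrounding `reg query` text and the clean HKLM entry are constructed.
"""
from __future__ import annotations

import ntpath
import re

DEFAULT_SHELL = "explorer.exe"  # the only value Windows sets here by itself

# Constructed: the shape of `reg query <key> /v Shell` output for a clean
# machine-wide key and for the infected user hive from the report.
SAMPLE_REG_OUTPUT = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe

HKEY_USERS\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    "C:\Users\Admin\AppData\Roaming\ye5MuI5NRbzmJH25\sFibM50rC83T.exe",explorer.exe
'''

_KEY_LINE = re.compile(r"^(HKEY_[A-Z_]+\\.*\\Winlogon)\s*$")
_SHELL_LINE = re.compile(r"^\s*Shell\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$")


def split_shell_value(value: str) -> list[str]:
    """Split a Shell value the way Winlogon reads it: a comma-separated list of
    programs, where commas inside double quotes belong to the path."""
    items: list[str] = []
    buf: list[str] = []
    in_quotes = False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes   # quotes delimit; they are not part of the path
        elif ch == "," and not in_quotes:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf).strip())
    return [item for item in items if item]


def find_shell_modifications(reg_output: str) -> list[dict]:
    """Return one finding per Winlogon key whose Shell is anything other than
    exactly explorer.exe. 'extra' lists the foreign entries (the persistence
    payload); 'keeps_explorer' shows whether the desktop still loads, which is
    what keeps this technique quiet for the user."""
    findings: list[dict] = []
    current_key: str | None = None
    for line in reg_output.splitlines():
        key_match = _KEY_LINE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        shell_match = _SHELL_LINE.match(line)
        if not shell_match or current_key is None:
            continue
        entries = split_shell_value(shell_match.group(1))
        extra = [e for e in entries if ntpath.basename(e).lower() != DEFAULT_SHELL]
        if extra or len(entries) != 1:
            findings.append({
                "key": current_key,
                "raw": shell_match.group(1),
                "extra": extra,
                "keeps_explorer": any(ntpath.basename(e).lower() == DEFAULT_SHELL for e in entries),
            })
    return findings


if __name__ == "__main__":
    for finding in find_shell_modifications(SAMPLE_REG_OUTPUT):
        print(finding["key"])
        for path in finding["extra"]:
            print("  foreign shell entry:", path)
```

Check the per-user Winlogon key under each loaded hive as well as HKLM; the report shows the write under the user's SID, where a machine-wide scan of HKLM alone would miss it.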
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Process: Order Requirement 893.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Process: Order Requirement 893.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Wine
Uses the Visual Basic .NET compiler (vbc.exe) for execution (1 TTP)
vbc.exe is the VB.NET compiler, not a VBScript engine. The process tree below shows it started with no source files on its command line, so it has no compile job to do; it serves only as a signed, Microsoft-shipped host for the code that PID 1908 writes into it and redirects with SetThreadContext.
Suspicious use of SetThreadContext (1 IoC)
Process: Order Requirement 893.exe
  PID 1908 (Order Requirement 893.exe) set thread context of PID 3356 (vbc.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: Order Requirement 893.exe (PID 1908), 2 occurrences

Suspicious use of AdjustPrivilegeToken (26 IoCs)
Processes: Order Requirement 893.exe, vbc.exe
  PID 1908 Order Requirement 893.exe: SeDebugPrivilege (2 occurrences)
  PID 3356 vbc.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privileges reported only by number: 33, 34, 35, 36
  The sweep of privilege adjustments in PID 3356 comes after PID 1908 wrote into it and reset its thread context; a compiler has no reason to enable SeDebugPrivilege or SeLoadDriverPrivilege, so attribute this to the injected code, not to vbc.exe.

Suspicious use of SetWindowsHookEx (1 IoC)
Process: vbc.exe (PID 3356)
  A hook installed from the injected code; consistent with the offline_keylogger=true flag in the extracted config.

Suspicious use of WriteProcessMemory (12 IoCs)
Process: Order Requirement 893.exe
  PID 1908 (Order Requirement 893.exe) wrote to memory of PID 3356 (vbc.exe), 12 times
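The three signatures SetThreadContext, WriteProcessMemory and the argument-less vbc.exe child are the components of process hollowing, and the verdict comes from correlating them per (source, target) pair rather than from any one alone. The added example below (not part of this report) parses the report's own event wording for both actions, counts them per pair, and requires both a write and a thread-context reset before flagging; the process table mirrors the report's process tree, and the explorer.exe/notepad.exe entries are constructed as a negative control (a write with no SetThreadContext).

```python
"""Correlate SetThreadContext + WriteProcessMemory pairs into a process-hollowing verdict.

Added example, not part of the sandbox report. It parses the report's own event
wording ("PID <src> set thread context of <dst> ..." / "PID <src> wrote to memory
of <dst> ..."); the 1908/3356 entries mirror the report's process tree, and the
4120/4188 entries are constructed as a negative control.
"""
from __future__ import annotations

import re
import shlex
from collections import Counter

# Events in the report's format. The 12 identical write lines are expanded from one template.
SAMPLE_EVENTS = "\n".join(
    ["PID 1908 set thread context of 3356 1908 Order Requirement 893.exe vbc.exe"]
    + ["PID 1908 wrote to memory of 3356 1908 Order Requirement 893.exe vbc.exe"] * 12
    + ["PID 4120 wrote to memory of 4188 4120 explorer.exe notepad.exe"]  # constructed control
)

# pid -> (image path, command line); first two from the report, third constructed.
SAMPLE_PROCESSES = {
    1908: (r"C:\Users\Admin\AppData\Local\Temp\Order Requirement 893.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\Order Requirement 893.exe"'),
    3356: (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
           r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"'),
    4188: (r"C:\Windows\System32\notepad.exe",
           r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt'),
}

# Source process names contain spaces, so the trailing target name is anchored as the last token.
_EVENT = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_name>.+) (?P<dst_name>\S+)$"
)


def parse_events(text: str) -> list[dict]:
    """Turn report lines into {src, dst, action} records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = _EVENT.match(line.strip())
        if m:
            action = "set_thread_context" if m["action"].startswith("set") else "write_memory"
            events.append({"src": int(m["src"]), "dst": int(m["dst"]), "action": action})
    return events


def started_without_arguments(image: str, cmdline: str) -> bool:
    """True when the command line is just the image path: a compiler started with
    nothing to compile has no legitimate work, which is typical of a hollow host."""
    parts = shlex.split(cmdline, posix=False)   # non-POSIX mode keeps Windows backslashes intact
    return len(parts) == 1 and parts[0].strip('"').lower() == image.lower()


def find_hollowing(events: list[dict], processes: dict) -> list[dict]:
    """Flag a (src, dst) pair only when src both wrote into dst and replaced a
    thread context in dst; a write alone (debuggers, some installers) is not enough."""
    counts: Counter = Counter((e["src"], e["dst"], e["action"]) for e in events)
    findings = []
    for src, dst in sorted({(e["src"], e["dst"]) for e in events}):
        ctx = counts[(src, dst, "set_thread_context")]
        writes = counts[(src, dst, "write_memory")]
        if ctx == 0 or writes == 0:
            continue
        proc = processes.get(dst)
        findings.append({
            "source": src,
            "target": dst,
            "target_image": proc[0] if proc else "?",
            "thread_context_sets": ctx,
            "memory_writes": writes,
            "target_started_without_args": started_without_arguments(*proc) if proc else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(parse_events(SAMPLE_EVENTS), SAMPLE_PROCESSES):
        print(f"PID {f['source']} hollowed PID {f['target']} ({f['target_image']}): "
              f"{f['memory_writes']} writes, {f['thread_context_sets']} SetThreadContext, "
              f"started without arguments={f['target_started_without_args']}")
```

On live telemetry the same correlation works over process-access and process-creation events; the argument-less command line of a compiler or other Microsoft-signed binary is the cheap pre-filter that separates a hollow host from a real build job.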
Processes
1. C:\Users\Admin\AppData\Local\Temp\Order Requirement 893.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Order Requirement 893.exe"
   - Modifies WinLogon for persistence
   - Checks BIOS information in registry
   - Identifies Wine through registry keys
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Downloads (memory dumps)
memory/1908-114-0x0000000001220000-0x0000000001534000-memory.dmp  3.1MB
memory/1908-115-0x00000000053E0000-0x00000000053E1000-memory.dmp  4KB
memory/3356-116-0x0000000000400000-0x00000000004B2000-memory.dmp  712KB
memory/3356-117-0x000000000048F888-mapping.dmp  (size not listed)
memory/3356-118-0x0000000000400000-0x00000000004B2000-memory.dmp  712KB
memory/3356-119-0x0000000000560000-0x00000000006AA000-memory.dmp  1.3MB
The 3.1MB dump from PID 1908 matches the size of the submitted file and is the packed original. The two 712KB dumps at 0x400000-0x4B2000 in PID 3356 cover the image-base range of the hollowed vbc.exe process after PID 1908 wrote into it, and the 0x48F888 mapping lies inside that range; start there, not with the parent image, when looking for the unpacked DarkComet payload.