Analysis
- max time kernel: 151s
- max time network: 141s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 05-05-2021 11:28

Behavioral task: behavioral1
- Sample: 1yyoRs4y38XZvNF9YQAk.exe
- Resource: win7v20210410
General
- Target: 1yyoRs4y38XZvNF9YQAk.exe
- Size: 658KB
- MD5: db08908582b5fadec29d5ea3c91b954a
- SHA1: fedaf416dd8019a55657d8321d70e2d09c98c595
- SHA256: 6f08293219654fea6c04ef20b911c4b3d28029ae32b9bcfaa7278df56a059ede
- SHA512: 05e99bb91df650d18da64d2133c7e289c0485d28e289aa77d1c0e0366473e33da3f0d955a29c93d88f4a47b40f766611cf3c3d07174c602cbb2bf6a76641e916
Malware Config
Extracted
- family: darkcomet
- botnet: Guest16
- C2: nanocore4459.ddns.net:5552
- mutex: DC_MUTEX-WPZT55M
- InstallPath: C:\Windows\System32\drivers\networkdrv.exe
- gencode: CtFSuaWNSfPv
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: Network Driver
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: 1yyoRs4y38XZvNF9YQAk.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\drivers\\networkdrv.exe" | 1yyoRs4y38XZvNF9YQAk.exe

Drops file in Drivers directory (3 IoCs)
Processes: 1yyoRs4y38XZvNF9YQAk.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\drivers\networkdrv.exe | 1yyoRs4y38XZvNF9YQAk.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\networkdrv.exe | 1yyoRs4y38XZvNF9YQAk.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\ | 1yyoRs4y38XZvNF9YQAk.exe

Executes dropped EXE (1 IoCs)
Processes: networkdrv.exe
  pid | process
  1840 | networkdrv.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: 1yyoRs4y38XZvNF9YQAk.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation | 1yyoRs4y38XZvNF9YQAk.exe

Deletes itself (1 IoCs)
Processes: notepad.exe
  pid | process
  584 | notepad.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 1yyoRs4y38XZvNF9YQAk.exe, networkdrv.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Network Driver = "C:\\Windows\\System32\\drivers\\networkdrv.exe" | 1yyoRs4y38XZvNF9YQAk.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Network Driver = "C:\\Windows\\System32\\drivers\\networkdrv.exe" | networkdrv.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
Processes: 1yyoRs4y38XZvNF9YQAk.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | 1yyoRs4y38XZvNF9YQAk.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: 1yyoRs4y38XZvNF9YQAk.exe, networkdrv.exe
  Each of the two processes adjusts the same 24 token privileges (24 IoCs per process):
  pid 740 (1yyoRs4y38XZvNF9YQAk.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  pid 1840 (networkdrv.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: networkdrv.exe
  pid | process
  1840 | networkdrv.exe

Suspicious use of WriteProcessMemory (53 IoCs)
Processes: 1yyoRs4y38XZvNF9YQAk.exe, cmd.exe, networkdrv.exe
  Identical rows are collapsed with a repeat count; the counts sum to the 53 IoCs above.
  description | pid | process | target process | count
  PID 740 wrote to memory of 3272 | 740 | 1yyoRs4y38XZvNF9YQAk.exe | cmd.exe | 3
  PID 740 wrote to memory of 584 | 740 | 1yyoRs4y38XZvNF9YQAk.exe | notepad.exe | 17
  PID 3272 wrote to memory of 204 | 3272 | cmd.exe | attrib.exe | 3
  PID 740 wrote to memory of 1840 | 740 | 1yyoRs4y38XZvNF9YQAk.exe | networkdrv.exe | 3
  PID 1840 wrote to memory of 3676 | 1840 | networkdrv.exe | iexplore.exe | 3
  PID 1840 wrote to memory of 1416 | 1840 | networkdrv.exe | explorer.exe | 2
  PID 1840 wrote to memory of 3084 | 1840 | networkdrv.exe | notepad.exe | 22

Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
(Indentation shows the parent/child relationship; the original marked depth as 1, 2 and 3.)

C:\Users\Admin\AppData\Local\Temp\1yyoRs4y38XZvNF9YQAk.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1yyoRs4y38XZvNF9YQAk.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1yyoRs4y38XZvNF9YQAk.exe" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp\1yyoRs4y38XZvNF9YQAk.exe" +s +h
      - Views/modifies file attributes

  C:\Windows\SysWOW64\notepad.exe
    command line: notepad
    - Deletes itself

  C:\Windows\SysWOW64\drivers\networkdrv.exe
    command line: "C:\Windows\System32\drivers\networkdrv.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\iexplore.exe
      command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

    C:\Windows\explorer.exe
      command line: "C:\Windows\explorer.exe"

    C:\Windows\SysWOW64\notepad.exe
      command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\drivers\networkdrv.exe
  MD5: db08908582b5fadec29d5ea3c91b954a
  SHA1: fedaf416dd8019a55657d8321d70e2d09c98c595
  SHA256: 6f08293219654fea6c04ef20b911c4b3d28029ae32b9bcfaa7278df56a059ede
  SHA512: 05e99bb91df650d18da64d2133c7e289c0485d28e289aa77d1c0e0366473e33da3f0d955a29c93d88f4a47b40f766611cf3c3d07174c602cbb2bf6a76641e916
- memory/204-117-0x0000000000000000-mapping.dmp
- memory/584-116-0x0000000000000000-mapping.dmp
- memory/584-118-0x00000000007E0000-0x00000000007E1000-memory.dmp (Filesize 4KB)
- memory/740-114-0x0000000000780000-0x0000000000781000-memory.dmp (Filesize 4KB)
- memory/1840-119-0x0000000000000000-mapping.dmp
- memory/1840-123-0x00000000020F0000-0x00000000020F1000-memory.dmp (Filesize 4KB)
- memory/3084-122-0x0000000000000000-mapping.dmp
- memory/3084-124-0x00000000004B0000-0x00000000004B1000-memory.dmp (Filesize 4KB)
- memory/3272-115-0x0000000000000000-mapping.dmp