Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 24-05-2021 13:09

Static task: static1
Behavioral task: behavioral1
Sample: Purchase Order 781.exe
Resource: win7v20210410 (windows7_x64)
0 signatures
0 seconds
Malware Config
Extracted
Family: darkcomet
Botnet: May 2021
C2:
- bonding79.ddns.net:3316
- goodgt79.ddns.net:3316
- whatis79.ddns.net:3316
- smath79.ddns.net:3316
- jacknop79.ddns.net:3316
- chrisle79.ddns.net:3316
Mutex: DC_MUTEX-PPMNGQA
Attributes:
- gencode: AUQYBsRj2TWk
- install: false
- offline_keylogger: true
- password: Password20$
- persistence: false
Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: Purchase Order 781.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k6l50Mr8Exu7gS7Z\\nbyENHoPfvzk.exe\",explorer.exe" | Purchase Order 781.exe

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: Purchase Order 781.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Purchase Order 781.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Purchase Order 781.exe

- Identifies Wine through registry keys (2 TTPs, 1 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: Purchase Order 781.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Wine | Purchase Order 781.exe

- Uses the VBS compiler for execution (1 TTPs)

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Purchase Order 781.exe
  description | pid | process | target process
  PID 4436 set thread context of 4032 | 4436 | Purchase Order 781.exe | vbc.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: Purchase Order 781.exe
  pid | process
  4436 | Purchase Order 781.exe
  4436 | Purchase Order 781.exe

- Suspicious use of AdjustPrivilegeToken (26 IoCs)
  Processes: Purchase Order 781.exe, vbc.exe
  description | pid | process
  Token: SeDebugPrivilege | 4436 | Purchase Order 781.exe
  Token: SeDebugPrivilege | 4436 | Purchase Order 781.exe
  Token: SeIncreaseQuotaPrivilege | 4032 | vbc.exe
  Token: SeSecurityPrivilege | 4032 | vbc.exe
  Token: SeTakeOwnershipPrivilege | 4032 | vbc.exe
  Token: SeLoadDriverPrivilege | 4032 | vbc.exe
  Token: SeSystemProfilePrivilege | 4032 | vbc.exe
  Token: SeSystemtimePrivilege | 4032 | vbc.exe
  Token: SeProfSingleProcessPrivilege | 4032 | vbc.exe
  Token: SeIncBasePriorityPrivilege | 4032 | vbc.exe
  Token: SeCreatePagefilePrivilege | 4032 | vbc.exe
  Token: SeBackupPrivilege | 4032 | vbc.exe
  Token: SeRestorePrivilege | 4032 | vbc.exe
  Token: SeShutdownPrivilege | 4032 | vbc.exe
  Token: SeDebugPrivilege | 4032 | vbc.exe
  Token: SeSystemEnvironmentPrivilege | 4032 | vbc.exe
  Token: SeChangeNotifyPrivilege | 4032 | vbc.exe
  Token: SeRemoteShutdownPrivilege | 4032 | vbc.exe
  Token: SeUndockPrivilege | 4032 | vbc.exe
  Token: SeManageVolumePrivilege | 4032 | vbc.exe
  Token: SeImpersonatePrivilege | 4032 | vbc.exe
  Token: SeCreateGlobalPrivilege | 4032 | vbc.exe
  Token: 33 | 4032 | vbc.exe
  Token: 34 | 4032 | vbc.exe
  Token: 35 | 4032 | vbc.exe
  Token: 36 | 4032 | vbc.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: vbc.exe
  pid | process
  4032 | vbc.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: Purchase Order 781.exe
  description | pid | process | target process
  PID 4436 wrote to memory of 4032 | 4436 | Purchase Order 781.exe | vbc.exe
  (12 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Purchase Order 781.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order 781.exe"
   - Modifies WinLogon for persistence
   - Checks BIOS information in registry
   - Identifies Wine through registry keys
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (child process of 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4032-116-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize 712KB)
- memory/4032-117-0x000000000048F888-mapping.dmp
- memory/4032-119-0x0000000000560000-0x00000000006AA000-memory.dmp (Filesize 1.3MB)
- memory/4032-118-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize 712KB)
- memory/4436-114-0x0000000000880000-0x0000000000CE0000-memory.dmp (Filesize 4.4MB)
- memory/4436-115-0x0000000004A70000-0x0000000004A71000-memory.dmp (Filesize 4KB)