Analysis
- max time kernel: 149s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 24-05-2021 09:07
- Static task: static1
- URLScan task: urlscan1
- Sample: https://bit.ly/34b1IGn
Malware Config
Extracted
- Family: darkcomet
- Version: May 2021
- C2:
  - bonding79.ddns.net:3316
  - goodgt79.ddns.net:3316
  - whatis79.ddns.net:3316
  - smath79.ddns.net:3316
  - jacknop79.ddns.net:3316
  - chrisle79.ddns.net:3316
- Mutex: DC_MUTEX-PPMNGQA
- Attributes:
  - gencode: AUQYBsRj2TWk
  - install: false
  - offline_keylogger: true
  - password: Password20$
  - persistence: false
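The extracted configuration above is the most reusable part of the report: six DDNS C2 names on one port, a build-specific mutex and the attribute flags. The following is an added example (not code from the report or from any sandbox vendor) that parses that block into structured indicators and runs them over constructed DNS-log lines and mutex handle names. The config text is the report's, with each attribute's name and value on one line; the log lines and handle names are made up for the demonstration. The seven-character DC_MUTEX- shape is the DarkComet builder's default and is treated here as an assumption: operators can rename the mutex, so the family-level match is a hint, not proof.

```python
"""
Added example, not part of the sandbox report: parse the extracted DarkComet
config into indicators and match them against constructed DNS-log lines and
mutex names. Hostnames are matched rather than IPs: these are DDNS names whose
addresses change, so the name is the stable indicator.
"""
import re
from dataclasses import dataclass, field

# The report's config block, one attribute per line (as it reads on the page).
REPORT_CONFIG = """
darkcomet
May 2021
bonding79.ddns.net:3316
goodgt79.ddns.net:3316
whatis79.ddns.net:3316
smath79.ddns.net:3316
jacknop79.ddns.net:3316
chrisle79.ddns.net:3316
DC_MUTEX-PPMNGQA
gencode AUQYBsRj2TWk
install false
offline_keylogger true
password Password20$
persistence false
"""

KNOWN_ATTRS = {"gencode", "install", "offline_keylogger", "password", "persistence"}
# Assumption: the builder default is DC_MUTEX- plus seven upper-case alphanumerics.
# Matching the shape catches other builds; matching the full name catches this one.
DC_MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")


@dataclass
class DarkCometIndicators:
    family: str = ""
    version: str = ""
    c2: list = field(default_factory=list)        # (hostname, port)
    mutex: str = ""
    attributes: dict = field(default_factory=dict)


def parse_config(text: str) -> DarkCometIndicators:
    """Turn the 'Extracted' block into structured indicators."""
    ind = DarkCometIndicators()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue                                  # blanks and the page's '-' separators
        if line == "darkcomet":
            ind.family = line
        elif (m := re.fullmatch(r"([A-Za-z0-9.-]+):(\d{1,5})", line)):
            ind.c2.append((m.group(1).lower(), int(m.group(2))))
        elif DC_MUTEX_RE.match(line):
            ind.mutex = line
        elif (m := re.fullmatch(r"(\w+)\s+(\S+)", line)) and m.group(1) in KNOWN_ATTRS:
            ind.attributes[m.group(1)] = m.group(2)
        elif not ind.version:
            ind.version = line                        # free-text campaign tag ("May 2021")
    return ind


def match_dns(ind: DarkCometIndicators, lines: list) -> list:
    """Flag DNS queries for a C2 name or for any label beneath it."""
    names = {host for host, _ in ind.c2}
    hits = []
    for line in lines:
        m = re.search(r"query=(\S+)", line)
        if not m:
            continue
        q = m.group(1).lower().rstrip(".")
        if q in names or any(q.endswith("." + n) for n in names):
            hits.append(line)
    return hits


def match_mutexes(ind: DarkCometIndicators, handle_names: list) -> list:
    """Return (handle, confidence) for mutex handles that look like DarkComet's."""
    out = []
    for name in handle_names:
        leaf = name.rsplit("\\", 1)[-1]
        if leaf == ind.mutex:
            out.append((name, "this build"))
        elif DC_MUTEX_RE.match(leaf):
            out.append((name, "DarkComet family"))
    return out


DNS_LOG = [   # constructed sample lines, not from the report
    "2021-05-24T09:08:01Z client=10.0.0.21 query=bonding79.ddns.net type=A",
    "2021-05-24T09:08:02Z client=10.0.0.21 query=www.microsoft.com type=A",
    "2021-05-24T09:09:15Z client=10.0.0.33 query=JACKNOP79.DDNS.NET. type=A",
    "2021-05-24T09:10:00Z client=10.0.0.40 query=notbonding79.ddns.net type=A",
]
MUTEX_HANDLES = [   # constructed sample handle names, not from the report
    r"\Sessions\1\BaseNamedObjects\DC_MUTEX-PPMNGQA",
    r"\BaseNamedObjects\DC_MUTEX-K3A9QZ1",
    r"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex",
]

if __name__ == "__main__":
    ind = parse_config(REPORT_CONFIG)
    print(ind)
    print(match_dns(ind, DNS_LOG))
    print(match_mutexes(ind, MUTEX_HANDLES))
```

Port 3316 is deliberately not used as an indicator on its own: a bare port number on a DDNS-hosted C2 is too weak to alert on, whereas the hostnames and the mutex name are specific to this build.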
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: Purchase Order 781.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k6l50Mr8Exu7gS7Z\\f5e1kBrX7EB0.exe\",explorer.exe" (Purchase Order 781.exe)
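The Shell value above is a comma-separated program list: the sample prepends its own copy under AppData\Roaming and keeps explorer.exe so the desktop still appears at logon. Note that the extracted config reports install false and persistence false while the sandbox nevertheless recorded this modification, so an audit should key on observed registry state rather than on config flags. The following is an added example (not part of the report) that decodes the value exactly as the report prints it (JSON-escaped REG_SZ data), splits it the way Winlogon does, and flags entries that are not the default shell. The modified value lives under a user SID, so the audit walks a mapping of hive name to value; the HKLM and second-user values are constructed controls.

```python
"""
Added example, not from the report: audit Winlogon\Shell values as the IoC
above shows them. REPORT_SHELL_VALUE is the report's own string; the other
hive values are constructed controls.
"""
import csv
import io
import json
import ntpath

DEFAULT_SHELL = "explorer.exe"
# The only forms of the default shell entry accepted as legitimate.
ALLOWED_ENTRIES = {DEFAULT_SHELL, r"c:\windows\explorer.exe", r"%systemroot%\explorer.exe"}
# Directories a standard user can write to; a shell entry living there is never legitimate.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

REPORT_SHELL_VALUE = r'"\"C:\\Users\\Admin\\AppData\\Roaming\\k6l50Mr8Exu7gS7Z\\f5e1kBrX7EB0.exe\",explorer.exe"'


def decode_report_value(escaped: str) -> str:
    """The report prints REG_SZ data as a JSON-escaped string; undo that escaping."""
    return json.loads(escaped)


def split_shell_value(value: str) -> list:
    """Winlogon\\Shell is a comma-separated program list; quoted entries may contain commas or spaces."""
    reader = csv.reader(io.StringIO(value), delimiter=",", quotechar='"', skipinitialspace=True)
    row = next(reader, [])
    return [entry.strip() for entry in row if entry.strip()]


def audit_shell_value(hive: str, value: str) -> list:
    """Return one finding per shell entry that is not the stock explorer.exe."""
    findings = []
    for entry in split_shell_value(value):
        low = entry.lower()
        if low in ALLOWED_ENTRIES:
            continue
        reason = "non-default shell entry"
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            reason = "shell entry in user-writable location"
        elif ntpath.basename(low) == DEFAULT_SHELL:
            reason = "explorer.exe impersonated from non-system path"
        findings.append({"hive": hive, "entry": entry, "reason": reason})
    return findings


def audit_all_hives(hives: dict) -> list:
    """hives maps HKLM or a user SID to that hive's Winlogon\\Shell data.
    The sample wrote the per-user value, so every loaded user hive must be read,
    not just HKLM."""
    findings = []
    for hive, value in hives.items():
        findings.extend(audit_shell_value(hive, value))
    return findings


# Constructed sample: HKLM untouched, the infected user's hive as in the report, a clean second user.
SAMPLE_HIVES = {
    "HKLM": "explorer.exe",
    "S-1-5-21-3686645723-710336880-414668232-1000": decode_report_value(REPORT_SHELL_VALUE),
    "S-1-5-21-3686645723-710336880-414668232-1001": "explorer.exe",   # constructed
}

if __name__ == "__main__":
    for finding in audit_all_hives(SAMPLE_HIVES):
        print(finding)
```

On a live host the dictionary would be filled from HKLM and from every key under HKEY_USERS that has a Software\Microsoft\Windows NT\CurrentVersion\Winlogon subkey; the logic above is the part worth getting right, because a naive basename check would wave through an explorer.exe planted in AppData.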
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: Purchase Order 781.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Purchase Order 781.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Purchase Order 781.exe)
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: Purchase Order 781.exe
- Key opened: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Wine (Purchase Order 781.exe)
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes: Purchase Order 781.exe
- PID 2292 (Purchase Order 781.exe) set thread context of PID 3328 (vbc.exe)
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
Processes: iexplore.exe
- Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\PhishingFilter (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 339704ea112ed701 (iexplore.exe)
Modifies Internet Explorer settings 44 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
All keys below are relative to \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer.
- Set value (int): VersionManager\LastTTLLowDateTime = "1251635200" (iexplore.exe)
- Key created: DomainSuggestion\FileNames\ (iexplore.exe)
- Key created: DomainSuggestion\FileNames (iexplore.exe)
- Set value (data): FlipAhead\Meta\generator$Telligent (iexplore.exe)
- Key created: Main\WindowsSearch (iexplore.exe)
- Key created: MINIE (iexplore.exe)
- Set value (int): VersionManager\LastUpdateHighDateTime = "30888060" (iexplore.exe)
- Set value (int): DomainSuggestion\NextUpdateDate = "328612467" (iexplore.exe)
- Set value (data): FlipAhead\Meta\generator$vBulletin 3 (iexplore.exe)
- Set value (data): FlipAhead\Meta\generator$WordPress (iexplore.exe)
- Set value (str): Main\FullScreen = "no" (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Set value (int): MINIE\TabBandWidth = "500" (iexplore.exe)
- Set value (str): RepId\PublicId = "{6E7AF5E2-D78C-4C4A-977F-CBC91FB74A64}" (iexplore.exe)
- Set value (int): VersionManager\LastCheckForUpdateLowDateTime = "3701446062" (iexplore.exe)
- Set value (int): VersionManager\LastCheckForUpdateHighDateTime = "30888060" (iexplore.exe)
- Key created: VersionManager (IEXPLORE.EXE)
- Key created: DomainSuggestion (iexplore.exe)
- Set value (data): FlipAhead\Meta\generator$vBulletin 4 (iexplore.exe)
- Key created: Recovery\PendingRecovery (iexplore.exe)
- Key created: RepId (iexplore.exe)
- Key created: Recovery\AdminActive (iexplore.exe)
- Set value (int): Recovery\AdminActive\{07E9D37F-BC70-11EB-A11C-46584878C9AA} = "0" (iexplore.exe)
- Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Key created: Main (IEXPLORE.EXE)
- Set value (int): VersionManager\LastUpdateLowDateTime = "3701446062" (iexplore.exe)
- Set value (int): VersionManager\LastCheckForUpdateLowDateTime = "3711289868" (IEXPLORE.EXE)
- Key created: Main (iexplore.exe)
- Set value (int): Main\CompatibilityFlags = "0" (iexplore.exe)
- Key created: HistoryJournalCertificate (iexplore.exe)
- Set value (int): HistoryJournalCertificate\NextUpdateDate = "328629061" (iexplore.exe)
- Key created: FlipAhead (iexplore.exe)
- Set value (data): FlipAhead\Meta\generator$Discuz! (iexplore.exe)
- Key created: FlipAhead\Meta (iexplore.exe)
- Set value (str): Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Key created: VersionManager (iexplore.exe)
- Set value (data): FlipAhead\Meta\generator$MediaWiki (iexplore.exe)
- Set value (data): FlipAhead\Meta\generator$http://www.typepad.com/ (iexplore.exe)
- Set value (int): FlipAhead\FileVersion = "2016061511" (iexplore.exe)
- Set value (int): VersionManager\LastTTLHighDateTime = "50" (iexplore.exe)
- Set value (str): DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
- Set value (int): FlipAhead\NextUpdateDate = "328661053" (iexplore.exe)
- Set value (int): VersionManager\LastCheckForUpdateHighDateTime = "30888060" (IEXPLORE.EXE)
- Set value (data): FlipAhead\Meta\generator$blogger (iexplore.exe)
Modifies registry class 1 IoCs
Processes: iexplore.exe
- Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings (iexplore.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: Purchase Order 781.exe
- PID 2292 (Purchase Order 781.exe), 2 IoCs
Suspicious use of AdjustPrivilegeToken 26 IoCs
Processes: Purchase Order 781.exe, vbc.exe
- PID 2292 (Purchase Order 781.exe), 2 IoCs: SeDebugPrivilege, SeDebugPrivilege
- PID 3328 (vbc.exe), 24 IoCs: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: iexplore.exe
- PID 1968 (iexplore.exe), 2 IoCs
Suspicious use of SetWindowsHookEx 5 IoCs
Processes: iexplore.exe, IEXPLORE.EXE, vbc.exe
- PID 1968 (iexplore.exe), 2 IoCs
- PID 1816 (IEXPLORE.EXE), 2 IoCs
- PID 3328 (vbc.exe), 1 IoC
Suspicious use of WriteProcessMemory 15 IoCs
Processes: iexplore.exe, Purchase Order 781.exe
- PID 1968 (iexplore.exe) wrote to memory of PID 1816 (IEXPLORE.EXE), 3 IoCs
- PID 2292 (Purchase Order 781.exe) wrote to memory of PID 3328 (vbc.exe), 12 IoCs
Processes
- C:\Program Files\Internet Explorer\iexplore.exe (PID 1968)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/34b1IGn
  Signatures: Modifies Internet Explorer Phishing Filter; Modifies Internet Explorer settings; Modifies registry class; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1816, child of 1968)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1968 CREDAT:82945 /prefetch:2
    Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\AppData\Local\Temp\Temp1_Purchase_Order_781.zip\Purchase Order 781.exe (PID 2292)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_Purchase_Order_781.zip\Purchase Order 781.exe"
  Signatures: Modifies WinLogon for persistence; Checks BIOS information in registry; Identifies Wine through registry keys; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3328, child of 2292)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
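The process tree, the SetThreadContext signature and the twelve WriteProcessMemory calls from PID 2292 into PID 3328 together describe one technique: the dropper starts vbc.exe (the Visual Basic .NET compiler under Microsoft.NET\Framework\v2.0.50727, launched here with no arguments at all), overwrites its memory and redirects its thread, after which the DarkComet payload runs inside a signed Microsoft binary and enables its privileges and keyboard hook from there. The following is an added example (not code from the report) of a rule over process-creation and API events that scores exactly that combination. Event records are constructed from the PIDs and image paths on this page; the parent PIDs and the msbuild.exe control case are made up, and the browser's own WriteProcessMemory calls into its child (1968 into 1816, no SetThreadContext) are included to show the rule does not fire on them.

```python
"""
Added example, not part of the sandbox report: detect the
create-child / WriteProcessMemory / SetThreadContext hollowing pattern seen
between "Purchase Order 781.exe" (PID 2292) and vbc.exe (PID 3328).
Events are constructed; parent PIDs and the MSBuild control case are invented.
"""
import ntpath
from collections import defaultdict

# Signed .NET binaries commonly used as hollowing hosts.
HOLLOW_TARGETS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Parents that legitimately spawn the compilers.
BUILD_HOSTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}


def image_name(path: str) -> str:
    return ntpath.basename(path.strip('"')).lower()


def has_no_arguments(cmdline: str, image: str) -> bool:
    """True when the command line is nothing but the image path (quoted or not)."""
    return cmdline.strip().strip('"').lower() == image.strip('"').lower()


def detect_hollowing(events: list) -> list:
    """Correlate process_create and api events; return one finding per hollowed child."""
    procs, writes, contexts = {}, defaultdict(int), []
    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = ev
        elif ev["type"] == "api" and ev["api"] == "WriteProcessMemory":
            writes[(ev["pid"], ev["target"])] += 1
        elif ev["type"] == "api" and ev["api"] == "SetThreadContext":
            contexts.append((ev["pid"], ev["target"]))

    findings = []
    for src, dst in contexts:
        if src == dst or writes[(src, dst)] == 0:
            continue  # context changes without prior cross-process writes are not hollowing
        parent, child = procs.get(src), procs.get(dst)
        if parent is None or child is None or child["ppid"] != src:
            continue  # only score a parent overwriting a child it created itself
        p, c = image_name(parent["image"]), image_name(child["image"])
        score = 1
        reasons = ["cross-process WriteProcessMemory followed by SetThreadContext"]
        if has_no_arguments(child["cmdline"], child["image"]):
            score += 1
            reasons.append("child started with no arguments")
        if c in HOLLOW_TARGETS and p not in BUILD_HOSTS:
            score += 1
            reasons.append(f"{c} spawned by non-build-host {p}")
        findings.append({"parent_pid": src, "child_pid": dst, "parent": p, "child": c,
                         "writes": writes[(src, dst)], "score": score, "reasons": reasons})
    return findings


PO = r"C:\Users\Admin\AppData\Local\Temp\Temp1_Purchase_Order_781.zip\Purchase Order 781.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"   # constructed control case

SAMPLE_EVENTS = (
    [{"type": "process_create", "pid": 1968, "ppid": 1000, "image": IE64,
      "cmdline": f'"{IE64}" https://bit.ly/34b1IGn'},
     {"type": "process_create", "pid": 1816, "ppid": 1968, "image": IE32,
      "cmdline": f'"{IE32}" SCODEF:1968 CREDAT:82945 /prefetch:2'}]
    + [{"type": "api", "api": "WriteProcessMemory", "pid": 1968, "target": 1816}] * 3
    + [{"type": "process_create", "pid": 2292, "ppid": 1000, "image": PO, "cmdline": f'"{PO}"'},
       {"type": "process_create", "pid": 3328, "ppid": 2292, "image": VBC, "cmdline": f'"{VBC}"'}]
    + [{"type": "api", "api": "WriteProcessMemory", "pid": 2292, "target": 3328}] * 12
    + [{"type": "api", "api": "SetThreadContext", "pid": 2292, "target": 3328},
       # benign control: a real build passes a response file and never touches the child's context
       {"type": "process_create", "pid": 4000, "ppid": 1000, "image": MSBUILD,
        "cmdline": f'"{MSBUILD}" proj.vbproj'},
       {"type": "process_create", "pid": 4001, "ppid": 4000, "image": VBC,
        "cmdline": f'"{VBC}" /noconfig @C:\\Temp\\tmp1.cmdline'}]
)

if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_EVENTS):
        print(finding)
```

The memory dumps further down corroborate the verdict: the 712KB region at 0x400000 in PID 3328 is not the on-disk vbc.exe image, and the mapping at 0x48F888 inside it is where the redirected thread resumes.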
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: ec3d35056ed319ebf029273ad7b05ec0
  SHA1: d17853eb8dea282d84488c41ee79235d4de17e4c
  SHA256: 1cc39ee9114987433d0e92ff39c7972245eaa0b8d2378bce66b0567dbf2e53eb
  SHA512: ad21c9130a9b77b05366cc52d6c6008aae2e05bd3f52e31104ba777fd302467101c29ffda94d26f28b808aa585606f2e0d6c39bce9903d894f812900655c35f7
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: d1a9c3e131945d8f541f9578cf91dc7e
  SHA1: 93288e87dcf156fe55478a832637e572d209a442
  SHA256: f1c585aba7454ec1d49f583788a1b88e76d0e44fbcec2818e3738d33a832148d
  SHA512: 10bbcb973a7bc103f418dc818c50f037d1088cf5455e53ad482958dceb8003567bd5921e208630f4276e42f3313c03b94a64c22822bc77404275db18aac2d762
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U0EJMF7X\Purchase_Order_781.zip.ifshtii.partial
  MD5: 244bd3926f2173d3afc03dc30911bd0f
  SHA1: 906ed2a55f4dcae21221e9b99e0b8ba321176d94
  SHA256: e1239f00d096ca7c112ae7e0c4f6a2d622b5d59b4702c80fc62b25c83c733473
  SHA512: 35c1fa37f45a4d3873a9f288f84761d03bd65d98d01a6c3a6f816cc981f77373f8045c8508b8978b04aae93c6cf2b983fa1bc2b0b7a8cc53f74c8c5a664fddd6
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\008Z630D.cookie
  MD5: c736ae0c49719abc35c82d3ef84efe80
  SHA1: fa52d53fe0d8c211bd689d3d94d8a09bb3097844
  SHA256: 8eb4a3e5b21feb5e69d776b499e6796707650fbf4dc6883e40fb2a106300211b
  SHA512: 0941c29bdd588e9008546f520f35fd633f848f8f15daaf15c6579f26c957cc7fde6978b43a918e80a430350d6b5e4523529e318ea5eb4c1955af365ec149bdd9
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\AZVKYRIG.cookie
  MD5: ab4334a439b097a58025443cc4e3b002
  SHA1: f361320f842cf1a8c770c981c2489410d2eb5953
  SHA256: ea91f36fa4f42c3889f67d36ed4d4e8d741cb46f21701f391c6c4dbc1f76dfc8
  SHA512: 8f681416ff180e0043871cea0752d2b65a31a6dda82cfd60a6d990932b5dc881d49005b8feacc90a987e8b3a257f9599e5ebceeec3f8b8bd5ee881c6b693802d
Memory dumps
- memory/1816-115-0x0000000000000000-mapping.dmp
- memory/1968-114-0x00007FFC1B3D0000-0x00007FFC1B43B000-memory.dmp (Filesize: 428KB)
- memory/2292-118-0x00000000050E0000-0x00000000050E1000-memory.dmp (Filesize: 4KB)
- memory/2292-117-0x0000000000D90000-0x00000000011F0000-memory.dmp (Filesize: 4.4MB)
- memory/3328-121-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/3328-123-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/3328-124-0x0000000002230000-0x0000000002231000-memory.dmp (Filesize: 4KB)
- memory/3328-122-0x000000000048F888-mapping.dmp