Analysis
- max time kernel: 138s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-08-2021 09:04
- Static task: static1
- Behavioral task: behavioral1
- Sample: NMDC LTD RTGS Payment Confirmation.exe
- Resource: win7v20210410
General
- Target: NMDC LTD RTGS Payment Confirmation.exe
- Size: 1.3MB
- MD5: 5d06b31229aa680e234485c9fc4c1635
- SHA1: 571f4338a07a2c20c26dbdc66792675b649b1e24
- SHA256: 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569
- SHA512: 0469e235a13691ff5a058469f04085e5410a53ed596b060ebd17dd6aba45be2845e94ab1d75d85e0411c908ab50e1dfbe550b4baae68e96e8fda9b1f8739ec3f
Malware Config
Signatures
- suricata: ET MALWARE Backdoor.Win32.DarkComet Keepalive Inbound
- suricata: ET MALWARE Backdoor.Win32.DarkComet Keepalive Outbound
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  2520  juidyd.exe
  3020  juidyd.exe

Processes (yara rule matches):
  resource                                                                       yara_rule
  behavioral2/memory/3020-121-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
  behavioral2/memory/3020-124-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
Drops startup file (2 IoCs)
Processes:
  description                   ioc                                                                                     process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juidyd.exe  NMDC LTD RTGS Payment Confirmation.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juidyd.exe  NMDC LTD RTGS Payment Confirmation.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process     target process
  PID 2520 set thread context of 3020  2520  juidyd.exe  juidyd.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
  description                          pid   process
  Token: SeIncreaseQuotaPrivilege      3020  juidyd.exe
  Token: SeSecurityPrivilege           3020  juidyd.exe
  Token: SeTakeOwnershipPrivilege      3020  juidyd.exe
  Token: SeLoadDriverPrivilege         3020  juidyd.exe
  Token: SeSystemProfilePrivilege      3020  juidyd.exe
  Token: SeSystemtimePrivilege         3020  juidyd.exe
  Token: SeProfSingleProcessPrivilege  3020  juidyd.exe
  Token: SeIncBasePriorityPrivilege    3020  juidyd.exe
  Token: SeCreatePagefilePrivilege     3020  juidyd.exe
  Token: SeBackupPrivilege             3020  juidyd.exe
  Token: SeRestorePrivilege            3020  juidyd.exe
  Token: SeShutdownPrivilege           3020  juidyd.exe
  Token: SeDebugPrivilege              3020  juidyd.exe
  Token: SeSystemEnvironmentPrivilege  3020  juidyd.exe
  Token: SeChangeNotifyPrivilege       3020  juidyd.exe
  Token: SeRemoteShutdownPrivilege     3020  juidyd.exe
  Token: SeUndockPrivilege             3020  juidyd.exe
  Token: SeManageVolumePrivilege       3020  juidyd.exe
  Token: SeImpersonatePrivilege        3020  juidyd.exe
  Token: SeCreateGlobalPrivilege       3020  juidyd.exe
  Token: 33                            3020  juidyd.exe
  Token: 34                            3020  juidyd.exe
  Token: 35                            3020  juidyd.exe
  Token: 36                            3020  juidyd.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  pid   process
  4084  NMDC LTD RTGS Payment Confirmation.exe
  2520  juidyd.exe
  3020  juidyd.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description                    pid   process                                 target process
  PID 4084 wrote to memory of 2520  4084  NMDC LTD RTGS Payment Confirmation.exe  juidyd.exe
  PID 4084 wrote to memory of 2520  4084  NMDC LTD RTGS Payment Confirmation.exe  juidyd.exe
  PID 4084 wrote to memory of 2520  4084  NMDC LTD RTGS Payment Confirmation.exe  juidyd.exe
  PID 2520 wrote to memory of 3020  2520  juidyd.exe                              juidyd.exe
  PID 2520 wrote to memory of 3020  2520  juidyd.exe                              juidyd.exe
  PID 2520 wrote to memory of 3020  2520  juidyd.exe                              juidyd.exe
  PID 2520 wrote to memory of 3020  2520  juidyd.exe                              juidyd.exe
  PID 2520 wrote to memory of 3020  2520  juidyd.exe                              juidyd.exe
  PID 2520 wrote to memory of 3020  2520  juidyd.exe                              juidyd.exe
  PID 2520 wrote to memory of 3020  2520  juidyd.exe                              juidyd.exe
  PID 2520 wrote to memory of 3020  2520  juidyd.exe                              juidyd.exe
Processes (tree, parent to child)
- C:\Users\Admin\AppData\Local\Temp\NMDC LTD RTGS Payment Confirmation.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NMDC LTD RTGS Payment Confirmation.exe"
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juidyd.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juidyd.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juidyd.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juidyd.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juidyd.exe
  MD5: 5d06b31229aa680e234485c9fc4c1635
  SHA1: 571f4338a07a2c20c26dbdc66792675b649b1e24
  SHA256: 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569
  SHA512: 0469e235a13691ff5a058469f04085e5410a53ed596b060ebd17dd6aba45be2845e94ab1d75d85e0411c908ab50e1dfbe550b4baae68e96e8fda9b1f8739ec3f
- memory/2520-116-0x0000000000000000-mapping.dmp
- memory/3020-121-0x0000000000400000-0x00000000004B8000-memory.dmp
  Filesize: 736KB
- memory/3020-122-0x00000000004B67B0-mapping.dmp
- memory/3020-124-0x0000000000400000-0x00000000004B8000-memory.dmp
  Filesize: 736KB
- memory/3020-125-0x0000000000A80000-0x0000000000A81000-memory.dmp
  Filesize: 4KB