Analysis
- max time kernel: 121s
- max time network: 190s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 11-08-2021 08:40
Static task: static1
Behavioral task: behavioral1
- Sample: NMDC LTD RTGS Payment Confirmation.exe
- Resource: win7v20210410
General
- Target: NMDC LTD RTGS Payment Confirmation.exe
- Size: 1.3MB
- MD5: 5d06b31229aa680e234485c9fc4c1635
- SHA1: 571f4338a07a2c20c26dbdc66792675b649b1e24
- SHA256: 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569
- SHA512: 0469e235a13691ff5a058469f04085e5410a53ed596b060ebd17dd6aba45be2845e94ab1d75d85e0411c908ab50e1dfbe550b4baae68e96e8fda9b1f8739ec3f
Malware Config
Signatures
-
suricata: ET MALWARE Backdoor.Win32.DarkComet Keepalive Outbound
-
Executes dropped EXE (2 IoCs)
Processes:
  PID 1712  juidyd.exe
  PID 836   juidyd.exe
YARA rule upx matched in process memory (2 IoCs)
Resources:
  behavioral1/memory/836-71-0x0000000000400000-0x00000000004B8000-memory.dmp
  behavioral1/memory/836-75-0x0000000000400000-0x00000000004B8000-memory.dmp
Drops startup file (2 IoCs)
Processes: NMDC LTD RTGS Payment Confirmation.exe (PID 1304)
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juidyd.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juidyd.exe
Loads dropped DLL (2 IoCs)
Processes:
  PID 1304  NMDC LTD RTGS Payment Confirmation.exe
  PID 1304  NMDC LTD RTGS Payment Confirmation.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 1712 (juidyd.exe) set thread context of PID 836 (juidyd.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour", but nothing else in this report supports that reading: the only family detection is the Suricata DarkComet alert, DarkComet is a remote-access trojan, and drive enumeration is a routine host-profiling step for a RAT. Treat this signature as weak, generic evidence on its own.
-
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes: juidyd.exe (PID 836) adjusted the following token privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
  SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
  SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
  SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
  SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege,
  and privilege LUIDs 33, 34, 35 (not resolved to names by the sandbox).
Touching every privilege present in the token in one pass is characteristic of a hard-coded "enable everything" loop rather than of code that needs one specific right; of the set, SeDebugPrivilege is the one that matters for opening and writing other processes.
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  PID 1304  NMDC LTD RTGS Payment Confirmation.exe
  PID 1712  juidyd.exe
  PID 836   juidyd.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  PID 1304 (NMDC LTD RTGS Payment Confirmation.exe) wrote to memory of PID 1712 (juidyd.exe)  x4
  PID 1712 (juidyd.exe) wrote to memory of PID 836 (juidyd.exe)  x8
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\NMDC LTD RTGS Payment Confirmation.exe  (PID 1304)
    command line: "C:\Users\Admin\AppData\Local\Temp\NMDC LTD RTGS Payment Confirmation.exe"
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juidyd.exe  (PID 1712, child of 1304)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juidyd.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juidyd.exe  (PID 836, child of 1712)
            command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juidyd.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Reading the tree: the sample copies itself into the per-user Startup folder (the dropped file's hashes are identical to the sample's), launches that copy, and the copy starts a second instance of itself, writes into it eight times and then calls SetThreadContext on it, which is the usual hollowing sequence. The upx YARA hits on PID 836's region at 0x400000 are consistent with the real payload being unpacked into that second instance; 836 is also the process that adjusts token privileges, and the Suricata DarkComet keepalive alert is the network-side confirmation of what it runs.
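The correlations a triage analyst would want to check from the tables above (Startup-folder drop, parent-to-child writes followed by SetThreadContext on a same-image child, the dropped file being a self-copy, and the size of the UPX-matched region) as a small Python script. This is an added example, not part of the sandbox report or the vendor's tooling: the PIDs, image names, hashes, path, call counts and memory range are copied from the report, while the event records and their field names ("api", "pid", "target", "path") are a constructed log format of my own so the script runs offline.

```python
"""Correlate the behavioural IoCs from the sandbox report above.

Added example; not part of the original report or the sandbox vendor's
tooling. PIDs, images, hashes, path, counts and memory range come from
the report; the event dicts and field names are a constructed format.
"""
import re
from collections import Counter

# Hashes of the submitted sample (General section).
SAMPLE = {
    "md5": "5d06b31229aa680e234485c9fc4c1635",
    "sha1": "571f4338a07a2c20c26dbdc66792675b649b1e24",
    "sha256": "7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569",
}
# Hashes of the dropped file (Downloads section).
DROPPED = {
    "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juidyd.exe",
    "md5": "5d06b31229aa680e234485c9fc4c1635",
    "sha1": "571f4338a07a2c20c26dbdc66792675b649b1e24",
    "sha256": "7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569",
}

# Process tree from the report: image name and parent PID.
PROCESSES = {
    1304: {"image": "NMDC LTD RTGS Payment Confirmation.exe", "parent": None},
    1712: {"image": "juidyd.exe", "parent": 1304},
    836: {"image": "juidyd.exe", "parent": 1712},
}

# Constructed event log mirroring the signature tables: one Startup-folder
# drop, 4 writes from 1304 into 1712, 8 writes plus one SetThreadContext
# from 1712 into 836, and the privilege adjustment inside 836.
EVENTS = (
    [{"api": "CreateFile", "pid": 1304, "path": DROPPED["path"]}]
    + [{"api": "WriteProcessMemory", "pid": 1304, "target": 1712}] * 4
    + [{"api": "WriteProcessMemory", "pid": 1712, "target": 836}] * 8
    + [{"api": "SetThreadContext", "pid": 1712, "target": 836}]
    + [{"api": "AdjustPrivilegeToken", "pid": 836, "privilege": "SeDebugPrivilege"}]
)

STARTUP_MARKER = "\\start menu\\programs\\startup\\"  # per-user Startup folder


def is_self_copy(sample: dict, dropped: dict) -> bool:
    """True when the dropped file carries exactly the sample's hashes."""
    return all(sample[h] == dropped[h] for h in ("md5", "sha1", "sha256"))


def startup_drops(events: list) -> list:
    """Paths created inside a Startup folder (run-at-logon persistence)."""
    return [e["path"] for e in events
            if e["api"] == "CreateFile" and STARTUP_MARKER in e["path"].lower()]


def hollowing_candidates(events: list, processes: dict) -> list:
    """(parent, child, write_count) for each parent that wrote into a child
    it spawned, then redirected a thread of it with SetThreadContext, where
    both run the same image. Parent->child writes on their own are not
    reported: they also occur during ordinary process creation."""
    writes = Counter((e["pid"], e["target"]) for e in events
                     if e["api"] == "WriteProcessMemory")
    redirected = {(e["pid"], e["target"]) for e in events
                  if e["api"] == "SetThreadContext"}
    hits = []
    for parent, child in redirected:
        same_image = processes[child]["image"] == processes[parent]["image"]
        if processes[child]["parent"] == parent and same_image and writes[(parent, child)]:
            hits.append((parent, child, writes[(parent, child)]))
    return sorted(hits)


REGION_RE = re.compile(r"0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)")


def region_size_kb(dump_name: str) -> int:
    """Size in KB of the address range encoded in a sandbox dump name."""
    start, end = (int(x, 16) for x in REGION_RE.search(dump_name).groups())
    return (end - start) // 1024


if __name__ == "__main__":
    print("dropped file is a self-copy:", is_self_copy(SAMPLE, DROPPED))
    print("startup persistence:", startup_drops(EVENTS))
    print("hollowing candidates:", hollowing_candidates(EVENTS, PROCESSES))
    print("upx region size (KB):", region_size_kb(
        "memory/836-71-0x0000000000400000-0x00000000004B8000-memory.dmp"))
```

The 1304 to 1712 edge is deliberately not flagged: it has writes but no SetThreadContext and the images differ, which is what separates a plain child launch from the 1712 to 836 hollowing pattern. On a live host the same three facts can be pulled from the Startup folder listing, the hashes of what it contains, and an EDR's cross-process write and thread-context telemetry.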
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juidyd.exe
MD5    5d06b31229aa680e234485c9fc4c1635
SHA1   571f4338a07a2c20c26dbdc66792675b649b1e24
SHA256 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569
SHA512 0469e235a13691ff5a058469f04085e5410a53ed596b060ebd17dd6aba45be2845e94ab1d75d85e0411c908ab50e1dfbe550b4baae68e96e8fda9b1f8739ec3f
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juidyd.exe
MD5    5d06b31229aa680e234485c9fc4c1635
SHA1   571f4338a07a2c20c26dbdc66792675b649b1e24
SHA256 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569
SHA512 0469e235a13691ff5a058469f04085e5410a53ed596b060ebd17dd6aba45be2845e94ab1d75d85e0411c908ab50e1dfbe550b4baae68e96e8fda9b1f8739ec3f
All four hashes match the submitted sample exactly: juidyd.exe is a byte-for-byte copy of NMDC LTD RTGS Payment Confirmation.exe, so the persistence artefact in the Startup folder can be hunted with the sample's own hashes.
-
memory/836-71-0x0000000000400000-0x00000000004B8000-memory.dmp   Filesize 736KB
-
memory/836-72-0x00000000004B67B0-mapping.dmp
-
memory/836-76-0x0000000000240000-0x0000000000241000-memory.dmp   Filesize 4KB
-
memory/836-75-0x0000000000400000-0x00000000004B8000-memory.dmp   Filesize 736KB
-
memory/1304-62-0x0000000075551000-0x0000000075553000-memory.dmp  Filesize 8KB
-
memory/1712-65-0x0000000000000000-mapping.dmp
The two 736KB dumps of PID 836 cover the same 0x400000-0x4B8000 range (0xB8000 bytes, the default 32-bit image base) and are the regions that matched the upx YARA rule; they are the dumps to start from when pulling the unpacked payload.