Analysis
- max time kernel: 151s
- max time network: 137s
- platform: windows7_x64
- resource: win7-en-20210916
- submitted: 17-09-2021 13:32
Static task: static1
Behavioral task: behavioral1
- Sample: Purchase Order 461.exe
- Resource: win7-en-20210916
Behavioral task: behavioral2
- Sample: Purchase Order 461.exe
- Resource: win10v20210408
General
- Target: Purchase Order 461.exe
- Size: 2.0MB
- MD5: f88cdbcb740a75972cfef27692239991
- SHA1: fcdaed8c771069c111afb78bd1d2ebaeb28a6688
- SHA256: b6191c6a038f6d49e6941f00ded6a45cf3050ff0a2ecea3a3b3b462dc580f352
- SHA512: 44265899cd6915a0c637496598b1110f81a3a1a42d5c2c77137bb7745663335f0dc48fa184632226d18294da23a354780009386d6dd6613ad605b5021ff1d8b3
Malware Config
Extracted
- darkcomet
- SeptemBER 2021
- bonding79.ddns.net:3316
- goodgt79.ddns.net:3316
- whatis79.ddns.net:3316
- smath79.ddns.net:3316
- jacknop79.ddns.net:3316
- chrisle79.ddns.net:3316
- DC_MUTEX-6JQTXC0
- gencode: cVaduGzs7zFu
- install: false
- offline_keylogger: true
- password: Password20$
- persistence: false
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: Purchase Order 461.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\yISM0wdU8nvQZS6R\\G8LO56BAxqme.exe\",explorer.exe" | Purchase Order 461.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: Purchase Order 461.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Purchase Order 461.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Purchase Order 461.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: Purchase Order 461.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Wine | Purchase Order 461.exe
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Purchase Order 461.exe
  description | pid | process | target process
  PID 1188 set thread context of 1808 | 1188 | Purchase Order 461.exe | vbc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: Purchase Order 461.exe
  pid | process
  1188 | Purchase Order 461.exe
  1188 | Purchase Order 461.exe
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Processes: Purchase Order 461.exe, vbc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1188 | Purchase Order 461.exe
  Token: SeDebugPrivilege | 1188 | Purchase Order 461.exe
  Token: SeIncreaseQuotaPrivilege | 1808 | vbc.exe
  Token: SeSecurityPrivilege | 1808 | vbc.exe
  Token: SeTakeOwnershipPrivilege | 1808 | vbc.exe
  Token: SeLoadDriverPrivilege | 1808 | vbc.exe
  Token: SeSystemProfilePrivilege | 1808 | vbc.exe
  Token: SeSystemtimePrivilege | 1808 | vbc.exe
  Token: SeProfSingleProcessPrivilege | 1808 | vbc.exe
  Token: SeIncBasePriorityPrivilege | 1808 | vbc.exe
  Token: SeCreatePagefilePrivilege | 1808 | vbc.exe
  Token: SeBackupPrivilege | 1808 | vbc.exe
  Token: SeRestorePrivilege | 1808 | vbc.exe
  Token: SeShutdownPrivilege | 1808 | vbc.exe
  Token: SeDebugPrivilege | 1808 | vbc.exe
  Token: SeSystemEnvironmentPrivilege | 1808 | vbc.exe
  Token: SeChangeNotifyPrivilege | 1808 | vbc.exe
  Token: SeRemoteShutdownPrivilege | 1808 | vbc.exe
  Token: SeUndockPrivilege | 1808 | vbc.exe
  Token: SeManageVolumePrivilege | 1808 | vbc.exe
  Token: SeImpersonatePrivilege | 1808 | vbc.exe
  Token: SeCreateGlobalPrivilege | 1808 | vbc.exe
  Token: 33 | 1808 | vbc.exe
  Token: 34 | 1808 | vbc.exe
  Token: 35 | 1808 | vbc.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: vbc.exe
  pid | process
  1808 | vbc.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: Purchase Order 461.exe
  description | pid | process | target process
  PID 1188 wrote to memory of 1808 | 1188 | Purchase Order 461.exe | vbc.exe (13 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Purchase Order 461.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order 461.exe"
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1188-53-0x0000000076291000-0x0000000076293000-memory.dmp (Filesize: 8KB)
- memory/1188-54-0x0000000000EA0000-0x00000000012F0000-memory.dmp (Filesize: 4.3MB)
- memory/1188-55-0x0000000004570000-0x0000000004571000-memory.dmp (Filesize: 4KB)
- memory/1808-56-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1808-57-0x000000000048F888-mapping.dmp
- memory/1808-60-0x0000000000250000-0x0000000000251000-memory.dmp (Filesize: 4KB)
- memory/1808-59-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)