Analysis

- max time kernel: 150s
- max time network: 153s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 05-10-2021 14:29

Static task: static1
Behavioral task: behavioral1
- Sample: 79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe
- Resource: win10v20210408
General

- Target: 79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe
- Size: 544KB
- MD5: 70370dcb2ad41fb78d0439236518c6c2
- SHA1: 35d86808ab71511ca0aaf5268dad6644718d3eb3
- SHA256: 79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0
- SHA512: 7d697c6a89c0b9b7eb57ba4df5feba4aeac410187187ab67779f8f300eb7f908925df62ef9b11923337f55b4a805ef68c719432caa3c880d1d26c63cd35fb0ee
Malware Config

Extracted
- Family: darkcomet
- ID: Guest16 (the DarkComet default server/campaign ID, i.e. the operator left it unchanged)
- C2:
  - sommerishere.sytes.net:1678
  - ommerishere.sytes.net:1678
  - ommerishere.sytes.net:1679
- Mutex: DC_MUTEX-3YA4GBR
- gencode: C8EBUD2QBFHF
- install: false
- offline_keylogger: true
- password: likethat@123 (the DarkComet C2 traffic password)
- persistence: false

The three C2 entries are reproduced as extracted: all sit on the same dynamic-DNS domain (sytes.net), and the second and third differ from the first only by a dropped leading "s" in the hostname, so do not assume all three resolve. Note also that install and persistence both read false, yet the behavioural run shows the sample copying itself to C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe and registering Run keys; treat the config flags as indicative and the observed behaviour as authoritative.
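The "Extracted" block above is what a DarkComet config decoder produces from the settings embedded in the binary. The following Python is an added example, not the sandbox's code and not part of the report: it decrypts and parses a DarkComet 5.x DCDATA blob into the fields listed above. Assumptions, stated here and in the comments: DarkComet 5.1 and later keeps its configuration in an RCDATA resource named DCDATA as hex-encoded RC4 ciphertext under the static key "#KCMDDC51#-890"; the plaintext is CRLF-separated KEY={VALUE} lines whose names (SID, NETDATA, MUTEX, GENCODE, INSTALL, OFFLINEK, PWD, PERSINST) follow the public decoders; NETDATA is pipe-separated host:port entries. No DCDATA blob appears on this page, so SAMPLE_BLOB is constructed inline by encrypting the report's own values with that key.

```python
# Added example: decode a DarkComet 5.x DCDATA configuration blob into the
# fields the report shows. Not the sandbox's code; see the assumptions below.
from typing import Dict, List, Tuple

# Assumption: static RC4 key used by DarkComet 5.1+ for the DCDATA resource.
DC51_KEY = b"#KCMDDC51#-890"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so this encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_dcdata(hex_blob: str, key: bytes = DC51_KEY) -> Dict[str, str]:
    """Hex-decode, RC4-decrypt and split KEY={VALUE} lines into a dict.
    Lines without '=' (padding, junk after a wrong key) are ignored."""
    plain = rc4(key, bytes.fromhex(hex_blob.strip())).decode("latin-1")
    cfg: Dict[str, str] = {}
    for line in plain.replace("\r\n", "\n").split("\n"):
        if "=" not in line:
            continue
        k, v = line.split("=", 1)
        cfg[k.strip()] = v.strip().strip("{}")
    return cfg


def parse_netdata(netdata: str) -> List[Tuple[str, int]]:
    """Split 'host:port|host:port' into (host, port) pairs; malformed entries are skipped."""
    out: List[Tuple[str, int]] = []
    for entry in netdata.split("|"):
        host, sep, port = entry.rpartition(":")
        if sep and host and port.isdigit():
            out.append((host, int(port)))
    return out


def to_report_fields(cfg: Dict[str, str]) -> Dict[str, object]:
    """Map raw DCDATA keys (assumed names) onto the field names used in the report."""
    flag = lambda v: v == "1"
    return {
        "botnet_id": cfg.get("SID", ""),
        "c2": parse_netdata(cfg.get("NETDATA", "")),
        "mutex": cfg.get("MUTEX", ""),
        "gencode": cfg.get("GENCODE", ""),
        "install": flag(cfg.get("INSTALL", "0")),
        "offline_keylogger": flag(cfg.get("OFFLINEK", "0")),
        "password": cfg.get("PWD", ""),
        "persistence": flag(cfg.get("PERSINST", "0")),
    }


# Constructed sample (not taken from the binary): the report's values laid out
# as DCDATA plaintext and encrypted with the same key, so the decoder has a
# realistic blob to run on offline.
_SAMPLE_PLAIN = (
    "SID={Guest16}\r\n"
    "NETDATA={sommerishere.sytes.net:1678|ommerishere.sytes.net:1678|ommerishere.sytes.net:1679}\r\n"
    "MUTEX={DC_MUTEX-3YA4GBR}\r\n"
    "GENCODE={C8EBUD2QBFHF}\r\n"
    "INSTALL={0}\r\n"
    "OFFLINEK={1}\r\n"
    "PWD={likethat@123}\r\n"
    "PERSINST={0}\r\n"
)
SAMPLE_BLOB = rc4(DC51_KEY, _SAMPLE_PLAIN.encode("latin-1")).hex().upper()

if __name__ == "__main__":
    import json
    print(json.dumps(to_report_fields(decode_dcdata(SAMPLE_BLOB)), indent=2))
```

With a real sample, read the DCDATA entry from the PE's RCDATA resource directory (pefile's resource tree will do) and pass its ASCII hex to decode_dcdata; for a packed or hollowed build such as this one, take the resource from the 712KB image dumped at 0x400000 from PID 3968 rather than from the file on disk. If decryption yields no KEY={VALUE} lines, the build is older and uses a different static key of the same form; the public decoders carry that table.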
Signatures

- Executes dropped EXE (2 IoCs)
  Processes:
  - cssrr.exe, PID 2652
  - cssrr.exe, PID 3968

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (registry values set by cssrr.exe):
  - \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cssrr = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe"
  - \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cssrr = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe"
  Both the per-user (HKCU) and the machine-wide (HKLM) Run keys point at the same user-writable copy. The HKLM value landing under WOW6432Node confirms a 32-bit process on 64-bit Windows, and the write succeeding means the sandbox ran the sample with administrative rights; on a standard-user host only the HKCU entry would be expected.

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 2652 (cssrr.exe) set thread context of PID 3968 (cssrr.exe)
  Together with the 14 WriteProcessMemory calls from 2652 into 3968 (below) and the 712KB image region dumped from 3968 at 0x400000, this is the process-hollowing pattern: the parent starts a child from its own image, overwrites the child's image with the payload, and points the main thread at the new entry point.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That sentence is the sandbox's generic description for this signature. Nothing else in the report indicates ransomware: the extracted configuration identifies DarkComet, a remote-access trojan, and drive enumeration is equally consistent with a RAT's file-manager function.

- NTFS ADS (3 IoCs)
  Processes:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe:ZONE.identifier:$DATA (by 79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe:ZONE.identifier (by cmd.exe)
  - File created: C:\Users\Admin\AppData\Local\Temp\79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe:ZONE.identifier (by cmd.exe)
  The Zone.Identifier stream is the Mark-of-the-Web. ZoneID = 2 is URLZONE_TRUSTED (Trusted Sites), so rather than deleting the mark, the sample stamps both itself and the dropped copy as coming from a trusted zone instead of the Internet zone (ZoneID = 3), which is the zone that triggers Mark-of-the-Web warnings. Write access to the stream by cmd.exe on an executable is a reliable hunting lead on its own.

- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes: PID 3968 (cssrr.exe) enabled the following privileges on its token:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the LUIDs the sandbox does not name, 33, 34, 35 and 36 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege).
  This is the full privilege set of an administrative token. Enabling every privilege present, named or not, rather than the one or two a task needs is itself a strong indicator, independent of what the process later does with SeDebugPrivilege.

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 3968 (cssrr.exe)
  A Windows hook installed by the hollowed payload is consistent with offline_keylogger = true in the extracted configuration; a keyboard hook is the usual user-mode keylogging primitive.

- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
  - PID 900 (the submitted sample) wrote to memory of PID 2020 (cmd.exe): 3 times
  - PID 900 (the submitted sample) wrote to memory of PID 2652 (cssrr.exe): 3 times
  - PID 2652 (cssrr.exe) wrote to memory of PID 3152 (cmd.exe): 3 times
  - PID 2652 (cssrr.exe) wrote to memory of PID 3968 (cssrr.exe): 14 times
  The three writes into each freshly created child are consistent with ordinary process creation (the parent populates the new process's startup data); the 14 writes into 3968 are the payload being copied into the hollowed child. The 3-versus-14 contrast is also what distinguishes the plain spawn of 2652 from the hollowing of 3968.
Processes

- C:\Users\Admin\AppData\Local\Temp\79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe (PID 900, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe"
  - NTFS ADS
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe (PID 2020, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe":ZONE.identifier & exit
    - NTFS ADS

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe (PID 2652, level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe (PID 3152, level 3)
      Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe":ZONE.identifier & exit
      - NTFS ADS

    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe (PID 3968, level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

Reading the tree: the submitted sample (900) rewrites its own Zone.Identifier through cmd.exe (2020), drops a copy of itself as cssrr.exe under the user's Templates folder and runs it (2652); the copy repeats the Zone.Identifier rewrite on itself (3152), registers the Run keys, then spawns a second instance of its own image (3968) and hollows it. Only the hollowed instance (3968) shows the token-privilege and hook activity, so that is where the DarkComet payload actually runs. cmd.exe is launched by its System32 path but runs from SysWOW64: WOW64 file-system redirection for a 32-bit parent.
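Detection logic for what the tree above shows, as an added example that is not the sandbox's signature code: the Zone.Identifier rewrite through cmd.exe, Run-key persistence pointing into a user-writable path, and a parent rewriting the thread context of a child that runs its own image. It runs over constructed events that reproduce this report's PIDs and command lines plus two benign controls that must not fire. The event dictionaries are a simplification modelled on Sysmon's process-create, registry-set and process-access events, not any product's real schema.

```python
# Added example: rules for the three behaviours in the process tree, run over
# constructed telemetry. Event layout is a simplification, not a real schema.
import re
from typing import Dict, List

# cmd.exe /c echo [zoneTransfer]ZoneID = N > "<file>":ZONE.identifier
ADS_ZONE_CMD = re.compile(
    r'echo\s+\[zoneTransfer\]\s*ZoneID\s*=\s*(\d)\s*>\s*"?([^"]+?)"?:zone\.identifier', re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)
# URLZONE values of the Windows security-zone enumeration
ZONE_NAMES = {"0": "LocalMachine", "1": "Intranet", "2": "Trusted", "3": "Internet", "4": "Restricted"}


def detect(events: List[Dict]) -> List[Dict]:
    """Return one finding per matched rule; benign events yield nothing."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings: List[Dict] = []
    for e in events:
        if e["type"] == "process_create":
            m = ADS_ZONE_CMD.search(e["cmdline"])
            if m:
                zone = m.group(1)
                findings.append({"rule": "motw_tamper", "pid": e["pid"],
                                 "detail": f"Zone.Identifier on {m.group(2)} rewritten to "
                                           f"ZoneID={zone} ({ZONE_NAMES.get(zone, '?')})"})
        elif e["type"] == "registry_set" and RUN_KEY.search(e["target"]):
            path = e["value"].strip('"')
            # Installer-registered Run entries under Program Files are common; a
            # Run value pointing into AppData is the persistence shape seen here.
            if USER_WRITABLE.match(path):
                findings.append({"rule": "run_key_userland", "pid": e["pid"],
                                 "detail": f"{e['target']} -> {path}"})
        elif e["type"] == "set_thread_context":
            src, dst = procs.get(e["pid"]), procs.get(e["target_pid"])
            # Hollowing shape from the report: a parent rewrites the thread context
            # of its own freshly spawned child that runs the same image.
            if src and dst and dst["ppid"] == e["pid"] and src["image"].lower() == dst["image"].lower():
                findings.append({"rule": "self_hollowing", "pid": e["pid"],
                                 "detail": f"{src['image']} ({e['pid']}) set thread context of child {e['target_pid']}"})
    return findings


# Constructed events reproducing the tree (PIDs as in the report) plus two
# benign controls; these are not captured telemetry.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 900, "ppid": 1, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"type": "process_create", "pid": 2020, "ppid": 900, "image": CMD,
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "{DROPPER}":ZONE.identifier & exit'},
    {"type": "process_create", "pid": 2652, "ppid": 900, "image": COPY, "cmdline": f'"{COPY}"'},
    {"type": "process_create", "pid": 3152, "ppid": 2652, "image": CMD,
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "{COPY}":ZONE.identifier & exit'},
    {"type": "process_create", "pid": 3968, "ppid": 2652, "image": COPY, "cmdline": f'"{COPY}"'},
    {"type": "registry_set", "pid": 2652,
     "target": r"\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cssrr",
     "value": f'"{COPY}"'},
    {"type": "registry_set", "pid": 2652,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cssrr",
     "value": f'"{COPY}"'},
    {"type": "set_thread_context", "pid": 2652, "target_pid": 3968},
    # benign controls: a Run entry under Program Files, and a browser spawning a
    # child of the same image without touching its thread context
    {"type": "registry_set", "pid": 4100,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r'"C:\Program Files\Vendor\updater.exe"'},
    {"type": "process_create", "pid": 4200, "ppid": 4100,
     "image": r"C:\Program Files\Browser\browser.exe", "cmdline": "browser.exe --type=renderer"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["rule"], f["pid"], f["detail"])
```

The self_hollowing rule deliberately requires parent and child to share an image path; that is what separates this sample's pattern from a debugger or an EDR agent calling SetThreadContext on an unrelated process, and the benign browser spawn shows that same-image parent/child alone is not enough.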
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe
  MD5: 70370dcb2ad41fb78d0439236518c6c2
  SHA1: 35d86808ab71511ca0aaf5268dad6644718d3eb3
  SHA256: 79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0
  SHA512: 7d697c6a89c0b9b7eb57ba4df5feba4aeac410187187ab67779f8f300eb7f908925df62ef9b11923337f55b4a805ef68c719432caa3c880d1d26c63cd35fb0ee

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe (listed four times in the report with identical hashes; shown once here)
  MD5: 70370dcb2ad41fb78d0439236518c6c2
  SHA1: 35d86808ab71511ca0aaf5268dad6644718d3eb3
  SHA256: 79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0
  SHA512: 7d697c6a89c0b9b7eb57ba4df5feba4aeac410187187ab67779f8f300eb7f908925df62ef9b11923337f55b4a805ef68c719432caa3c880d1d26c63cd35fb0ee

The dropped cssrr.exe carries exactly the hashes of the submitted sample: it is a byte-for-byte self-copy, not a second-stage download, so one set of file hashes covers both paths.

Memory dumps:
- memory/900-114-0x0000000002D50000-0x0000000002D51000-memory.dmp (4KB)
- memory/2020-115-0x0000000000000000-mapping.dmp
- memory/2652-120-0x0000000002E30000-0x0000000002E31000-memory.dmp (4KB)
- memory/2652-117-0x0000000000000000-mapping.dmp
- memory/2652-126-0x0000000002E31000-0x0000000002E32000-memory.dmp (4KB)
- memory/3152-121-0x0000000000000000-mapping.dmp
- memory/3968-122-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
- memory/3968-123-0x000000000048F888-mapping.dmp
- memory/3968-127-0x0000000002E90000-0x0000000002E91000-memory.dmp (4KB)

The 712KB region at 0x400000 in PID 3968 (the default image base of a 32-bit executable) is the full image of the hollowed process, and it, rather than the 544KB file on disk, is the artefact to unpack and run a config extractor against. The mapping entry at 0x48F888 lies inside that region and is consistent with the entry point the parent installed through SetThreadContext.