Analysis
- max time kernel: 151s
- max time network: 150s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 02-12-2021 02:11
Static task: static1
Behavioral task: behavioral1
  Sample: DAZ Studio Professional 4.15.0.30 x64c.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: DAZ Studio Professional 4.15.0.30 x64c.exe
  Resource: win10-en-20211014
General
- Target: DAZ Studio Professional 4.15.0.30 x64c.exe
- Size: 536KB
- MD5: 6485a104cfdf2d8e847f3116347736a6
- SHA1: 17d5e7d32055ed9c98de05b9f14c9ae2cb573fcc
- SHA256: 43017a60a99ab0a9ac4ac4087b4d25ff4263e5bae796f4979d777395ae09e67b
- SHA512: 0ff04031a776e5beb8062bc6483f265f5e043b44d760320b2052a7ce98d6b3181cd7e1f4c69374e9af4a9397a48c83c95d61aee733c03a8d2ef1acafe454ac8c
Malware Config
Extracted
- family: darkcomet
- DAZ Studio Professional 4.15.0.30 x64
- C2: clientts.ddns.net:1604
- mutex: DCMIN_MUTEX-7VA997K
- gencode: iVpp885bSBQY
- install: false
- offline_keylogger: true
- persistence: false
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: DAZ Studio Professional 4.15.0.30 x64c.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\services\\jCCOsRcoejGI.exe\",explorer.exe"
  process: DAZ Studio Professional 4.15.0.30 x64c.exe
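The registry write above replaces the per-user Winlogon Shell value with the dropped jCCOsRcoejGI.exe followed by explorer.exe, so the implant is launched at every logon of that user while the normal desktop still comes up (note that the extracted config says persistence false, yet this write was observed in the sandbox). What follows is an added example, not part of the sandbox report: a Python check that splits a Winlogon Shell or Userinit value into its program entries and flags every entry that is not a stock default. The event records, the benign comparison rows, the hive mapping and the decision to treat both the bare name and the C:\Windows path as expected are assumptions made for the example.

```python
from typing import Dict, List

# Stock Winlogon values, lower-cased for comparison. Accepting both the bare
# name and the full path is an assumption of this example, not a report fact.
EXPECTED_ENTRIES = {
    "shell": {"explorer.exe", r"c:\windows\explorer.exe"},
    "userinit": {"userinit.exe", r"c:\windows\system32\userinit.exe"},
}

# Constructed sample events. The first row is the write recorded in the report
# (with the JSON-style escaping removed); the other two are benign defaults
# added for contrast.
SAMPLE_REGISTRY_EVENTS = [
    {
        "key": r"\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000"
               r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
        "value": "Shell",
        "data": r'"C:\Users\Admin\AppData\Roaming\services\jCCOsRcoejGI.exe",explorer.exe',
    },
    {
        "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
        "value": "Shell",
        "data": "explorer.exe",
    },
    {
        "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
        "value": "Userinit",
        "data": r"C:\Windows\system32\userinit.exe,",
    },
]


def split_winlogon_entries(data: str) -> List[str]:
    """Split a Shell/Userinit string into program entries.

    Entries are comma separated; a double-quoted entry may contain spaces or
    commas and the quotes are not part of the path. Empty entries (e.g. from
    the trailing comma of the default Userinit value) are dropped.
    """
    entries, current, in_quotes = [], [], False
    for ch in data:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            entries.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    entries.append("".join(current).strip())
    return [e for e in entries if e]


def hive_of(key: str) -> str:
    """Map a native registry path (as sandboxes log it) to the hive a responder opens."""
    upper = key.upper()
    if upper.startswith(("\\REGISTRY\\USER\\", "HKEY_USERS", "HKEY_CURRENT_USER", "HKCU")):
        return "HKU"
    if upper.startswith(("\\REGISTRY\\MACHINE\\", "HKEY_LOCAL_MACHINE", "HKLM")):
        return "HKLM"
    return "UNKNOWN"


def check_winlogon_event(event: Dict[str, str]) -> List[str]:
    """Return the entries of a Winlogon Shell/Userinit write that are not stock defaults."""
    if not event["key"].lower().rstrip("\\").endswith(r"\winlogon"):
        return []
    name = event["value"].lower()
    if name not in EXPECTED_ENTRIES:
        return []
    return [e for e in split_winlogon_entries(event["data"])
            if e.lower() not in EXPECTED_ENTRIES[name]]


def scan_winlogon_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the check over a list of registry-write events and collect findings."""
    findings = []
    for ev in events:
        suspicious = check_winlogon_event(ev)
        if suspicious:
            findings.append({"hive": hive_of(ev["key"]), "value": ev["value"], "suspicious": suspicious})
    return findings


if __name__ == "__main__":
    for f in scan_winlogon_events(SAMPLE_REGISTRY_EVENTS):
        print(f"{f['hive']} Winlogon\\{f['value']} -> {f['suspicious']}")
```

The split is deliberate rather than a plain `data.split(",")`: the dropped path is quoted precisely because Winlogon accepts quoted entries, and a quoted path can itself contain a comma. Comparing on the whole entry, not just the basename, also catches a file named explorer.exe placed in a writable directory.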
Yara rule match: upx (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3708-116-0x0000000000400000-0x00000000004B7000-memory.dmp   upx
  behavioral2/memory/3708-121-0x0000000000400000-0x00000000004B7000-memory.dmp   upx
  behavioral2/memory/3708-122-0x0000000000400000-0x00000000004B7000-memory.dmp   upx
Uses the VBS compiler for execution (1 TTP)
Suspicious use of SetThreadContext (2 IoCs)
Processes: DAZ Studio Professional 4.15.0.30 x64c.exe
  PID 2500 (DAZ Studio Professional 4.15.0.30 x64c.exe) set thread context of PID 3708 (vbc.exe)   x2
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: DAZ Studio Professional 4.15.0.30 x64c.exe
  PID 2500 DAZ Studio Professional 4.15.0.30 x64c.exe   x2
Suspicious use of AdjustPrivilegeToken (26 IoCs)
Processes: DAZ Studio Professional 4.15.0.30 x64c.exe, vbc.exe
  PID 2500 DAZ Studio Professional 4.15.0.30 x64c.exe: SeDebugPrivilege (x2)
  PID 3708 vbc.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  (The numeric entries are privilege LUIDs the sandbox did not resolve to names: 33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege, 36 SeDelegateSessionUserImpersonatePrivilege. Enabling every privilege in the token in one go is the pattern of a blanket AdjustTokenPrivileges call rather than a targeted request.)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: vbc.exe
  PID 3708 vbc.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: DAZ Studio Professional 4.15.0.30 x64c.exe
  PID 2500 (DAZ Studio Professional 4.15.0.30 x64c.exe) wrote to memory of PID 3708 (vbc.exe)   x15
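Read together, the WriteProcessMemory and SetThreadContext rows (PID 2500 writing into PID 3708 fifteen times and setting its thread context) describe the parent hollowing a freshly started vbc.exe with its own payload; that also explains why vbc.exe appears in the process tree with no arguments, why the upx YARA hits land in vbc.exe's memory rather than the parent's, and why it is vbc.exe, not the dropper, that installs a Windows hook (consistent with offline_keylogger: true in the config). The following is an added example, not part of the report: Python that correlates those two API calls per (source PID, target PID) pair, scores a pair higher when the target is a well-known .NET host binary, and lists what the injected process did afterwards. The event list is constructed from the report's rows (the ordering and the extra debugger-style row are assumptions), and every host binary in the list other than vbc.exe is an assumption added for the example.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# .NET Framework binaries commonly chosen as hollowing hosts: signed, present
# on every install, rarely run by users. vbc.exe is the one in this report;
# the other names are an assumption for the example.
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}

PARENT = "DAZ Studio Professional 4.15.0.30 x64c.exe"


def make_event(api: str, pid: int, image: str,
               target_pid: Optional[int] = None, target_image: Optional[str] = None) -> Dict[str, object]:
    """One sandbox API event; target_* is None for calls that do not name another process."""
    return {"api": api, "pid": pid, "image": image, "target_pid": target_pid, "target_image": target_image}


# Constructed event stream: API names, PIDs, images and counts come from the
# report's signature tables; the ordering and the devenv.exe row (a debugger
# that writes memory but never sets a thread context) are assumptions.
SAMPLE_EVENTS = (
    [make_event("WriteProcessMemory", 2500, PARENT, 3708, "vbc.exe")] * 15
    + [make_event("SetThreadContext", 2500, PARENT, 3708, "vbc.exe")] * 2
    + [make_event("SetWindowsHookEx", 3708, "vbc.exe")]
    + [make_event("WriteProcessMemory", 4100, "devenv.exe", 4172, "app.exe")]
)


def correlate_injection(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Pair cross-process WriteProcessMemory and SetThreadContext calls by (source, target) PID.

    Either call alone is common in benign software (debuggers, installers);
    both from the same source into the same target is the hollowing /
    thread-hijack pattern. A process touching itself is ignored.
    """
    pairs = defaultdict(lambda: {"writes": 0, "context_sets": 0, "src_image": None, "dst_image": None})
    for e in events:
        if e["target_pid"] is None or e["target_pid"] == e["pid"]:
            continue
        if e["api"] not in ("WriteProcessMemory", "SetThreadContext"):
            continue
        rec = pairs[(e["pid"], e["target_pid"])]
        rec["src_image"], rec["dst_image"] = e["image"], e["target_image"]
        rec["writes" if e["api"] == "WriteProcessMemory" else "context_sets"] += 1

    findings = []
    for (src, dst), rec in pairs.items():
        if rec["writes"] and rec["context_sets"]:
            known_host = str(rec["dst_image"]).lower() in HOLLOW_HOSTS
            findings.append({
                "src_pid": src, "dst_pid": dst,
                "src_image": rec["src_image"], "dst_image": rec["dst_image"],
                "writes": rec["writes"], "context_sets": rec["context_sets"],
                "confidence": "high" if known_host else "medium",
            })
    return findings


def post_injection_activity(events: List[Dict[str, object]],
                            findings: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Non-targeted API calls made by processes that were identified as injection targets."""
    injected = {f["dst_pid"] for f in findings}
    return [(e["pid"], e["api"]) for e in events
            if e["pid"] in injected and e["target_pid"] is None]


if __name__ == "__main__":
    found = correlate_injection(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['confidence']}: PID {f['src_pid']} ({f['src_image']}) -> PID {f['dst_pid']} "
              f"({f['dst_image']}), {f['writes']} writes, {f['context_sets']} context sets")
    print("post-injection:", post_injection_activity(SAMPLE_EVENTS, found))
```

The devenv.exe row is there to show the false-positive the correlation avoids: a single write with no context change is never reported. In a real pipeline the same keying works over Sysmon or EDR telemetry as long as each record carries the source PID, the target PID and the API or event name.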
Processes
C:\Users\Admin\AppData\Local\Temp\DAZ Studio Professional 4.15.0.30 x64c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\DAZ Studio Professional 4.15.0.30 x64c.exe"
  - Modifies WinLogon for persistence
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (child of the above)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/2500-115-0x0000000002720000-0x0000000002721000-memory.dmp (4KB)
- memory/3708-116-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
- memory/3708-117-0x00000000004B5020-mapping.dmp
- memory/3708-118-0x00000000008A1000-0x00000000008A2000-memory.dmp (4KB)
- memory/3708-119-0x00000000008A1000-0x00000000008A2000-memory.dmp (4KB)
- memory/3708-120-0x00000000008A2000-0x00000000008A4000-memory.dmp (8KB)
- memory/3708-121-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
- memory/3708-123-0x0000000002410000-0x0000000002411000-memory.dmp (4KB)
- memory/3708-122-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)