Analysis
max time kernel: 4294229s
max time network: 191s
platform: windows7_x64
resource: win7-20220223-en
submitted: 09-03-2022 08:13

Static task: static1

Behavioral task: behavioral1
Sample: 46b6eca723ff6847d9ca7faa01668a7a4099fd84996f7b0172138f965e510768.exe
Resource: win7-20220223-en

Behavioral task: behavioral2
Sample: 46b6eca723ff6847d9ca7faa01668a7a4099fd84996f7b0172138f965e510768.exe
Resource: win10v2004-en-20220112
General
Target: 46b6eca723ff6847d9ca7faa01668a7a4099fd84996f7b0172138f965e510768.exe
Size: 892KB
MD5: c3ef33d077f1471aabf89c3042b0e54a
SHA1: ec312ee6026b175c5a73b61b04da1f710fc55a4e
SHA256: 46b6eca723ff6847d9ca7faa01668a7a4099fd84996f7b0172138f965e510768
SHA512: b3e7f023f8ab2d48a2c9f2dd906d44ebd4e61055b8519f0a722985dfd3fcfc90bf3795eead0fc999e692f0a3fa6fee46697e26ed93166a4e0b267deddaccb071
Malware Config
Extracted
darkcomet
Sazan
ffhjfgkjdfg.tk:45622
DC_MUTEX-CAQ9PVQ
InstallPath: SYS\Syscal.exe
gencode: qsfrz9ZVMWyN
install: true
offline_keylogger: true
persistence: true
reg_key: SystemCalculator
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: d.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\SYS\\Syscal.exe"
  process: d.exe
Executes dropped EXE (2 IoCs)
Processes: d.exe, Syscal.exe
  pid 268   d.exe
  pid 1152  Syscal.exe
Loads dropped DLL (4 IoCs)
Processes: 46b6eca723ff6847d9ca7faa01668a7a4099fd84996f7b0172138f965e510768.exe, d.exe
  pid 960   46b6eca723ff6847d9ca7faa01668a7a4099fd84996f7b0172138f965e510768.exe
  pid 960   46b6eca723ff6847d9ca7faa01668a7a4099fd84996f7b0172138f965e510768.exe
  pid 268   d.exe
  pid 268   d.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: d.exe, Syscal.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemCalculator = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\SYS\\Syscal.exe"
  process: d.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemCalculator = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\SYS\\Syscal.exe"
  process: Syscal.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (2 IoCs)
Processes: WerFault.exe, WerFault.exe
  pid 1676  target pid 1056  WerFault.exe  target process: notepad.exe
  pid 1612  target pid 1964  WerFault.exe  target process: notepad.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: d.exe, Syscal.exe
  d.exe (pid 268), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  Syscal.exe (pid 1152), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: Syscal.exe
  pid 1152  Syscal.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 46b6eca723ff6847d9ca7faa01668a7a4099fd84996f7b0172138f965e510768.exe, d.exe, cmd.exe, cmd.exe, notepad.exe, Syscal.exe
Parent-to-child memory writes (the raw log repeats each pair several times; repeated entries are collapsed here):
  PID 960 (46b6eca723ff6847d9ca7faa01668a7a4099fd84996f7b0172138f965e510768.exe) wrote to memory of PID 268 (d.exe)
  PID 268 (d.exe) wrote to memory of PID 544 (cmd.exe)
  PID 268 (d.exe) wrote to memory of PID 1540 (cmd.exe)
  PID 268 (d.exe) wrote to memory of PID 1056 (notepad.exe)
  PID 544 (cmd.exe) wrote to memory of PID 1912 (attrib.exe)
  PID 1540 (cmd.exe) wrote to memory of PID 1244 (attrib.exe)
  PID 1056 (notepad.exe) wrote to memory of PID 1676 (WerFault.exe)
  PID 268 (d.exe) wrote to memory of PID 1152 (Syscal.exe)
  PID 1152 (Syscal.exe) wrote to memory of PID 1964 (notepad.exe)
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe, attrib.exe
  pid 1244  attrib.exe
  pid 1912  attrib.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\46b6eca723ff6847d9ca7faa01668a7a4099fd84996f7b0172138f965e510768.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\46b6eca723ff6847d9ca7faa01668a7a4099fd84996f7b0172138f965e510768.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\d.exe" +s +h
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\d.exe" +s +h
        - Views/modifies file attributes
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Views/modifies file attributes
    Level 3: C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 264
        - Program crash
    Level 3: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SYS\Syscal.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SYS\Syscal.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\notepad.exe
        Command line: notepad
        Level 5: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 220
          - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\d.exe
  MD5: 86ce2843c1f4a5f4585ceee1eb68d2e4
  SHA1: 7b3480b5c72accee0839d476ef2979c4c4755aea
  SHA256: 1af6703a93d8901ac9342797b59ebe03118ea89276f31737b79e8e15ba7fa58f
  SHA512: 133be13ca504fd760dceacd393c280243dbbe52d63e3bd65f79760b21ed3eff45ad6856a799774c399c18a02a32abd94622db31eb2cf72747e69a26a1b7f31a1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SYS\Syscal.exe
  MD5: 86ce2843c1f4a5f4585ceee1eb68d2e4
  SHA1: 7b3480b5c72accee0839d476ef2979c4c4755aea
  SHA256: 1af6703a93d8901ac9342797b59ebe03118ea89276f31737b79e8e15ba7fa58f
  SHA512: 133be13ca504fd760dceacd393c280243dbbe52d63e3bd65f79760b21ed3eff45ad6856a799774c399c18a02a32abd94622db31eb2cf72747e69a26a1b7f31a1
-
\Users\Admin\AppData\Local\Temp\d.exe
  MD5: 86ce2843c1f4a5f4585ceee1eb68d2e4
  SHA1: 7b3480b5c72accee0839d476ef2979c4c4755aea
  SHA256: 1af6703a93d8901ac9342797b59ebe03118ea89276f31737b79e8e15ba7fa58f
  SHA512: 133be13ca504fd760dceacd393c280243dbbe52d63e3bd65f79760b21ed3eff45ad6856a799774c399c18a02a32abd94622db31eb2cf72747e69a26a1b7f31a1
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SYS\Syscal.exe
  MD5: 86ce2843c1f4a5f4585ceee1eb68d2e4
  SHA1: 7b3480b5c72accee0839d476ef2979c4c4755aea
  SHA256: 1af6703a93d8901ac9342797b59ebe03118ea89276f31737b79e8e15ba7fa58f
  SHA512: 133be13ca504fd760dceacd393c280243dbbe52d63e3bd65f79760b21ed3eff45ad6856a799774c399c18a02a32abd94622db31eb2cf72747e69a26a1b7f31a1
-
memory/268-60-0x0000000075801000-0x0000000075803000-memory.dmp  Filesize: 8KB
memory/268-91-0x0000000000240000-0x0000000000241000-memory.dmp  Filesize: 4KB
memory/960-54-0x0000000000380000-0x000000000038A000-memory.dmp  Filesize: 40KB
memory/960-55-0x0000000074D70000-0x000000007545E000-memory.dmp  Filesize: 6.9MB
memory/960-56-0x0000000000560000-0x0000000000561000-memory.dmp  Filesize: 4KB
memory/1056-62-0x0000000000080000-0x0000000000081000-memory.dmp  Filesize: 4KB
memory/1152-136-0x0000000000240000-0x0000000000241000-memory.dmp  Filesize: 4KB