Analysis
max time kernel: 152s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 22:36
Behavioral task: behavioral1
Sample: 4873d23065574c318aa28955737d7d0a74372453ffa950f97da3acc8a2d60481.exe
Resource: win7-20220414-en
General
Target: 4873d23065574c318aa28955737d7d0a74372453ffa950f97da3acc8a2d60481.exe
Size: 756KB
MD5: 86498e5016ff2cb3f0a84f0e03612858
SHA1: 4f35692e54c22730b0601a9c3048c7baadf57939
SHA256: 4873d23065574c318aa28955737d7d0a74372453ffa950f97da3acc8a2d60481
SHA512: fbe48fb5e8d351a80363dc0de57d970cabed1228e20560df4cd02d75c42b219a70d46057af9c581fcb364751cca315d866b8fcfe46630be72c49e8aecf46453f
Malware Config
Extracted: darkcomet
TacticG
192.168.1.113:1604
DC_MUTEX-H293GMA
InstallPath: windows\RealBoss.exe
gencode: kYG8AAeQRp04
install: true
offline_keylogger: true
persistence: false
reg_key: RealBoss.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Process: 4873d23065574c318aa28955737d7d0a74372453ffa950f97da3acc8a2d60481.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\windows\\RealBoss.exe"

Disables Task Manager via registry modification

Executes dropped EXE (1 IoCs)
Process: RealBoss.exe (pid 952)

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Process: 4873d23065574c318aa28955737d7d0a74372453ffa950f97da3acc8a2d60481.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 1 IoCs)
Process: 4873d23065574c318aa28955737d7d0a74372453ffa950f97da3acc8a2d60481.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RealBoss.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows\\RealBoss.exe"

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
Process: 4873d23065574c318aa28955737d7d0a74372453ffa950f97da3acc8a2d60481.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: 4873d23065574c318aa28955737d7d0a74372453ffa950f97da3acc8a2d60481.exe (pid 4200), RealBoss.exe (pid 952)
  Each of the two processes adjusts the same 24 token privileges (24 x 2 = 48 IoCs):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
  SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
  SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
  SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege,
  SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege,
  33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoCs)
Process: RealBoss.exe (pid 952)

Suspicious use of WriteProcessMemory (37 IoCs)
Processes: 4873d23065574c318aa28955737d7d0a74372453ffa950f97da3acc8a2d60481.exe, cmd.exe, cmd.exe, RealBoss.exe
  source pid  source process                                                              target pid  target process  count
  4200        4873d23065574c318aa28955737d7d0a74372453ffa950f97da3acc8a2d60481.exe        3120        cmd.exe         3
  4200        4873d23065574c318aa28955737d7d0a74372453ffa950f97da3acc8a2d60481.exe        4088        cmd.exe         3
  3120        cmd.exe                                                                     4128        attrib.exe      3
  4088        cmd.exe                                                                     1192        attrib.exe      3
  4200        4873d23065574c318aa28955737d7d0a74372453ffa950f97da3acc8a2d60481.exe        952         RealBoss.exe    3
  952         RealBoss.exe                                                                1684        notepad.exe     22

Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes: attrib.exe (pid 4128), attrib.exe (pid 1192)
Processes

1. C:\Users\Admin\AppData\Local\Temp\4873d23065574c318aa28955737d7d0a74372453ffa950f97da3acc8a2d60481.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4873d23065574c318aa28955737d7d0a74372453ffa950f97da3acc8a2d60481.exe"
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Adds Run key to start application
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\4873d23065574c318aa28955737d7d0a74372453ffa950f97da3acc8a2d60481.exe" +s +h
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib "C:\Users\Admin\AppData\Local\Temp\4873d23065574c318aa28955737d7d0a74372453ffa950f97da3acc8a2d60481.exe" +s +h
         - Views/modifies file attributes

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
         - Views/modifies file attributes

   2. C:\Users\Admin\AppData\Local\Temp\windows\RealBoss.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\windows\RealBoss.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\notepad.exe
         Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\windows\RealBoss.exe
  Filesize: 756KB
  MD5: 86498e5016ff2cb3f0a84f0e03612858
  SHA1: 4f35692e54c22730b0601a9c3048c7baadf57939
  SHA256: 4873d23065574c318aa28955737d7d0a74372453ffa950f97da3acc8a2d60481
  SHA512: fbe48fb5e8d351a80363dc0de57d970cabed1228e20560df4cd02d75c42b219a70d46057af9c581fcb364751cca315d866b8fcfe46630be72c49e8aecf46453f
memory/952-134-0x0000000000000000-mapping.dmp
memory/1192-133-0x0000000000000000-mapping.dmp
memory/1684-137-0x0000000000000000-mapping.dmp
memory/3120-130-0x0000000000000000-mapping.dmp
memory/4088-131-0x0000000000000000-mapping.dmp
memory/4128-132-0x0000000000000000-mapping.dmp