General
Target

a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe

Filesize

252KB

Completed

21-05-2022 18:35

Task

behavioral1

Score
10/10
MD5

532a6afb45c841f08a0ff9f104559334

SHA1

2fe9463e271b50907d72174992f4adf5c5c5eace

SHA256

a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62

SHA512

313db495bc51449b94484e749a2bee932686fabdfcf2e1a6e2c8caa10fe034960408c2f6a9b90f31e3ae55a1881752fab4baf1bae1fc5d14cf073884c358e7a4

Malware Config
Signatures 11

  • Darkcomet

    Description

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence
    a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe

    TTPs

    Winlogon Helper DLL, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\proverka_stiller.exe" | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
  • Modifies firewall policy service
    proverka_stiller.exe

    TTPs

    Modify Registry, Modify Existing Service

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | proverka_stiller.exe
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | proverka_stiller.exe
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | proverka_stiller.exe
  • Executes dropped EXE
    proverka_stiller.exe

    Reported IOCs

    pid | process
    924 | proverka_stiller.exe
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x00090000000132c6-55.dat | upx
    behavioral1/files/0x00090000000132c6-56.dat | upx
    behavioral1/files/0x00090000000132c6-58.dat | upx
    behavioral1/files/0x00090000000132c6-60.dat | upx
  • Loads dropped DLL
    a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe

    Reported IOCs

    pid | process
    1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
  • Adds Run key to start application
    a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\proverka_stiller.exe" | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious use of AdjustPrivilegeToken
    a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exeproverka_stiller.exe

    Reported IOCs

    description | pid | process
    Token: SeIncreaseQuotaPrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeSecurityPrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeTakeOwnershipPrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeLoadDriverPrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeSystemProfilePrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeSystemtimePrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeProfSingleProcessPrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeIncBasePriorityPrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeCreatePagefilePrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeBackupPrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeRestorePrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeShutdownPrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeDebugPrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeSystemEnvironmentPrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeChangeNotifyPrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeRemoteShutdownPrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeUndockPrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeManageVolumePrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeImpersonatePrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeCreateGlobalPrivilege | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: 33 | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: 34 | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: 35 | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    Token: SeIncreaseQuotaPrivilege | 924 | proverka_stiller.exe
    Token: SeSecurityPrivilege | 924 | proverka_stiller.exe
    Token: SeTakeOwnershipPrivilege | 924 | proverka_stiller.exe
    Token: SeLoadDriverPrivilege | 924 | proverka_stiller.exe
    Token: SeSystemProfilePrivilege | 924 | proverka_stiller.exe
    Token: SeSystemtimePrivilege | 924 | proverka_stiller.exe
    Token: SeProfSingleProcessPrivilege | 924 | proverka_stiller.exe
    Token: SeIncBasePriorityPrivilege | 924 | proverka_stiller.exe
    Token: SeCreatePagefilePrivilege | 924 | proverka_stiller.exe
    Token: SeBackupPrivilege | 924 | proverka_stiller.exe
    Token: SeRestorePrivilege | 924 | proverka_stiller.exe
    Token: SeShutdownPrivilege | 924 | proverka_stiller.exe
    Token: SeDebugPrivilege | 924 | proverka_stiller.exe
    Token: SeSystemEnvironmentPrivilege | 924 | proverka_stiller.exe
    Token: SeChangeNotifyPrivilege | 924 | proverka_stiller.exe
    Token: SeRemoteShutdownPrivilege | 924 | proverka_stiller.exe
    Token: SeUndockPrivilege | 924 | proverka_stiller.exe
    Token: SeManageVolumePrivilege | 924 | proverka_stiller.exe
    Token: SeImpersonatePrivilege | 924 | proverka_stiller.exe
    Token: SeCreateGlobalPrivilege | 924 | proverka_stiller.exe
    Token: 33 | 924 | proverka_stiller.exe
    Token: 34 | 924 | proverka_stiller.exe
    Token: 35 | 924 | proverka_stiller.exe
  • Suspicious use of SetWindowsHookEx
    proverka_stiller.exe

    Reported IOCs

    pid | process
    924 | proverka_stiller.exe
  • Suspicious use of WriteProcessMemory
    a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe

    Reported IOCs

    description | pid | process | target process
    PID 1744 wrote to memory of 924 | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe | proverka_stiller.exe
    PID 1744 wrote to memory of 924 | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe | proverka_stiller.exe
    PID 1744 wrote to memory of 924 | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe | proverka_stiller.exe
    PID 1744 wrote to memory of 924 | 1744 | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe | proverka_stiller.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    "C:\Users\Admin\AppData\Local\Temp\a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe"
    Modifies WinLogon for persistence
    Loads dropped DLL
    Adds Run key to start application
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe
      "C:\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe"
      Modifies firewall policy service
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:924
Network
Downloads
  • C:\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe

    MD5

    532a6afb45c841f08a0ff9f104559334

    SHA1

    2fe9463e271b50907d72174992f4adf5c5c5eace

    SHA256

    a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62

    SHA512

    313db495bc51449b94484e749a2bee932686fabdfcf2e1a6e2c8caa10fe034960408c2f6a9b90f31e3ae55a1881752fab4baf1bae1fc5d14cf073884c358e7a4

  • memory/924-57-0x0000000000000000-mapping.dmp

  • memory/1744-54-0x0000000075761000-0x0000000075763000-memory.dmp