Analysis
- max time kernel: 10s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 22:17
Static task: static1
Behavioral task: behavioral1
  Sample: 2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe
  Resource: win10v2004-20220414-en
General
- Target: 2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe
- Size: 1.6MB
- MD5: e85965a416297e42529e543082e768db
- SHA1: 63183601121650f80f85cbaf6c561c68613a5001
- SHA256: 2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446
- SHA512: b6783897b060391c256a82ceac32e88bff83c2dc0faafff2c1cda83311af4b031c0921df8b6702ce2e22b9569812b635913070dde75cd823450fec056e93ee78
Malware Config
Extracted
- darkcomet
- Sazan
- 127.0.0.1:1604
- DC_MUTEX-U4PFWCK
- gencode: Ne7VJi8yzj7V
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
    1600  ._cache_2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe
    4864  Synaptics.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RIP crack dragonjin = "C:\\ProgramData\\Synaptics\\Synaptics.exe"  2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 1600 set thread context of 3004  1600  ._cache_2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe  iexplore.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes (description / ioc / process):
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes (description / pid / process):
    pid 1600  ._cache_2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe
      Token: SeIncreaseQuotaPrivilege
      Token: SeSecurityPrivilege
      Token: SeTakeOwnershipPrivilege
      Token: SeLoadDriverPrivilege
      Token: SeSystemProfilePrivilege
      Token: SeSystemtimePrivilege
      Token: SeProfSingleProcessPrivilege
      Token: SeIncBasePriorityPrivilege
      Token: SeCreatePagefilePrivilege
      Token: SeBackupPrivilege
      Token: SeRestorePrivilege
      Token: SeShutdownPrivilege
      Token: SeDebugPrivilege
      Token: SeSystemEnvironmentPrivilege
      Token: SeChangeNotifyPrivilege
      Token: SeRemoteShutdownPrivilege
      Token: SeUndockPrivilege
      Token: SeManageVolumePrivilege
      Token: SeImpersonatePrivilege
      Token: SeCreateGlobalPrivilege
      Token: 33
      Token: 34
      Token: 35
      Token: 36
    pid 3004  iexplore.exe
      Token: SeIncreaseQuotaPrivilege
      Token: SeSecurityPrivilege
      Token: SeTakeOwnershipPrivilege
      Token: SeLoadDriverPrivilege
      Token: SeSystemProfilePrivilege
      Token: SeSystemtimePrivilege
      Token: SeProfSingleProcessPrivilege
      Token: SeIncBasePriorityPrivilege
      Token: SeCreatePagefilePrivilege
      Token: SeBackupPrivilege
      Token: SeRestorePrivilege
      Token: SeShutdownPrivilege
      Token: SeDebugPrivilege
      Token: SeSystemEnvironmentPrivilege
      Token: SeChangeNotifyPrivilege
      Token: SeRemoteShutdownPrivilege
      Token: SeUndockPrivilege
      Token: SeManageVolumePrivilege
      Token: SeImpersonatePrivilege
      Token: SeCreateGlobalPrivilege
      Token: 33
      Token: 34
      Token: 35
      Token: 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
    3004  iexplore.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / pid / process / target process):
    PID 4836 wrote to memory of 1600  4836  2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe  ._cache_2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe
    PID 4836 wrote to memory of 1600  4836  2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe  ._cache_2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe
    PID 4836 wrote to memory of 1600  4836  2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe  ._cache_2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe
    PID 1600 wrote to memory of 3004  1600  ._cache_2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe  iexplore.exe
    PID 1600 wrote to memory of 3004  1600  ._cache_2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe  iexplore.exe
    PID 1600 wrote to memory of 3004  1600  ._cache_2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe  iexplore.exe
    PID 1600 wrote to memory of 3004  1600  ._cache_2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe  iexplore.exe
    PID 1600 wrote to memory of 3004  1600  ._cache_2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe  iexplore.exe
    PID 4836 wrote to memory of 4864  4836  2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe  Synaptics.exe
    PID 4836 wrote to memory of 4864  4836  2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe  Synaptics.exe
    PID 4836 wrote to memory of 4864  4836  2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe  Synaptics.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe"
  Signatures:
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\._cache_2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe"
    Signatures:
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      Signatures:
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
  - C:\ProgramData\Synaptics\Synaptics.exe
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    Signatures:
      - Executes dropped EXE
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Synaptics\Synaptics.exe
  Filesize: 939KB
  MD5: 4431d23847904ab8bd03aa6505ef9012
  SHA1: 983f6c25926404cb1b8183e8977464f4fed722f0
  SHA256: 6dc69ae06ba3401d0bc3ebd18f7bc30b9e4f796d1dca85443aeb34c3ac719bbc
  SHA512: 8de3c5215a16d524221fe5c466b16cc1eadce200f910d2c891611b5a8fdeea963f5134fe918aaa2c9582ff02e2ab39dc7d3b93f87aa5b3724df9dafcb442ae1c
- C:\Users\Admin\AppData\Local\Temp\._cache_2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe
  Filesize: 658KB
  MD5: 44293d6792c2ecf5470b9c69b15e8811
  SHA1: 48df36cb442c7984c2391e5d072e5d2606854332
  SHA256: 4dc4c3ffed634fad94c878d2683d2716b21da62655f7fe188c8f35dcdeda4337
  SHA512: 812325043852f11dc3d36e9799fa41b5bb2449fb33fb7bd68f835ce7ebf83d4b00a251b103ef0b691a3fdaccc07e733071b7f92d54c882d5b8abb332cb4ca340
- C:\Users\Admin\AppData\Local\Temp\HPJT6hAM.xlsm
  Filesize: 17KB
  MD5: e566fc53051035e1e6fd0ed1823de0f9
  SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
  SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
  SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
- memory/1600-130-0x0000000000000000-mapping.dmp
- memory/4000-136-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp (Filesize: 64KB)
- memory/4000-140-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp (Filesize: 64KB)
- memory/4000-139-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp (Filesize: 64KB)
- memory/4000-138-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp (Filesize: 64KB)
- memory/4000-137-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp (Filesize: 64KB)
- memory/4000-141-0x00007FFF75DE0000-0x00007FFF75DF0000-memory.dmp (Filesize: 64KB)
- memory/4000-142-0x00007FFF75DE0000-0x00007FFF75DF0000-memory.dmp (Filesize: 64KB)
- memory/4864-133-0x0000000000000000-mapping.dmp