Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 19-06-2022 20:53
Behavioral task behavioral1
- Sample: hobaa.exe
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: hobaa.exe
- Resource: win10v2004-20220414-en
General
- Target: hobaa.exe
- Size: 658KB
- MD5: 73cf29c4ce3770bcf52c21b94588ca24
- SHA1: 81180bc25cc7a11cc570085ff383e356232d27f0
- SHA256: 3033e88038cf80d4ea502099291f9ea0e93c5995f96282ad26e5c21e8442c5ce
- SHA512: f05600475b81e9434f9268ee5af33c760204af2e6ff0efd26dda20d123b004c33e75aef68182a5a43b0d34160ead09041b29e6ac9ad3b4b59485a29245f531b1
Malware Config
Extracted family: darkcomet
- Botnet: Sazan
- C2: 4.tcp.eu.ngrok.io:14008
- Mutex: DC_MUTEX-K3TSWRH
- InstallPath: MSDCSC\SystemUI.exe
- gencode: 2Ua3NFMLv0El
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: SystemFile
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: hobaa.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\SystemUI.exe"
- Executes dropped EXE (1 IoC)
  Process: SystemUI.exe (PID 956)
- Deletes itself (1 IoC)
  Process: notepad.exe (PID 908)
- Loads dropped DLL (2 IoCs)
  Process: hobaa.exe (PID 1376), two loads
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: hobaa.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemFile = "C:\\Windows\\system32\\MSDCSC\\SystemUI.exe"
- Drops file in System32 directory (3 IoCs)
  Process: hobaa.exe
  File created: C:\Windows\SysWOW64\MSDCSC\SystemUI.exe
  File opened for modification: C:\Windows\SysWOW64\MSDCSC\SystemUI.exe
  File opened for modification: C:\Windows\SysWOW64\MSDCSC\
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the signature's generic description; the extracted configuration above identifies the sample as DarkComet, a remote access trojan, with its offline keylogger enabled.)
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: hobaa.exe (PID 1376) and SystemUI.exe (PID 956); each adjusted the same 23 privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: SystemUI.exe (PID 956)
- Suspicious use of WriteProcessMemory (22 IoCs)
  Process: hobaa.exe (PID 1376)
  PID 1376 wrote to memory of notepad.exe (PID 908): 18 times
  PID 1376 wrote to memory of SystemUI.exe (PID 956): 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\hobaa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\hobaa.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\notepad.exe (child)
    Command line: notepad
    - Deletes itself
  - C:\Windows\SysWOW64\MSDCSC\SystemUI.exe (child)
    Command line: "C:\Windows\system32\MSDCSC\SystemUI.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\MSDCSC\SystemUI.exe
  Filesize: 658KB
  MD5: 73cf29c4ce3770bcf52c21b94588ca24
  SHA1: 81180bc25cc7a11cc570085ff383e356232d27f0
  SHA256: 3033e88038cf80d4ea502099291f9ea0e93c5995f96282ad26e5c21e8442c5ce
  SHA512: f05600475b81e9434f9268ee5af33c760204af2e6ff0efd26dda20d123b004c33e75aef68182a5a43b0d34160ead09041b29e6ac9ad3b4b59485a29245f531b1
- \Windows\SysWOW64\MSDCSC\SystemUI.exe
  Filesize: 658KB
  MD5: 73cf29c4ce3770bcf52c21b94588ca24
  SHA1: 81180bc25cc7a11cc570085ff383e356232d27f0
  SHA256: 3033e88038cf80d4ea502099291f9ea0e93c5995f96282ad26e5c21e8442c5ce
  SHA512: f05600475b81e9434f9268ee5af33c760204af2e6ff0efd26dda20d123b004c33e75aef68182a5a43b0d34160ead09041b29e6ac9ad3b4b59485a29245f531b1
- memory/908-55-0x0000000000000000-mapping.dmp
- memory/956-59-0x0000000000000000-mapping.dmp
- memory/1376-54-0x0000000075D21000-0x0000000075D23000-memory.dmp
  Filesize: 8KB