Analysis
- max time kernel: 208s
- max time network: 218s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 07-07-2022 11:34
- Static task static1
- Behavioral task behavioral1: sample IMG_WA-D0014/IMG_WA-D0014.exe, resource win7-20220414-en
- Behavioral task behavioral2: sample IMG_WA-D0014/IMG_WA-D0014.exe, resource win10v2004-20220414-en
- Behavioral task behavioral3: sample IMG_WA-D0014/IMG_WA-L0015.exe, resource win7-20220414-en
- Behavioral task behavioral4: sample IMG_WA-D0014/IMG_WA-L0015.exe, resource win10v2004-20220414-en
General
- Target: IMG_WA-D0014/IMG_WA-D0014.exe
- Size: 1.5MB
- MD5: f43802841b34045780b19c44f10652aa
- SHA1: 8395ff25a349459512b81c26eddff2812c486595
- SHA256: e771b871b56ae87849d567a693ac3c01c5f57b737dc74435289425869ae17657
- SHA512: c50e5a8c76b27bb3bb50761c7f0b9c8b0535bc604a8f687189048bb69cb903d896eb2931ab585d77c1493daec83c8369fc7f1d3ea5c7d5549fb28da2d9fb8eab
Malware Config
Extracted
- Family: darkcomet
- Botnet: Oct 29 19
- C2: bio4kobs.geekgalaxy.com:1609
- Mutex: DC_MUTEX-QUS1L2L
- gencode: sgZH9wbBsjsB
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 2840 doctbqr.exe
- Memory dumps matching yara rule upx (behavioral2):
  behavioral2/memory/32-135-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/32-136-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/32-137-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/32-138-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/32-139-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/32-140-0x0000000000400000-0x00000000004B7000-memory.dmp
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process IMG_WA-D0014.exe: key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process doctbqr.exe: set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doct = "C:\\Users\\Admin\\AppData\\Local\\doct\\doctos.vbs"
- Suspicious use of SetThreadContext (1 IoC)
  PID 2840 doctbqr.exe set thread context of PID 32 TapiUnattend.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: PID 2840 doctbqr.exe (4 events)
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Process TapiUnattend.exe (PID 32) adjusted the following token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 32 TapiUnattend.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 552 IMG_WA-D0014.exe wrote to memory of PID 2840 doctbqr.exe (3 events)
  PID 2840 doctbqr.exe wrote to memory of PID 32 TapiUnattend.exe (5 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\IMG_WA-D0014\IMG_WA-D0014.exe (PID 552)
  Command line: "C:\Users\Admin\AppData\Local\Temp\IMG_WA-D0014\IMG_WA-D0014.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\doctbqr.exe (PID 2840, child of 552)
    Command line: "C:\Users\Admin\AppData\Roaming\doctbqr.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\TapiUnattend.exe (PID 32, child of 2840)
      Command line: "C:\Windows\System32\TapiUnattend.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.1MB
  MD5: 3e9f0eb34cd0aa86faadc2c19b1aadc8
  SHA1: f755c8b082f46c97e9c377e93bacae0a3f5521c1
  SHA256: 5fb71c17a71dcc2dedc9d45c56f5621e9fd5773f8f7b2409fc83a0edf3df8dfa
  SHA512: b6b337cdbf0a2d5f57edae8781a1745e9784f667cc3922bf576b467c4a5817b41b4aafd5322a0808b377a6407d851998bf84b69384f52266f286be4066c63f85
- Filesize: 891KB
  MD5: 8336ccaea93bd351eca733be59cc95a6
  SHA1: c4a7abdd39e9dd0ec560a3ec3f9cab0e65b19488
  SHA256: a0663ae9e890d831284aa95a6aacbef1e99b01440319ee4b05b747dbba7ee5ea
  SHA512: 5e3acaf8cf0c0b70e008b4fa030116652d84253ae6b2cbdfc718aa3a643b3f397b8ba6a3b72d94954af550caceda72af2edc457f278eb4c11628860614f980c3