Analysis
- max time kernel: 150s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 31-07-2022 03:58
Static task: static1
Behavioral task: behavioral1
- Sample: PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe
- Resource: win7-20220715-en
General
- Target: PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe
- Size: 1.5MB
- MD5: 0bdb26ca33bd21c9426be99b13227817
- SHA1: c1db7ee7509179c95ba1fe81c1f438995b6d7dcb
- SHA256: 81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a
- SHA512: a9260ac1f768db12f49aadfc719ea4bf6a71131f6a8e4da8d54be99ab429ce1ba2b660db965b7fac0c4ca32e33c575b15ae7fbe2e4699eb1bf08e1a9cf726ed8
Malware Config
Extracted
- family: darkcomet
- botnet: NEWPORT1
- C2: austin.mlbfan.org:2220
- mutex: DC_MUTEX-T6TM293
- gencode: gutLHsPCWP68
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Yara rule: upx
  Processes (resource | yara_rule):
  behavioral1/memory/1868-58-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/1868-60-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/1868-62-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/1868-63-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/1868-64-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/1868-65-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- Suspicious use of SetThreadContext 1 IoCs
  Processes (description | pid | process | target process):
  PID 532 set thread context of 1868 | 532 | PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe | PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken 23 IoCs
  Processes (description | pid | process), all 23 rows by PID 1868 PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe:
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 33
  Token: 34
  Token: 35
- Suspicious use of SetWindowsHookEx 2 IoCs
  Processes (pid | process):
  532 | PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe
  1868 | PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe
- Suspicious use of WriteProcessMemory 10 IoCs
  Processes (description | pid | process | target process), 10 identical rows:
  PID 532 wrote to memory of 1868 | 532 | PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe | PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/532-56-0x0000000000240000-0x0000000000246000-memory.dmp (Filesize 24KB)
- memory/532-57-0x00000000766A1000-0x00000000766A3000-memory.dmp (Filesize 8KB)
- memory/1868-58-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize 732KB)
- memory/1868-60-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize 732KB)
- memory/1868-59-0x00000000004B5660-mapping.dmp
- memory/1868-62-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize 732KB)
- memory/1868-63-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize 732KB)
- memory/1868-64-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize 732KB)
- memory/1868-65-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize 732KB)