Analysis

Max time kernel: 162s
Max time network: 153s
Platform: windows10-2004_x64
Resource: win10v2004-20220722-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 31-07-2022 03:58

Static task: static1
Behavioral task: behavioral1
Sample: PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe
Resource: win7-20220715-en

Note that the task list names the win7-20220715-en resource for behavioral1, while the platform above and the memory dumps further down (labelled behavioral2) are from the Windows 10 2004 x64 image; the page as extracted mixes the two task listings, and the signatures and process tree below belong to the Windows 10 run.
General

Target: PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe
Size: 1.5MB
MD5: 0bdb26ca33bd21c9426be99b13227817
SHA1: c1db7ee7509179c95ba1fe81c1f438995b6d7dcb
SHA256: 81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a
SHA512: a9260ac1f768db12f49aadfc719ea4bf6a71131f6a8e4da8d54be99ab429ce1ba2b660db965b7fac0c4ca32e33c575b15ae7fbe2e4699eb1bf08e1a9cf726ed8
Malware Config

Extracted family: darkcomet
Botnet / campaign ID: NEWPORT1
C2: austin.mlbfan.org:2220
Mutex: DC_MUTEX-T6TM293
Attributes:
- gencode: gutLHsPCWP68
- install: false
- offline_keylogger: true
- persistence: false

install=false and persistence=false mean this build does not copy itself to a new location or register a run key, which matches the rest of the report (no dropped files and no registry writes are listed). offline_keylogger=true means keystrokes are captured to a local log even while the C2 at austin.mlbfan.org:2220 is unreachable. The C2 host:port and the mutex name DC_MUTEX-T6TM293 are the directly usable indicators from this block.
Signatures

YARA rule `upx` matched (the signature title itself was not captured in the extraction)
Every memory dump of the child process (PID 4708) covering 0x00400000-0x004B7000 hit the `upx` rule:
- behavioral2/memory/4708-136-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/4708-137-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/4708-138-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/4708-140-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/4708-141-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/4708-142-0x0000000000400000-0x00000000004B7000-memory.dmp

Suspicious use of SetThreadContext (1 IoC)
- PID 4720 (PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe) set the thread context of PID 4708 (PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's rule text adds "Likely ransomware behaviour"; that is the rule's generic description, not a finding specific to this sample. With a DarkComet configuration extracted, drive enumeration is at least as consistent with a RAT's file-manager feature, so do not treat it as evidence of ransomware on its own.

Suspicious use of AdjustPrivilegeToken (24 IoCs)
PID 4708 (PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe) enabled the following token privileges:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeChangeNotifyPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- SeImpersonatePrivilege
- SeCreateGlobalPrivilege
- privilege LUID 33
- privilege LUID 34
- privilege LUID 35
- privilege LUID 36

The last four are reported by LUID value rather than by name; in winnt.h, 33 to 36 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. Enabling every privilege the token holds in a single sweep, rather than the one or two a program actually needs, is the signature of "enable all privileges" boilerplate. The one that matters operationally is SeDebugPrivilege, which lets the process open other processes regardless of their DACL.

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 4720 (PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe)
- PID 4708 (PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe)
The report does not record the hook type; given offline_keylogger=true in the extracted config, a keyboard hook is the likely purpose in the child.

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 4720 (PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe) wrote to the memory of PID 4708 (PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe); all nine entries are this same parent-to-child pair.
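The `upx` YARA hits above are on dumps of the loaded image in the child, where the PE headers still exist. A common way a packer-identification rule reaches that verdict is by matching the section names stock UPX leaves behind (UPX0, UPX1). The following is an added example, not the sandbox's rule and not bytes from this sample: it constructs a minimal header-only PE32 image in memory and walks the section table the way such a rule does. The section-name set and the PE builder are this example's own assumptions.

```python
import struct

# Added example (not the sandbox's rule or the sample's bytes): build a minimal
# header-only PE32 image with chosen section names, then classify it as UPX by
# section name, which is the check a simple packer-identification rule makes.

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}  # assumed: names stock UPX emits


def build_min_pe(section_names, image_base=0x400000):
    """Constructed test input: DOS header + PE signature + COFF header +
    PE32 optional header + section table. No section bodies are needed
    because the check below only reads headers."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew
    coff = struct.pack("<HHIIIHH",
                       0x14C,                 # Machine: i386
                       len(section_names),    # NumberOfSections
                       0, 0, 0,               # TimeDateStamp, symbol ptr/count
                       0xE0,                  # SizeOfOptionalHeader (PE32)
                       0x102)                 # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)          # ImageBase
    table = b""
    va = 0x1000
    for name in section_names:
        table += struct.pack("<8sIIIIIIHHI",
                             name.encode("ascii").ljust(8, b"\0"),
                             0x10000, va, 0x10000, 0x400,  # VirtualSize, VA, raw size, raw ptr
                             0, 0, 0, 0,                   # relocs / line numbers
                             0xE0000040)                   # code | initialized data | rwx
        va += 0x10000
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def pe_section_names(data):
    """Walk the PE headers and return the section names in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (nsec,) = struct.unpack_from("<H", data, coff + 2)        # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                              # first IMAGE_SECTION_HEADER
    names = []
    for i in range(nsec):
        (raw,) = struct.unpack_from("<8s", data, table + 40 * i)
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """Return (verdict, section names). The verdict is True when any section
    carries a stock UPX name; a packer that renames sections defeats this,
    which is the limit of a name-based rule."""
    names = pe_section_names(data)
    return any(n in UPX_SECTION_NAMES for n in names), names


if __name__ == "__main__":
    packed = build_min_pe(["UPX0", "UPX1", ".rsrc"])
    plain = build_min_pe([".text", ".rdata", ".data"])
    print(looks_upx_packed(packed))   # (True, ['UPX0', 'UPX1', '.rsrc'])
    print(looks_upx_packed(plain))    # (False, ['.text', '.rdata', '.data'])
```

Run it against a real dump by reading the file and passing the bytes to `looks_upx_packed`; on a dump taken at the image base, as the 0x00400000 dumps here are, the headers are intact and the walk succeeds. A name-only check is a triage hint, not proof: modified UPX builds rename sections, and a genuine UPX stub can also be confirmed by the "UPX!" marker and by an entry point that lies in the last section.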
Processes

1. C:\Users\Admin\AppData\Local\Temp\PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe
   "C:\Users\Admin\AppData\Local\Temp\PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe" (PID 4720)
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe
      "C:\Users\Admin\AppData\Local\Temp\PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe" (PID 4708, child of 4720)
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

The PIDs come from the signature entries above. The shape is the usual self-injection chain: the 1.5MB file (PID 4720) launches a second copy of itself, writes into that child nine times and then sets its thread context, after which the child, not the parent, shows the RAT behaviours (privilege enabling, hook installation) and carries the UPX-matched 732KB image at 0x00400000. For triage, the payload to unpack and hunt on is that in-memory image of PID 4708, not the on-disk file, and the parent image's size relative to it is consistent with a loader stub wrapping the DarkComet build.
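The chain in the process tree (same-image parent and child, WriteProcessMemory into the child, SetThreadContext on it, then privilege and hook activity in the child) is a pattern that can be scored mechanically from an API-event stream. The following is an added example, not Triage's own logic or data: it runs a self-injection heuristic over a constructed event list whose PIDs, image path and call counts mirror this report. The event field names (`api`, `pid`, `target_pid`, `image`, `target_image`, `privilege`) and the set of high-value privileges are assumptions of this example. It also checks the dump-size arithmetic the Downloads section relies on.

```python
from collections import defaultdict

# Added example (not the sandbox's logic or data): self-injection heuristic
# over a constructed API-event stream modelled on this report. PIDs, image
# path and call counts mirror the report; event field names are assumed.

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\PAYMENTCONFIRMATIONREQUEST092092992outputBC94F6F.exe"

# Constructed events: one CreateProcess, nine WriteProcessMemory, one
# SetThreadContext from parent 4720 into child 4708, then the child's
# privilege and hook activity. The parent also installs one hook.
EVENTS = (
    [{"api": "CreateProcess", "pid": 4720, "image": IMAGE,
      "target_pid": 4708, "target_image": IMAGE}]
    + [{"api": "WriteProcessMemory", "pid": 4720, "target_pid": 4708}] * 9
    + [{"api": "SetThreadContext", "pid": 4720, "target_pid": 4708}]
    + [{"api": "AdjustTokenPrivileges", "pid": 4708, "privilege": p}
       for p in ("SeDebugPrivilege", "SeBackupPrivilege",
                 "SeRestorePrivilege", "SeTakeOwnershipPrivilege")]
    + [{"api": "SetWindowsHookEx", "pid": 4720},
       {"api": "SetWindowsHookEx", "pid": 4708}]
)

# Assumed list: privileges worth naming when a user-land binary enables them.
HIGH_VALUE_PRIVS = {"SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
                    "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
                    "SeImpersonatePrivilege"}


def region_size_kb(start, end):
    """Size of a dumped region in whole KB, as the report lists it."""
    return (end - start) // 1024


def score_injection(events):
    """Aggregate per parent/child pair and return one finding per spawned child."""
    spawned = {}                 # child pid -> (parent pid, same image?)
    writes = defaultdict(int)    # (parent, child) -> WriteProcessMemory count
    ctx = defaultdict(int)       # (parent, child) -> SetThreadContext count
    privs = defaultdict(set)     # pid -> privileges enabled
    hooks = defaultdict(int)     # pid -> SetWindowsHookEx count
    for ev in events:
        api = ev["api"]
        if api == "CreateProcess":
            same = ev["image"].lower() == ev["target_image"].lower()
            spawned[ev["target_pid"]] = (ev["pid"], same)
        elif api == "WriteProcessMemory":
            writes[(ev["pid"], ev["target_pid"])] += 1
        elif api == "SetThreadContext":
            ctx[(ev["pid"], ev["target_pid"])] += 1
        elif api == "AdjustTokenPrivileges":
            privs[ev["pid"]].add(ev["privilege"])
        elif api == "SetWindowsHookEx":
            hooks[ev["pid"]] += 1

    findings = []
    for child, (parent, same) in spawned.items():
        reasons = []
        if same:
            reasons.append("child runs the parent's own image")
        if writes[(parent, child)]:
            reasons.append(f"parent wrote child memory {writes[(parent, child)]}x")
        if ctx[(parent, child)]:
            reasons.append("parent set a thread context in the child")
        hv = sorted(privs[child] & HIGH_VALUE_PRIVS)
        if hv:
            reasons.append("child enabled " + ", ".join(hv))
        if hooks[child]:
            reasons.append("child installed a Windows hook")
        injected = bool(writes[(parent, child)] and ctx[(parent, child)])
        findings.append({
            "parent": parent,
            "child": child,
            "verdict": ("self-injection (hollowing-style)" if injected and same
                        else "remote injection" if injected else "no injection"),
            "dump_target": child if injected else parent,  # where the payload lives
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in score_injection(EVENTS):
        print(f["verdict"], f["reasons"])
    print(region_size_kb(0x400000, 0x4B7000), "KB")   # 732 KB
```

The write-then-SetThreadContext requirement is what separates injection from ordinary parent/child activity; a child that merely shares the parent's image (an updater relaunching itself, for example) scores only the first reason. The `dump_target` field encodes the triage decision from the process tree: when injection is present, memory of the child is what to acquire.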
Network
(no entries listed)

MITRE ATT&CK Matrix (ATT&CK v6)
(no entries listed)
Downloads (memory dumps)

- memory/4708-135-0x0000000000000000-mapping.dmp (process mapping; no size listed)
- memory/4708-136-0x0000000000400000-0x00000000004B7000-memory.dmp: 732KB
- memory/4708-137-0x0000000000400000-0x00000000004B7000-memory.dmp: 732KB
- memory/4708-138-0x0000000000400000-0x00000000004B7000-memory.dmp: 732KB
- memory/4708-140-0x0000000000400000-0x00000000004B7000-memory.dmp: 732KB
- memory/4708-141-0x0000000000400000-0x00000000004B7000-memory.dmp: 732KB
- memory/4708-142-0x0000000000400000-0x00000000004B7000-memory.dmp: 732KB
- memory/4720-134-0x0000000002330000-0x0000000002336000-memory.dmp: 24KB

The six 732KB dumps are the same 0x00400000-0x004B7000 region of the child (PID 4708), the default image base of a 32-bit executable, captured at successive points; 0x4B7000 - 0x400000 = 0xB7000 bytes, which is exactly 732KB and matches the listed size. The single 24KB dump is a small region at 0x02330000-0x02336000 in the parent (PID 4720). Any of the 0x00400000 dumps is the right starting point for extracting the DarkComet build, since that is the image the YARA `upx` rule matched.