Analysis
- max time kernel: 131s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-07-2022 19:32
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 5eaf2714cc996f09d764d358bb6be88fe7eaf892d4cc04f85b3f022d0efb81e0.exe
  - Resource: win7-20220718-en
General
- Target: 5eaf2714cc996f09d764d358bb6be88fe7eaf892d4cc04f85b3f022d0efb81e0.exe
- Size: 1.3MB
- MD5: 41f3dbdd92071247b28fdb7e43b34bef
- SHA1: 1e1919d995f75098d0ee65b638e7bc90cca1039c
- SHA256: 5eaf2714cc996f09d764d358bb6be88fe7eaf892d4cc04f85b3f022d0efb81e0
- SHA512: d550a440e361544a2cea4f2b8fa5ab930d5c95daa9005e817062dfb4c95dc4b0d4b57d71c1e46d564a3e5dbf0736b97fde751e0df4045e907c166ca912e7cbd9
Malware Config
Extracted
- Family: darkcomet
- Botnet (campaign ID): Guest16
- C2: 109.20.230.130:1604
- Mutex: DC_MUTEX-N4XL9B6
- Attributes:
  - gencode: m8Aeownffhl6
  - install: false
  - offline_keylogger: true
  - persistence: false
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description; pid; process; target process):
  - PID 1812 set thread context of 2288; 1812; 5eaf2714cc996f09d764d358bb6be88fe7eaf892d4cc04f85b3f022d0efb81e0.exe; 5eaf2714cc996f09d764d358bb6be88fe7eaf892d4cc04f85b3f022d0efb81e0.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes: all 24 events are from 5eaf2714cc996f09d764d358bb6be88fe7eaf892d4cc04f85b3f022d0efb81e0.exe (pid 2288), adjusting the following tokens:
  - SeIncreaseQuotaPrivilege
  - SeSecurityPrivilege
  - SeTakeOwnershipPrivilege
  - SeLoadDriverPrivilege
  - SeSystemProfilePrivilege
  - SeSystemtimePrivilege
  - SeProfSingleProcessPrivilege
  - SeIncBasePriorityPrivilege
  - SeCreatePagefilePrivilege
  - SeBackupPrivilege
  - SeRestorePrivilege
  - SeShutdownPrivilege
  - SeDebugPrivilege
  - SeSystemEnvironmentPrivilege
  - SeChangeNotifyPrivilege
  - SeRemoteShutdownPrivilege
  - SeUndockPrivilege
  - SeManageVolumePrivilege
  - SeImpersonatePrivilege
  - SeCreateGlobalPrivilege
  - 33
  - 34
  - 35
  - 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid; process):
  - 2288; 5eaf2714cc996f09d764d358bb6be88fe7eaf892d4cc04f85b3f022d0efb81e0.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description; pid; process; target process), 11 identical events:
  - PID 1812 wrote to memory of 2288; 1812; 5eaf2714cc996f09d764d358bb6be88fe7eaf892d4cc04f85b3f022d0efb81e0.exe; 5eaf2714cc996f09d764d358bb6be88fe7eaf892d4cc04f85b3f022d0efb81e0.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5eaf2714cc996f09d764d358bb6be88fe7eaf892d4cc04f85b3f022d0efb81e0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5eaf2714cc996f09d764d358bb6be88fe7eaf892d4cc04f85b3f022d0efb81e0.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\5eaf2714cc996f09d764d358bb6be88fe7eaf892d4cc04f85b3f022d0efb81e0.exe (child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5eaf2714cc996f09d764d358bb6be88fe7eaf892d4cc04f85b3f022d0efb81e0.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2288-130-0x0000000000000000-mapping.dmp
- memory/2288-131-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2288-132-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2288-133-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2288-134-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)