Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-07-2022 20:11
Static task: static1
Behavioral task: behavioral1
- Sample: 5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: 5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe
- Resource: win10v2004-20220721-en
General
- Target: 5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe
- Size: 831KB
- MD5: 8c47d220c6f5462e850bc975b7b3250a
- SHA1: be17048d36e5759ac477c48bcc00834f987daf0c
- SHA256: 5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989
- SHA512: f913467a56df8ad018b86f113b4d0da5d51bcc3c4337b2cfad6afd2091dc8f096225284f46f1f8373e22be7ecaf1063f5ea8bdcc109a9f14e42691c29392bd87
Malware Config
Extracted
- Family: darkcomet
- Botnet: Crypt
- C2: BiNC.no-ip.biz:1604
- Mutex: DC_MUTEX-0GJMXZ4
Attributes:
- gencode: MALR2k7k9YBe
- install: false
- offline_keylogger: false
- persistence: false
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe
- Description: Set value (str)
- IoC: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"
- Process: 5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes: 5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe, 5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe
- Description: PID 2804 set thread context of 4124; PID: 2804; Process: 5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe; Target process: 5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe
- Description: PID 4124 set thread context of 1584; PID: 4124; Process: 5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe; Target process: 5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: 5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe
All 24 entries have PID 1584 and process 5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe; the tokens enabled are:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeChangeNotifyPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- SeImpersonatePrivilege
- SeCreateGlobalPrivilege
- 33
- 34
- 35
- 36
Suspicious use of WriteProcessMemory (25 IoCs)
Processes: 5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe, 5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe
In every entry the process and the target process are both 5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe:
- PID 2804 wrote to memory of 4124 (11 entries)
- PID 4124 wrote to memory of 1584 (14 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe"
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1584-134-0x0000000000000000-mapping.dmp
- memory/1584-135-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1584-136-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1584-138-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1584-139-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1584-140-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/4124-130-0x0000000000000000-mapping.dmp
- memory/4124-131-0x0000000000400000-0x00000000004AC000-memory.dmp (Filesize: 688KB)
- memory/4124-133-0x0000000000400000-0x00000000004AC000-memory.dmp (Filesize: 688KB)
- memory/4124-137-0x0000000000400000-0x00000000004AC000-memory.dmp (Filesize: 688KB)