Analysis
max time kernel: 131s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2022 15:17
Static task: static1
Behavioral task: behavioral1
Sample: fa49123feb767e88b9ee228be4ab567e81ca05917098633c8dfb95c3969b47c4.exe
Resource: win7-20220812-en
General
Target: fa49123feb767e88b9ee228be4ab567e81ca05917098633c8dfb95c3969b47c4.exe
Size: 696KB
MD5: 5f504720f1edba6a0c1debae9d7fc482
SHA1: 81825d20f0c2ff30119a701f0b66e7ed7f8a2097
SHA256: fa49123feb767e88b9ee228be4ab567e81ca05917098633c8dfb95c3969b47c4
SHA512: 31993341102101dc845a1ee7e890a0d25aa7386d78bb4467ba62af00e226a1904b97f66035e1cc5521d36668478f6c9ff30fc5836f34b274f343dd6a3fc02a8d
SSDEEP: 12288:xeSNQkmWMHV+9X14gOs/rdxUbKnpe/0s/Isf0YuGc:IE2I148RFnpO0svfbPc
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: hackerboy1200.no-ip.biz:1604
Mutex: DC_MUTEX-USWPV2T
Attributes:
  gencode: YfQyDrJ6XAPb
  install: false
  offline_keylogger: true
  persistence: false
Signatures
Drops file in Drivers directory (1 IoC)
Processes: fa49123feb767e88b9ee228be4ab567e81ca05917098633c8dfb95c3969b47c4.exe
  description: File opened for modification
  ioc: C:\Windows\system32\drivers\etc\hosts
  process: fa49123feb767e88b9ee228be4ab567e81ca05917098633c8dfb95c3969b47c4.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: fa49123feb767e88b9ee228be4ab567e81ca05917098633c8dfb95c3969b47c4.exe (pid 456)
  Token privileges adjusted by pid 456:
  SeIncreaseQuotaPrivilege
  SeSecurityPrivilege
  SeTakeOwnershipPrivilege
  SeLoadDriverPrivilege
  SeSystemProfilePrivilege
  SeSystemtimePrivilege
  SeProfSingleProcessPrivilege
  SeIncBasePriorityPrivilege
  SeCreatePagefilePrivilege
  SeBackupPrivilege
  SeRestorePrivilege
  SeShutdownPrivilege
  SeDebugPrivilege
  SeSystemEnvironmentPrivilege
  SeChangeNotifyPrivilege
  SeRemoteShutdownPrivilege
  SeUndockPrivilege
  SeManageVolumePrivilege
  SeImpersonatePrivilege
  SeCreateGlobalPrivilege
  33
  34
  35
  36

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: fa49123feb767e88b9ee228be4ab567e81ca05917098633c8dfb95c3969b47c4.exe
  pid: 456
  process: fa49123feb767e88b9ee228be4ab567e81ca05917098633c8dfb95c3969b47c4.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\fa49123feb767e88b9ee228be4ab567e81ca05917098633c8dfb95c3969b47c4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fa49123feb767e88b9ee228be4ab567e81ca05917098633c8dfb95c3969b47c4.exe"
   Signatures:
   - Drops file in Drivers directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/456-132-0x0000000000400000-0x00000000004E9000-memory.dmp  Filesize: 932KB
memory/456-133-0x0000000000400000-0x00000000004E9000-memory.dmp  Filesize: 932KB
memory/456-134-0x0000000000600000-0x0000000000604000-memory.dmp  Filesize: 16KB
memory/456-135-0x0000000002120000-0x0000000002159000-memory.dmp  Filesize: 228KB
memory/456-136-0x0000000000400000-0x00000000004E9000-memory.dmp  Filesize: 932KB
memory/456-137-0x0000000000400000-0x00000000004E9000-memory.dmp  Filesize: 932KB
memory/456-138-0x0000000002120000-0x0000000002159000-memory.dmp  Filesize: 228KB