Analysis
max time kernel: 151s
max time network: 153s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02-10-2022 15:15
Behavioral task: behavioral1
Sample: aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe
Resource: win7-20220812-en
General
Target: aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe
Size: 738KB
MD5: 6091874ab29ffca373d082e83cc5bdc0
SHA1: baf56b8a4f78bf21c42fb32f84cb092c68fc831d
SHA256: aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de
SHA512: abf7a0b7e6fd442cd44b5ad26865d8a70b97007fe73167c483702343fca2e7475064a19eb9f863222d926e99399e6ebdc73b2126b38305cb0c8422791e2cfd34
SSDEEP: 12288:R9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hWeDhyPuJf:LZ1xuVVjfFoynPaVBUR8f+kN10EBk2rf
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: 192.168.0.10:1604
Mutex: DC_MUTEX-LSKZ617
InstallPath: MSDCSC\Vevo.exe
gencode: RMoWKDyzeBnh
install: true
offline_keylogger: true
persistence: false
reg_key: MicroU
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Process: aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\Vevo.exe"

Modifies security service (2 TTPs, 1 IoCs)
  Process: Vevo.exe
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"

Windows security bypass (2 IoCs)
  Process: Vevo.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

Disables RegEdit via registry modification (1 IoCs)
  Process: Vevo.exe
  Set value (int): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Disables Task Manager via registry modification

Drops file in Drivers directory (1 IoCs)
  Process: aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe
  File opened for modification: C:\Windows\system32\drivers\etc\hosts

Executes dropped EXE (1 IoCs)
  PID 1684: Vevo.exe

Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
  PID 1492: attrib.exe
  PID 968: attrib.exe

Loads dropped DLL (2 IoCs)
  PID 1404: aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe
  PID 1404: aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe

Windows security modification (2 IoCs)
  Process: Vevo.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroU = "C:\\Users\\Admin\\Documents\\MSDCSC\\Vevo.exe"

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  PID 1404 (aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 1684 (Vevo.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 956: DllHost.exe
  PID 956: DllHost.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  PID 1684: Vevo.exe

Suspicious use of WriteProcessMemory (43 IoCs)
  PID 1404 (aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe) wrote to memory of PID 1656 (cmd.exe): 4 IoCs
  PID 1404 (aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe) wrote to memory of PID 1668 (cmd.exe): 4 IoCs
  PID 1656 (cmd.exe) wrote to memory of PID 1492 (attrib.exe): 4 IoCs
  PID 1668 (cmd.exe) wrote to memory of PID 968 (attrib.exe): 4 IoCs
  PID 1404 (aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe) wrote to memory of PID 1684 (Vevo.exe): 4 IoCs
  PID 1684 (Vevo.exe) wrote to memory of PID 1364 (notepad.exe): 23 IoCs

System policy modification (1 TTPs, 3 IoCs)
  Process: Vevo.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"

Views/modifies file attributes (1 TTPs, 2 IoCs)
  PID 1492: attrib.exe
  PID 968: attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe (level 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe (level 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Users\Admin\Documents\MSDCSC\Vevo.exe (level 2)
    Command line: "C:\Users\Admin\Documents\MSDCSC\Vevo.exe"
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\SysWOW64\notepad.exe (level 3)
      Command line: notepad

C:\Windows\SysWOW64\DllHost.exe (level 1)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
Network
Downloads

C:\Users\Admin\AppData\Local\Temp\CAPTURE.JPG
  Filesize: 79KB
  MD5: 4eb25f939fac175a0c64add204bb4a3a
  SHA1: c7b301f08b0628d5cd9593a7f96eef75d45e9a53
  SHA256: 3bfc79e8b4e48f836831cc7909d1a9ea477cc3ace7089581ce8c01a998d4a77e
  SHA512: 0d8e63b6f68864e4ab9746925dbf551442846243e773512a40db6e741bd0de21b12dd8abe507e4b5bd828ed53d1383191249b11ffeb0dac781edcfd9a220fddb

C:\Users\Admin\Documents\MSDCSC\Vevo.exe
  Filesize: 738KB
  MD5: 6091874ab29ffca373d082e83cc5bdc0
  SHA1: baf56b8a4f78bf21c42fb32f84cb092c68fc831d
  SHA256: aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de
  SHA512: abf7a0b7e6fd442cd44b5ad26865d8a70b97007fe73167c483702343fca2e7475064a19eb9f863222d926e99399e6ebdc73b2126b38305cb0c8422791e2cfd34

\Users\Admin\Documents\MSDCSC\Vevo.exe
  Filesize: 738KB
  MD5: 6091874ab29ffca373d082e83cc5bdc0
  SHA1: baf56b8a4f78bf21c42fb32f84cb092c68fc831d
  SHA256: aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de
  SHA512: abf7a0b7e6fd442cd44b5ad26865d8a70b97007fe73167c483702343fca2e7475064a19eb9f863222d926e99399e6ebdc73b2126b38305cb0c8422791e2cfd34

memory/968-58-0x0000000000000000-mapping.dmp
memory/1364-68-0x0000000000000000-mapping.dmp
memory/1404-54-0x0000000074F01000-0x0000000074F03000-memory.dmp (Filesize: 8KB)
memory/1492-57-0x0000000000000000-mapping.dmp
memory/1656-55-0x0000000000000000-mapping.dmp
memory/1668-56-0x0000000000000000-mapping.dmp
memory/1684-62-0x0000000000000000-mapping.dmp