Analysis

max time kernel: 151s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2022 15:15

Behavioral task: behavioral1
Sample: aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe
Resource: win7-20220812-en
General

Target: aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe
Size: 738KB
MD5: 6091874ab29ffca373d082e83cc5bdc0
SHA1: baf56b8a4f78bf21c42fb32f84cb092c68fc831d
SHA256: aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de
SHA512: abf7a0b7e6fd442cd44b5ad26865d8a70b97007fe73167c483702343fca2e7475064a19eb9f863222d926e99399e6ebdc73b2126b38305cb0c8422791e2cfd34
SSDEEP: 12288:R9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hWeDhyPuJf:LZ1xuVVjfFoynPaVBUR8f+kN10EBk2rf
Malware Config

Extracted
- Family: darkcomet
- Campaign ID: Guest16
- C2: 192.168.0.10:1604
- Mutex: DC_MUTEX-LSKZ617
- InstallPath: MSDCSC\Vevo.exe
- gencode: RMoWKDyzeBnh
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroU

The C2 is an RFC 1918 private address and 1604 is DarkComet's default listening port, so this build can only reach a controller on the same local network; it will not beacon anywhere from a sandbox unless that host happens to exist on the sandbox network, which is consistent with the empty Network section below. InstallPath and reg_key line up with the behaviour recorded in the signatures: the dropped copy is written to MSDCSC\Vevo.exe under the user's Documents folder and the Run value created is named MicroU. The install flag, not the persistence flag, is what governs that autostart setup here.
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\Vevo.exe"
Winlogon launches every comma-separated entry in UserInit at interactive logon, so appending Vevo.exe after the legitimate userinit.exe starts the implant with each logon (ATT&CK T1547.004). The clean default value is "C:\Windows\system32\userinit.exe," with nothing after the comma.

Modifies security service (2 TTPs, 1 IoC)
Process: Vevo.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
Start type 4 is SERVICE_DISABLED: the Windows Security Center service (wscsvc) will not start on the next boot.

Windows security bypass (2 IoCs; named as such in the process tree below)
Process: Vevo.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
The WOW6432Node path shows a 32-bit process writing through the redirected view of HKLM\SOFTWARE.

Disables RegEdit via registry modification (1 IoC)
Process: Vevo.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Disables Task Manager via registry modification
(no IoCs listed)

Drops file in Drivers directory (1 IoC)
Process: aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe
- File opened for modification C:\Windows\system32\drivers\etc\hosts
The hosts file is writable only by Administrators by default, which the Admin account in this run had; on a live host, diff the file against a known-good copy for added entries.

Executes dropped EXE (1 IoC)
- PID 1452 Vevo.exe

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
- PID 1100 attrib.exe
- PID 4220 attrib.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process: aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe
- Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation

Windows security modification (2 IoCs; named as such in the process tree below)
Process: Vevo.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

Adds Run key to start application (2 TTPs, 1 IoC)
Process: aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroU = "C:\Users\Admin\Documents\MSDCSC\Vevo.exe"
The value name MicroU is the reg_key from the extracted config (ATT&CK T1547.001). Together with the UserInit entry the sample has two independent autostart paths; removing only one leaves it persistent.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The "likely ransomware" wording is the sandbox's generic description for this signature; the extracted config identifies the family as DarkComet, a remote access trojan, and nothing else in this report shows file encryption.
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe (PID 4812), Vevo.exe (PID 1452)
Each of the two processes adjusted its token for the same 24 privileges:
- SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- privileges reported only by LUID: 33, 34, 35, 36 (in winnt.h these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege)
This is the full set an administrator's token carries. AdjustTokenPrivileges can only enable privileges already present in the token, so the list records what was requested, not an escalation; for triage the notable ones are SeDebugPrivilege (cross-process access) and SeBackupPrivilege/SeRestorePrivilege (bypass file and registry ACLs).
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1452 Vevo.exe
A Windows hook installed by the implant process, consistent with offline_keylogger = true in the extracted config; a keyboard hook is the usual way such keyloggers capture input without the target window's cooperation.
Suspicious use of WriteProcessMemory (37 IoCs)
Writer (PID) -> target (PID): number of writes
- aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe (4812) -> cmd.exe (4188): 3
- aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe (4812) -> cmd.exe (1060): 3
- cmd.exe (4188) -> attrib.exe (4220): 3
- cmd.exe (1060) -> attrib.exe (1100): 3
- aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe (4812) -> Vevo.exe (1452): 3
- Vevo.exe (1452) -> notepad.exe (1444): 22
The three writes per child are the small fixed number that accompany each ordinary process creation by its parent. The 22 writes from Vevo.exe into notepad.exe, a process that has no reason to exist in this chain and was started with no file argument, are consistent with code injection into a decoy host process.
System policy modification (1 TTP, 3 IoCs)
Process: Vevo.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
The paths are reproduced exactly as the sample wrote them. The key Explorer actually honours is ...\CurrentVersion\Policies\Explorer\NoControlPanel; the extra CurrentVersion component and the misspelt Explorern key mean this write has no effect on the Control Panel, although the stray keys remain a usable host indicator. Contrast the DisableRegistryTools write above, which lands in the correct Policies\System key and does take effect.

Views/modifies file attributes (1 TTP, 2 IoCs)
- PID 4220 attrib.exe
- PID 1100 attrib.exe
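The registry IoCs above are the durable part of this report: a defender who sees the same writes on a live host can recognise the behaviour without the sample. As an added example, not part of the Triage report or of any Triage tooling, the following Python parses registry events in the flattened form the report prints them in and maps them to the persistence and defence-evasion behaviours the signatures describe, including the off-target NoControlPanel write. The SAMPLE_EVENTS are constructed from this report's IoCs, with "sample.exe" standing in for the submitted file name; the rule names and ATT&CK technique IDs are this example's own mapping, not the sandbox's.

```python
"""Map flattened Triage registry events to persistence / defence-evasion findings.

Added example, not part of the Triage report: parses registry IoC lines in the
form the report prints them and tags the DarkComet behaviours the signatures
describe. SAMPLE_EVENTS are constructed from this report's IoCs, with
"sample.exe" standing in for the submitted file name; rule names and ATT&CK
technique IDs are this example's own mapping, not the sandbox's.
"""
import re
from typing import Optional

# Policy key Explorer actually reads; a NoControlPanel value anywhere else is
# written off-target and has no effect (the sample wrote
# ...\Policies\CurrentVersion\Explorern\NoControlPanel).
EXPLORER_POLICY = r"\software\microsoft\windows\currentversion\policies\explorer"

_EVENT = re.compile(
    r"^(?P<op>Set value|Key created|Key value queried)"
    r"(?: \((?P<vtype>\w+)\))? (?P<rest>.+) (?P<proc>\S+)$"
)

# Constructed from the IoCs in the signatures above (JSON-style "\\" kept as printed).
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\Vevo.exe" sample.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroU = "C:\\Users\\Admin\\Documents\\MSDCSC\\Vevo.exe" sample.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" Vevo.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Vevo.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Vevo.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Vevo.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern Vevo.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" Vevo.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation sample.exe',
]


def parse_event(line: str) -> Optional[dict]:
    """Split one flattened registry line into op / path / value / process."""
    m = _EVENT.match(line.strip())
    if not m:
        return None
    rest, value = m.group("rest"), None
    if m.group("op") == "Set value":
        path, _, quoted = rest.partition(" = ")
        value = quoted.strip('"').replace("\\\\", "\\")  # undo the report's escaping
    else:
        path = rest
    return {"op": m.group("op"), "path": path, "value": value, "process": m.group("proc")}


def classify(ev: dict) -> Optional[dict]:
    """Return a finding for one parsed event, or None if it is not of interest."""
    if ev["op"] != "Set value":
        return None
    path, value = ev["path"].lower(), ev["value"] or ""
    key, _, name = ev["path"].rpartition("\\")
    name_l, effective = name.lower(), True
    if path.endswith(r"\winlogon\userinit"):
        # Winlogon runs every comma-separated entry; only userinit.exe belongs here.
        extras = [p for p in value.split(",") if p and not p.lower().endswith("\\userinit.exe")]
        if not extras:
            return None
        rule, technique, details = "winlogon_userinit_persistence", "T1547.004", extras
    elif "\\currentversion\\run\\" in path:
        rule, technique, details = "run_key_persistence", "T1547.001", [value]
    elif path.endswith(r"\services\wscsvc\start") and value == "4":  # 4 = SERVICE_DISABLED
        rule, technique, details = "security_center_service_disabled", "T1562.001", [value]
    elif "\\security center\\" in path and name_l.endswith("disablenotify") and value == "1":
        rule, technique, details = "security_notifications_disabled", "T1562.001", [name]
    elif name_l in ("disableregistrytools", "disabletaskmgr") and value == "1":
        rule, technique, details = "admin_tool_lockout", "T1112", [name]
    elif name_l == "nocontrolpanel" and value == "1":
        # Only effective when written under the real Explorer policy key.
        effective = key.lower().endswith(EXPLORER_POLICY)
        rule, technique, details = "explorer_policy_lockout", "T1112", [name]
    else:
        return None
    return {"rule": rule, "technique": technique, "process": ev["process"],
            "effective": effective, "details": details}


def analyse(lines) -> list:
    """Parse and classify every line; unparsable or uninteresting lines are skipped."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        finding = classify(ev) if ev else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        flag = "" if f["effective"] else "  (written off-target, no effect)"
        print(f"{f['technique']:<9} {f['rule']:<34} {f['process']:<10} {f['details']}{flag}")
```

Run as a script it prints seven findings for the constructed events: both autostart entries from the dropper, the four Security Center and policy writes from Vevo.exe, and the NoControlPanel write marked as having no effect. The "Key created" and "Key value queried" lines parse but produce no finding, which is deliberate: they are context, not evidence on their own.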
Processes

1. C:\Users\Admin\AppData\Local\Temp\aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe (PID 4812)
   Command line: "C:\Users\Admin\AppData\Local\Temp\aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe"
   - Modifies WinLogon for persistence
   - Drops file in Drivers directory
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe" +s +h
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib "C:\Users\Admin\AppData\Local\Temp\aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de.exe" +s +h
         - Sets file to hidden
         - Views/modifies file attributes

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
         - Sets file to hidden
         - Views/modifies file attributes

   2. C:\Users\Admin\Documents\MSDCSC\Vevo.exe (PID 1452)
      Command line: "C:\Users\Admin\Documents\MSDCSC\Vevo.exe"
      - Modifies security service
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification

      3. C:\Windows\SysWOW64\notepad.exe (PID 1444)
         Command line: notepad

Notes on the tree: the two cmd.exe/attrib.exe pairs are PIDs 4188/4220 and 1060/1100 (the report does not tie each pair to a particular attrib command). The system binaries' image paths are under SysWOW64 although the command lines name System32: the sample is a 32-bit process, so WOW64 file-system redirection maps System32 to SysWOW64 for it and its children. The first attrib call marks the sample itself system+hidden; the second hides the whole %TEMP% directory, which also conceals anything else dropped there. notepad.exe is started with no file argument and is the target of the 22 memory writes listed under WriteProcessMemory, the usual shape of a decoy host for injected code; in live triage, dump and inspect that process rather than trusting its image name.
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\CAPTURE.JPG
- Filesize: 79KB
- MD5: 4eb25f939fac175a0c64add204bb4a3a
- SHA1: c7b301f08b0628d5cd9593a7f96eef75d45e9a53
- SHA256: 3bfc79e8b4e48f836831cc7909d1a9ea477cc3ace7089581ce8c01a998d4a77e
- SHA512: 0d8e63b6f68864e4ab9746925dbf551442846243e773512a40db6e741bd0de21b12dd8abe507e4b5bd828ed53d1383191249b11ffeb0dac781edcfd9a220fddb

C:\Users\Admin\Documents\MSDCSC\Vevo.exe (listed twice in the report with identical hashes)
- Filesize: 738KB
- MD5: 6091874ab29ffca373d082e83cc5bdc0
- SHA1: baf56b8a4f78bf21c42fb32f84cb092c68fc831d
- SHA256: aaaa4c64f72af2fc920b47e4bc325049b0555ea8b54c870e9082b96f34d535de
- SHA512: abf7a0b7e6fd442cd44b5ad26865d8a70b97007fe73167c483702343fca2e7475064a19eb9f863222d926e99399e6ebdc73b2126b38305cb0c8422791e2cfd34
These hashes match the submitted file exactly: the installed copy is a byte-for-byte copy of the original, so one SHA256 covers both on-disk locations, and the hidden original in %TEMP% must be removed along with Vevo.exe.

Memory dumps
- memory/1060-133-0x0000000000000000-mapping.dmp
- memory/1100-135-0x0000000000000000-mapping.dmp
- memory/1444-140-0x0000000000000000-mapping.dmp
- memory/1452-136-0x0000000000000000-mapping.dmp
- memory/4188-132-0x0000000000000000-mapping.dmp
- memory/4220-134-0x0000000000000000-mapping.dmp