Analysis

max time kernel: 172s
max time network: 187s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2022 23:30
Behavioral task: behavioral1
Sample: 74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe
Resource: win7-20220812-en
General

Target: 74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe
Size: 1.4MB
MD5: 57c70ac8a46540077bc85eb33ffceea4
SHA1: 1eee0eac9cd92889c2e2485fc3930251024dca3a
SHA256: 74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d
SHA512: 8ea27a248fcb878dece1ca23f79e244e8cdb7337f3186f3c922193cacba9910f8a3ff49bfe4f13941d7d286d464e54f229408b84f816c30df8579d4387faca86
SSDEEP: 24576:v1A/bjvJyQiFqwqbKaWbxL+YthDNRjKZmbj6MUX/4bhMtwNyAGR619Z6awzwhbiG:v1ev98aWd/zRjKZjMUX/4b2twNyAVZ6a
Malware Config

Extracted
Family: darkcomet
Botnet: Guest16
C2: 178.118.159.7:2500
Mutex: DC_MUTEX-KTLT5KQ
Attributes:
  gencode: NGjrQs4d1gxe
  install: false
  offline_keylogger: true
  persistence: false
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1264  insecure.exe
  1096  insecure.exe

YARA rule matches (rule: upx; signature title not present on the page)
  resource                                                                      yara_rule
  behavioral1/memory/1892-54-0x0000000000400000-0x0000000000873000-memory.dmp   upx
  behavioral1/memory/1892-55-0x0000000000400000-0x0000000000873000-memory.dmp   upx
  \Users\Admin\AppData\Roaming\Internet Security\insecure.exe                   upx
  \Users\Admin\AppData\Roaming\Internet Security\insecure.exe                   upx
  C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe                 upx
  behavioral1/memory/1892-61-0x0000000000400000-0x0000000000873000-memory.dmp   upx
  behavioral1/memory/1264-62-0x0000000000400000-0x0000000000873000-memory.dmp   upx
  behavioral1/memory/1264-63-0x0000000000400000-0x0000000000873000-memory.dmp   upx
  C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe                 upx
  C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe                 upx
  behavioral1/memory/1264-82-0x0000000000400000-0x0000000000873000-memory.dmp   upx

Drops startup file (1 IoCs)
Processes: 74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe
  description   ioc                                                                                       process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Internet Security.vbs  74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe

Loads dropped DLL (2 IoCs)
Processes: 74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe
  pid   process
  1892  74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe
  1892  74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: insecure.exe
  description                           pid   process       target process
  PID 1264 set thread context of 1096   1264  insecure.exe  insecure.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes: insecure.exe (pid 1096), one entry per token:
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 33
  Token: 34
  Token: 35

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: insecure.exe
  pid   process
  1096  insecure.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe, insecure.exe
  description                       pid   process                                                                   target process   entries
  PID 1892 wrote to memory of 1264  1892  74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe     insecure.exe     4
  PID 1264 wrote to memory of 1096  1264  insecure.exe                                                              insecure.exe     13
Processes

1. C:\Users\Admin\AppData\Local\Temp\74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe"
   - Drops startup file
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe
      command line: "C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe
         command line: "C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe
  Filesize: 1.4MB
  MD5: 57c70ac8a46540077bc85eb33ffceea4
  SHA1: 1eee0eac9cd92889c2e2485fc3930251024dca3a
  SHA256: 74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d
  SHA512: 8ea27a248fcb878dece1ca23f79e244e8cdb7337f3186f3c922193cacba9910f8a3ff49bfe4f13941d7d286d464e54f229408b84f816c30df8579d4387faca86

\Users\Admin\AppData\Roaming\Internet Security\insecure.exe
  Filesize: 1.4MB
  MD5: 57c70ac8a46540077bc85eb33ffceea4
  SHA1: 1eee0eac9cd92889c2e2485fc3930251024dca3a
  SHA256: 74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d
  SHA512: 8ea27a248fcb878dece1ca23f79e244e8cdb7337f3186f3c922193cacba9910f8a3ff49bfe4f13941d7d286d464e54f229408b84f816c30df8579d4387faca86

Memory dumps (resource, Filesize):
  memory/1096-69-0x0000000000400000-0x00000000004B2000-memory.dmp   712KB
  memory/1096-73-0x0000000000400000-0x00000000004B2000-memory.dmp   712KB
  memory/1096-88-0x0000000000400000-0x00000000004B2000-memory.dmp   712KB
  memory/1096-86-0x0000000000400000-0x00000000004B2000-memory.dmp   712KB
  memory/1096-84-0x0000000000400000-0x00000000004B2000-memory.dmp   712KB
  memory/1096-66-0x0000000000400000-0x00000000004B2000-memory.dmp   712KB
  memory/1096-81-0x000000000048F888-mapping.dmp                     (no size listed)
  memory/1096-87-0x0000000000400000-0x00000000004B2000-memory.dmp   712KB
  memory/1096-71-0x0000000000400000-0x00000000004B2000-memory.dmp   712KB
  memory/1096-80-0x0000000000400000-0x00000000004B2000-memory.dmp   712KB
  memory/1096-75-0x0000000000400000-0x00000000004B2000-memory.dmp   712KB
  memory/1096-78-0x0000000000400000-0x00000000004B2000-memory.dmp   712KB
  memory/1096-76-0x0000000000400000-0x00000000004B2000-memory.dmp   712KB
  memory/1264-82-0x0000000000400000-0x0000000000873000-memory.dmp   4.4MB
  memory/1264-59-0x0000000000000000-mapping.dmp                     (no size listed)
  memory/1264-63-0x0000000000400000-0x0000000000873000-memory.dmp   4.4MB
  memory/1264-62-0x0000000000400000-0x0000000000873000-memory.dmp   4.4MB
  memory/1892-56-0x0000000075811000-0x0000000075813000-memory.dmp   8KB
  memory/1892-55-0x0000000000400000-0x0000000000873000-memory.dmp   4.4MB
  memory/1892-54-0x0000000000400000-0x0000000000873000-memory.dmp   4.4MB
  memory/1892-61-0x0000000000400000-0x0000000000873000-memory.dmp   4.4MB