Analysis
- max time kernel: 143s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 23:30
Behavioral task: behavioral1
- Sample: 74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe
- Resource: win7-20220812-en
General
- Target: 74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe
- Size: 1.4MB
- MD5: 57c70ac8a46540077bc85eb33ffceea4
- SHA1: 1eee0eac9cd92889c2e2485fc3930251024dca3a
- SHA256: 74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d
- SHA512: 8ea27a248fcb878dece1ca23f79e244e8cdb7337f3186f3c922193cacba9910f8a3ff49bfe4f13941d7d286d464e54f229408b84f816c30df8579d4387faca86
- SSDEEP: 24576:v1A/bjvJyQiFqwqbKaWbxL+YthDNRjKZmbj6MUX/4bhMtwNyAGR619Z6awzwhbiG:v1ev98aWd/zRjKZjMUX/4b2twNyAVZ6a
Malware Config
Extracted: darkcomet
- Guest16
- 178.118.159.7:2500
- DC_MUTEX-KTLT5KQ
- gencode: NGjrQs4d1gxe
- install: false
- offline_keylogger: true
- persistence: false
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  3784  insecure.exe
  4684  insecure.exe
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/5008-132-0x0000000000400000-0x0000000000873000-memory.dmp  upx
  behavioral2/memory/5008-133-0x0000000000400000-0x0000000000873000-memory.dmp  upx
  C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe                 upx
  C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe                 upx
  behavioral2/memory/5008-137-0x0000000000400000-0x0000000000873000-memory.dmp  upx
  behavioral2/memory/3784-138-0x0000000000400000-0x0000000000873000-memory.dmp  upx
  behavioral2/memory/3784-139-0x0000000000400000-0x0000000000873000-memory.dmp  upx
  C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe                 upx
  behavioral2/memory/3784-144-0x0000000000400000-0x0000000000873000-memory.dmp  upx
Drops startup file (1 IoCs)
Processes:
  - description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Internet Security.vbs
    process: 74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  - description: PID 3784 set thread context of 4684
    pid: 3784
    process: insecure.exe
    target process: insecure.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
  description                            pid   process
  Token: SeIncreaseQuotaPrivilege        4684  insecure.exe
  Token: SeSecurityPrivilege             4684  insecure.exe
  Token: SeTakeOwnershipPrivilege        4684  insecure.exe
  Token: SeLoadDriverPrivilege           4684  insecure.exe
  Token: SeSystemProfilePrivilege        4684  insecure.exe
  Token: SeSystemtimePrivilege           4684  insecure.exe
  Token: SeProfSingleProcessPrivilege    4684  insecure.exe
  Token: SeIncBasePriorityPrivilege      4684  insecure.exe
  Token: SeCreatePagefilePrivilege       4684  insecure.exe
  Token: SeBackupPrivilege               4684  insecure.exe
  Token: SeRestorePrivilege              4684  insecure.exe
  Token: SeShutdownPrivilege             4684  insecure.exe
  Token: SeDebugPrivilege                4684  insecure.exe
  Token: SeSystemEnvironmentPrivilege    4684  insecure.exe
  Token: SeChangeNotifyPrivilege         4684  insecure.exe
  Token: SeRemoteShutdownPrivilege       4684  insecure.exe
  Token: SeUndockPrivilege               4684  insecure.exe
  Token: SeManageVolumePrivilege         4684  insecure.exe
  Token: SeImpersonatePrivilege          4684  insecure.exe
  Token: SeCreateGlobalPrivilege         4684  insecure.exe
  Token: 33                              4684  insecure.exe
  Token: 34                              4684  insecure.exe
  Token: 35                              4684  insecure.exe
  Token: 36                              4684  insecure.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid   process
  4684  insecure.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description                        pid   process                                                                 target process
  PID 5008 wrote to memory of 3784   5008  74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe  insecure.exe
  PID 5008 wrote to memory of 3784   5008  74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe  insecure.exe
  PID 5008 wrote to memory of 3784   5008  74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe  insecure.exe
  PID 3784 wrote to memory of 4684   3784  insecure.exe                                                            insecure.exe
  PID 3784 wrote to memory of 4684   3784  insecure.exe                                                            insecure.exe
  PID 3784 wrote to memory of 4684   3784  insecure.exe                                                            insecure.exe
  PID 3784 wrote to memory of 4684   3784  insecure.exe                                                            insecure.exe
  PID 3784 wrote to memory of 4684   3784  insecure.exe                                                            insecure.exe
  PID 3784 wrote to memory of 4684   3784  insecure.exe                                                            insecure.exe
  PID 3784 wrote to memory of 4684   3784  insecure.exe                                                            insecure.exe
  PID 3784 wrote to memory of 4684   3784  insecure.exe                                                            insecure.exe
  PID 3784 wrote to memory of 4684   3784  insecure.exe                                                            insecure.exe
  PID 3784 wrote to memory of 4684   3784  insecure.exe                                                            insecure.exe
  PID 3784 wrote to memory of 4684   3784  insecure.exe                                                            insecure.exe
  PID 3784 wrote to memory of 4684   3784  insecure.exe                                                            insecure.exe
  PID 3784 wrote to memory of 4684   3784  insecure.exe                                                            insecure.exe
  PID 3784 wrote to memory of 4684   3784  insecure.exe                                                            insecure.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe"
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe
    command line: "C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe
      command line: "C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe
  Filesize: 1.4MB
  MD5: 57c70ac8a46540077bc85eb33ffceea4
  SHA1: 1eee0eac9cd92889c2e2485fc3930251024dca3a
  SHA256: 74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d
  SHA512: 8ea27a248fcb878dece1ca23f79e244e8cdb7337f3186f3c922193cacba9910f8a3ff49bfe4f13941d7d286d464e54f229408b84f816c30df8579d4387faca86
- memory/3784-138-0x0000000000400000-0x0000000000873000-memory.dmp (Filesize: 4.4MB)
- memory/3784-134-0x0000000000000000-mapping.dmp
- memory/3784-139-0x0000000000400000-0x0000000000873000-memory.dmp (Filesize: 4.4MB)
- memory/3784-144-0x0000000000400000-0x0000000000873000-memory.dmp (Filesize: 4.4MB)
- memory/4684-140-0x0000000000000000-mapping.dmp
- memory/4684-141-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/4684-143-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/4684-145-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/4684-146-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/5008-137-0x0000000000400000-0x0000000000873000-memory.dmp (Filesize: 4.4MB)
- memory/5008-132-0x0000000000400000-0x0000000000873000-memory.dmp (Filesize: 4.4MB)
- memory/5008-133-0x0000000000400000-0x0000000000873000-memory.dmp (Filesize: 4.4MB)