Analysis
max time kernel: 151s
max time network: 175s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2022, 02:41
Static task: static1
Behavioral task: behavioral1
  Sample: 81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe
  Resource: win10v2004-20220812-en
(The signatures, process tree and memory dumps below come from behavioral1, the Windows 7 x64 run.)
General
Target: 81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe
Size: 728KB
MD5: 47a3a38c613fc7fe50379423838f42a0
SHA1: baf35bd9625bec201df56e0859f6205f55fe480b
SHA256: 81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006
SHA512: 4efbfceaf33d19596173b0ec9ae2c8e5894182edf0366b4aa543cda9b4a957a4d36be897626668fbd2256f8f17045a355bb5067dfdd3297946ef53034798051f
SSDEEP: 12288:7iLERtSJj3culKz/LXzqCFeJ8eAQlfmO8hzrFsaCT6xwb2T99X//Mbt:71ij3cJzTXz/Ub8NYmxxTnX
Malware Config
Extracted family: darkcomet
Campaign ID: installs
C2: shine.redirectme.net:1604
Mutex: DCMIN_MUTEX-82NGH63
gencode: 6yJTM4P9wAcU
install: false
offline_keylogger: true
persistence: false
-
Reading the config: the C2 is a No-IP dynamic-DNS hostname (redirectme.net) on 1604, DarkComet's default listener port, so block and hunt by hostname rather than by the IP it happened to resolve to. DCMIN_MUTEX-<id> is DarkComet's standard mutex prefix and is a usable host indicator. Both install and persistence are false, meaning the RAT's own installer is switched off; the Run-key persistence recorded further down is written by the outer dropper layer (PID 1076 through DULJA.bat and reg.exe), not by DarkComet itself. offline_keylogger is true, which matches the SetWindowsHookEx activity seen in every stage.
Signatures
-
Executes dropped EXE 2 IoCs
pid   Process
908   firefox udate.exe
612   firefox udate.exe
-
YARA rule upx matched on memory dumps 9 IoCs
resource                                                                        yara_rule
behavioral1/memory/1076-61-0x0000000000400000-0x000000000040B000-memory.dmp     upx
behavioral1/memory/1076-63-0x0000000000400000-0x000000000040B000-memory.dmp     upx
behavioral1/memory/1076-64-0x0000000000400000-0x000000000040B000-memory.dmp     upx
behavioral1/memory/1076-67-0x0000000000400000-0x000000000040B000-memory.dmp     upx
behavioral1/memory/1076-68-0x0000000000400000-0x000000000040B000-memory.dmp     upx
behavioral1/memory/1076-71-0x0000000000400000-0x000000000040B000-memory.dmp     upx
behavioral1/memory/612-112-0x0000000000400000-0x000000000040B000-memory.dmp     upx
behavioral1/memory/1076-120-0x0000000000400000-0x000000000040B000-memory.dmp    upx
behavioral1/memory/612-125-0x0000000000400000-0x000000000040B000-memory.dmp     upx
Every match is the same 44 KB image region (0x400000-0x40B000) inside the two hollowed children, PIDs 1076 and 612; the UPX signature fires on the payload that was written into those processes, not on the on-disk dropper, so a memory dump of either child is the right artifact to unpack.
-
Loads dropped DLL 5 IoCs
pid    Process
1076   81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe (5 loads)
-
Adds Run key to start application 2 TTPs 2 IoCs
Key created (reg.exe): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run
Set value, str (reg.exe): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox udate.exe = "C:\\Users\\Admin\\AppData\\Roaming\\temp\\firefox udate.exe"
The value name misspells "update" and points into %APPDATA%\temp, a user-writable directory; an HKCU Run entry needs no elevation, so this persistence works from a standard user account. When hunting, enumerate HKCU\...\CurrentVersion\Run values whose data resolves under a user profile (AppData, Temp) and whose file is not signed.
-
Suspicious use of SetThreadContext 3 IoCs
description                             pid    Process                                                                  procid_target
PID 1884 set thread context of 1076     1884   81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe    28
PID 908 set thread context of 612       908    firefox udate.exe                                                        33
PID 908 set thread context of 1072      908    firefox udate.exe                                                        34
Each target is a direct child of the caller that also receives WriteProcessMemory (see below); write-then-SetThreadContext on a freshly created child is the process-hollowing pattern (child started suspended, image replaced, entry point redirected). 1076 and 612 are same-image copies of their parents; 1072 is svchost.exe, used so the RAT's network and hook activity appears under a system binary name.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" label to this signature; for a DarkComet sample it is consistent with the RAT's file-manager and drive-listing features, and no encryption or file-renaming activity is recorded in this run.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
svchost.exe (PID 1072) enabled: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege).
firefox udate.exe (PID 612) enabled: SeDebugPrivilege, repeatedly (41 entries shown).
A svchost.exe not started by services.exe that enables the entire privilege set of its token is a strong hunting signal on its own.
-
Suspicious use of SetWindowsHookEx 5 IoCs
pid    Process
1884   81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe
1076   81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe
908    firefox udate.exe
612    firefox udate.exe
1072   svchost.exe
Windows hooks are how DarkComet's keylogger captures input; the extracted config has offline_keylogger set to true, so these hooks are expected rather than incidental.
-
Suspicious use of WriteProcessMemory 41 IoCs
source pid   source Process                                                           target pid   target image (from process tree)   procid_target   writes
1884         81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe    1076         81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe   28   8
1076         81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe    1720         cmd.exe                            29   4
1720         cmd.exe                                                                  340          reg.exe                            31   4
1076         81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe    908          firefox udate.exe                  32   4
908          firefox udate.exe                                                        612          firefox udate.exe                  33   8
908          firefox udate.exe                                                        1072         svchost.exe                        34   13
Only the three targets that also receive SetThreadContext (1076, 612, 1072) are hollowing candidates; the writes into cmd.exe, reg.exe and the initial firefox udate.exe launch (PID 908) have no matching SetThreadContext and are ordinary child-process creation.
Processes
C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe  (PID 1884, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe  (PID 1076, depth 2, hollowed child of 1884)
    command line: "C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe"
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 1720, depth 3)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\DULJA.bat" "
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe  (PID 340, depth 4)
        command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "firefox udate.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe" /f
        - Adds Run key to start application
    C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe  (PID 908, depth 3)
      command line: "C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe  (PID 612, depth 4, hollowed child of 908)
        command line: "C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\svchost.exe  (PID 1072, depth 4, hollowed child of 908)
        command line: "C:\Windows\system32\svchost.exe"
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Two details of the tree matter for detection. The image paths are under SysWOW64 while the command lines say system32: the whole chain is 32-bit code running under file-system redirection on 64-bit Windows. And the final svchost.exe has no "-k <group>" argument and a non-services.exe parent (firefox udate.exe), which is never true of a legitimate service host and is a cheap process-creation rule on its own.
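The chain above (write into a fresh child, then SetThreadContext, plus a REG ADD for persistence) is easy to re-derive mechanically from the IoC records. The script below is an added example, not part of the sandbox report and not the sandbox vendor's code: it parses records in the report's own wording (PIDs, images and repeat counts copied from this page), reconstructs which parent/child pairs form a hollowing chain and whether the child runs the parent's own image or a masquerade such as svchost.exe, and parses the reg.exe command line into a checkable Run-key entry. The PROCESSES table, the record strings and the two regular expressions are the example's assumptions about the report's format.

```python
"""Triage helper for sandbox IoC records (added example; not the report's code).

Records are copied from the report: 41 'wrote to memory of' entries and 3
'set thread context of' entries, plus the REG ADD command line from the
process tree. Parsing logic and the hollowing heuristic are the example's own.
"""
import re
from collections import Counter

SAMPLE = "81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe"

# Process tree copied from the report's "Processes" section: pid -> (ppid, image).
PROCESSES = {
    1884: (None, SAMPLE),
    1076: (1884, SAMPLE),
    1720: (1076, "cmd.exe"),
    340:  (1720, "reg.exe"),
    908:  (1076, "firefox udate.exe"),
    612:  (908,  "firefox udate.exe"),
    1072: (908,  "svchost.exe"),
}

# IoC records in the sandbox's wording; repeat counts match the report.
IOC_RECORDS = (
    ["PID 1884 wrote to memory of 1076 1884 %s 28" % SAMPLE] * 8
    + ["PID 1076 wrote to memory of 1720 1076 %s 29" % SAMPLE] * 4
    + ["PID 1720 wrote to memory of 340 1720 cmd.exe 31"] * 4
    + ["PID 1076 wrote to memory of 908 1076 %s 32" % SAMPLE] * 4
    + ["PID 908 wrote to memory of 612 908 firefox udate.exe 33"] * 8
    + ["PID 908 wrote to memory of 1072 908 firefox udate.exe 34"] * 13
    + ["PID 1884 set thread context of 1076 1884 %s 28" % SAMPLE,
       "PID 908 set thread context of 612 908 firefox udate.exe 33",
       "PID 908 set thread context of 1072 908 firefox udate.exe 34"]
)

# reg.exe command line copied from the process tree.
RUN_CMD = ('REG ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
           '/v "firefox udate.exe" /t REG_SZ '
           '/d "C:\\Users\\Admin\\AppData\\Roaming\\temp\\firefox udate.exe" /f')

RECORD_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)\b")
REG_ADD_RE = re.compile(
    r'REG ADD "(?P<key>[^"]+)" /v "(?P<name>[^"]+)" /t (?P<type>\S+) /d "(?P<data>[^"]+)"',
    re.IGNORECASE)


def parse_records(records):
    """Return (write_counts, setctx_pairs): how often each (src, dst) pair was
    written to, and the set of (src, dst) pairs that received SetThreadContext."""
    writes, setctx = Counter(), set()
    for rec in records:
        m = RECORD_RE.match(rec)
        if not m:
            continue  # unrelated record type; ignore
        src, action, dst = int(m.group(1)), m.group(2), int(m.group(3))
        if action.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            setctx.add((src, dst))
    return writes, setctx


def hollowing_candidates(processes, writes, setctx):
    """A parent that writes into a direct child and then resets the child's
    thread context is the process-hollowing pattern. Returns sorted
    (parent, child, kind) tuples; kind is 'same-image' when the child runs the
    parent's own binary and 'masquerade' when it runs a different image."""
    out = []
    for (src, dst) in sorted(setctx):
        if writes[(src, dst)] == 0:
            continue  # SetThreadContext without a prior write: not hollowing
        ppid, image = processes.get(dst, (None, None))
        if ppid != src:
            continue  # only a process's own fresh child is hollowed at creation
        kind = "same-image" if image == processes[src][1] else "masquerade"
        out.append((src, dst, kind))
    return out


def parse_reg_add(cmdline):
    """Parse 'REG ADD <key> /v <name> /t <type> /d <data>' into a dict and flag
    an autostart entry whose target lives in a user-writable profile directory."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    entry = m.groupdict()
    entry["autostart"] = entry["key"].lower().endswith("\\currentversion\\run")
    entry["user_writable"] = "\\appdata\\" in entry["data"].lower()
    return entry


def triage(records=IOC_RECORDS, processes=PROCESSES, reg_cmd=RUN_CMD):
    """Run the whole pass and return a summary dict."""
    writes, setctx = parse_records(records)
    return {
        "write_total": sum(writes.values()),
        "hollowing": hollowing_candidates(processes, writes, setctx),
        "run_key": parse_reg_add(reg_cmd),
    }


if __name__ == "__main__":
    result = triage()
    for parent, child, kind in result["hollowing"]:
        print(f"hollowing: {parent} ({PROCESSES[parent][1]}) -> {child} "
              f"({PROCESSES[child][1]}), {kind}")
    rk = result["run_key"]
    print(f"run key: {rk['name']} -> {rk['data']} "
          f"(autostart={rk['autostart']}, user_writable={rk['user_writable']})")
```

The ppid check is what keeps cmd.exe and reg.exe out of the hollowing list even though they were written to: a write alone is ordinary process creation in this sandbox's records, and only the write-plus-SetThreadContext pair on a direct child is scored.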
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 157B
MD5: b03159f96ccac2ce831bdb56b8d4fa0f
SHA1: 575391e3af00ffe0b31e5fafadb8b0d87609c94a
SHA256: c94041f2bd22f248f9bd175a089d9d8461af32add1fff5b8ce00816cce520d3c
SHA512: 889199d3e641bfcc15b2be03781196736538e7407e03eaeba0393226efea09983be622858c8bbc6f17997358aa42cd71bb81c3b82387164a78205a553a899be4
-
Filesize: 728KB (the source lists this same artifact 8 times)
MD5: 181e2f86c874a3edcd82334b239dfc3d
SHA1: b40d7334ff53659877bcebc164b56a2e93e5e1e8
SHA256: abad3a9b5c922eb738ba46c9f8fcb33a6b27aa85aac22fa7477cc589f0342d53
SHA512: c2124baf957a55807c9bc248ea5cef7e5bbe17468e3d08a8f69e7275451811b5b54fe32f56bcb560b6fbfdaed3657666773a409897d992ffefbab35ebc72cdbd
This 728KB artifact has the same size as the submitted sample but different hashes, so the dropped copy is not byte-identical to the parent; both hash sets belong in the indicator list, and a hash-only rule on the submitted file will miss the dropped stage.