Analysis
- max time kernel: 153s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 11/10/2022, 03:44

Static task: static1

Behavioral task: behavioral1
- Sample: 297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426.exe
- Resource: win10v2004-20220901-en
General
- Target: 297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426.exe
- Size: 381KB
- MD5: 546c072b018550f4d7d0906a680fd3c0
- SHA1: 7dd5804dc559699abc96d006c05579eed1f85abe
- SHA256: 297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426
- SHA512: 789263c911a0eb94de1125e3cb441476f25eb619d5d966781371e98695a523016c59766252cdd681f8f7bc085894a86213090a89ebf4dd6ef5a324db44fd5b57
- SSDEEP: 6144:+sf/8tS6zpoyWktBnmYAlcw0hvd96/LM69hMNyJwOm:+sX8AYFTtBmYKcD196/oySNyqOm
Malware Config
Extracted: darkcomet
- CC: 212.7.192.244:1337
- Mutex: DC_MUTEX-8DTXF5E
- gencode: lN8zNVYPTGKV
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Executes dropped EXE (3 IoCs)
  pid    Process
  576    297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426.exe
  920    tap.exe
  1168   tap.exe

- UPX-packed memory regions (yara rule: upx)
  resource
  behavioral1/memory/576-60-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/memory/576-62-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/memory/576-63-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/memory/576-67-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/memory/576-68-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/memory/576-71-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/memory/1520-101-0x0000000000400000-0x00000000004BB000-memory.dmp
  behavioral1/memory/1168-103-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/memory/1520-104-0x0000000000400000-0x00000000004BB000-memory.dmp
  behavioral1/memory/1520-105-0x0000000000400000-0x00000000004BB000-memory.dmp
  behavioral1/memory/1520-107-0x0000000000400000-0x00000000004BB000-memory.dmp
  behavioral1/memory/576-108-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/memory/1520-111-0x0000000000400000-0x00000000004BB000-memory.dmp
  behavioral1/memory/1520-112-0x0000000000400000-0x00000000004BB000-memory.dmp
  behavioral1/memory/1520-113-0x0000000000400000-0x00000000004BB000-memory.dmp
  behavioral1/memory/1168-114-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/memory/1520-115-0x0000000000400000-0x00000000004BB000-memory.dmp

- Loads dropped DLL (6 IoCs)
  pid    Process                                                                   count
  1976   297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426.exe     1
  576    297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426.exe     5

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description       ioc                                                                                                                                Process
  Key created       \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run                          reg.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\TapNet = "C:\\Users\\Admin\\AppData\\Roaming\\tapinterface\\tap.exe"   reg.exe

- Suspicious use of SetThreadContext (3 IoCs)
  description                           pid    Process                                                                   procid_target
  PID 1976 set thread context of 576    1976   297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426.exe     26
  PID 920 set thread context of 1168    920    tap.exe                                                                   31
  PID 920 set thread context of 1520    920    tap.exe                                                                   32

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                              pid    Process                                                                   count
  Token: SeShutdownPrivilege               1976   297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426.exe     6
  Token: SeShutdownPrivilege               920    tap.exe                                                                   6
  Token: SeDebugPrivilege                  1168   tap.exe                                                                   2
  Token: SeIncreaseQuotaPrivilege          1520   svchost.exe                                                               1
  Token: SeSecurityPrivilege               1520   svchost.exe                                                               1
  Token: SeTakeOwnershipPrivilege          1520   svchost.exe                                                               1
  Token: SeLoadDriverPrivilege             1520   svchost.exe                                                               1
  Token: SeSystemProfilePrivilege          1520   svchost.exe                                                               1
  Token: SeSystemtimePrivilege             1520   svchost.exe                                                               1
  Token: SeProfSingleProcessPrivilege      1520   svchost.exe                                                               1
  Token: SeIncBasePriorityPrivilege        1520   svchost.exe                                                               1
  Token: SeCreatePagefilePrivilege         1520   svchost.exe                                                               1
  Token: SeBackupPrivilege                 1520   svchost.exe                                                               1
  Token: SeRestorePrivilege                1520   svchost.exe                                                               1
  Token: SeShutdownPrivilege               1520   svchost.exe                                                               1
  Token: SeDebugPrivilege                  1520   svchost.exe                                                               1
  Token: SeSystemEnvironmentPrivilege      1520   svchost.exe                                                               1
  Token: SeChangeNotifyPrivilege           1520   svchost.exe                                                               1
  Token: SeRemoteShutdownPrivilege         1520   svchost.exe                                                               1
  Token: SeUndockPrivilege                 1520   svchost.exe                                                               1
  Token: SeManageVolumePrivilege           1520   svchost.exe                                                               1
  Token: SeImpersonatePrivilege            1520   svchost.exe                                                               1
  Token: SeCreateGlobalPrivilege           1520   svchost.exe                                                               1
  Token: 33                                1520   svchost.exe                                                               1
  Token: 34                                1520   svchost.exe                                                               1
  Token: 35                                1520   svchost.exe                                                               1
  Token: SeDebugPrivilege                  1168   tap.exe                                                                   27

- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid    Process
  1976   297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426.exe
  576    297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426.exe
  920    tap.exe
  1168   tap.exe
  1520   svchost.exe

- Suspicious use of WriteProcessMemory (36 IoCs)
  description                         pid    Process                                                                   procid_target   count
  PID 1976 wrote to memory of 576     1976   297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426.exe     26              8
  PID 576 wrote to memory of 812      576    297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426.exe     27              4
  PID 812 wrote to memory of 2020     812    cmd.exe                                                                   29              4
  PID 576 wrote to memory of 920      576    297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426.exe     30              4
  PID 920 wrote to memory of 1168     920    tap.exe                                                                   31              8
  PID 920 wrote to memory of 1520     920    tap.exe                                                                   32              8
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426.exe (PID 1976)
  command line: "C:\Users\Admin\AppData\Local\Temp\297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Temp\297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426.exe (PID 576)
    command line: "C:\Users\Admin\AppData\Local\Temp\297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\cmd.exe (PID 812)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RNBOW.bat" "
      - Suspicious use of WriteProcessMemory

      - [4] C:\Windows\SysWOW64\reg.exe (PID 2020)
        command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TapNet" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\tapinterface\tap.exe" /f
        - Adds Run key to start application

    - [3] C:\Users\Admin\AppData\Roaming\tapinterface\tap.exe (PID 920)
      command line: "C:\Users\Admin\AppData\Roaming\tapinterface\tap.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      - [4] C:\Users\Admin\AppData\Roaming\tapinterface\tap.exe (PID 1168)
        command line: "C:\Users\Admin\AppData\Roaming\tapinterface\tap.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

      - [4] C:\Windows\SysWOW64\svchost.exe (PID 1520)
        command line: "C:\Windows\system32\svchost.exe"
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426.exe
  Filesize: 381KB
  MD5: 546c072b018550f4d7d0906a680fd3c0
  SHA1: 7dd5804dc559699abc96d006c05579eed1f85abe
  SHA256: 297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426
  SHA512: 789263c911a0eb94de1125e3cb441476f25eb619d5d966781371e98695a523016c59766252cdd681f8f7bc085894a86213090a89ebf4dd6ef5a324db44fd5b57

- (path not recorded)
  Filesize: 144B
  MD5: 517aa80e282d1f1a3ea764d1a5f32ed8
  SHA1: 990331d6b551d436d81f5aac0914b7ed7fa51136
  SHA256: fc1c4d0d8ea5d27476e23c49b7dacd40cd9dac4763303ad838774984a2bdc81d
  SHA512: caf370281540e19a15ac5a44204788525fb181f714bf396af2fc3f717e80c132e55e0a0db82e230c8469c29c3ab49f3a697dbb85141201405334b5420540abc7

- (path not recorded)
  Filesize: 381KB
  MD5: 54c1b78ad08f7021e76f924b8566933a
  SHA1: 25c1d754c0013fc81a11075b64affef6950bc10a
  SHA256: 67f09ed3a7dec619a9ed55ce22fa4daaec96029d867418e1bed58c9e7d084489
  SHA512: 38b01ff6e2ccf24a06ad94a90e317f12b21836779568d83b6112f8233783fe6a3d4db1df60ac6c2a5e5738ce8baa84b00f689cb22a53a9414d3e359758bf462e
- \Users\Admin\AppData\Local\Temp\297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426.exe
  Filesize: 381KB
  MD5: 546c072b018550f4d7d0906a680fd3c0
  SHA1: 7dd5804dc559699abc96d006c05579eed1f85abe
  SHA256: 297e13b4ebfa037f39a01efecd32328bb5886e409cc754d0b8a712dad1f6c426
  SHA512: 789263c911a0eb94de1125e3cb441476f25eb619d5d966781371e98695a523016c59766252cdd681f8f7bc085894a86213090a89ebf4dd6ef5a324db44fd5b57