Analysis
- max time kernel: 153s
- max time network: 162s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 11/10/2022, 04:46
Static task: static1
Behavioral task: behavioral1
  Sample: 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe
  Resource: win10v2004-20220812-en
General
- Target: 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe
- Size: 436KB
- MD5: 74e09e6568f65ad52cbc96f72cb31400
- SHA1: e79c603182b1fd9d198247af00be9a3cefc51210
- SHA256: 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397
- SHA512: 78949f8598ce50b7bb355ed6b59f5b01124cef8ab2bae1bd6cabba6f6e4260a2511fef92060fb4b823e17c4040841994fe2547a89b76648724e7b52b5d78e364
- SSDEEP: 6144:6wItv0HIwLLFCWv4+C5/ZFD9UXOEPyHmKL9dE+OzhS6izw0oJlPg:63oOjLQV6HfE+Ozrizw5Jlo
Malware Config
Extracted
- Family: darkcomet
- Lul
- C2: grrr.no-ip.org:1604
- C2: morans.no-ip.biz:1604
- C2: morans.no-ip.org:1604
- Mutex: DC_MUTEX-0D8NNLE
- gencode: AmCYTKSaZjnL
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Executes dropped EXE (3 IoCs)
  pid 572 W7.exe
  pid 896 W7.exe
  pid 1480 W7.exe
- YARA rule matches (resource / rule, 10 IoCs)
  behavioral1/memory/1480-112-0x0000000000400000-0x00000000004B7000-memory.dmp upx
  behavioral1/memory/1480-115-0x0000000000400000-0x00000000004B7000-memory.dmp upx
  behavioral1/memory/1480-120-0x0000000000400000-0x00000000004B7000-memory.dmp upx
  behavioral1/memory/1480-117-0x0000000000400000-0x00000000004B7000-memory.dmp upx
  behavioral1/memory/1480-122-0x0000000000400000-0x00000000004B7000-memory.dmp upx
  behavioral1/memory/1480-124-0x0000000000400000-0x00000000004B7000-memory.dmp upx
  behavioral1/memory/1480-126-0x0000000000400000-0x00000000004B7000-memory.dmp upx
  behavioral1/memory/1480-127-0x0000000000400000-0x00000000004B7000-memory.dmp upx
  behavioral1/memory/1480-134-0x0000000000400000-0x00000000004B7000-memory.dmp upx
  behavioral1/memory/1480-135-0x0000000000400000-0x00000000004B7000-memory.dmp upx
- Loads dropped DLL (5 IoCs)
  pid 1324 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe
  pid 1324 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe
  pid 1324 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe
  pid 1324 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe
  pid 1324 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\W7.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\W7.exe" (reg.exe)
- Suspicious use of SetThreadContext (3 IoCs)
  PID 944 set thread context of 1324 | 944 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe | procid_target 27
  PID 572 set thread context of 896 | 572 W7.exe | procid_target 29
  PID 572 set thread context of 1480 | 572 W7.exe | procid_target 30
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
description pid Process Token: SeDebugPrivilege 896 W7.exe Token: SeIncreaseQuotaPrivilege 1480 W7.exe Token: SeSecurityPrivilege 1480 W7.exe Token: SeTakeOwnershipPrivilege 1480 W7.exe Token: SeLoadDriverPrivilege 1480 W7.exe Token: SeSystemProfilePrivilege 1480 W7.exe Token: SeSystemtimePrivilege 1480 W7.exe Token: SeProfSingleProcessPrivilege 1480 W7.exe Token: SeIncBasePriorityPrivilege 1480 W7.exe Token: SeCreatePagefilePrivilege 1480 W7.exe Token: SeBackupPrivilege 1480 W7.exe Token: SeRestorePrivilege 1480 W7.exe Token: SeShutdownPrivilege 1480 W7.exe Token: SeDebugPrivilege 1480 W7.exe Token: SeSystemEnvironmentPrivilege 1480 W7.exe Token: SeChangeNotifyPrivilege 1480 W7.exe Token: SeRemoteShutdownPrivilege 1480 W7.exe Token: SeUndockPrivilege 1480 W7.exe Token: SeManageVolumePrivilege 1480 W7.exe Token: SeImpersonatePrivilege 1480 W7.exe Token: SeCreateGlobalPrivilege 1480 W7.exe Token: 33 1480 W7.exe Token: 34 1480 W7.exe Token: 35 1480 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: 
SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe Token: SeDebugPrivilege 896 W7.exe -
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid 944 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe
  pid 1324 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe
  pid 572 W7.exe
  pid 896 W7.exe
  pid 1480 W7.exe
- Suspicious use of WriteProcessMemory (44 IoCs)
description pid Process procid_target PID 944 wrote to memory of 1324 944 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe 27 PID 944 wrote to memory of 1324 944 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe 27 PID 944 wrote to memory of 1324 944 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe 27 PID 944 wrote to memory of 1324 944 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe 27 PID 944 wrote to memory of 1324 944 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe 27 PID 944 wrote to memory of 1324 944 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe 27 PID 944 wrote to memory of 1324 944 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe 27 PID 944 wrote to memory of 1324 944 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe 27 PID 944 wrote to memory of 1324 944 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe 27 PID 1324 wrote to memory of 572 1324 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe 28 PID 1324 wrote to memory of 572 1324 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe 28 PID 1324 wrote to memory of 572 1324 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe 28 PID 1324 wrote to memory of 572 1324 06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe 28 PID 572 wrote to memory of 896 572 W7.exe 29 PID 572 wrote to memory of 896 572 W7.exe 29 PID 572 wrote to memory of 896 572 W7.exe 29 PID 572 wrote to memory of 896 572 W7.exe 29 PID 572 wrote to memory of 896 572 W7.exe 29 PID 572 wrote to memory of 896 572 W7.exe 29 PID 572 wrote to memory of 896 572 W7.exe 29 PID 572 wrote to memory of 896 572 W7.exe 29 PID 572 wrote to memory of 896 572 W7.exe 29 PID 572 wrote to memory of 1480 572 W7.exe 30 PID 572 wrote to memory of 1480 572 W7.exe 30 PID 572 wrote to memory of 1480 572 W7.exe 30 PID 572 
wrote to memory of 1480 572 W7.exe 30 PID 572 wrote to memory of 1480 572 W7.exe 30 PID 572 wrote to memory of 1480 572 W7.exe 30 PID 572 wrote to memory of 1480 572 W7.exe 30 PID 572 wrote to memory of 1480 572 W7.exe 30 PID 896 wrote to memory of 1936 896 W7.exe 31 PID 896 wrote to memory of 1936 896 W7.exe 31 PID 896 wrote to memory of 1936 896 W7.exe 31 PID 896 wrote to memory of 1936 896 W7.exe 31 PID 896 wrote to memory of 1936 896 W7.exe 31 PID 896 wrote to memory of 1936 896 W7.exe 31 PID 1936 wrote to memory of 1596 1936 bitsadmin.exe 33 PID 1936 wrote to memory of 1596 1936 bitsadmin.exe 33 PID 1936 wrote to memory of 1596 1936 bitsadmin.exe 33 PID 1936 wrote to memory of 1596 1936 bitsadmin.exe 33 PID 1596 wrote to memory of 1484 1596 cmd.exe 35 PID 1596 wrote to memory of 1484 1596 cmd.exe 35 PID 1596 wrote to memory of 1484 1596 cmd.exe 35 PID 1596 wrote to memory of 1484 1596 cmd.exe 35
Processes
[1] C:\Users\Admin\AppData\Local\Temp\06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe"
    PID: 944
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\06160291415e47db3c11816c825cf81e9d9b709b894342518f67ef52a9826397.exe"
      PID: 1324
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Windows\W7.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Windows\W7.exe"
        PID: 572
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\Windows\W7.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Windows\W7.exe"
          PID: 896
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\bitsadmin.exe
            Command line: "C:\Windows\system32\bitsadmin.exe"
            PID: 1936
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\MFUEM.bat" "
              PID: 1596
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "W7.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows\W7.exe" /f
                PID: 1484
                - Adds Run key to start application
      [4] C:\Users\Admin\AppData\Roaming\Windows\W7.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Windows\W7.exe"
          PID: 1480
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 138B
  MD5: 422f78c09d2fad901947aff10115e540
  SHA1: 5bc69f68c1d9d6cf46233349c4a5c2a7830592de
  SHA256: 4ff904ef2cb6d79403ff58feadb91372b4824c851073db1c0b80db53c6beaacd
  SHA512: a357b4f7335176150061ac6494e963575f77b3664c4d8b3561860dff7ecfbe4828c1c5feb6c03f5a69c886cfdfa7a2b69e1d199e976603bf62b9c2e11e234a3d
- Filesize: 436KB
  MD5: d6ad8646b9237750b612819494b04bc0
  SHA1: 2ad1cf8420648d1e663eec90016fdf02bc4c6c7c
  SHA256: bcf353ae39a5c4bb7660c7619fe8b4a6cdc24d4c8809289a4084a7bc859d0446
  SHA512: 798e3ab5f159a9b92541f29c62b487dab1ea4b6cde187f236ac35fc834a1d49ff75508a5f249fad806bd086fafdcf69b00e928227be82ead4eeccc9480e03b88