Analysis
max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2022, 06:27
Static task: static1
Behavioral task: behavioral1
Sample: e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe
Resource: win7-20220901-en
General
Target: e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe
Size: 323KB
MD5: 6055f395ae635cbc8a24ddbec0b5b98b
SHA1: 30267fe0676c3b0bd1a771c3b8633dab8bc7e66d
SHA256: e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180
SHA512: 135302c08388ef11b425917151f95056bd59733f37a84d809de66c97319124dabeb50058702b9a3e68865705ef9ee80e070273f7183be3d3799c9aeba7768982
SSDEEP: 6144:54BfhVeQU+OlJd3ZBmFT05EF5O+dDsXB2JASeJ1hbZOEzza:8LeQdOlredaEm+dYJhbI
Malware Config
Extracted
Family: darkcomet
Botnet: Nieuw
C2: aqo.no-ip.info:1605
Mutex: DC_MUTEX-F54S21D
Attributes:
  gencode: ENg71f44tjid
  install: false
  offline_keylogger: true
  persistence: false
Signatures

resource | yara_rule
behavioral1/memory/872-58-0x0000000000400000-0x00000000004BA000-memory.dmp | upx
behavioral1/memory/872-60-0x0000000000400000-0x00000000004BA000-memory.dmp | upx
behavioral1/memory/872-61-0x0000000000400000-0x00000000004BA000-memory.dmp | upx
behavioral1/memory/872-64-0x0000000000400000-0x00000000004BA000-memory.dmp | upx
behavioral1/memory/872-67-0x0000000000400000-0x00000000004BA000-memory.dmp | upx
behavioral1/memory/872-68-0x0000000000400000-0x00000000004BA000-memory.dmp | upx
behavioral1/memory/872-73-0x0000000000400000-0x00000000004BA000-memory.dmp | upx
behavioral1/memory/872-74-0x0000000000400000-0x00000000004BA000-memory.dmp | upx
behavioral1/memory/872-75-0x0000000000400000-0x00000000004BA000-memory.dmp | upx

Uses the VBS compiler for execution (1 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1244 set thread context of 872 | 1244 | e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe | 27

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (23 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 872 | vbc.exe
Token: SeSecurityPrivilege | 872 | vbc.exe
Token: SeTakeOwnershipPrivilege | 872 | vbc.exe
Token: SeLoadDriverPrivilege | 872 | vbc.exe
Token: SeSystemProfilePrivilege | 872 | vbc.exe
Token: SeSystemtimePrivilege | 872 | vbc.exe
Token: SeProfSingleProcessPrivilege | 872 | vbc.exe
Token: SeIncBasePriorityPrivilege | 872 | vbc.exe
Token: SeCreatePagefilePrivilege | 872 | vbc.exe
Token: SeBackupPrivilege | 872 | vbc.exe
Token: SeRestorePrivilege | 872 | vbc.exe
Token: SeShutdownPrivilege | 872 | vbc.exe
Token: SeDebugPrivilege | 872 | vbc.exe
Token: SeSystemEnvironmentPrivilege | 872 | vbc.exe
Token: SeChangeNotifyPrivilege | 872 | vbc.exe
Token: SeRemoteShutdownPrivilege | 872 | vbc.exe
Token: SeUndockPrivilege | 872 | vbc.exe
Token: SeManageVolumePrivilege | 872 | vbc.exe
Token: SeImpersonatePrivilege | 872 | vbc.exe
Token: SeCreateGlobalPrivilege | 872 | vbc.exe
Token: 33 | 872 | vbc.exe
Token: 34 | 872 | vbc.exe
Token: 35 | 872 | vbc.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
872 | vbc.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 1244 wrote to memory of 872 | 1244 | e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe | 27
PID 1244 wrote to memory of 872 | 1244 | e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe | 27
PID 1244 wrote to memory of 872 | 1244 | e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe | 27
PID 1244 wrote to memory of 872 | 1244 | e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe | 27
PID 1244 wrote to memory of 872 | 1244 | e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe | 27
PID 1244 wrote to memory of 872 | 1244 | e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe | 27
PID 1244 wrote to memory of 872 | 1244 | e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe | 27
PID 1244 wrote to memory of 872 | 1244 | e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe | 27
PID 1244 wrote to memory of 468 | 1244 | e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe | 28
PID 1244 wrote to memory of 468 | 1244 | e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe | 28
PID 1244 wrote to memory of 468 | 1244 | e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe | 28
PID 1244 wrote to memory of 468 | 1244 | e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe | 28
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe"
  PID: 1244
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    PID: 872
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  Depth 2: C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\UyRjQ.vbs"
    PID: 468
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 402B
MD5: eff7b7b249d68b6b5e35820a3dba3879
SHA1: ed0395da8a62572aba32740f4d09899eaca22eb0
SHA256: 82af7867bc976ee9af0107ccc5d20333b315ba43d6986c4b10eb3ac505492dd8
SHA512: 2f13dee7ab491a127a51d2f685091d1a66330df2e9daf874bc42ad013738789fa5ed47ef8ba93e8b261c7d3273f2d107acc8e461803a40a001a7201fec97017a