Analysis

max time kernel: 148s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2022, 06:14
Static task: static1
Behavioral task: behavioral1
Sample: fc785230d7610c48808ce0ca635ce4230b20984bb8068bd488b4efdadf40f64f.exe
Resource: win7-20220812-en
General

Target: fc785230d7610c48808ce0ca635ce4230b20984bb8068bd488b4efdadf40f64f.exe
Size: 454KB
MD5: 65a87dffa5617ef83fa7e82df1d57e20
SHA1: be61d5cf9783929a606c17c48144b9346c2b2dee
SHA256: fc785230d7610c48808ce0ca635ce4230b20984bb8068bd488b4efdadf40f64f
SHA512: 0828535c4678922fca86f861ea855efd7f418286d51431184ab1d896800f9f14db5be3058931ab77f182cb5bf77809fbcbe9fe7a7f8a7e246dae3c858bae877b
SSDEEP: 6144:Ahu69AOdMTj7ffR+iW9TaR9Do7o4SXqC0WcKk1CTcycicmyCNZQPX:AhnbUjDR+hso8DXqC0WH/TcTi94
Malware Config

Extracted: darkcomet
Guest16
108.212.228.172:1231
DC_MUTEX-Q5TS8CL
gencode: fCvTysMgftsM
install: false
offline_keylogger: true
persistence: false
Signatures

Executes dropped EXE (2 IoCs)
pid   Process
4380  help.exe
4944  help.exe

resource                                                                      yara_rule
behavioral2/memory/4944-138-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral2/memory/4944-140-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral2/memory/4944-142-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral2/memory/4944-144-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral2/memory/4944-145-0x0000000000400000-0x00000000004B7000-memory.dmp  upx

Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Windows\\InstallDir\\help.exe"  help.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Windows\\InstallDir\\help.exe"  help.exe

Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process   procid_target
PID 4380 set thread context of 4944  4380  help.exe  86

Drops file in Windows directory (3 IoCs)
description                   ioc                             Process
File opened for modification  C:\Windows\InstallDir           fc785230d7610c48808ce0ca635ce4230b20984bb8068bd488b4efdadf40f64f.exe
File created                  C:\Windows\InstallDir\help.exe  fc785230d7610c48808ce0ca635ce4230b20984bb8068bd488b4efdadf40f64f.exe
File opened for modification  C:\Windows\InstallDir\help.exe  fc785230d7610c48808ce0ca635ce4230b20984bb8068bd488b4efdadf40f64f.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs net.exe

Suspicious use of AdjustPrivilegeToken (24 IoCs)
description                             pid   Process
Token: SeIncreaseQuotaPrivilege         4944  help.exe
Token: SeSecurityPrivilege              4944  help.exe
Token: SeTakeOwnershipPrivilege         4944  help.exe
Token: SeLoadDriverPrivilege            4944  help.exe
Token: SeSystemProfilePrivilege         4944  help.exe
Token: SeSystemtimePrivilege            4944  help.exe
Token: SeProfSingleProcessPrivilege     4944  help.exe
Token: SeIncBasePriorityPrivilege       4944  help.exe
Token: SeCreatePagefilePrivilege        4944  help.exe
Token: SeBackupPrivilege                4944  help.exe
Token: SeRestorePrivilege               4944  help.exe
Token: SeShutdownPrivilege              4944  help.exe
Token: SeDebugPrivilege                 4944  help.exe
Token: SeSystemEnvironmentPrivilege     4944  help.exe
Token: SeChangeNotifyPrivilege          4944  help.exe
Token: SeRemoteShutdownPrivilege        4944  help.exe
Token: SeUndockPrivilege                4944  help.exe
Token: SeManageVolumePrivilege          4944  help.exe
Token: SeImpersonatePrivilege           4944  help.exe
Token: SeCreateGlobalPrivilege          4944  help.exe
Token: 33                               4944  help.exe
Token: 34                               4944  help.exe
Token: 35                               4944  help.exe
Token: 36                               4944  help.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
4944  help.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description                           pid   Process  procid_target
PID 4240 wrote to memory of 4380      4240  fc785230d7610c48808ce0ca635ce4230b20984bb8068bd488b4efdadf40f64f.exe  84
PID 4240 wrote to memory of 4380      4240  fc785230d7610c48808ce0ca635ce4230b20984bb8068bd488b4efdadf40f64f.exe  84
PID 4240 wrote to memory of 4380      4240  fc785230d7610c48808ce0ca635ce4230b20984bb8068bd488b4efdadf40f64f.exe  84
PID 4380 wrote to memory of 2888      4380  help.exe  85
PID 4380 wrote to memory of 2888      4380  help.exe  85
PID 4380 wrote to memory of 2888      4380  help.exe  85
PID 4380 wrote to memory of 4944      4380  help.exe  86
PID 4380 wrote to memory of 4944      4380  help.exe  86
PID 4380 wrote to memory of 4944      4380  help.exe  86
PID 4380 wrote to memory of 4944      4380  help.exe  86
PID 4380 wrote to memory of 4944      4380  help.exe  86
PID 4380 wrote to memory of 4944      4380  help.exe  86
PID 4380 wrote to memory of 4944      4380  help.exe  86
PID 4380 wrote to memory of 4944      4380  help.exe  86
PID 2888 wrote to memory of 224       2888  cmd.exe   88
PID 2888 wrote to memory of 224       2888  cmd.exe   88
PID 2888 wrote to memory of 224       2888  cmd.exe   88
PID 224 wrote to memory of 2324       224   net.exe   89
PID 224 wrote to memory of 2324       224   net.exe   89
PID 224 wrote to memory of 2324       224   net.exe   89
Processes

C:\Users\Admin\AppData\Local\Temp\fc785230d7610c48808ce0ca635ce4230b20984bb8068bd488b4efdadf40f64f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fc785230d7610c48808ce0ca635ce4230b20984bb8068bd488b4efdadf40f64f.exe"
  PID: 4240
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\InstallDir\help.exe
    command line: C:\Windows\InstallDir\help.exe
    PID: 4380
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c net stop MpsSvc
      PID: 2888
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe
        command line: net stop MpsSvc
        PID: 224
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop MpsSvc
          PID: 2324

    C:\Windows\InstallDir\help.exe
      command line: C:\Windows\InstallDir\help.exe
      PID: 4944
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 454KB
MD5: 65a87dffa5617ef83fa7e82df1d57e20
SHA1: be61d5cf9783929a606c17c48144b9346c2b2dee
SHA256: fc785230d7610c48808ce0ca635ce4230b20984bb8068bd488b4efdadf40f64f
SHA512: 0828535c4678922fca86f861ea855efd7f418286d51431184ab1d896800f9f14db5be3058931ab77f182cb5bf77809fbcbe9fe7a7f8a7e246dae3c858bae877b