Analysis
Max time kernel: 175s
Max time network: 196s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13-10-2022 12:38
Static task: static1
Behavioral task: behavioral1
  Sample: DRVHDD.EXE.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: DRVHDD.EXE.exe
  Resource: win10v2004-20220812-en
General
Target: DRVHDD.EXE.exe
Size: 621KB
MD5: ca7c02df3ed08ea9cab8da59f1e5bd8d
SHA1: 97eb40ea42e9c3b531a70bc298fece3885f59e3f
SHA256: 4ad0cac19bc9ebbdfc08c8440d4d5a7da007ddc252b15fc0c536476917bb6532
SHA512: dd65d2213a8229d8ff475194235f5662278e235eda7aedd141d524ce94d6206ed14ed5ff78b251ea2abab5f04d8751f0301c5a011cf868bed1aa812b4c28e8e5
SSDEEP: 12288:zPdlIazoZLq2wHCRzwR/NlljwYWRyDnGVZu0+O:jd+aEZeLHkUR/NjMYzDGLu0n
Malware Config
Extracted
Family: darkcomet
Botnet: New-July-July4-0
C2: 45.74.4.244:35800
Mutex: DC_MUTEX-RT27KF0
Attributes:
  gencode: cKUHbX2GsGhs
  install: false
  offline_keylogger: true
  password: hhhhhh
  persistence: false
Signatures

Drops file in Drivers directory (1 IoC)
  Process: DRVHDD.EXE.exe
  File opened for modification: C:\Windows\system32\drivers\etc\hosts

YARA rule matches (rule: upx)
  Resources:
  - behavioral2/memory/3024-146-0x0000000000400000-0x00000000004B7000-memory.dmp
  - behavioral2/memory/3024-147-0x0000000000400000-0x00000000004B7000-memory.dmp
  - behavioral2/memory/3024-148-0x0000000000400000-0x00000000004B7000-memory.dmp
  - behavioral2/memory/3024-149-0x0000000000400000-0x00000000004B7000-memory.dmp
  - behavioral2/memory/3024-150-0x0000000000400000-0x00000000004B7000-memory.dmp
  - behavioral2/memory/3024-151-0x0000000000400000-0x00000000004B7000-memory.dmp
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: DRVHDD.EXE.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Suspicious use of SetThreadContext (1 IoC)
  PID 4948 (DRVHDD.EXE.exe) set thread context of PID 3024 (DRVHDD.EXE.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 2596 powershell.exe (2 events)
  PID 4948 DRVHDD.EXE.exe (2 events)
Suspicious use of AdjustPrivilegeToken (26 IoCs)
  PID 2596 powershell.exe: SeDebugPrivilege
  PID 4948 DRVHDD.EXE.exe: SeDebugPrivilege
  PID 3024 DRVHDD.EXE.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3024 DRVHDD.EXE.exe
Suspicious use of WriteProcessMemory (10 IoCs)
  PID 4948 (DRVHDD.EXE.exe) wrote to memory of PID 2596 (powershell.exe): 3 events
  PID 4948 (DRVHDD.EXE.exe) wrote to memory of PID 3024 (DRVHDD.EXE.exe): 7 events
Processes

C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE.exe (PID 4948, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2596, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
    Decoded -enc argument (base64 of UTF-16LE): Start-Sleep -Seconds 20
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE.exe (PID 3024, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\DRVHDD.EXE.exe
    - Drops file in Drivers directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx