Analysis
- max time kernel: 153s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
- submitted: 13-10-2022 18:09
Behavioral task: behavioral1
- Sample: d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
- Resource: win7-20220812-en
General
- Target: d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
- Size: 283KB
- MD5: 78827ea6267d6e13deeaabf83c564a30
- SHA1: 358f5b6da89fce5b40bb656f04e96ac9beaa6793
- SHA256: d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e
- SHA512: 3588556725d823cb38fd497cea795b9b35a8b0e1e15e0472265bb7060d344b4aaae3d1162e7fcb1ef90da8d2208e29d0853f31f07af4ad48e5e4560cd7010d74
- SSDEEP: 6144:FcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37C:FcW7KEZlPzCy37C
Malware Config
Extracted
- Family: darkcomet
- Botnet: Hack
- C2: slimeftp.ddns.net:1604
- Mutex: DC_MUTEX-QPDTQVV
- InstallPath: friedhost.exe
- gencode: N9ngM7z9Ub0y
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: friedhost.exe
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\friedhost.exe" | d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
-
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: friedhost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | friedhost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | friedhost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | friedhost.exe
-
Modifies security service (2 TTPs, 1 IoCs)
Processes: friedhost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | friedhost.exe
-
Windows security bypass
Processes: friedhost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | friedhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | friedhost.exe
-
Disables RegEdit via registry modification (1 IoCs)
Processes: friedhost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | friedhost.exe
-
Disables Task Manager via registry modification
-
Executes dropped EXE (1 IoCs)
Processes: friedhost.exe
pid | process
1076 | friedhost.exe
-
Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
pid | process
840 | attrib.exe
1044 | attrib.exe
-
Processes:
resource | yara_rule
behavioral1/memory/1980-55-0x0000000000400000-0x00000000004C7000-memory.dmp | upx
\Users\Admin\AppData\Roaming\friedhost.exe | upx
\Users\Admin\AppData\Roaming\friedhost.exe | upx
C:\Users\Admin\AppData\Roaming\friedhost.exe | upx
C:\Users\Admin\AppData\Roaming\friedhost.exe | upx
behavioral1/memory/1076-69-0x0000000000400000-0x00000000004C7000-memory.dmp | upx
behavioral1/memory/1980-70-0x0000000000400000-0x00000000004C7000-memory.dmp | upx
behavioral1/memory/1076-71-0x0000000000400000-0x00000000004C7000-memory.dmp | upx
-
Loads dropped DLL (2 IoCs)
Processes: d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
pid | process
1980 | d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
1980 | d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
-
Windows security modification
Processes: friedhost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | friedhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | friedhost.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\friedhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\friedhost.exe" | d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe (pid 1980), friedhost.exe (pid 1076)
Both processes adjust the same 23 privileges on their token (23 IoCs each):
- Token: SeIncreaseQuotaPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeChangeNotifyPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeManageVolumePrivilege
- Token: SeImpersonatePrivilege
- Token: SeCreateGlobalPrivilege
- Token: 33
- Token: 34
- Token: 35
-
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: friedhost.exe
pid | process
1076 | friedhost.exe
-
Suspicious use of WriteProcessMemory (43 IoCs)
Processes: d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe, cmd.exe, cmd.exe, friedhost.exe
Repeated identical writes are grouped; the count column gives how many times each one was recorded.
count | description | pid | process | target process
4 | PID 1980 wrote to memory of 1296 | 1980 | d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe | cmd.exe
4 | PID 1980 wrote to memory of 1252 | 1980 | d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe | cmd.exe
4 | PID 1296 wrote to memory of 840 | 1296 | cmd.exe | attrib.exe
4 | PID 1252 wrote to memory of 1044 | 1252 | cmd.exe | attrib.exe
4 | PID 1980 wrote to memory of 1076 | 1980 | d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe | friedhost.exe
23 | PID 1076 wrote to memory of 520 | 1076 | friedhost.exe | notepad.exe
-
System policy modification (1 TTPs, 3 IoCs)
Processes: friedhost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | friedhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | friedhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | friedhost.exe
-
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes: attrib.exe, attrib.exe
pid | process
840 | attrib.exe
1044 | attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe"
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe" +s +h
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\attrib.exe
            command line: attrib "C:\Users\Admin\AppData\Local\Temp\d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe" +s +h
            - Sets file to hidden
            - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\attrib.exe
            command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            - Sets file to hidden
            - Views/modifies file attributes
    C:\Users\Admin\AppData\Roaming\friedhost.exe
        command line: "C:\Users\Admin\AppData\Roaming\friedhost.exe"
        - Modifies firewall policy service
        - Modifies security service
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Windows\SysWOW64\notepad.exe
            command line: notepad
Downloads
-
C:\Users\Admin\AppData\Roaming\friedhost.exe
- Filesize: 283KB
- MD5: 78827ea6267d6e13deeaabf83c564a30
- SHA1: 358f5b6da89fce5b40bb656f04e96ac9beaa6793
- SHA256: d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e
- SHA512: 3588556725d823cb38fd497cea795b9b35a8b0e1e15e0472265bb7060d344b4aaae3d1162e7fcb1ef90da8d2208e29d0853f31f07af4ad48e5e4560cd7010d74