Analysis
- max time kernel: 152s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-10-2022 18:09
Behavioral task: behavioral1
- Sample: d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
- Resource: win7-20220812-en
General
- Target: d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
- Size: 283KB
- MD5: 78827ea6267d6e13deeaabf83c564a30
- SHA1: 358f5b6da89fce5b40bb656f04e96ac9beaa6793
- SHA256: d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e
- SHA512: 3588556725d823cb38fd497cea795b9b35a8b0e1e15e0472265bb7060d344b4aaae3d1162e7fcb1ef90da8d2208e29d0853f31f07af4ad48e5e4560cd7010d74
- SSDEEP: 6144:FcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37C:FcW7KEZlPzCy37C
Malware Config
Extracted
- Family: darkcomet
- Botnet: Hack
- C2: slimeftp.ddns.net:1604
- Mutex: DC_MUTEX-QPDTQVV
- InstallPath: friedhost.exe
- gencode: N9ngM7z9Ub0y
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: friedhost.exe
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\friedhost.exe"
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process: friedhost.exe
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Modifies security service (2 TTPs, 1 IoC)
  Process: friedhost.exe
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
- Windows security bypass
  Process: friedhost.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Disables RegEdit via registry modification (1 IoC)
  Process: friedhost.exe
  - Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- Disables Task Manager via registry modification
- Executes dropped EXE (1 IoC)
  - PID 4668: friedhost.exe
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  - PID 3288: attrib.exe
  - PID 3364: attrib.exe
- YARA rule matches (rule: upx)
  - behavioral2/memory/1972-132-0x0000000000400000-0x00000000004C7000-memory.dmp: upx
  - C:\Users\Admin\AppData\Roaming\friedhost.exe: upx
  - C:\Users\Admin\AppData\Roaming\friedhost.exe: upx
  - behavioral2/memory/4668-141-0x0000000000400000-0x00000000004C7000-memory.dmp: upx
  - behavioral2/memory/1972-142-0x0000000000400000-0x00000000004C7000-memory.dmp: upx
  - behavioral2/memory/4668-143-0x0000000000400000-0x00000000004C7000-memory.dmp: upx
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
  - Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
- Windows security modification
  Process: friedhost.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\friedhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\friedhost.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Both processes enabled the same 24 token privileges:
  - PID 1972 (d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  - PID 4668 (friedhost.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 4668: friedhost.exe
- Suspicious use of WriteProcessMemory (37 IoCs)
  Source PID (process) -> target PID (process), number of writes:
  - 1972 (d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe) -> 1668 (cmd.exe), 3 writes
  - 1972 (d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe) -> 4684 (cmd.exe), 3 writes
  - 1972 (d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe) -> 4668 (friedhost.exe), 3 writes
  - 1668 (cmd.exe) -> 3288 (attrib.exe), 3 writes
  - 4684 (cmd.exe) -> 3364 (attrib.exe), 3 writes
  - 4668 (friedhost.exe) -> 4720 (notepad.exe), 22 writes
- System policy modification (1 TTP, 3 IoCs)
  Process: friedhost.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
- Views/modifies file attributes (1 TTP, 2 IoCs)
  - PID 3288: attrib.exe
  - PID 3364: attrib.exe
Processes (indented by process-tree depth)
- C:\Users\Admin\AppData\Local\Temp\d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Users\Admin\AppData\Roaming\friedhost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\friedhost.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Downloads
- C:\Users\Admin\AppData\Roaming\friedhost.exe
  Filesize: 283KB
  MD5: 78827ea6267d6e13deeaabf83c564a30
  SHA1: 358f5b6da89fce5b40bb656f04e96ac9beaa6793
  SHA256: d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e
  SHA512: 3588556725d823cb38fd497cea795b9b35a8b0e1e15e0472265bb7060d344b4aaae3d1162e7fcb1ef90da8d2208e29d0853f31f07af4ad48e5e4560cd7010d74
- C:\Users\Admin\AppData\Roaming\friedhost.exe
  Filesize: 283KB
  MD5: 78827ea6267d6e13deeaabf83c564a30
  SHA1: 358f5b6da89fce5b40bb656f04e96ac9beaa6793
  SHA256: d13019a4b6cadfe2158c2d5618a5138bf83575bd93899ab4539a219b7313e50e
  SHA512: 3588556725d823cb38fd497cea795b9b35a8b0e1e15e0472265bb7060d344b4aaae3d1162e7fcb1ef90da8d2208e29d0853f31f07af4ad48e5e4560cd7010d74
- memory/1668-133-0x0000000000000000-mapping.dmp
- memory/1972-132-0x0000000000400000-0x00000000004C7000-memory.dmp
  Filesize: 796KB
- memory/1972-142-0x0000000000400000-0x00000000004C7000-memory.dmp
  Filesize: 796KB
- memory/3288-138-0x0000000000000000-mapping.dmp
- memory/3364-139-0x0000000000000000-mapping.dmp
- memory/4668-135-0x0000000000000000-mapping.dmp
- memory/4668-141-0x0000000000400000-0x00000000004C7000-memory.dmp
  Filesize: 796KB
- memory/4668-143-0x0000000000400000-0x00000000004C7000-memory.dmp
  Filesize: 796KB
- memory/4684-134-0x0000000000000000-mapping.dmp
- memory/4720-140-0x0000000000000000-mapping.dmp