Analysis
max time kernel: 149s
max time network: 154s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 19/10/2022, 13:08
Static task: static1
Behavioral task: behavioral1
  Sample: 4d4ca606e35160ef23c9a396bc1758fbcddd0e56f94d4b2c0ba41d70d9e5740f.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 4d4ca606e35160ef23c9a396bc1758fbcddd0e56f94d4b2c0ba41d70d9e5740f.exe
  Resource: win10v2004-20220901-en
General
Target: 4d4ca606e35160ef23c9a396bc1758fbcddd0e56f94d4b2c0ba41d70d9e5740f.exe
Size: 952KB
MD5: 922f4b905a3be7b8d48ad90f72673050
SHA1: ea6c6fee64a8c52b711ea0d2bc4070674c8f9b8a
SHA256: 4d4ca606e35160ef23c9a396bc1758fbcddd0e56f94d4b2c0ba41d70d9e5740f
SHA512: fa85db160ae4c628466cee3333f2698854f3c7cbe8f053ac30ec7b4c61f223b0833da12ae5704c3fdb6d745b5143c0742b0b87ac9acd8fad1de4521429cac9d3
SSDEEP: 12288:byyy7Z3z4I8NXOGjwwG/ZjXsAHHz79p9NM5Tz103j2CF4TxQUOfhVPOSAE//VAci:baCI2OewFJN4mkxyHnnew1SatLRzD
Malware Config
Extracted
Family: darkcomet
Botnet: 010
C2: shades.no-ip.org:1604
Mutex: DC_MUTEX-DA5KEY9
Attributes:
  gencode: vdj7j58DDDAn
  install: false
  offline_keylogger: true
  persistence: false
Signatures

Executes dropped EXE (3 IoCs)
pid | Process
884 | micoffice.exe
1644 | micoffice.exe
920 | micoffice.exe

resource | yara_rule
behavioral1/memory/1200-59-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/1200-61-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/1200-62-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/1200-65-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/1200-66-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/1200-69-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/1200-115-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/1644-121-0x0000000000400000-0x000000000040B000-memory.dmp | upx

Loads dropped DLL (5 IoCs)
pid | Process
1200 | 4d4ca606e35160ef23c9a396bc1758fbcddd0e56f94d4b2c0ba41d70d9e5740f.exe
1200 | 4d4ca606e35160ef23c9a396bc1758fbcddd0e56f94d4b2c0ba41d70d9e5740f.exe
1200 | 4d4ca606e35160ef23c9a396bc1758fbcddd0e56f94d4b2c0ba41d70d9e5740f.exe
1200 | 4d4ca606e35160ef23c9a396bc1758fbcddd0e56f94d4b2c0ba41d70d9e5740f.exe
1200 | 4d4ca606e35160ef23c9a396bc1758fbcddd0e56f94d4b2c0ba41d70d9e5740f.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\msoffice = "C:\\Users\\Admin\\AppData\\Roaming\\MicrosoftOffice\\micoffice.exe" | reg.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 1740 set thread context of 1200 | 1740 | 4d4ca606e35160ef23c9a396bc1758fbcddd0e56f94d4b2c0ba41d70d9e5740f.exe | 27
PID 884 set thread context of 1644 | 884 | micoffice.exe | 32
PID 884 set thread context of 920 | 884 | micoffice.exe | 33

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of SetWindowsHookEx (5 IoCs)
pid | Process
1740 | 4d4ca606e35160ef23c9a396bc1758fbcddd0e56f94d4b2c0ba41d70d9e5740f.exe
1200 | 4d4ca606e35160ef23c9a396bc1758fbcddd0e56f94d4b2c0ba41d70d9e5740f.exe
884 | micoffice.exe
1644 | micoffice.exe
920 | micoffice.exe

Suspicious use of WriteProcessMemory (41 IoCs)
Processes

(level 1) C:\Users\Admin\AppData\Local\Temp\4d4ca606e35160ef23c9a396bc1758fbcddd0e56f94d4b2c0ba41d70d9e5740f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d4ca606e35160ef23c9a396bc1758fbcddd0e56f94d4b2c0ba41d70d9e5740f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1740

  (level 2) C:\Users\Admin\AppData\Local\Temp\4d4ca606e35160ef23c9a396bc1758fbcddd0e56f94d4b2c0ba41d70d9e5740f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4d4ca606e35160ef23c9a396bc1758fbcddd0e56f94d4b2c0ba41d70d9e5740f.exe"
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1200

    (level 3) C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ITYVJ.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 536

      (level 4) C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "msoffice" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe" /f
        - Adds Run key to start application
        PID: 572

    (level 3) C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe
      Command line: "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 884

      (level 4) C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe
        Command line: "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 1644

      (level 4) C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe
        Command line: "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 920
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 155B
MD5: f07b93136766adced3c6f0d74d869da0
SHA1: 787c530f33687d758b41295e01d7a9a1bba3a467
SHA256: cd603067047c028fe12d4b099d13b3681dd698d25bc32474184e9d8edd3ed701
SHA512: 050105a5f14939a37f653421b24959cc90cb082b20df5bb1a81335fd0ad5e70c740b43f1d6df0fc7324551425894668acc3af0c533c7d90ff149d84e844c2d10

Filesize: 952KB
MD5: b0854ce2dd390e7824e0cf92df73923e
SHA1: 257a4de4f2c89e000bc8211158d5e96ddd70acff
SHA256: 6137b32220d18ad7b2a1edd568f1697022687cc40c40c32945d41acb2286d381
SHA512: 4118fdd3da61b38629331600cec3643c395b9d4d41d553e00a6a6777632ec4368df49c6db8233b97b0430cc00a220323197c17903e5470be17bf6d1e19e9e555