Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 19/10/2022, 13:08
Static task: static1
Behavioral task: behavioral1
- Sample: 38fe0f23f3ceeca17a13a952f9b6b72b6e3dd64c42e67786732258f0cd35074f.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 38fe0f23f3ceeca17a13a952f9b6b72b6e3dd64c42e67786732258f0cd35074f.exe
- Resource: win10v2004-20220812-en
General
- Target: 38fe0f23f3ceeca17a13a952f9b6b72b6e3dd64c42e67786732258f0cd35074f.exe
- Size: 952KB
- MD5: 81aede4eb24d420a6b7a2943786cf620
- SHA1: 83ce725227bb89aefecf2e4c084d1b111bd78347
- SHA256: 38fe0f23f3ceeca17a13a952f9b6b72b6e3dd64c42e67786732258f0cd35074f
- SHA512: 71dac65caf8ad2c9fb195678776a90db44b58be4a58fceedf2d94953055cbd526a5e7c7dd829335e6c193ba9da31b491f18ee380ed9c130c7e15698f0f8498f1
- SSDEEP: 12288:byyy7Z3z4I8NXOGjwwG/ZjXsAHHz79p9NM5Tz103j2CF4TxQUOfhVPOSAE//VAci:baCI2OewFJN4mkxyHnnew1SatLRzD
Malware Config
Extracted
- Family: darkcomet
- 010
- C2: shades.no-ip.org:1604
- Mutex: DC_MUTEX-DA5KEY9
- gencode: vdj7j58DDDAn
- install: false
- offline_keylogger: true
- persistence: false
Signatures

Executes dropped EXE (3 IoCs)
- pid 1664, micoffice.exe
- pid 1768, micoffice.exe
- pid 1164, micoffice.exe

YARA rule matches (resource, yara_rule)
- behavioral1/memory/1172-62-0x0000000000400000-0x000000000040B000-memory.dmp, upx
- behavioral1/memory/1172-61-0x0000000000400000-0x000000000040B000-memory.dmp, upx
- behavioral1/memory/1172-59-0x0000000000400000-0x000000000040B000-memory.dmp, upx
- behavioral1/memory/1172-65-0x0000000000400000-0x000000000040B000-memory.dmp, upx
- behavioral1/memory/1172-66-0x0000000000400000-0x000000000040B000-memory.dmp, upx
- behavioral1/memory/1172-69-0x0000000000400000-0x000000000040B000-memory.dmp, upx
- behavioral1/memory/1172-116-0x0000000000400000-0x000000000040B000-memory.dmp, upx
- behavioral1/memory/1768-121-0x0000000000400000-0x000000000040B000-memory.dmp, upx

Loads dropped DLL (5 IoCs)
- pid 1172, 38fe0f23f3ceeca17a13a952f9b6b72b6e3dd64c42e67786732258f0cd35074f.exe (5 identical entries)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\msoffice = "C:\\Users\\Admin\\AppData\\Roaming\\MicrosoftOffice\\micoffice.exe" (process: reg.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: reg.exe)

Suspicious use of SetThreadContext (3 IoCs)
- PID 1212 set thread context of 1172 (38fe0f23f3ceeca17a13a952f9b6b72b6e3dd64c42e67786732258f0cd35074f.exe, procid_target 28)
- PID 1664 set thread context of 1768 (micoffice.exe, procid_target 33)
- PID 1664 set thread context of 1164 (micoffice.exe, procid_target 34)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- pid 1164, micoffice.exe (23 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- pid 1768, micoffice.exe (41 entries): SeDebugPrivilege

Suspicious use of SetWindowsHookEx (5 IoCs)
- pid 1212, 38fe0f23f3ceeca17a13a952f9b6b72b6e3dd64c42e67786732258f0cd35074f.exe
- pid 1172, 38fe0f23f3ceeca17a13a952f9b6b72b6e3dd64c42e67786732258f0cd35074f.exe
- pid 1664, micoffice.exe
- pid 1768, micoffice.exe
- pid 1164, micoffice.exe

Suspicious use of WriteProcessMemory (41 IoCs)
- PID 1212 wrote to memory of 1172 (38fe0f23f3ceeca17a13a952f9b6b72b6e3dd64c42e67786732258f0cd35074f.exe, procid_target 28): 8 entries
- PID 1172 wrote to memory of 1704 (38fe0f23f3ceeca17a13a952f9b6b72b6e3dd64c42e67786732258f0cd35074f.exe, procid_target 29): 4 entries
- PID 1704 wrote to memory of 1588 (cmd.exe, procid_target 31): 4 entries
- PID 1172 wrote to memory of 1664 (38fe0f23f3ceeca17a13a952f9b6b72b6e3dd64c42e67786732258f0cd35074f.exe, procid_target 32): 4 entries
- PID 1664 wrote to memory of 1768 (micoffice.exe, procid_target 33): 8 entries
- PID 1664 wrote to memory of 1164 (micoffice.exe, procid_target 34): 13 entries
Processes
- Process: C:\Users\Admin\AppData\Local\Temp\38fe0f23f3ceeca17a13a952f9b6b72b6e3dd64c42e67786732258f0cd35074f.exe (PID 1212)
  Command line: "C:\Users\Admin\AppData\Local\Temp\38fe0f23f3ceeca17a13a952f9b6b72b6e3dd64c42e67786732258f0cd35074f.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - Process: C:\Users\Admin\AppData\Local\Temp\38fe0f23f3ceeca17a13a952f9b6b72b6e3dd64c42e67786732258f0cd35074f.exe (PID 1172)
    Command line: "C:\Users\Admin\AppData\Local\Temp\38fe0f23f3ceeca17a13a952f9b6b72b6e3dd64c42e67786732258f0cd35074f.exe"
    Signatures: Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - Process: C:\Windows\SysWOW64\cmd.exe (PID 1704)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XOLGV.bat" "
      Signatures: Suspicious use of WriteProcessMemory
      - Process: C:\Windows\SysWOW64\reg.exe (PID 1588)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "msoffice" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe" /f
        Signatures: Adds Run key to start application
    - Process: C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe (PID 1664)
      Command line: "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - Process: C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe (PID 1768)
        Command line: "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe"
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      - Process: C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe (PID 1164)
        Command line: "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe"
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 155B
  MD5: f07b93136766adced3c6f0d74d869da0
  SHA1: 787c530f33687d758b41295e01d7a9a1bba3a467
  SHA256: cd603067047c028fe12d4b099d13b3681dd698d25bc32474184e9d8edd3ed701
  SHA512: 050105a5f14939a37f653421b24959cc90cb082b20df5bb1a81335fd0ad5e70c740b43f1d6df0fc7324551425894668acc3af0c533c7d90ff149d84e844c2d10
- Filesize: 952KB (this entry appears nine times in the report with identical hashes)
  MD5: 9af6bd730a1622e152701d2658ddd665
  SHA1: f6390bb376182f18b40311273d7c0a7b4ccdfb68
  SHA256: e46071299afbabb1cad1d8b2cda05cd83f320e905e787495f577bcb0bf61c88b
  SHA512: 575b75a34aa7ab015db7f75dc99e3cc60412cde7e8e365f7e6dd759351229faa560733382c7e838be39b94cd84dbc94818005af62b86724e58ed3f7e4ba79cec