Analysis
max time kernel: 152s
max time network: 167s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 19/10/2022, 15:03
Static task: static1
Behavioral task: behavioral1
  Sample: bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706.exe
  Resource: win10v2004-20220812-en
General
Target: bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706.exe
Size: 381KB
MD5: 83003c24123609acdec44b1263f6d66d
SHA1: 7154c1219a0b151051d930c6cc2063a170425d18
SHA256: bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706
SHA512: 7f562d8bde844bc153e1743487c7594c520a2e44b3d732472a140af534c2b68dea4f18144c893196267ff81d22f13c4e6abc7112a27540324ede6ff61054f535
SSDEEP: 6144:Gsf/8tS6zpoyWktBnmYAlcw0hvd96/LM69hMNyJwO6:GsX8AYFTtBmYKcD196/oySNyqO6
Malware Config
Extracted family: darkcomet
CC: 212.7.192.244:1337
mutex: DC_MUTEX-8DTXF5E
gencode: lN8zNVYPTGKV
install: false
offline_keylogger: true
persistence: false
Signatures

Executes dropped EXE (3 IoCs)
PID   Process
1600  bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706.exe
560   tap.exe
1536  tap.exe

yara rule match: upx (18 IoCs)
Resource
behavioral1/memory/1600-60-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/1600-62-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/1600-63-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/1600-67-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/1600-68-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/1600-71-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/1600-73-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/1536-101-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/1348-104-0x0000000000400000-0x00000000004BB000-memory.dmp
behavioral1/memory/1348-106-0x0000000000400000-0x00000000004BB000-memory.dmp
behavioral1/memory/1348-107-0x0000000000400000-0x00000000004BB000-memory.dmp
behavioral1/memory/1600-110-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/1348-109-0x0000000000400000-0x00000000004BB000-memory.dmp
behavioral1/memory/1348-112-0x0000000000400000-0x00000000004BB000-memory.dmp
behavioral1/memory/1348-113-0x0000000000400000-0x00000000004BB000-memory.dmp
behavioral1/memory/1348-114-0x0000000000400000-0x00000000004BB000-memory.dmp
behavioral1/memory/1536-115-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral1/memory/1348-116-0x0000000000400000-0x00000000004BB000-memory.dmp
Loads dropped DLL (6 IoCs)
PID   Process
1008  bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706.exe
1600  bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706.exe
1600  bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706.exe
1600  bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706.exe
1600  bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706.exe
1600  bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Description      IoC                                                                                                                        Process
Key created      \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run                 reg.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\TapNet = "C:\\Users\\Admin\\AppData\\Roaming\\tapinterface\\tap.exe"   reg.exe
Suspicious use of SetThreadContext (3 IoCs)
Description                          PID   Process                                                                  Target procid
PID 1008 set thread context of 1600  1008  bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706.exe    28
PID 560 set thread context of 1536   560   tap.exe                                                                  33
PID 560 set thread context of 1348   560   tap.exe                                                                  34
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of SetWindowsHookEx (5 IoCs)
PID   Process
1008  bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706.exe
1600  bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706.exe
560   tap.exe
1536  tap.exe
1348  svchost.exe
Suspicious use of WriteProcessMemory (36 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706.exe"
  PID: 1008
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706.exe"
    PID: 1600
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\GMRCA.bat" "
      PID: 1324
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TapNet" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\tapinterface\tap.exe" /f
        PID: 1456
        - Adds Run key to start application

    C:\Users\Admin\AppData\Roaming\tapinterface\tap.exe
      Command line: "C:\Users\Admin\AppData\Roaming\tapinterface\tap.exe"
      PID: 560
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\tapinterface\tap.exe
        Command line: "C:\Users\Admin\AppData\Roaming\tapinterface\tap.exe"
        PID: 1536
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\svchost.exe
        Command line: "C:\Windows\system32\svchost.exe"
        PID: 1348
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Downloads

(unnamed file)
Filesize: 144B
MD5: 517aa80e282d1f1a3ea764d1a5f32ed8
SHA1: 990331d6b551d436d81f5aac0914b7ed7fa51136
SHA256: fc1c4d0d8ea5d27476e23c49b7dacd40cd9dac4763303ad838774984a2bdc81d
SHA512: caf370281540e19a15ac5a44204788525fb181f714bf396af2fc3f717e80c132e55e0a0db82e230c8469c29c3ab49f3a697dbb85141201405334b5420540abc7

C:\Users\Admin\AppData\Local\Temp\bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706.exe
Filesize: 381KB
MD5: 83003c24123609acdec44b1263f6d66d
SHA1: 7154c1219a0b151051d930c6cc2063a170425d18
SHA256: bb7f3eda45f6778f485ba585195cad9cfd7535ea0d5ec26962abafe7034cb706
SHA512: 7f562d8bde844bc153e1743487c7594c520a2e44b3d732472a140af534c2b68dea4f18144c893196267ff81d22f13c4e6abc7112a27540324ede6ff61054f535

(unnamed file)
Filesize: 381KB
MD5: c11f85a2b0977f5d0cb82b54a931bdb0
SHA1: 0f17cebed26a4ab0c590aab40f87c6e60468eafd
SHA256: ee4f1ddecbfa190fe8bbf87bfa080752fd0ac3bfbdc0148d6f7a3b9b4672d493
SHA512: 8db757a469f6d191ddacf5fc81d04b4f5a9170005fb93a72b0c0d2daebbb3f86420b976cc47ced983710e63c78c4b5bbcd87fe8bb23e0a3d98f1b784fb548057