Analysis
-
max time kernel
151s
-
max time network
45s
-
platform
windows7_x64
-
resource
win7-20220812-en
-
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
-
submitted
19/10/2022, 16:21
Static task
static1
Behavioral task
behavioral1
Sample
8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Resource
win7-20220812-en
General
-
Target
8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
-
Size
349KB
-
MD5
a18f9185d5ebc3a0aa7806b19e7ff6c0
-
SHA1
c06b84b749a8e6c57651060c9f19572f4d9f5875
-
SHA256
8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134
-
SHA512
98ca350ab40187bd6c764cb7a9a9e18e30a56196d0f2be1f57ca417b1b8b865fd71fbc7150933a5ddb7069f969c8c5c1861d1d8225cfb7eef27ab5eeddc16eee
-
SSDEEP
6144:CqLzGyzpKalLBQmByTIRb5K+WrxJA6AIsPSBD3FvbXB7oOdvkoOgVQKMkXIzcQj:RphltQEI+Gc6ANP0d7bv65k4zcQj
Malware Config
Extracted
darkcomet
Guest16
127.0.0.1:1604
DC_MUTEX-YTGAJF9
-
InstallPath
steam.exe
-
gencode
nTQWxdykrfam
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
steam
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\steam.exe" | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
-
Executes dropped EXE 2 IoCs
pid | Process
1692 | steam.exe
1156 | steam.exe
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
1404 | attrib.exe
984 | attrib.exe
-
resource | yara_rule
behavioral1/memory/836-56-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/836-58-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/836-59-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/836-62-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/836-64-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/836-65-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/836-66-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/836-93-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/1156-94-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/1156-95-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
-
Deletes itself 1 IoCs
pid | Process
2024 | notepad.exe
-
Loads dropped DLL 2 IoCs
pid | Process
836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
-
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\steam = "C:\\Windows\\system32\\steam.exe" | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | steam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | steam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\steam = "C:\\Windows\\system32\\steam.exe" | steam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
-
Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\steam.exe | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
File opened for modification | C:\Windows\SysWOW64\steam.exe | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
File opened for modification | C:\Windows\SysWOW64\ | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
File opened for modification | C:\Windows\SysWOW64\steam.exe | steam.exe
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1840 set thread context of 836 | 1840 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 27
PID 1692 set thread context of 1156 | 1692 | steam.exe | 36
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1840 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
1692 | steam.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1156 | steam.exe
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeSecurityPrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeTakeOwnershipPrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeLoadDriverPrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeSystemProfilePrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeSystemtimePrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeProfSingleProcessPrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeIncBasePriorityPrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeCreatePagefilePrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeBackupPrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeRestorePrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeShutdownPrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeDebugPrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeSystemEnvironmentPrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeChangeNotifyPrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeRemoteShutdownPrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeUndockPrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeManageVolumePrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeImpersonatePrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeCreateGlobalPrivilege | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: 33 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: 34 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: 35 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
Token: SeIncreaseQuotaPrivilege | 1156 | steam.exe
Token: SeSecurityPrivilege | 1156 | steam.exe
Token: SeTakeOwnershipPrivilege | 1156 | steam.exe
Token: SeLoadDriverPrivilege | 1156 | steam.exe
Token: SeSystemProfilePrivilege | 1156 | steam.exe
Token: SeSystemtimePrivilege | 1156 | steam.exe
Token: SeProfSingleProcessPrivilege | 1156 | steam.exe
Token: SeIncBasePriorityPrivilege | 1156 | steam.exe
Token: SeCreatePagefilePrivilege | 1156 | steam.exe
Token: SeBackupPrivilege | 1156 | steam.exe
Token: SeRestorePrivilege | 1156 | steam.exe
Token: SeShutdownPrivilege | 1156 | steam.exe
Token: SeDebugPrivilege | 1156 | steam.exe
Token: SeSystemEnvironmentPrivilege | 1156 | steam.exe
Token: SeChangeNotifyPrivilege | 1156 | steam.exe
Token: SeRemoteShutdownPrivilege | 1156 | steam.exe
Token: SeUndockPrivilege | 1156 | steam.exe
Token: SeManageVolumePrivilege | 1156 | steam.exe
Token: SeImpersonatePrivilege | 1156 | steam.exe
Token: SeCreateGlobalPrivilege | 1156 | steam.exe
Token: 33 | 1156 | steam.exe
Token: 34 | 1156 | steam.exe
Token: 35 | 1156 | steam.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1156 | steam.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1840 wrote to memory of 836 | 1840 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 27
PID 1840 wrote to memory of 836 | 1840 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 27
PID 1840 wrote to memory of 836 | 1840 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 27
PID 1840 wrote to memory of 836 | 1840 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 27
PID 1840 wrote to memory of 836 | 1840 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 27
PID 1840 wrote to memory of 836 | 1840 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 27
PID 1840 wrote to memory of 836 | 1840 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 27
PID 1840 wrote to memory of 836 | 1840 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 27
PID 836 wrote to memory of 1136 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 28
PID 836 wrote to memory of 1136 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 28
PID 836 wrote to memory of 1136 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 28
PID 836 wrote to memory of 1136 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 28
PID 836 wrote to memory of 2016 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 31
PID 836 wrote to memory of 2016 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 31
PID 836 wrote to memory of 2016 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 31
PID 836 wrote to memory of 2016 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 31
PID 836 wrote to memory of 2024 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 30
PID 836 wrote to memory of 2024 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 30
PID 836 wrote to memory of 2024 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 30
PID 836 wrote to memory of 2024 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 30
PID 836 wrote to memory of 2024 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 30
PID 836 wrote to memory of 2024 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 30
PID 836 wrote to memory of 2024 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 30
PID 836 wrote to memory of 2024 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 30
PID 836 wrote to memory of 2024 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 30
PID 836 wrote to memory of 2024 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 30
PID 836 wrote to memory of 2024 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 30
PID 836 wrote to memory of 2024 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 30
PID 836 wrote to memory of 2024 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 30
PID 836 wrote to memory of 2024 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 30
PID 836 wrote to memory of 2024 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 30
PID 836 wrote to memory of 2024 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 30
PID 836 wrote to memory of 2024 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 30
PID 836 wrote to memory of 2024 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 30
PID 1136 wrote to memory of 984 | 1136 | cmd.exe | 34
PID 1136 wrote to memory of 984 | 1136 | cmd.exe | 34
PID 1136 wrote to memory of 984 | 1136 | cmd.exe | 34
PID 1136 wrote to memory of 984 | 1136 | cmd.exe | 34
PID 2016 wrote to memory of 1404 | 2016 | cmd.exe | 33
PID 2016 wrote to memory of 1404 | 2016 | cmd.exe | 33
PID 2016 wrote to memory of 1404 | 2016 | cmd.exe | 33
PID 2016 wrote to memory of 1404 | 2016 | cmd.exe | 33
PID 836 wrote to memory of 1692 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 35
PID 836 wrote to memory of 1692 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 35
PID 836 wrote to memory of 1692 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 35
PID 836 wrote to memory of 1692 | 836 | 8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe | 35
PID 1692 wrote to memory of 1156 | 1692 | steam.exe | 36
PID 1692 wrote to memory of 1156 | 1692 | steam.exe | 36
PID 1692 wrote to memory of 1156 | 1692 | steam.exe | 36
PID 1692 wrote to memory of 1156 | 1692 | steam.exe | 36
PID 1692 wrote to memory of 1156 | 1692 | steam.exe | 36
PID 1692 wrote to memory of 1156 | 1692 | steam.exe | 36
PID 1692 wrote to memory of 1156 | 1692 | steam.exe | 36
PID 1692 wrote to memory of 1156 | 1692 | steam.exe | 36
PID 1156 wrote to memory of 1408 | 1156 | steam.exe | 37
PID 1156 wrote to memory of 1408 | 1156 | steam.exe | 37
PID 1156 wrote to memory of 1408 | 1156 | steam.exe | 37
PID 1156 wrote to memory of 1408 | 1156 | steam.exe | 37
PID 1156 wrote to memory of 1408 | 1156 | steam.exe | 37
PID 1156 wrote to memory of 1408 | 1156 | steam.exe | 37
PID 1156 wrote to memory of 1408 | 1156 | steam.exe | 37
PID 1156 wrote to memory of 1408 | 1156 | steam.exe | 37
PID 1156 wrote to memory of 1408 | 1156 | steam.exe | 37
PID 1156 wrote to memory of 1408 | 1156 | steam.exe | 37
-
Views/modifies file attributes 1 TTPs 2 IoCs
pid | Process
1404 | attrib.exe
984 | attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
  "C:\Users\Admin\AppData\Local\Temp\8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1840
  C:\Users\Admin\AppData\Local\Temp\8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
    C:\Users\Admin\AppData\Local\Temp\8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:836
    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe" +s +h
      - Suspicious use of WriteProcessMemory
      PID:1136
      C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe" +s +h
        - Sets file to hidden
        - Views/modifies file attributes
        PID:984
    C:\Windows\SysWOW64\notepad.exe
      notepad
      - Deletes itself
      PID:2024
    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory
      PID:2016
      C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Sets file to hidden
        - Views/modifies file attributes
        PID:1404
    C:\Windows\SysWOW64\steam.exe
      "C:\Windows\system32\steam.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:1692
      C:\Windows\SysWOW64\steam.exe
        C:\Windows\SysWOW64\steam.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:1156
        C:\Windows\SysWOW64\notepad.exe
          notepad
          PID:1408
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
349KB
MD5
a18f9185d5ebc3a0aa7806b19e7ff6c0
SHA1
c06b84b749a8e6c57651060c9f19572f4d9f5875
SHA256
8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134
SHA512
98ca350ab40187bd6c764cb7a9a9e18e30a56196d0f2be1f57ca417b1b8b865fd71fbc7150933a5ddb7069f969c8c5c1861d1d8225cfb7eef27ab5eeddc16eee