Analysis
Max time kernel: 151s
Max time network: 41s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 19/10/2022, 16:21
Static task: static1
Behavioral task: behavioral1
Sample: 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe
Resource: win7-20220812-en
General
Target: 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe
Size: 818KB
MD5: a2325f08d58dba788f3ab58f89e4a0b0
SHA1: 60057894fe68b30e15ae4b14740db897012f9a69
SHA256: 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3
SHA512: bad9a11c6021cf7d93b251d9321edcb57a2c007e45ef3a042b7a34c360dbc0e0e4bf48601612890101925f030b3a993da6c5b1848cb090e114b514d4e61b5c3d
SSDEEP: 12288:ZphltQSgqI39cn/vkFQbYbv7Q1nLpsEiyrqx518NCXUo1z16Sl3C5FiduwlU:GqIOnkFQekLpsZyrI18N4Ff6Sl3mIuL
Malware Config
Extracted
Family: darkcomet
Campaign ID (SID): Slave
C2: ghost1997.no-ip.biz:1337
Mutex: DC_MUTEX-J3WWY9F
gencode: tdtxd3ezaYVU
install: false
offline_keylogger: true
persistence: false

The C2 is a no-ip dynamic-DNS name, so the address it resolves to can change at any time; hunt on the hostname and the port, not on whatever IP it resolved to during this run. Note also that the static config says install: false and persistence: false, yet the run below writes Run keys and drops a Startup-folder file (see Signatures). Treat the observed behaviour, not the extracted flags, as authoritative.
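A network hunt for this C2, as an added example that is not part of the sandbox report. It correlates DNS answers with outbound connections so that a host is flagged when it connects to an address it had itself resolved ghost1997.no-ip.biz to, and only weakly flagged on a bare port-1337 match. The log lines, the hostnames ws01..ws03, the IP addresses and the one-record-per-line formats are all constructed for the example:

```python
"""Network hunt for the extracted DarkComet C2 (ghost1997.no-ip.biz:1337).

Added example: this is not code from the sandbox report.  The log lines below
are constructed for the example; the one-line-per-record formats are assumed."""
import re
from collections import defaultdict

C2_HOST = "ghost1997.no-ip.biz"   # from the extracted config
C2_PORT = 1337                     # from the extracted config

# Constructed DNS answers and TCP connection records from three hypothetical
# workstations (ws01..ws03); IPs are documentation ranges, not real C2 addresses.
DNS_LOG = """\
2022-10-19T16:22:01Z ws01 query=ghost1997.no-ip.biz answer=203.0.113.45
2022-10-19T16:22:05Z ws02 query=update.example.com answer=198.51.100.7
2022-10-19T16:40:13Z ws01 query=ghost1997.no-ip.biz answer=203.0.113.99
"""
CONN_LOG = """\
2022-10-19T16:22:02Z ws01 tcp 10.0.0.11:49231 -> 203.0.113.45:1337 SYN
2022-10-19T16:22:06Z ws02 tcp 10.0.0.12:49300 -> 198.51.100.7:443 SYN
2022-10-19T16:40:14Z ws01 tcp 10.0.0.11:49512 -> 203.0.113.99:1337 SYN
2022-10-19T16:41:00Z ws03 tcp 10.0.0.13:50001 -> 192.0.2.8:1337 SYN
"""

DNS_RE = re.compile(r"^(\S+) (\S+) query=(\S+) answer=(\S+)$")
CONN_RE = re.compile(r"^(\S+) (\S+) tcp \S+:\d+ -> (\S+):(\d+) ")


def hunt(dns_log, conn_log, c2_host=C2_HOST, c2_port=C2_PORT):
    """Correlate DNS answers with connections.

    Returns (strong, weak):
      strong - connections from a host to an address that the same host resolved
               c2_host to, on any port (the operator can rebuild with a new port);
      weak   - connections to c2_port with no matching resolution.  A no-ip DDNS
               name is re-pointed at will, so an IP on its own is only a weak signal.
    """
    resolved = defaultdict(set)          # host -> addresses answered for c2_host
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if m and m.group(3).lower() == c2_host.lower():
            resolved[m.group(2)].add(m.group(4))

    strong, weak = [], []
    for line in conn_log.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        ts, host, dst, port = m.groups()
        if dst in resolved[host]:
            strong.append((ts, host, dst))
        elif int(port) == c2_port:
            weak.append((ts, host, dst))
    return strong, weak


if __name__ == "__main__":
    strong, weak = hunt(DNS_LOG, CONN_LOG)
    for ts, host, dst in strong:
        print(f"STRONG {ts} {host} -> {dst} (resolved from {C2_HOST})")
    for ts, host, dst in weak:
        print(f"WEAK   {ts} {host} -> {dst}:{C2_PORT} (port match only)")
```

On the constructed input, ws01 is flagged twice (it resolved the C2 name to two different addresses over the run and connected to both), while ws03's connection to an unrelated address on port 1337 is reported only as a weak hit for an analyst to confirm.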
Signatures
-
Windows security bypass / Windows security modification 1 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" by 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe (PID 940). A value of 1 tells Security Center not to raise the "no antivirus detected" notification. This single registry write is what both the "Windows security bypass" and "Windows security modification" tags on PID 940 in the process tree refer to.
-
Executes dropped EXE 1 IoCs
PID 940 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe (the second instance of the sample, see Processes)
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
PID 1876 attrib.exe, PID 1736 attrib.exe (the sample's own file and the whole Temp directory get +s +h)
-
Drops startup file 1 IoCs
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif by 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe (PID 748)
-
Loads dropped DLL 1 IoCs
PID 748 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" by 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" by 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe
Both the per-user and the machine-wide Run key point at the same InstallDir\help.exe. Nothing in this report shows help.exe being written during the run, so check for that file before assuming the Run key is live.
-
Suspicious use of SetThreadContext 1 IoCs
PID 748 set thread context of PID 940 (36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe). Together with the 13 WriteProcessMemory calls from 748 into 940 listed below, and the fact that both processes run the same image, this is the RunPE / process-hollowing pattern: the first instance starts a copy of itself, overwrites its memory and redirects its thread into the new code.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(Generic signature text. For a DarkComet RAT, drive enumeration is the expected file-manager behaviour; nothing in this run shows files being encrypted.)
-
Runs net.exe
cmd.exe /c net stop MpsSvc -> net.exe -> net1.exe (PIDs 1964, 1712, 1776). MpsSvc is the Windows Firewall service, so this is an attempt to stop the host firewall before the RAT connects out; stopping a service needs administrative rights, so it only works where the sample runs elevated.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
PID 748 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
PID 940 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe. Repeated GetForegroundWindow polling is how the keylogger records which window the captured keystrokes belong to (offline_keylogger is true in the extracted config).
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
PID 940 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe enables the following privileges on its token:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges the report lists only by LUID, 33, 34 and 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege respectively).
Twenty-three is the complete privilege set of an elevated administrator token on Windows 7, so the sample ran elevated and enabled everything it was given rather than the one or two privileges a legitimate program would ask for.
-
Suspicious use of SetWindowsHookEx 1 IoCs
PID 940 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe (a system-wide hook is the usual keystroke-capture mechanism behind the offline keylogger)
-
Suspicious use of WriteProcessMemory 64 IoCs
Grouped by caller -> target (the report's procid_target column, the sandbox's internal process index, is omitted):
PID 748 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe -> PID 1964 cmd.exe: 4 writes
PID 748 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe -> PID 940 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe: 13 writes (hollowing, see SetThreadContext above)
PID 1964 cmd.exe -> PID 1712 net.exe: 4 writes
PID 1712 net.exe -> PID 1776 net1.exe: 4 writes
PID 940 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe -> PID 472 cmd.exe: 4 writes
PID 940 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe -> PID 688 cmd.exe: 4 writes
PID 688 cmd.exe -> PID 1736 attrib.exe: 4 writes
PID 472 cmd.exe -> PID 1876 attrib.exe: 4 writes
PID 940 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe -> PID 1988 notepad.exe: 23 writes (code injected into a notepad.exe the RAT spawned itself)
Every child in this run receives exactly 4 writes from its parent at start-up, including the cmd -> net -> net1 chain, so a 4-write group is baseline noise from process creation; the 13-write and 23-write groups are the real signal.
-
Views/modifies file attributes 1 TTPs 2 IoCs
PID 1876 attrib.exe, PID 1736 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe  (PID 748)
  command line: "C:\Users\Admin\AppData\Local\Temp\36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\cmd.exe  (PID 1964)
  |     command line: /c net stop MpsSvc
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\SysWOW64\net.exe  (PID 1712)
  |           command line: net stop MpsSvc
  |           - Suspicious use of WriteProcessMemory
  |           |
  |           +-- C:\Windows\SysWOW64\net1.exe  (PID 1776)
  |                 command line: C:\Windows\system32\net1 stop MpsSvc
  |
  +-- C:\Users\Admin\AppData\Local\Temp\36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe  (PID 940)
        command line: C:\Users\Admin\AppData\Local\Temp\36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe
        (second instance of the same image, started by PID 748 and hollowed via WriteProcessMemory + SetThreadContext; this is the process that does the RAT work)
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\cmd.exe  (PID 472)
        |     command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe" +s +h
        |     - Suspicious use of WriteProcessMemory
        |     |
        |     +-- C:\Windows\SysWOW64\attrib.exe  (PID 1876)
        |           command line: attrib "C:\Users\Admin\AppData\Local\Temp\36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe" +s +h
        |           - Sets file to hidden
        |           - Views/modifies file attributes
        |
        +-- C:\Windows\SysWOW64\cmd.exe  (PID 688)
        |     command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        |     - Suspicious use of WriteProcessMemory
        |     |
        |     +-- C:\Windows\SysWOW64\attrib.exe  (PID 1736)
        |           command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        |           - Sets file to hidden
        |           - Views/modifies file attributes
        |
        +-- C:\Windows\SysWOW64\notepad.exe  (PID 1988)
              command line: notepad
              (spawned by PID 940, which then writes to it 23 times; the RAT is hosting code in notepad.exe)
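The process tree and signature tables above translate directly into host-side detection rules. The following is an added example, not the sandbox's own rules and not code from the report: it transcribes the observed process creations, API calls, registry writes and file drop into a small event schema assumed for the example (type, pid, ppid, image, cmdline, api, target, count, key, value, path) and runs six rules over them: firewall-service stop via net/net1, attrib +s +h hiding, same-image parent-child hollowing (WriteProcessMemory followed by SetThreadContext), cross-image remote writes above the 4-write start-up baseline, the Security Center AntiVirusDisableNotify write, Run-key persistence into AppData\Roaming, and a Startup-folder drop. Only the write counts from the report are carried over; the uniform 4-write bursts for the cmd/net/attrib children are omitted except for one that shows the threshold working.

```python
"""Host-telemetry detection logic for the behaviours in this report.

Added example: not part of the sandbox report and not the sandbox's own rules.
EVENTS is transcribed from the report's process tree and signature tables into
a small generic schema assumed here (type / pid / ppid / image / cmdline / ...)."""
import re
from collections import defaultdict

SAMPLE = "36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SYS = r"C:\Windows\SysWOW64"
WRITE_NOISE = 4   # every child in the run gets exactly 4 parent writes at start-up

EVENTS = [
    {"type": "process", "pid": 748, "ppid": 0, "image": f"{TMP}\\{SAMPLE}", "cmdline": f'"{TMP}\\{SAMPLE}"'},
    {"type": "process", "pid": 1964, "ppid": 748, "image": f"{SYS}\\cmd.exe", "cmdline": "/c net stop MpsSvc"},
    {"type": "api", "pid": 748, "api": "WriteProcessMemory", "target": 1964, "count": 4},
    {"type": "process", "pid": 1712, "ppid": 1964, "image": f"{SYS}\\net.exe", "cmdline": "net stop MpsSvc"},
    {"type": "process", "pid": 1776, "ppid": 1712, "image": f"{SYS}\\net1.exe", "cmdline": r"C:\Windows\system32\net1 stop MpsSvc"},
    {"type": "process", "pid": 940, "ppid": 748, "image": f"{TMP}\\{SAMPLE}", "cmdline": f"{TMP}\\{SAMPLE}"},
    {"type": "api", "pid": 748, "api": "WriteProcessMemory", "target": 940, "count": 13},
    {"type": "api", "pid": 748, "api": "SetThreadContext", "target": 940, "count": 1},
    {"type": "registry", "pid": 940, "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify", "value": "1"},
    {"type": "registry", "pid": 748, "key": r"\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\help", "value": r"C:\Users\Admin\AppData\Roaming\InstallDir\help.exe"},
    {"type": "file", "pid": 748, "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif"},
    {"type": "process", "pid": 472, "ppid": 940, "image": f"{SYS}\\cmd.exe", "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /k attrib "{TMP}\\{SAMPLE}" +s +h'},
    {"type": "process", "pid": 1876, "ppid": 472, "image": f"{SYS}\\attrib.exe", "cmdline": f'attrib "{TMP}\\{SAMPLE}" +s +h'},
    {"type": "process", "pid": 688, "ppid": 940, "image": f"{SYS}\\cmd.exe", "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /k attrib "{TMP}" +s +h'},
    {"type": "process", "pid": 1736, "ppid": 688, "image": f"{SYS}\\attrib.exe", "cmdline": f'attrib "{TMP}" +s +h'},
    {"type": "process", "pid": 1988, "ppid": 940, "image": f"{SYS}\\notepad.exe", "cmdline": "notepad"},
    {"type": "api", "pid": 940, "api": "WriteProcessMemory", "target": 1988, "count": 23},
]

# MpsSvc is the Windows Firewall service; both "net stop" and "net1 stop" spellings count.
STOP_FIREWALL = re.compile(r"\bnet1?\b.*\bstop\s+mpssvc\b")


def detect(events):
    """Return a set of findings: (rule, pid) or (rule, caller_pid, target_pid)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    calls = defaultdict(lambda: defaultdict(int))   # (caller, target) -> api -> count
    for e in events:
        if e["type"] == "api":
            calls[(e["pid"], e["target"])][e["api"]] += e.get("count", 1)

    hits = set()
    for pid, p in procs.items():
        cmd, image = p["cmdline"].lower(), p["image"].lower()
        if STOP_FIREWALL.search(cmd):
            hits.add(("firewall_service_stop", pid))
        if image.endswith("\\attrib.exe") and "+h" in cmd and "+s" in cmd:
            hits.add(("attrib_hide", pid))
        parent = procs.get(p["ppid"])
        if parent is None:
            continue
        apis = calls[(parent["pid"], pid)]
        if parent["image"].lower() == image and apis["SetThreadContext"] and apis["WriteProcessMemory"]:
            # Same image launched twice, parent overwrote the child's memory and
            # then redirected its thread: the RunPE / process-hollowing pattern.
            hits.add(("process_hollowing", parent["pid"], pid))
        elif apis["WriteProcessMemory"] > WRITE_NOISE:
            hits.add(("remote_process_write", parent["pid"], pid))

    for e in events:
        if e["type"] == "registry":
            key, val = e["key"].lower(), e["value"].lower()
            if "\\security center\\" in key and key.endswith("antivirusdisablenotify") and val == "1":
                hits.add(("security_center_tamper", e["pid"]))
            if "\\currentversion\\run\\" in key and "\\appdata\\roaming\\" in val:
                hits.add(("run_key_persistence", e["pid"]))
        elif e["type"] == "file" and "\\start menu\\programs\\startup\\" in e["path"].lower():
            hits.add(("startup_folder_drop", e["pid"]))
    return hits


if __name__ == "__main__":
    for hit in sorted(detect(EVENTS)):
        print(hit)
```

The two rules worth copying into real telemetry are the hollowing rule (parent and child share an image, and the parent both writes the child's memory and sets its thread context) and the write-count threshold: on its own a WriteProcessMemory into a child is what every process launch looks like in this report, and only counts well above the start-up baseline separate the 748 -> 940 and 940 -> 1988 injections from the cmd -> net -> net1 chain.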
Downloads
-
C:\Users\Admin\AppData\Local\Temp\36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe
Filesize: 818KB
MD5: a2325f08d58dba788f3ab58f89e4a0b0
SHA1: 60057894fe68b30e15ae4b14740db897012f9a69
SHA256: 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3
SHA512: bad9a11c6021cf7d93b251d9321edcb57a2c007e45ef3a042b7a34c360dbc0e0e4bf48601612890101925f030b3a993da6c5b1848cb090e114b514d4e61b5c3d
-
\Users\Admin\AppData\Local\Temp\36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3.exe
Filesize: 818KB
MD5: a2325f08d58dba788f3ab58f89e4a0b0
SHA1: 60057894fe68b30e15ae4b14740db897012f9a69
SHA256: 36f8422a4c2d465ac8adced544708603ae5fcf680fe15af563a4eb45b287c0c3
SHA512: bad9a11c6021cf7d93b251d9321edcb57a2c007e45ef3a042b7a34c360dbc0e0e4bf48601612890101925f030b3a993da6c5b1848cb090e114b514d4e61b5c3d

Both entries carry exactly the hashes of the submitted sample, so the "dropped" executable that the Executes dropped EXE and Loads dropped DLL signatures refer to is the sample's own image being re-executed as PID 940, not a distinct second-stage payload. No other file written during the run is listed here; in particular, the InstallDir\help.exe named in the Run keys does not appear.