Analysis
-
max time kernel: 156s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/10/2022, 09:54
Static task: static1
Behavioral task: behavioral1
Sample: e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Resource: win7-20220812-en
General
-
Target: e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Size: 834KB
MD5: 8063edbb84b65ca71acbdfd396f02ee0
SHA1: f4b71aa3da3109419ea5182aec8e406e4326dbe7
SHA256: e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc
SHA512: 52dd4c1a3eb4e34902f81a3fd6438b00a261834608978f16cbe71819e19b47e5903f33b84fc7a90a4d086b565a2f668c1d2fc0f3b93e6e55a8642a8d734d7a3b
SSDEEP: 12288:IxDivlXiaS+SKPXBGDWiJDEjL8M847EKdZz+XyiZ5IvyR8/YyBTdMCVInocFtCnY:IwNXpPX8DVDEEMvZzi+VTeDnNtu9+
Malware Config
Extracted
-
Family: darkcomet
Botnet: deneme
C2: 127.0.0.1:6300
Mutex: DC_MUTEX-YMRNXXV
gencode: 5mfVvT3mRv31
install: false
offline_keylogger: true
persistence: false
Signatures
-
Suspicious use of SetThreadContext (1 IoC)

description | pid | Process | procid_target
PID 396 set thread context of 1164 | 396 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe | 81
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (24 IoCs)

description | pid | Process
Token: SeIncreaseQuotaPrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: SeSecurityPrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: SeTakeOwnershipPrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: SeLoadDriverPrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: SeSystemProfilePrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: SeSystemtimePrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: SeProfSingleProcessPrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: SeIncBasePriorityPrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: SeCreatePagefilePrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: SeBackupPrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: SeRestorePrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: SeShutdownPrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: SeDebugPrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: SeSystemEnvironmentPrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: SeChangeNotifyPrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: SeRemoteShutdownPrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: SeUndockPrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: SeManageVolumePrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: SeImpersonatePrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: SeCreateGlobalPrivilege | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: 33 | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: 34 | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: 35 | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Token: 36 | 1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)

pid | Process
396 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
1164 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
-
Suspicious use of WriteProcessMemory (14 IoCs)

description | pid | Process | procid_target
PID 396 wrote to memory of 1164 | 396 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe | 81
PID 396 wrote to memory of 1164 | 396 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe | 81
PID 396 wrote to memory of 1164 | 396 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe | 81
PID 396 wrote to memory of 1164 | 396 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe | 81
PID 396 wrote to memory of 1164 | 396 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe | 81
PID 396 wrote to memory of 1164 | 396 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe | 81
PID 396 wrote to memory of 1164 | 396 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe | 81
PID 396 wrote to memory of 1164 | 396 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe | 81
PID 396 wrote to memory of 1164 | 396 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe | 81
PID 396 wrote to memory of 1164 | 396 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe | 81
PID 396 wrote to memory of 1164 | 396 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe | 81
PID 396 wrote to memory of 1164 | 396 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe | 81
PID 396 wrote to memory of 1164 | 396 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe | 81
PID 396 wrote to memory of 1164 | 396 | e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe | 81
Processes
-
1. Path: C:\Users\Admin\AppData\Local\Temp\e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe"
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 396
-
2. (child of process 1, PID 396) Path: C:\Users\Admin\AppData\Local\Temp\e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
Command line: C:\Users\Admin\AppData\Local\Temp\e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1164