Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-10-2022 06:49

Static task: static1
Behavioral task: behavioral1
- Sample: bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
- Resource: win10v2004-20220812-en

General
- Target: bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
- Size: 759KB
- MD5: 5a8b8f6969ad1562fa7429de7da84ac0
- SHA1: b7fd78d674bd0c72a685fb3c8957118c6bc9d5e3
- SHA256: bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0
- SHA512: a8aa1ea5a7b6ec10d75d9179f8e51b3c2be6a4acf86524e326ea1c6207a99f4ed5ce05a2ea7b1f405d4ce88db6fc27c2ce1d86fbfe482d0cdbe1416dc353364e
- SSDEEP: 12288:awoEPOA85/98nxvUy96snJFHyVKMsYghTsKi1033G6366G7pkz8fdjzfJpFSa2jf:/S5OnjAuSVKvPhTsKiIi6p81PEjf
Malware Config
Extracted
- Family: darkcomet
- Botnet: Infected
- C2: saerchap.no-ip.biz:1604
- Mutex: DC_MUTEX-TBLTDNE
- gencode: 0y0oASJgFJ6Q
- install: false
- offline_keylogger: true
- persistence: false
The C2 is a dynamic-DNS hostname (no-ip.biz) and 1604 is DarkComet's default listening port, so neither the name nor the port is a stable indicator on its own; the per-build mutex name is the more specific artefact for host-side matching.
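The fields above are what the sandbox pulled out of the binary's configuration. As an added example, not code from the sandbox or from the sample, the following Python shows how such a configuration is recovered and normalised to the report's field names. It assumes the widely documented DarkComet v5 layout (RC4 with a version-specific static key, the ciphertext stored hex-encoded, a text body framed by `#BEGIN DARKCOMET DATA --` / `#EOF DARKCOMET DATA --` with `KEY={value}` lines such as NETDATA, MUTEX, GENCODE, SID, INSTALL, OFFLINEK, PERSINST); the key list and those field names are assumptions here, not something this page states. Because the real resource is not on the page, the blob the script decodes is constructed by encrypting a config text built from the report's own values, then decoded again by trying each candidate key.

```python
"""Decode a DarkComet-style configuration blob and normalise it to the
field names used in the sandbox report.

Added example; not the sandbox's extractor. Assumptions: RC4 with one of the
static keys below, hex-encoded ciphertext, KEY={value} lines between the two
markers. The blob at the bottom is CONSTRUCTED from the report's values.
"""
from __future__ import annotations
import binascii

# Static RC4 keys reported for DarkComet builds (assumed list; may be incomplete).
KEY_CANDIDATES = [
    b"#KCMDDC51#-890",   # 5.1
    b"#KCMDDC5#-890",    # 5.0
    b"#KCMDDC42F#-890",  # 4.2F
    b"#KCMDDC42#-890",   # 4.2
    b"#KCMDDC4#-890",    # 4.x
    b"#KCMDDC2#-890",    # 2.x
]
BEGIN_MARKER = b"#BEGIN DARKCOMET DATA --"
END_MARKER = b"#EOF DARKCOMET DATA --"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_blob(hex_blob: bytes) -> tuple[str, dict]:
    """Try each candidate key; return (key_used, raw KEY -> value pairs).

    Raises ValueError when no key yields both markers, which is the signal
    that the blob is not a v5-style config or uses a key not in the list.
    """
    cipher = binascii.unhexlify(hex_blob)
    for key in KEY_CANDIDATES:
        plain = rc4(key, cipher)
        if BEGIN_MARKER in plain and END_MARKER in plain:
            body = plain.split(BEGIN_MARKER, 1)[1].split(END_MARKER, 1)[0]
            fields = {}
            for line in body.decode("latin-1").splitlines():
                if "=" not in line:
                    continue
                k, v = line.strip().split("=", 1)
                fields[k.strip()] = v.strip().strip("{}")
            return key.decode(), fields
    raise ValueError("no candidate key produced a DarkComet config")


def normalise(fields: dict) -> dict:
    """Map DarkComet's own keys to the field names used in the report."""
    def flag(k: str) -> bool:
        return fields.get(k, "0") == "1"
    # NETDATA may list several host:port entries separated by '|' (assumption);
    # the first one is used here.
    net = fields.get("NETDATA", "").split("|")[0]
    host, _, port = net.rpartition(":")
    return {
        "c2": net,
        "c2_host": host,
        "c2_port": int(port) if port.isdigit() else None,
        "mutex": fields.get("MUTEX", ""),
        "gencode": fields.get("GENCODE", ""),
        "botnet": fields.get("SID", ""),
        "install": flag("INSTALL"),
        "offline_keylogger": flag("OFFLINEK"),
        "persistence": flag("PERSINST"),
    }


# Constructed sample: the report's values, framed and encrypted the assumed way.
SAMPLE_CONFIG = (
    b"#BEGIN DARKCOMET DATA --\r\n"
    b"MUTEX={DC_MUTEX-TBLTDNE}\r\n"
    b"SID={Infected}\r\n"
    b"NETDATA={saerchap.no-ip.biz:1604}\r\n"
    b"GENCODE={0y0oASJgFJ6Q}\r\n"
    b"INSTALL={0}\r\n"
    b"OFFLINEK={1}\r\n"
    b"PERSINST={0}\r\n"
    b"#EOF DARKCOMET DATA --\r\n"
)
SAMPLE_BLOB = binascii.hexlify(rc4(b"#KCMDDC51#-890", SAMPLE_CONFIG)).upper()

if __name__ == "__main__":
    key, raw = decode_blob(SAMPLE_BLOB)
    print("key:", key)
    for k, v in normalise(raw).items():
        print(f"{k:>18}: {v}")
```

Keying on the framing markers rather than on a particular key is what makes the loop robust: a wrong key produces pseudo-random bytes, so a false match is vanishingly unlikely, and an unlisted key fails loudly instead of yielding a garbage config.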
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
- PID 2380 msconfig.exe
-
Loads dropped DLL 6 IoCs
Processes:
- PID 4744 bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe (listed six times, one per load event)
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FacbookUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\FacbookUpdate.exe"
The value is written under HKCU, so it needs no elevation, and its name imitates a Facebook updater. Note that the extracted config reports install=false and persistence=false, yet this Run value is set, and FacbookUpdate.exe does not appear among the files written in this run; check whether the target exists on disk before relying on this value as the persistence mechanism.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 4744 bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe set thread context of PID 2380 msconfig.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" hint that normally accompanies this generic signature is not supported here: the extracted configuration identifies the sample as DarkComet, a remote-access trojan, and enumerating drives is ordinary RAT file-browsing behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- PID 4744 bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe (2 events)
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
- PID 4744 bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe: SeDebugPrivilege
- PID 2380 msconfig.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
The unnamed LUIDs 33-36 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. Enabling the entire privilege set in one sweep is characteristic of a blanket AdjustTokenPrivileges loop rather than a targeted request; which of these actually take effect depends on the token's integrity level, which the report does not record.
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 2380 msconfig.exe
A Windows hook installed by the injected process is consistent with offline_keylogger=true in the extracted config; a keyboard hook is the usual user-mode keylogging mechanism.
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
- PID 4744 bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe wrote to memory of PID 1928 csc.exe (3 events)
- PID 1928 csc.exe wrote to memory of PID 5072 cvtres.exe (3 events)
- PID 4744 bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe wrote to memory of PID 2380 msconfig.exe (14 events)
Only the last group is paired with a SetThreadContext call. The three-event groups are what a parent produces when it creates a child (the same pattern appears when csc.exe spawns cvtres.exe) and carry no weight on their own; the 14 writes into msconfig.exe followed by SetThreadContext are the pair to act on.
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe"
   PID: 4744
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3pnupqpt.cmdline"
      PID: 1928
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBBD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEBBC.tmp"
         PID: 5072
   2. C:\Users\Admin\AppData\Local\Temp\AppLaunch\msconfig.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\AppLaunch\msconfig.exe
      PID: 2380
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
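The tree and the signature lines above describe one chain: a sample in a user temp directory compiles a small assembly with csc.exe, drops an msconfig.exe into Temp\AppLaunch, writes into it repeatedly, sets its thread context, and registers a Run value pointing into AppData\Roaming. As an added example, not the sandbox's rule engine and not code from this report, the Python below turns that chain into four detection rules and runs them over event records constructed from the PIDs, image paths and counts on this page. The record schema (dicts with a "type" key), the list of system-binary names and the user-writable path markers are assumptions of the example, not Triage's or Sysmon's format.

```python
"""Detection rules for the dropper -> runtime compile -> hollowing -> Run key chain.

Added example. EVENTS is CONSTRUCTED from the process tree and signature
counts in the report; the record format and the name/path lists are
assumptions, not a sandbox or Sysmon schema.
"""
from __future__ import annotations
import ntpath
from collections import defaultdict

# Windows binary names that droppers commonly copy or hollow (assumed list).
SYSTEM_BINARY_NAMES = {"msconfig.exe", "svchost.exe", "explorer.exe",
                       "regsvr32.exe", "rundll32.exe", "applaunch.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\microsoft.net\\")
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                         "\\appdata\\local\\", "\\users\\public\\")


def _norm(p: str) -> str:
    # Lower-case and collapse the doubled backslash seen in the dropped command line.
    return p.lower().replace("\\\\", "\\")


def _user_writable(p: str) -> bool:
    return any(m in _norm(p) for m in USER_WRITABLE_MARKERS)


def analyse(events: list[dict]) -> list[dict]:
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    writes: dict[tuple, int] = defaultdict(int)   # (src, dst) -> WriteProcessMemory count
    ctx: set[tuple] = set()                        # (src, dst) pairs with SetThreadContext
    for e in events:
        if e["type"] == "write_process_memory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif e["type"] == "set_thread_context":
            ctx.add((e["pid"], e["target_pid"]))

    findings = []
    for pid, p in procs.items():
        image = _norm(p["image"])
        name = ntpath.basename(image)
        parent = p.get("ppid")
        # Rule 1: a system-binary name executing outside the Windows directories.
        if name in SYSTEM_BINARY_NAMES and not image.startswith(SYSTEM_DIRS):
            findings.append({"rule": "system_binary_lookalike", "pid": pid,
                             "detail": p["image"]})
        # Rule 2: the parent wrote into the child AND set its thread context.
        # Writes alone are not enough: CreateProcess legitimately writes into a new child.
        if (parent, pid) in ctx and writes[(parent, pid)] > 0:
            findings.append({"rule": "hollowing_pattern", "pid": pid,
                             "detail": f"parent {parent} wrote {writes[(parent, pid)]}x, "
                                       f"then SetThreadContext"})
        # Rule 3: the C# compiler launched by something living in a user-writable path.
        if name == "csc.exe" and parent in procs and _user_writable(procs[parent]["image"]):
            findings.append({"rule": "runtime_compile_from_user_path", "pid": pid,
                             "detail": f"parent {procs[parent]['image']}"})
    for e in events:
        # Rule 4: an autorun value whose target lives in a user-writable location.
        if (e["type"] == "registry_set"
                and "\\currentversion\\run\\" in _norm(e["key"])
                and _user_writable(e["data"])):
            findings.append({"rule": "run_key_to_user_path", "pid": e["pid"],
                             "detail": f"{ntpath.basename(e['key'])} -> {e['data']}"})
    return findings


# Constructed from the report: same PIDs, paths and event counts.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe")
NET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
EVENTS = [
    {"type": "process_create", "pid": 4744, "ppid": None, "image": SAMPLE},
    {"type": "process_create", "pid": 1928, "ppid": 4744, "image": NET + r"\csc.exe"},
    {"type": "process_create", "pid": 5072, "ppid": 1928, "image": NET + r"\cvtres.exe"},
    {"type": "process_create", "pid": 2380, "ppid": 4744,
     "image": r"C:\Users\Admin\AppData\Local\Temp\\AppLaunch\msconfig.exe"},
    *[{"type": "write_process_memory", "pid": 4744, "target_pid": 1928} for _ in range(3)],
    *[{"type": "write_process_memory", "pid": 1928, "target_pid": 5072} for _ in range(3)],
    *[{"type": "write_process_memory", "pid": 4744, "target_pid": 2380} for _ in range(14)],
    {"type": "set_thread_context", "pid": 4744, "target_pid": 2380},
    {"type": "registry_set", "pid": 4744,
     "key": r"\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FacbookUpdate",
     "data": r"C:\Users\Admin\AppData\Roaming\FacbookUpdate.exe"},
]

if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"{f['rule']:<32} pid={f['pid']:<5} {f['detail']}")
```

Rule 2 is the one worth copying: it requires both signals on the same parent/child pair, which is why the writes into csc.exe and cvtres.exe (no SetThreadContext) produce nothing while the 14 writes into PID 2380 do.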
Network
MITRE ATT&CK Enterprise v6
Downloads
The 3pnupqpt.* files are the working set of the runtime C# compile in the process tree: 3pnupqpt.0.cs is the source, 3pnupqpt.cmdline the response file passed to csc.exe, and 3pnupqpt.dll the resulting 4KB assembly; CSCEBBC.tmp and RESEBBD.tmp are cvtres.exe's input and output. A csc.exe /noconfig /fullpaths @response-file call followed by cvtres is the invocation pattern of System.CodeDom's CSharpCodeProvider, i.e. code compiled on the victim at run time rather than shipped as a finished binary, so the DLL's hashes will differ per run even when the source does not.
-
C:\Users\Admin\AppData\Local\Temp\3pnupqpt.dll
Filesize: 4KB
MD5: c7e9220490774c0306663af97056a4e0
SHA1: e48d706bc182478d986ce46b143e63b0dfab2b41
SHA256: 404defe062e339faa44499d0ef24c3dbac525a1844959e867424bc3f6ddb8c50
SHA512: ddf710ba387a2d005f8be782256784d850c479d4aade8804790dfeb57104c60bee23b892e832f07eada71f0b9e744105b03ddcb2d07297ffe06cbbb4dea7995f
-
C:\Users\Admin\AppData\Local\Temp\AppLaunch\msconfig.exe
Filesize: 1.1MB
MD5: d881de17aa8f2e2c08cbb7b265f928f9
SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
-
C:\Users\Admin\AppData\Local\Temp\RESEBBD.tmp
Filesize: 1KB
MD5: 99e6b78a599e446659cbd8eca7329628
SHA1: 722bc06daa5eb3d6cae9e5bf8161cde445facb05
SHA256: 64f32e31598ae47a0b665f4a0189c2211d9bc0c29001efb4fbbde16740a54d6f
SHA512: 21d757737900398b2e39e96df1d4652b24e1400cc05a7368d3314977692ac97e844110b2cb7f6a6ea869d7a8101249c3b30ffa3a045fdae5839652fc24583be5
-
\??\c:\Users\Admin\AppData\Local\Temp\3pnupqpt.0.cs
Filesize: 1KB
MD5: 726a6cdc1c8c93a4187bde307bdcce62
SHA1: 7be83ba9aa298ee36171b41c2696091eb9096230
SHA256: f80bab86984f7b0a86e23622bc49bd78c54acbf179e9fb4be1ee14fa0a6616d0
SHA512: 0ba2ca78052eb3f0bbcb533f2a511d4d2fa459893c0e7f795d255124f079f7b7b6532631ebf72516ec6b67cce132d0b955e87f7369b5fd08c26afb4160e86cdd
-
\??\c:\Users\Admin\AppData\Local\Temp\3pnupqpt.cmdline
Filesize: 195B
MD5: d90bcd94b4b896a143b85fc8e6964b35
SHA1: dfd8efb7346a753b9ec63ffb074c49c6d095712c
SHA256: 10272865f8019f44378efc466786e5508866ac96ffc8bb56e7e282d5e0ba45ca
SHA512: 2d0c191d57e1f52ebdeff13e34726998e4b72a8c3c5cab27d63acc474a88378cac9032e679ee899a879f9e5d6e275fad89f5360fc9ec26f51001849406ac611c
-
\??\c:\Users\Admin\AppData\Local\Temp\CSCEBBC.tmp
Filesize: 652B
MD5: e90a7bb55462575b93bf24abb4b24427
SHA1: cc6231de5324e935a077d97de55597de86abd833
SHA256: 2c2d5dc7fc49adae0abbf8afbd6fcd5049d3ec17cc84b7fb7499741fd10baa14
SHA512: 6c388488ae80abf8e5823749c2452e63cc42ae87fb24da44773b4d5d8e8f4aa67dee590e417748b77c28ea04dad9c281be36de27cd814df570fcedc08f165a69
-
memory/1928-133-0x0000000000000000-mapping.dmp
-
memory/2380-147-0x0000000000000000-mapping.dmp
-
memory/2380-148-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
-
memory/2380-151-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
-
memory/2380-152-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
-
memory/2380-154-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
-
memory/2380-155-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
-
memory/2380-156-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
-
memory/4744-146-0x0000000074F40000-0x00000000754F1000-memory.dmp (Filesize: 5.7MB)
-
memory/4744-132-0x0000000074F40000-0x00000000754F1000-memory.dmp (Filesize: 5.7MB)
-
memory/5072-136-0x0000000000000000-mapping.dmp
The repeated 712KB dumps of 0x400000-0x4B2000 in PID 2380 cover the image-base region of the process that received 14 WriteProcessMemory calls and a SetThreadContext from PID 4744. A mapped image can legitimately differ in size from its 1.1MB file on disk, so the size alone proves nothing; comparing the PE header and sections in one of these dumps with the dropped msconfig.exe is the quick way to confirm whether the original image was replaced (process hollowing) before treating the on-disk msconfig.exe as the payload.