Analysis
max time kernel: 155s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/10/2022, 14:08
Static task: static1
Behavioral task: behavioral1
  Sample: f85a49531e9d2b8fba2f505b6199111d3eb7ec20c3226278ec631e868a5c6f1f.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: f85a49531e9d2b8fba2f505b6199111d3eb7ec20c3226278ec631e868a5c6f1f.exe
  Resource: win10v2004-20220812-en
General
Target: f85a49531e9d2b8fba2f505b6199111d3eb7ec20c3226278ec631e868a5c6f1f.exe
Size: 1.4MB
MD5: f1dce02270c994b295f4e0c501a68688
SHA1: 0dbfe5bc38fc766fec9da4dc9bad677733c44dad
SHA256: f85a49531e9d2b8fba2f505b6199111d3eb7ec20c3226278ec631e868a5c6f1f
SHA512: 74a04f4a78a94c8c35d203dd348cc42147a51e8255c3317b37449be934a4f60f5dbf4a9d0d15ef4ae4b5c3577b5428d9f12c34213642897ad37732d4654695cf
SSDEEP: 24576:Gx4Xwm93aftAyKOTyHm4yIHKib/p6e0Brc2UJ8K5+c9pB2DZJ7JsXlSV3CQOD3fv:KOT9dysmf6d/4CnR+00D7Jyf
Malware Config
Extracted
darkcomet
Rat
testingdirtypic.no-ip.biz:1701
DC_MUTEX-K8KYHE6
InstallPath: WinDir\rundll32.exe
gencode: hpWkLgQk4yn2
install: true
offline_keylogger: true
persistence: true
reg_key: Windows Rundll32
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\WinDir\\rundll32.exe" | vbc.exe

Executes dropped EXE (1 IoCs)
pid | Process
920 | rundll32.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinDir\\rundll32.exe" | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinDir\\rundll32.exe" | vbc.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1556 set thread context of 4896 | 1556 | f85a49531e9d2b8fba2f505b6199111d3eb7ec20c3226278ec631e868a5c6f1f.exe | 80
PID 920 set thread context of 1780 | 920 | rundll32.exe | 82

Suspicious use of AdjustPrivilegeToken (48 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 IoCs) | 4896 | vbc.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 IoCs) | 1780 | vbc.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
1780 | vbc.exe

Suspicious use of WriteProcessMemory (35 IoCs)
description | pid | Process | procid_target
PID 1556 wrote to memory of 4896 (16 events) | 1556 | f85a49531e9d2b8fba2f505b6199111d3eb7ec20c3226278ec631e868a5c6f1f.exe | 80
PID 4896 wrote to memory of 920 (3 events) | 4896 | vbc.exe | 81
PID 920 wrote to memory of 1780 (16 events) | 920 | rundll32.exe | 82
Processes

1. C:\Users\Admin\AppData\Local\Temp\f85a49531e9d2b8fba2f505b6199111d3eb7ec20c3226278ec631e868a5c6f1f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f85a49531e9d2b8fba2f505b6199111d3eb7ec20c3226278ec631e868a5c6f1f.exe"
   PID: 1556
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      PID: 4896
      - Modifies WinLogon for persistence
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\WinDir\rundll32.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\WinDir\rundll32.exe"
         PID: 920
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            PID: 1780
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6