Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30/10/2022, 19:14
Static task: static1
Behavioral task: behavioral1
  Sample: bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55.exe
  Resource: win10v2004-20220901-en
General
Target: bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55.exe
Size: 915KB
MD5: 81d66a2e08aaf9b51a82b734b86c9e80
SHA1: 48e5d46a6c5b95e1be88fa7a175a9d32358ec1dc
SHA256: bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55
SHA512: 46c21077a8fe9523038c64e0c5aa85a801299ac809b771237a111becf4acbfaaa7ce6a45668bdeafa9949b34dccbc19424258c739334e3a7418b620ba1eb272d
SSDEEP: 24576:5N1fAXro36rn7cdkr+HBYKMUkM0m+UaPtS:HqXrFLgyaqKHkhm+PPt
Malware Config
Extracted: darkcomet
WIFE-US
C2: 127.0.0.1:1604
C2: linep.no-ip.org:1604
Mutex: DC_MUTEX-AMR7Z0X
gencode: WDR3l3d5DWC1
install: false
offline_keylogger: true
persistence: false
Signatures
Executes dropped EXE (1 IoC)
  PID 1520  UserLayout.exe
Drops startup file (1 IoC)
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.com.url  (UserLayout.exe)
Loads dropped DLL (2 IoCs)
  PID 2000  bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55.exe
  PID 2000  bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce  (reg.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\UserLayout.exe = "C:\\ProgramData\\UserLayout.exe"  (reg.exe)
Suspicious use of SetThreadContext (1 IoC)
  PID 1520 set thread context of 976  (PID 1520 UserLayout.exe, procid_target 32)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1520  UserLayout.exe  (64 identical entries)
Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Token: SeDebugPrivilege  PID 2000  bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55.exe
  Token: SeDebugPrivilege  PID 1520  UserLayout.exe
  Token: SeIncreaseQuotaPrivilege  PID 976  vbc.exe
  Token: SeSecurityPrivilege  PID 976  vbc.exe
  Token: SeTakeOwnershipPrivilege  PID 976  vbc.exe
  Token: SeLoadDriverPrivilege  PID 976  vbc.exe
  Token: SeSystemProfilePrivilege  PID 976  vbc.exe
  Token: SeSystemtimePrivilege  PID 976  vbc.exe
  Token: SeProfSingleProcessPrivilege  PID 976  vbc.exe
  Token: SeIncBasePriorityPrivilege  PID 976  vbc.exe
  Token: SeCreatePagefilePrivilege  PID 976  vbc.exe
  Token: SeBackupPrivilege  PID 976  vbc.exe
  Token: SeRestorePrivilege  PID 976  vbc.exe
  Token: SeShutdownPrivilege  PID 976  vbc.exe
  Token: SeDebugPrivilege  PID 976  vbc.exe
  Token: SeSystemEnvironmentPrivilege  PID 976  vbc.exe
  Token: SeChangeNotifyPrivilege  PID 976  vbc.exe
  Token: SeRemoteShutdownPrivilege  PID 976  vbc.exe
  Token: SeUndockPrivilege  PID 976  vbc.exe
  Token: SeManageVolumePrivilege  PID 976  vbc.exe
  Token: SeImpersonatePrivilege  PID 976  vbc.exe
  Token: SeCreateGlobalPrivilege  PID 976  vbc.exe
  Token: 33  PID 976  vbc.exe
  Token: 34  PID 976  vbc.exe
  Token: 35  PID 976  vbc.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 976  vbc.exe
Suspicious use of WriteProcessMemory (25 IoCs)
  PID 2000 wrote to memory of 1520  (PID 2000 bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55.exe, procid_target 28)  x4
  PID 1520 wrote to memory of 1420  (PID 1520 UserLayout.exe, procid_target 29)  x4
  PID 1420 wrote to memory of 2028  (PID 1420 cmd.exe, procid_target 31)  x4
  PID 1520 wrote to memory of 976  (PID 1520 UserLayout.exe, procid_target 32)  x13
Processes
C:\Users\Admin\AppData\Local\Temp\bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55.exe"
  PID: 2000
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\UserLayout.exe
    Command line: C:\ProgramData\UserLayout.exe
    PID: 1520
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /f /v "UserLayout.exe" /t REG_SZ /d "C:\ProgramData\UserLayout.exe" & exit
      PID: 1420
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe
        Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /f /v "UserLayout.exe" /t REG_SZ /d "C:\ProgramData\UserLayout.exe"
        PID: 2028
        - Adds Run key to start application
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      PID: 976
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 915KB
MD5: 81d66a2e08aaf9b51a82b734b86c9e80
SHA1: 48e5d46a6c5b95e1be88fa7a175a9d32358ec1dc
SHA256: bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55
SHA512: 46c21077a8fe9523038c64e0c5aa85a801299ac809b771237a111becf4acbfaaa7ce6a45668bdeafa9949b34dccbc19424258c739334e3a7418b620ba1eb272d