Analysis

max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/10/2022, 19:14
Static task: static1

Behavioral task: behavioral1
  Sample: bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55.exe
  Resource: win10v2004-20220901-en
General

Target: bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55.exe
Size: 915KB
MD5: 81d66a2e08aaf9b51a82b734b86c9e80
SHA1: 48e5d46a6c5b95e1be88fa7a175a9d32358ec1dc
SHA256: bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55
SHA512: 46c21077a8fe9523038c64e0c5aa85a801299ac809b771237a111becf4acbfaaa7ce6a45668bdeafa9949b34dccbc19424258c739334e3a7418b620ba1eb272d
SSDEEP: 24576:5N1fAXro36rn7cdkr+HBYKMUkM0m+UaPtS:HqXrFLgyaqKHkhm+PPt
Malware Config

Extracted
  Family: darkcomet
  Botnet: WIFE-US
  C2: 127.0.0.1:1604, linep.no-ip.org:1604
  Mutex: DC_MUTEX-AMR7Z0X
  gencode: WDR3l3d5DWC1
  install: false
  offline_keylogger: true
  persistence: false
Signatures

Executes dropped EXE (1 IoC)
  pid 1668  Process UserLayout.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  (Process: UserLayout.exe)

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.com.url  (Process: UserLayout.exe)

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce  (Process: reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\UserLayout.exe = "C:\\ProgramData\\UserLayout.exe"  (Process: reg.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 1668 set thread context of 3492  (pid 1668, Process UserLayout.exe, procid_target 92)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1668  Process UserLayout.exe  (64 occurrences)

Suspicious use of AdjustPrivilegeToken (26 IoCs)
  Token: SeDebugPrivilege  pid 4868  Process bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55.exe
  Token: SeDebugPrivilege  pid 1668  Process UserLayout.exe
  pid 3492  Process vbc.exe  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 3492  Process vbc.exe

Suspicious use of WriteProcessMemory (23 IoCs)
  PID 4868 wrote to memory of 1668  (pid 4868, Process bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55.exe, procid_target 89)  x3
  PID 1668 wrote to memory of 4048  (pid 1668, Process UserLayout.exe, procid_target 90)  x3
  PID 1668 wrote to memory of 3492  (pid 1668, Process UserLayout.exe, procid_target 92)  x14
  PID 4048 wrote to memory of 2880  (pid 4048, Process cmd.exe, procid_target 93)  x3
Processes

C:\Users\Admin\AppData\Local\Temp\bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55.exe"
  PID: 4868
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\UserLayout.exe
    cmdline: C:\ProgramData\UserLayout.exe
    PID: 1668
    - Executes dropped EXE
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /f /v "UserLayout.exe" /t REG_SZ /d "C:\ProgramData\UserLayout.exe" & exit
      PID: 4048
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /f /v "UserLayout.exe" /t REG_SZ /d "C:\ProgramData\UserLayout.exe"
        PID: 2880
        - Adds Run key to start application

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      PID: 3492
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 915KB
MD5: 81d66a2e08aaf9b51a82b734b86c9e80
SHA1: 48e5d46a6c5b95e1be88fa7a175a9d32358ec1dc
SHA256: bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55
SHA512: 46c21077a8fe9523038c64e0c5aa85a801299ac809b771237a111becf4acbfaaa7ce6a45668bdeafa9949b34dccbc19424258c739334e3a7418b620ba1eb272d