Analysis
- max time kernel: 151s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/11/2022, 16:01

Behavioral task behavioral1
- Sample: 22688d00a7f7a5b417510b1678a294d04344874473ef8516757ee97c189a9822.exe
- Resource: win7-20220812-en

Behavioral task behavioral2
- Sample: 22688d00a7f7a5b417510b1678a294d04344874473ef8516757ee97c189a9822.exe
- Resource: win10v2004-20220901-en
General
- Target: 22688d00a7f7a5b417510b1678a294d04344874473ef8516757ee97c189a9822.exe
- Size: 931KB
- MD5: 0c6822b399ad20c163522393db577547
- SHA1: 51b2579d90e7028723d6e6c7249e49b12e0d491b
- SHA256: 22688d00a7f7a5b417510b1678a294d04344874473ef8516757ee97c189a9822
- SHA512: 22137c4ae81e46c4edc8dfeb5b7038aed0d449b03a3314809440af500dab66f42d7954d081343aceb7fb14a8e6f3e55f45617d5c13c36f5867eacc4dfcd0a722
- SSDEEP: 24576:DZ1xuVVjfFoynPaVBUR8f+kN10EB1hoM/kp7wZ4:1QDgok30ehAp
Malware Config
Extracted
- Family: darkcomet
- Botnet: PointBlank
- C2: wcturkojan.zapto.org:1604
- Mutex: DC_MUTEX-1Z2Y4KL
- InstallPath: WRent\svchost.exe
- gencode: w1WmBozs2uF8
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\WRent\\svchost.exe" (process: 22688d00a7f7a5b417510b1678a294d04344874473ef8516757ee97c189a9822.exe)

Modifies firewall policy service (2 TTPs, 3 IoCs)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (process: svchost.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: svchost.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (process: svchost.exe)

Modifies security service (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (process: svchost.exe)

Windows security bypass
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: svchost.exe)
Disables RegEdit via registry modification (1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: svchost.exe)

Disables Task Manager via registry modification

Executes dropped EXE (1 IoC)
- PID 4644 svchost.exe

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
- PID 3884 attrib.exe
- PID 1292 attrib.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: 22688d00a7f7a5b417510b1678a294d04344874473ef8516757ee97c189a9822.exe)

Windows security modification
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: svchost.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WRent\\svchost.exe" (process: 22688d00a7f7a5b417510b1678a294d04344874473ef8516757ee97c189a9822.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WRent\\svchost.exe" (process: svchost.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: 22688d00a7f7a5b417510b1678a294d04344874473ef8516757ee97c189a9822.exe)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 4644 svchost.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
- PID 1652 (22688d00a7f7a5b417510b1678a294d04344874473ef8516757ee97c189a9822.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries)
- PID 4644 (svchost.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 4644 svchost.exe
Suspicious use of WriteProcessMemory (37 IoCs)
- PID 1652 (22688d00a7f7a5b417510b1678a294d04344874473ef8516757ee97c189a9822.exe) wrote to memory of 4812, procid_target 80: 3 entries
- PID 1652 (22688d00a7f7a5b417510b1678a294d04344874473ef8516757ee97c189a9822.exe) wrote to memory of 4844, procid_target 81: 3 entries
- PID 4812 (cmd.exe) wrote to memory of 3884, procid_target 84: 3 entries
- PID 4844 (cmd.exe) wrote to memory of 1292, procid_target 85: 3 entries
- PID 1652 (22688d00a7f7a5b417510b1678a294d04344874473ef8516757ee97c189a9822.exe) wrote to memory of 4644, procid_target 86: 3 entries
- PID 4644 (svchost.exe) wrote to memory of 1140, procid_target 87: 22 entries
System policy modification (1 TTP, 3 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (process: svchost.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (process: svchost.exe)

Views/modifies file attributes (1 TTP, 2 IoCs)
- PID 1292 attrib.exe
- PID 3884 attrib.exe
Processes
- PID 1652: C:\Users\Admin\AppData\Local\Temp\22688d00a7f7a5b417510b1678a294d04344874473ef8516757ee97c189a9822.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\22688d00a7f7a5b417510b1678a294d04344874473ef8516757ee97c189a9822.exe"
  Signatures: Modifies WinLogon for persistence; Checks computer location settings; Adds Run key to start application; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 4812: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\22688d00a7f7a5b417510b1678a294d04344874473ef8516757ee97c189a9822.exe" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    - PID 3884: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\22688d00a7f7a5b417510b1678a294d04344874473ef8516757ee97c189a9822.exe" +s +h
      Signatures: Sets file to hidden; Views/modifies file attributes
  - PID 4844: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    - PID 1292: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures: Sets file to hidden; Views/modifies file attributes
  - PID 4644: C:\Users\Admin\AppData\Roaming\WRent\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\WRent\svchost.exe"
    Signatures: Modifies firewall policy service; Modifies security service; Windows security bypass; Disables RegEdit via registry modification; Executes dropped EXE; Windows security modification; Adds Run key to start application; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
    - PID 1140: C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 931KB
- MD5: 0c6822b399ad20c163522393db577547
- SHA1: 51b2579d90e7028723d6e6c7249e49b12e0d491b
- SHA256: 22688d00a7f7a5b417510b1678a294d04344874473ef8516757ee97c189a9822
- SHA512: 22137c4ae81e46c4edc8dfeb5b7038aed0d449b03a3314809440af500dab66f42d7954d081343aceb7fb14a8e6f3e55f45617d5c13c36f5867eacc4dfcd0a722