Analysis
- max time kernel: 151s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 08-11-2022 21:03
- Static task: static1
- Behavioral task: behavioral1
- Sample: e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe
- Resource: win7-20220901-en
General
- Target: e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe
- Size: 555KB
- MD5: 0eb34141a4641bfed8aad9ff39e769c0
- SHA1: 1db95c652b573a812c54f0d43fee28817d001652
- SHA256: e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21
- SHA512: 561aa2635ff79bb88724b38a195faaadb346c5ee4e6bee5f46d7e1bccc511b03edf58885478fd4aa7d8ca0c1f16db15d081440e14cdc70f209d4f1093cc2ad60
- SSDEEP: 12288:cgztz6C2jce9DKy4bi1De6wW2gIbJl0ekRzO0FzJAdq:F96zRl+d7luVKmUq
Malware Config
Extracted: darkcomet
- Campaign ID: Victime
- C2: taraji19.no-ip.org:81
- Mutex: DC_MUTEX-PJKYUUB
- gencode: 7uBzBgo1DC3L
- install: false
- offline_keylogger: true
- persistence: false
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: cvtres.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"

Modifies security service (2 TTPs, 1 IoCs)
Process: cvtres.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"

Windows security bypass (heading recovered from the process tree below; the report's own TTP/IoC counts for this entry are not present)
Process: cvtres.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"

Executes dropped EXE (1 IoCs)
- PID 2024: Tempbackup.exe

Loads dropped DLL (2 IoCs)
- PID 1200: e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe (2 occurrences)

Suspicious use of SetThreadContext (1 IoCs)
- PID 2024 (Tempbackup.exe) set thread context of PID 1112 (cvtres.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (12 IoCs)
- PID 2024: Tempbackup.exe (12 occurrences)

Suspicious use of AdjustPrivilegeToken (24 IoCs)
- PID 2024 (Tempbackup.exe): SeDebugPrivilege
- PID 1112 (cvtres.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of SetWindowsHookEx (1 IoCs)
- PID 1112: cvtres.exe

Suspicious use of WriteProcessMemory (17 IoCs)
- PID 1200 (e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe) wrote to memory of PID 2024 (Tempbackup.exe): 4 occurrences
- PID 2024 (Tempbackup.exe) wrote to memory of PID 1112 (cvtres.exe): 13 occurrences
Processes

1. C:\Users\Admin\AppData\Local\Temp\e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Tempbackup.exe
      Command line: "C:\Users\Admin\AppData\Local\Tempbackup.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         - Modifies firewall policy service
         - Modifies security service
         - Windows security bypass
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Tempbackup.exe
- Filesize: 712KB
- MD5: 01fbb6e64191fa99010e6b9bd11e5897
- SHA1: 2c5d27b3c9065bebe9d5f8cda7e45dc63f2b88ef
- SHA256: cb38969a8bfb689ead2ffdd11007a96bd5291681f4fa635cd23742332ee79021
- SHA512: bfafa4b4eaf70edc5e741db405d6f5a99c7a6e8df909b69d1ec507522a886780275424a5b2fa7a944f3a4af0851947e50ab25b040989113fb024586532161083
Memory dumps

PID 1200 (e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe)
- memory/1200-54: 0x0000000000100000-0x0000000000190000 (576KB)
- memory/1200-55: 0x0000000075AC1000-0x0000000075AC3000 (8KB)
- memory/1200-56: 0x0000000004ED0000-0x0000000004F86000 (728KB)

PID 2024 (Tempbackup.exe)
- memory/2024-59: 0x0000000000000000 (mapping)
- memory/2024-80: 0x0000000074340000-0x00000000748EB000 (5.7MB)

PID 1112 (cvtres.exe)
- memory/1112-63: 0x0000000000400000-0x00000000004B2000 (712KB)
- memory/1112-64: 0x0000000000400000-0x00000000004B2000 (712KB)
- memory/1112-66: 0x0000000000400000-0x00000000004B2000 (712KB)
- memory/1112-68: 0x0000000000400000-0x00000000004B2000 (712KB)
- memory/1112-70: 0x0000000000400000-0x00000000004B2000 (712KB)
- memory/1112-72: 0x0000000000400000-0x00000000004B2000 (712KB)
- memory/1112-73: 0x0000000000400000-0x00000000004B2000 (712KB)
- memory/1112-75: 0x0000000000400000-0x00000000004B2000 (712KB)
- memory/1112-77: 0x0000000000400000-0x00000000004B2000 (712KB)
- memory/1112-78: 0x000000000048F888 (mapping)
- memory/1112-79: 0x0000000000400000-0x00000000004B2000 (712KB)
- memory/1112-82: 0x0000000000400000-0x00000000004B2000 (712KB)
- memory/1112-83: 0x0000000000400000-0x00000000004B2000 (712KB)
- memory/1112-84: 0x0000000000400000-0x00000000004B2000 (712KB)