Analysis
- max time kernel: 154s
- max time network: 174s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-11-2022 21:03
Static task
static1
Behavioral task
behavioral1
Sample
e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe
Resource
win7-20220901-en
General
-
Target
e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe
-
Size
555KB
-
MD5
0eb34141a4641bfed8aad9ff39e769c0
-
SHA1
1db95c652b573a812c54f0d43fee28817d001652
-
SHA256
e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21
-
SHA512
561aa2635ff79bb88724b38a195faaadb346c5ee4e6bee5f46d7e1bccc511b03edf58885478fd4aa7d8ca0c1f16db15d081440e14cdc70f209d4f1093cc2ad60
-
SSDEEP
12288:cgztz6C2jce9DKy4bi1De6wW2gIbJl0ekRzO0FzJAdq:F96zRl+d7luVKmUq
Malware Config
Extracted
Family: darkcomet
Botnet: Victime
C2: taraji19.no-ip.org:81
Mutex: DC_MUTEX-PJKYUUB
- gencode: 7uBzBgo1DC3L
- install: false
- offline_keylogger: true
- persistence: false
Signatures
-
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: cvtres.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (cvtres.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (cvtres.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (cvtres.exe)
Modifies security service (2 TTPs, 1 IoCs)
Processes: cvtres.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (cvtres.exe)
Windows security bypass (2 IoCs)
Processes: cvtres.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (cvtres.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (cvtres.exe)
Executes dropped EXE (1 IoCs)
Processes: Tempbackup.exe
- pid 2020 Tempbackup.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes: Tempbackup.exe
- PID 2020 set thread context of 1880: Tempbackup.exe -> cvtres.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: Tempbackup.exe
- pid 2020 Tempbackup.exe (12 occurrences)
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes: Tempbackup.exe, cvtres.exe
- pid 2020 Tempbackup.exe, Token: SeDebugPrivilege
- pid 1880 cvtres.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: cvtres.exe
- pid 1880 cvtres.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe, Tempbackup.exe
- PID 1828 wrote to memory of 2020: e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe -> Tempbackup.exe (3 occurrences)
- PID 2020 wrote to memory of 1880: Tempbackup.exe -> cvtres.exe (14 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Tempbackup.exe (level 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Local\Tempbackup.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (level 3, child of Tempbackup.exe)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Tempbackup.exe
Filesize: 712KB
MD5: 01fbb6e64191fa99010e6b9bd11e5897
SHA1: 2c5d27b3c9065bebe9d5f8cda7e45dc63f2b88ef
SHA256: cb38969a8bfb689ead2ffdd11007a96bd5291681f4fa635cd23742332ee79021
SHA512: bfafa4b4eaf70edc5e741db405d6f5a99c7a6e8df909b69d1ec507522a886780275424a5b2fa7a944f3a4af0851947e50ab25b040989113fb024586532161083
-
memory/1828-136-0x00000000056E0000-0x00000000056EA000-memory.dmp
Filesize: 40KB
-
memory/1828-133-0x0000000005790000-0x000000000582C000-memory.dmp
Filesize: 624KB
-
memory/1828-132-0x0000000000CC0000-0x0000000000D50000-memory.dmp
Filesize: 576KB
-
memory/1828-137-0x0000000005830000-0x0000000005886000-memory.dmp
Filesize: 344KB
-
memory/1828-134-0x0000000005DE0000-0x0000000006384000-memory.dmp
Filesize: 5.6MB
-
memory/1828-135-0x00000000058D0000-0x0000000005962000-memory.dmp
Filesize: 584KB
-
memory/1880-143-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/1880-142-0x0000000000000000-mapping.dmp
-
memory/1880-144-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/1880-145-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/1880-147-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/1880-148-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/2020-141-0x0000000075590000-0x0000000075B41000-memory.dmp
Filesize: 5.7MB
-
memory/2020-138-0x0000000000000000-mapping.dmp
-
memory/2020-146-0x0000000075590000-0x0000000075B41000-memory.dmp
Filesize: 5.7MB