Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-11-2022 09:27
Behavioral task: behavioral1
Sample: 7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe
Resource: win7-20220812-en
General
- Target: 7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe
- Size: 756KB
- MD5: 530c49bd38b31f7858a2ae6735defa70
- SHA1: 56c222a587fc3c14fc64bd249da8499b9172954a
- SHA256: 7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba
- SHA512: 6d8558e9afad76308823d8d1fd6a81beb35ef4d3b717dee5d1a4f3e629f7cafdc6eafcc3bc9a385d8e4ed5098cb4f52a664a2301f03589573f4007787ae33f2b
- SSDEEP: 12288:K9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h0:GZ1xuVVjfFoynPaVBUR8f+kN10EBW
Malware Config
Extracted family: darkcomet
- Config ID: Hacker
- C2: leave1.no-ip.biz:1604
- C2: leave1.no-ip.biz:25565
- Mutex: DC_MUTEX-SF1AS3Y
- InstallPath: Adobe.exe
- gencode: v3wr0fYZFSSx
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: explorer
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: 7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe.exe" | 7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: Adobe.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | Adobe.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | Adobe.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | Adobe.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes: Adobe.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Adobe.exe
-
Executes dropped EXE 1 IoCs
Processes: Adobe.exe
pid | process
4384 | Adobe.exe
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
pid | process
3304 | attrib.exe
4836 | attrib.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe, Adobe.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe.exe" | 7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe.exe" | Adobe.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes: 7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Adobe.exe
pid | process
4384 | Adobe.exe
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes: 7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe, Adobe.exe
description | pid | process
pid 400 (7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe), 24 token adjustments: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
pid 4384 (Adobe.exe), 24 token adjustments: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: Adobe.exe
pid | process
4384 | Adobe.exe
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes: 7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe, cmd.exe, cmd.exe, Adobe.exe
description | pid | process | target process
PID 400 wrote to memory of 3952 (3 times) | 400 | 7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe | cmd.exe
PID 400 wrote to memory of 2348 (3 times) | 400 | 7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe | cmd.exe
PID 3952 wrote to memory of 3304 (3 times) | 3952 | cmd.exe | attrib.exe
PID 2348 wrote to memory of 4836 (3 times) | 2348 | cmd.exe | attrib.exe
PID 400 wrote to memory of 4384 (3 times) | 400 | 7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe | Adobe.exe
PID 4384 wrote to memory of 4956 (22 times) | 4384 | Adobe.exe | notepad.exe
-
System policy modification 1 TTPs 3 IoCs
Processes: Adobe.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | Adobe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | Adobe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | Adobe.exe
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes: attrib.exe, attrib.exe
pid | process
3304 | attrib.exe
4836 | attrib.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe" +s +h
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Local\Temp\7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba.exe" +s +h
            - Sets file to hidden
            - Views/modifies file attributes
    -
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            - Sets file to hidden
            - Views/modifies file attributes
    -
    [2] C:\Users\Admin\AppData\Local\Temp\Adobe.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Adobe.exe"
        - Modifies firewall policy service
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        -
        [3] C:\Windows\SysWOW64\notepad.exe
            Command line: notepad
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Adobe.exe
Filesize: 756KB
MD5: 530c49bd38b31f7858a2ae6735defa70
SHA1: 56c222a587fc3c14fc64bd249da8499b9172954a
SHA256: 7a39658c3e764db49a93f8246dc600cdd6dfe5472b376ea1f0f50f378c4d5cba
SHA512: 6d8558e9afad76308823d8d1fd6a81beb35ef4d3b717dee5d1a4f3e629f7cafdc6eafcc3bc9a385d8e4ed5098cb4f52a664a2301f03589573f4007787ae33f2b
-
Memory dumps:
- memory/2348-133-0x0000000000000000-mapping.dmp
- memory/3304-134-0x0000000000000000-mapping.dmp
- memory/3952-132-0x0000000000000000-mapping.dmp
- memory/4384-136-0x0000000000000000-mapping.dmp
- memory/4836-135-0x0000000000000000-mapping.dmp
- memory/4956-139-0x0000000000000000-mapping.dmp