Analysis
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 12:56
Static task: static1
Behavioral task: behavioral1
Sample: dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe
Resource: win10v2004-20220901-en
General
Target: dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe
Size: 1013KB
MD5: eebf02768297ef104a07d6bb59069f25
SHA1: fcfc068313e49d0643bd63e4b7e80412b0fc9772
SHA256: dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26
SHA512: 925e6924999346f05fd0489defdc136cba638af3e7a05546555539c6ee95a45f224f77465374e1092973049fc300fac9a7fe5eeecb2020f9679afe2f3bd9c089
SSDEEP: 24576:Vby5T5OBt/EmYDSD+CEOkLr15FlKXkKJED:VbWT5mEmULrGBKD
Malware Config
Extracted
Family: darkcomet
Campaign ID: ilikedicks
C2: 98.236.11.150:1604
Mutex: DCMIN_MUTEX-9TZK8AZ
gencode: MReDlsnviHt7
install: false
offline_keylogger: true
persistence: false
Note: install and persistence are both false in the embedded DarkComet config, yet the run still copies the sample to %APPDATA%\dcpower and drops Required.vbs into the Startup folder (see Signatures). Those actions are performed by the original process (PID 4928) before the DarkComet payload is injected into required.exe, so the persistence comes from the outer stage rather than from DarkComet's own installer options.
Signatures
Executes dropped EXE 2 IoCs
Processes:
- PID 3340 required.exe
- PID 616 required.exe
Drops startup file 1 IoCs
Processes:
- dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe created file C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Required.vbs
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 3340 required.exe set thread context of PID 616 required.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but the extracted config identifies this payload as DarkComet, a RAT. Drive enumeration is also routine for RATs with a file-manager feature and, on its own, is not evidence of file encryption in this run.
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
- PID 3340 required.exe (2 events)
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
- PID 616 required.exe adjusted token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, plus privilege LUIDs 33, 34, 35, 36
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 616 required.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
- PID 4928 dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe wrote to memory of PID 3340 required.exe (3 events)
- PID 3340 required.exe wrote to memory of PID 616 required.exe (3 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe "C:\Users\Admin\AppData\Local\Temp\dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe" (PID 4928)
   - Drops startup file
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\dcpower\required.exe "C:\Users\Admin\AppData\Roaming\dcpower\required.exe" (PID 3340)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\dcpower\required.exe "C:\Users\Admin\AppData\Roaming\dcpower\required.exe" (PID 616)
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
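The process chain above (sample → required.exe → required.exe, with WriteProcessMemory into the child followed by SetThreadContext) is the classic process-hollowing sequence, and the DarkComet config gives the network and mutex indicators. The following Python is an added example, not part of the sandbox report or of any Triage tooling: it replays the report's signature rows as constructed event records (the dict schema with "op", "pid" and "target_pid" is my own), flags the hollowing pair, the Startup-folder drop and the hook installation, and bundles them with the extracted config into an IOC set. It deliberately does not treat WriteProcessMemory alone as hollowing, since CreateProcess also produces writes into the new child (PID 4928 → 3340 in this report).

```python
import re
from collections import defaultdict

# Constructed event records modeled on the report's signature rows (not a
# Triage export format). The DarkComet config values are from the report.
SAMPLE = "dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\dcpower\required.exe"
STARTUP_VBS = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\Required.vbs")

EVENTS = [
    {"op": "file_create", "pid": 4928, "image": SAMPLE, "path": STARTUP_VBS},
    {"op": "process_create", "pid": 4928, "target_pid": 3340, "target_image": DROPPED},
    # CreateProcess itself shows up as writes into the new child (3 rows in the report).
    *[{"op": "WriteProcessMemory", "pid": 4928, "target_pid": 3340} for _ in range(3)],
    {"op": "process_create", "pid": 3340, "target_pid": 616, "target_image": DROPPED},
    *[{"op": "WriteProcessMemory", "pid": 3340, "target_pid": 616} for _ in range(3)],
    {"op": "MapViewOfSection", "pid": 3340},
    {"op": "SetThreadContext", "pid": 3340, "target_pid": 616},
    {"op": "SetWindowsHookEx", "pid": 616},
]

DARKCOMET_CONFIG = {
    "family": "darkcomet",
    "campaign": "ilikedicks",
    "c2": "98.236.11.150:1604",
    "mutex": "DCMIN_MUTEX-9TZK8AZ",
    "gencode": "MReDlsnviHt7",
}

# Per-user Startup folder plus the script/launcher extensions that autostart from it.
STARTUP_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:vbs|js|jse|wsf|bat|cmd|lnk|exe)$",
    re.IGNORECASE)


def detect_hollowing(events):
    """Return sorted (parent_pid, child_pid) pairs where the parent created the
    child, wrote into it, and then called SetThreadContext on it. The check is
    order-independent because sandbox reports group rows by signature rather
    than listing them chronologically."""
    created, ctx, writes = set(), set(), defaultdict(int)
    for ev in events:
        key = (ev["pid"], ev.get("target_pid"))
        if ev["op"] == "process_create":
            created.add(key)
        elif ev["op"] == "WriteProcessMemory":
            writes[key] += 1
        elif ev["op"] == "SetThreadContext":
            ctx.add(key)
    # Writes alone are not enough: CreateProcess produces them too.
    return sorted(k for k in ctx if k in created and writes[k] > 0)


def detect_startup_drop(events):
    """Paths written into a Startup folder (DarkComet's Required.vbs here)."""
    return [ev["path"] for ev in events
            if ev["op"] == "file_create" and STARTUP_RE.search(ev["path"])]


def detect_hooks(events):
    """PIDs installing Windows hooks; with offline_keylogger=true this is the keylogger."""
    return sorted({ev["pid"] for ev in events if ev["op"] == "SetWindowsHookEx"})


def build_iocs(events, config):
    """Bundle host and network indicators for blocking and hunting."""
    host, port = config["c2"].rsplit(":", 1)
    dropped = sorted({ev["target_image"] for ev in events
                      if ev["op"] == "process_create" and "\\" in ev["target_image"]})
    return {
        "family": config["family"],
        "campaign": config["campaign"],
        "network": [{"ip": host, "port": int(port)}],
        "mutexes": [config["mutex"]],
        "files": detect_startup_drop(events) + dropped,
        "hollowing": detect_hollowing(events),
        "hook_pids": detect_hooks(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_iocs(EVENTS, DARKCOMET_CONFIG), indent=2))
```

On a real host the same three checks map onto Sysmon: the Startup-folder write is a FileCreate (Event ID 11) under `\Start Menu\Programs\Startup\`, the hollowing pair is a CreateRemoteThread-free chain of ProcessCreate (1) plus ProcessAccess (10) from parent to child with the same image path, and the mutex name can be hunted directly in memory or with a handle enumerator.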
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\dcpower\required.exe
  Filesize: 1013KB
  MD5: eebf02768297ef104a07d6bb59069f25
  SHA1: fcfc068313e49d0643bd63e4b7e80412b0fc9772
  SHA256: dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26
  SHA512: 925e6924999346f05fd0489defdc136cba638af3e7a05546555539c6ee95a45f224f77465374e1092973049fc300fac9a7fe5eeecb2020f9679afe2f3bd9c089
  All four hashes match the submitted sample: required.exe is a byte-for-byte self-copy placed in %APPDATA%\dcpower, so the sample's own hashes are sufficient to detect the dropped file.
- memory/616-135-0x0000000000000000-mapping.dmp
- memory/616-137-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
  The 0x400000-0x4B2000 region in PID 616 is the image range of the hollowed child (the target of SetThreadContext from PID 3340); this dump is the place to carve the unpacked DarkComet payload rather than the 1013KB on-disk file.
- memory/3340-132-0x0000000000000000-mapping.dmp