Analysis
- max time kernel: 153s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
- submitted: 23-11-2022 14:47
Static task: static1
Behavioral task: behavioral1
  Sample: 21cabd77124daa5365171111e599e0d1451b11f2d8d051eef184fac01837f855.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 21cabd77124daa5365171111e599e0d1451b11f2d8d051eef184fac01837f855.exe
  Resource: win10v2004-20220812-en
General
- Target: 21cabd77124daa5365171111e599e0d1451b11f2d8d051eef184fac01837f855.exe
- Size: 839KB
- MD5: 716a5a605210a120fbf1ff9e5c51f05f
- SHA1: b471a3fdea022668e3f57c9c1f0172f821b3e9d2
- SHA256: 21cabd77124daa5365171111e599e0d1451b11f2d8d051eef184fac01837f855
- SHA512: e867601e8648e2508961a26d9bd33f560165425f16dfbd695ecf7d9d54052cbfeb35bcbed316eb3116fb236b4987a2b238cf7f62c046a4bd534b30105979ba82
- SSDEEP: 12288:QTIHhdXKcl+XRhORnhRZxdGJAVGWuCAIMd0coVXi3W8vsoxDrS7YlX:Qq3XK6+X3OR3Zxd6UwCydGVkW83Dr
Malware Config
Extracted: darkcomet
- Victims: mrchbk.noip.me:2123
- mutex: DC_MUTEX-EZ6YFTY
- gencode: 4FUM8Qy2Ej7F
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: WUDHost.exe, Acctres.exe, WUDHost.exe
  pid   process
  4780  WUDHost.exe
  3296  Acctres.exe
  4640  WUDHost.exe
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: Acctres.exe, 21cabd77124daa5365171111e599e0d1451b11f2d8d051eef184fac01837f855.exe, WUDHost.exe
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  Acctres.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  21cabd77124daa5365171111e599e0d1451b11f2d8d051eef184fac01837f855.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  WUDHost.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: WUDHost.exe, WUDHost.exe
  description      ioc                                                                                                                                                                                                                 process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe"  WUDHost.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe"  WUDHost.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 21cabd77124daa5365171111e599e0d1451b11f2d8d051eef184fac01837f855.exe, Acctres.exe
  description                             pid   process                                                                target process
  PID 1308 set thread context of 1936     1308  21cabd77124daa5365171111e599e0d1451b11f2d8d051eef184fac01837f855.exe  vbc.exe
  PID 3296 set thread context of 1712     3296  Acctres.exe                                                            vbc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 21cabd77124daa5365171111e599e0d1451b11f2d8d051eef184fac01837f855.exe
  pid   process
  1308  21cabd77124daa5365171111e599e0d1451b11f2d8d051eef184fac01837f855.exe  (this same pid/process row is listed 64 times in the report)
- Suspicious use of AdjustPrivilegeToken (52 IoCs)
  Processes: 21cabd77124daa5365171111e599e0d1451b11f2d8d051eef184fac01837f855.exe, vbc.exe, WUDHost.exe, Acctres.exe, vbc.exe, WUDHost.exe
  description                             pid   process
  Token: SeDebugPrivilege                 1308  21cabd77124daa5365171111e599e0d1451b11f2d8d051eef184fac01837f855.exe
  Token: SeIncreaseQuotaPrivilege         1936  vbc.exe
  Token: SeSecurityPrivilege              1936  vbc.exe
  Token: SeTakeOwnershipPrivilege         1936  vbc.exe
  Token: SeLoadDriverPrivilege            1936  vbc.exe
  Token: SeSystemProfilePrivilege         1936  vbc.exe
  Token: SeSystemtimePrivilege            1936  vbc.exe
  Token: SeProfSingleProcessPrivilege     1936  vbc.exe
  Token: SeIncBasePriorityPrivilege       1936  vbc.exe
  Token: SeCreatePagefilePrivilege        1936  vbc.exe
  Token: SeBackupPrivilege                1936  vbc.exe
  Token: SeRestorePrivilege               1936  vbc.exe
  Token: SeShutdownPrivilege              1936  vbc.exe
  Token: SeDebugPrivilege                 1936  vbc.exe
  Token: SeSystemEnvironmentPrivilege     1936  vbc.exe
  Token: SeChangeNotifyPrivilege          1936  vbc.exe
  Token: SeRemoteShutdownPrivilege        1936  vbc.exe
  Token: SeUndockPrivilege                1936  vbc.exe
  Token: SeManageVolumePrivilege          1936  vbc.exe
  Token: SeImpersonatePrivilege           1936  vbc.exe
  Token: SeCreateGlobalPrivilege          1936  vbc.exe
  Token: 33                               1936  vbc.exe
  Token: 34                               1936  vbc.exe
  Token: 35                               1936  vbc.exe
  Token: 36                               1936  vbc.exe
  Token: SeDebugPrivilege                 4780  WUDHost.exe
  Token: SeDebugPrivilege                 3296  Acctres.exe
  (the same 24 token rows as for pid 1936, SeIncreaseQuotaPrivilege through 36, in the same order, for pid 1712 vbc.exe)
  Token: SeDebugPrivilege                 4640  WUDHost.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: vbc.exe
  pid   process
  1936  vbc.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes: 21cabd77124daa5365171111e599e0d1451b11f2d8d051eef184fac01837f855.exe, WUDHost.exe, Acctres.exe
  description                             pid   process                                                                target process   rows
  PID 1308 wrote to memory of 1936        1308  21cabd77124daa5365171111e599e0d1451b11f2d8d051eef184fac01837f855.exe  vbc.exe          12
  PID 1308 wrote to memory of 4780        1308  21cabd77124daa5365171111e599e0d1451b11f2d8d051eef184fac01837f855.exe  WUDHost.exe      3
  PID 4780 wrote to memory of 3296        4780  WUDHost.exe                                                            Acctres.exe      3
  PID 3296 wrote to memory of 1712        3296  Acctres.exe                                                            vbc.exe          12
  PID 3296 wrote to memory of 4640        3296  Acctres.exe                                                            WUDHost.exe      3
Processes
C:\Users\Admin\AppData\Local\Temp\21cabd77124daa5365171111e599e0d1451b11f2d8d051eef184fac01837f855.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\21cabd77124daa5365171111e599e0d1451b11f2d8d051eef184fac01837f855.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1308
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 1936
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4780
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3296
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        - Suspicious use of AdjustPrivilegeToken
        PID: 1712
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        PID: 4640
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 128B
  MD5: a5dcc7c9c08af7dddd82be5b036a4416
  SHA1: 4f998ca1526d199e355ffb435bae111a2779b994
  SHA256: e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5
  SHA512: 56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a
- Filesize: 839KB (listed twice in the report; same hashes as the submitted sample)
  MD5: 716a5a605210a120fbf1ff9e5c51f05f
  SHA1: b471a3fdea022668e3f57c9c1f0172f821b3e9d2
  SHA256: 21cabd77124daa5365171111e599e0d1451b11f2d8d051eef184fac01837f855
  SHA512: e867601e8648e2508961a26d9bd33f560165425f16dfbd695ecf7d9d54052cbfeb35bcbed316eb3116fb236b4987a2b238cf7f62c046a4bd534b30105979ba82
- Filesize: 6KB (listed four times in the report with identical hashes)
  MD5: c677bce7b149928e92e3dd82986b5de6
  SHA1: 4918e2da147258648fb783d4bf0690651184438c
  SHA256: d3c76f694a366c6faf639fe422479abda26c3fc139969fa1cff2d315af2029ef
  SHA512: 255458271f88a0dc63ae36a6fa0a062e8e2531ba27046184934a558dd57412977f70aba5476cc60d65c32e8c1ce4d050d7a511bd18c880c9137f3c7e0e038ef8