Analysis
- max time kernel: 151s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 15:45
Static task: static1
Behavioral task: behavioral1
  Sample: e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe
  Resource: win10v2004-20221111-en
General
- Target: e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe
- Size: 503KB
- MD5: 0d2092c561a5d13999a1eb567e9f55f4
- SHA1: 0fc352cb69b361aa9bd0e21f79835bbea6acb611
- SHA256: e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db
- SHA512: 36c7d49ec7ab85561385ef7b360c4e971aa1335c545ce557254963485373a146023ec06d75003cfb50bf5c54aed81728a48a313860edbafe301d3cd41cd63647
- SSDEEP: 12288:DrrulTXRTvTeQpVR48PYyfumA5nCuSWQotT48uHZGsF:/r6TBTvNrRsWWnCuyoDu5GsF
Malware Config
Extracted
- Family: darkcomet
- 19/7
- C2: spotcrabs.twilightparadox.com:1500
- Mutex: DC_MUTEX-HEZHVLE
- gencode: deGNxbQZUbYS
- install: false
- offline_keylogger: true
- persistence: false

Note that install and persistence are flags read out of the embedded DarkComet configuration, not observed behaviour; the behavioural run below still records a Winlogon Shell write, so the registry IoC should be treated as live regardless of what the config claims.
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
  Process: reg.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp\\GoogleUpdate.exe,explorer.exe"
Executes dropped EXE 1 IoCs
Processes:
  PID 1196  e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe
Loads dropped DLL 2 IoCs
Processes:
  PID 1140  e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe (2 IoCs)
Suspicious use of SetThreadContext 1 IoCs
Processes:
  PID 1140 (e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe) set thread context of PID 1196 (e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). This is the sandbox's generic description of the heuristic; the extracted configuration identifies the sample as a DarkComet RAT, so drive enumeration on its own is not evidence of ransomware-style file encryption here.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
  PID 1140  e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
  PID 1140  e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe
    Token: SeDebugPrivilege
  PID 1196  e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe
    Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  PID 1196  e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
  PID 1140 (e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe) wrote to memory of PID 584 (cmd.exe), 4 times
  PID 584 (cmd.exe) wrote to memory of PID 544 (reg.exe), 4 times
  PID 1140 (e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe) wrote to memory of PID 1196 (e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe), 13 times
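The 21 WriteProcessMemory IoCs above are mostly noise: a parent writing into a child it has just spawned (1140 into cmd.exe, cmd.exe into reg.exe) happens on ordinary process creation. The signal is the pair 1140 -> 1196, where the same image is written to thirteen times and then has a thread context replaced, which is the shape of process hollowing. The following Python is an added example, not part of the sandbox output, showing how to correlate the two signature tables into one finding; the event list is constructed from the report's IoC counts and the dict layout is an assumption of this example.

```python
"""Correlate WriteProcessMemory and SetThreadContext events into an injection finding.

Added example (not sandbox output). Events are constructed from the report's
"Suspicious use of WriteProcessMemory" and "Suspicious use of SetThreadContext"
tables, keeping the same PIDs, images and counts.
"""
from collections import defaultdict

SAMPLE = "e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe"


def api_event(api, pid, image, target_pid, target_image):
    """Build one cross-process API event (field names are this example's own)."""
    return {"api": api, "pid": pid, "image": image,
            "target_pid": target_pid, "target_image": target_image}


# Constructed from the report: 4 + 4 + 13 writes, then one SetThreadContext.
SAMPLE_API_EVENTS = (
    [api_event("WriteProcessMemory", 1140, SAMPLE, 584, "cmd.exe") for _ in range(4)]
    + [api_event("WriteProcessMemory", 584, "cmd.exe", 544, "reg.exe") for _ in range(4)]
    + [api_event("WriteProcessMemory", 1140, SAMPLE, 1196, SAMPLE) for _ in range(13)]
    + [api_event("SetThreadContext", 1140, SAMPLE, 1196, SAMPLE)]
)


def find_injection_candidates(events):
    """Group cross-process events by (source pid, target pid) and flag every pair
    that both wrote into the target and set a thread context in it.

    A pair with writes but no SetThreadContext (parent -> fresh child) is not
    reported, which is what keeps the cmd.exe / reg.exe writes out of the result.
    """
    pairs = defaultdict(lambda: {"writes": 0, "set_ctx": 0})
    for e in events:
        if e["pid"] == e["target_pid"]:
            continue  # writes into the caller's own address space are not injection
        rec = pairs[(e["pid"], e["target_pid"])]
        rec["image"] = e["image"]
        rec["target_image"] = e["target_image"]
        if e["api"] == "WriteProcessMemory":
            rec["writes"] += 1
        elif e["api"] == "SetThreadContext":
            rec["set_ctx"] += 1

    findings = []
    for (src, dst), rec in pairs.items():
        if not (rec["writes"] and rec["set_ctx"]):
            continue
        # Same image on both sides: the parent spawned a copy of itself to
        # overwrite, rather than injecting into an unrelated host process.
        same_image = rec["image"].lower() == rec["target_image"].lower()
        findings.append({
            "source_pid": src,
            "target_pid": dst,
            "writes": rec["writes"],
            "same_image": same_image,
            "technique": ("suspected process hollowing" if same_image
                          else "suspected thread hijack / injection"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_injection_candidates(SAMPLE_API_EVENTS):
        print(finding)
```

Run against the report's events this yields a single finding for 1140 -> 1196 with 13 writes and same_image set; feeding it only the cmd.exe and reg.exe writes yields nothing, which is the point of requiring both API families before alerting.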
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe"
  PID: 1140
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe,explorer.exe"
    PID: 584
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe,explorer.exe"
      PID: 544
      - Modifies WinLogon for persistence
  - [2] C:\Users\Admin\AppData\Local\Temp\e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe"
    PID: 1196
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
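The persistence step in the tree is a plain reg add that replaces the per-user Winlogon Shell value with "GoogleUpdate.exe,explorer.exe": the stock value is just explorer.exe, and appending it keeps the desktop loading so the change goes unnoticed. The Python below is an added example, not part of the report, with two checks a responder would run: one over process command lines (the reg.exe pattern seen here) and one over the Shell value itself, as read from a host or from the registry IoC above. Command lines and PIDs are constructed from this report's process tree; the function names are this example's own.

```python
"""Detect Winlogon\\Shell persistence of the kind recorded in this report.

Added example (not sandbox output). Two independent checks:
  1. inspect_command_line(): is this a reg add that writes Winlogon\\Shell?
  2. non_default_shell_entries(): does a Shell value launch anything besides
     the stock explorer.exe?
"""
import re

# Default Shell value on a Windows client; anything else is worth a look.
DEFAULT_SHELL = "explorer.exe"

WINLOGON_KEY_RE = re.compile(
    r"software\\microsoft\\windows nt\\currentversion\\winlogon", re.IGNORECASE)
REG_ADD_RE = re.compile(r"\breg(?:\.exe)?\s+add\b", re.IGNORECASE)
VALUE_NAME_RE = re.compile(r"/v\s+\"?([^\s\"]+)\"?", re.IGNORECASE)
# /d "quoted data"  or  /d unquoted_data
DATA_RE = re.compile(r"/d\s+(?:\"([^\"]*)\"|(\S+))", re.IGNORECASE)


def parse_shell_value(data):
    """Split a Shell value into its comma-separated launch entries."""
    return [entry.strip() for entry in data.split(",") if entry.strip()]


def non_default_shell_entries(data):
    """Entries of a Shell value other than explorer.exe (case-insensitive).

    Attackers append explorer.exe so the desktop still appears, which is
    exactly the "<payload>,explorer.exe" pattern in this report's IoC.
    """
    return [e for e in parse_shell_value(data) if e.lower() != DEFAULT_SHELL]


def inspect_command_line(cmdline):
    """Return a finding dict if cmdline is a reg add setting Winlogon\\Shell, else None."""
    if not (REG_ADD_RE.search(cmdline) and WINLOGON_KEY_RE.search(cmdline)):
        return None
    value = VALUE_NAME_RE.search(cmdline)
    if not value or value.group(1).lower() != "shell":
        return None  # other Winlogon values (e.g. Userinit) need their own rule
    data_match = DATA_RE.search(cmdline)
    data = (data_match.group(1) or data_match.group(2) or "") if data_match else ""
    return {"value": "Shell", "data": data,
            "non_default_entries": non_default_shell_entries(data)}


def scan_process_events(events):
    """Apply inspect_command_line to (pid, image, cmdline) tuples; return findings."""
    findings = []
    for pid, image, cmdline in events:
        finding = inspect_command_line(cmdline)
        if finding:
            finding.update(pid=pid, image=image)
            findings.append(finding)
    return findings


# Constructed from the report's process tree (PIDs and command lines as shown there).
REG_CMDLINE = (r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" '
               r'/f /v shell /t REG_SZ '
               r'/d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe,explorer.exe"')
SAMPLE_EVENTS = [
    (1140, "e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe"'),
    (584, "cmd.exe", r'"C:\Windows\system32\cmd.exe" /c ' + REG_CMDLINE),
    (544, "reg.exe", REG_CMDLINE),
]

if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_EVENTS):
        print(f"PID {f['pid']} ({f['image']}) sets Winlogon\\Shell; "
              f"non-default entries: {f['non_default_entries']}")
```

Both the cmd.exe wrapper (PID 584) and reg.exe itself (PID 544) match, since the reg add text appears in both command lines; the sample's own launch line does not. The second check is the one to run during cleanup: after deleting the Shell value, re-read it and confirm non_default_shell_entries() returns an empty list, and check HKLM as well as the HKCU hive the sample wrote to.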
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe
  Filesize: 503KB
  MD5: 0d2092c561a5d13999a1eb567e9f55f4
  SHA1: 0fc352cb69b361aa9bd0e21f79835bbea6acb611
  SHA256: e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db
  SHA512: 36c7d49ec7ab85561385ef7b360c4e971aa1335c545ce557254963485373a146023ec06d75003cfb50bf5c54aed81728a48a313860edbafe301d3cd41cd63647
- \Users\Admin\AppData\Local\Temp\e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db.exe
  Filesize: 503KB
  MD5: 0d2092c561a5d13999a1eb567e9f55f4
  SHA1: 0fc352cb69b361aa9bd0e21f79835bbea6acb611
  SHA256: e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db
  SHA512: 36c7d49ec7ab85561385ef7b360c4e971aa1335c545ce557254963485373a146023ec06d75003cfb50bf5c54aed81728a48a313860edbafe301d3cd41cd63647
- (no path recorded in the report)
  Filesize: 503KB
  MD5: 0d2092c561a5d13999a1eb567e9f55f4
  SHA1: 0fc352cb69b361aa9bd0e21f79835bbea6acb611
  SHA256: e2d8e1808e5ee515d30b8a88a8141f422505f4a8f4adfe9fd546fddf0de893db
  SHA512: 36c7d49ec7ab85561385ef7b360c4e971aa1335c545ce557254963485373a146023ec06d75003cfb50bf5c54aed81728a48a313860edbafe301d3cd41cd63647