Analysis

max time kernel: 150s
max time network: 79s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 04:48

Static task: static1
Behavioral task: behavioral1
Sample: 1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe
Resource: win7-20220812-en
General

Target: 1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe
Size: 343KB
MD5: 69661f894bc24159f7796f022db64c67
SHA1: 733c507e16327c2db7715c2704db3b4bff01e026
SHA256: 1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6
SHA512: 3b918d4faff57c5d6da75c0b94d84f69220555c9a4522d780a1764b5612261971a0b162546d5b3404198e1920c475194dc07c6019dff6d3bb778e14dfbf2fe3c
SSDEEP: 6144:xMaed6qRf1VYOnThmxoTfqlac/lTcspV+qrjQKcW:xMnvRfblF5tyxfkqrcK
Malware Config

Extracted: darkcomet
  NEWS
  C2: informer.ddns.net:1605
  C2: informer.ddns.net:1606
  mutex: DC_MUTEX-L6AVTYM
  gencode: kNGa0laUgQF5
  install: false
  offline_keylogger: true
  password: chinelo4545
  persistence: false
Signatures

Processes (yara_rule matches):
  resource                                                                       yara_rule
  behavioral1/memory/1188-63-0x0000000000400000-0x00000000004B7000-memory.dmp    upx
  behavioral1/memory/1188-65-0x0000000000400000-0x00000000004B7000-memory.dmp    upx
  behavioral1/memory/1188-66-0x0000000000400000-0x00000000004B7000-memory.dmp    upx
  behavioral1/memory/1188-68-0x0000000000400000-0x00000000004B7000-memory.dmp    upx
  behavioral1/memory/1188-70-0x0000000000400000-0x00000000004B7000-memory.dmp    upx
  behavioral1/memory/1188-71-0x0000000000400000-0x00000000004B7000-memory.dmp    upx
  behavioral1/memory/1188-72-0x0000000000400000-0x00000000004B7000-memory.dmp    upx
  behavioral1/memory/1188-73-0x0000000000400000-0x00000000004B7000-memory.dmp    upx

Loads dropped DLL (1 IoCs)
Processes:
  pid   process
  900   1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description       ioc                                                                                                                              process
  Key created       \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run                       reg.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\DuQJPLSJGc = "C:\\Users\\Admin\\AppData\\Roaming\\AyKBCyAXeK\\HLAxvijPIM.exe.lnk"   reg.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                        pid   process                                                                  target process
  PID 900 set thread context of 1188 900   1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe   vbc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid   process
  900   1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
  description                            pid    process
  Token: SeDebugPrivilege                900    1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe
  Token: SeIncreaseQuotaPrivilege        1188   vbc.exe
  Token: SeSecurityPrivilege             1188   vbc.exe
  Token: SeTakeOwnershipPrivilege        1188   vbc.exe
  Token: SeLoadDriverPrivilege           1188   vbc.exe
  Token: SeSystemProfilePrivilege        1188   vbc.exe
  Token: SeSystemtimePrivilege           1188   vbc.exe
  Token: SeProfSingleProcessPrivilege    1188   vbc.exe
  Token: SeIncBasePriorityPrivilege      1188   vbc.exe
  Token: SeCreatePagefilePrivilege       1188   vbc.exe
  Token: SeBackupPrivilege               1188   vbc.exe
  Token: SeRestorePrivilege              1188   vbc.exe
  Token: SeShutdownPrivilege             1188   vbc.exe
  Token: SeDebugPrivilege                1188   vbc.exe
  Token: SeSystemEnvironmentPrivilege    1188   vbc.exe
  Token: SeChangeNotifyPrivilege         1188   vbc.exe
  Token: SeRemoteShutdownPrivilege       1188   vbc.exe
  Token: SeUndockPrivilege               1188   vbc.exe
  Token: SeManageVolumePrivilege         1188   vbc.exe
  Token: SeImpersonatePrivilege          1188   vbc.exe
  Token: SeCreateGlobalPrivilege         1188   vbc.exe
  Token: 33                              1188   vbc.exe
  Token: 34                              1188   vbc.exe
  Token: 35                              1188   vbc.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid    process
  1188   vbc.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes (identical rows collapsed; count in brackets):
  description                        pid   process                                                                  target process
  PID 900 wrote to memory of 612     900   1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe   cmd.exe   [x4]
  PID 612 wrote to memory of 1260    612   cmd.exe                                                                  reg.exe   [x4]
  PID 900 wrote to memory of 1188    900   1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe   vbc.exe   [x8]
Processes

C:\Users\Admin\AppData\Local\Temp\1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe"
  PID: 900
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "DuQJPLSJGc" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AyKBCyAXeK\HLAxvijPIM.exe.lnk"
    PID: 612
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "DuQJPLSJGc" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AyKBCyAXeK\HLAxvijPIM.exe.lnk"
      PID: 1260
      - Adds Run key to start application

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    PID: 1188
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

\Users\Admin\AppData\Roaming\AyKBCyAXeK\HLAxvijPIM.exe
  Filesize: 343KB
  MD5: 69661f894bc24159f7796f022db64c67
  SHA1: 733c507e16327c2db7715c2704db3b4bff01e026
  SHA256: 1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6
  SHA512: 3b918d4faff57c5d6da75c0b94d84f69220555c9a4522d780a1764b5612261971a0b162546d5b3404198e1920c475194dc07c6019dff6d3bb778e14dfbf2fe3c

memory/612-60-0x0000000000000000-mapping.dmp

memory/900-54-0x0000000075C61000-0x0000000075C63000-memory.dmp
  Filesize: 8KB

memory/900-55-0x0000000074D70000-0x000000007531B000-memory.dmp
  Filesize: 5.7MB

memory/900-56-0x00000000004B6000-0x00000000004C7000-memory.dmp
  Filesize: 68KB

memory/900-57-0x0000000074D70000-0x000000007531B000-memory.dmp
  Filesize: 5.7MB

memory/900-58-0x00000000004B6000-0x00000000004C7000-memory.dmp
  Filesize: 68KB

memory/1188-62-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB

memory/1188-63-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB

memory/1188-65-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB

memory/1188-66-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB

memory/1188-67-0x00000000004B56A0-mapping.dmp

memory/1188-68-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB

memory/1188-70-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB

memory/1188-71-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB

memory/1188-72-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB

memory/1188-73-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB

memory/1260-61-0x0000000000000000-mapping.dmp