Analysis

max time kernel: 192s
max time network: 235s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/11/2022, 00:46
Static task: static1
Behavioral task: behavioral1
Sample: 999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe
Resource: win7-20221111-en
General

Target: 999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe
Size: 1.3MB
MD5: 0ca617961ceb2d4af6d3236678929fa3
SHA1: cd4f3061fe03338d12020d57ad30f916e410abc5
SHA256: 999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605
SHA512: bc22301ab9c50a0bc4fbb6777813d990d5d703b9baac6ecf1badfab82a81021e03af10bdb7955589f3c3b72ff0b6adc2dcf670cd9881e73fb254e92ed0d82f41
SSDEEP: 24576:f2O/GluCNRbvqYRYIdpbweMK5bBWQtMXC6kK7g6zwm4m53Sb2M:HwRbSYmIXMeMuMuMX7kK5kFm53SyM
Malware Config

Extracted

Family: darkcomet
Botnet: Steve
C2: slowburn.linkpc.net:6831
Mutex: DC_MUTEX-A54SB6Z

Attributes:
- gencode: VPCWgaglFLx7
- install: false
- offline_keylogger: true
- persistence: false
Signatures

Executes dropped EXE 1 IoCs
- pid 4160, process ssabn.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation (process: 999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe)
Adds Run key to start application 2 TTPs 6 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: ssabn.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (process: ssabn.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: ssabn.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (process: ssabn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\79U5N7~1 = "C:\\Users\\Admin\\79U5N7~1\\pxu.vbs" (process: ssabn.exe)
- Key deleted: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (process: ssabn.exe)

Checks whether UAC is enabled 1 IoCs
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: ssabn.exe)
Suspicious use of SetThreadContext 1 IoCs
- PID 4160 (ssabn.exe) set thread context of PID 2260 (procid_target 84)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 64 IoCs
- pid 4160, process ssabn.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken 24 IoCs
- pid 2260, process RegSvcs.exe; tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx 1 IoCs
- pid 2260, process RegSvcs.exe
Suspicious use of WriteProcessMemory 17 IoCs
- PID 4496 (999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe) wrote to memory of PID 4160 (procid_target 82): 3 entries
- PID 4160 (ssabn.exe) wrote to memory of PID 2260 (procid_target 84): 14 entries
Processes

1. C:\Users\Admin\AppData\Local\Temp\999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe (PID 4496)
   Command line: "C:\Users\Admin\AppData\Local\Temp\999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\79u5n7w6jl482w9\ssabn.exe (PID 4160, child of PID 4496)
      Command line: "C:\Users\Admin\79u5n7w6jl482w9\ssabn.exe" cukgecuoogya
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (PID 2260, child of PID 4160)
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Downloads