Analysis
- max time kernel: 296s
- max time network: 357s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 02:01
Behavioral task: behavioral1
- Sample: f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
- Resource: win10v2004-20221111-en
General
- Target: f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
- Size: 658KB
- MD5: 3127bfcb04c1efdf78534610c0f6e46b
- SHA1: fd0e2e9ea3b1563706145362f9fccb610653d6f9
- SHA256: f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18
- SHA512: 36119a3e441efc57b2e96e7a7bcb8c3902eec6bb5faf418fc9859ae351e667a0ced45a765ce634dc01e3a1662bddb7a15ea40ac979bd5496935f006e7a0880f1
- SSDEEP: 12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h6:eZ1xuVVjfFoynPaVBUR8f+kN10EB8
Malware Config
Extracted
- Family: darkcomet
- Campaign ID (botnet): Victime
- C2: 23.95.52.24:1604
- Mutex: MUTEX-GURB7WX
- InstallPath: Microsoft\windowsupdate.com
- gencode: hkdEYJPYqYa3
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: Windows
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Microsoft\\windowsupdate.com" (f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe)
-
Executes dropped EXE (1 IoC)
Processes: windowsupdate.com
- PID 3936 windowsupdate.com
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
- Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation (f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe, windowsupdate.com
- Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Windows\\system32\\Microsoft\\windowsupdate.com" (f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Windows\\system32\\Microsoft\\windowsupdate.com" (windowsupdate.com)
-
Drops file in System32 directory (3 IoCs)
Processes: f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
- File created C:\Windows\SysWOW64\Microsoft\windowsupdate.com
- File opened for modification C:\Windows\SysWOW64\Microsoft\windowsupdate.com
- File opened for modification C:\Windows\SysWOW64\Microsoft\
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe (PID 5092), windowsupdate.com (PID 3936)
Token privileges adjusted, the same 24 for each of the two processes: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35, 36.
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: windowsupdate.com
- PID 3936 windowsupdate.com
-
Suspicious use of WriteProcessMemory (20 IoCs)
Processes: f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe (PID 5092)
- 17 x PID 5092 (f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe) wrote to memory of PID 3376 (notepad.exe)
- 3 x PID 5092 (f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe) wrote to memory of PID 3936 (windowsupdate.com)
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe (PID 5092)
Command line: "C:\Users\Admin\AppData\Local\Temp\f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  Child: C:\Windows\SysWOW64\notepad.exe (PID 3376)
  Command line: notepad
-
  Child: C:\Windows\SysWOW64\Microsoft\windowsupdate.com (PID 3936)
  Command line: "C:\Windows\system32\Microsoft\windowsupdate.com"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
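The following PowerShell hunt is an added example and is not part of the sandbox output. It turns the indicators above into read-only host checks: the extra entry appended to Winlogon\Userinit, the "Windows" Run value pointing at windowsupdate.com, the dropped binary with its SHA256 compared against the report, the DarkComet mutex, a windowless SysWOW64 notepad.exe spawned by something other than explorer.exe (the injection target seen in the WriteProcessMemory section), and any TCP connection to the extracted C2. One caveat the report illustrates: the registry values name C:\Windows\system32\..., but the file landed in C:\Windows\SysWOW64\... because the 32-bit dropper's write was redirected by WOW64, so both paths are checked. Indicator values are copied from the report; the function and variable names are my own, and the mutex name is used exactly as extracted.

```powershell
# Added host-hunt for the indicators in this report; not part of the sandbox output.
# Read-only: it reports findings and changes nothing. Run elevated so HKLM\...\Winlogon,
# C:\Windows\SysWOW64 and other users' hives under HKEY_USERS are readable.
# Indicator values are copied from the report; function and variable names are my own.

$Indicators = @{
    DroppedFile  = @(
        'C:\Windows\SysWOW64\Microsoft\windowsupdate.com'   # where the 32-bit dropper's write landed (WOW64 redirection)
        'C:\Windows\System32\Microsoft\windowsupdate.com'   # path as written into the Run key and Userinit
    )
    Sha256       = 'f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18'
    RunValueName = 'Windows'
    Mutex        = 'MUTEX-GURB7WX'   # exactly as extracted in the report
    C2Address    = '23.95.52.24'
    C2Port       = 1604
}

function Test-UserInitTampered {
    # On a default install Winlogon\Userinit is "C:\Windows\system32\userinit.exe," (trailing comma is normal).
    # Every additional comma-separated entry is launched at logon; this sample appended windowsupdate.com.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -Name Userinit -ErrorAction SilentlyContinue).Userinit
    $extra = ($value -split ',') | ForEach-Object { $_.Trim() } |
             Where-Object { $_ -and $_ -notmatch '^C:\\Windows\\system32\\userinit\.exe$' }
    [pscustomobject]@{ Check = 'Winlogon Userinit'; Suspicious = [bool]$extra; Detail = $value }
}

function Test-RunKey {
    # Run value "Windows" -> dropped binary, written under the user's hive by both the dropper and the copy.
    # Walk HKEY_USERS so every loaded profile is covered, not just the caller's HKCU.
    $hits = foreach ($sid in (Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue).PSChildName) {
        $run = "Registry::HKEY_USERS\$sid\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $v   = (Get-ItemProperty -Path $run -Name $Indicators.RunValueName -ErrorAction SilentlyContinue).($Indicators.RunValueName)
        if ($v -and $v -like '*\Microsoft\windowsupdate.com*') { "${sid}: $v" }
    }
    [pscustomobject]@{ Check = 'Run key'; Suspicious = [bool]$hits; Detail = ($hits -join '; ') }
}

function Test-DroppedFile {
    # Presence plus SHA256 comparison: the report shows the dropped copy is byte-identical to the sample.
    $found = foreach ($p in $Indicators.DroppedFile) {
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            "$p sha256=$h reportMatch=$($h -ieq $Indicators.Sha256)"
        }
    }
    [pscustomobject]@{ Check = 'Dropped file'; Suspicious = [bool]$found; Detail = ($found -join '; ') }
}

function Test-Mutex {
    # A running DarkComet instance holds its mutex; OpenExisting throws when nothing owns it.
    # Mutexes live in the session-local namespace, so run this in the suspected user's session.
    try   { [System.Threading.Mutex]::OpenExisting($Indicators.Mutex).Dispose(); $present = $true }
    catch { $present = $false }
    [pscustomobject]@{ Check = 'Mutex'; Suspicious = $present; Detail = $Indicators.Mutex }
}

function Test-WindowlessNotepad {
    # The dropper spawned a SysWOW64 notepad.exe and wrote to it 17 times (WriteProcessMemory section):
    # a 32-bit notepad with no window and a parent other than explorer.exe fits that injection pattern.
    $hits = foreach ($p in (Get-CimInstance Win32_Process -Filter "Name = 'notepad.exe'")) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $live   = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        if ($p.ExecutablePath -like 'C:\Windows\SysWOW64\*' -and $live -and $live.MainWindowHandle -eq 0 -and $parent.Name -ne 'explorer.exe') {
            "PID $($p.ProcessId) parent=$($parent.Name)/$($p.ParentProcessId) cmd=$($p.CommandLine)"
        }
    }
    [pscustomobject]@{ Check = 'Windowless SysWOW64 notepad.exe'; Suspicious = [bool]$hits; Detail = ($hits -join '; ') }
}

function Test-C2Connection {
    # Any TCP connection (established or attempted) to the extracted C2.
    $conns  = Get-NetTCPConnection -RemoteAddress $Indicators.C2Address -RemotePort $Indicators.C2Port -ErrorAction SilentlyContinue
    $detail = $conns | ForEach-Object { "PID $($_.OwningProcess) $($_.State)" }
    [pscustomobject]@{ Check = "C2 $($Indicators.C2Address):$($Indicators.C2Port)"; Suspicious = [bool]$conns; Detail = ($detail -join '; ') }
}

@(
    Test-UserInitTampered
    Test-RunKey
    Test-DroppedFile
    Test-Mutex
    Test-WindowlessNotepad
    Test-C2Connection
) | Format-Table Check, Suspicious, Detail -AutoSize -Wrap
```

A clean host prints Suspicious = False on every row with Userinit showing only userinit.exe. The Userinit check treats any entry other than userinit.exe as suspicious rather than matching this sample's path only, because the same value is used by other families; treat a hit there as a lead to verify, not as proof of this specific infection.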
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\SysWOW64\Microsoft\windowsupdate.com
- Filesize: 658KB
- MD5: 3127bfcb04c1efdf78534610c0f6e46b
- SHA1: fd0e2e9ea3b1563706145362f9fccb610653d6f9
- SHA256: f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18
- SHA512: 36119a3e441efc57b2e96e7a7bcb8c3902eec6bb5faf418fc9859ae351e667a0ced45a765ce634dc01e3a1662bddb7a15ea40ac979bd5496935f006e7a0880f1
-
memory/3376-132-0x0000000000000000-mapping.dmp
-
memory/3936-133-0x0000000000000000-mapping.dmp