Analysis
  Max time kernel: 171s
  Max time network: 194s
  Platform: windows10-2004_x64
  Resource: win10v2004-20221111-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 26/11/2022, 02:02
Behavioral task: behavioral1
  Sample: ccd8065caadac9a0ee5f67424be2fe53730e596d15868d19721d8af7ba946b22.exe
  Resource: win7-20220812-en
General
  Target: ccd8065caadac9a0ee5f67424be2fe53730e596d15868d19721d8af7ba946b22.exe
  Size: 658KB
  MD5: 9db93053edb1959b74c37ad2cc3bb1f6
  SHA1: 41f9d424a6d955aaf331b9fafccde0851034d124
  SHA256: ccd8065caadac9a0ee5f67424be2fe53730e596d15868d19721d8af7ba946b22
  SHA512: b6b091a0f645da4b4395b069475e5e6b6a75a82a5163e5ae54b9c5ae5864c7f40bd0555c084ca751c0e05ebc50a1bd74d85585d5ee1706744925704ae289f7e9
  SSDEEP: 12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h2:KZ1xuVVjfFoynPaVBUR8f+kN10EBM
Malware Config
  Extracted
    Family: darkcomet
    Botnet: Testing
    C2: 94.180.46.70:1604
    Mutex: DC_MUTEX-LA3W6ZH
    InstallPath: windlogon.exe
    gencode: toVoioq0vtnE
    install: true
    offline_keylogger: true
    persistence: false
    reg_key: windlogon
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\windlogon.exe" | ccd8065caadac9a0ee5f67424be2fe53730e596d15868d19721d8af7ba946b22.exe

Modifies firewall policy service (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | windlogon.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | windlogon.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | windlogon.exe

Modifies security service (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | windlogon.exe

Windows security bypass (2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | windlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | windlogon.exe

Disables RegEdit via registry modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | windlogon.exe
Executes dropped EXE (1 IoC)
  pid | Process
  1832 | windlogon.exe

Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid | Process
  3140 | attrib.exe
  4480 | attrib.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | ccd8065caadac9a0ee5f67424be2fe53730e596d15868d19721d8af7ba946b22.exe

Windows security modification (2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | windlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | windlogon.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windlogon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windlogon.exe" | ccd8065caadac9a0ee5f67424be2fe53730e596d15868d19721d8af7ba946b22.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | ccd8065caadac9a0ee5f67424be2fe53730e596d15868d19721d8af7ba946b22.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
  description | pid | Process
  PID 2236 (ccd8065caadac9a0ee5f67424be2fe53730e596d15868d19721d8af7ba946b22.exe), 24 token entries: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 1832 (windlogon.exe), 24 token entries: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  1832 | windlogon.exe
Suspicious use of WriteProcessMemory (37 IoCs)
  description | pid | Process | procid_target
  PID 2236 wrote to memory of 3896 | 2236 | ccd8065caadac9a0ee5f67424be2fe53730e596d15868d19721d8af7ba946b22.exe | 83 (3 entries)
  PID 2236 wrote to memory of 3856 | 2236 | ccd8065caadac9a0ee5f67424be2fe53730e596d15868d19721d8af7ba946b22.exe | 84 (3 entries)
  PID 3896 wrote to memory of 3140 | 3896 | cmd.exe | 87 (3 entries)
  PID 3856 wrote to memory of 4480 | 3856 | cmd.exe | 88 (3 entries)
  PID 2236 wrote to memory of 1832 | 2236 | ccd8065caadac9a0ee5f67424be2fe53730e596d15868d19721d8af7ba946b22.exe | 89 (3 entries)
  PID 1832 wrote to memory of 4156 | 1832 | windlogon.exe | 90 (22 entries)
System policy modification (1 TTP, 3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | windlogon.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | windlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | windlogon.exe

Views/modifies file attributes (1 TTP, 2 IoCs)
  pid | Process
  3140 | attrib.exe
  4480 | attrib.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\ccd8065caadac9a0ee5f67424be2fe53730e596d15868d19721d8af7ba946b22.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ccd8065caadac9a0ee5f67424be2fe53730e596d15868d19721d8af7ba946b22.exe"
   PID: 2236
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Adds Run key to start application
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\ccd8065caadac9a0ee5f67424be2fe53730e596d15868d19721d8af7ba946b22.exe" +s +h
      PID: 3896
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib "C:\Users\Admin\AppData\Local\Temp\ccd8065caadac9a0ee5f67424be2fe53730e596d15868d19721d8af7ba946b22.exe" +s +h
         PID: 3140
         - Sets file to hidden
         - Views/modifies file attributes

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      PID: 3856
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
         PID: 4480
         - Sets file to hidden
         - Views/modifies file attributes

   2. C:\Users\Admin\AppData\Local\Temp\windlogon.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\windlogon.exe"
      PID: 1832
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification

      3. C:\Windows\SysWOW64\notepad.exe
         Command line: notepad
         PID: 4156
Network
MITRE ATT&CK Enterprise v6
Downloads

  Filesize: 658KB
  MD5: 9db93053edb1959b74c37ad2cc3bb1f6
  SHA1: 41f9d424a6d955aaf331b9fafccde0851034d124
  SHA256: ccd8065caadac9a0ee5f67424be2fe53730e596d15868d19721d8af7ba946b22
  SHA512: b6b091a0f645da4b4395b069475e5e6b6a75a82a5163e5ae54b9c5ae5864c7f40bd0555c084ca751c0e05ebc50a1bd74d85585d5ee1706744925704ae289f7e9