Analysis
- max time kernel: 153s
- max time network: 195s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 02:04
Behavioral task: behavioral1
- Sample: 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe
- Resource: win7-20221111-en
General
- Target: 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe
- Size: 933KB
- MD5: 36fe326cc9fde6ad8bbda623c506d1c7
- SHA1: 79b1a31910a011b6103677fd31459c6563a459b3
- SHA256: 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38
- SHA512: 960d8a20f82ecb74b5bee34960668433685eb907199db46feb84d5e193b44d8900bff1ca4149df6be295b70dfcc43c83ef089ae92845ac6570c22872e6238d7b
- SSDEEP: 24576:WZ1xuVVjfFoynPaVBUR8f+kN10EBvaU5Y/ZR:mQDgok30wzY/ZR
Malware Config
Extracted
- Family: darkcomet
- Botnet ID: Hacker
- Hosts: leave1.no-ip.biz:1604, leave1.no-ip.biz:25565
- Mutex: DC_MUTEX-42Q3MLQ
- InstallPath: Adobe.exe
- gencode: z5FhgdoHdgW9
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: explorer
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe.exe" | 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe
-
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | Adobe.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | Adobe.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | Adobe.exe
-
Disables RegEdit via registry modification (1 IoC)
Processes (description | ioc | process):
- Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Adobe.exe
-
Executes dropped EXE (1 IoC)
Processes (pid | process):
- 1688 | Adobe.exe
-
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes (pid | process):
- 1440 | attrib.exe
- 828 | attrib.exe
-
Loads dropped DLL (2 IoCs)
Processes (pid | process):
- 884 | 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe
- 884 | 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe.exe" | 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe.exe" | Adobe.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid | process):
- 1688 | Adobe.exe
-
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes (pid | process | tokens):
- 884 | 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 entries)
- 1688 | Adobe.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 entries)
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid | process):
- 1688 | Adobe.exe
-
Suspicious use of WriteProcessMemory (43 IoCs)
Processes (source pid | source process | target pid | target process | count):
- 884 | 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe | 1464 | cmd.exe | 4
- 884 | 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe | 1520 | cmd.exe | 4
- 1464 | cmd.exe | 1440 | attrib.exe | 4
- 1520 | cmd.exe | 828 | attrib.exe | 4
- 884 | 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe | 1688 | Adobe.exe | 4
- 1688 | Adobe.exe | 1312 | notepad.exe | 23
-
System policy modification (1 TTP, 3 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | Adobe.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | Adobe.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | Adobe.exe
-
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes (pid | process):
- 1440 | attrib.exe
- 828 | attrib.exe
Processes
- Process (depth 1): C:\Users\Admin\AppData\Local\Temp\5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Process (depth 2): C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe" +s +h
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Process (depth 3): C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe" +s +h
      Signatures:
      - Sets file to hidden
      - Views/modifies file attributes
  - Process (depth 2): C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Process (depth 3): C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures:
      - Sets file to hidden
      - Views/modifies file attributes
  - Process (depth 2): C:\Users\Admin\AppData\Local\Temp\Adobe.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Adobe.exe"
    Signatures:
    - Modifies firewall policy service
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - Process (depth 3): C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Adobe.exe
- Filesize: 933KB
- MD5: 36fe326cc9fde6ad8bbda623c506d1c7
- SHA1: 79b1a31910a011b6103677fd31459c6563a459b3
- SHA256: 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38
- SHA512: 960d8a20f82ecb74b5bee34960668433685eb907199db46feb84d5e193b44d8900bff1ca4149df6be295b70dfcc43c83ef089ae92845ac6570c22872e6238d7b
-
\Users\Admin\AppData\Local\Temp\Adobe.exe
- Filesize: 933KB
- MD5: 36fe326cc9fde6ad8bbda623c506d1c7
- SHA1: 79b1a31910a011b6103677fd31459c6563a459b3
- SHA256: 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38
- SHA512: 960d8a20f82ecb74b5bee34960668433685eb907199db46feb84d5e193b44d8900bff1ca4149df6be295b70dfcc43c83ef089ae92845ac6570c22872e6238d7b
-
memory/828-58-0x0000000000000000-mapping.dmp
-
memory/884-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
- Filesize: 8KB
-
memory/1312-65-0x0000000000000000-mapping.dmp
-
memory/1440-57-0x0000000000000000-mapping.dmp
-
memory/1464-55-0x0000000000000000-mapping.dmp
-
memory/1520-56-0x0000000000000000-mapping.dmp
-
memory/1688-61-0x0000000000000000-mapping.dmp