Analysis
max time kernel: 154s
max time network: 193s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 02:04
Behavioral task: behavioral1
Sample: 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe
Resource: win7-20221111-en
General
Target: 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe
Size: 933KB
MD5: 36fe326cc9fde6ad8bbda623c506d1c7
SHA1: 79b1a31910a011b6103677fd31459c6563a459b3
SHA256: 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38
SHA512: 960d8a20f82ecb74b5bee34960668433685eb907199db46feb84d5e193b44d8900bff1ca4149df6be295b70dfcc43c83ef089ae92845ac6570c22872e6238d7b
SSDEEP: 24576:WZ1xuVVjfFoynPaVBUR8f+kN10EBvaU5Y/ZR:mQDgok30wzY/ZR
Malware Config
Extracted
Family: darkcomet
Hacker
C2: leave1.no-ip.biz:1604
C2: leave1.no-ip.biz:25565
Mutex: DC_MUTEX-42Q3MLQ
InstallPath: Adobe.exe
gencode: z5FhgdoHdgW9
install: true
offline_keylogger: true
persistence: true
reg_key: explorer
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe.exe" | 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe
-
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | Adobe.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | Adobe.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | Adobe.exe
-
Disables RegEdit via registry modification (1 IoC)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Adobe.exe
-
Executes dropped EXE (1 IoC)
Processes:
pid | process
480 | Adobe.exe
-
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
pid | process
3400 | attrib.exe
1920 | attrib.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe.exe" | 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe.exe" | Adobe.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class (1 IoC)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid | process
480 | Adobe.exe
-
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes:
The same 24 token entries are recorded for pid 5048 (5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe) and for pid 480 (Adobe.exe); the list is given once:
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeChangeNotifyPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: SeImpersonatePrivilege
Token: SeCreateGlobalPrivilege
Token: 33
Token: 34
Token: 35
Token: 36
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid | process
480 | Adobe.exe
-
Suspicious use of WriteProcessMemory (37 IoCs)
Processes:
Each row collapses identical "PID X wrote to memory of Y" entries; the entries column gives how many times the row was recorded.
source pid | source process | target pid | target process | entries
5048 | 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe | 3448 | cmd.exe | 3
5048 | 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe | 3552 | cmd.exe | 3
3448 | cmd.exe | 1920 | attrib.exe | 3
3552 | cmd.exe | 3400 | attrib.exe | 3
5048 | 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe | 480 | Adobe.exe | 3
480 | Adobe.exe | 1676 | notepad.exe | 22
-
System policy modification (1 TTP, 3 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | Adobe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | Adobe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | Adobe.exe
-
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
pid | process
1920 | attrib.exe
3400 | attrib.exe
Processes
(process tree; the number is the depth in the tree, indentation shows the parent)
depth 1: C:\Users\Admin\AppData\Local\Temp\5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe" +s +h
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp\5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  depth 2: C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  depth 2: C:\Users\Admin\AppData\Local\Temp\Adobe.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Adobe.exe"
    - Modifies firewall policy service
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    depth 3: C:\Windows\SysWOW64\notepad.exe
      command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Adobe.exe
Filesize: 933KB
MD5: 36fe326cc9fde6ad8bbda623c506d1c7
SHA1: 79b1a31910a011b6103677fd31459c6563a459b3
SHA256: 5fac4ef49e661a2b661a5f3827a4db2c4b05fd00ad0b05793fcdb859b343ad38
SHA512: 960d8a20f82ecb74b5bee34960668433685eb907199db46feb84d5e193b44d8900bff1ca4149df6be295b70dfcc43c83ef089ae92845ac6570c22872e6238d7b
-
memory/480-136-0x0000000000000000-mapping.dmp
-
memory/1676-139-0x0000000000000000-mapping.dmp
-
memory/1920-134-0x0000000000000000-mapping.dmp
-
memory/3400-135-0x0000000000000000-mapping.dmp
-
memory/3448-132-0x0000000000000000-mapping.dmp
-
memory/3552-133-0x0000000000000000-mapping.dmp