Analysis
-
max time kernel
130s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-11-2022 14:16
Behavioral task
behavioral1
Sample
27b100ab3073fc1b0b7459862930687aed91aa3fb1770e07472ac8a041fdb87f.doc
Resource
win7-20221111-en
General
-
Target
27b100ab3073fc1b0b7459862930687aed91aa3fb1770e07472ac8a041fdb87f.doc
-
Size
4.0MB
-
MD5
3b25dfdf3f89b0a1e161d442d1fd2227
-
SHA1
964cae96ec5364a84b13edaa305e4e3fb35fa208
-
SHA256
27b100ab3073fc1b0b7459862930687aed91aa3fb1770e07472ac8a041fdb87f
-
SHA512
cb0dcc230066c146926ffc158d47f48c33ba67970963ce72afcef3bb63166996e969f7d0318f6fb604fff54962cc8e934f55079bccec0f2a8f22e4e14ffef2d4
-
SSDEEP
24576:pVfxRoAIj5FBCQELbeNJDIe5uocMALTipn5yZ0h1j8KmGN2zbRtG23zxQ0atoYBq:9p
Malware Config
Extracted
Family             darkcomet
Botnet             doc
C2                 67.242.194.118:1604
Mutex              DC_MUTEX-W3TT9NP
gencode            QMYYWMGSMDbi
install            false
offline_keylogger  true
persistence        false
install=false and persistence=false match the run: no persistence signature (run key, scheduled task, startup copy) fires anywhere below, so this build relies on staying resident only for the current session. offline_keylogger=true is the setting to keep in mind when reading the SetWindowsHookEx rows further down.
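As an added example (not code from the report or from the DarkComet author), the following decodes a configuration block of the kind the sandbox extracted above. DarkComet 5.x keeps its build settings as an RC4-encrypted, hex-encoded text block in a PE resource; the default RC4 keys (`#KCMDDC51#-890` for 5.1 and the older variants listed), the `#BEGIN DARKCOMET DATA --` framing, and the `KEY={value}` layout with `NETDATA`/`MUTEX`/`GENCODE`/`INSTALL`/`OFFLINEK`/`PERSINST` are taken from public write-ups and are assumptions here, since the report does not state the sample's version. The input blob is constructed from the values in the table above so the script runs offline; against a real sample you would feed it the raw resource bytes instead.

```python
"""Decrypt and parse a DarkComet configuration blob.

Added example; this is not code from the sandbox report. DarkComet 5.x keeps its
build settings as an RC4-encrypted, hex-encoded text block in a resource
(commonly named DCDATA). The default RC4 keys, the "#BEGIN DARKCOMET DATA --"
framing and the KEY={value} line layout below come from public write-ups and
are assumptions here: the report does not state the sample's version.
"""
import binascii

# Default RC4 keys by DarkComet version, tried in order (assumption, see above).
CANDIDATE_KEYS = (b"#KCMDDC51#-890", b"#KCMDDC5#-890", b"#KCMDDC42F#-890", b"#KCMDDC42#-890")

BEGIN_MARK = "#BEGIN DARKCOMET DATA --"
END_MARK = "#EOF DARKCOMET DATA --"

# Raw config key -> label used in the report's "Malware Config" table (mapping assumed).
FIELD_MAP = {
    "NETDATA": "c2",
    "MUTEX": "mutex",
    "GENCODE": "gencode",
    "INSTALL": "install",
    "OFFLINEK": "offline_keylogger",
    "PERSINST": "persistence",
}
BOOL_FIELDS = {"install", "offline_keylogger", "persistence"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_config(hex_blob: str, keys=CANDIDATE_KEYS) -> tuple[bytes, str]:
    """Try each candidate key; accept the first plaintext framed by the DarkComet markers.

    The markers act as the integrity check: a wrong key yields noise, never both markers.
    """
    raw = binascii.unhexlify(hex_blob.strip())
    for key in keys:
        text = rc4(key, raw).decode("latin-1")
        if BEGIN_MARK in text and END_MARK in text:
            return key, text
    raise ValueError("no candidate key produced a framed DarkComet config")


def parse_config(hex_blob: str) -> dict:
    """Decrypt and map KEY={value} lines onto the report's field names."""
    key, text = decrypt_config(hex_blob)
    cfg = {"rc4_key": key.decode()}
    for line in text.splitlines():
        if "={" not in line or not line.endswith("}"):
            continue                      # framing markers and malformed lines
        name, value = line.split("=", 1)
        value = value[1:-1]               # strip the braces
        label = FIELD_MAP.get(name)
        if label is None:
            continue                      # fields the report does not show
        cfg[label] = (value == "1") if label in BOOL_FIELDS else value
    return cfg


def build_sample_blob(key: bytes = CANDIDATE_KEYS[0]) -> str:
    """Constructed test input: the report's extracted values, stored the way a build would."""
    lines = [
        BEGIN_MARK,
        "MUTEX={DC_MUTEX-W3TT9NP}",
        "NETDATA={67.242.194.118:1604}",
        "GENCODE={QMYYWMGSMDbi}",
        "INSTALL={0}",
        "OFFLINEK={1}",
        "PERSINST={0}",
        "FWB={0}",                        # a field the report does not list; must be skipped
        END_MARK,
    ]
    plain = "\r\n".join(lines).encode("latin-1")
    return binascii.hexlify(rc4(key, plain)).decode().upper()


if __name__ == "__main__":
    for label, value in parse_config(build_sample_blob()).items():
        print(f"{label:18} {value}")
```

On a real binary the hex blob comes out of the resource directory (for example via `pefile`, walking `DIRECTORY_ENTRY_RESOURCE` for the RCDATA entry); everything after that is the same. Trying the key list against the framing markers, rather than trusting a version string, is what keeps the parser honest when a repacked build uses an older key.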
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  848   dnyoxbau.exe
  2772  XVeObc.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  process       description        ioc
  dnyoxbau.exe  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
  pid   process      target pid  target process  description
  2772  XVeObc.exe   404         svchost.exe     set thread context
  404   svchost.exe  4016        svchost.exe     set thread context
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description rates this as likely ransomware behaviour; the extracted configuration identifies the payload as DarkComet, a remote access trojan, and nothing in the dropped-file list below shows user files being rewritten, so read this as generic drive enumeration rather than evidence of encryption.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. Here the reads come from WINWORD.EXE itself rather than from the dropped payload, and Office queries these keys in normal operation, so on its own this is low-signal.
Processes:
  process      description        ioc
  WINWORD.EXE  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  process      description        ioc
  WINWORD.EXE  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
  pid   process      events
  3404  WINWORD.EXE  2
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
  pid   process      events
  2772  XVeObc.exe   2
  404   svchost.exe  18
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
  pid   process      privileges enabled
  4016  svchost.exe  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,
                     SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege,
                     SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege,
                     SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
                     SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege,
                     SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege,
                     SeCreateGlobalPrivilege, 33 (SeIncreaseWorkingSetPrivilege), 34 (SeTimeZonePrivilege),
                     35 (SeCreateSymbolicLinkPrivilege), 36 (SeDelegateSessionUserImpersonatePrivilege)
The final-stage process enables every privilege present in its token in one sweep rather than requesting the one or two it needs; the set, including SeDebugPrivilege and SeLoadDriverPrivilege, is that of an elevated administrator token. The four numeric entries are privilege LUIDs the sandbox left unresolved; the names in parentheses are their standard Windows assignments.
-
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
  pid   process      events
  3404  WINWORD.EXE  8
  404   svchost.exe  1
  4016  svchost.exe  1
The hooks installed by WINWORD.EXE are ordinary Office behaviour and fire on most document samples. The hook set from the final-stage svchost.exe (4016) is the one of interest: it is consistent with the offline_keylogger=true setting in the extracted configuration.
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
  pid   process       target pid  target process  writes
  3404  WINWORD.EXE   848         dnyoxbau.exe    3
  848   dnyoxbau.exe  2772        XVeObc.exe      3
  2772  XVeObc.exe    404         svchost.exe     8
  404   svchost.exe   4016        svchost.exe     14
Three writes from a parent into a child it has just started are routine process creation and carry little signal. The two svchost.exe targets are different: each is written to repeatedly and then has its thread context replaced (see Suspicious use of SetThreadContext above), which is the process-hollowing sequence, and each svchost.exe is started by the previous stage rather than by services.exe.
Processes
-
[1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\27b100ab3073fc1b0b7459862930687aed91aa3fb1770e07472ac8a041fdb87f.doc" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\dnyoxbau.exe
      C:\Users\Admin\dnyoxbau.exe
      (written by Word into the user profile; the RarSFX0 directory its child runs from is the temporary extraction folder a WinRAR self-extracting archive creates, so this stage is an SFX wrapper around the files listed under Downloads)
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\XVeObc.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\XVeObc.exe" "kcwtNy"
        (takes the 6KB extracted file kcwtNy as its only argument)
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\System32\svchost.exe"
          (a 32-bit process: the System32 path on the command line resolves to SysWOW64 through WOW64 file system redirection; started by XVeObc.exe rather than services.exe and hollowed by it, per the SetThreadContext and WriteProcessMemory rows above)
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\svchost.exe
            "C:\Windows\SysWOW64\svchost.exe"
            (second hollowed svchost.exe, carrying the final-stage behaviour: it enables its token privileges and installs the Windows hook)
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
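The process tree and the WriteProcessMemory/SetThreadContext rows above describe one injection chain. As an added example (not code from the report or the sandbox), the script below rebuilds that chain from rows in the report's own format, collapses repeated rows into counts, and separates the routine parent-to-child writes from the hollowing steps. The event lines are constructed from the rows above, repeated as often as the report lists them; the heuristics (a three-write budget for ordinary process start, and svchost.exe being expected under services.exe) are the editor's, not the sandbox's.

```python
"""Rebuild the injection chain from sandbox event rows.

Added example; not code from the report. EVENT_LINES is constructed from the
"Suspicious use of WriteProcessMemory" and "Suspicious use of SetThreadContext"
rows above, in the report's own row format, repeated as often as the report
lists them. The heuristics (write budget, expected parents) are the editor's,
not the sandbox's.
"""
import re
from collections import defaultdict

ROW = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)$"
)

# Images Windows normally starts from a fixed parent; a different parent that also
# writes into the new process is the classic hollowing picture.
EXPECTED_PARENT = {"svchost.exe": "services.exe"}

# A parent that has just called CreateProcess typically shows a few writes into
# the child (sandboxes count them); more than this without a context swap is odd.
STARTUP_WRITE_BUDGET = 3


def _rows(line: str, count: int) -> list[str]:
    return [line] * count


EVENT_LINES = (
    _rows("PID 3404 wrote to memory of 848 3404 WINWORD.EXE dnyoxbau.exe", 3)
    + _rows("PID 848 wrote to memory of 2772 848 dnyoxbau.exe XVeObc.exe", 3)
    + _rows("PID 2772 wrote to memory of 404 2772 XVeObc.exe svchost.exe", 8)
    + _rows("PID 2772 set thread context of 404 2772 XVeObc.exe svchost.exe", 1)
    + _rows("PID 404 wrote to memory of 4016 404 svchost.exe svchost.exe", 14)
    + _rows("PID 404 set thread context of 4016 404 svchost.exe svchost.exe", 1)
)


def aggregate(lines):
    """Collapse rows into (src_pid, dst_pid) -> {src, dst, writes, ctx}."""
    pairs = {}
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue
        src, action, dst, src_img, dst_img = m.groups()
        rec = pairs.setdefault(
            (int(src), int(dst)), {"src": src_img, "dst": dst_img, "writes": 0, "ctx": 0}
        )
        rec["writes" if action.startswith("wrote") else "ctx"] += 1
    return pairs


def classify(pairs):
    """One verdict string per (src, dst) edge."""
    verdicts = {}
    for (src, dst), r in pairs.items():
        if r["ctx"] and r["writes"]:
            v = "injection: memory written, then thread context replaced (process hollowing pattern)"
        elif r["writes"] <= STARTUP_WRITE_BUDGET:
            v = "low signal: a few writes are routine when a parent starts a child"
        else:
            v = "review: repeated writes without SetThreadContext"
        expected = EXPECTED_PARENT.get(r["dst"].lower())
        if expected and r["src"].lower() != expected:
            v += f"; {r['dst']} started by {r['src']} instead of {expected}"
        verdicts[(src, dst)] = v
    return verdicts


def chain(pairs):
    """Depth-first walk from every process that is never itself a target."""
    children, targets, names = defaultdict(list), set(), {}
    for (src, dst), r in pairs.items():
        children[src].append(dst)
        targets.add(dst)
        names[src], names[dst] = r["src"], r["dst"]
    roots = sorted(p for p in children if p not in targets)
    path, stack = [], list(reversed(roots))
    while stack:
        pid = stack.pop()
        path.append(f"{names[pid]}({pid})")
        stack.extend(reversed(sorted(children.get(pid, []))))
    return path


if __name__ == "__main__":
    pairs = aggregate(EVENT_LINES)
    print(" -> ".join(chain(pairs)))
    for edge, verdict in classify(pairs).items():
        print(edge, verdict)
```

Run as-is it prints the five-process chain from WINWORD.EXE down to the second svchost.exe and flags only the two svchost.exe edges as injection; the same logic applies to Sysmon event 8/10 pairs once the regex is swapped for that log format.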
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MrHFkS.exe  (extracted by the SFX stage but not executed during the run)
  Filesize  102KB
  MD5       0df564f1184ac289b353baed6e2a0c46
  SHA1      d492f51df890f436f5e0e994b0f19e14e3001f88
  SHA256    330df2f54fb09d6d1344668ef458c45af620c2254fbc45e75b68444f963dc5bb
  SHA512    30f55f79bd6e7b6f7715f20856614778d3e97a59f8c642c4659690b3f99d3153bbd98bf4e5b96704c6f1698b135d63e8280260bcf6e9cdc040fc0fe7279b0fb9
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\XVeObc.exe
  Filesize  510KB
  MD5       01d151ccd2a75bd713b8ce81d6509eb8
  SHA1      c751680d504bece45dc84e363e9e976fe77a8eac
  SHA256    a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801
  SHA512    8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\YKPZyv.txt  (extracted by the SFX stage; not opened by any process in the tree)
  Filesize  3.3MB
  MD5       efa2349c70a2c2c7a187bd2dc56badd6
  SHA1      47b39c026aba067f081659fff5b9c79228868c0c
  SHA256    fa343af9019e2f80fc56c1eee777b329322ebb1dc8351895769167313b370127
  SHA512    3f51edca1aa4de85d45e1e1f39e1515d95f83b82bf5a50cd9e951221f4719da7f54cb7d7f116b72afee58a1c6dee4f99894beab20294b425b5db7acced280b3d
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kcwtNy  (passed as the sole argument to XVeObc.exe)
  Filesize  6KB
  MD5       374b7508bc86f61e1fbffb4bda3543ac
  SHA1      95bbd530b272f276d9553d90472234565a0172e7
  SHA256    f578c2c0db2e328c94892faace17565e6b1396337c47215b8e6a27ab7d95a77e
  SHA512    9b4d9647a0ac7c2853fb4d31d7fede4064068445ac20c2f95d5203eda615178833459b59691fd77709fb4786ba9b0ef7ffcd89713d641143dfd15ce9b3d3c692
-
C:\Users\Admin\dnyoxbau.exe
  Filesize  1001KB
  MD5       fdfe234a413d0d7ceaa619162ee41b55
  SHA1      d90a8dc1600bd451d8b3eecbce2fb8b6992bf4de
  SHA256    b0ec5dca6b01d5a346bfa663d6ae277ef63ac65e7cc0110376e70786d3a7d90d
  SHA512    9b5c3392de845fd9444a3d812efd0925dda81795e4af1733f6621b86b2964a37a90dab9074d2572de062a3785353c8a56be27471d64666653bbed7c37e7c2b65
-
Memory dumps, grouped by process:
  memory/404-149-0x0000000000000000-mapping.dmp
  memory/404-150-0x0000000000400000-0x0000000000575000-memory.dmp   1.5MB
  memory/404-152-0x0000000000400000-0x0000000000575000-memory.dmp   1.5MB
  memory/404-155-0x0000000000400000-0x0000000000575000-memory.dmp   1.5MB
  memory/404-161-0x0000000000400000-0x0000000000575000-memory.dmp   1.5MB
  memory/848-140-0x0000000000000000-mapping.dmp
  memory/2772-143-0x0000000000000000-mapping.dmp
  memory/3404-132-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp  64KB
  memory/3404-133-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp  64KB
  memory/3404-134-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp  64KB
  memory/3404-135-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp  64KB
  memory/3404-136-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp  64KB
  memory/3404-137-0x00007FF8D50A0000-0x00007FF8D50B0000-memory.dmp  64KB
  memory/3404-138-0x00007FF8D50A0000-0x00007FF8D50B0000-memory.dmp  64KB
  memory/3404-139-0x0000020CAFD6B000-0x0000020CAFD6D000-memory.dmp  8KB
  memory/3404-164-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp  64KB
  memory/3404-165-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp  64KB
  memory/3404-166-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp  64KB
  memory/3404-167-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp  64KB
  memory/4016-156-0x0000000000000000-mapping.dmp
  memory/4016-157-0x0000000000400000-0x00000000004B2000-memory.dmp  712KB
  memory/4016-158-0x0000000000400000-0x00000000004B2000-memory.dmp  712KB
  memory/4016-159-0x0000000000400000-0x00000000004B2000-memory.dmp  712KB
  memory/4016-160-0x0000000000400000-0x00000000004B2000-memory.dmp  712KB
  memory/4016-162-0x0000000000400000-0x00000000004B2000-memory.dmp  712KB
The 0x00400000 regions dumped from the two svchost.exe processes (PID 404, 1.5MB; PID 4016, 712KB) sit at the default 32-bit image base and were captured after the WriteProcessMemory and SetThreadContext events above; they are the dumps to carve the injected stages from, and the differing sizes show the two processes host two different images. The WINWORD.EXE dumps are 64KB and 8KB slices of Word's own 64-bit address space.