Analysis
- max time kernel: 153s
- max time network: 66s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 19:41
Static task: static1
Behavioral task: behavioral1
- Sample: 308c9be2323a416b1c1297238b4197ee58e7442c82a22490f96b9d7a3f69be80.exe
- Resource: win7-20220812-en
General
- Target: 308c9be2323a416b1c1297238b4197ee58e7442c82a22490f96b9d7a3f69be80.exe
- Size: 1.1MB
- MD5: 77d59df8f968d49b824598d9b4734e61
- SHA1: f9f0d73cae09fbfc49fe6a58d7edcbbd57594064
- SHA256: 308c9be2323a416b1c1297238b4197ee58e7442c82a22490f96b9d7a3f69be80
- SHA512: dea1defa24137b301d5c5d5777e6ad0c7129d0d8305810c68b09e0030a9f0d0f96c154887402ec107ed3b727d1a684313610008c98a05ec107ffc7169840efc4
- SSDEEP: 24576:Jw1lDrobPKhS0/FzDzQ0ae4iIKcRC7lZ87:iDUG/qm
Malware Config
Extracted: darkcomet
- Bot: thescienceguy.no-ip.biz:6754
- Mutex: DC_MUTEX-XTMDCH5
- InstallPath: AVG Tray Utilities\
- gencode: 2d4YgnBQzJYv
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: AVGTrayUtils
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: vbc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\AVG Tray Utilities\\2d4YgnBQzJYv\\" | vbc.exe
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes: vbc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | vbc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | vbc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | vbc.exe
- Modifies security service (2 TTPs, 1 IoC)
  Processes: vbc.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | vbc.exe
- Windows security bypass
  Processes: vbc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vbc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vbc.exe
- Disables RegEdit via registry modification (1 IoC)
  Processes: vbc.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vbc.exe
- Disables Task Manager via registry modification
- Executes dropped EXE (1 IoC)
  Processes: AVG Tray Utility.exe
  pid | process
  948 | AVG Tray Utility.exe
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes: attrib.exe, attrib.exe
  pid | process
  832 | attrib.exe
  1156 | attrib.exe
- Loads dropped DLL (2 IoCs)
  Processes: 308c9be2323a416b1c1297238b4197ee58e7442c82a22490f96b9d7a3f69be80.exe
  pid | process
  908 | 308c9be2323a416b1c1297238b4197ee58e7442c82a22490f96b9d7a3f69be80.exe
  908 | 308c9be2323a416b1c1297238b4197ee58e7442c82a22490f96b9d7a3f69be80.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: AVG Tray Utility.exe, vbc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVG Tray Utility = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AVG Tray Utility.exe\"" | AVG Tray Utility.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVGTrayUtils = "C:\\Users\\Admin\\Documents\\AVG Tray Utilities\\2d4YgnBQzJYv\\" | vbc.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: AVG Tray Utility.exe
  description | pid | process | target process
  PID 948 set thread context of 904 | 948 | AVG Tray Utility.exe | vbc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: attrib.exe, attrib.exe
  description | ioc | process
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | attrib.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | attrib.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 308c9be2323a416b1c1297238b4197ee58e7442c82a22490f96b9d7a3f69be80.exe, AVG Tray Utility.exe
  pid | process
  908 | 308c9be2323a416b1c1297238b4197ee58e7442c82a22490f96b9d7a3f69be80.exe
  908 | 308c9be2323a416b1c1297238b4197ee58e7442c82a22490f96b9d7a3f69be80.exe
  948 | AVG Tray Utility.exe
  948 | AVG Tray Utility.exe
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Processes: 308c9be2323a416b1c1297238b4197ee58e7442c82a22490f96b9d7a3f69be80.exe, AVG Tray Utility.exe, vbc.exe
  description | pid | process
  Token: SeDebugPrivilege | 908 | 308c9be2323a416b1c1297238b4197ee58e7442c82a22490f96b9d7a3f69be80.exe
  Token: SeDebugPrivilege | 948 | AVG Tray Utility.exe
  Token: SeIncreaseQuotaPrivilege | 904 | vbc.exe
  Token: SeSecurityPrivilege | 904 | vbc.exe
  Token: SeTakeOwnershipPrivilege | 904 | vbc.exe
  Token: SeLoadDriverPrivilege | 904 | vbc.exe
  Token: SeSystemProfilePrivilege | 904 | vbc.exe
  Token: SeSystemtimePrivilege | 904 | vbc.exe
  Token: SeProfSingleProcessPrivilege | 904 | vbc.exe
  Token: SeIncBasePriorityPrivilege | 904 | vbc.exe
  Token: SeCreatePagefilePrivilege | 904 | vbc.exe
  Token: SeBackupPrivilege | 904 | vbc.exe
  Token: SeRestorePrivilege | 904 | vbc.exe
  Token: SeShutdownPrivilege | 904 | vbc.exe
  Token: SeDebugPrivilege | 904 | vbc.exe
  Token: SeSystemEnvironmentPrivilege | 904 | vbc.exe
  Token: SeChangeNotifyPrivilege | 904 | vbc.exe
  Token: SeRemoteShutdownPrivilege | 904 | vbc.exe
  Token: SeUndockPrivilege | 904 | vbc.exe
  Token: SeManageVolumePrivilege | 904 | vbc.exe
  Token: SeImpersonatePrivilege | 904 | vbc.exe
  Token: SeCreateGlobalPrivilege | 904 | vbc.exe
  Token: 33 | 904 | vbc.exe
  Token: 34 | 904 | vbc.exe
  Token: 35 | 904 | vbc.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: vbc.exe
  pid | process
  904 | vbc.exe
- Suspicious use of WriteProcessMemory (58 IoCs; identical consecutive entries collapsed with a count)
  Processes: 308c9be2323a416b1c1297238b4197ee58e7442c82a22490f96b9d7a3f69be80.exe, AVG Tray Utility.exe, vbc.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 908 wrote to memory of 948 | 908 | 308c9be2323a416b1c1297238b4197ee58e7442c82a22490f96b9d7a3f69be80.exe | AVG Tray Utility.exe (x4)
  PID 948 wrote to memory of 904 | 948 | AVG Tray Utility.exe | vbc.exe (x15)
  PID 904 wrote to memory of 1476 | 904 | vbc.exe | cmd.exe (x4)
  PID 904 wrote to memory of 1144 | 904 | vbc.exe | cmd.exe (x4)
  PID 904 wrote to memory of 972 | 904 | vbc.exe | notepad.exe (x4)
  PID 1144 wrote to memory of 1156 | 1144 | cmd.exe | attrib.exe (x4)
  PID 1476 wrote to memory of 832 | 1476 | cmd.exe | attrib.exe (x4)
  PID 904 wrote to memory of 972 | 904 | vbc.exe | notepad.exe (x19)
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  pid | process
  832 | attrib.exe
  1156 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\308c9be2323a416b1c1297238b4197ee58e7442c82a22490f96b9d7a3f69be80.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\308c9be2323a416b1c1297238b4197ee58e7442c82a22490f96b9d7a3f69be80.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\AVG Tray Utility.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\AVG Tray Utility.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Modifies WinLogon for persistence
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (depth 4)
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\attrib.exe (depth 5)
          Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
          - Sets file to hidden
          - Drops file in Windows directory
          - Views/modifies file attributes
      - C:\Windows\SysWOW64\cmd.exe (depth 4)
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\attrib.exe (depth 5)
          Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
          - Sets file to hidden
          - Drops file in Windows directory
          - Views/modifies file attributes
      - C:\Windows\SysWOW64\notepad.exe (depth 4)
        Command line: notepad
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\AVG Tray Utility.exe
  Filesize: 1.1MB
  MD5: 77d59df8f968d49b824598d9b4734e61
  SHA1: f9f0d73cae09fbfc49fe6a58d7edcbbd57594064
  SHA256: 308c9be2323a416b1c1297238b4197ee58e7442c82a22490f96b9d7a3f69be80
  SHA512: dea1defa24137b301d5c5d5777e6ad0c7129d0d8305810c68b09e0030a9f0d0f96c154887402ec107ed3b727d1a684313610008c98a05ec107ffc7169840efc4
- \Users\Admin\AppData\Roaming\Microsoft\AVG Tray Utility.exe
  Filesize: 1.1MB
  MD5: 77d59df8f968d49b824598d9b4734e61
  SHA1: f9f0d73cae09fbfc49fe6a58d7edcbbd57594064
  SHA256: 308c9be2323a416b1c1297238b4197ee58e7442c82a22490f96b9d7a3f69be80
  SHA512: dea1defa24137b301d5c5d5777e6ad0c7129d0d8305810c68b09e0030a9f0d0f96c154887402ec107ed3b727d1a684313610008c98a05ec107ffc7169840efc4
-
- memory/832-76-0x0000000000000000-mapping.dmp
- memory/904-66-0x000000000048F888-mapping.dmp
- memory/904-65-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
- memory/904-78-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
- memory/904-71-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
- memory/904-70-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
- memory/904-67-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
- memory/908-54-0x00000000761F1000-0x00000000761F3000-memory.dmp (8KB)
- memory/908-64-0x00000000748F0000-0x0000000074E9B000-memory.dmp (5.7MB)
- memory/908-63-0x00000000748F0000-0x0000000074E9B000-memory.dmp (5.7MB)
- memory/908-55-0x00000000748F0000-0x0000000074E9B000-memory.dmp (5.7MB)
- memory/948-58-0x0000000000000000-mapping.dmp
- memory/948-68-0x00000000748F0000-0x0000000074E9B000-memory.dmp (5.7MB)
- memory/948-62-0x00000000748F0000-0x0000000074E9B000-memory.dmp (5.7MB)
- memory/972-74-0x0000000000000000-mapping.dmp
- memory/1144-73-0x0000000000000000-mapping.dmp
- memory/1156-75-0x0000000000000000-mapping.dmp
- memory/1476-72-0x0000000000000000-mapping.dmp