Analysis
- max time kernel: 150s
- max time network: 85s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 27-11-2022 18:33
Static task: static1
Behavioral task: behavioral1
  Sample: cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
  Resource: win10v2004-20220812-en
General
- Target: cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
- Size: 485KB
- MD5: a026aec96f86b5aa9a5865d1077dae0e
- SHA1: cf2e36d388a7f845387a97f3f0c77c77b1c55988
- SHA256: cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0
- SHA512: c77974434c2f065bcfe6e5bf32e097a0c2d35d05cc0f20e75a421ff9c0a76034f4a72a33ed295c147800f6b937c7f9b4b25dd2ef6d28472b234a0a1ba18a06d0
- SSDEEP: 12288:xNMAK4dRRmq28Q3v1GxBMsE6dQs4Hc61JX2Upy+:xNn3c/UMsE/cAmS
Malware Config
Extracted: darkcomet
- Bot: takeit23.chickenkiller.com:6993
- Mutex: DC_MUTEX-HEN14M3
- gencode: 9M36A1ngLJGa
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    1976  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    process  description      ioc
    reg.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp\\GoogleUpdate.exe.lnk"
    reg.exe  Key created      \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                         pid   process                                                                   target process
    PID 1976 set thread context of 1256  1976  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   process
    1976  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes:
    description                           pid   process
    Token: SeDebugPrivilege               1976  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeIncreaseQuotaPrivilege       1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeSecurityPrivilege            1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeTakeOwnershipPrivilege       1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeLoadDriverPrivilege          1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeSystemProfilePrivilege       1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeSystemtimePrivilege          1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeProfSingleProcessPrivilege   1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeIncBasePriorityPrivilege     1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeCreatePagefilePrivilege      1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeBackupPrivilege              1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeRestorePrivilege             1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeShutdownPrivilege            1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeDebugPrivilege               1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeSystemEnvironmentPrivilege   1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeChangeNotifyPrivilege        1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeRemoteShutdownPrivilege      1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeUndockPrivilege              1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeManageVolumePrivilege        1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeImpersonatePrivilege         1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: SeCreateGlobalPrivilege        1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: 33                             1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: 34                             1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Token: 35                             1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid   process
    1256  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
    description                         pid   process                                                                   target process                                                            count
    PID 1976 wrote to memory of 608     1976  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe  cmd.exe                                                                   4
    PID 608 wrote to memory of 1140     608   cmd.exe                                                                   reg.exe                                                                   4
    PID 1976 wrote to memory of 1256    1976  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe  cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe  13
Processes
- C:\Users\Admin\AppData\Local\Temp\cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe"
  Depth: 1
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"
    Depth: 2
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"
      Depth: 3
      - Adds Run key to start application
  - C:\Users\Admin\AppData\Local\Temp\cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0.exe"
    Depth: 2
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe
  Filesize: 485KB
  MD5: a026aec96f86b5aa9a5865d1077dae0e
  SHA1: cf2e36d388a7f845387a97f3f0c77c77b1c55988
  SHA256: cdf1fc89d06955c1c4974ed8c229c4eecf8bba4ffdbe99be47cdea71378a16d0
  SHA512: c77974434c2f065bcfe6e5bf32e097a0c2d35d05cc0f20e75a421ff9c0a76034f4a72a33ed295c147800f6b937c7f9b4b25dd2ef6d28472b234a0a1ba18a06d0
- memory/608-59-0x0000000000000000-mapping.dmp
- memory/1140-60-0x0000000000000000-mapping.dmp
- memory/1256-66-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1256-71-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1256-81-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1256-80-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1256-61-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1256-62-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1256-64-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1256-79-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1256-68-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1256-77-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1256-70-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1256-73-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1256-75-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1256-76-0x000000000048F888-mapping.dmp
- memory/1976-57-0x0000000073E20000-0x00000000743CB000-memory.dmp (Filesize: 5.7MB)
- memory/1976-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp (Filesize: 8KB)
- memory/1976-55-0x0000000073E20000-0x00000000743CB000-memory.dmp (Filesize: 5.7MB)
- memory/1976-56-0x00000000005F6000-0x0000000000607000-memory.dmp (Filesize: 68KB)