Analysis
- max time kernel: 152s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 01:41
Static task: static1
Behavioral task: behavioral1
  Sample: c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe
  Resource: win10v2004-20220901-en
General
- Target: c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe
- Size: 449KB
- MD5: e10ca314d5cc8d7643aff2acd14b8696
- SHA1: ff0e4023caa46ba078be0645c132b072a945d4f3
- SHA256: c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59
- SHA512: 6b0777d52ea3f4e96185ec826d4637fd4f32ae604eec05ee2a6e83ac28b85bbb7a1ecb1ed9d0eb5b2996243b6317c39ee995f5539ba06551e119dea7c163414b
- SSDEEP: 6144:59ts21gkJMMMyMEv1Goh7TJTX9sIsQkiFIk6/mFDe9Sqhq7nj/I0JIY7+qga:LtsiX2MFNgoRT1XasIk6CCVqA0Jd+q
Malware Config
Extracted family: darkcomet
tell
- ddos.duia.ro:443
- DCMIN_MUTEX-E61LPZQ
Attributes
- InstallPath: notepad.exe
- gencode: STE5MstR9N7H
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: Host process
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: FB_CBA2.tmp.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\STE5MstR9N7H\\notepad.exe" (FB_CBA2.tmp.exe)

ModiLoader Second Stage (7 IoCs)
yara rule modiloader_stage2 matched:
- behavioral2/memory/3616-136-0x0000000000400000-0x0000000000448000-memory.dmp
- behavioral2/memory/3616-138-0x0000000000400000-0x0000000000448000-memory.dmp
- behavioral2/memory/3616-139-0x0000000000400000-0x0000000000448000-memory.dmp
- C:\Users\Admin\AppData\Local\Temp\FB_CE81.tmp.exe (matched twice)
- C:\Users\Admin\AppData\Roaming\upfile.exe (matched twice)

Executes dropped EXE (4 IoCs)
- PID 1008 FB_CBA2.tmp.exe
- PID 1700 FB_CE81.tmp.exe
- PID 2356 upfile.exe
- PID 2392 notepad.exe

yara rule upx matched (7 IoCs)
- C:\Users\Admin\AppData\Local\Temp\FB_CBA2.tmp.exe (matched twice)
- C:\Windows\SysWOW64\STE5MstR9N7H\notepad.exe (matched twice)
- behavioral2/memory/2392-152-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/1008-153-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/2392-155-0x0000000000400000-0x00000000004B7000-memory.dmp

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation, by each of c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe, FB_CE81.tmp.exe and FB_CBA2.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Host process = "C:\\Windows\\system32\\STE5MstR9N7H\\notepad.exe" (FB_CBA2.tmp.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\upfile = "C:\\Users\\Admin\\AppData\\Roaming\\upfile.exe" (upfile.exe)
- Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sakura = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winog.exe" (reg.exe)

Drops file in System32 directory (3 IoCs)
- File created: C:\Windows\SysWOW64\notepad.exe (FB_CBA2.tmp.exe)
- File created: C:\Windows\SysWOW64\STE5MstR9N7H\notepad.exe (FB_CBA2.tmp.exe)
- File opened for modification: C:\Windows\SysWOW64\STE5MstR9N7H\notepad.exe (FB_CBA2.tmp.exe)

Suspicious use of SetThreadContext (1 IoC)
- PID 5060 (c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe) set thread context of PID 3616 (vbc.exe)

Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new (c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe)
- File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new (c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (48 IoCs)
FB_CBA2.tmp.exe (PID 1008) and notepad.exe (PID 2392) each adjusted the same 24 token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36.

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2392 notepad.exe

Suspicious use of WriteProcessMemory (27 IoCs)
- PID 5060 (c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe) wrote to memory of PID 2820 (cmd.exe): 3 times
- PID 2820 (cmd.exe) wrote to memory of PID 4592 (reg.exe): 3 times
- PID 5060 (c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe) wrote to memory of PID 3616 (vbc.exe): 9 times
- PID 3616 (vbc.exe) wrote to memory of PID 1008 (FB_CBA2.tmp.exe): 3 times
- PID 3616 (vbc.exe) wrote to memory of PID 1700 (FB_CE81.tmp.exe): 3 times
- PID 1700 (FB_CE81.tmp.exe) wrote to memory of PID 2356 (upfile.exe): 3 times
- PID 1008 (FB_CBA2.tmp.exe) wrote to memory of PID 2392 (notepad.exe): 3 times
Processes (tree; indentation shows parent/child, each entry gives the image path, the command line and the signatures hit)

C:\Users\Admin\AppData\Local\Temp\c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Sakura" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\winog.exe
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Sakura" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\winog.exe
      - Adds Run key to start application

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\FB_CBA2.tmp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\FB_CBA2.tmp.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\STE5MstR9N7H\notepad.exe
        command line: "C:\Windows\system32\STE5MstR9N7H\notepad.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\FB_CE81.tmp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\FB_CE81.tmp.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\upfile.exe
        command line: "C:\Users\Admin\AppData\Roaming\upfile.exe"
        - Executes dropped EXE
        - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\FB_CBA2.tmp.exe
  Filesize: 232KB
  MD5: 3a708b5ecb675e5a90647ef477ea63b9
  SHA1: 35179515c96d64212fdc2e5e6d441fbe4eba5318
  SHA256: 7b6bf118dd160e3704100d26229dd0cc8bce0ed8ec95006a1c559ef6d836ccd4
  SHA512: 44dd1d4bd9eb2b255575c3999682200e180a04c1e8b8612279fee362305b398dd320641d0c0ed3787e779b4a456357940eea66bdad54ebadd222be601a3ee68b

C:\Users\Admin\AppData\Local\Temp\FB_CE81.tmp.exe
  Filesize: 36KB
  MD5: 262d01e26ca4cc3c1892f412fdabdb2f
  SHA1: 30afa5bbafb1b789afe155fd609febfaa1df8881
  SHA256: 15f411580e38c2cec70dc7fea580322cfd4ac60cb5db1a95d3c1ab0cfbb627be
  SHA512: d2e951e3a4b481f718b1e0e63d9530005bf8651f8991b3e4177ec84f25b4012928992f5b6fa4ad6da3922eea296b5db3c8b075b884889f91d2eb31b3e37a85e7

C:\Users\Admin\AppData\Roaming\upfile.exe (same hashes as FB_CE81.tmp.exe)
  Filesize: 36KB
  MD5: 262d01e26ca4cc3c1892f412fdabdb2f
  SHA1: 30afa5bbafb1b789afe155fd609febfaa1df8881
  SHA256: 15f411580e38c2cec70dc7fea580322cfd4ac60cb5db1a95d3c1ab0cfbb627be
  SHA512: d2e951e3a4b481f718b1e0e63d9530005bf8651f8991b3e4177ec84f25b4012928992f5b6fa4ad6da3922eea296b5db3c8b075b884889f91d2eb31b3e37a85e7

C:\Windows\SysWOW64\STE5MstR9N7H\notepad.exe (same hashes as FB_CBA2.tmp.exe)
  Filesize: 232KB
  MD5: 3a708b5ecb675e5a90647ef477ea63b9
  SHA1: 35179515c96d64212fdc2e5e6d441fbe4eba5318
  SHA256: 7b6bf118dd160e3704100d26229dd0cc8bce0ed8ec95006a1c559ef6d836ccd4
  SHA512: 44dd1d4bd9eb2b255575c3999682200e180a04c1e8b8612279fee362305b398dd320641d0c0ed3787e779b4a456357940eea66bdad54ebadd222be601a3ee68b
Memory dumps (Filesize given where the report lists one)
- memory/1008-153-0x0000000000400000-0x00000000004B7000-memory.dmp: 732KB
- memory/1008-140-0x0000000000000000-mapping.dmp
- memory/1700-143-0x0000000000000000-mapping.dmp
- memory/2356-146-0x0000000000000000-mapping.dmp
- memory/2392-149-0x0000000000000000-mapping.dmp
- memory/2392-152-0x0000000000400000-0x00000000004B7000-memory.dmp: 732KB
- memory/2392-155-0x0000000000400000-0x00000000004B7000-memory.dmp: 732KB
- memory/2820-133-0x0000000000000000-mapping.dmp
- memory/3616-139-0x0000000000400000-0x0000000000448000-memory.dmp: 288KB
- memory/3616-138-0x0000000000400000-0x0000000000448000-memory.dmp: 288KB
- memory/3616-136-0x0000000000400000-0x0000000000448000-memory.dmp: 288KB
- memory/3616-135-0x0000000000000000-mapping.dmp
- memory/4592-134-0x0000000000000000-mapping.dmp
- memory/5060-132-0x0000000074AC0000-0x0000000075071000-memory.dmp: 5.7MB
- memory/5060-154-0x0000000074AC0000-0x0000000075071000-memory.dmp: 5.7MB