Analysis
-
max time kernel: 42s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 04:28
Static task: static1
Behavioral task: behavioral1
  Sample: b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe
  Resource: win10v2004-20221111-en
General
-
Target: b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe
Size: 1.6MB
MD5: fb464794c924adf0e9d448f904bcbc0e
SHA1: 23838f0309e313efbf87ceede73c526e7d69725a
SHA256: b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de
SHA512: 9c48678ca011dd86b66e7a240edf21e7c2117e3f0cd25e3e993468c9628857c16e2d8d460bf965ae8b5037f9769b2e2f002c4ca07729d3bb12afdf859521530c
SSDEEP: 24576:ktb20pkaCqT5TBWgNQ7a+WLqYe39oH8y5Prv6F81MGhuKSdNz56A:NVg5tQ7a+EdH8y5PryFoduxV5
Malware Config
Extracted family: darkcomet
C2: microsoftcorperation.ddns.net:1337
Mutex: DC_MUTEX-G0M1A4H
gencode: gLZapf5KJLR9
install: false
offline_keylogger: true
persistence: false
Note that install=false and persistence=false are the DarkComet payload's own settings. The Run key recorded under Signatures is written by the AutoIt loader 11723.exe, not by the payload, so the persistence flags in the config must not be read as "no persistence on this host". The C2 host is a dynamic-DNS name (ddns.net) on a non-standard port, which is a detection opportunity in DNS and egress logs; the mutex name is a second host-level indicator.
Signatures
-
Executes dropped EXE 1 IoCs
Processes (pid, process):
1888  11723.exe
Loads dropped DLL 4 IoCs
Processes (pid, process):
1280  b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe  (listed 4 times, one per IoC)
Adds Run key to start application 2 TTPs 2 IoCs
Processes (process, description, ioc):
11723.exe  Key created      \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
11723.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WerFault = "C:\\Users\\Admin\\AppData\\Roaming\\11723.exe"
The key is the logged-on user's HKCU Run key (SID S-1-5-21-...-1000), so no elevation is needed. The value name WerFault imitates Windows Error Reporting, the same system binary the loader later injects into; a Run value named after a Windows component but pointing into %AppData%\Roaming is a high-confidence indicator on its own.
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
Processes (resource, yara_rule):
\Users\Admin\AppData\Roaming\11723.exe    autoit_exe  (4 hits)
C:\Users\Admin\AppData\Roaming\11723.exe  autoit_exe  (2 hits)
All six hits are the same file. Since 11723.exe carries the same hashes as the submitted sample (see Downloads), the submitted sample itself is an AutoIt-compiled executable acting as the loader for the DarkComet payload.
Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid, process, target pid, target process):
set thread context  1888  11723.exe  ->  1752  WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). This is a generic sandbox heuristic; its "likely ransomware behaviour" tag does not fit this sample, whose extracted configuration identifies the payload as DarkComet, a remote access trojan, and for which no file encryption or ransom note is reported. Drive enumeration is ordinary behaviour for a RAT with a file browser.
-
NTFS ADS 3 IoCs
Processes (process, description, ioc):
b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe  File created                  C:\Users\Admin\AppData\Roaming\11723.exe:Zone.Identifier:$DATA
11723.exe                                                             File opened for modification  C:\Users\Admin\AppData\Roaming\11723.exe:Zone.Identifier:$DATA
b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe  File created                  C:\Users\Admin\AppData\Local\Temp\b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe:Zone.Identifier:$DATA
The parent writes a Zone.Identifier stream (the Mark-of-the-Web) on the copy it drops, and the copy then opens that same stream for modification: the pattern of a loader altering or clearing its own MOTW before it runs, so that SmartScreen and Office/Explorer zone checks no longer see the file as downloaded content.
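A parser and classifier for the Zone.Identifier stream involved above, as an added example (not code from the sandbox or from the sample). The stream contents in the usage section are constructed; only the artifact path is taken from the report. On Windows, Python's ordinary file API reads an alternate data stream when the stream name is appended to the path, which is what read_zone_identifier does; on other platforms there is no ADS to read and it returns None.

```python
"""Parse and classify the Zone.Identifier stream (Mark-of-the-Web, MOTW).

Added example, not code from the sandbox or from the sample. The stream
contents used in the usage section are constructed; only the artifact
path comes from the report.
"""
import configparser
import sys

# URL security zone values written into ZoneTransfer.ZoneId by browsers/Explorer.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}


def parse_zone_identifier(data: bytes) -> dict:
    """Return the [ZoneTransfer] fields with ZoneId as an int (None if absent)."""
    text = data.decode("utf-8", errors="replace").replace("\r\n", "\n")
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (ZoneId, HostUrl, ReferrerUrl)
    try:
        cp.read_string(text)
    except configparser.Error as exc:  # not INI-shaped: treat as no usable mark
        return {"ZoneId": None, "error": str(exc)}
    if not cp.has_section("ZoneTransfer"):
        return {"ZoneId": None}
    fields = dict(cp.items("ZoneTransfer"))
    try:
        fields["ZoneId"] = int(fields.get("ZoneId", ""))
    except ValueError:  # missing or non-numeric ZoneId
        fields["ZoneId"] = None
    return fields


def motw_verdict(data) -> str:
    """Classify a file by its stream: data is the raw stream, or None if absent."""
    if data is None:
        return "no Zone.Identifier stream: file is not marked as downloaded"
    zone = parse_zone_identifier(data)["ZoneId"]
    if zone is None:
        return "stream present but unusable: MOTW stripped or malformed"
    return f"ZoneId={zone} ({ZONES.get(zone, 'unknown zone')})"


def read_zone_identifier(path: str):
    """Read the stream from NTFS on Windows; elsewhere there is no ADS to read."""
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", "rb") as stream:
            return stream.read()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Constructed stream standing in for what the parent wrote on the dropped
    # copy before 11723.exe opened it for modification.
    downloaded = b"[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=about:internet\r\n"
    print(motw_verdict(downloaded))             # ZoneId=3 (Internet)
    print(motw_verdict(b"[ZoneTransfer]\r\n"))  # stream present but unusable: ...
    print(motw_verdict(read_zone_identifier(r"C:\Users\Admin\AppData\Roaming\11723.exe")))
```

The three outcomes are deliberately distinct: a missing stream is normal for files that never came from the Internet, while a stream that exists but carries no ZoneId is the state a loader leaves behind when it truncates or rewrites the mark rather than deleting it, and is worth a finding in its own right.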
Suspicious use of FindShellTrayWindow 6 IoCs
Processes (pid, process):
1280  b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe  (3 IoCs)
1888  11723.exe  (3 IoCs)
Suspicious use of SendNotifyMessage 6 IoCs
Processes (pid, process):
1280  b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe  (3 IoCs)
1888  11723.exe  (3 IoCs)
Suspicious use of WriteProcessMemory 17 IoCs
Processes (description, pid, process, target pid, target process):
wrote to memory  1280  b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe  ->  1888  11723.exe     (4 IoCs)
wrote to memory  1888  11723.exe  ->  1752  WerFault.exe  (13 IoCs)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe"
- Loads dropped DLL
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
  2. C:\Users\Admin\AppData\Roaming\11723.exe
     command line: "C:\Users\Admin\AppData\Roaming\11723.exe"
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
    3. C:\Windows\SysWOW64\WerFault.exe
       command line: "C:\Windows\SysWOW64\WerFault.exe"
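Detection logic for this chain (self-copy into %AppData%, HKCU Run value named after a Windows component, a SysWOW64 binary spawned and written into by an AppData executable, dynamic-DNS C2), as an added example in Python over constructed Sysmon-style events. This is not the sandbox's or the sample's code. EVENTS mirrors the report: PIDs, paths, the Run value and the C2 host are taken from it, while the GrantedAccess value on the ProcessAccess event and the DNS event are assumptions, since the report lists API names rather than handle rights and its Network section is empty. A legitimate WerFault.exe launched by svchost.exe is included as a control that must not fire.

```python
"""Detection rules for the execution chain in the process tree above.

Added example, not code from the sandbox or from the sample. EVENTS is a
constructed Sysmon-style event list that mirrors the report; field names
follow Sysmon's schema. GrantedAccess and the DNS event are assumptions.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe")
DROPPED = r"C:\Users\Admin\AppData\Roaming\11723.exe"
HOLLOWED = r"C:\Windows\SysWOW64\WerFault.exe"

USER_WRITABLE = re.compile(r"(?:^|\\)Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^[A-Z]:\\Windows\\(?:System32|SysWOW64)\\", re.IGNORECASE)
# Run-value names that imitate Windows components (WerFault is the one seen here).
LOOKALIKES = {"werfault", "svchost", "explorer", "csrss", "lsass", "winlogon"}
DYNDNS = (".ddns.net", ".no-ip.org", ".duckdns.org", ".hopto.org")
# Handle rights needed to overwrite another process's image before resuming it.
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020


def detect(events):
    """Return (pid, rule, reason) for each event that matches a rule."""
    hits = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:  # FileCreate
            name = ev["TargetFilename"]
            if name.lower().endswith(".exe") and USER_WRITABLE.search(name):
                hits.append((ev["ProcessId"], "dropped_exe",
                             f"executable written under AppData: {name}"))
        elif eid == 13:  # RegistryEvent (Value Set)
            key, _, value_name = ev["TargetObject"].rpartition("\\")
            if key.lower().endswith(r"\currentversion\run") and USER_WRITABLE.search(ev["Details"]):
                reason = f"Run value '{value_name}' points into AppData (T1547.001)"
                if value_name.lower() in LOOKALIKES:
                    reason += "; name imitates a Windows component"
                hits.append((ev["ProcessId"], "run_key", reason))
        elif eid == 1:  # ProcessCreate
            if SYSTEM_DIR.match(ev["Image"]) and USER_WRITABLE.search(ev["ParentImage"]):
                hits.append((ev["ProcessId"], "system_binary_from_appdata",
                             f"{ev['Image']} spawned by {ev['ParentImage']}"))
        elif eid == 10:  # ProcessAccess
            rights = int(ev["GrantedAccess"], 16)
            if (rights & PROCESS_VM_WRITE and rights & PROCESS_VM_OPERATION
                    and SYSTEM_DIR.match(ev["TargetImage"])
                    and USER_WRITABLE.search(ev["SourceImage"])):
                hits.append((ev["SourceProcessId"], "remote_write",
                             f"write access to {ev['TargetImage']} (T1055.012 process hollowing)"))
        elif eid == 22:  # DNSEvent
            if ev["QueryName"].lower().endswith(DYNDNS):
                hits.append((ev["ProcessId"], "dyndns_c2",
                             f"dynamic-DNS lookup {ev['QueryName']} (T1568)"))
    return hits


EVENTS = [  # constructed: one event per observed step, plus a benign control
    {"EventID": 11, "ProcessId": 1280, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 1, "ProcessId": 1888, "Image": DROPPED, "ParentImage": SAMPLE},
    {"EventID": 13, "ProcessId": 1888, "Image": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-3845472200-3839195424-595303356-1000"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\WerFault",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 1752, "Image": HOLLOWED, "ParentImage": DROPPED},
    {"EventID": 10, "SourceProcessId": 1888, "SourceImage": DROPPED,
     "TargetImage": HOLLOWED, "GrantedAccess": "0x1FFFFF"},  # assumed full access
    {"EventID": 22, "ProcessId": 1752, "Image": HOLLOWED,
     "QueryName": "microsoftcorperation.ddns.net"},  # assumed, from the C2 config
    {"EventID": 1, "ProcessId": 4321, "Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},  # legitimate WER, must not fire
]

if __name__ == "__main__":
    for pid, rule, reason in detect(EVENTS):
        print(f"pid {pid:<5} {rule:<27} {reason}")
```

Each rule is weak alone (plenty of installers write executables under AppData), but the combination on one process lineage, especially the remote_write and system_binary_from_appdata pair on the same parent/child, is what separates this loader from benign software; correlate by PID rather than alerting on single rules.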
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\rr
Filesize: 658KB
MD5: 54225836659df587e8963022b29770ef
SHA1: b1850d7fb99ff5313d0ecd2d1d858d12ea13987b
SHA256: 2a3cae68cf9160fbb4b8162d3d5deef8d4c3f34e9b73007d47f520d392a67263
SHA512: 0ce718d2bea6a9f193af3c8e4471dc7f8e106acfb0c6a96af676e0829ef96d1ad2a8f0788c2c6407c04f94f962a7111bf43a73da4b2a1443ecab5c6a338c838d
-
C:\Users\Admin\AppData\Roaming\11723.exe (reported six times: twice as C:\Users\Admin\AppData\Roaming\11723.exe and four times as \Users\Admin\AppData\Roaming\11723.exe; all six entries carry the same hashes)
Filesize: 1.6MB
MD5: fb464794c924adf0e9d448f904bcbc0e
SHA1: 23838f0309e313efbf87ceede73c526e7d69725a
SHA256: b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de
SHA512: 9c48678ca011dd86b66e7a240edf21e7c2117e3f0cd25e3e993468c9628857c16e2d8d460bf965ae8b5037f9769b2e2f002c4ca07729d3bb12afdf859521530c
These hashes are identical to the submitted sample's, so 11723.exe is a byte-for-byte self-copy staged in %AppData%\Roaming rather than a second-stage download; C:\Users\Admin\AppData\Local\Temp\rr is the only listed file artifact with different content.
-
memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp  Filesize: 8KB
memory/1752-74-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize: 712KB
memory/1752-64-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize: 712KB
memory/1752-65-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize: 712KB
memory/1752-67-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize: 712KB
memory/1752-69-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize: 712KB
memory/1752-71-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize: 712KB
memory/1752-73-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize: 712KB
memory/1752-76-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize: 712KB
memory/1752-78-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize: 712KB
memory/1752-79-0x000000000048F888-mapping.dmp
memory/1752-80-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize: 712KB
memory/1752-81-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize: 712KB
memory/1888-59-0x0000000000000000-mapping.dmp
Every dump of PID 1752 (WerFault.exe) covers the same 712KB region at 0x400000-0x4B2000, the default image base of a 32-bit PE. Together with the SetThreadContext and WriteProcessMemory entries from 11723.exe into this process, this is consistent with the DarkComet payload having been written over the WerFault.exe image; the 0x48F888 mapping lies inside that region and is where to start when carving the injected payload for static analysis or config extraction.