Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 05:50
Static task: static1
Behavioral task: behavioral1
Sample: aec5792af7af331e9f4202eac9bffec4949315426d5664b4bec4b92ef9d852ce.exe
Resource: win7-20221111-en
General
Target: aec5792af7af331e9f4202eac9bffec4949315426d5664b4bec4b92ef9d852ce.exe
Size: 3.3MB
MD5: 33cfb8a961ff5d36d4ccaa08a6c62d65
SHA1: 530dd18398d48e0976561e4a0b099e7f20f05ec6
SHA256: aec5792af7af331e9f4202eac9bffec4949315426d5664b4bec4b92ef9d852ce
SHA512: 87ee7154b678715fe1f669e1cff8b570eccccda6e5ebb0b21dcbc6202aab1eaff3eb0c0f5b38153f8f848f17596afd6b58e79b8415459c7c3ac90e59119f8b5c
SSDEEP: 49152:gFpRSE2HtYhiLeCCEbaOWhxbgGzH97Z4a3syCyyIPo:cRSxHtWYCEbaOWhxbgy7tsnco
Malware Config
Extracted
Family: darkcomet
Botnet (campaign ID): Hardcore
C2: darkcometi.no-ip.biz:1604
Mutex: DC_MUTEX-F54S21D
Attributes:
- gencode: oLPNrCVEbNtk
- install: false
- offline_keylogger: true
- password: topfun3814
- persistence: false
The install and persistence flags are both false in the build configuration, yet the Run key added below still gives the sample a restart hook; treat the observed behaviour, not the config flags, as authoritative for containment.
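How a sandbox arrives at an "Extracted" block like the one above: DarkComet 5.x builds carry their settings as an RC4-encrypted, hex-encoded text blob of KEY={VALUE} lines. The following is an added Python example, not the sandbox vendor's extractor and not code from this page, that decrypts such a blob with the static per-version keys documented in public DarkComet decoders and maps the raw fields onto the names used in this report. The resource name DCDATA, the key strings, the field names (NETDATA, SID, PWD, PERSINST, OFFLINEK, ...) and the sample blob (built here by encrypting a constructed plaintext carrying this report's values, not carved from the sample) are all assumptions taken from those public decoders rather than from this page.

```python
"""Decrypt and normalise a DarkComet 5.x configuration blob.

Added example; not the sandbox's code and not carved from the sample on this page.
Assumptions (from public DarkComet decoders, not stated on this page):
  * the config is an RCDATA resource named DCDATA holding one hex string;
  * it is RC4-encrypted with a static key such as #KCMDDC51#-890;
  * the plaintext is "KEY={VALUE}" lines between #BEGIN/#EOF markers;
  * NETDATA may hold several host:port entries separated by '|'.
"""
import binascii
import re
from typing import Dict, List, Optional

# Static keys seen across DarkComet 4.x/5.x builds (assumption from public decoders).
KNOWN_KEYS: List[bytes] = [
    b"#KCMDDC51#-890", b"#KCMDDC5#-890", b"#KCMDDC42F#-890",
    b"#KCMDDC42#-890", b"#KCMDDC4#-890", b"#KCMDDC2#-890",
]
BEGIN_MARK = "#BEGIN DARKCOMET DATA --"
END_MARK = "#EOF DARKCOMET DATA --"
LINE_RE = re.compile(r"^(\w+)=\{(.*)\}$")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_dcdata(hex_blob: str) -> Optional[str]:
    """Try every known key; accept the first plaintext that starts with the BEGIN marker."""
    raw = binascii.unhexlify(hex_blob.strip())
    for key in KNOWN_KEYS:
        plain = rc4(key, raw)
        if plain.startswith(BEGIN_MARK.encode()):
            return plain.decode("latin-1")
    return None  # wrong family/version or a repacked build with a custom key


def parse_config(text: str) -> Dict[str, str]:
    """Turn the KEY={VALUE} lines into a dict, skipping the # marker lines."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def normalise(cfg: Dict[str, str]) -> dict:
    """Map raw DarkComet keys onto the field names used in the report above."""
    def flag(name: str) -> bool:
        return cfg.get(name, "0") == "1"
    return {
        "family": "darkcomet",
        "campaign": cfg.get("SID"),                       # shown as 'Botnet' above
        "c2": [hp for hp in cfg.get("NETDATA", "").split("|") if hp],
        "mutex": cfg.get("MUTEX"),
        "gencode": cfg.get("GENCODE"),
        "password": cfg.get("PWD"),
        "install": flag("INSTALL"),
        "persistence": flag("PERSINST"),
        "offline_keylogger": flag("OFFLINEK"),
    }


def extract(hex_blob: str) -> Optional[dict]:
    text = decrypt_dcdata(hex_blob)
    return normalise(parse_config(text)) if text else None


# Constructed sample: the values are this report's, but the blob is produced here by
# encrypting the plaintext with the 5.1 key; it is NOT the resource from the real file.
_SAMPLE_PLAIN = "\n".join([
    BEGIN_MARK,
    "MUTEX={DC_MUTEX-F54S21D}",
    "SID={Hardcore}",
    "NETDATA={darkcometi.no-ip.biz:1604}",
    "GENCODE={oLPNrCVEbNtk}",
    "INSTALL={0}",
    "PERSINST={0}",
    "OFFLINEK={1}",
    "PWD={topfun3814}",
    END_MARK,
])
SAMPLE_DCDATA = binascii.hexlify(rc4(b"#KCMDDC51#-890", _SAMPLE_PLAIN.encode())).decode()

if __name__ == "__main__":
    print(extract(SAMPLE_DCDATA))
```

The key-trial loop is the part worth keeping: it lets one script cover several DarkComet versions, and a blob that decrypts under none of the keys is itself a finding (a custom-keyed rebuild or a different family).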
Signatures
-
Executes dropped EXE (3 IoCs)
Processes:
  PID   process
  4720  vbc.exe
  512   EPICBOT_520.EXE
  5056  EPICBOT_520.EXE
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description        IoC                                                                                              process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  vbc.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No individual IoC was recorded for this signature in this run.

Uses the VBS compiler for execution (1 TTP)
Triggered by the process name vbc.exe. Note that the vbc.exe here is a 1.1MB file dropped into C:\Users\Admin\AppData\Local\Temp (see Downloads), not the Visual Basic .NET compiler that ships under C:\Windows\Microsoft.NET\Framework*\v*\vbc.exe; the name mimics a legitimate binary, and the dropped copy is the target of the SetThreadContext and WriteProcessMemory activity below.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      IoC                                                                                                                        process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Users\\Admin\\AppData\\Roaming\\aec5792af7af331e9f4202eac9bffec4949315426d5664b4bec4b92ef9d852ce.exe"  aec5792af7af331e9f4202eac9bffec4949315426d5664b4bec4b92ef9d852ce.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID   process                                                                target PID  target process
  2620  aec5792af7af331e9f4202eac9bffec4949315426d5664b4bec4b92ef9d852ce.exe  4720        vbc.exe
Together with the fourteen WriteProcessMemory calls from PID 2620 into PID 4720 listed below, this is the process-hollowing pattern: the parent starts vbc.exe, writes into its address space and then sets its thread context so execution continues in the written-in code.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" wording attached to this signature is its generic description; nothing else in this run (no mass file modification, no dropped notes) supports ransomware, and a RAT such as DarkComet enumerates drives for its remote file browser.
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  PID   process          occurrences
  512   EPICBOT_520.EXE  4
  5056  EPICBOT_520.EXE  4
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: all entries are PID 4720, vbc.exe
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 33, 34, 35, 36 (privilege LUIDs the sandbox did not resolve to names)
The process enables essentially every privilege present in its token in one pass rather than the one or two a legitimate program would request; SeDebugPrivilege in particular is what later lets it open other processes.
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  PID   process          occurrences
  4720  vbc.exe          1
  5056  EPICBOT_520.EXE  2
Suspicious use of WriteProcessMemory (25 IoCs, grouped by source and target)
Processes:
  PID   process                                                                target PID  target process   writes
  2620  aec5792af7af331e9f4202eac9bffec4949315426d5664b4bec4b92ef9d852ce.exe  4720        vbc.exe          14
  4720  vbc.exe                                                                512         EPICBOT_520.EXE  3
  512   EPICBOT_520.EXE                                                        5056        EPICBOT_520.EXE  3
  4720  vbc.exe                                                                5024        iexplore.exe     3
  4720  vbc.exe                                                                5004        explorer.exe     2
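The WriteProcessMemory tally above is only meaningful when read together with SetThreadContext: the fourteen writes from PID 2620 into vbc.exe (PID 4720) plus the thread-context change are the hollowing sequence, while low counts such as the three writes into each EPICBOT_520.EXE instance are routinely recorded for ordinary parent-to-child process creation in this sandbox and are not by themselves evidence of injection. The following is an added Python example, not the sandbox's own detection logic, that separates those two cases and also picks up the Run-key and Geo\Nation findings from the signatures above. The event records are constructed by hand from the PIDs, image names and registry paths in this report, and their dict schema (api, pid, image, target_pid, key, value) is an assumption rather than any real sensor's format.

```python
"""Correlate remote-memory writes with SetThreadContext and registry activity.

Added example; not the sandbox's detection code. The event stream is
constructed from this report's PIDs, images and registry paths; the
field names below are an assumed schema, not a real sensor's output.
"""
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE = "aec5792af7af331e9f4202eac9bffec4949315426d5664b4bec4b92ef9d852ce.exe"
SID = "S-1-5-21-2629973501-4017243118-3254762364-1000"
HKU = "\\REGISTRY\\USER\\" + SID

# Autostart keys and user-writable drop locations worth flagging (assumed policy).
RUN_KEY = re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local\\Temp)\\", re.I)
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def events_from_report() -> List[Dict]:
    """Constructed event stream; write counts match the IoC tallies in the report."""
    ev: List[Dict] = []

    def wpm(pid, image, tpid, timage, n):
        ev.extend({"api": "WriteProcessMemory", "pid": pid, "image": image,
                   "target_pid": tpid, "target_image": timage} for _ in range(n))

    ev.append({"api": "RegSetValue", "pid": 2620, "image": SAMPLE,
               "key": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1",
               "value": r"C:\Users\Admin\AppData\Roaming" + "\\" + SAMPLE})
    wpm(2620, SAMPLE, 4720, "vbc.exe", 14)
    ev.append({"api": "SetThreadContext", "pid": 2620, "image": SAMPLE,
               "target_pid": 4720, "target_image": "vbc.exe"})
    ev.append({"api": "RegQueryValue", "pid": 4720, "image": "vbc.exe",
               "key": HKU + r"\Control Panel\International\Geo\Nation"})
    wpm(4720, "vbc.exe", 512, "EPICBOT_520.EXE", 3)
    wpm(512, "EPICBOT_520.EXE", 5056, "EPICBOT_520.EXE", 3)
    wpm(4720, "vbc.exe", 5024, "iexplore.exe", 3)
    wpm(4720, "vbc.exe", 5004, "explorer.exe", 2)
    return ev


def analyse(events: List[Dict]) -> List[Dict]:
    """Return findings; a (source, target) pair is hollowing only if it also got SetThreadContext."""
    findings: List[Dict] = []
    writes: Dict[tuple, int] = defaultdict(int)
    ctx_changed = set()
    images: Dict[tuple, tuple] = {}
    for e in events:
        api = e["api"]
        if api == "WriteProcessMemory":
            k = (e["pid"], e["target_pid"])
            writes[k] += 1
            images[k] = (e["image"], e["target_image"])
        elif api == "SetThreadContext":
            k = (e["pid"], e["target_pid"])
            ctx_changed.add(k)
            images.setdefault(k, (e["image"], e["target_image"]))
        elif api == "RegSetValue" and RUN_KEY.search(e["key"]):
            # Autostart entry pointing into a user-writable directory is the stronger signal.
            sev = "high" if USER_WRITABLE.search(e["value"]) else "medium"
            findings.append({"rule": "run_key_persistence", "pid": e["pid"],
                             "severity": sev, "detail": e["value"]})
        elif api == "RegQueryValue" and GEO_KEY.search(e["key"]):
            findings.append({"rule": "geofence_check", "pid": e["pid"],
                             "severity": "low", "detail": e["key"]})
    for k, n in writes.items():
        src, dst = images[k]
        if k in ctx_changed:
            findings.append({"rule": "process_hollowing", "pid": k[0], "target_pid": k[1],
                             "severity": "high",
                             "detail": f"{src} wrote {n}x into {dst} and set its thread context"})
        else:
            findings.append({"rule": "remote_memory_write", "pid": k[0], "target_pid": k[1],
                             "severity": "medium", "detail": f"{src} wrote {n}x into {dst}"})
    return findings


def by_rule(findings: List[Dict], rule: str) -> List[Dict]:
    return [f for f in findings if f["rule"] == rule]


if __name__ == "__main__":
    for f in analyse(events_from_report()):
        print(f["severity"].upper(), f["rule"], f["detail"])
```

Run against the constructed stream this yields one high-severity hollowing finding (2620 into 4720), one high-severity Run-key finding, the Geo\Nation query at low severity, and the remaining four write pairs at medium, which is how a triage queue should rank them.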
Processes
- C:\Users\Admin\AppData\Local\Temp\aec5792af7af331e9f4202eac9bffec4949315426d5664b4bec4b92ef9d852ce.exe (PID 2620, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aec5792af7af331e9f4202eac9bffec4949315426d5664b4bec4b92ef9d852ce.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\vbc.exe (PID 4720, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\EPICBOT_520.EXE (PID 512, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\EPICBOT_520.EXE"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\EPICBOT_520.EXE (PID 5056, level 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\EPICBOT_520.EXE" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_b4373760" /pproc="vbc.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
    - C:\Windows\explorer.exe (PID 5004, level 3)
      Command line: "C:\Windows\explorer.exe"
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 5024, level 3)
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
PIDs are taken from the signature tables above. explorer.exe and iexplore.exe are spawned by the hollowed vbc.exe, not by the original sample, so any network activity from them should be attributed to PID 4720.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\EPICBOT_520.EXE
  Filesize: 1.6MB
  MD5: 0d51050931dd3a7ace5bbf95723d446e
  SHA1: 12f7032b0f90feafaecbca1fce3beffa6952cd0d
  SHA256: 7a6946a968cdad50ee5d5b66c0d1a39960efe82c85c6e117427be95c76af9a8e
  SHA512: c2168e607659c1926d7fc30914908737f6d69cac2cfcecba5b2b444a0ecbfe30963daf5f51493772e2abfd941a998104acbdf6b5fc6bdf0d68400dcb0457db5a
- C:\Users\Admin\AppData\Local\Temp\pkg_b4373760\autorun.txt
  Filesize: 114B
  MD5: c819368178ce1e40fd55c813340a597a
  SHA1: 81aef3fd883c52de4fe211f3e43f70137cbccdf6
  SHA256: 1334449583ff7823df9ba97e57bed51eaaba21eed4551e25b07794f1d48c3e31
  SHA512: 753ce58ed7b76de63f8d68bf95949dfd772e805d0ab514f2706d72b2d504fb53e9beadaed0d34d933fee4f98d3ea13172c8b3a0e391bcab639c3d70003ec71a7
- C:\Users\Admin\AppData\Local\Temp\pkg_b4373760\wrapper.xml
  Filesize: 798B
  MD5: 1d45a29e3511b982a1f91b33c70e964f
  SHA1: 176a47b489be3f27dc354a2b9dd0b580bb2f3904
  SHA256: 0a69c29fe16727b18425df8ded1cfe9d07a380b9f23f1beb32f60fefc000b3dc
  SHA512: c574719f56a9cc0a3c393001f0774a5826afa5972906d9d9d214a183724a9f7226483a7181a0030e0f801b481a19957761efc170a10850aec786623eb939eb69
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
-
Memory dumps
- memory/512-142-0x0000000000000000-mapping.dmp
- memory/2620-140-0x00000000750D0000-0x0000000075681000-memory.dmp (5.7MB)
- memory/2620-132-0x00000000750D0000-0x0000000075681000-memory.dmp (5.7MB)
- memory/4720-141-0x0000000000400000-0x0000000000649000-memory.dmp (2.3MB)
- memory/4720-138-0x0000000000400000-0x0000000000649000-memory.dmp (2.3MB)
- memory/4720-143-0x0000000000400000-0x0000000000649000-memory.dmp (2.3MB)
- memory/4720-137-0x0000000000400000-0x0000000000649000-memory.dmp (2.3MB)
- memory/4720-134-0x0000000000400000-0x0000000000649000-memory.dmp (2.3MB)
- memory/4720-133-0x0000000000000000-mapping.dmp
- memory/4720-151-0x0000000000400000-0x0000000000649000-memory.dmp (2.3MB)
- memory/5004-148-0x0000000000000000-mapping.dmp
- memory/5056-146-0x0000000000000000-mapping.dmp
The repeated 0x400000-0x649000 dumps of PID 4720 cover the default 32-bit image base of the vbc.exe process that received the WriteProcessMemory/SetThreadContext activity; at 2.3MB they are larger than the 1.1MB vbc.exe on disk, which is consistent with a different image having been written in. Those dumps, rather than the on-disk vbc.exe, are the place to start when carving the unpacked payload.