Analysis
Max time kernel: 158s
Max time network: 50s
Platform: windows7_x64
Resource: win7-20221111-en
Resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
Submitted: 28-11-2022 12:06

Behavioral task: behavioral1
Sample: ac8f48948073402bf3304f9912d2f9785dd5ea346aeb90991f76741b3701570c.exe
Resource: win7-20221111-en
General
Target: ac8f48948073402bf3304f9912d2f9785dd5ea346aeb90991f76741b3701570c.exe
Size: 668KB
MD5: 6886a1bd5f1eb69d90d81f79638bf505
SHA1: fd957160ba84f51f5e29886008fc6eb6d48a3419
SHA256: ac8f48948073402bf3304f9912d2f9785dd5ea346aeb90991f76741b3701570c
SHA512: 601b998b4236c63e6d06771a58f66436d744c972ff48671f3fad6626c7dfd4b988c0094583d7e2e4e38b8e0ff633d7f7773c002a76f5b9230e46ed53e21002a9
SSDEEP: 12288:A9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hd:kZ1xuVVjfFoynPaVBUR8f+kN10EBf
Malware Config
Extracted
Family: darkcomet
Botnet/campaign ID: Coolpol
C2: instealman.hopto.org:1604
Mutex: DC_MUTEX-F6XBUWE
Attributes:
- InstallPath: Windupdt\winupdate.exe
- gencode: 5FHnjxyRWMdT
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: winupdater

The C2 is a dynamic-DNS hostname (hopto.org is a No-IP domain) on port 1604, DarkComet's default listener port, so alert on the hostname and port rather than on whatever IP it resolved to at analysis time. The install path and the reg_key value name reappear as host artefacts in the Signatures section below; the mutex name is the host IoC for a running instance.
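How a config like the one above is recovered, as an added example (not code from the report, from Triage, or from the sample): DarkComet stores its settings as a hex-encoded RC4 ciphertext whose key is a build-specific prefix with the operator's password appended (empty by default). The key prefixes and the KEY={VALUE} field names are the ones public DarkComet decoders use and are this example's assumption, since the report does not state the build version; reading the blob out of the PE resource is left out, and SAMPLE_BLOB is constructed here by encrypting a config that mirrors the extracted fields.

```python
"""Decrypt and parse a DarkComet configuration blob (added example).

DarkComet keeps its settings as a hex-encoded RC4 ciphertext; the RC4 key is a
build-specific prefix with the operator password appended (empty by default).
Reading the blob out of the PE resource is out of scope here: SAMPLE_BLOB is
constructed by encrypting a config that mirrors the fields in this report.
"""
import binascii

# Build-specific key prefixes tried by public decoders (assumption: the
# report does not state which DarkComet build produced the sample).
KEY_PREFIXES = ('#KCMDDC51#-890', '#KCMDDC5#-890', '#KCMDDC42F#-890', '#KCMDDC2#-890')


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(text: str) -> dict:
    """Split the decrypted KEY={VALUE} lines into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if '={' in line and line.endswith('}'):
            key, value = line.split('={', 1)
            cfg[key] = value[:-1]
    return cfg


def decrypt_config(hex_blob: str, passwords=('',)):
    """Try each key prefix/password pair; return (prefix, password, config) or None."""
    raw = binascii.unhexlify(hex_blob)
    for prefix in KEY_PREFIXES:
        for pw in passwords:
            plain = rc4((prefix + pw).encode(), raw)
            try:
                text = plain.decode('ascii')
            except UnicodeDecodeError:
                continue  # wrong key: RC4 output looks like random bytes
            if 'MUTEX={' in text:
                return prefix, pw, parse_config(text)
    return None


# DarkComet field name -> label used in this report's Malware Config section.
FIELD_MAP = {
    'NETDATA': 'c2', 'MUTEX': 'mutex', 'SID': 'campaign_id', 'GENCODE': 'gencode',
    'INSTALL': 'install', 'EDTPATH': 'InstallPath', 'KEYNAME': 'reg_key',
    'PERSINST': 'persistence', 'OFFLINEK': 'offline_keylogger',
}
FLAGS = {'install', 'persistence', 'offline_keylogger'}


def summarise(cfg: dict) -> dict:
    """Map raw config keys to the report's labels, turning 1/0 flags into booleans."""
    out = {}
    for raw_key, label in FIELD_MAP.items():
        if raw_key in cfg:
            out[label] = cfg[raw_key] == '1' if label in FLAGS else cfg[raw_key]
    return out


# Constructed config text using the values extracted in this report.
SAMPLE_CONFIG = '\r\n'.join([
    '#BEGIN DARKCOMET DATA --',
    'MUTEX={DC_MUTEX-F6XBUWE}',
    'SID={Coolpol}',
    'NETDATA={instealman.hopto.org:1604}',
    'GENCODE={5FHnjxyRWMdT}',
    'INSTALL={1}',
    'EDTPATH={Windupdt\\winupdate.exe}',
    'KEYNAME={winupdater}',
    'PERSINST={1}',
    'OFFLINEK={1}',
    '#EOF DARKCOMET DATA --',
])
# Encrypted with the 5.1 prefix and an empty password, then hex-encoded as in the resource.
SAMPLE_BLOB = binascii.hexlify(rc4(b'#KCMDDC51#-890', SAMPLE_CONFIG.encode())).decode().upper()

if __name__ == '__main__':
    prefix, password, cfg = decrypt_config(SAMPLE_BLOB)
    print(f'key prefix {prefix!r}, password {password!r}')
    for label, value in summarise(cfg).items():
        print(f'{label}: {value}')
```

If the operator set a password, pass candidates via the passwords argument; the ASCII check plus the MUTEX={ marker is what distinguishes a correct key from a wrong one, because RC4 under a wrong key yields bytes that almost never decode as ASCII text.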
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: ac8f48948073402bf3304f9912d2f9785dd5ea346aeb90991f76741b3701570c.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"
Winlogon launches every comma-separated entry in Userinit at logon; appending winupdate.exe after the stock userinit.exe gives the implant a second autostart that survives removal of the Run key below.

Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: winupdate.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
EnableFirewall = 0 switches the Windows Firewall standard profile off by direct registry write, without going through the firewall API.

Executes dropped EXE (1 IoC)
- PID 760 winupdate.exe

Loads dropped DLL (4 IoCs)
- PID 1120 ac8f48948073402bf3304f9912d2f9785dd5ea346aeb90991f76741b3701570c.exe (1 load)
- PID 760 winupdate.exe (3 loads)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" (winupdate.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" (ac8f48948073402bf3304f9912d2f9785dd5ea346aeb90991f76741b3701570c.exe)
The value name winupdater is the reg_key from the extracted config; both the dropper and the installed copy write it, so it is set even if one of the two is killed early.

Drops file in System32 directory (3 IoCs)
Process: ac8f48948073402bf3304f9912d2f9785dd5ea346aeb90991f76741b3701570c.exe
- File opened for modification C:\Windows\SysWOW64\Windupdt\
- File created C:\Windows\SysWOW64\Windupdt\winupdate.exe
- File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe
The registry values above point at C:\Windows\system32\Windupdt\winupdate.exe, but the file lands in SysWOW64: the sample is a 32-bit process on a 64-bit guest, so WoW64 file system redirection sends its System32 writes to SysWOW64. When hunting on x64 hosts, check both paths.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description adds "Likely ransomware behaviour"; for a DarkComet RAT, drive enumeration is ordinary remote file-browsing functionality and is not evidence of ransomware on its own.
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Both the dropper (PID 1120, ac8f48948073402bf3304f9912d2f9785dd5ea346aeb90991f76741b3701570c.exe) and the installed copy (PID 760, winupdate.exe) enable the same 23 privileges on their token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and three reported only by LUID (33, 34, 35). Enabling every privilege in one sweep rather than the one or two an action needs is the signature of a generic enable-all routine; SeDebugPrivilege is the one worth alerting on, since it lets the caller open processes it does not own.
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 760 winupdate.exe
A Windows hook installed by the persistent copy; consistent with the offline_keylogger = true setting in the extracted config.
Suspicious use of WriteProcessMemory (33 IoCs)
- PID 1120 (ac8f48948073402bf3304f9912d2f9785dd5ea346aeb90991f76741b3701570c.exe) wrote to memory of PID 760 (winupdate.exe): 7 writes
- PID 760 (winupdate.exe) wrote to memory of PID 1908 (notepad.exe): 26 writes
Each writer targets a process it spawned itself (see the process tree below): the dropper writes into its freshly started winupdate.exe, and winupdate.exe writes into a notepad.exe it launched, the usual pattern of injecting into a benign-looking host process. The mapping dump memory/1908-63 listed under Downloads was taken from that notepad.exe process.
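The registry and WriteProcessMemory IoCs above are flattened one-liners; the following is an added example (not code from the report or from Triage) of turning them into triage findings. It parses constructed lines copied from this report's Signatures section (the hash-named sample is shortened to sample.exe), flags the Userinit hijack, the firewall disable, the Run key and the cross-process writes, and emits both candidate on-disk paths for a System32 path written by a 32-bit process. The line grammar it assumes is the one visible in the report.

```python
"""Turn Triage-style signature IoC lines into triage findings (added example).

EVENTS is constructed from lines in this report's Signatures section, with the
hash-named sample shortened to sample.exe. The assumed line grammar is the one
the report shows: 'Set value (type) \\REGISTRY\\... = "value" process' for
registry writes and 'PID a wrote to memory of b a source target' for injections.
"""
import re
from collections import Counter

EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" sample.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe',
    'PID 1120 wrote to memory of 760 1120 sample.exe winupdate.exe',
    'PID 760 wrote to memory of 1908 760 winupdate.exe notepad.exe',
    'PID 760 wrote to memory of 1908 760 winupdate.exe notepad.exe',
    'PID 760 wrote to memory of 1908 760 winupdate.exe notepad.exe',
]

SET_VALUE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\[^=]+?) = "(.*)" (\S+)$')
WRITE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$')
STOCK_USERINIT = 'userinit.exe'


def unescape(value: str) -> str:
    """The report prints registry strings with doubled backslashes; undo that."""
    return value.replace('\\\\', '\\')


def userinit_extras(value: str) -> list:
    """Every comma-separated Userinit entry other than the stock userinit.exe.

    Winlogon runs each listed program at logon, so any extra entry is a
    persistence hijack no matter how legitimate its path looks."""
    entries = [e.strip() for e in unescape(value).split(',') if e.strip()]
    return [e for e in entries if e.lower().rsplit('\\', 1)[-1] != STOCK_USERINIT]


def wow64_candidates(path: str) -> list:
    """Paths to check on a 64-bit host for a System32 path recorded by a 32-bit
    process: WoW64 file system redirection lands such writes in SysWOW64."""
    idx = path.lower().find('\\system32\\')
    if idx == -1:
        return [path]
    return [path, path[:idx] + '\\SysWOW64\\' + path[idx + len('\\system32\\'):]]


def analyse(lines) -> list:
    """Return (finding, process, detail) tuples for the lines given."""
    findings = []
    writes = Counter()
    for line in lines:
        m = SET_VALUE.match(line)
        if m:
            _kind, key, value, proc = m.groups()
            low = key.lower()
            if low.endswith('\\winlogon\\userinit'):
                for extra in userinit_extras(value):
                    findings.append(('winlogon_userinit', proc, extra))
            elif low.endswith('\\firewallpolicy\\standardprofile\\enablefirewall') and value == '0':
                findings.append(('firewall_disabled', proc, key))
            elif '\\currentversion\\run\\' in low:
                findings.append(('run_key', proc, unescape(value)))
            continue
        m = WRITE.match(line)
        if m:
            _src_pid, _dst_pid, src, dst = m.groups()
            writes[(src, dst)] += 1
    for (src, dst), count in writes.items():
        findings.append(('cross_process_write', src, f'{dst} x{count}'))
    return findings


if __name__ == '__main__':
    for finding in analyse(EVENTS):
        print(*finding)
        if finding[0] in ('winlogon_userinit', 'run_key'):
            print('   check on disk:', ' | '.join(wow64_candidates(finding[2])))
```

The Userinit check deliberately keys on the file name rather than the full path: the stock entry is C:\Windows\system32\userinit.exe, but a hijack can also replace the path while keeping the name, so pair this with a hash check of whatever file the entry resolves to.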
Processes

1. C:\Users\Admin\AppData\Local\Temp\ac8f48948073402bf3304f9912d2f9785dd5ea346aeb90991f76741b3701570c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ac8f48948073402bf3304f9912d2f9785dd5ea346aeb90991f76741b3701570c.exe"
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in System32 directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\Windupdt\winupdate.exe (child of 1)
      Command line: "C:\Windows\system32\Windupdt\winupdate.exe"
      - Modifies firewall policy service
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\notepad.exe (child of 2)
         Command line: notepad
         No signatures of its own; it is the injection target of winupdate.exe.

The command line of process 2 names C:\Windows\system32\... while its image path is C:\Windows\SysWOW64\...: the 32-bit dropper's System32 path was redirected by WoW64. The persistence entries were written with the system32 path, so whether they resolve at the next logon depends on the bitness of the process that reads them; a 64-bit reader is not redirected and looks in the real System32.
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Windows\SysWOW64\Windupdt\winupdate.exe (also listed as \Windows\SysWOW64\Windupdt\winupdate.exe; the report repeats this entry six times with identical hashes)
Filesize: 668KB
MD5: 6886a1bd5f1eb69d90d81f79638bf505
SHA1: fd957160ba84f51f5e29886008fc6eb6d48a3419
SHA256: ac8f48948073402bf3304f9912d2f9785dd5ea346aeb90991f76741b3701570c
SHA512: 601b998b4236c63e6d06771a58f66436d744c972ff48671f3fad6626c7dfd4b988c0094583d7e2e4e38b8e0ff633d7f7773c002a76f5b9230e46ed53e21002a9
All four hashes match the submitted sample: the dropper installs an unmodified copy of itself, so the hashes in the General section are also the IoCs for the installed implant.
Memory dumps
- memory/760-56-0x0000000000000000-mapping.dmp (PID 760, winupdate.exe)
- memory/1120-54-0x0000000075291000-0x0000000075293000-memory.dmp (PID 1120), Filesize: 8KB
- memory/1908-63-0x0000000000000000-mapping.dmp (PID 1908, notepad.exe)