Analysis
max time kernel: 190s
max time network: 120s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 29-11-2022 14:11
Behavioral task behavioral1
Sample: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Resource: win7-20221111-en
Behavioral task behavioral2
Sample: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Resource: win10v2004-20221111-en
The signatures, PIDs, paths and dumps below are from behavioral1 (Windows 7 x64, platform windows7_x64 in the analysis header).
General
Target: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Size: 756KB
MD5: 7492e20402c6b8b0a59e276bda7319b8
SHA1: fbaa2a0b58d6728b0e1dc08d13f9a9132277016e
SHA256: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237
SHA512: 02dfff656da997e75ca0ab99f6f8b51d5cf4d9cd709ff5779a36a8d57a386382c270a06ba31d89f9a417c24ffbb7230238f005815889844c5a38edd7814faa9f
SSDEEP: 12288:09HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hfU:4Z1xuVVjfFoynPaVBUR8f+kN10EBu
Malware Config
Extracted
Family: darkcomet
Server ID (campaign name): Kurban (Turkish for "victim")
C2: emincan.no-ip.org:1604
C2: 127.0.0.1:1604
Mutex: DC_MUTEX-YSZXZA3
InstallPath: Windupdt\winupdate.exe
gencode: EXR6B1nK6pfE
install: true
offline_keylogger: true
persistence: false
reg_key: Winupdater
Notes on the configuration: the second C2 entry, 127.0.0.1:1604, is a loopback address and can never reach an operator, so emincan.no-ip.org:1604 (a dynamic-DNS hostname) is the only usable network indicator. InstallPath is relative to the Windows directory and matches the file drop and the UserInit and Run key values recorded below. persistence = false does not mean the sample lacks startup persistence: the Winlogon and Run key entries below are written because install = true, with reg_key supplying the Run value name.
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe (PID 520)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Windupdt\\winupdate.exe"
  The dropped copy is appended to the comma-separated UserInit list, so Winlogon starts it at every interactive logon next to the legitimate userinit.exe. The value lives under HKLM, so it applies to every account on the machine and writing it needs administrative rights.
- Executes dropped EXE (1 IoC)
  Process: winupdate.exe (PID 828)
- Deletes itself (1 IoC)
  Process: notepad.exe (PID 1488)
  The original file is removed by notepad.exe, the process the sample wrote into (see WriteProcessMemory below), not by the sample's own process.
- Loads dropped DLL (4 IoCs)
  Processes: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe (PID 520, 1 event); winupdate.exe (PID 828, 3 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe (PID 520)
  Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winupdater = "C:\\Windows\\Windupdt\\winupdate.exe"
  The value name Winupdater is the reg_key from the extracted config.
- Drops file in Windows directory (3 IoCs)
  Process: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe (PID 520)
  File created C:\Windows\Windupdt\winupdate.exe
  File opened for modification C:\Windows\Windupdt\winupdate.exe
  File opened for modification C:\Windows\Windupdt\
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature calls it likely ransomware behaviour; here the sample is a DarkComet RAT and nothing else in this report shows file encryption, so treat it as drive enumeration only.
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Both the original sample (PID 520) and the dropped copy winupdate.exe (PID 828) enable the same 23 privileges on their token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges reported by LUID as 33, 34 and 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege). Enabling every privilege the token holds in one sweep, rather than the one or two a program needs, is a common trait of DarkComet and similar RATs; SeDebugPrivilege is the one that matters for the cross-process writes below.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: winupdate.exe (PID 828)
  Consistent with offline_keylogger = true in the extracted config: SetWindowsHookEx is the usual way a user-mode keylogger installs a keyboard hook.
- Suspicious use of WriteProcessMemory (25 IoCs)
  Process: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe (PID 520)
  18 writes into notepad.exe (PID 1488) and 7 writes into winupdate.exe (PID 828). Writes by the installer into processes it has just spawned indicate code injection; the notepad.exe injection is what carries out the self-deletion.
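The extracted config and the signatures above give a small set of host indicators: the Windupdt install directory, the Run value name Winupdater, the appended Winlogon UserInit entry, and the C2 host and port. The following is an added example for this report, not the sandbox's code and not part of the malware. It evaluates constructed telemetry records, shaped loosely like Sysmon registry-set, process-create and network-connect events (the Event class and field names are this example's own), against those indicators. The UserInit parser handles the two benign variants a hunter meets in practice: the stock value with its trailing comma, and a quoted path.

```python
"""Hunt for the DarkComet persistence artefacts listed in this report.

Added example; the Event shape and the sample records are constructed here,
not taken from the sandbox. Indicators are from the extracted config above.
"""
import re
from dataclasses import dataclass

# Indicators taken from the extracted config and signatures above.
INSTALL_DIR = r"C:\Windows\Windupdt"
RUN_KEY_NAME = "Winupdater"
C2_HOSTS = {"emincan.no-ip.org"}
C2_PORT = 1604

# Default Winlogon UserInit program on a stock Windows install.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

WINLOGON_USERINIT = re.compile(r"\\Winlogon\\UserInit$", re.IGNORECASE)
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$",
    re.IGNORECASE)


def parse_userinit(value: str) -> list[str]:
    """Split a Winlogon UserInit value into normalised program entries.

    UserInit is a comma-separated list. Windows tolerates a trailing comma
    (the default is 'C:\\Windows\\system32\\userinit.exe,') and quoting, so
    both are stripped and entries are lower-cased before comparison.
    """
    return [p.strip().strip('"').lower()
            for p in value.split(",") if p.strip().strip('"')]


def userinit_extras(value: str) -> list[str]:
    """Return every UserInit entry other than the stock userinit.exe."""
    return [p for p in parse_userinit(value) if p != EXPECTED_USERINIT]


@dataclass
class Event:
    kind: str             # "reg_set", "process" or "netconn" (constructed schema)
    image: str            # process that produced the event
    target: str = ""      # registry value path (reg_set)
    data: str = ""        # registry data (reg_set)
    dest_host: str = ""   # remote host (netconn)
    dest_port: int = 0    # remote port (netconn)


def check_event(ev: Event) -> list[str]:
    """Return human-readable findings for one telemetry record."""
    findings = []
    if ev.kind == "reg_set":
        if WINLOGON_USERINIT.search(ev.target):
            for extra in userinit_extras(ev.data):
                findings.append(f"Winlogon UserInit extended with {extra}")
        m = RUN_KEY.search(ev.target)
        if m:
            if m.group(1).lower() == RUN_KEY_NAME.lower():
                findings.append(f"Run key '{m.group(1)}' matches DarkComet reg_key")
            if ev.data.lower().startswith(INSTALL_DIR.lower()):
                findings.append(f"Run key '{m.group(1)}' points into {INSTALL_DIR}")
    elif ev.kind == "process":
        if ev.image.lower().startswith(INSTALL_DIR.lower() + "\\"):
            findings.append(f"process launched from {INSTALL_DIR}: {ev.image}")
    elif ev.kind == "netconn":
        if ev.dest_host.lower() in C2_HOSTS:
            findings.append(f"connection to configured C2 {ev.dest_host}:{ev.dest_port}")
        elif ev.dest_port == C2_PORT:
            findings.append(f"connection on C2 port {C2_PORT} to unlisted host {ev.dest_host} (low confidence)")
    return findings


def scan(events: list[Event]) -> dict[str, list[str]]:
    """Group findings by originating image; images with no findings are omitted."""
    report: dict[str, list[str]] = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            report.setdefault(ev.image, []).extend(hits)
    return report


# Constructed telemetry: the registry and process events the report shows,
# one constructed beacon to the configured C2, and two benign records.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe")
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit"
SAMPLE_EVENTS = [
    Event("reg_set", SAMPLE_EXE, target=WINLOGON,
          data=r"C:\Windows\system32\userinit.exe,C:\Windows\Windupdt\winupdate.exe"),
    Event("reg_set", SAMPLE_EXE,
          target=r"HKU\S-1-5-21-3385717845-2518323428-350143044-1000"
                 r"\Software\Microsoft\Windows\CurrentVersion\Run\Winupdater",
          data=r"C:\Windows\Windupdt\winupdate.exe"),
    Event("process", r"C:\Windows\Windupdt\winupdate.exe"),
    Event("netconn", r"C:\Windows\Windupdt\winupdate.exe",
          dest_host="emincan.no-ip.org", dest_port=1604),
    # Benign: the stock UserInit value rewritten with its trailing comma.
    Event("reg_set", r"C:\Windows\regedit.exe", target=WINLOGON,
          data=r"C:\Windows\system32\userinit.exe,"),
    # Benign: an ordinary per-user Run entry outside the install directory.
    Event("reg_set", r"C:\Windows\explorer.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          data=r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS).items():
        print(image)
        for h in hits:
            print("   ", h)
```

Run as a script, it lists the original sample with three findings (the UserInit extension and both Run key checks) and winupdate.exe with two (launch from the install directory and the beacon), while the two benign records produce nothing. On a real host the same checks apply to Sysmon Event ID 13, 1 and 3 records after mapping their fields onto Event; the UserInit check is worth keeping even without DarkComet indicators, since any second entry in that value is suspicious.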
Processes
C:\Users\Admin\AppData\Local\Temp\cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe (PID 520)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\notepad.exe (PID 1488, child of 520; the WoW64 copy of notepad.exe, so the launching sample is a 32-bit process)
    Command line: notepad
    - Deletes itself
  C:\Windows\Windupdt\winupdate.exe (PID 828, child of 520)
    Command line: "C:\Windows\Windupdt\winupdate.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Windows\Windupdt\winupdate.exe (also recorded as \Windows\Windupdt\winupdate.exe; the original report lists this file six times with identical values)
Filesize: 756KB
MD5: 7492e20402c6b8b0a59e276bda7319b8
SHA1: fbaa2a0b58d6728b0e1dc08d13f9a9132277016e
SHA256: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237
SHA512: 02dfff656da997e75ca0ab99f6f8b51d5cf4d9cd709ff5779a36a8d57a386382c270a06ba31d89f9a417c24ffbb7230238f005815889844c5a38edd7814faa9f
The dropped winupdate.exe has the same size and hashes as the submitted sample: the installer copies itself byte-for-byte into C:\Windows\Windupdt\ rather than unpacking a separate payload, so one set of hashes covers both the initial file and the persistent copy.
memory/520-54-0x0000000075351000-0x0000000075353000-memory.dmp
Filesize: 8KB
memory/828-58-0x0000000000000000-mapping.dmp
memory/1488-55-0x0000000000000000-mapping.dmp