Analysis
- max time kernel: 190s
- max time network: 231s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 14:11
Behavioral task behavioral1
- Sample: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
- Resource: win7-20221111-en
Behavioral task behavioral2
- Sample: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
- Resource: win10v2004-20221111-en
General
- Target: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
- Size: 756KB
- MD5: 7492e20402c6b8b0a59e276bda7319b8
- SHA1: fbaa2a0b58d6728b0e1dc08d13f9a9132277016e
- SHA256: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237
- SHA512: 02dfff656da997e75ca0ab99f6f8b51d5cf4d9cd709ff5779a36a8d57a386382c270a06ba31d89f9a417c24ffbb7230238f005815889844c5a38edd7814faa9f
- SSDEEP: 12288:09HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hfU:4Z1xuVVjfFoynPaVBUR8f+kN10EBu
Malware Config
Extracted: darkcomet
- Campaign ID: Kurban
- C2: emincan.no-ip.org:1604
- C2: 127.0.0.1:1604 (loopback fallback entry left in the config; it never reaches an attacker host)
- Mutex: DC_MUTEX-YSZXZA3
- InstallPath: Windupdt\winupdate.exe (relative to the Windows directory; matches the dropped file C:\Windows\Windupdt\winupdate.exe below)
- gencode: EXR6B1nK6pfE
- install: true
- offline_keylogger: true
- persistence: false (this is only the builder's own persistence option; the Run key and Winlogon UserInit entries recorded under Signatures below were still observed at runtime)
- reg_key: Winupdater (the value name used for the Run key entry below)
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Windupdt\\winupdate.exe" (process: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe). UserInit is a comma-separated list of programs Winlogon launches at logon; appending the dropped binary after the legitimate userinit.exe starts the RAT in every interactive session.
Executes dropped EXE (1 IoC)
Processes: winupdate.exe
- PID 2288: winupdate.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation (process: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winupdater = "C:\\Windows\\Windupdt\\winupdate.exe" (process: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe)
Drops file in Windows directory (3 IoCs)
Processes: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
- File opened for modification: C:\Windows\Windupdt\ (process: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe)
- File created: C:\Windows\Windupdt\winupdate.exe (process: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe)
- File opened for modification: C:\Windows\Windupdt\winupdate.exe (process: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; for a DarkComet RAT, drive enumeration is consistent with its remote file-browser functionality and is not by itself evidence of encryption activity.
Modifies registry class (1 IoC)
Processes: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe)
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe, winupdate.exe
Both processes enable the same 24 privileges on their token, 24 IoCs each:
- PID 2444 (cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 2288 (winupdate.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
The numeric entries are privilege LUIDs the sandbox did not resolve to names: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege. Enabling every privilege held by the token in one sweep, rather than the one or two a program needs, is the behaviour this signature keys on.
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: winupdate.exe
- PID 2288: winupdate.exe (consistent with the offline_keylogger option set in the extracted config)
Suspicious use of WriteProcessMemory (20 IoCs)
Processes: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
- PID 2444 (cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe) wrote to memory of PID 3528 (notepad.exe): 17 writes
- PID 2444 (cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe) wrote to memory of PID 2288 (winupdate.exe): 3 writes
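The two registry IoCs above (the UserInit hijack and the Run key) are the host-side artefacts a responder most needs to recognise, and the extracted config already tells us where the binary lives. The following is an added example, not part of the sandbox report: a small Python detector that parses "Set value (str)" lines in the report's own format, flags any UserInit entry other than the real userinit.exe, flags Run/RunOnce values that point at the config's InstallPath or at a non-standard folder under the Windows directory, and rebuilds a clean UserInit value. The first two sample lines are copied from the report; the third is a constructed benign default so the detector has a negative case. Assumptions, labelled in the code: the system root is C:\Windows, and Windows' default UserInit data is the userinit.exe path followed by a trailing comma.

```python
"""Detector for the Winlogon UserInit and Run-key persistence seen above.
Added example; not part of the sandbox report or of DarkComet itself."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Two "Set value (str)" lines taken from the report above, plus one constructed
# benign line (Windows' default UserInit data) as a negative test case.
IOC_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Windupdt\\winupdate.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winupdater = "C:\\Windows\\Windupdt\\winupdate.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"',  # constructed, benign
]

# InstallPath from the extracted DarkComet config (relative to the Windows directory).
INSTALL_PATH = r"Windupdt\winupdate.exe"

# Assumption: the system root is C:\Windows, as in the process tree of this report.
SYSTEM_ROOT = r"c:\windows"
EXPECTED_USERINIT = SYSTEM_ROOT + r"\system32\userinit.exe"
EXPECTED_USERINIT_DISPLAY = r"C:\Windows\system32\userinit.exe"
SYSTEM_DIRS = (SYSTEM_ROOT + "\\system32\\", SYSTEM_ROOT + "\\syswow64\\")

# Report format: Set value (str) <key path>\<value name> = "<string data>"
# where backslashes inside the quoted data are escaped as "\\".
SET_VALUE_RE = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>.*)"$')


@dataclass
class Finding:
    rule: str
    key: str     # full registry value path
    target: str  # the offending program path


def parse_set_value(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (key_path, value_name, data) for a 'Set value (str)' line, else None."""
    m = SET_VALUE_RE.match(line.strip())
    if not m:
        return None
    key_path, _, value_name = m.group("key").rpartition("\\")
    data = m.group("data").replace("\\\\", "\\")  # undo the report's escaping
    return key_path, value_name, data


def userinit_entries(data: str) -> List[str]:
    """UserInit is a comma-separated list of programs Winlogon runs at logon."""
    return [p.strip() for p in data.split(",") if p.strip()]


def clean_userinit(data: str) -> str:
    """Rebuild UserInit keeping only the genuine userinit.exe entry.
    Assumption: Windows' default form is the path followed by a trailing comma."""
    keep = [p for p in userinit_entries(data) if p.lower() == EXPECTED_USERINIT]
    return ",".join(keep or [EXPECTED_USERINIT_DISPLAY]) + ","


def scan(lines: Iterable[str]) -> List[Finding]:
    """Apply both persistence rules to report lines and return the findings."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_set_value(line)
        if parsed is None:
            continue  # not a string-value write; other IoC kinds are out of scope here
        key_path, value_name, data = parsed
        value_path = key_path + "\\" + value_name
        kp = key_path.lower()
        if kp.endswith("\\winlogon") and value_name.lower() == "userinit":
            # Any program besides the real userinit.exe is a logon-time hijack.
            for entry in userinit_entries(data):
                if entry.lower() != EXPECTED_USERINIT:
                    findings.append(Finding("winlogon_userinit_hijack", value_path, entry))
        elif kp.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            target = data.strip('"')
            t = target.lower()
            points_at_install = t.endswith("\\" + INSTALL_PATH.lower())
            # A binary under the Windows directory but outside System32/SysWOW64
            # is where this family (and many droppers) park their copy.
            odd_windows_dir = t.startswith(SYSTEM_ROOT + "\\") and not t.startswith(SYSTEM_DIRS)
            if points_at_install or odd_windows_dir:
                findings.append(Finding("run_key_dropped_binary", value_path, target))
    return findings


if __name__ == "__main__":
    for f in scan(IOC_LINES):
        print(f"{f.rule}: {f.key} -> {f.target}")
```

The UserInit rule deliberately compares whole entries rather than searching for a substring, so an attacker cannot hide by reordering the list or by placing the real userinit.exe last; remediation is to write `clean_userinit()`'s result back to the value and delete the dropped file, not just the Run key, since either entry alone is enough to relaunch the RAT.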
Processes
- C:\Users\Admin\AppData\Local\Temp\cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe (command line: "C:\Users\Admin\AppData\Local\Temp\cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe")
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\notepad.exe (command line: notepad)
  - Child: C:\Windows\Windupdt\winupdate.exe (command line: "C:\Windows\Windupdt\winupdate.exe")
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Windupdt\winupdate.exe
  - Filesize: 756KB
  - MD5: 7492e20402c6b8b0a59e276bda7319b8
  - SHA1: fbaa2a0b58d6728b0e1dc08d13f9a9132277016e
  - SHA256: cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237
  - SHA512: 02dfff656da997e75ca0ab99f6f8b51d5cf4d9cd709ff5779a36a8d57a386382c270a06ba31d89f9a417c24ffbb7230238f005815889844c5a38edd7814faa9f
  - All four hashes are identical to the submitted sample: the dropped file is a byte-for-byte self-copy, so the sample hashes serve as IoCs for the installed binary as well.
- memory/2288-133-0x0000000000000000-mapping.dmp
- memory/3528-132-0x0000000000000000-mapping.dmp