Analysis
max time kernel: 163s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 14:12
Behavioral task: behavioral1
Sample: cac92ba7a226d877c369403c880f4251391c88409159509e378724b32e57dac5.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: cac92ba7a226d877c369403c880f4251391c88409159509e378724b32e57dac5.exe
Resource: win10v2004-20220901-en
General
Target: cac92ba7a226d877c369403c880f4251391c88409159509e378724b32e57dac5.exe
Size: 756KB
MD5: 861bd0deacbaa5ba7f5fe80f78d1f5b4
SHA1: 59792a6b68904c29cf3baad77f033b64dcca3f5c
SHA256: cac92ba7a226d877c369403c880f4251391c88409159509e378724b32e57dac5
SHA512: d0766f0147e5a2f302cd4adf7be5c34c158b42f78de18ae8731d8274ce9a20cadbd568400953a5382c48780136795bb4f0483612c3ac149fecb9a4b51c09de91
SSDEEP: 12288:u9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hA:6Z1xuVVjfFoynPaVBUR8f+kN10EBq
Malware Config
Extracted
darkcomet
DrHacker
drhacker.no-ip.info:81
DC_MUTEX-4FCVTUB
InstallPath: system.exe
gencode: y381anlYCr2s
install: true
offline_keylogger: true
persistence: false
reg_key: system
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe" | cac92ba7a226d877c369403c880f4251391c88409159509e378724b32e57dac5.exe

Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  2384 | system.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | cac92ba7a226d877c369403c880f4251391c88409159509e378724b32e57dac5.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe" | cac92ba7a226d877c369403c880f4251391c88409159509e378724b32e57dac5.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | process | target process
  PID 2384 set thread context of 2816 | 2384 | system.exe | iexplore.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cac92ba7a226d877c369403c880f4251391c88409159509e378724b32e57dac5.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid | process
  2816 | iexplore.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  pid | process | description (one IoC per token privilege)
  3068 | cac92ba7a226d877c369403c880f4251391c88409159509e378724b32e57dac5.exe | Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 IoCs)
  2384 | system.exe | Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 IoCs)
  2816 | iexplore.exe | Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege (16 IoCs)

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | process
  2816 | iexplore.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description | pid | process | target process
  PID 3068 wrote to memory of 2384 (3 IoCs) | 3068 | cac92ba7a226d877c369403c880f4251391c88409159509e378724b32e57dac5.exe | system.exe
  PID 2384 wrote to memory of 2816 (5 IoCs) | 2384 | system.exe | iexplore.exe
Processes

C:\Users\Admin\AppData\Local\Temp\cac92ba7a226d877c369403c880f4251391c88409159509e378724b32e57dac5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cac92ba7a226d877c369403c880f4251391c88409159509e378724b32e57dac5.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\system.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\system.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\system.exe
Filesize: 756KB
MD5: 861bd0deacbaa5ba7f5fe80f78d1f5b4
SHA1: 59792a6b68904c29cf3baad77f033b64dcca3f5c
SHA256: cac92ba7a226d877c369403c880f4251391c88409159509e378724b32e57dac5
SHA512: d0766f0147e5a2f302cd4adf7be5c34c158b42f78de18ae8731d8274ce9a20cadbd568400953a5382c48780136795bb4f0483612c3ac149fecb9a4b51c09de91

memory/2384-132-0x0000000000000000-mapping.dmp