Analysis
- max time kernel: 153s
- max time network: 199s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
- submitted: 30-11-2022 22:07
Static task: static1
Behavioral task: behavioral1
- Sample: 8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe
- Resource: win7-20220901-en
The signatures, process tree and memory dumps below come from the Windows 10 run (platform windows10-2004_x64, tagged behavioral2 in the YARA matches), not from the Windows 7 task listed here.
General
- Target: 8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe
- Size: 991KB
- MD5: 11e3b2761607342d846c806d3751449d
- SHA1: bfe6ed2330a60bd526b5d8539ad2b42234eaf485
- SHA256: 8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4
- SHA512: 3da48d314f4ef8ae143269316b675f45ab33bca167ea38f9b2842480e240598144e4c742320d73c9c0aed78b8de5667426c79cb08ce33b4122db3b743aab80b1
- SSDEEP: 24576:dysHFwrLe9O5VqIuJo9j9GzqlQ5VqIuJ:wslwLe97IuJo9j9BZIuJ
Malware Config
Extracted
- family: darkcomet
- server ID (campaign name): Guest16
- C2: titus.no-ip.biz:1604
- mutex: DC_MUTEX-ZHXEX9Y
- gencode: 2gyJ6nSw7VhP
- install: false
- offline_keylogger: true
- persistence: false
Note that both install and persistence are off in the builder config, yet the dropped MsCtfMonitor.exe still adds a Run value (see Signatures): persistence here comes from the dropper chain, not from DarkComet's own install routine, so the config flags alone do not predict what lands on disk.
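How a config like the one above is recovered, as an added example (this is not the sandbox's extractor): DarkComet 5.x stores its settings as a hex-encoded, RC4-encrypted block of KEY={VALUE} lines. The RC4 key "#KCMDDC51#-890", the raw field names (SID, NETDATA, MUTEX, GENCODE, INSTALL, OFFLINEK, PERSINST) and their mapping onto the report's field names are taken from public decoders and are assumptions of this example. The sample blob is constructed inside the script by encrypting the values shown above, so it runs offline against a known answer rather than against the real binary.

```python
"""Added example: decode a DarkComet-style configuration blob.

DarkComet 5.x keeps its settings as a hex-encoded, RC4-encrypted block of
KEY={VALUE} lines. The RC4 key and field names below come from public
decoders and are ASSUMPTIONS for this example; they are not taken from the
report, and this is not the sandbox's own extractor.
"""
from typing import Dict, Union

# Assumed RC4 key used by DarkComet 5.1 builds (other versions use other keys).
DC51_KEY = b"#KCMDDC51#-890"

# Assumed mapping from raw DarkComet keys to the field names used in the report.
FIELD_MAP = {
    "SID": "campaign_id",
    "NETDATA": "c2",
    "MUTEX": "mutex",
    "GENCODE": "gencode",
    "INSTALL": "install",
    "OFFLINEK": "offline_keylogger",
    "PERSINST": "persistence",
}
BOOL_FIELDS = {"install", "offline_keylogger", "persistence"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_config(hex_blob: str, key: bytes = DC51_KEY) -> Dict[str, Union[str, bool]]:
    """Hex-decode, RC4-decrypt and parse KEY={VALUE} lines into report-style fields.

    Flag fields carry "1"/"0" and are returned as bools; unknown keys are dropped.
    """
    plain = rc4(key, bytes.fromhex(hex_blob.strip())).decode("latin-1")
    config: Dict[str, Union[str, bool]] = {}
    for line in plain.splitlines():
        if "=" not in line:
            continue
        raw_key, raw_value = line.split("=", 1)
        name = FIELD_MAP.get(raw_key.strip())
        if name is None:
            continue
        value = raw_value.strip().strip("{}")
        config[name] = (value == "1") if name in BOOL_FIELDS else value
    return config


def build_sample_blob(key: bytes = DC51_KEY) -> str:
    """Construct a blob carrying the values from the report so the decoder can be
    exercised offline. The plaintext layout is the assumed DarkComet format."""
    plaintext = "\r\n".join([
        "#BEGIN DARKCOMET DATA --",   # assumed header line; carries no '=' so it is skipped
        "SID={Guest16}",
        "NETDATA={titus.no-ip.biz:1604}",
        "MUTEX={DC_MUTEX-ZHXEX9Y}",
        "GENCODE={2gyJ6nSw7VhP}",
        "INSTALL={0}",
        "OFFLINEK={1}",
        "PERSINST={0}",
        "#EOF DARKCOMET DATA --",
    ]).encode("latin-1")
    return rc4(key, plaintext).hex()


if __name__ == "__main__":
    for field, value in decode_config(build_sample_blob()).items():
        print(f"{field}: {value}")
```

Against a real sample the hex string would be read from the DCDATA resource instead of `build_sample_blob()`; if decryption yields no KEY={VALUE} lines, the build uses a different version key and the assumed `DC51_KEY` is the first thing to change.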
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
- PID 2752 TOKPIC.scr
- PID 4444 MsCtfMonitor.exe
- PID 4712 rtscom.exe
YARA rule match (rule: upx) 5 IoCs
Processes:
- behavioral2/memory/3664-140-0x0000000000400000-0x00000000004BA000-memory.dmp: upx
- behavioral2/memory/3664-141-0x0000000000400000-0x00000000004BA000-memory.dmp: upx
- behavioral2/memory/3664-142-0x0000000000400000-0x00000000004BA000-memory.dmp: upx
- behavioral2/memory/3664-144-0x0000000000400000-0x00000000004BA000-memory.dmp: upx
- behavioral2/memory/3664-143-0x0000000000400000-0x00000000004BA000-memory.dmp: upx
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- 8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe: key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
- TOKPIC.scr: key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
- MsCtfMonitor.exe: key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- MsCtfMonitor.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Activex Application Updater = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe"
Suspicious use of SetThreadContext 2 IoCs
Processes:
- PID 2752 TOKPIC.scr set thread context of PID 3664 AppLaunch.exe
- PID 4712 rtscom.exe set thread context of PID 856 AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but it is a generic heuristic: DarkComet's file-manager module enumerates drives, so on its own this signature is not evidence of encryption activity.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 2752 TOKPIC.scr: 63 entries
- PID 4444 MsCtfMonitor.exe: 1 entry
Suspicious use of AdjustPrivilegeToken 52 IoCs
Processes:
- PID 4812 8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe: SeDebugPrivilege
- PID 2752 TOKPIC.scr: SeDebugPrivilege
- PID 3664 AppLaunch.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 4444 MsCtfMonitor.exe: SeDebugPrivilege
- PID 4712 rtscom.exe: SeDebugPrivilege
- PID 856 AppLaunch.exe: the same 24 privileges as PID 3664
The two AppLaunch.exe instances are the hollowed hosts: a stock AppLaunch.exe does not enable every privilege in its token, so this is the injected payload running inside it. The unnamed entries 33 to 36 are privilege LUIDs the sandbox did not resolve to names.
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
AppLaunch.exepid process 3664 AppLaunch.exe -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
Parent -> child (number of write events):
- PID 4812 8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe -> PID 2752 TOKPIC.scr (3)
- PID 2752 TOKPIC.scr -> PID 3664 AppLaunch.exe (8)
- PID 2752 TOKPIC.scr -> PID 4444 MsCtfMonitor.exe (3)
- PID 4444 MsCtfMonitor.exe -> PID 4712 rtscom.exe (3)
- PID 4712 rtscom.exe -> PID 856 AppLaunch.exe (8)
The two eight-write pairs are exactly the pairs that also appear under SetThreadContext, i.e. the hollowed AppLaunch.exe hosts.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe" (depth 1)
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\Software\TOKPIC.scr
    command line: "C:\Users\Admin\AppData\Local\Temp\Software\TOKPIC.scr" /S (depth 2)
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (depth 3)
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    -
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe" (depth 3)
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      -
      C:\Users\Admin\AppData\Local\Temp\rtscom.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\rtscom.exe" (depth 4)
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        -
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (depth 5)
          - Suspicious use of AdjustPrivilegeToken
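The SetThreadContext and WriteProcessMemory entries above describe classic process hollowing: TOKPIC.scr and rtscom.exe each start the legitimate .NET host AppLaunch.exe, write into it and replace its thread context, while MsCtfMonitor.exe adds a Run value pointing into AppData. The following added example (not the sandbox's code) turns those two patterns into detection logic run over event records constructed by hand from the PIDs, image paths and registry data on this page; the record schema, the host-binary list and the user-writable path pattern are assumptions of the example.

```python
"""Added example: detect the process-hollowing chain and the Run-key persistence
from sandbox-style event records.

The records in SAMPLE_EVENTS are constructed from the PIDs, image paths and
registry data listed in the report; the dict schema, the host-binary list and
the path patterns are assumptions of this example, not the sandbox's export.
"""
import re
from typing import Dict, List, Tuple

# Signed Microsoft binaries commonly used as hollowing hosts (assumed list).
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "vbc.exe", "cvtres.exe"}
# Anything under a user profile's AppData is writable by that user.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
MSCTF = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe"

# Constructed from the report: one record per process, per parent/child memory
# write pair, per SetThreadContext pair, and the single Run value.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 4812,
     "path": TEMP + r"\8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe"},
    {"type": "process_create", "pid": 2752, "path": TEMP + r"\Software\TOKPIC.scr"},
    {"type": "process_create", "pid": 3664, "path": APPLAUNCH},
    {"type": "process_create", "pid": 4444, "path": MSCTF},
    {"type": "process_create", "pid": 4712, "path": TEMP + r"\rtscom.exe"},
    {"type": "process_create", "pid": 856, "path": APPLAUNCH},
    {"type": "write_process_memory", "pid": 4812, "target_pid": 2752},
    {"type": "write_process_memory", "pid": 2752, "target_pid": 3664},
    {"type": "write_process_memory", "pid": 2752, "target_pid": 4444},
    {"type": "write_process_memory", "pid": 4444, "target_pid": 4712},
    {"type": "write_process_memory", "pid": 4712, "target_pid": 856},
    {"type": "set_thread_context", "pid": 2752, "target_pid": 3664},
    {"type": "set_thread_context", "pid": 4712, "target_pid": 856},
    {"type": "registry_set", "pid": 4444,
     "key": r"\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Activex Application Updater",
     "data": MSCTF},
]


def _image(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_hollowing(events: List[Dict]) -> List[Tuple[int, int, str, str]]:
    """(parent_pid, child_pid, parent_path, child_path) for every pair where the
    parent both wrote into the child and replaced its thread context, the child
    is a known host binary, and the parent itself runs from a user-writable path.
    Plain parent/child writes without a context change (e.g. 4812 -> 2752) are
    ordinary process creation and are not reported."""
    paths = {e["pid"]: e["path"] for e in events if e["type"] == "process_create"}
    wrote = {(e["pid"], e["target_pid"]) for e in events if e["type"] == "write_process_memory"}
    ctx = {(e["pid"], e["target_pid"]) for e in events if e["type"] == "set_thread_context"}
    hits = []
    for parent, child in sorted(wrote & ctx):
        ppath, cpath = paths.get(parent, ""), paths.get(child, "")
        if _image(cpath) in HOLLOW_HOSTS and USER_WRITABLE.search(ppath):
            hits.append((parent, child, ppath, cpath))
    return hits


def find_run_key_persistence(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """(pid, value_name, data) for Run/RunOnce values whose data points into a
    user-writable directory."""
    hits = []
    for e in events:
        if e["type"] == "registry_set" and RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["data"]):
            hits.append((e["pid"], e["key"].rsplit("\\", 1)[-1], e["data"]))
    return hits


if __name__ == "__main__":
    for parent, child, ppath, cpath in find_hollowing(SAMPLE_EVENTS):
        print(f"hollowing: {ppath} (pid {parent}) -> {cpath} (pid {child})")
    for pid, name, data in find_run_key_persistence(SAMPLE_EVENTS):
        print(f"persistence: pid {pid} set Run\\{name} = {data}")
```

Requiring both a memory write and a thread-context change from the same parent keeps ordinary child creation (the 4812 -> 2752 and 4444 -> 4712 writes in this report) out of the hollowing result; the user-writable check on the parent path is what separates a dropper in Temp from an installer legitimately launching a .NET host.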
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Software\TOKPIC.scr
Filesize: 657KB
MD5: 62c2c86b953dd04cf32e9fee22d76230
SHA1: ffbd19d2258626e428fde9d2bd0ef1490c51dc27
SHA256: 1d2c4a3a598236deb6f734232e5b7b488af4cdf1e2fb3e8140723f6ddb4a0482
SHA512: 6021dc679b6467467a5b552e6a8ea2aa76dbd077cd98f4def606b81cee521d48d217cfb81cd7150b68edd6024284db23be68bc4f794169bc4672dc4251c44c52
-
C:\Users\Admin\AppData\Local\Temp\rtscom.exe
Filesize: 657KB
MD5: 62c2c86b953dd04cf32e9fee22d76230
SHA1: ffbd19d2258626e428fde9d2bd0ef1490c51dc27
SHA256: 1d2c4a3a598236deb6f734232e5b7b488af4cdf1e2fb3e8140723f6ddb4a0482
SHA512: 6021dc679b6467467a5b552e6a8ea2aa76dbd077cd98f4def606b81cee521d48d217cfb81cd7150b68edd6024284db23be68bc4f794169bc4672dc4251c44c52
rtscom.exe has the same hashes as TOKPIC.scr: it is the same 657KB binary dropped again under a second name, so one hash covers both files.
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe
Filesize: 8KB
MD5: 893651b0ac929b3280f1345e1b5e0133
SHA1: 363d729f2474a0f71d30a790d90f36e69def86bf
SHA256: f103179a7579ac464240ff1bc31be932d50eabe2df0bbe4f8b5c85e43415ffc9
SHA512: a76e0a6f47d6c1ebe847d5bf650ba60c5bc9c2e33988db7e626affd0e8534882e9367448bb3215bd4515e9159c616d5202456992bce7bcdb3dd19070fc7ab606
MsCtfMonitor.exe is the 8KB stub registered under the Run key; it is the file to hash-hunt for on other hosts, since the 657KB payload is only re-launched through it.
-
-
memory/856-155-0x0000000000000000-mapping.dmp
-
memory/2752-138-0x0000000075000000-0x00000000755B1000-memory.dmp (5.7MB)
-
memory/2752-137-0x0000000075000000-0x00000000755B1000-memory.dmp (5.7MB)
-
memory/2752-133-0x0000000000000000-mapping.dmp
-
memory/3664-143-0x0000000000400000-0x00000000004BA000-memory.dmp (744KB)
-
memory/3664-140-0x0000000000400000-0x00000000004BA000-memory.dmp (744KB)
-
memory/3664-139-0x0000000000000000-mapping.dmp
-
memory/3664-141-0x0000000000400000-0x00000000004BA000-memory.dmp (744KB)
-
memory/3664-142-0x0000000000400000-0x00000000004BA000-memory.dmp (744KB)
-
memory/3664-144-0x0000000000400000-0x00000000004BA000-memory.dmp (744KB)
-
memory/4444-151-0x0000000075000000-0x00000000755B1000-memory.dmp (5.7MB)
-
memory/4444-145-0x0000000000000000-mapping.dmp
-
memory/4444-153-0x0000000075000000-0x00000000755B1000-memory.dmp (5.7MB)
-
memory/4712-149-0x0000000000000000-mapping.dmp
-
memory/4712-152-0x0000000075000000-0x00000000755B1000-memory.dmp (5.7MB)
-
memory/4712-154-0x0000000075000000-0x00000000755B1000-memory.dmp (5.7MB)
-
memory/4812-136-0x0000000075000000-0x00000000755B1000-memory.dmp (5.7MB)
-
memory/4812-132-0x0000000075000000-0x00000000755B1000-memory.dmp (5.7MB)
The 744KB dumps of 0x400000-0x4BA000 in PID 3664 are the image written into the hollowed AppLaunch.exe (the UPX YARA hits under Signatures); that region is the one to carve and unpack for the injected DarkComet payload.