Analysis
- max time kernel: 150s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 30-11-2022 12:05

Static task: static1
Behavioral task: behavioral1
- Sample: 186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe
- Resource: win7-20220901-en
General
- Target: 186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe
- Size: 851KB
- MD5: 11809afb3c3e1777e6efbb5a426641b0
- SHA1: ef713e6840fa0a049af9816bbdbec262ac5af08e
- SHA256: 186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e
- SHA512: 31d67debfad7af652d494a02fba26bd6fe66900b7ef51769f3aed6b9329028d63a1ac55704ad3221f894e5d637ecbfab6a68b261ed232c30657247d3759ca8c3
- SSDEEP: 24576:A////c5a2YepX2JNU4G55l1FbHcoluFLhA:/HYepVj1Fb8o8
Malware Config
Extracted
- Family: darkcomet
- Botnet: New452012
- C2: airjosh977.no-ip.biz:100
- Mutex: DC_MUTEX-T577G6G
- gencode: WrgUMHjTbCs4
- install: false
- offline_keylogger: true
- password: 0123456789
- persistence: false
Signatures
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process: svchost.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- Modifies security service (2 TTPs, 1 IoCs)
  Process: svchost.exe
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
- Windows security bypass
  Process: svchost.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Executes dropped EXE (1 IoCs)
  Process: svchost.exe (PID 820)
- Loads dropped DLL (1 IoCs)
  Process: 186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe (PID 1300)
- Windows security modification
  Process: svchost.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Suspicious use of SetThreadContext (1 IoCs)
  - PID 1300 (186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe) set thread context of PID 820 (svchost.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  - PID 1300 (186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe): Token: SeDebugPrivilege
  - PID 820 (svchost.exe): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Process: svchost.exe (PID 820)
- Suspicious use of WriteProcessMemory (13 IoCs)
  - PID 1300 (186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe) wrote to memory of PID 820 (svchost.exe), 13 times
- System policy modification (1 TTPs, 3 IoCs)
  Process: svchost.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
Processes
- C:\Users\Admin\AppData\Local\Temp\186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe (PID 1300)
  Command line: "C:\Users\Admin\AppData\Local\Temp\186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 820)
    Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\svchost.exe (also listed as \Users\Admin\AppData\Local\Temp\svchost.exe)
  - Filesize: 31KB
  - MD5: ed797d8dc2c92401985d162e42ffa450
  - SHA1: 0f02fc517c7facc4baefde4fe9467fb6488ebabe
  - SHA256: b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
  - SHA512: e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2
- memory/820-N-0x0000000000400000-0x00000000004BD000-memory.dmp, Filesize 756KB, for N in 57, 58, 60, 62, 64, 66, 67, 69, 71, 74, 77, 78, 79
- memory/820-72-0x0000000000490888-mapping.dmp
- memory/1300-55-0x0000000074270000-0x000000007481B000-memory.dmp, Filesize 5.7MB
- memory/1300-76-0x0000000074270000-0x000000007481B000-memory.dmp, Filesize 5.7MB
- memory/1300-54-0x00000000757A1000-0x00000000757A3000-memory.dmp, Filesize 8KB