Analysis
max time kernel: 192s
max time network: 196s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 15:02
Static task: static1
Behavioral task: behavioral1
Sample: a029c91d07df53bb4e724184ad01a764363e7d0195890683ae4191ca19481453.exe
Resource: win7-20221111-en
Note: the behaviour, process tree and memory dumps shown on this page come from the win10v2004 run (the dump paths are tagged behavioral2); the behavioral1 task on win7-20221111-en is listed but its results are not shown here.
General
Target: a029c91d07df53bb4e724184ad01a764363e7d0195890683ae4191ca19481453.exe
Size: 578KB
MD5: 2d13c3a38b55a070d9e61fccbbbd8993
SHA1: 607f920a98692246daefcc5459383d054f095d71
SHA256: a029c91d07df53bb4e724184ad01a764363e7d0195890683ae4191ca19481453
SHA512: 8dd1de589cf104a5d572cb9d352617c105c061500b862301e583c624cb6740a883fbf07173f31bbcb2228b32b6a04610b53a24296d75b6444649b53661ec109d
SSDEEP: 12288:kjzbCJ6ZP75FamPi2eNi8nKEaWMugN6WzzugmYj6weqcZRKLbUL:kjHU6pGy5etKEaWMP6WzWi4J
Malware Config
Extracted: darkcomet
Botnet: Guest16
C2: thefinalblood1.no-ip.biz:1604
Mutex: DC_MUTEX-QY19XK4
Attributes:
- gencode: XlKMq2Lwge2E
- install: false
- offline_keylogger: true
- persistence: false
Note: install and persistence are both false in the extracted DarkComet configuration, yet the report records a Run key being written. That key is set by the outer executable (PID 1520), the same process that hollows vbc.exe, so the persistence comes from the wrapper around the DarkComet build rather than from the DarkComet configuration itself. The C2 is a dynamic-DNS hostname (no-ip.biz) on DarkComet's default port 1604.
Signatures

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: 2560 attrib.exe, 2584 attrib.exe

UPX-packed memory region (yara rule `upx`, 5 IoCs)
The rule hits the same 0x00400000-0x004B7000 image range of the hollowed vbc.exe (PID 2104) at every capture point:
- behavioral2/memory/2104-133-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/2104-134-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/2104-136-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/2104-138-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/2104-139-0x0000000000400000-0x00000000004B7000-memory.dmp

Uses the VBS compiler for execution (1 TTP)
vbc.exe is the .NET Visual Basic command-line compiler (a signed Microsoft binary), not a VBScript engine. It is started with no arguments and serves only as the host process for the injected payload (see SetThreadContext and WriteProcessMemory below).

Adds Run key to start application (2 TTPs, 4 IoCs)
Process: a029c91d07df53bb4e724184ad01a764363e7d0195890683ae4191ca19481453.exe (PID 1520)
- Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Acrobat = "C:\Users\Admin\AppData\Roaming\Microsoft\System\Services\Adobe Acrobat.exe"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Acrobat = "C:\Users\Admin\AppData\Roaming\Microsoft\System\Services\Adobe Acrobat.exe"
The value name imitates a vendor product while the path points into the user's roaming profile; the same value is written to both the per-user and the WOW6432Node machine-wide Run key.

Suspicious use of SetThreadContext (1 IoC)
PID 1520 (a029c91d07df53bb4e724184ad01a764363e7d0195890683ae4191ca19481453.exe) set the thread context of PID 2104 (vbc.exe). Combined with the eight WriteProcessMemory calls from 1520 into 2104 listed below, this is the process-hollowing pattern: start the host suspended, write the payload image, redirect the entry point with SetThreadContext, resume.

Drops file in Windows directory (2 IoCs)
Process: attrib.exe
- File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
- File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727
No new file is written under C:\Windows; both entries are the +s +h attribute changes applied to the existing host binary and its directory.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: 2104 vbc.exe

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Process: 2104 vbc.exe, enabling: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
Process: 2104 vbc.exe (a message hook, consistent with the offline_keylogger=true setting in the extracted config)

Suspicious use of WriteProcessMemory (42 IoCs), grouped by source and target:
- PID 1520 a029c91d07df53bb4e724184ad01a764363e7d0195890683ae4191ca19481453.exe wrote to PID 2104 vbc.exe: 8 times
- PID 2104 vbc.exe wrote to PID 3880 cmd.exe: 3 times
- PID 2104 vbc.exe wrote to PID 3604 cmd.exe: 3 times
- PID 3880 cmd.exe wrote to PID 2584 attrib.exe: 3 times
- PID 3604 cmd.exe wrote to PID 2560 attrib.exe: 3 times
- PID 2104 vbc.exe wrote to PID 3272 notepad.exe: 22 times
The three-write bursts from a parent into a child it has just created recur for every ordinary launch in the tree; the outliers are the 8 writes into vbc.exe (the hollowing) and the 22 writes into notepad.exe, which the report shows being started by the hollowed vbc.exe with no command-line arguments.

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: 2560 attrib.exe, 2584 attrib.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\a029c91d07df53bb4e724184ad01a764363e7d0195890683ae4191ca19481453.exe (PID 1520)
   Command line: "C:\Users\Admin\AppData\Local\Temp\a029c91d07df53bb4e724184ad01a764363e7d0195890683ae4191ca19481453.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2104)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (PID 3880)
         Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\attrib.exe (PID 2584)
            Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
            - Sets file to hidden
            - Drops file in Windows directory
            - Views/modifies file attributes

      3. C:\Windows\SysWOW64\cmd.exe (PID 3604)
         Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\attrib.exe (PID 2560)
            Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            - Sets file to hidden
            - Drops file in Windows directory
            - Views/modifies file attributes

      3. C:\Windows\SysWOW64\notepad.exe (PID 3272)
         Command line: notepad

Note: the command lines name C:\Windows\System32\cmd.exe but the images that ran are under C:\Windows\SysWOW64, because the 32-bit vbc.exe host (Framework, not Framework64) is subject to WOW64 file-system redirection. The payload hides its own host binary and the directory containing it with attrib +s +h, using cmd /k, which leaves each cmd.exe running after attrib finishes.
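The three behaviours this report documents (vbc.exe started with no arguments by a binary in a user-writable directory and then hollowed, the injected code hiding its own host with attrib +s +h through cmd.exe, and a Run key whose target sits under AppData\Roaming) are each detectable from ordinary process-creation and registry telemetry without any DarkComet-specific signature. The following is an added example, not code from the sandbox vendor or from the page: it encodes the PIDs, paths and command lines from this report as constructed Sysmon-style records (EventID 1 for process creation, EventID 13 for registry value set; that record shape is an assumption), adds four made-up benign events as negative controls, and runs three hunting checks over them.

```python
"""Hunting checks for the behaviours in this report, run over constructed
Sysmon-style events. Added example: the event shape is an assumption, the
PIDs, paths and command lines come from the report, and PIDs 4000-4003 are
made-up benign controls (a real compile, and a user hiding a document)."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\a029c91d07df53bb4e724184ad01a764363e7d0195890683ae4191ca19481453.exe")
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
VBC_DIR = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
ACROBAT = r"C:\Users\Admin\AppData\Roaming\Microsoft\System\Services\Adobe Acrobat.exe"
RUN_HKU = (r"\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000"
           r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Acrobat")
RUN_HKLM = (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
            r"\CurrentVersion\Run\Adobe Acrobat")


def proc(pid, ppid, image, cmdline):
    return {"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "CommandLine": cmdline}


def regset(pid, target, details):
    return {"EventID": 13, "ProcessId": pid, "TargetObject": target, "Details": details}


EVENTS = [  # constructed from the report's process tree and registry IoCs
    proc(1520, None, SAMPLE, f'"{SAMPLE}"'),
    regset(1520, RUN_HKU, ACROBAT),
    regset(1520, RUN_HKLM, ACROBAT),
    proc(2104, 1520, VBC, VBC),  # compiler started with no arguments
    proc(3880, 2104, r"C:\Windows\SysWOW64\cmd.exe",
         f'"C:\\Windows\\System32\\cmd.exe" /k attrib "{VBC}" +s +h'),
    proc(2584, 3880, r"C:\Windows\SysWOW64\attrib.exe", f'attrib "{VBC}" +s +h'),
    proc(3604, 2104, r"C:\Windows\SysWOW64\cmd.exe",
         f'"C:\\Windows\\System32\\cmd.exe" /k attrib "{VBC_DIR}" +s +h'),
    proc(2560, 3604, r"C:\Windows\SysWOW64\attrib.exe", f'attrib "{VBC_DIR}" +s +h'),
    proc(3272, 2104, r"C:\Windows\SysWOW64\notepad.exe", "notepad"),
    # Benign controls (constructed, not from the report).
    proc(4000, 1, r"C:\Program Files\dotnet\MSBuild.exe", "MSBuild.exe app.vbproj"),
    proc(4001, 4000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe",
         r'vbc.exe /noconfig @"C:\Users\dev\AppData\Local\Temp\tmp1.rsp"'),
    proc(4002, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    proc(4003, 4002, r"C:\Windows\System32\attrib.exe",
         r'attrib +h "C:\Users\dev\Documents\notes.txt"'),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def win_argv(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def hollow_host_candidates(events):
    """vbc.exe launched with no arguments by a parent living in a user-writable
    directory: a compiler with nothing to compile is only useful as an injection host."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    hits = []
    for e in by_pid.values():
        if not e["Image"].lower().endswith(r"\vbc.exe"):
            continue
        parent = by_pid.get(e["ParentProcessId"])
        if (len(win_argv(e["CommandLine"])) == 1 and parent
                and USER_WRITABLE.search(parent["Image"])):
            hits.append(e["ProcessId"])
    return hits


def self_hiding_chain(events):
    """attrib +s +h run through cmd.exe against the grandparent's own image, or the
    directory holding it. Returns the PIDs of the processes hiding themselves."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    hits = set()
    for e in by_pid.values():
        if not e["Image"].lower().endswith(r"\attrib.exe"):
            continue
        argv = [a.lower() for a in win_argv(e["CommandLine"])]
        if not {"+s", "+h"} <= set(argv):
            continue
        parent = by_pid.get(e["ParentProcessId"])
        grand = by_pid.get(parent["ParentProcessId"]) if parent else None
        if grand is None:
            continue
        image = grand["Image"].lower()
        for target in (a for a in argv[1:] if a and a[0] not in "+-/"):
            if image == target or image.startswith(target.rstrip("\\") + "\\"):
                hits.add(grand["ProcessId"])
    return sorted(hits)


def roaming_run_keys(events):
    """Run-key values whose target executable sits under AppData\\Roaming, with the
    PID that wrote them (here the dropper, 1520, not the hollowed vbc.exe)."""
    return [(e["ProcessId"], e["TargetObject"].rsplit("\\", 1)[-1], e["Details"])
            for e in events
            if e["EventID"] == 13 and "\\CurrentVersion\\Run\\" in e["TargetObject"]
            and re.search(r"\\AppData\\Roaming\\.*\.exe$", e["Details"], re.I)]
```

Against these events `hollow_host_candidates` returns `[2104]`, `self_hiding_chain` returns `[2104]` (both the file-level and the directory-level attrib map back to the vbc.exe host), and `roaming_run_keys` returns the two "Adobe Acrobat" values, both attributed to PID 1520. The MSBuild-driven vbc.exe and the interactive `attrib +h` are not reported. The self-hiding check keys on the grandparent relationship rather than on the literal vbc.exe path, so it also covers other hollowing hosts, and the Run-key check deliberately ignores the value name, since "Adobe Acrobat" is arbitrary.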
Downloads (memory dumps)
- memory/1520-135-0x00000000746D0000-0x0000000074C81000-memory.dmp (5.7MB)
- memory/1520-137-0x00000000746D0000-0x0000000074C81000-memory.dmp (5.7MB)
- memory/2104-132-0x0000000000000000-mapping.dmp
- memory/2104-133-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
- memory/2104-134-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
- memory/2104-136-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
- memory/2104-138-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
- memory/2104-139-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
- memory/2560-143-0x0000000000000000-mapping.dmp
- memory/2584-142-0x0000000000000000-mapping.dmp
- memory/3272-144-0x0000000000000000-mapping.dmp
- memory/3604-141-0x0000000000000000-mapping.dmp
- memory/3880-140-0x0000000000000000-mapping.dmp
The 0x00400000-0x004B7000 dumps of PID 2104 are the image written into the hollowed vbc.exe; they are the regions the `upx` yara rule matched, so an unpacked DarkComet payload should be recoverable from them rather than from the 578KB dropper on disk.