Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 18:33
Behavioral tasks
- behavioral1: sample b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe, resource win7-20220901-en
- behavioral2: sample b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe, resource win10v2004-20220901-en
General
- Target: b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe
- Size: 814KB
- MD5: 74230b48a3527617281d77d88a876591
- SHA1: eb36e4e7a0a4a18cafe4405988542f3742aee86e
- SHA256: b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964
- SHA512: b3275c8f4d4069f81ac5467d641ef9fc7b36de8fcdfd97d2e47c22a3c894a494dc143cb4d5a4da85434f9d38a636ea2b31151c06e7d8f32f582fef0497dc9aec
- SSDEEP: 12288:LifsksSl+IUfUGkk0lzSqfJhUIgWc4S5m48kA+WWgNhUO2NncLBwvgRTGJIKW3/u:eHZUZNaqWHgRRORBwvgRuS/81L
Malware Config
Extracted family: darkcomet
- Server: thaneveenz.no-ip.biz:1604
- Mutex: DC_MUTEX-NZWP5K5
- InstallPath: Program Files\winupdate\winupdate.exe
- gencode: 7Jojid436QAA
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Program Files\\winupdate\\winupdate.exe" (process: b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe)
- ModiLoader Second Stage (3 IoCs)
  YARA rule modiloader_stage2 matched on C:\Program Files\winupdate\winupdate.exe (3 matches)
- Executes dropped EXE (2 IoCs)
  PID 4148 winupdate.exe
  PID 424 winupdate.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Program Files\\winupdate\\winupdate.exe" (process: winupdate.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Program Files\\winupdate\\winupdate.exe" (process: b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 2620 (b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe) set thread context of PID 5068 (b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe)
  PID 4148 (winupdate.exe) set thread context of PID 424 (winupdate.exe)
- Drops file in Program Files directory (3 IoCs)
  File created: C:\Program Files\winupdate\winupdate.exe (process: b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe)
  File opened for modification: C:\Program Files\winupdate\winupdate.exe (process: b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe)
  File opened for modification: C:\Program Files\winupdate\ (process: b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  PID 5068 (b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe) and PID 424 (winupdate.exe) each adjusted their token for the same 24 privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges reported only by number 33, 34, 35 and 36.
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 424 winupdate.exe
- Suspicious use of WriteProcessMemory (35 IoCs)
  PID 2620 (b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe) wrote to memory of PID 5068 (b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe): 5 events
  PID 5068 (b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe) wrote to memory of PID 4148 (winupdate.exe): 3 events
  PID 4148 (winupdate.exe) wrote to memory of PID 424 (winupdate.exe): 5 events
  PID 424 (winupdate.exe) wrote to memory of PID 4636 (notepad.exe): 22 events
Processes
- C:\Users\Admin\AppData\Local\Temp\b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe (PID 2620), command line: "C:\Users\Admin\AppData\Local\Temp\b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe (PID 5068), command line: "C:\Users\Admin\AppData\Local\Temp\b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\winupdate\winupdate.exe (PID 4148), command line: "C:\Program Files\winupdate\winupdate.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\winupdate\winupdate.exe (PID 424), command line: "C:\Program Files\winupdate\winupdate.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\notepad.exe (PID 4636), command line: notepad
Downloads
- C:\Program Files\winupdate\winupdate.exe
  - Filesize: 814KB
  - MD5: 74230b48a3527617281d77d88a876591
  - SHA1: eb36e4e7a0a4a18cafe4405988542f3742aee86e
  - SHA256: b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964
  - SHA512: b3275c8f4d4069f81ac5467d641ef9fc7b36de8fcdfd97d2e47c22a3c894a494dc143cb4d5a4da85434f9d38a636ea2b31151c06e7d8f32f582fef0497dc9aec
- memory/424-140-0x0000000000000000-mapping.dmp
- memory/424-146-0x0000000000400000-0x00000000004CA000-memory.dmp (Filesize: 808KB)
- memory/424-147-0x0000000000400000-0x00000000004CA000-memory.dmp (Filesize: 808KB)
- memory/4148-137-0x0000000000000000-mapping.dmp
- memory/4636-145-0x0000000000000000-mapping.dmp
- memory/5068-135-0x0000000000400000-0x00000000004CA000-memory.dmp (Filesize: 808KB)
- memory/5068-136-0x0000000000400000-0x00000000004CA000-memory.dmp (Filesize: 808KB)
- memory/5068-134-0x0000000000400000-0x00000000004CA000-memory.dmp (Filesize: 808KB)
- memory/5068-133-0x0000000000400000-0x00000000004CA000-memory.dmp (Filesize: 808KB)
- memory/5068-132-0x0000000000000000-mapping.dmp