Analysis
max time kernel: 154s
max time network: 187s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted: 30-11-2022 20:17
Static task: static1
Behavioral task: behavioral1
Sample: 89da62d223755847c74cc8dd33afa6120efd33b66e087f701748659d27df5e4e.exe
Resource: win7-20220812-en
General
Target: 89da62d223755847c74cc8dd33afa6120efd33b66e087f701748659d27df5e4e.exe
Size: 664KB
MD5: 8eb6a2700352d17d461213477e70ba2f
SHA1: adc7a744c8b7ca15135e47db44be6ccd2614bec7
SHA256: 89da62d223755847c74cc8dd33afa6120efd33b66e087f701748659d27df5e4e
SHA512: 71c9222131e72b80ae850e18a30466c013c2cd43f914156685b9e1da7a569b94e01682b0254e746f0cc0b5f90a7eb2b9a8947725cb723865563c53f6f23985a4
SSDEEP: 12288:9IWId8kNmDiaUgb0ovPCn7xTKX6WJyqLJVln+iRoKf6YDKmg9fQINvz:GTmDias7xKX1V+imUH+mH4
Malware Config
Extracted
darkcomet
DC
WalruusHOST.NO-IP.Biz:1604
DC_MUTEX-TLS5WDH
gencode: x3l1XdbXHCdo
install: false
offline_keylogger: false
persistence: false
Signatures

Processes:
resource                                                                       yara_rule
behavioral2/memory/3228-134-0x0000000000400000-0x00000000004B7000-memory.dmp   upx
behavioral2/memory/3228-135-0x0000000000400000-0x00000000004B7000-memory.dmp   upx
behavioral2/memory/3228-137-0x0000000000400000-0x00000000004B7000-memory.dmp   upx
behavioral2/memory/3228-138-0x0000000000400000-0x00000000004B7000-memory.dmp   upx
behavioral2/memory/3228-139-0x0000000000400000-0x00000000004B7000-memory.dmp   upx
behavioral2/memory/3228-140-0x0000000000400000-0x00000000004B7000-memory.dmp   upx

Uses the VBS compiler for execution  1 TTPs

Adds Run key to start application  2 TTPs  1 IoCs
Processes: 89da62d223755847c74cc8dd33afa6120efd33b66e087f701748659d27df5e4e.exe
description       ioc                                                                                                                                                               process
Set value (str)   \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BOOT-IN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOOT-IN.exe"   89da62d223755847c74cc8dd33afa6120efd33b66e087f701748659d27df5e4e.exe

Suspicious use of SetThreadContext  1 IoCs
Processes: 89da62d223755847c74cc8dd33afa6120efd33b66e087f701748659d27df5e4e.exe
description                            pid    process                                                                 target process
PID 4308 set thread context of 3228    4308   89da62d223755847c74cc8dd33afa6120efd33b66e087f701748659d27df5e4e.exe   vbc.exe

Suspicious use of AdjustPrivilegeToken  24 IoCs
Processes: vbc.exe
description                                pid    process
Token: SeIncreaseQuotaPrivilege            3228   vbc.exe
Token: SeSecurityPrivilege                 3228   vbc.exe
Token: SeTakeOwnershipPrivilege            3228   vbc.exe
Token: SeLoadDriverPrivilege               3228   vbc.exe
Token: SeSystemProfilePrivilege            3228   vbc.exe
Token: SeSystemtimePrivilege               3228   vbc.exe
Token: SeProfSingleProcessPrivilege        3228   vbc.exe
Token: SeIncBasePriorityPrivilege          3228   vbc.exe
Token: SeCreatePagefilePrivilege           3228   vbc.exe
Token: SeBackupPrivilege                   3228   vbc.exe
Token: SeRestorePrivilege                  3228   vbc.exe
Token: SeShutdownPrivilege                 3228   vbc.exe
Token: SeDebugPrivilege                    3228   vbc.exe
Token: SeSystemEnvironmentPrivilege        3228   vbc.exe
Token: SeChangeNotifyPrivilege             3228   vbc.exe
Token: SeRemoteShutdownPrivilege           3228   vbc.exe
Token: SeUndockPrivilege                   3228   vbc.exe
Token: SeManageVolumePrivilege             3228   vbc.exe
Token: SeImpersonatePrivilege              3228   vbc.exe
Token: SeCreateGlobalPrivilege             3228   vbc.exe
Token: 33                                  3228   vbc.exe
Token: 34                                  3228   vbc.exe
Token: 35                                  3228   vbc.exe
Token: 36                                  3228   vbc.exe

Suspicious use of WriteProcessMemory  8 IoCs
Processes: 89da62d223755847c74cc8dd33afa6120efd33b66e087f701748659d27df5e4e.exe
description                         pid    process                                                                 target process
PID 4308 wrote to memory of 3228    4308   89da62d223755847c74cc8dd33afa6120efd33b66e087f701748659d27df5e4e.exe   vbc.exe
PID 4308 wrote to memory of 3228    4308   89da62d223755847c74cc8dd33afa6120efd33b66e087f701748659d27df5e4e.exe   vbc.exe
PID 4308 wrote to memory of 3228    4308   89da62d223755847c74cc8dd33afa6120efd33b66e087f701748659d27df5e4e.exe   vbc.exe
PID 4308 wrote to memory of 3228    4308   89da62d223755847c74cc8dd33afa6120efd33b66e087f701748659d27df5e4e.exe   vbc.exe
PID 4308 wrote to memory of 3228    4308   89da62d223755847c74cc8dd33afa6120efd33b66e087f701748659d27df5e4e.exe   vbc.exe
PID 4308 wrote to memory of 3228    4308   89da62d223755847c74cc8dd33afa6120efd33b66e087f701748659d27df5e4e.exe   vbc.exe
PID 4308 wrote to memory of 3228    4308   89da62d223755847c74cc8dd33afa6120efd33b66e087f701748659d27df5e4e.exe   vbc.exe
PID 4308 wrote to memory of 3228    4308   89da62d223755847c74cc8dd33afa6120efd33b66e087f701748659d27df5e4e.exe   vbc.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\89da62d223755847c74cc8dd33afa6120efd33b66e087f701748659d27df5e4e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\89da62d223755847c74cc8dd33afa6120efd33b66e087f701748659d27df5e4e.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/3228-133-0x0000000000000000-mapping.dmp
memory/3228-134-0x0000000000400000-0x00000000004B7000-memory.dmp   Filesize: 732KB
memory/3228-135-0x0000000000400000-0x00000000004B7000-memory.dmp   Filesize: 732KB
memory/3228-137-0x0000000000400000-0x00000000004B7000-memory.dmp   Filesize: 732KB
memory/3228-138-0x0000000000400000-0x00000000004B7000-memory.dmp   Filesize: 732KB
memory/3228-139-0x0000000000400000-0x00000000004B7000-memory.dmp   Filesize: 732KB
memory/3228-140-0x0000000000400000-0x00000000004B7000-memory.dmp   Filesize: 732KB
memory/4308-132-0x0000000075180000-0x0000000075731000-memory.dmp   Filesize: 5.7MB
memory/4308-136-0x0000000075180000-0x0000000075731000-memory.dmp   Filesize: 5.7MB