Analysis
-
max time kernel
151s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system -
submitted
01-12-2022 07:04
Static task
static1
Behavioral task
behavioral1
Sample
879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe
Resource
win7-20220901-en
General
-
Target
879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe
-
Size
1.5MB
-
MD5
9f846304ca03af9cd8c24364305f51d6
-
SHA1
bf0f159c9f477058f6f4b1af7c91b18a3bfc4d49
-
SHA256
879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad
-
SHA512
d61ca65e9f0fec86f049f23b9913f7c56440b522a9636641e167f51b24cec36f6260d96905ecac1fdc28c1669094d6e574dcaa70d04ad3c3060912f437f1c77f
-
SSDEEP
24576:n/y/69r+q6e/2YeY+yTZ8h7IETl/GjNwBVSInELrKE0Wx8fglv/K:nKEiql2Y9iEGGjNxJXUIllv/K
Malware Config
Extracted
darkcomet
bot
canardwc.zapto.org:1604
DC_MUTEX-VSDJA8C
-
gencode
E9ARHzMPTXjL
-
install
false
-
offline_keylogger
true
-
persistence
false
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
pid process
988 patch.exe
836 patch.exe
1884 CRACK_~1.EXE
-
Processes:
resource yara_rule
\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe upx
\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe upx
\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe upx
behavioral1/memory/988-70-0x0000000000400000-0x000000000067E000-memory.dmp upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe upx
behavioral1/memory/988-84-0x0000000000400000-0x000000000067E000-memory.dmp upx
\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe upx
-
Loads dropped DLL 6 IoCs
Processes:
pid process
1768 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe
988 patch.exe
988 patch.exe
1768 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe
836 patch.exe
1884 CRACK_~1.EXE
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description ioc process
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run patch.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ecran = "\"\\.exeTrue\"" patch.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description pid process target process
PID 988 set thread context of 836 988 patch.exe patch.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
description pid process
Token: SeIncreaseQuotaPrivilege 836 patch.exe
Token: SeSecurityPrivilege 836 patch.exe
Token: SeTakeOwnershipPrivilege 836 patch.exe
Token: SeLoadDriverPrivilege 836 patch.exe
Token: SeSystemProfilePrivilege 836 patch.exe
Token: SeSystemtimePrivilege 836 patch.exe
Token: SeProfSingleProcessPrivilege 836 patch.exe
Token: SeIncBasePriorityPrivilege 836 patch.exe
Token: SeCreatePagefilePrivilege 836 patch.exe
Token: SeBackupPrivilege 836 patch.exe
Token: SeRestorePrivilege 836 patch.exe
Token: SeShutdownPrivilege 836 patch.exe
Token: SeDebugPrivilege 836 patch.exe
Token: SeSystemEnvironmentPrivilege 836 patch.exe
Token: SeChangeNotifyPrivilege 836 patch.exe
Token: SeRemoteShutdownPrivilege 836 patch.exe
Token: SeUndockPrivilege 836 patch.exe
Token: SeManageVolumePrivilege 836 patch.exe
Token: SeImpersonatePrivilege 836 patch.exe
Token: SeCreateGlobalPrivilege 836 patch.exe
Token: 33 836 patch.exe
Token: 34 836 patch.exe
Token: 35 836 patch.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid process
836 patch.exe
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
description pid process target process
PID 1768 wrote to memory of 988 1768 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe patch.exe
PID 1768 wrote to memory of 988 1768 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe patch.exe
PID 1768 wrote to memory of 988 1768 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe patch.exe
PID 1768 wrote to memory of 988 1768 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe patch.exe
PID 1768 wrote to memory of 988 1768 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe patch.exe
PID 1768 wrote to memory of 988 1768 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe patch.exe
PID 1768 wrote to memory of 988 1768 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe patch.exe
PID 988 wrote to memory of 836 988 patch.exe patch.exe
PID 988 wrote to memory of 836 988 patch.exe patch.exe
PID 988 wrote to memory of 836 988 patch.exe patch.exe
PID 988 wrote to memory of 836 988 patch.exe patch.exe
PID 988 wrote to memory of 836 988 patch.exe patch.exe
PID 988 wrote to memory of 836 988 patch.exe patch.exe
PID 988 wrote to memory of 836 988 patch.exe patch.exe
PID 988 wrote to memory of 836 988 patch.exe patch.exe
PID 988 wrote to memory of 836 988 patch.exe patch.exe
PID 988 wrote to memory of 836 988 patch.exe patch.exe
PID 988 wrote to memory of 836 988 patch.exe patch.exe
PID 988 wrote to memory of 836 988 patch.exe patch.exe
PID 988 wrote to memory of 836 988 patch.exe patch.exe
PID 988 wrote to memory of 836 988 patch.exe patch.exe
PID 988 wrote to memory of 836 988 patch.exe patch.exe
PID 1768 wrote to memory of 1884 1768 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe CRACK_~1.EXE
PID 1768 wrote to memory of 1884 1768 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe CRACK_~1.EXE
PID 1768 wrote to memory of 1884 1768 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe CRACK_~1.EXE
PID 1768 wrote to memory of 1884 1768 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe CRACK_~1.EXE
PID 1768 wrote to memory of 1884 1768 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe CRACK_~1.EXE
PID 1768 wrote to memory of 1884 1768 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe CRACK_~1.EXE
PID 1768 wrote to memory of 1884 1768 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe CRACK_~1.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe
"C:\Users\Admin\AppData\Local\Temp\879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1768
  -
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:988
    -
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:836
  -
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CRACK_~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CRACK_~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1884
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CRACK_~1.EXE
Filesize
1.0MB
MD5
8a2b12a27fdf10348d290d79f9ec9e79
SHA1
13581a9f08ef3f16610ef14f3760b7d5bfdc4b38
SHA256
a5fa1c7ae5396a27a9e746062060535ed77c6acf06da1cf783656e0066ad770b
SHA512
4570dd1710895ea2de81c181bf1a015d4ef064cb5cfb536219f63ff07ba32030f3f1ec3b4574ad54f12a40bb719bd0798f7e22a6e7ac842f3966ad94067edfa3
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
Filesize
1.0MB
MD5
9378cd24a793c9b90fddf97d92d1b09c
SHA1
899eab9097900a28a294d0f63d480202b89be6fa
SHA256
775e2482bc8399f664d447887707a2b796f059dd531a83d299179a64f31fbf58
SHA512
600407dd8acacedac9415245492cf7a1e6f18418ef3faed72bf7c12579ad0616cc99278ba9b0988d8432c2d4d362a8059f02e4d95c9e7a85e660eace02c5cb12
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CRACK_~1.EXE
Filesize
1.0MB
MD5
8a2b12a27fdf10348d290d79f9ec9e79
SHA1
13581a9f08ef3f16610ef14f3760b7d5bfdc4b38
SHA256
a5fa1c7ae5396a27a9e746062060535ed77c6acf06da1cf783656e0066ad770b
SHA512
4570dd1710895ea2de81c181bf1a015d4ef064cb5cfb536219f63ff07ba32030f3f1ec3b4574ad54f12a40bb719bd0798f7e22a6e7ac842f3966ad94067edfa3
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
Filesize
1.0MB
MD5
9378cd24a793c9b90fddf97d92d1b09c
SHA1
899eab9097900a28a294d0f63d480202b89be6fa
SHA256
775e2482bc8399f664d447887707a2b796f059dd531a83d299179a64f31fbf58
SHA512
600407dd8acacedac9415245492cf7a1e6f18418ef3faed72bf7c12579ad0616cc99278ba9b0988d8432c2d4d362a8059f02e4d95c9e7a85e660eace02c5cb12
-
memory/836-78-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize
712KB
-
memory/836-62-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize
712KB
-
memory/836-75-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize
712KB
-
memory/836-76-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize
712KB
-
memory/836-99-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize
712KB
-
memory/836-98-0x0000000000CD0000-0x0000000000F4E000-memory.dmp
Filesize
2.5MB
-
memory/836-65-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize
712KB
-
memory/836-97-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize
712KB
-
memory/836-80-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize
712KB
-
memory/836-83-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize
712KB
-
memory/836-71-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize
712KB
-
memory/836-81-0x000000000048F888-mapping.dmp
-
memory/836-96-0x0000000000CD0000-0x0000000000F4E000-memory.dmp
Filesize
2.5MB
-
memory/836-68-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize
712KB
-
memory/836-87-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize
712KB
-
memory/836-91-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize
712KB
-
memory/836-63-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize
712KB
-
memory/988-72-0x0000000000D90000-0x000000000100E000-memory.dmp
Filesize
2.5MB
-
memory/988-56-0x0000000000000000-mapping.dmp
-
memory/988-84-0x0000000000400000-0x000000000067E000-memory.dmp
Filesize
2.5MB
-
memory/988-70-0x0000000000400000-0x000000000067E000-memory.dmp
Filesize
2.5MB
-
memory/988-74-0x0000000003690000-0x000000000390E000-memory.dmp
Filesize
2.5MB
-
memory/1768-66-0x00000000024B0000-0x000000000272E000-memory.dmp
Filesize
2.5MB
-
memory/1768-54-0x0000000076961000-0x0000000076963000-memory.dmp
Filesize
8KB
-
memory/1884-88-0x0000000000000000-mapping.dmp