Analysis
- max time kernel: 243s
- max time network: 177s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 01-12-2022 10:03
Behavioral task: behavioral1
- Sample: 45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae.exe
- Resource: win7-20221111-en
General
- Target: 45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae.exe
- Size: 660KB
- MD5: 0092838bfe137c5b3cb81384cc752a10
- SHA1: 58135f256464a3b4fc82473244f45da8dadd0048
- SHA256: 45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae
- SHA512: 452aa9eab9363ce4cc0d763632389496905aa46def3d2338831175d6a90f1466bf96914b759b18892e00933db6b83bcbdae266f515bf6259ce88905784323155
- SSDEEP: 12288:0XhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452UG:inAw2WWeFcfbP9VPSPMTSPL/rWvzq4JW
Malware Config
Extracted
- Family: darkcomet
- Botnet: Tim
- C2: trollo.zapto.org:1605
- Mutex: DC_MUTEX-4CC7RLB
- InstallPath: svhost\svhost.exe
- gencode: iKWKGxcC6jL6
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: svhost
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: 45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost\\svhost.exe" (45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae.exe)
-
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: svhost.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (svhost.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (svhost.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (svhost.exe)
-
Modifies security service (2 TTPs, 1 IoCs)
Processes: svhost.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (svhost.exe)
-
Windows security bypass (2 IoCs)
Processes: svhost.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (svhost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (svhost.exe)
-
Disables RegEdit via registry modification (1 IoCs)
Processes: svhost.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (svhost.exe)
-
Executes dropped EXE (1 IoCs)
Processes: svhost.exe
- PID 1908: svhost.exe
-
Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
- PID 676: attrib.exe
- PID 888: attrib.exe
-
Loads dropped DLL (2 IoCs)
Processes: 45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae.exe
- PID 964: 45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae.exe
- PID 964: 45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae.exe
-
Windows security modification (2 IoCs)
Processes: svhost.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (svhost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (svhost.exe)
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost\\svhost.exe" (45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae.exe)
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: svhost.exe
- PID 1908: svhost.exe
-
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: 45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae.exe, svhost.exe
- PID 964 (45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae.exe), 23 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 1908 (svhost.exe), 23 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
-
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: svhost.exe
- PID 1908: svhost.exe
-
Suspicious use of WriteProcessMemory (43 IoCs)
Processes: 45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae.exe, cmd.exe, cmd.exe, svhost.exe
- PID 964 (45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae.exe) wrote to memory of PID 720 (cmd.exe): 4 entries
- PID 964 (45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae.exe) wrote to memory of PID 1112 (cmd.exe): 4 entries
- PID 720 (cmd.exe) wrote to memory of PID 676 (attrib.exe): 4 entries
- PID 1112 (cmd.exe) wrote to memory of PID 888 (attrib.exe): 4 entries
- PID 964 (45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae.exe) wrote to memory of PID 1908 (svhost.exe): 4 entries
- PID 1908 (svhost.exe) wrote to memory of PID 528 (notepad.exe): 23 entries
-
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes: attrib.exe, attrib.exe
- PID 888: attrib.exe
- PID 676: attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (depth 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (depth 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Users\Admin\AppData\Local\Temp\svhost\svhost.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost\svhost.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe (depth 3)
      Command line: notepad
Downloads
-
C:\Users\Admin\AppData\Local\Temp\svhost\svhost.exe
- Filesize: 660KB
- MD5: 0092838bfe137c5b3cb81384cc752a10
- SHA1: 58135f256464a3b4fc82473244f45da8dadd0048
- SHA256: 45f86cc0ed0de5f415a780debfbed189cef5baf07276af805e16513a5c4ccbae
- SHA512: 452aa9eab9363ce4cc0d763632389496905aa46def3d2338831175d6a90f1466bf96914b759b18892e00933db6b83bcbdae266f515bf6259ce88905784323155
-
Memory dumps:
- memory/528-64-0x0000000000000000-mapping.dmp
- memory/676-57-0x0000000000000000-mapping.dmp
- memory/720-55-0x0000000000000000-mapping.dmp
- memory/888-58-0x0000000000000000-mapping.dmp
- memory/964-54-0x0000000076771000-0x0000000076773000-memory.dmp (Filesize: 8KB)
- memory/1112-56-0x0000000000000000-mapping.dmp
- memory/1908-61-0x0000000000000000-mapping.dmp