Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted
01-12-2022 10:03
Behavioral task
behavioral1
Sample
3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Resource
win7-20220901-en
General
-
Target
3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
-
Size
356KB
-
MD5
6665f5e35cc8a79573b7a60f42793ad5
-
SHA1
38f5f0131b63098f9fab7f6cdfb91b80999d4d94
-
SHA256
3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53
-
SHA512
0a2578d4f15a2fb755a299b21fa5492b42e4c943178ad075a44412a0161aea6580d19543a06bff00c6f62d2626a678b0c0c2b802253312b042e06a98dc5adecf
-
SSDEEP
6144:BcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL378CfCY:BcW7KEZlPzCy378kC
Malware Config
Extracted
Family
darkcomet
Botnet
nmp1
C2
nhatnhoa.no-ip.org:9998
Mutex
DC_MUTEX-6SF0UYS
-
InstallPath
MSDCSC\svhost.exe
-
gencode
f9Jslnn1jp65
-
install
true
-
offline_keylogger
true
-
password
jimmynmp
-
persistence
false
-
reg_key
MicroUpdate
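The fields above are what a config extractor pulls out of the binary. The Python below is an added example, not code from the sandbox or from the DarkComet RAT: it shows the round trip from a DCDATA-style resource blob to the key/value fields listed above. The storage layout it assumes (an RCDATA resource holding hex-encoded RC4 ciphertext under the per-version key "#KCMDDC51#-890", one KEY={VALUE} line per setting) follows published DarkComet 5.x decoders; this page does not state the sample's DarkComet version, so the key table, the KEY-to-field mapping and the plaintext/ciphertext used here are assumptions and constructed test data, not bytes taken from the sample.

```python
"""Decode a DarkComet-style DCDATA config blob into the fields the report shows.

Added example. Assumptions (from published DarkComet 5.x decoders, not from
this page): the config is an RCDATA resource named DCDATA, stored as the hex
encoding of RC4 ciphertext keyed with a per-version constant, and the
plaintext is one KEY={VALUE} line per setting between two banner lines.
"""
from __future__ import annotations

import re
from binascii import hexlify, unhexlify

# Per-version RC4 keys as documented for DarkComet builds (assumption).
RC4_KEYS = {
    "5.1": b"#KCMDDC51#-890",
    "5.0": b"#KCMDDC5#-890",
    "4.2F": b"#KCMDDC42F#-890",
    "4.2": b"#KCMDDC42#-890",
    "4.0": b"#KCMDDC4#-890",
    "2.x/3.x": b"#KCMDDC2#-890",
}

# DarkComet config key -> field name used in the report's "Malware Config" block.
FIELD_MAP = {
    "SID": "botnet",
    "NETDATA": "c2",
    "MUTEX": "mutex",
    "EDTPATH": "InstallPath",
    "GENCODE": "gencode",
    "INSTALL": "install",
    "OFFLINEK": "offline_keylogger",
    "PWD": "password",
    "PERSINST": "persistence",
    "KEYNAME": "reg_key",
}
BOOL_FIELDS = {"install", "offline_keylogger", "persistence"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


LINE_RE = re.compile(rb"^([A-Z]+)=\{(.*)\}$")


def parse_config(plaintext: bytes) -> dict:
    """Turn KEY={VALUE} lines into the report's field names and types."""
    cfg = {}
    for line in plaintext.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner lines such as '#BEGIN DARKCOMET DATA --'
        key, value = m.group(1).decode(), m.group(2).decode("latin-1")
        name = FIELD_MAP.get(key)
        if name is None:
            continue  # settings the report does not surface
        cfg[name] = (value == "1") if name in BOOL_FIELDS else value
    return cfg


def decode_dcdata(hex_blob: bytes) -> tuple[str, dict]:
    """Try every known key; accept the first that yields a plausible config."""
    raw = unhexlify(hex_blob.strip())
    for version, key in RC4_KEYS.items():
        plain = rc4(key, raw)
        if b"NETDATA={" in plain and b"MUTEX={" in plain:
            return version, parse_config(plain)
    raise ValueError("no known DarkComet RC4 key decrypted the blob")


# Constructed plaintext built from the values in the report (not sample bytes).
CONSTRUCTED_PLAINTEXT = b"\r\n".join([
    b"#BEGIN DARKCOMET DATA --",
    b"MUTEX={DC_MUTEX-6SF0UYS}",
    b"SID={nmp1}",
    b"NETDATA={nhatnhoa.no-ip.org:9998}",
    b"GENCODE={f9Jslnn1jp65}",
    b"INSTALL={1}",
    b"EDTPATH={MSDCSC\\svhost.exe}",
    b"KEYNAME={MicroUpdate}",
    b"PERSINST={0}",
    b"OFFLINEK={1}",
    b"PWD={jimmynmp}",
    b"#EOF DARKCOMET DATA --",
])
# The "resource" as it would sit in the PE: RC4 under the 5.1 key, then hex-encoded.
CONSTRUCTED_DCDATA = hexlify(rc4(RC4_KEYS["5.1"], CONSTRUCTED_PLAINTEXT))

if __name__ == "__main__":
    version, cfg = decode_dcdata(CONSTRUCTED_DCDATA)
    print("key version:", version)
    for k, v in cfg.items():
        print(f"{k:>18}: {v}")
```

Against a real sample you would replace CONSTRUCTED_DCDATA with the DCDATA resource read out of the PE (for example with pefile) and let decode_dcdata try the key table; the NETDATA/MUTEX check is what stops a wrong key's garbage from being accepted.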
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\svhost.exe" by 3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe (PID 4252)
Winlogon runs every comma-separated entry in UserInit at each interactive logon, so appending the dropped svhost.exe after the legitimate userinit.exe starts the RAT on logon without breaking the logon itself. The config's persistence=false does not contradict this: the sandbox observed both this value and the Run key below being written.
Executes dropped EXE 1 IoCs
pid 308, Process svhost.exe
yara_rule upx matched 5 resources:
- behavioral2/memory/4252-132-0x0000000000400000-0x00000000004EA000-memory.dmp
- behavioral2/files/0x0002000000022e63-134.dat
- behavioral2/files/0x0002000000022e63-135.dat
- behavioral2/memory/308-136-0x0000000000400000-0x00000000004EA000-memory.dmp
- behavioral2/memory/308-137-0x0000000000400000-0x00000000004EA000-memory.dmp
The dropped file and the mapped images of PID 4252 and PID 308 all match the UPX rule over the same 0x400000-0x4EA000 range, consistent with svhost.exe being a copy of the submitted sample (the Downloads section shows identical hashes).
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\svhost.exe" 3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe -
Suspicious use of SetThreadContext 1 IoCs
PID 308 (svhost.exe) set thread context of PID 916 (iexplore.exe), procid_target 82
svhost.exe spawned iexplore.exe, wrote into it (see WriteProcessMemory below) and then reset its thread context: the sequence that characterises process hollowing. The SetWindowsHookEx and GetForegroundWindowSpam behaviour attributed to iexplore.exe further down is therefore the RAT's keylogger running under the browser's name, not Internet Explorer's own activity.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for a DarkComet RAT, which ships a remote file manager, drive enumeration is expected functionality rather than evidence of encryption.
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 916 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
All three processes request the same set of privileges on their own token (the usual "enable everything" loop over AdjustTokenPrivileges):
- PID 4252 (3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe), 24 entries: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 308 (svhost.exe), 24 entries: the same list in the same order
- PID 916 (iexplore.exe), 16 entries: SeIncreaseQuotaPrivilege through SeRemoteShutdownPrivilege in the same order; the listing stops there because 24 + 24 + 16 reaches the signature's 64-IoC cap, which is why the iexplore.exe entry looks shorter
The bare numbers are privilege LUIDs the sandbox did not name: 33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege, 36 SeDelegateSessionUserImpersonatePrivilege. Requesting a privilege the token does not hold simply fails with ERROR_NOT_ALL_ASSIGNED, so this list records what was requested, not what was granted.
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 916 iexplore.exe -
Suspicious use of WriteProcessMemory 8 IoCs
- PID 4252 (3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe) wrote to memory of PID 308 (svhost.exe), 3 times (procid_target 81)
- PID 308 (svhost.exe) wrote to memory of PID 916 (iexplore.exe), 5 times (procid_target 82)
Only the second pair is accompanied by SetThreadContext (see above).
Processes
-
C:\Users\Admin\AppData\Local\Temp\3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe (PID 4252, level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\Documents\MSDCSC\svhost.exe (PID 308, level 2, child of PID 4252)
  Command line: "C:\Users\Admin\Documents\MSDCSC\svhost.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 916, level 3, child of PID 308)
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
356KB
MD5
6665f5e35cc8a79573b7a60f42793ad5
SHA1
38f5f0131b63098f9fab7f6cdfb91b80999d4d94
SHA256
3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53
SHA512
0a2578d4f15a2fb755a299b21fa5492b42e4c943178ad075a44412a0161aea6580d19543a06bff00c6f62d2626a678b0c0c2b802253312b042e06a98dc5adecf
-
Both downloadable file entries carry exactly these hashes, which are also the hashes of the submitted sample: the dropped MSDCSC\svhost.exe is a byte-for-byte copy of the original executable, so blocking or hunting on the sample's hash covers the installed copy as well.