Analysis
max time kernel: 153s
max time network: 85s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 01-12-2022 10:15
Behavioral task: behavioral1
Sample: b00873e05729f1a9924e57e66594cfda4af9869824ee3a5069aad9de0fc37411.exe
Resource: win7-20221111-en
General
Target: b00873e05729f1a9924e57e66594cfda4af9869824ee3a5069aad9de0fc37411.exe
Size: 411KB
MD5: 8ad534532990d0621cf1786d380ae9dd
SHA1: 9c1ccd4ff0874f2912dadebd318bf44886d9f1f4
SHA256: b00873e05729f1a9924e57e66594cfda4af9869824ee3a5069aad9de0fc37411
SHA512: 3a36a93740e2cd8805372522bfe7149802f0891977e2a0dbb2b50362966fa586e4854807bdabcdc9fdd34a40908d607343cfda1a2c27174b8aeaea4ee296c7dc
SSDEEP: 12288:mlghoSqHNJ/Jj0l5e7kurPQHr5wv1hlajScDlu:sg2HNb0lM7z0Wv6Dlu
Malware Config
Extracted family: darkcomet
Main (C2): youknowwhat.zapto.org:8568
Mutex: DC_MUTEX-RSSVB20
gencode: 1cfcWSgmK4PV
install: false
offline_keylogger: true
persistence: false
Signatures
Executes dropped EXE (2 IoCs)
  pid   process
  1456  Stage2.exe
  1580  Stage1.exe
Sets file to hidden (1 TTPs, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid   process
  1340  attrib.exe
  932   attrib.exe
Resources matching yara_rule upx:
  \Users\Admin\AppData\Local\Temp\Stage2.exe
  \Users\Admin\AppData\Local\Temp\Stage2.exe
  C:\Users\Admin\AppData\Local\Temp\Stage2.exe
  C:\Users\Admin\AppData\Local\Temp\Stage2.exe
  behavioral1/memory/972-60-0x0000000000400000-0x0000000000424000-memory.dmp
  behavioral1/memory/1456-63-0x0000000000400000-0x0000000000443000-memory.dmp
  behavioral1/memory/1456-64-0x0000000000400000-0x0000000000443000-memory.dmp
Loads dropped DLL (4 IoCs)
  pid  process
  972  b00873e05729f1a9924e57e66594cfda4af9869824ee3a5069aad9de0fc37411.exe (4 entries)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   process
  1580  Stage1.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Process 1580 Stage1.exe adjusted the following token privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   process
  1580  Stage1.exe
Suspicious use of WriteProcessMemory (47 IoCs)
  pid   process                                                                  target pid  target process  entries
  972   b00873e05729f1a9924e57e66594cfda4af9869824ee3a5069aad9de0fc37411.exe  1456        Stage2.exe      4
  972   b00873e05729f1a9924e57e66594cfda4af9869824ee3a5069aad9de0fc37411.exe  1580        Stage1.exe      4
  1580  Stage1.exe                                                               1524        cmd.exe         4
  1580  Stage1.exe                                                               276         cmd.exe         4
  276   cmd.exe                                                                  1340        attrib.exe      4
  1524  cmd.exe                                                                  932         attrib.exe      4
  1580  Stage1.exe                                                               1576        notepad.exe     23
Views/modifies file attributes (1 TTPs, 2 IoCs)
  pid   process
  1340  attrib.exe
  932   attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b00873e05729f1a9924e57e66594cfda4af9869824ee3a5069aad9de0fc37411.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b00873e05729f1a9924e57e66594cfda4af9869824ee3a5069aad9de0fc37411.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Stage2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Stage2.exe" x -y -oC:\Users\Admin\AppData\Local\Temp -pxnq8rPMxVI87ciGwWJHxRTy3iauHcIirteOOELv3B5vkS9kJoHBUAahY1dWxj8yA
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\Stage1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Stage1.exe"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Stage1.exe" +s +h
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\Stage1.exe" +s +h
        - Sets file to hidden
        - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Sets file to hidden
        - Views/modifies file attributes
    C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Stage1.exe
  Filesize: 691KB
  MD5: c4d571eb966b037c2061aa29fb01943f
  SHA1: f802ea85030ddfde9e642b7b38c9e28bb65c03e8
  SHA256: 3fd7ce3f71f9b39db14f25dffe37cbc64f7959e34ecedf6b2ae5139d46805ab0
  SHA512: 46899fbfe5bdeeb5043c205ca5e10c76e54a4c7976ec012d466a097b334502228485fc2b5343f97eaa40f2ef8f9120fa601b60dc8f6a53b7b8c41a8820ab8ab1
C:\Users\Admin\AppData\Local\Temp\Stage2.exe
  Filesize: 364KB
  MD5: 955ec61291fa76ee822e2153f7fe6d51
  SHA1: 92502e7d90dffcfb116415c4972fcb348f4df3e3
  SHA256: 08dcd36115164e9d44cd2d28dd4e2ac89783f1246cdcde6ebc5f3a4e16752c96
  SHA512: 754c8e20539826ad207187e6bff2801faf106eef86fe0864992528d1b45e74e540002e7862202564cdec0733c0793dee839fbab7b5ab764c0dc3a7a9c41ab610
memory/276-72-0x0000000000000000-mapping.dmp
memory/932-74-0x0000000000000000-mapping.dmp
memory/972-62-0x00000000023F0000-0x0000000002433000-memory.dmp (Filesize: 268KB)
memory/972-61-0x00000000023F0000-0x0000000002433000-memory.dmp (Filesize: 268KB)
memory/972-60-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
memory/972-54-0x0000000075D01000-0x0000000075D03000-memory.dmp (Filesize: 8KB)
memory/1340-73-0x0000000000000000-mapping.dmp
memory/1456-64-0x0000000000400000-0x0000000000443000-memory.dmp (Filesize: 268KB)
memory/1456-57-0x0000000000000000-mapping.dmp
memory/1456-63-0x0000000000400000-0x0000000000443000-memory.dmp (Filesize: 268KB)
memory/1524-71-0x0000000000000000-mapping.dmp
memory/1576-75-0x0000000000000000-mapping.dmp
memory/1580-68-0x0000000000000000-mapping.dmp