Analysis
- max time kernel: 231s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
- submitted: 02-12-2022 23:28
Static task: static1
Behavioral task: behavioral1
Sample: ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe
Resource: win7-20221111-en
General
- Target: ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe
- Size: 534KB
- MD5: 8093d7e4d74c549ee8c185c655f47e65
- SHA1: 4cefa845db22a23f0cb5e1b99ad8a1bcd5795ccc
- SHA256: ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d
- SHA512: 954e90d6b857e8cac84137e12ddb9d775ece68eabbebdea5a5651a172b7a52f76443ba0cbeef980161839b2192e0be9e0903808d0544e49b92ee02ce2cbb474d
- SSDEEP: 12288:Hhqmauq42dSMeIdh07uRCxBzh9pVnfLSPijpmcUHlMSn8qcpuT:HhqmauqW8tAxBLdjpmoI08
Malware Config
Extracted
- Family: darkcomet
- Botnet: HF
- C2: cyber-dos.no-ip.org:1337
- Mutex: DC_MUTEX-EYQES59
- InstallPath: java32\java.exe
- gencode: vP5N1dBnHx0W
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: java
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: vbc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\java32\\java.exe" | vbc.exe
-
Executes dropped EXE (1 IoCs)
Processes: java.exe
  pid | process
  928 | java.exe
-
Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
  pid | process
  1548 | attrib.exe
  1680 | attrib.exe
-
Processes:
  resource | yara_rule
  behavioral1/memory/664-57-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/664-59-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/664-60-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/664-62-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/664-64-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/664-65-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/664-68-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
-
Loads dropped DLL (1 IoCs)
Processes: vbc.exe
  pid | process
  664 | vbc.exe
-
Uses the VBS compiler for execution (1 TTPs)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: vbc.exe, ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\system32\\java32\\java.exe" | vbc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindosU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindosU.exe" | ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe
-
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe
  description | ioc | process
  File opened for modification | C:\autorun.inf | ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe
  File created | D:\autorun.inf | ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe
  File opened for modification | D:\autorun.inf | ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe
  File created | C:\autorun.inf | ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe
-
Drops file in System32 directory (3 IoCs)
Processes: vbc.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\java32\java.exe | vbc.exe
  File opened for modification | C:\Windows\SysWOW64\java32\java.exe | vbc.exe
  File opened for modification | C:\Windows\SysWOW64\java32\ | vbc.exe
-
Suspicious use of SetThreadContext (1 IoCs)
Processes: ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe
  description | pid | process | target process
  PID 572 set thread context of 664 | 572 | ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe | vbc.exe
-
Drops file in Windows directory (2 IoCs)
Processes: attrib.exe, attrib.exe
  description | ioc | process
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | attrib.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | attrib.exe
-
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes: vbc.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 664 | vbc.exe
  Token: SeSecurityPrivilege | 664 | vbc.exe
  Token: SeTakeOwnershipPrivilege | 664 | vbc.exe
  Token: SeLoadDriverPrivilege | 664 | vbc.exe
  Token: SeSystemProfilePrivilege | 664 | vbc.exe
  Token: SeSystemtimePrivilege | 664 | vbc.exe
  Token: SeProfSingleProcessPrivilege | 664 | vbc.exe
  Token: SeIncBasePriorityPrivilege | 664 | vbc.exe
  Token: SeCreatePagefilePrivilege | 664 | vbc.exe
  Token: SeBackupPrivilege | 664 | vbc.exe
  Token: SeRestorePrivilege | 664 | vbc.exe
  Token: SeShutdownPrivilege | 664 | vbc.exe
  Token: SeDebugPrivilege | 664 | vbc.exe
  Token: SeSystemEnvironmentPrivilege | 664 | vbc.exe
  Token: SeChangeNotifyPrivilege | 664 | vbc.exe
  Token: SeRemoteShutdownPrivilege | 664 | vbc.exe
  Token: SeUndockPrivilege | 664 | vbc.exe
  Token: SeManageVolumePrivilege | 664 | vbc.exe
  Token: SeImpersonatePrivilege | 664 | vbc.exe
  Token: SeCreateGlobalPrivilege | 664 | vbc.exe
  Token: 33 | 664 | vbc.exe
  Token: 34 | 664 | vbc.exe
  Token: 35 | 664 | vbc.exe
-
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe, vbc.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 572 wrote to memory of 664 | 572 | ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe | vbc.exe
  PID 572 wrote to memory of 664 | 572 | ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe | vbc.exe
  PID 572 wrote to memory of 664 | 572 | ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe | vbc.exe
  PID 572 wrote to memory of 664 | 572 | ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe | vbc.exe
  PID 572 wrote to memory of 664 | 572 | ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe | vbc.exe
  PID 572 wrote to memory of 664 | 572 | ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe | vbc.exe
  PID 572 wrote to memory of 664 | 572 | ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe | vbc.exe
  PID 572 wrote to memory of 664 | 572 | ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe | vbc.exe
  PID 664 wrote to memory of 1280 | 664 | vbc.exe | cmd.exe
  PID 664 wrote to memory of 1280 | 664 | vbc.exe | cmd.exe
  PID 664 wrote to memory of 1280 | 664 | vbc.exe | cmd.exe
  PID 664 wrote to memory of 1280 | 664 | vbc.exe | cmd.exe
  PID 664 wrote to memory of 776 | 664 | vbc.exe | cmd.exe
  PID 664 wrote to memory of 776 | 664 | vbc.exe | cmd.exe
  PID 664 wrote to memory of 776 | 664 | vbc.exe | cmd.exe
  PID 664 wrote to memory of 776 | 664 | vbc.exe | cmd.exe
  PID 776 wrote to memory of 1680 | 776 | cmd.exe | attrib.exe
  PID 776 wrote to memory of 1680 | 776 | cmd.exe | attrib.exe
  PID 776 wrote to memory of 1680 | 776 | cmd.exe | attrib.exe
  PID 776 wrote to memory of 1680 | 776 | cmd.exe | attrib.exe
  PID 1280 wrote to memory of 1548 | 1280 | cmd.exe | attrib.exe
  PID 1280 wrote to memory of 1548 | 1280 | cmd.exe | attrib.exe
  PID 1280 wrote to memory of 1548 | 1280 | cmd.exe | attrib.exe
  PID 1280 wrote to memory of 1548 | 1280 | cmd.exe | attrib.exe
  PID 664 wrote to memory of 928 | 664 | vbc.exe | java.exe
  PID 664 wrote to memory of 928 | 664 | vbc.exe | java.exe
  PID 664 wrote to memory of 928 | 664 | vbc.exe | java.exe
  PID 664 wrote to memory of 928 | 664 | vbc.exe | java.exe
-
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes: attrib.exe, attrib.exe
  pid | process
  1548 | attrib.exe
  1680 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d.exe"
  - Adds Run key to start application
  - Drops autorun.inf file
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe
        command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
        - Sets file to hidden
        - Drops file in Windows directory
        - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe
        command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        - Sets file to hidden
        - Drops file in Windows directory
        - Views/modifies file attributes
    - C:\Windows\SysWOW64\java32\java.exe
      command line: "C:\Windows\system32\java32\java.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\SysWOW64\java32\java.exe
Filesize: 1.1MB
MD5: 34aa912defa18c2c129f1e09d75c1d7e
SHA1: 9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98
-
\Windows\SysWOW64\java32\java.exe
Filesize: 1.1MB
MD5: 34aa912defa18c2c129f1e09d75c1d7e
SHA1: 9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98
-
memory/572-55-0x0000000074AD0000-0x000000007507B000-memory.dmp
Filesize: 5.7MB
-
memory/572-75-0x0000000074AD0000-0x000000007507B000-memory.dmp
Filesize: 5.7MB
-
memory/572-54-0x0000000075C11000-0x0000000075C13000-memory.dmp
Filesize: 8KB
-
memory/664-61-0x00000000004B57A0-mapping.dmp
-
memory/664-64-0x0000000000400000-0x00000000004B7000-memory.dmp
Filesize: 732KB
-
memory/664-65-0x0000000000400000-0x00000000004B7000-memory.dmp
Filesize: 732KB
-
memory/664-62-0x0000000000400000-0x00000000004B7000-memory.dmp
Filesize: 732KB
-
memory/664-68-0x0000000000400000-0x00000000004B7000-memory.dmp
Filesize: 732KB
-
memory/664-56-0x0000000000400000-0x00000000004B7000-memory.dmp
Filesize: 732KB
-
memory/664-57-0x0000000000400000-0x00000000004B7000-memory.dmp
Filesize: 732KB
-
memory/664-60-0x0000000000400000-0x00000000004B7000-memory.dmp
Filesize: 732KB
-
memory/664-59-0x0000000000400000-0x00000000004B7000-memory.dmp
Filesize: 732KB
-
memory/776-67-0x0000000000000000-mapping.dmp
-
memory/928-72-0x0000000000000000-mapping.dmp
-
memory/1280-66-0x0000000000000000-mapping.dmp
-
memory/1548-70-0x0000000000000000-mapping.dmp
-
memory/1680-69-0x0000000000000000-mapping.dmp