Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-12-2022 15:36

Static task: static1
Behavioral task: behavioral1
- Sample: 98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
- Resource: win7-20221111-en
General
- Target: 98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
- Size: 2.2MB
- MD5: 39d4cbc86f45b0efedc6f01881412e73
- SHA1: a8d339b3f8d798160f71ee88e36b2a6efa76dded
- SHA256: 98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd
- SHA512: 333711526622d8e5f02c95a8587bd29e4900757566d9f040ec5f14292640a0c6edead0e933d42ced60c7f0b1ae131cecb06ac206d29d52f4983e40ebecf3b5ce
- SSDEEP: 49152:N1vqjd/QNzVG3W34pd9S7TWFrSLRRJN3TCt/RsbMBBdtt:N1vqjV344zeK5SLhRTCtkM5
Malware Config
Extracted
- Family: darkcomet
- Botnet: teste
- C2: hack256.no-ip.biz:1604
- Mutex: DC_MUTEX-CT50HLM
- gencode: U7iklaRPqE51
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  - NOVOSERVIDORFUNCIONANDO.EXE (pid 916)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - 98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe: key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  - PID 3404 set thread context of 4092 (98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe -> 98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes:
  - NOVOSERVIDORFUNCIONANDO.EXE (pid 916), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
  - 98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe (pid 3404), 4 entries
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes:
  - 98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe (pid 3404), 4 entries
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  - NOVOSERVIDORFUNCIONANDO.EXE (pid 916)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  - PID 3404 wrote to memory of 4092 (98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe -> 98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe), 9 entries
  - PID 4092 wrote to memory of 916 (98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe -> NOVOSERVIDORFUNCIONANDO.EXE), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe"
  PID: 3404
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe (level 2, child of 3404)
    Command line: "C:\Users\Admin\AppData\Local\Temp\98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe"
    PID: 4092
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\NOVOSERVIDORFUNCIONANDO.EXE (level 3, child of 4092)
      Command line: "C:\Users\Admin\AppData\Local\Temp\NOVOSERVIDORFUNCIONANDO.EXE"
      PID: 916
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\NOVOSERVIDORFUNCIONANDO.EXE
  Filesize: 660KB
  MD5: c5550cb60687459f2232cc395c8769ff
  SHA1: 7f4199e40ec42b01a937039bfe06237d6f41212a
  SHA256: a94cb8f4c4d61331554dcd3dafc17c07404f1a1a41f127168efd22dcd8b6ce8d
  SHA512: 06c25796d771be8e48296fea9f7bef5c69e10c1a2ee5cf21f40fbfcaf498cae2081ff9930e84e02252dc8bf7d17505b8f2092211d8556197c232436f8652f7b8
- memory/916-137-0x0000000000000000-mapping.dmp
- memory/4092-132-0x0000000000000000-mapping.dmp
- memory/4092-133-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/4092-134-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/4092-135-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/4092-136-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/4092-140-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)