Analysis
- max time kernel: 134s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 02-12-2022 17:41

Static task: static1

Behavioral task: behavioral1
- Sample: 960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe
- Resource: win7-20220812-en
General
- Target: 960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe
- Size: 1.0MB
- MD5: c0304b43e6ce77d2f7f9458efe8cf746
- SHA1: 9e7d5e0f7f55ca1eac754d83b44d061e02605c2f
- SHA256: 960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba
- SHA512: cf74cc38998c297d32d59639edfc61d8028427f7976b30f3a1f92368af1cabf6f72d3be8c982e555e4ffd9faec3e5a689703469a1617a60064b075eef694e814
- SSDEEP: 12288:maF3jFjW7S2Vt/e6ESi+cEhWKg58FsjGApV2Mnb9TLCmv1GT3eU0LoX5C:/TX6/QecEc5Z6ApV5b9TLCmv1GTecX5C
Malware Config

Extracted
- darkcomet
- RAT
- ilya69.no-ip.info:1337
- DCMIN_MUTEX-9HHY8YP
- gencode: E7oxjPKu4NXN
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  set thread context of 1900 | 872 | 960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe | vbc.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: vbc.exe (pid 1900) adjusted the following token privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: vbc.exe (pid 1900)
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
  description | pid | process | target process
  wrote to memory of 1900 | 872 | 960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe | vbc.exe (13 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (child of process 1)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory dump | file size
memory/872-54-0x0000000076181000-0x0000000076183000-memory.dmp | 8KB
memory/872-55-0x0000000074FB0000-0x000000007555B000-memory.dmp | 5.7MB
memory/872-76-0x0000000074FB0000-0x000000007555B000-memory.dmp | 5.7MB
memory/1900-66-0x0000000000400000-0x00000000004B2000-memory.dmp | 712KB
memory/1900-59-0x0000000000400000-0x00000000004B2000-memory.dmp | 712KB
memory/1900-61-0x0000000000400000-0x00000000004B2000-memory.dmp | 712KB
memory/1900-63-0x0000000000400000-0x00000000004B2000-memory.dmp | 712KB
memory/1900-65-0x0000000000400000-0x00000000004B2000-memory.dmp | 712KB
memory/1900-57-0x0000000000400000-0x00000000004B2000-memory.dmp | 712KB
memory/1900-68-0x0000000000400000-0x00000000004B2000-memory.dmp | 712KB
memory/1900-70-0x0000000000400000-0x00000000004B2000-memory.dmp | 712KB
memory/1900-71-0x000000000048F888-mapping.dmp | (no size listed)
memory/1900-72-0x0000000000400000-0x00000000004B2000-memory.dmp | 712KB
memory/1900-74-0x0000000000400000-0x00000000004B2000-memory.dmp | 712KB
memory/1900-75-0x0000000000400000-0x00000000004B2000-memory.dmp | 712KB
memory/1900-56-0x0000000000400000-0x00000000004B2000-memory.dmp | 712KB