Analysis
- max time kernel: 159s
- max time network: 196s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-12-2022 18:34

Static task: static1
Behavioral task: behavioral1
- Sample: 06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
- Resource: win7-20221111-en

Note: the behavioral task listed here names the win7-20221111-en resource, while the analysis header above and the memory-dump labels below (behavioral2/memory/...) belong to the win10v2004-20221111-en run. The PIDs, signatures and dumps that follow are from that win10 run.
General
- Target: 06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
- Size: 967KB
- MD5: 245d2cec5bb0f3cb375028c72ef684f0
- SHA1: e4030d976f994697dd482fdae62258b55b0c3eed
- SHA256: 06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66
- SHA512: 59658b4db272d15b4680f6546168f72ea34c7125e45fa91b0694443cb020f1fe2fb92e88e01ca545cc2ccb1420aa208fee4019436a3c9c0947a04a8465e04a59
- SSDEEP: 24576:gRmJkcoQricOIQxiZY1iavReA7pZk0/arYy:VJZoQrbTFZY1iavRtpTcYy
Malware Config
Extracted
- Family: darkcomet
- Server ID / campaign name: Guest16 (the DarkComet builder default)
- C2: 127.0.0.1:321
- Mutex: DC_MUTEX-R0X7EMW
- gencode: 8wq0x7iUlHMN
- install: false
- offline_keylogger: true
- persistence: false

The C2 is the loopback address, so the implant cannot reach a controller from inside the sandbox and no callback shows up under Network below; a build pointed at 127.0.0.1 is usually a test or unconfigured stub rather than a live deployment. install=false and persistence=false agree with the signature list, which contains no file-drop or autorun registry signature. offline_keylogger=true agrees with the SetWindowsHookEx activity recorded for the injected stages, which is how DarkComet installs its keyboard hook.
Signatures
-
yara rule upx (UPX-packed code found in memory) 6 IoCs
Resource / memory dump:
- behavioral2/memory/3140-138-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/3140-139-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/3140-140-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/3140-141-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/3140-143-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/3140-144-0x0000000000400000-0x00000000004B7000-memory.dmp
All six hits are the same 0x400000-0x4B7000 image region of PID 3140, dumped at successive points during the run.
-
Suspicious use of SetThreadContext 2 IoCs
Processes (description / pid / process / target process):
- PID 2268 set thread context of 5076: 06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe -> 06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
- PID 5076 set thread context of 3140: 06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe -> 06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Source and target are the same executable in both cases: each stage starts a fresh copy of itself, writes into it (see WriteProcessMemory below) and then resets its thread context, which is the process-hollowing pattern. The chain is 2268 -> 5076 -> 3140, so the sample unpacks through two stages before the final payload runs in PID 3140.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(The "ransomware" wording is the sandbox's generic description for this TTP. The extracted config identifies the sample as DarkComet, a RAT whose file-manager and drive-listing features enumerate drives; nothing in this report shows file encryption or mass file modification.)
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
Process: PID 3140 06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe adjusted its token for the following privileges:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35 and 36 (left unresolved by the sandbox; in winnt.h these values are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege).
Only the final-stage process adjusts its token, and it sweeps through the whole privilege set rather than requesting one specific privilege. SeDebugPrivilege, SeBackupPrivilege and SeRestorePrivilege are the ones that matter for a RAT: they allow opening other processes and reading or writing files regardless of ACLs once the token is elevated.
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- PID 5076 06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
- PID 3140 06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes (description / pid / process / target process):
- PID 2268 wrote to memory of 5076 (5 writes): 06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe -> 06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
- PID 5076 wrote to memory of 3140 (8 writes): 06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe -> 06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
The write counts line up with the dump sizes under Downloads: the first stage writes a 20KB image into 5076, the second writes the 732KB image into 3140.
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe (PID 2268)
   command line: "C:\Users\Admin\AppData\Local\Temp\06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe (PID 5076, hollowed child of 2268)
      command line: "C:\Users\Admin\AppData\Local\Temp\06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe (PID 3140, hollowed child of 5076)
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx

PIDs and nesting are taken from the SetThreadContext and WriteProcessMemory entries under Signatures; the page's own tree marks only the first two levels. Every process in the tree runs the same image, so an EDR that keys on image path alone will see three identical entries and must use the parent/child write-and-SetThreadContext relationship to separate the loader stages from the payload.
Network
(no entries on this page; the extracted C2 127.0.0.1:321 is the loopback address, so no controller traffic could leave the sandbox)
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)
PID   Dump                                                                Region               Size
5076  memory/5076-132-0x0000000000000000-mapping.dmp                      mapping dump         (none listed)
5076  memory/5076-133-0x0000000000400000-0x0000000000405000-memory.dmp    0x400000-0x405000    20KB
5076  memory/5076-142-0x0000000000400000-0x0000000000405000-memory.dmp    0x400000-0x405000    20KB
3140  memory/3140-137-0x0000000000000000-mapping.dmp                      mapping dump         (none listed)
3140  memory/3140-138-0x0000000000400000-0x00000000004B7000-memory.dmp    0x400000-0x4B7000    732KB
3140  memory/3140-139-0x0000000000400000-0x00000000004B7000-memory.dmp    0x400000-0x4B7000    732KB
3140  memory/3140-140-0x0000000000400000-0x00000000004B7000-memory.dmp    0x400000-0x4B7000    732KB
3140  memory/3140-141-0x0000000000400000-0x00000000004B7000-memory.dmp    0x400000-0x4B7000    732KB
3140  memory/3140-143-0x0000000000400000-0x00000000004B7000-memory.dmp    0x400000-0x4B7000    732KB
3140  memory/3140-144-0x0000000000400000-0x00000000004B7000-memory.dmp    0x400000-0x4B7000    732KB

Size check: 0x4B7000 - 0x400000 = 0xB7000 = 749,568 bytes = 732 KiB, and 0x405000 - 0x400000 = 0x5000 = 20 KiB, so the listed sizes are the full mapped image regions, not partial captures. Both regions sit at the default 0x400000 image base, which is what a hollowed process looks like after the original image has been replaced in place. The 20KB image in 5076 is a small intermediate stage; the 732KB image in 3140 is the region the upx yara rule flagged, and the 3140 dumps are the ones to feed to a config extractor or disassembler.
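As an added example that is not part of this sandbox report, the script below reads the flattened SetThreadContext and WriteProcessMemory entries from the Signatures section and the dump file names from the Downloads section (both re-typed here as constructed sample strings copied from this page), rebuilds the injection chain, flags source/target pairs that show the write-then-SetThreadContext pattern on an identical image, and recomputes the reported dump sizes from the address ranges. The event wording and dump naming are taken from this page; the function names and the summary layout are my own and are not part of any sandbox tool.

```python
"""Rebuild the process-hollowing chain and dump sizes from flattened sandbox report text.

Added example, not part of the original report. Input strings below are
constructed from the entries shown on this page.
"""
import re
from collections import Counter

# Image name of the sample; every PID on the page runs this same file.
IMAGE = "06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe"

# Constructed sample input: the SetThreadContext and WriteProcessMemory
# "Processes:" entries from the Signatures section, one event per line.
EVENTS_TEXT = "\n".join(
    [f"PID 2268 set thread context of 5076 2268 {IMAGE} {IMAGE}",
     f"PID 5076 set thread context of 3140 5076 {IMAGE} {IMAGE}"]
    + [f"PID 2268 wrote to memory of 5076 2268 {IMAGE} {IMAGE}"] * 5
    + [f"PID 5076 wrote to memory of 3140 5076 {IMAGE} {IMAGE}"] * 8
)

# Constructed sample input: dump file names from the Downloads section.
DUMP_NAMES = [
    "memory/5076-132-0x0000000000000000-mapping.dmp",
    "memory/5076-133-0x0000000000400000-0x0000000000405000-memory.dmp",
    "memory/3140-137-0x0000000000000000-mapping.dmp",
    "memory/3140-138-0x0000000000400000-0x00000000004B7000-memory.dmp",
]

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<api>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)"
)
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9a-fA-F]+)"
    r"(?:-0x(?P<end>[0-9a-fA-F]+))?-(?P<kind>mapping|memory)\.dmp"
)
API_NAMES = {"set thread context of": "SetThreadContext",
             "wrote to memory of": "WriteProcessMemory"}


def parse_events(text):
    """Turn the flattened lines into (api, src_pid, dst_pid, src_img, dst_img) tuples."""
    return [(API_NAMES[m["api"]], int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
            for m in EVENT_RE.finditer(text)]


def injection_chain(events):
    """Walk source->target edges from the root PID (one that is never a target)."""
    children, sources, targets = {}, set(), set()
    for _, src, dst, _, _ in events:
        children.setdefault(src, set()).add(dst)
        sources.add(src)
        targets.add(dst)
    roots = sources - targets
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {sorted(roots)}")
    chain = [roots.pop()]
    while chain[-1] in children:
        nxt = children[chain[-1]]
        if len(nxt) != 1:  # this report is a straight chain; branching would need a tree walk
            raise ValueError(f"PID {chain[-1]} injects into several targets: {sorted(nxt)}")
        chain.append(next(iter(nxt)))
    return chain


def hollowing_candidates(events):
    """(src, dst) pairs where src both wrote dst's memory and reset its thread context,
    and both run the same image: the self-replacement process-hollowing pattern."""
    seen, images = {}, {}
    for api, src, dst, src_img, dst_img in events:
        seen.setdefault((src, dst), set()).add(api)
        images[(src, dst)] = (src_img, dst_img)
    return sorted(pair for pair, apis in seen.items()
                  if {"SetThreadContext", "WriteProcessMemory"} <= apis
                  and images[pair][0] == images[pair][1])


def write_counts(events):
    """WriteProcessMemory events per (source, target) pair."""
    return Counter((src, dst) for api, src, dst, _, _ in events if api == "WriteProcessMemory")


def parse_dump(name):
    """Return (pid, kind, start, end) for a dump file name; end is None for mapping dumps."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    end = int(m["end"], 16) if m["end"] else None
    return int(m["pid"]), m["kind"], int(m["start"], 16), end


def region_size_kb(start, end):
    """Region size in whole KiB, formatted the way the report prints it (e.g. '732KB')."""
    return f"{(end - start) // 1024}KB"


def summarize(events_text=EVENTS_TEXT, dump_names=DUMP_NAMES):
    """Correlate injection events with the dumped image regions of each stage."""
    events = parse_events(events_text)
    chain = injection_chain(events)
    sizes = {}
    for name in dump_names:
        pid, kind, start, end = parse_dump(name)
        if kind == "memory":
            sizes[pid] = region_size_kb(start, end)
    return {"chain": chain, "final_stage_pid": chain[-1],
            "hollowing": hollowing_candidates(events),
            "writes": dict(write_counts(events)), "region_sizes": sizes}


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

On this page's data the chain resolves to 2268 -> 5076 -> 3140 with both hops flagged as hollowing candidates, five writes into 5076 and eight into 3140, and the recomputed region sizes (20KB and 732KB) match the Downloads table, which is the sanity check that the dumps are whole images rather than partial captures.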