Analysis
- max time kernel: 152s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2022 02:29

Static task: static1
Behavioral task: behavioral1
- Sample: 4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe
- Resource: win7-20221111-en
General
- Target: 4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe
- Size: 772KB
- MD5: 68e8582308a2f05401ef6d076facd012
- SHA1: 2b2c9ed47453a7b8ef988da3d74af01e6d4340e6
- SHA256: 4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f
- SHA512: 14bd663c9c9ee8f4ac12774a14fd7a33108cf1fe7fed7afc8730719585e00521c4b12f03c5aba993f0ce98b6532794163b69c5a8bed84f71965c2d3f6e4fdcbc
- SSDEEP: 12288:7CuQHZyt8xPBhU2BNt1tBPOVsoaDWal2fdFP/Jh+xD6ikf:7CBxZjBl2DaOfTnbYW5f
Malware Config
Extracted
- Family: darkcomet
- Botnet: giriamo
- C2: 178.239.178.177:200
- Mutex: DC_MUTEX-MBX97KS
- Attributes:
  - gencode: RTdAVRUtBLYH
  - install: false
  - offline_keylogger: true
  - persistence: false
Signatures
- Executes dropped EXE (1 IoC)
  Processes: WinUpdate.exe
    PID 4516  WinUpdate.exe
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes: attrib.exe, attrib.exe
    PID 4072  attrib.exe
    PID 3424  attrib.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: WinUpdate.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  WinUpdate.exe
- Drops desktop.ini file(s) (2 IoCs)
  Processes: 4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe
    File created  C:\Windows\assembly\Desktop.ini  4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe
    File opened for modification  C:\Windows\assembly\Desktop.ini  4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe
    PID 448 set thread context of 4516  4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe -> WinUpdate.exe
- Drops file in Windows directory (3 IoCs)
  Processes: 4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe
    File opened for modification  C:\Windows\assembly  4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe
    File created  C:\Windows\assembly\Desktop.ini  4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe
    File opened for modification  C:\Windows\assembly\Desktop.ini  4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: 4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe
    PID 448  4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Processes: 4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe, WinUpdate.exe
    Token: SeDebugPrivilege  448  4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe
    Token: SeIncreaseQuotaPrivilege  4516  WinUpdate.exe
    Token: SeSecurityPrivilege  4516  WinUpdate.exe
    Token: SeTakeOwnershipPrivilege  4516  WinUpdate.exe
    Token: SeLoadDriverPrivilege  4516  WinUpdate.exe
    Token: SeSystemProfilePrivilege  4516  WinUpdate.exe
    Token: SeSystemtimePrivilege  4516  WinUpdate.exe
    Token: SeProfSingleProcessPrivilege  4516  WinUpdate.exe
    Token: SeIncBasePriorityPrivilege  4516  WinUpdate.exe
    Token: SeCreatePagefilePrivilege  4516  WinUpdate.exe
    Token: SeBackupPrivilege  4516  WinUpdate.exe
    Token: SeRestorePrivilege  4516  WinUpdate.exe
    Token: SeShutdownPrivilege  4516  WinUpdate.exe
    Token: SeDebugPrivilege  4516  WinUpdate.exe
    Token: SeSystemEnvironmentPrivilege  4516  WinUpdate.exe
    Token: SeChangeNotifyPrivilege  4516  WinUpdate.exe
    Token: SeRemoteShutdownPrivilege  4516  WinUpdate.exe
    Token: SeUndockPrivilege  4516  WinUpdate.exe
    Token: SeManageVolumePrivilege  4516  WinUpdate.exe
    Token: SeImpersonatePrivilege  4516  WinUpdate.exe
    Token: SeCreateGlobalPrivilege  4516  WinUpdate.exe
    Token: 33  4516  WinUpdate.exe
    Token: 34  4516  WinUpdate.exe
    Token: 35  4516  WinUpdate.exe
    Token: 36  4516  WinUpdate.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: WinUpdate.exe
    PID 4516  WinUpdate.exe
- Suspicious use of WriteProcessMemory (48 IoCs, grouped by source and target; count is the number of identical records)
  Processes: 4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe, WinUpdate.exe, cmd.exe, cmd.exe
    PID 448 wrote to memory of 4516  4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe -> WinUpdate.exe  (14 records)
    PID 4516 wrote to memory of 4984  WinUpdate.exe -> cmd.exe  (3 records)
    PID 4516 wrote to memory of 3888  WinUpdate.exe -> cmd.exe  (3 records)
    PID 4984 wrote to memory of 4072  cmd.exe -> attrib.exe  (3 records)
    PID 3888 wrote to memory of 3424  cmd.exe -> attrib.exe  (3 records)
    PID 4516 wrote to memory of 3440  WinUpdate.exe -> notepad.exe  (22 records)
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe, attrib.exe
    PID 4072  attrib.exe
    PID 3424  attrib.exe
Processes (process tree; indentation shows the parent/child nesting level)
- [1] C:\Users\Admin\AppData\Local\Temp\4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe"
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\AppLunch\WinUpdate.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\AppLunch\WinUpdate.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\AppLunch\WinUpdate.exe" +s +h
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\AppLunch\WinUpdate.exe" +s +h
        - Sets file to hidden
        - Views/modifies file attributes
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\AppLunch" +s +h
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\AppLunch" +s +h
        - Sets file to hidden
        - Views/modifies file attributes
    - [3] C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\AppLunch\WinUpdate.exe
  Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
Memory dumps
- memory/448-133-0x0000000075190000-0x0000000075741000-memory.dmp (Filesize: 5.7MB)
- memory/448-132-0x0000000075190000-0x0000000075741000-memory.dmp (Filesize: 5.7MB)
- memory/3424-147-0x0000000000000000-mapping.dmp
- memory/3440-148-0x0000000000000000-mapping.dmp
- memory/3888-145-0x0000000000000000-mapping.dmp
- memory/4072-146-0x0000000000000000-mapping.dmp
- memory/4516-139-0x0000000000400000-0x00000000004B6000-memory.dmp (Filesize: 728KB)
- memory/4516-141-0x0000000000400000-0x00000000004B6000-memory.dmp (Filesize: 728KB)
- memory/4516-142-0x0000000000400000-0x00000000004B6000-memory.dmp (Filesize: 728KB)
- memory/4516-143-0x0000000000400000-0x00000000004B6000-memory.dmp (Filesize: 728KB)
- memory/4516-138-0x0000000000400000-0x00000000004B6000-memory.dmp (Filesize: 728KB)
- memory/4516-135-0x0000000000400000-0x00000000004B6000-memory.dmp (Filesize: 728KB)
- memory/4516-134-0x0000000000000000-mapping.dmp
- memory/4984-144-0x0000000000000000-mapping.dmp