Analysis
-
max time kernel
161s -
max time network
210s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
03-12-2022 02:59
Static task
static1
Behavioral task
behavioral1
Sample
9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
Resource
win7-20221111-en
General
-
Target
9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
-
Size
742KB
-
MD5
3d9fb784d8bad35e1fc6f114092b0e61
-
SHA1
21950040713e37949c80b75e4c15fa6163ef67b2
-
SHA256
9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504
-
SHA512
9c80a51a0849195f6cac34a8cba53229d05a900d29ba8a327418d5502ee559485b8b1637f07be43404fe737f29a669412e11ffd329b210f04ebd040493230f85
-
SSDEEP
12288:J08Xr7FoMtKhx92E7eosUsF4hxekb7NKiMRFhoE3KK1:m8b7FoGKX8KeosUO4hwktKbhou/1
Malware Config
Extracted
darkcomet
Guest16
188.190.86.62:1604
DC_MUTEX-W0U2X3G
-
gencode
ApppNhBV8t9f
-
install
false
-
offline_keylogger
true
-
persistence
false
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
bac.exepid process 1496 bac.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe -
Loads dropped DLL 2 IoCs
Processes:
9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exepid process 1244 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe 1244 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exedescription pid process target process PID 1216 set thread context of 1244 1216 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exepid process 1244 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe 1244 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe 1244 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe 1244 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe 1244 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe 1244 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe 1244 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
bac.exedescription pid process Token: SeIncreaseQuotaPrivilege 1496 bac.exe Token: SeSecurityPrivilege 1496 bac.exe Token: SeTakeOwnershipPrivilege 1496 bac.exe Token: SeLoadDriverPrivilege 1496 bac.exe Token: SeSystemProfilePrivilege 1496 bac.exe Token: SeSystemtimePrivilege 1496 bac.exe Token: SeProfSingleProcessPrivilege 1496 bac.exe Token: SeIncBasePriorityPrivilege 1496 bac.exe Token: SeCreatePagefilePrivilege 1496 bac.exe Token: SeBackupPrivilege 1496 bac.exe Token: SeRestorePrivilege 1496 bac.exe Token: SeShutdownPrivilege 1496 bac.exe Token: SeDebugPrivilege 1496 bac.exe Token: SeSystemEnvironmentPrivilege 1496 bac.exe Token: SeChangeNotifyPrivilege 1496 bac.exe Token: SeRemoteShutdownPrivilege 1496 bac.exe Token: SeUndockPrivilege 1496 bac.exe Token: SeManageVolumePrivilege 1496 bac.exe Token: SeImpersonatePrivilege 1496 bac.exe Token: SeCreateGlobalPrivilege 1496 bac.exe Token: 33 1496 bac.exe Token: 34 1496 bac.exe Token: 35 1496 bac.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exebac.exepid process 1216 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe 1496 bac.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exedescription pid process target process PID 1216 wrote to memory of 1244 1216 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe PID 1216 wrote to memory of 1244 1216 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe PID 1216 wrote to memory of 1244 1216 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe PID 1216 wrote to memory of 1244 1216 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe PID 1216 wrote to memory of 1244 1216 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe PID 1216 wrote to memory of 1244 1216 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe PID 1216 wrote to memory of 1244 1216 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe PID 1216 wrote to memory of 1244 1216 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe PID 1244 wrote to memory of 1496 1244 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe bac.exe PID 1244 wrote to memory of 1496 1244 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe bac.exe PID 1244 wrote to memory of 1496 1244 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe bac.exe PID 1244 wrote to memory of 1496 1244 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe bac.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe"C:\Users\Admin\AppData\Local\Temp\9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe"C:\Users\Admin\AppData\Local\Temp\9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe"2⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bac.exe"C:\Users\Admin\AppData\Local\Temp\bac.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\bac.exeFilesize
658KB
MD5d37899867bdc4398f4f8d32970532df0
SHA10e9280bb97c025182cc5627b6b3c0f0285c3b3cb
SHA256d82d52a01d5f2975d94e35866cb3af0123f9f7ab2668865e458832eace80e39a
SHA5126924fac44bc33880bb731ba0a158e92d39aad1bd6d04d1484e3c2f33a4e6f6bd82d740c31923078dbcbc5755f4f6476fa7d1538cf9cd040f6689ea68e0528c84
-
C:\Users\Admin\AppData\Local\Temp\bac.exeFilesize
658KB
MD5d37899867bdc4398f4f8d32970532df0
SHA10e9280bb97c025182cc5627b6b3c0f0285c3b3cb
SHA256d82d52a01d5f2975d94e35866cb3af0123f9f7ab2668865e458832eace80e39a
SHA5126924fac44bc33880bb731ba0a158e92d39aad1bd6d04d1484e3c2f33a4e6f6bd82d740c31923078dbcbc5755f4f6476fa7d1538cf9cd040f6689ea68e0528c84
-
\Users\Admin\AppData\Local\Temp\bac.exeFilesize
658KB
MD5d37899867bdc4398f4f8d32970532df0
SHA10e9280bb97c025182cc5627b6b3c0f0285c3b3cb
SHA256d82d52a01d5f2975d94e35866cb3af0123f9f7ab2668865e458832eace80e39a
SHA5126924fac44bc33880bb731ba0a158e92d39aad1bd6d04d1484e3c2f33a4e6f6bd82d740c31923078dbcbc5755f4f6476fa7d1538cf9cd040f6689ea68e0528c84
-
\Users\Admin\AppData\Local\Temp\bac.exeFilesize
658KB
MD5d37899867bdc4398f4f8d32970532df0
SHA10e9280bb97c025182cc5627b6b3c0f0285c3b3cb
SHA256d82d52a01d5f2975d94e35866cb3af0123f9f7ab2668865e458832eace80e39a
SHA5126924fac44bc33880bb731ba0a158e92d39aad1bd6d04d1484e3c2f33a4e6f6bd82d740c31923078dbcbc5755f4f6476fa7d1538cf9cd040f6689ea68e0528c84
-
memory/1244-61-0x00000000004FF1C0-mapping.dmp
-
memory/1244-63-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/1244-64-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/1244-65-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/1244-66-0x0000000074F01000-0x0000000074F03000-memory.dmpFilesize
8KB
-
memory/1244-56-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/1244-60-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/1244-59-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/1244-57-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/1244-73-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/1244-74-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/1496-69-0x0000000000000000-mapping.dmp