Analysis
- max time kernel: 151s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2022 05:26
- Static task: static1
- Behavioral task: behavioral1
  Sample: ae707a3769d55080d8c6de07bc0ce03c5f12e375725da4a5fd06bae674123929.exe
  Resource: win7-20220812-en
General
- Target: ae707a3769d55080d8c6de07bc0ce03c5f12e375725da4a5fd06bae674123929.exe
- Size: 775KB
- MD5: 4059d073c931d0996feb311816b5c546
- SHA1: e7eb04125e7ee439a38ede9f518f8fcc019300bf
- SHA256: ae707a3769d55080d8c6de07bc0ce03c5f12e375725da4a5fd06bae674123929
- SHA512: 16381dcdfae9841550a4ab8899f87416cd19c1262f7121b011f299aa892a9e6b043677901ebb3be7248d6f824e91ef48d01f1736644f50a9e6b12b2cc3ca316d
- SSDEEP: 12288:qUpaRMVTqS0f5Uvq0sCw168EqURAW6Sk/TmdWh/AGtBRJucBs2CNBDZgs:q5RMVPubVCwxXQRMAWh/ttBtBiFH
Malware Config
Extracted family: darkcomet
- Guest16
- C2: 127.0.0.1:1604
- mutex: DC_MUTEX-0DW527V
- gencode: TlzkHYZvMND7
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 1004 (ae707a3769d55080d8c6de07bc0ce03c5f12e375725da4a5fd06bae674123929.exe) set thread context of PID 1636 (ae707a3769d55080d8c6de07bc0ce03c5f12e375725da4a5fd06bae674123929.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: PID 1636 (the sample) adjusted the following token privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: PID 1004 (the sample), PID 1636 (the sample)
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: PID 1004 (the sample) wrote to memory of PID 1636 (the sample); 13 events, all against the same target process
Processes
- C:\Users\Admin\AppData\Local\Temp\ae707a3769d55080d8c6de07bc0ce03c5f12e375725da4a5fd06bae674123929.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae707a3769d55080d8c6de07bc0ce03c5f12e375725da4a5fd06bae674123929.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ae707a3769d55080d8c6de07bc0ce03c5f12e375725da4a5fd06bae674123929.exe (child process, PID 1636)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
File                                                             Filesize
memory/1636-56-0x0000000000400000-0x00000000004C8000-memory.dmp  800KB
memory/1636-57-0x0000000000400000-0x00000000004C8000-memory.dmp  800KB
memory/1636-59-0x0000000000400000-0x00000000004C8000-memory.dmp  800KB
memory/1636-61-0x0000000000400000-0x00000000004C8000-memory.dmp  800KB
memory/1636-63-0x0000000000400000-0x00000000004C8000-memory.dmp  800KB
memory/1636-65-0x0000000000400000-0x00000000004C8000-memory.dmp  800KB
memory/1636-66-0x0000000000400000-0x00000000004C8000-memory.dmp  800KB
memory/1636-68-0x0000000000400000-0x00000000004C8000-memory.dmp  800KB
memory/1636-70-0x0000000000400000-0x00000000004C8000-memory.dmp  800KB
memory/1636-71-0x000000000048D888-mapping.dmp                    (no size given)
memory/1636-72-0x0000000000400000-0x00000000004C8000-memory.dmp  800KB
memory/1636-73-0x0000000075211000-0x0000000075213000-memory.dmp  8KB
memory/1636-74-0x0000000000400000-0x00000000004C8000-memory.dmp  800KB
memory/1636-75-0x0000000000400000-0x00000000004C8000-memory.dmp  800KB
memory/1636-76-0x0000000000400000-0x00000000004C8000-memory.dmp  800KB