Analysis
max time kernel: 186s
max time network: 181s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2022 06:02
Static task: static1
Behavioral task: behavioral1
  Sample: bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe
  Resource: win10v2004-20220812-en
General
Target: bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe
Size: 1.4MB
MD5: 9dd38615196e4992a915698ed23d2aff
SHA1: 67b50b4aa1b9e738b1c7d902e10dc66b6ab52681
SHA256: bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54
SHA512: 1d4e280a002dd09ac102b1790f27fb68a28b0d1b1c6f73c7c25ca1f20971a5d09ed172888fe8317803600826d1a7cf4ae4f808652999bab418c1c52ceb1fdaf8
SSDEEP: 24576:/SY34IXoDdLgzm1mvPJvVp9q8x2OVdtX95rZBlKsKEw2RTISmO:/NITovPJvHn28R/bLRTI
Malware Config
Extracted
Family: darkcomet
Botnet: minecraftgett0111
C2: qwertyfuck.no-ip.biz:1604
Mutex: DC_MUTEX-GNGL16E
Attributes:
  gencode: EbPKlSTAN5A7
  install: false
  offline_keylogger: true
  persistence: false
Signatures

Executes dropped EXE (1 IoCs)
Processes:
  pid    process
  876    Minecraft Launcher by AnjoCaido.exe
Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
  pid    process
  1404   attrib.exe
  992    attrib.exe
Loads dropped DLL (1 IoCs)
Processes:
  pid    process
  1896   bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe
Uses the VBS compiler for execution (1 TTPs)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinDefender.Exe"
  process: bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description: PID 1896 set thread context of 1712
  pid: 1896
  process: bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe
  target process: vbc.exe
Drops file in Windows directory (2 IoCs)
Processes:
  description                    ioc                                                    process
  File opened for modification   C:\Windows\Microsoft.NET\Framework\v2.0.50727          attrib.exe
  File opened for modification   C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  attrib.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes:
  description                                pid    process
  Token: SeIncreaseQuotaPrivilege            1712   vbc.exe
  Token: SeSecurityPrivilege                 1712   vbc.exe
  Token: SeTakeOwnershipPrivilege            1712   vbc.exe
  Token: SeLoadDriverPrivilege               1712   vbc.exe
  Token: SeSystemProfilePrivilege            1712   vbc.exe
  Token: SeSystemtimePrivilege               1712   vbc.exe
  Token: SeProfSingleProcessPrivilege        1712   vbc.exe
  Token: SeIncBasePriorityPrivilege          1712   vbc.exe
  Token: SeCreatePagefilePrivilege           1712   vbc.exe
  Token: SeBackupPrivilege                   1712   vbc.exe
  Token: SeRestorePrivilege                  1712   vbc.exe
  Token: SeShutdownPrivilege                 1712   vbc.exe
  Token: SeDebugPrivilege                    1712   vbc.exe
  Token: SeSystemEnvironmentPrivilege        1712   vbc.exe
  Token: SeChangeNotifyPrivilege             1712   vbc.exe
  Token: SeRemoteShutdownPrivilege           1712   vbc.exe
  Token: SeUndockPrivilege                   1712   vbc.exe
  Token: SeManageVolumePrivilege             1712   vbc.exe
  Token: SeImpersonatePrivilege              1712   vbc.exe
  Token: SeCreateGlobalPrivilege             1712   vbc.exe
  Token: 33                                  1712   vbc.exe
  Token: 34                                  1712   vbc.exe
  Token: 35                                  1712   vbc.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid    process
  1712   vbc.exe
Suspicious use of WriteProcessMemory (59 IoCs)
Processes (identical consecutive entries collapsed; repeat count in parentheses):
  description                              pid    process                                                                   target process
  PID 1896 wrote to memory of 1712 (x13)   1896   bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe     vbc.exe
  PID 1712 wrote to memory of 1768 (x4)    1712   vbc.exe                                                                   cmd.exe
  PID 1712 wrote to memory of 1884 (x4)    1712   vbc.exe                                                                   cmd.exe
  PID 1712 wrote to memory of 1316 (x23)   1712   vbc.exe                                                                   notepad.exe
  PID 1896 wrote to memory of 876 (x7)     1896   bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe     Minecraft Launcher by AnjoCaido.exe
  PID 1884 wrote to memory of 992 (x4)     1884   cmd.exe                                                                   attrib.exe
  PID 1768 wrote to memory of 1404 (x4)    1768   cmd.exe                                                                   attrib.exe
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes:
  pid    process
  1404   attrib.exe
  992    attrib.exe
Processes
Process tree (the number in brackets is the depth in the tree; each entry lists the image path, the command line, and the signatures it triggered):

[1] C:\Users\Admin\AppData\Local\Temp\bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\attrib.exe
                command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
                - Sets file to hidden
                - Drops file in Windows directory
                - Views/modifies file attributes

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\attrib.exe
                command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
                - Sets file to hidden
                - Drops file in Windows directory
                - Views/modifies file attributes

        [3] C:\Windows\SysWOW64\notepad.exe
            command line: notepad

    [2] C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher by AnjoCaido.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher by AnjoCaido.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher by AnjoCaido.exe
  Filesize: 679KB
  MD5: 605a171c61a0607bdcf6be80ed07cf95
  SHA1: 477d4391b0d84406127e43ead289a3596ac1e5e5
  SHA256: 09b78dc85713ca0f27f17d94c939cc606a59847c1f2b5cdd281b52a48cdaeab9
  SHA512: 3b32197d76951d0e1cd7043758af9b33be12b30c03df00a3ef36078205fa95b1582f65bdf4437a1b879a922d2950868e905bcd2227ce3816d5437556b103d338

C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher by AnjoCaido.exe
  Filesize: 679KB
  MD5: 605a171c61a0607bdcf6be80ed07cf95
  SHA1: 477d4391b0d84406127e43ead289a3596ac1e5e5
  SHA256: 09b78dc85713ca0f27f17d94c939cc606a59847c1f2b5cdd281b52a48cdaeab9
  SHA512: 3b32197d76951d0e1cd7043758af9b33be12b30c03df00a3ef36078205fa95b1582f65bdf4437a1b879a922d2950868e905bcd2227ce3816d5437556b103d338

\Users\Admin\AppData\Local\Temp\Minecraft Launcher by AnjoCaido.exe
  Filesize: 679KB
  MD5: 605a171c61a0607bdcf6be80ed07cf95
  SHA1: 477d4391b0d84406127e43ead289a3596ac1e5e5
  SHA256: 09b78dc85713ca0f27f17d94c939cc606a59847c1f2b5cdd281b52a48cdaeab9
  SHA512: 3b32197d76951d0e1cd7043758af9b33be12b30c03df00a3ef36078205fa95b1582f65bdf4437a1b879a922d2950868e905bcd2227ce3816d5437556b103d338
Memory dumps:
  memory/876-82-0x0000000000000000-mapping.dmp
  memory/992-86-0x0000000000000000-mapping.dmp
  memory/1316-79-0x0000000000000000-mapping.dmp
  memory/1404-87-0x0000000000000000-mapping.dmp
  memory/1712-63-0x0000000000400000-0x00000000004B2000-memory.dmp   Filesize: 712KB
  memory/1712-74-0x0000000000400000-0x00000000004B2000-memory.dmp   Filesize: 712KB
  memory/1712-67-0x0000000000400000-0x00000000004B2000-memory.dmp   Filesize: 712KB
  memory/1712-68-0x0000000000400000-0x00000000004B2000-memory.dmp   Filesize: 712KB
  memory/1712-70-0x0000000000400000-0x00000000004B2000-memory.dmp   Filesize: 712KB
  memory/1712-73-0x000000000048F888-mapping.dmp
  memory/1712-72-0x0000000000400000-0x00000000004B2000-memory.dmp   Filesize: 712KB
  memory/1712-88-0x0000000000400000-0x00000000004B2000-memory.dmp   Filesize: 712KB
  memory/1712-76-0x0000000000400000-0x00000000004B2000-memory.dmp   Filesize: 712KB
  memory/1712-91-0x0000000000400000-0x00000000004B2000-memory.dmp   Filesize: 712KB
  memory/1712-58-0x0000000000400000-0x00000000004B2000-memory.dmp   Filesize: 712KB
  memory/1712-65-0x0000000000400000-0x00000000004B2000-memory.dmp   Filesize: 712KB
  memory/1712-61-0x0000000000400000-0x00000000004B2000-memory.dmp   Filesize: 712KB
  memory/1712-59-0x0000000000400000-0x00000000004B2000-memory.dmp   Filesize: 712KB
  memory/1768-77-0x0000000000000000-mapping.dmp
  memory/1884-78-0x0000000000000000-mapping.dmp
  memory/1896-54-0x0000000076871000-0x0000000076873000-memory.dmp   Filesize: 8KB
  memory/1896-55-0x0000000074EE0000-0x000000007548B000-memory.dmp   Filesize: 5.7MB
  memory/1896-89-0x0000000074EE0000-0x000000007548B000-memory.dmp   Filesize: 5.7MB
  memory/1896-56-0x0000000002295000-0x00000000022A6000-memory.dmp   Filesize: 68KB
  memory/1896-90-0x0000000002295000-0x00000000022A6000-memory.dmp   Filesize: 68KB
  memory/1896-57-0x0000000074EE0000-0x000000007548B000-memory.dmp   Filesize: 5.7MB