Analysis
- max time kernel: 189s
- max time network: 193s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2022 06:02

Static task: static1
Behavioral task: behavioral1
- Sample: bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe
- Resource: win10v2004-20220812-en
General
- Target: bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe
- Size: 1.4MB
- MD5: 9dd38615196e4992a915698ed23d2aff
- SHA1: 67b50b4aa1b9e738b1c7d902e10dc66b6ab52681
- SHA256: bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54
- SHA512: 1d4e280a002dd09ac102b1790f27fb68a28b0d1b1c6f73c7c25ca1f20971a5d09ed172888fe8317803600826d1a7cf4ae4f808652999bab418c1c52ceb1fdaf8
- SSDEEP: 24576:/SY34IXoDdLgzm1mvPJvVp9q8x2OVdtX95rZBlKsKEw2RTISmO:/NITovPJvHn28R/bLRTI
Malware Config
Extracted
- Family: darkcomet
- Botnet: minecraftgett0111
- C2: qwertyfuck.no-ip.biz:1604
- Mutex: DC_MUTEX-GNGL16E
Attributes
- gencode: EbPKlSTAN5A7
- install: false
- offline_keylogger: true
- persistence: false
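The values above are what the sandbox's config extractor recovered; the page does not show the raw resource they came from. The following is an added example, my own code and not the sandbox's extractor or anything from DarkComet, of how such a config is decrypted and normalised into the fields shown. It assumes, from public RAT-config decoders rather than from this page, that DarkComet 5.x keeps its config in an RC resource named DCDATA as a hex string of RC4 ciphertext keyed with a version prefix (#KCMDDC51#-890 for 5.1) plus the builder password, and that the plaintext is KEY={value} lines using the names MUTEX, SID, NETDATA, GENCODE, INSTALL, PERS and OFFLINEK. The mapping of those keys onto the report's botnet/install/persistence/offline_keylogger fields is likewise my assumption, and the sample blob is constructed by re-encrypting the values the report extracted.

```python
"""Decrypt and normalise a DarkComet 5.x configuration blob.

Added example, not code from the sandbox report or from DarkComet itself.
ASSUMPTIONS (taken from public RAT-config decoders, not from this page):
  * the builder stores the config in an RC resource "DCDATA" as an
    upper-case hex string of RC4 ciphertext;
  * the RC4 key is a version prefix (e.g. "#KCMDDC51#-890" for 5.1)
    followed by the builder password, which is often empty;
  * the plaintext is one KEY={value} pair per line between
    "#BEGIN DARKCOMET DATA --" and "#EOF DARKCOMET DATA --".
The sample blob below is CONSTRUCTED by encrypting the values the report
extracted; the page does not include the raw resource.
"""
from __future__ import annotations

KEY_PREFIXES = {          # version -> RC4 key prefix (assumption, see above)
    "5.1": b"#KCMDDC51#-890",
    "5.0": b"#KCMDDC5#-890",
    "4.2": b"#KCMDDC42F#-890",
    "4.1": b"#KCMDDC42#-890",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(plaintext: str) -> dict[str, str]:
    """Turn 'KEY={value}' lines into a dict; header/footer lines carry no '='."""
    cfg: dict[str, str] = {}
    for line in plaintext.replace("\r\n", "\n").split("\n"):
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            cfg[key.strip()] = value.strip().strip("{}")
    return cfg


def decrypt_dcdata(hex_blob: str, password: bytes = b"", version: str = "5.1") -> dict[str, str]:
    """Decrypt the DCDATA hex string with the version key and parse it."""
    plain = rc4(KEY_PREFIXES[version] + password, bytes.fromhex(hex_blob))
    # latin-1 never raises, so a wrong key yields garbage rather than an exception
    return parse_config(plain.decode("latin-1"))


def summarize(cfg: dict[str, str]) -> dict:
    """Normalise raw keys into the fields a sandbox report shows.
    The key-to-field mapping is an assumption, not taken from the page."""
    host, _, port = cfg.get("NETDATA", "").partition(":")
    return {
        "botnet": cfg.get("SID"),
        "c2_host": host,
        "c2_port": int(port) if port.isdigit() else None,
        "mutex": cfg.get("MUTEX"),
        "gencode": cfg.get("GENCODE"),
        "install": cfg.get("INSTALL") == "1",
        "persistence": cfg.get("PERS") == "1",
        "offline_keylogger": cfg.get("OFFLINEK") == "1",
    }


# --- constructed sample: the report's extracted values, re-encrypted ---------
SAMPLE_PLAINTEXT = "\r\n".join([
    "#BEGIN DARKCOMET DATA --",
    "MUTEX={DC_MUTEX-GNGL16E}",
    "SID={minecraftgett0111}",
    "NETDATA={qwertyfuck.no-ip.biz:1604}",
    "GENCODE={EbPKlSTAN5A7}",
    "INSTALL={0}",
    "PERS={0}",
    "OFFLINEK={1}",
    "#EOF DARKCOMET DATA --",
])
SAMPLE_DCDATA_HEX = rc4(KEY_PREFIXES["5.1"], SAMPLE_PLAINTEXT.encode("latin-1")).hex().upper()

if __name__ == "__main__":
    for field, value in summarize(decrypt_dcdata(SAMPLE_DCDATA_HEX)).items():
        print(f"{field:18} {value}")
```

On a real sample the hex string would come from the DCDATA resource of the unpacked payload (the 712KB region dumped from vbc.exe in this run is where to look), and a wrong version prefix or password shows up as an empty or nonsensical dict rather than an error, so try each prefix in turn and accept the first result that contains a MUTEX key.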
Signatures

Executes dropped EXE (1 IoC)
- PID 4124: Minecraft Launcher by AnjoCaido.exe

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
- PID 1608: attrib.exe
- PID 2492: attrib.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried by bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
Uses the VBS compiler for execution (1 TTP)
vbc.exe is the Visual Basic .NET compiler shipped in C:\Windows\Microsoft.NET\Framework\v2.0.50727 (the signature name says "VBS", but this is the .NET compiler, not the VBScript host). The sample starts it only as a host: the SetThreadContext and WriteProcessMemory entries below show PID 2128 writing into the new vbc.exe process and redirecting its thread, so the RAT code runs under a signed Microsoft binary name.
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) by bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDefender = "C:\Users\Admin\AppData\Local\Temp\WinDefender.Exe"
Note that this Run value is written even though the extracted config reports install=false and persistence=false, and that nothing else in this run (dropped files, process tree) shows WinDefender.Exe being created or executed within the 189s window.
Suspicious use of SetThreadContext (1 IoC)
- PID 2128 (bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe) set thread context of PID 4136 (vbc.exe)
Combined with the 14 WriteProcessMemory calls from 2128 into 4136 and the 712KB region at image base 0x400000 dumped from vbc.exe (see the memory dumps under Downloads), this is the process-hollowing pattern: a child is created, its memory is overwritten with the payload, and its main thread's context is pointed at the new entry point. The 0x400000 dump from PID 4136 is the one to pull for static analysis of the payload.
Drops file in Windows directory (2 IoCs)
- File opened for modification by attrib.exe: C:\Windows\Microsoft.NET\Framework\v2.0.50727
- File opened for modification by attrib.exe: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
(Both are attribute changes via "attrib +s +h" on existing paths, as the process tree shows, not new files; the signature name is the sandbox's generic label for any modification under C:\Windows.)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(Generic signature text. The extracted config identifies this sample as DarkComet, a remote-access trojan, so drive enumeration here is more plausibly the RAT's file-manager/drive-listing feature; nothing in this run's process tree or dropped files shows encryption activity.)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 4136: vbc.exe

Suspicious use of AdjustPrivilegeToken (24 IoCs)
- PID 4136 (vbc.exe) adjusted token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 4136: vbc.exe

Suspicious use of WriteProcessMemory (51 IoCs)
- PID 2128 (bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe) wrote to memory of PID 4136 (vbc.exe): 14 writes
- PID 4136 (vbc.exe) wrote to memory of PID 2704 (cmd.exe): 3 writes
- PID 2128 (bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe) wrote to memory of PID 4124 (Minecraft Launcher by AnjoCaido.exe): 3 writes
- PID 4136 (vbc.exe) wrote to memory of PID 4188 (cmd.exe): 3 writes
- PID 4136 (vbc.exe) wrote to memory of PID 224 (notepad.exe): 22 writes
- PID 2704 (cmd.exe) wrote to memory of PID 1608 (attrib.exe): 3 writes
- PID 4188 (cmd.exe) wrote to memory of PID 2492 (attrib.exe): 3 writes
Views/modifies file attributes (1 TTP, 2 IoCs)
- PID 1608: attrib.exe
- PID 2492: attrib.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe (PID 2128)
   Command line: "C:\Users\Admin\AppData\Local\Temp\bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4136)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 2704)
         Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\attrib.exe (PID 1608)
            Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
            - Sets file to hidden
            - Drops file in Windows directory
            - Views/modifies file attributes
      3. C:\Windows\SysWOW64\notepad.exe (PID 224)
         Command line: notepad
      3. C:\Windows\SysWOW64\cmd.exe (PID 4188)
         Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\attrib.exe (PID 2492)
            Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            - Sets file to hidden
            - Drops file in Windows directory
            - Views/modifies file attributes
   2. C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher by AnjoCaido.exe (PID 4124)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher by AnjoCaido.exe"
      - Executes dropped EXE

PIDs are taken from the signature entries above; the two cmd.exe/attrib.exe pairs are matched to their command lines by the order in which the sandbox lists them. The sample and its children are 32-bit (resource tag arch:x86), which is why command lines naming C:\Windows\System32 resolve to C:\Windows\SysWOW64 images. The hollowed vbc.exe hides both itself and its directory with "attrib +s +h" and launches a "Minecraft Launcher" decoy dropped alongside the sample, so the victim sees the expected program while the RAT runs.
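The tree above is a compact chain worth turning into detection logic: a trusted .NET binary started and then written into and re-pointed by its parent, a Run value into %TEMP%, attrib +s +h on paths under C:\Windows, and a burst of writes into notepad.exe with no context change. The following is an added example, my own code rather than the sandbox's rules or any vendor's product, that replays a constructed Sysmon-like event stream built from the PIDs and paths on this page and raises one alert per pattern. The Event fields are a simplification of my own, not a real Sysmon schema, and the burst threshold and the list of hollowing hosts are assumptions.

```python
"""Detection logic for the behaviour chain in the process tree above.

Added example; my own code, not the sandbox's rules or any vendor product.
It replays a CONSTRUCTED, Sysmon-like event stream built from the PIDs and
paths on this page and raises four kinds of alert:
  * process_hollowing         SetThreadContext plus memory writes into a
                              freshly started Microsoft .NET framework binary
  * run_key_user_writable     a Run/RunOnce value pointing into a user-writable
                              directory such as %TEMP%
  * hidden_windows_path       attrib +h applied to a path under C:\\Windows
  * cross_process_write_burst many writes into a process without a context
                              change (vbc.exe -> notepad.exe here)
The Event fields are my simplification, not a real Sysmon schema; the burst
threshold and the hollowing-host list are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str            # process_create | write_process_memory | set_thread_context | registry_set
    pid: int             # acting process
    image: str = ""      # process_create: full path of the new process
    cmdline: str = ""    # process_create: command line
    target_pid: int = 0  # write_process_memory / set_thread_context: victim
    reg_key: str = ""    # registry_set
    reg_value: str = ""  # registry_set


# Signed .NET framework binaries commonly abused as hollowing hosts (assumption).
HOLLOW_HOSTS = re.compile(
    r"^C:\\Windows\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\"
    r"(vbc|csc|msbuild|regasm|regsvcs|installutil)\.exe$", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\|\\Users\\Public\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
QUOTED_PATH = re.compile(r'"([^"]+)"')
WRITE_BURST = 10   # assumption: a plain CreateProcess shows a handful of writes, not dozens


def detect(events: list[Event]) -> list[tuple[str, int, str]]:
    """Return (rule, acting_pid, detail) tuples for every matched pattern."""
    alerts: list[tuple[str, int, str]] = []
    image_of = {e.pid: e.image for e in events if e.kind == "process_create"}
    writes: dict[tuple[int, int], int] = defaultdict(int)
    ctx_pairs: set[tuple[int, int]] = set()

    for e in events:
        if e.kind == "write_process_memory":
            writes[(e.pid, e.target_pid)] += 1
        elif e.kind == "set_thread_context":
            ctx_pairs.add((e.pid, e.target_pid))
        elif e.kind == "registry_set":
            if RUN_KEY.search(e.reg_key) and USER_WRITABLE.search(e.reg_value):
                alerts.append(("run_key_user_writable", e.pid, f"{e.reg_key} = {e.reg_value}"))
        elif e.kind == "process_create" and e.image.lower().endswith("\\attrib.exe"):
            flags = {tok.lower() for tok in e.cmdline.split() if tok.startswith("+")}
            path = QUOTED_PATH.search(e.cmdline)
            if "+h" in flags and path and path.group(1).lower().startswith("c:\\windows\\"):
                alerts.append(("hidden_windows_path", e.pid, f"{path.group(1)} {' '.join(sorted(flags))}"))

    # Hollowing needs both signals: writes into the child AND a thread-context change.
    for src, dst in sorted(ctx_pairs):
        if HOLLOW_HOSTS.match(image_of.get(dst, "")) and writes[(src, dst)]:
            alerts.append(("process_hollowing", src,
                           f"{image_of.get(src, '?')} -> {image_of[dst]} ({writes[(src, dst)]} writes)"))

    # Heavy writes without SetThreadContext: injection into an already running process.
    for (src, dst), n in sorted(writes.items()):
        if (src, dst) not in ctx_pairs and n >= WRITE_BURST:
            alerts.append(("cross_process_write_burst", src, f"{n} writes into {image_of.get(dst, '?')}"))
    return alerts


# --- constructed events modelled on the report's process tree (PIDs from the page) ---
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
NET_DIR = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
ATTRIB = r"C:\Windows\SysWOW64\attrib.exe"

SAMPLE_EVENTS: list[Event] = [
    Event("process_create", 2128, image=SAMPLE, cmdline=f'"{SAMPLE}"'),
    Event("process_create", 4136, image=VBC, cmdline=VBC),
    *[Event("write_process_memory", 2128, target_pid=4136) for _ in range(14)],
    Event("set_thread_context", 2128, target_pid=4136),
    Event("registry_set", 2128,
          reg_key=r"\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDefender",
          reg_value=r"C:\Users\Admin\AppData\Local\Temp\WinDefender.Exe"),
    Event("process_create", 2704, image=CMD, cmdline=f'"C:\\Windows\\System32\\cmd.exe" /k attrib "{VBC}" +s +h'),
    *[Event("write_process_memory", 4136, target_pid=2704) for _ in range(3)],
    Event("process_create", 1608, image=ATTRIB, cmdline=f'attrib "{VBC}" +s +h'),
    Event("process_create", 224, image=r"C:\Windows\SysWOW64\notepad.exe", cmdline="notepad"),
    *[Event("write_process_memory", 4136, target_pid=224) for _ in range(22)],
    Event("process_create", 4188, image=CMD, cmdline=f'"C:\\Windows\\System32\\cmd.exe" /k attrib "{NET_DIR}" +s +h'),
    *[Event("write_process_memory", 4136, target_pid=4188) for _ in range(3)],
    Event("process_create", 2492, image=ATTRIB, cmdline=f'attrib "{NET_DIR}" +s +h'),
    Event("process_create", 4124, image=r"C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher by AnjoCaido.exe"),
    *[Event("write_process_memory", 2128, target_pid=4124) for _ in range(3)],
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26} pid={pid:<5} {detail}")
```

The hollowing rule deliberately requires both the writes and the SetThreadContext call on the same parent/child pair; either signal alone is common in benign software (debuggers, CreateProcess itself), and the three writes the sandbox logs for each ordinary cmd.exe and attrib.exe launch stay below the burst threshold, so they produce nothing.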
Network
Downloads
- C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher by AnjoCaido.exe
  Filesize: 679KB
  MD5: 605a171c61a0607bdcf6be80ed07cf95
  SHA1: 477d4391b0d84406127e43ead289a3596ac1e5e5
  SHA256: 09b78dc85713ca0f27f17d94c939cc606a59847c1f2b5cdd281b52a48cdaeab9
  SHA512: 3b32197d76951d0e1cd7043758af9b33be12b30c03df00a3ef36078205fa95b1582f65bdf4437a1b879a922d2950868e905bcd2227ce3816d5437556b103d338
- memory/224-143-0x0000000000000000-mapping.dmp
- memory/1608-145-0x0000000000000000-mapping.dmp
- memory/2128-142-0x00000000750A0000-0x0000000075651000-memory.dmp (5.7MB)
- memory/2128-132-0x00000000750A0000-0x0000000075651000-memory.dmp (5.7MB)
- memory/2492-146-0x0000000000000000-mapping.dmp
- memory/2704-137-0x0000000000000000-mapping.dmp
- memory/4124-138-0x0000000000000000-mapping.dmp
- memory/4136-136-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
- memory/4136-135-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
- memory/4136-144-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
- memory/4136-134-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
- memory/4136-133-0x0000000000000000-mapping.dmp
- memory/4136-147-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
- memory/4188-141-0x0000000000000000-mapping.dmp