Analysis
max time kernel: 45s
max time network: 32s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2022 06:07
Static task: static1
Behavioral task: behavioral1
  Sample: bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe
  Resource: win10v2004-20221111-en
General
Target: bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe
Size: 519KB
MD5: 0a576752b14445994e436a13e1d5f010
SHA1: ee7a1f32ac798dfbb11657e20ed240590bf6ef0b
SHA256: bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e
SHA512: 704bdf6fb715d4b9579f6331e538c2bcdbea7b3c4541a1736838a632358fcbf3ca4070f6c5840636d3746507b7172332480b8669dbd602ea10662be54947e536
SSDEEP: 12288:yiATy7mBkza8SK0Gs1QEqAXIMco0MbW4GkRklOVd4:lATh6ly1zXhcabWuklOb4
Malware Config
Extracted
  Family: darkcomet
  Botnet: HaCkeD By mrChpap'
  C2: misteryou.zapto.org:1604
  Mutex: DC_MUTEX-ZEHUWKF
  InstallPath: SVCHOST\svchost.exe
  gencode: 0onH4gcghlfP
  install: true
  offline_keylogger: true
  persistence: true
  reg_key: svchost
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: cvtres.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\SVCHOST\\svchost.exe"

Executes dropped EXE (1 IoC)
  Process: svchost.exe (PID 896)

Loads dropped DLL (1 IoC)
  Process: cvtres.exe (PID 1764)

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: cvtres.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\SVCHOST\\svchost.exe"

Suspicious use of SetThreadContext (1 IoC)
  PID 1184 (bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe) set thread context of PID 1764 (cvtres.exe)

Drops file in Windows directory (2 IoCs)
  Process: bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe
  File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new
  File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new

Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe (PID 1184)

Suspicious use of AdjustPrivilegeToken (24 IoCs)
  PID 1184 (bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe): SeDebugPrivilege
  PID 1764 (cvtres.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, Token 33, Token 34, Token 35

Suspicious use of WriteProcessMemory (17 IoCs)
  PID 1184 (bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe) wrote to memory of PID 1764 (cvtres.exe): 13 entries
  PID 1764 (cvtres.exe) wrote to memory of PID 896 (svchost.exe): 4 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe"
   - Suspicious use of SetThreadContext
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      - Modifies WinLogon for persistence
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\SVCHOST\svchost.exe
         Command line: "C:\SVCHOST\svchost.exe"
         - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\SVCHOST\svchost.exe
  Filesize: 31KB
  MD5: ed797d8dc2c92401985d162e42ffa450
  SHA1: 0f02fc517c7facc4baefde4fe9467fb6488ebabe
  SHA256: b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
  SHA512: e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2
\SVCHOST\svchost.exe
  Filesize: 31KB
  MD5: ed797d8dc2c92401985d162e42ffa450
  SHA1: 0f02fc517c7facc4baefde4fe9467fb6488ebabe
  SHA256: b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
  SHA512: e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2
Memory dumps
memory/896-81-0x0000000000000000-mapping.dmp
memory/1184-74-0x0000000000BE5000-0x0000000000BF6000-memory.dmp  Filesize: 68KB
memory/1184-55-0x0000000074A60000-0x000000007500B000-memory.dmp  Filesize: 5.7MB
memory/1184-54-0x00000000767F1000-0x00000000767F3000-memory.dmp  Filesize: 8KB
memory/1184-77-0x0000000074A60000-0x000000007500B000-memory.dmp  Filesize: 5.7MB
memory/1184-76-0x0000000000BE5000-0x0000000000BF6000-memory.dmp  Filesize: 68KB
memory/1184-75-0x0000000074A60000-0x000000007500B000-memory.dmp  Filesize: 5.7MB
memory/1764-61-0x0000000000400000-0x00000000004BA000-memory.dmp  Filesize: 744KB
memory/1764-71-0x000000000048F888-mapping.dmp
memory/1764-70-0x0000000000400000-0x00000000004BA000-memory.dmp  Filesize: 744KB
memory/1764-72-0x0000000000400000-0x00000000004BA000-memory.dmp  Filesize: 744KB
memory/1764-68-0x0000000000400000-0x00000000004BA000-memory.dmp  Filesize: 744KB
memory/1764-66-0x0000000000400000-0x00000000004BA000-memory.dmp  Filesize: 744KB
memory/1764-65-0x0000000000400000-0x00000000004BA000-memory.dmp  Filesize: 744KB
memory/1764-63-0x0000000000400000-0x00000000004BA000-memory.dmp  Filesize: 744KB
memory/1764-78-0x0000000000400000-0x00000000004BA000-memory.dmp  Filesize: 744KB
memory/1764-79-0x0000000000400000-0x00000000004BA000-memory.dmp  Filesize: 744KB
memory/1764-59-0x0000000000400000-0x00000000004BA000-memory.dmp  Filesize: 744KB
memory/1764-57-0x0000000000400000-0x00000000004BA000-memory.dmp  Filesize: 744KB
memory/1764-56-0x0000000000400000-0x00000000004BA000-memory.dmp  Filesize: 744KB