Analysis
max time kernel: 152s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2022 06:07
Static task: static1
Behavioral task: behavioral1
  Sample: bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe
  Resource: win10v2004-20221111-en
General
Target: bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe
Size: 519KB
MD5: 0a576752b14445994e436a13e1d5f010
SHA1: ee7a1f32ac798dfbb11657e20ed240590bf6ef0b
SHA256: bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e
SHA512: 704bdf6fb715d4b9579f6331e538c2bcdbea7b3c4541a1736838a632358fcbf3ca4070f6c5840636d3746507b7172332480b8669dbd602ea10662be54947e536
SSDEEP: 12288:yiATy7mBkza8SK0Gs1QEqAXIMco0MbW4GkRklOVd4:lATh6ly1zXhcabWuklOb4
Malware Config
Extracted
Family: darkcomet
Botnet: HaCkeD By mrChpap'
C2: misteryou.zapto.org:1604
Mutex: DC_MUTEX-ZEHUWKF
InstallPath: SVCHOST\svchost.exe
gencode: 0onH4gcghlfP
install: true
offline_keylogger: true
persistence: true
reg_key: svchost
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: cvtres.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\SVCHOST\\svchost.exe"
Executes dropped EXE (1 IoC)
  Process: svchost.exe (PID 2088)
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: cvtres.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\SVCHOST\\svchost.exe"
Suspicious use of SetThreadContext (1 IoC)
  PID 4564 (bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe) set thread context of PID 2488 (cvtres.exe)
Drops file in Windows directory (2 IoCs)
  Process: bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe
  File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new
  File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new
Modifies registry class (1 IoC)
  Process: cvtres.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe (PID 4564)
Suspicious use of AdjustPrivilegeToken (25 IoCs)
  PID 4564 (bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe) token: SeDebugPrivilege
  PID 2488 (cvtres.exe) tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of WriteProcessMemory (17 IoCs)
  PID 4564 (bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe) wrote to memory of PID 2488 (cvtres.exe): 14 entries
  PID 2488 (cvtres.exe) wrote to memory of PID 2088 (svchost.exe): 3 entries
Processes
C:\Users\Admin\AppData\Local\Temp\bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe"
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (child process)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\SVCHOST\svchost.exe (child process)
      Command line: "C:\SVCHOST\svchost.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\SVCHOST\svchost.exe
  Filesize: 34KB
  MD5: e118330b4629b12368d91b9df6488be0
  SHA1: ce90218c7e3b90df2a3409ec253048bb6472c2fd
  SHA256: 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
  SHA512: ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0
memory/2088-139-0x0000000000000000-mapping.dmp
memory/2488-134-0x0000000000000000-mapping.dmp
memory/2488-135-0x0000000000400000-0x00000000004BA000-memory.dmp
  Filesize: 744KB
memory/2488-136-0x0000000000400000-0x00000000004BA000-memory.dmp
  Filesize: 744KB
memory/2488-137-0x0000000000400000-0x00000000004BA000-memory.dmp
  Filesize: 744KB
memory/2488-138-0x0000000000400000-0x00000000004BA000-memory.dmp
  Filesize: 744KB
memory/4564-132-0x0000000074EA0000-0x0000000075451000-memory.dmp
  Filesize: 5.7MB
memory/4564-133-0x0000000074EA0000-0x0000000075451000-memory.dmp
  Filesize: 5.7MB
memory/4564-142-0x0000000074EA0000-0x0000000075451000-memory.dmp
  Filesize: 5.7MB