Analysis
- max time kernel: 150s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 22:54

Tasks
- Static task: static1
- Behavioral task behavioral1: sample 4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b.exe, resource win7-20220812-en
- Behavioral task behavioral2: sample 4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b.exe, resource win10v2004-20221111-en

All process IDs, memory dumps and IoCs listed below are from behavioral1 (the Windows 7 x64 run); every memory dump path carries the behavioral1 prefix.
General
- Target: 4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b.exe
- Size: 922KB
- MD5: 012318a76ded2c3f07bc87951161e230
- SHA1: 36b461903b381fd4c9d411dd9ba2de6f447f0c02
- SHA256: 4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b
- SHA512: 7335849867e421fdf1ea669faeb36e6cbfe43eea369fbb494254634557c2a8c62dcc8e1d209d3b7ee7aa978b2aac2ec9bc7caab61bb290ab421d128fcf78f40c
- SSDEEP: 24576:FRmJkcoQricOIQxiZY1/a3c9gEsKvNyG/dT:KJZoQrbTFZY1/aMfvzFT
Malware Config
Extracted family: darkcomet
- Server ID (campaign): Zombie
- C2: crypto.zapto.org:10000 (zapto.org is a No-IP dynamic-DNS domain, so the host name rather than any resolved IP is the durable indicator)
- Mutex: DC_MUTEX-17A0K8Q
- gencode: d1zglQGL3Wry
- install: false
- offline_keylogger: true
- persistence: false

Note that install and persistence are both false in the DarkComet configuration, yet the run below shows the sample copying itself to %APPDATA%\Microsoft\BitLocker\BitLocker.exe and registering a Run key. Those actions are performed by the AutoIt-compiled outer executable (PIDs 1016 and 1200, both matched by the autoit_exe rule), not by the DarkComet payload, which is consistent with running only inside the hollowed svchost.exe (PID 892). offline_keylogger: true matches the SetWindowsHookEx activity seen from that svchost.exe.
Signatures
- Executes dropped EXE (1 IoC)
  Processes: BitLocker.exe, PID 1200
- Loads dropped DLL (1 IoC)
  Processes: 4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b.exe, PID 1016
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BitLocker Service = "C:\Users\Admin\AppData\Roaming\Microsoft\BitLocker\BitLocker.exe" by BitLocker.exe
  Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run by 4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BitLocker Service = "C:\Users\Admin\AppData\Roaming\Microsoft\BitLocker\BitLocker.exe" by 4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b.exe
  Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run by BitLocker.exe
  The value name "BitLocker Service" and the %APPDATA%\Microsoft\BitLocker\ directory imitate a Windows component; genuine BitLocker binaries live under C:\Windows\System32 and are not started from the HKLM Run key. The Wow6432Node path is the 32-bit view of the Run key written by a 32-bit process on this x64 image.
- AutoIT Executable (7 IoCs)
  AutoIT scripts compiled to PE executables. Matches for yara rule autoit_exe:
  behavioral1/memory/1016-55-0x0000000000400000-0x0000000000505000-memory.dmp
  \Users\Admin\AppData\Roaming\Microsoft\BitLocker\BitLocker.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\BitLocker\BitLocker.exe
  behavioral1/memory/1016-60-0x0000000000400000-0x0000000000505000-memory.dmp
  C:\Users\Admin\AppData\Roaming\Microsoft\BitLocker\BitLocker.exe
  behavioral1/memory/1200-62-0x0000000000400000-0x0000000000505000-memory.dmp
  behavioral1/memory/1200-73-0x0000000000400000-0x0000000000505000-memory.dmp
- Suspicious use of SetThreadContext (1 IoC)
  PID 1200 (BitLocker.exe) set thread context of PID 892 (svchost.exe)
  Together with the WriteProcessMemory calls from 1200 into 892 listed below, this is the process-hollowing / thread-hijack pattern: the loader starts a suspended svchost.exe, writes the payload into it and redirects the main thread.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for a DarkComet RAT it is equally consistent with drive enumeration for its file-manager functionality, so it should not be read as an encryption indicator on its own.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: BitLocker.exe, PID 1200 (64 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: BitLocker.exe, PID 1200
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: svchost.exe, PID 892, enabled the following token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  The last three are privilege LUIDs the sandbox did not resolve by name; in winnt.h 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Enabling every privilege present in the token, including SeDebugPrivilege, from a process named svchost.exe running in a user session is not something a legitimate service host does.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: svchost.exe, PID 892
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 1016 (4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b.exe) wrote to memory of PID 1200 (BitLocker.exe): 4 calls
  PID 1200 (BitLocker.exe) wrote to memory of PID 892 (svchost.exe): 6 calls
Processes
1. C:\Users\Admin\AppData\Local\Temp\4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b.exe (PID 1016)
   Command line: "C:\Users\Admin\AppData\Local\Temp\4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\BitLocker\BitLocker.exe (PID 1200), child of PID 1016
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\BitLocker\BitLocker.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\svchost.exe (PID 892), child of PID 1200
         Command line: "C:\Windows\SysWOW64\svchost.exe"
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx

The third process is the simplest thing to alert on: a legitimate svchost.exe is started by services.exe with a "-k <group>" argument, never with a bare command line and never with a parent under a user's AppData directory.
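The WriteProcessMemory and SetThreadContext signatures above are flattened one-line tables; the script below, an added example for this page and not part of the sandbox's output or of the sample, parses those event lines (copied verbatim from the report as constructed input), rebuilds the 1016 -> 1200 -> 892 injection chain, flags the edge that carries both APIs as hollowing, and turns the extracted config and Run-key data into host-independent hunt indicators. The %USERPROFILE% normalisation and the "under AppData" check are this example's own conventions, not fields the report provides.

```python
"""Reconstruct the injection chain and derive hunt indicators from the
flattened signature text of this report.

Added example for this page, not part of the sandbox's output or of the
sample. The event lines and config values are copied from the report;
nothing is fetched or executed."""
import re
from collections import Counter

# Constructed input: the WriteProcessMemory / SetThreadContext signature
# lines from the report, one event per line.
SIGNATURE_LINES = """\
PID 1016 wrote to memory of 1200 1016 4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b.exe BitLocker.exe
PID 1016 wrote to memory of 1200 1016 4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b.exe BitLocker.exe
PID 1016 wrote to memory of 1200 1016 4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b.exe BitLocker.exe
PID 1016 wrote to memory of 1200 1016 4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b.exe BitLocker.exe
PID 1200 wrote to memory of 892 1200 BitLocker.exe svchost.exe
PID 1200 wrote to memory of 892 1200 BitLocker.exe svchost.exe
PID 1200 wrote to memory of 892 1200 BitLocker.exe svchost.exe
PID 1200 wrote to memory of 892 1200 BitLocker.exe svchost.exe
PID 1200 wrote to memory of 892 1200 BitLocker.exe svchost.exe
PID 1200 wrote to memory of 892 1200 BitLocker.exe svchost.exe
PID 1200 set thread context of 892 1200 BitLocker.exe svchost.exe
"""

# Values as extracted on the page (Malware Config and Run-key signature).
REPORT_CONFIG = {
    "c2": "crypto.zapto.org:10000",
    "mutex": "DC_MUTEX-17A0K8Q",
    "run_key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    "run_value": "BitLocker Service",
    "run_data": r"C:\Users\Admin\AppData\Roaming\Microsoft\BitLocker\BitLocker.exe",
}

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)"
)


def parse_events(text):
    """One dict per sandbox event: API name, source/target PID and image names."""
    events = []
    for m in EVENT_RE.finditer(text):
        api = "WriteProcessMemory" if m["verb"].startswith("wrote") else "SetThreadContext"
        events.append({"api": api, "src": int(m["src"]), "dst": int(m["dst"]),
                       "src_image": m["src_image"], "dst_image": m["dst_image"]})
    return events


def injection_edges(events):
    """Aggregate events per (src_pid, dst_pid). An edge carrying both
    WriteProcessMemory and SetThreadContext is the hollowing / thread-hijack
    pattern; WriteProcessMemory alone from a parent into its child is not
    conclusive on its own."""
    edges = {}
    for e in events:
        edge = edges.setdefault((e["src"], e["dst"]), {
            "src_image": e["src_image"], "dst_image": e["dst_image"], "calls": Counter()})
        edge["calls"][e["api"]] += 1
    for edge in edges.values():
        edge["hollowing"] = bool(edge["calls"]["WriteProcessMemory"]
                                 and edge["calls"]["SetThreadContext"])
    return edges


def injection_chain(edges, root_pid):
    """Follow edges from the submitted sample's PID to the final target."""
    chain = [root_pid]
    while True:
        targets = [dst for (src, dst) in edges if src == chain[-1] and dst not in chain]
        if not targets:
            return chain
        chain.append(targets[0])


def hunt_iocs(cfg):
    """Host-independent indicators to pivot on, derived from the config."""
    host, port = cfg["c2"].rsplit(":", 1)
    # Replace the sandbox's user profile so the path matches any user (example convention).
    dropped = re.sub(r"^[A-Za-z]:\\Users\\[^\\]+", "%USERPROFILE%", cfg["run_data"])
    return {
        "c2_host": host, "c2_port": int(port),
        "mutex": cfg["mutex"],
        "run_value_name": cfg["run_value"],
        "run_value_data": dropped,
        # A Run value whose target lives under AppData is the user-writable
        # autostart this sample relies on.
        "run_value_under_appdata": "\\AppData\\" in cfg["run_data"],
    }


if __name__ == "__main__":
    edges = injection_edges(parse_events(SIGNATURE_LINES))
    for (src, dst), edge in edges.items():
        print(f"{src} ({edge['src_image']}) -> {dst} ({edge['dst_image']}): "
              f"{dict(edge['calls'])} hollowing={edge['hollowing']}")
    print("chain:", " -> ".join(map(str, injection_chain(edges, 1016))))
    print(hunt_iocs(REPORT_CONFIG))
```

Run as-is it prints the two edges (only 1200 -> 892 is marked as hollowing), the chain 1016 -> 1200 -> 892, and the indicator set; swap SIGNATURE_LINES and REPORT_CONFIG for another report's values to reuse it.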
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
Dropped files
- C:\Users\Admin\AppData\Roaming\Microsoft\BitLocker\BitLocker.exe
  Filesize: 922KB
  MD5: 012318a76ded2c3f07bc87951161e230
  SHA1: 36b461903b381fd4c9d411dd9ba2de6f447f0c02
  SHA256: 4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b
  SHA512: 7335849867e421fdf1ea669faeb36e6cbfe43eea369fbb494254634557c2a8c62dcc8e1d209d3b7ee7aa978b2aac2ec9bc7caab61bb290ab421d128fcf78f40c
- \Users\Admin\AppData\Roaming\Microsoft\BitLocker\BitLocker.exe (same file recorded under its drive-less path; identical size and hashes)

The dropped BitLocker.exe has exactly the same size and hashes as the submitted sample: the dropper copies itself unchanged to %APPDATA%\Microsoft\BitLocker\ and runs the copy, so a file-hash indicator for the original covers the persisted copy as well.

Memory dumps
- memory/892-63-0x0000000000400000-0x00000000004B1000-memory.dmp, 708KB
- memory/892-65-0x0000000000400000-0x00000000004B1000-memory.dmp, 708KB
- memory/892-66-0x00000000004AF1F6-mapping.dmp
- memory/892-69-0x0000000000400000-0x00000000004B1000-memory.dmp, 708KB
- memory/892-70-0x0000000000400000-0x00000000004B1000-memory.dmp, 708KB
- memory/892-71-0x0000000000400000-0x00000000004B1000-memory.dmp, 708KB
- memory/892-72-0x0000000000400000-0x00000000004B1000-memory.dmp, 708KB
- memory/1016-60-0x0000000000400000-0x0000000000505000-memory.dmp, 1.0MB
- memory/1016-55-0x0000000000400000-0x0000000000505000-memory.dmp, 1.0MB
- memory/1016-54-0x00000000756B1000-0x00000000756B3000-memory.dmp, 8KB
- memory/1200-57-0x0000000000000000-mapping.dmp
- memory/1200-62-0x0000000000400000-0x0000000000505000-memory.dmp, 1.0MB
- memory/1200-73-0x0000000000400000-0x0000000000505000-memory.dmp, 1.0MB

The 0x400000-0x505000 regions of PIDs 1016 and 1200 are the AutoIt-compiled executable image (matched by the autoit_exe rule above); the 0x400000-0x4B1000 regions of PID 892 are the image written into the hollowed svchost.exe and are the dumps to extract the DarkComet payload from.