Analysis
- max time kernel: 188s
- max time network: 210s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-12-2022 22:54 (6 December 2022; the sandbox image itself is dated 2022-11-11)
- Static task: static1
- Behavioral task: behavioral1, sample 4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b.exe, resource win7-20220812-en
- Behavioral task: behavioral2, sample 4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b.exe, resource win10v2004-20221111-en
The results below are from behavioral2 (Windows 10 2004, x64): the memory dump names carry the behavioral2/ prefix, and the Run key lands under WOW6432Node because the 32-bit sample runs on a 64-bit OS.
General
- Target: 4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b.exe
- Size: 922KB
- MD5: 012318a76ded2c3f07bc87951161e230
- SHA1: 36b461903b381fd4c9d411dd9ba2de6f447f0c02
- SHA256: 4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b
- SHA512: 7335849867e421fdf1ea669faeb36e6cbfe43eea369fbb494254634557c2a8c62dcc8e1d209d3b7ee7aa978b2aac2ec9bc7caab61bb290ab421d128fcf78f40c
- SSDEEP: 24576:FRmJkcoQricOIQxiZY1/a3c9gEsKvNyG/dT:KJZoQrbTFZY1/aMfvzFT
Malware Config
Extracted
- family: darkcomet
- botnet (campaign ID): Zombie
- C2: crypto.zapto.org:10000
- mutex: DC_MUTEX-17A0K8Q
- gencode: d1zglQGL3Wry
- install: false
- offline_keylogger: true
- persistence: false
The install and persistence flags describe the DarkComet stub's own installer and watchdog options, and both are off. The Run-key persistence recorded under Signatures is performed by the AutoIT wrapper processes (PIDs 5000 and 3612), not by the injected DarkComet payload in svchost.exe (PID 3068), so the config and the observed behaviour are consistent. offline_keylogger being on matches the SetWindowsHookEx call recorded for PID 3068. crypto.zapto.org is a dynamic-DNS hostname, so the resolved address can change between analyses; pivot on the hostname, mutex and gencode rather than on an IP.
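How a config like the one above is recovered, as an added example written for this page (not the sandbox's extractor and not code from the sample): DarkComet 5.x stubs keep their configuration as an RC4-encrypted, hex-encoded text block in a PE resource, and public decoders try a short list of per-version keys (the 5.1 key is "#KCMDDC51#-890", with the operator's password appended when one was set) and accept the candidate whose plaintext begins with the "#BEGIN DARKCOMET DATA" marker. The blob the script decodes is constructed inside the script from the values in this report; the field names (MUTEX, SID, NETDATA, GENCODE, INSTALL, PERSINST, OFFLINEK) follow DarkComet's KEY={value} layout, and the mapping of those fields onto the report's labels is this example's assumption.

```python
import re

# RC4 keys that public DarkComet decoders use per stub version. The prefix is
# constant per version; a build password, if the operator set one, is appended.
KNOWN_KEYS = {
    "5.1": b"#KCMDDC51#-890",
    "5.0": b"#KCMDDC5#-890",
    "4.2F": b"#KCMDDC42F#-890",
    "4.1": b"#KCMDDC4#-890",
}
CONFIG_MARKER = "#BEGIN DARKCOMET DATA"
FIELD_RE = re.compile(r"^([A-Z0-9]+)=\{(.*)\}$")

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def parse_fields(plaintext: str) -> dict:
    """Collect KEY={value} lines into a dict; marker and unknown lines are skipped."""
    fields = {}
    for line in plaintext.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def decode_dcdata(hex_blob: str, password: str = ""):
    """Try every known version key and accept the first plaintext that starts
    with the DarkComet marker. Returns (version, fields), or (None, {}) when
    no key (with the given password) produces a valid config."""
    raw = bytes.fromhex(hex_blob)
    for version, key in KNOWN_KEYS.items():
        text = rc4(key + password.encode(), raw).decode("latin-1")
        if text.startswith(CONFIG_MARKER):
            return version, parse_fields(text)
    return None, {}

def summarize(fields: dict) -> dict:
    """Map raw field names onto the labels the sandbox report uses. The mapping
    (SID -> botnet, NETDATA -> C2, OFFLINEK -> offline_keylogger,
    PERSINST -> persistence) is an assumption of this example."""
    host, _, port = fields.get("NETDATA", "").rpartition(":")
    return {
        "botnet": fields.get("SID"),
        "c2_host": host,
        "c2_port": int(port) if port.isdigit() else None,
        "mutex": fields.get("MUTEX"),
        "gencode": fields.get("GENCODE"),
        "install": fields.get("INSTALL") == "1",
        "offline_keylogger": fields.get("OFFLINEK") == "1",
        "persistence": fields.get("PERSINST") == "1",
    }

# CONSTRUCTED test vector: the values from this report written out in
# DarkComet's plaintext layout, encrypted with the 5.1 key and hex-encoded the
# way the config resource is stored. These are not bytes taken from the sample.
SAMPLE_PLAINTEXT = (
    "#BEGIN DARKCOMET DATA --\r\n"
    "MUTEX={DC_MUTEX-17A0K8Q}\r\n"
    "SID={Zombie}\r\n"
    "NETDATA={crypto.zapto.org:10000}\r\n"
    "GENCODE={d1zglQGL3Wry}\r\n"
    "INSTALL={0}\r\n"
    "PERSINST={0}\r\n"
    "OFFLINEK={1}\r\n"
    "#EOF DARKCOMET DATA --\r\n"
)
SAMPLE_BLOB = rc4(KNOWN_KEYS["5.1"], SAMPLE_PLAINTEXT.encode("latin-1")).hex().upper()

if __name__ == "__main__":
    version, fields = decode_dcdata(SAMPLE_BLOB)
    print("stub version:", version)
    for name, value in summarize(fields).items():
        print(f"{name:>18}: {value}")
```

On a real sample the hex text comes from the config resource of the unpacked stub, which in this report means the PID 3068 memory dumps rather than the AutoIT loader; if decoding with the bare key returns (None, {}), pass the operator's password as the second argument, since the keystream depends on it.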
Signatures
- Executes dropped EXE (1 IoC)
  PID 3612 BitLocker.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run, by the submitted sample (PID 5000)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BitLocker Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\BitLocker\\BitLocker.exe", by the submitted sample (PID 5000)
  Key created: same key, by BitLocker.exe (PID 3612)
  Set value (str): same value, by BitLocker.exe (PID 3612)
  Both the original sample and its dropped copy write the same value, so the autostart is in place even if only one of the two processes runs to completion. The value name "BitLocker Service" and the %AppData%\Microsoft\BitLocker path imitate a Windows component; the real BitLocker binaries live under C:\Windows\System32 and are not registered through HKLM\...\Run.
- AutoIT Executable (6 IoCs)
  AutoIT scripts compiled to PE executables. YARA rule autoit_exe matched:
  behavioral2/memory/5000-132-0x0000000000400000-0x0000000000505000-memory.dmp
  C:\Users\Admin\AppData\Roaming\Microsoft\BitLocker\BitLocker.exe
  behavioral2/memory/5000-136-0x0000000000400000-0x0000000000505000-memory.dmp
  C:\Users\Admin\AppData\Roaming\Microsoft\BitLocker\BitLocker.exe
  behavioral2/memory/3612-137-0x0000000000400000-0x0000000000505000-memory.dmp
  behavioral2/memory/3612-145-0x0000000000400000-0x0000000000505000-memory.dmp
  The AutoIT match covers only the outer executable (PIDs 5000 and 3612 and the dropped file); the svchost.exe image (PID 3068) does not match, which fits an AutoIT loader carrying the DarkComet stub as its payload. The compiled script can usually be recovered from such a file with an AutoIT decompiler, which is the quickest route to the loader's logic.
- Suspicious use of SetThreadContext (1 IoC)
  PID 3612 BitLocker.exe set thread context of PID 3068 svchost.exe
  Together with the WriteProcessMemory calls from 3612 into 3068 and the 708KB image at 0x400000-0x4B1000 in 3068 (the AutoIT image in 3612 occupies 0x400000-0x505000, 1.0MB), this is consistent with process hollowing: svchost.exe is started, its image is replaced with the DarkComet stub, and the main thread's context is pointed at the new entry point before it runs.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's signature text adds "Likely ransomware behaviour", but that is the generic description attached to this signature; nothing else in this report (no mass file writes, no ransom note, and an extracted DarkComet config) supports a ransomware reading. Drive enumeration is ordinary remote-access-tool behaviour (file browser, drive listing).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3612 BitLocker.exe, recorded 64 times
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3612 BitLocker.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  PID 3068 svchost.exe enabled: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the numeric LUIDs 33, 34, 35, 36 (left unresolved by the sandbox; in winnt.h these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege)
  Enabling the whole privilege set in one pass, rather than the one or two a task needs, is a start-up habit of off-the-shelf RATs. AdjustTokenPrivileges can only enable privileges the token already holds, so the sweep itself is not evidence of elevation; it does tell you the payload ran in an elevated (here, sandbox Admin) token.
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3068 svchost.exe (consistent with the offline keylogger enabled in the extracted config)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 5000 (submitted sample) wrote to memory of PID 3612 (BitLocker.exe), 3 times
  PID 3612 (BitLocker.exe) wrote to memory of PID 3068 (svchost.exe), 5 times
Processes
- PID 5000: C:\Users\Admin\AppData\Local\Temp\4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - PID 3612: C:\Users\Admin\AppData\Roaming\Microsoft\BitLocker\BitLocker.exe
    command line: C:\Users\Admin\AppData\Roaming\Microsoft\BitLocker\BitLocker.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    - PID 3068: C:\Windows\SysWOW64\svchost.exe
      command line: "C:\Windows\SysWOW64\svchost.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
The child svchost.exe is the 32-bit copy from SysWOW64, started by BitLocker.exe with no arguments; a legitimate svchost.exe is started by services.exe with a -k service-group argument, so the parent and the empty command line are each enough to flag this instance.
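The three behaviours that make this tree worth alerting on, as an added detection example (my code, not part of the report, run over constructed records that mirror the PIDs, paths and registry values above; the record fields are this example's own and not a specific EDR or Sysmon schema): a Run value that points into a user-writable directory, an svchost.exe whose parent is not services.exe, and a parent that writes into a child it created and then calls SetThreadContext on it. A legitimate svchost.exe and a benign Run value are included as negative controls.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

@dataclass(frozen=True)
class Process:
    pid: int
    image: str
    ppid: int

@dataclass(frozen=True)
class RegSet:
    pid: int
    key: str
    name: str
    data: str

@dataclass(frozen=True)
class ApiCall:
    pid: int
    api: str
    target_pid: int

RUN_KEY_SUFFIX = "\\microsoft\\windows\\currentversion\\run"
# Directories a standard user can write to; a Run value pointing here is the
# "drop self, autostart self" persistence this report shows.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

def _norm(path: str) -> str:
    # Strip quoting, collapse the doubled backslashes the sandbox prints, lowercase.
    return path.strip('"').replace("\\\\", "\\").lower()

def _basename(path: str) -> str:
    return PureWindowsPath(_norm(path)).name

def suspicious_run_keys(reg_events):
    """Run-key values whose command lives in a user-writable directory."""
    hits = []
    for ev in reg_events:
        if not _norm(ev.key).endswith(RUN_KEY_SUFFIX):
            continue
        if any(m in _norm(ev.data) for m in USER_WRITABLE_MARKERS):
            hits.append(("runkey_user_writable", ev.pid, ev.name, ev.data))
    return hits

def masquerading_svchost(procs):
    """svchost.exe whose parent is anything but services.exe."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if _basename(p.image) != "svchost.exe":
            continue
        parent = by_pid.get(p.ppid)
        parent_name = _basename(parent.image) if parent else None
        if parent_name != "services.exe":
            hits.append(("svchost_bad_parent", p.pid, parent_name))
    return hits

def hollowing_candidates(procs, api_events):
    """A process that writes into its own child and then resets the child's
    thread context: the sequence recorded as BitLocker.exe -> svchost.exe."""
    by_pid = {p.pid: p for p in procs}
    writers = {(e.pid, e.target_pid) for e in api_events if e.api == "WriteProcessMemory"}
    hits = []
    for e in api_events:
        if e.api != "SetThreadContext" or e.pid == e.target_pid:
            continue
        child = by_pid.get(e.target_pid)
        if child and child.ppid == e.pid and (e.pid, e.target_pid) in writers:
            hits.append(("hollowing", e.pid, e.target_pid, _basename(child.image)))
    return hits

def analyze(procs, reg_events, api_events):
    return (suspicious_run_keys(reg_events)
            + masquerading_svchost(procs)
            + hollowing_candidates(procs, api_events))

# CONSTRUCTED records modelled on the report's process tree and IoCs, plus a
# legitimate svchost.exe and a benign Run value as negative controls.
SAMPLE = "4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\BitLocker\BitLocker.exe"
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
PROCESSES = [
    Process(700, r"C:\Windows\System32\services.exe", 600),
    Process(900, r"C:\Windows\System32\svchost.exe", 700),
    Process(5000, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE, 1234),
    Process(3612, DROPPED, 5000),
    Process(3068, r"C:\Windows\SysWOW64\svchost.exe", 3612),
]
REG_EVENTS = [
    RegSet(5000, RUN_KEY, "BitLocker Service", DROPPED),
    RegSet(3612, RUN_KEY, "BitLocker Service", DROPPED),
    RegSet(4100, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
           "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]
API_EVENTS = [
    ApiCall(5000, "WriteProcessMemory", 3612),
    ApiCall(3612, "WriteProcessMemory", 3068),
    ApiCall(3612, "SetThreadContext", 3068),
]

if __name__ == "__main__":
    for finding in analyze(PROCESSES, REG_EVENTS, API_EVENTS):
        print(finding)
```

On a real host the same three checks map onto Sysmon Event ID 13 (registry value set), Event ID 1 (process create, with ParentImage) and Event ID 10 (process access); SetThreadContext is not logged as such, so key on a process-access event from the parent with write and suspend rights (PROCESS_VM_WRITE 0x20, PROCESS_VM_OPERATION 0x8, PROCESS_SUSPEND_RESUME 0x800) against a child it created moments earlier.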
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\BitLocker\BitLocker.exe (listed twice in the report with identical values; shown once)
  Filesize: 922KB
  MD5: 012318a76ded2c3f07bc87951161e230
  SHA1: 36b461903b381fd4c9d411dd9ba2de6f447f0c02
  SHA256: 4eb72e48cfb33c9acef07a2e751778c015017c596c853c457480fc4789ace93b
  SHA512: 7335849867e421fdf1ea669faeb36e6cbfe43eea369fbb494254634557c2a8c62dcc8e1d209d3b7ee7aa978b2aac2ec9bc7caab61bb290ab421d128fcf78f40c
  Size and all four hashes equal those of the submitted sample: the dropped file is a byte-for-byte self-copy, so a hash block on the submitted sample also covers the persisted copy.
- Memory dumps for PID 3068 (svchost.exe):
  memory/3068-138-0x0000000000000000-mapping.dmp
  memory/3068-139-0x0000000000400000-0x00000000004B1000-memory.dmp, 708KB
  memory/3068-141-0x0000000000400000-0x00000000004B1000-memory.dmp, 708KB
  memory/3068-142-0x0000000000400000-0x00000000004B1000-memory.dmp, 708KB
  memory/3068-143-0x0000000000400000-0x00000000004B1000-memory.dmp, 708KB
  memory/3068-144-0x0000000000400000-0x00000000004B1000-memory.dmp, 708KB
- Memory dumps for PID 3612 (BitLocker.exe):
  memory/3612-133-0x0000000000000000-mapping.dmp
  memory/3612-137-0x0000000000400000-0x0000000000505000-memory.dmp, 1.0MB
  memory/3612-145-0x0000000000400000-0x0000000000505000-memory.dmp, 1.0MB
- Memory dumps for PID 5000 (submitted sample):
  memory/5000-132-0x0000000000400000-0x0000000000505000-memory.dmp, 1.0MB
  memory/5000-136-0x0000000000400000-0x0000000000505000-memory.dmp, 1.0MB
The PID 3068 dumps hold the payload image written into the hollowed svchost.exe: 708KB at the same base 0x400000 but a different size from the 1.0MB AutoIT image in PIDs 5000 and 3612, and the only image here that did not match the autoit_exe rule. Those 139-144 dumps are the ones to carve for the DarkComet config resource and for strings or YARA work; the 5000 and 3612 dumps contain only the loader.