Analysis
max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2022 21:11
Static task: static1
Behavioral task: behavioral1
  Sample: cc0598c56a2723f4fb2d2d37fa29508fa7b14b28fa50e0eeac67b4102c9fd50d.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: cc0598c56a2723f4fb2d2d37fa29508fa7b14b28fa50e0eeac67b4102c9fd50d.exe
  Resource: win10v2004-20220901-en
General
Target: cc0598c56a2723f4fb2d2d37fa29508fa7b14b28fa50e0eeac67b4102c9fd50d.exe
Size: 769KB
MD5: ffc476cc5de1540f3e0d41d4b87b66c9
SHA1: fd8891cd1474bad8defe4f99386cb505b7f8b577
SHA256: cc0598c56a2723f4fb2d2d37fa29508fa7b14b28fa50e0eeac67b4102c9fd50d
SHA512: 0953fefc861cca9aa818079962990653815d93be50de058e50e1d5d668f2d3616679473aad677649401464882637b985d712ae5a8d3155f5993ed9cc93bc7f26
SSDEEP: 24576:LTvW/wxXSknYDkoR4HTaF1nP9tXGVnmpW:LTvW/wxTnYoTS1P6gpW
Malware Config
Extracted
Family: darkcomet
Botnet: XP
C2: fahimjan.no-ip.biz:1008
Mutex: DC_MUTEX-DSCVTSP
gencode: g901jEZ864Tb
install: false
offline_keylogger: true
persistence: false
Signatures
Executes dropped EXE (2 IoCs)
  PID 4788 wab32.exe
  PID 4588 DirectDB.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: cc0598c56a2723f4fb2d2d37fa29508fa7b14b28fa50e0eeac67b4102c9fd50d.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: wab32.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wab32.exe" (process: wab32.exe)
Suspicious use of SetThreadContext (2 IoCs)
  PID 1484 cc0598c56a2723f4fb2d2d37fa29508fa7b14b28fa50e0eeac67b4102c9fd50d.exe set thread context of PID 1628 AppLaunch.exe
  PID 4588 DirectDB.exe set thread context of PID 1412 AppLaunch.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1484 cc0598c56a2723f4fb2d2d37fa29508fa7b14b28fa50e0eeac67b4102c9fd50d.exe (29 entries)
  PID 4788 wab32.exe (21 entries)
  PID 4588 DirectDB.exe (14 entries)
Suspicious use of AdjustPrivilegeToken (51 IoCs)
  PID 1484 cc0598c56a2723f4fb2d2d37fa29508fa7b14b28fa50e0eeac67b4102c9fd50d.exe, Token: SeDebugPrivilege
  PID 1628 AppLaunch.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 4788 wab32.exe, Token: SeDebugPrivilege
  PID 4588 DirectDB.exe, Token: SeDebugPrivilege
  PID 1412 AppLaunch.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1628 AppLaunch.exe
Suspicious use of WriteProcessMemory (34 IoCs)
  PID 1484 cc0598c56a2723f4fb2d2d37fa29508fa7b14b28fa50e0eeac67b4102c9fd50d.exe wrote to memory of PID 1628 AppLaunch.exe (14 entries)
  PID 1484 cc0598c56a2723f4fb2d2d37fa29508fa7b14b28fa50e0eeac67b4102c9fd50d.exe wrote to memory of PID 4788 wab32.exe (3 entries)
  PID 4788 wab32.exe wrote to memory of PID 4588 DirectDB.exe (3 entries)
  PID 4588 DirectDB.exe wrote to memory of PID 1412 AppLaunch.exe (14 entries)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\cc0598c56a2723f4fb2d2d37fa29508fa7b14b28fa50e0eeac67b4102c9fd50d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cc0598c56a2723f4fb2d2d37fa29508fa7b14b28fa50e0eeac67b4102c9fd50d.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  Depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wab32.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wab32.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Users\Admin\AppData\Local\Temp\DirectDB.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DirectDB.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\DirectDB.exe
  Filesize: 769KB
  MD5: ffc476cc5de1540f3e0d41d4b87b66c9
  SHA1: fd8891cd1474bad8defe4f99386cb505b7f8b577
  SHA256: cc0598c56a2723f4fb2d2d37fa29508fa7b14b28fa50e0eeac67b4102c9fd50d
  SHA512: 0953fefc861cca9aa818079962990653815d93be50de058e50e1d5d668f2d3616679473aad677649401464882637b985d712ae5a8d3155f5993ed9cc93bc7f26
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wab32.exe
  Filesize: 19KB
  MD5: 50b774e30409d714dddd23e638629cf8
  SHA1: a6ae1975c08e993cf6ee0c340bc7027aed4cd751
  SHA256: 34517399a1b2ca0d2ecfa1cc866c1531ddab22fa7b3d414be88c4b6ee96dc457
  SHA512: 126b672a550c37376fcf9e99e43df16df92e34f89d583760ed12f268a0c7599298edd425d01f7ab421639ebaad50d4123005f187289130f018acb7a4de2f41d8
memory/1412-144-0x0000000000000000-mapping.dmp
memory/1484-134-0x00000000754A0000-0x0000000075A51000-memory.dmp (Filesize: 5.7MB)
memory/1484-149-0x00000000754A0000-0x0000000075A51000-memory.dmp (Filesize: 5.7MB)
memory/1628-136-0x0000000000400000-0x00000000004B4000-memory.dmp (Filesize: 720KB)
memory/1628-135-0x0000000000400000-0x00000000004B4000-memory.dmp (Filesize: 720KB)
memory/1628-133-0x0000000000400000-0x00000000004B4000-memory.dmp (Filesize: 720KB)
memory/1628-132-0x0000000000000000-mapping.dmp
memory/4588-141-0x0000000000000000-mapping.dmp
memory/4588-148-0x00000000754A0000-0x0000000075A51000-memory.dmp (Filesize: 5.7MB)
memory/4588-151-0x00000000754A0000-0x0000000075A51000-memory.dmp (Filesize: 5.7MB)
memory/4788-137-0x0000000000000000-mapping.dmp
memory/4788-143-0x00000000754A0000-0x0000000075A51000-memory.dmp (Filesize: 5.7MB)
memory/4788-150-0x00000000754A0000-0x0000000075A51000-memory.dmp (Filesize: 5.7MB)