Analysis
Max time kernel: 147s
Max time network: 174s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29-01-2023 21:59
Static task: static1
Behavioral task: behavioral1
  Sample: d554af13be05f937bf8445f164b2331f78c6d6caa0d8e6c7daa4b6306a41d630.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: d554af13be05f937bf8445f164b2331f78c6d6caa0d8e6c7daa4b6306a41d630.exe
  Resource: win10v2004-20220812-en
The signatures, process tree and dropped files below are from the win10v2004 x64 run (behavioral2); the win7 run is not shown on this page.
General
Target: d554af13be05f937bf8445f164b2331f78c6d6caa0d8e6c7daa4b6306a41d630.exe
Size: 723KB
MD5: 99bbae87448fa2afbe14f94c8c4d6c35
SHA1: 711df984d7b34528783726288bc40c412c2e96f2
SHA256: d554af13be05f937bf8445f164b2331f78c6d6caa0d8e6c7daa4b6306a41d630
SHA512: 2d8b67a9f4ecb2a82965901441a784557602e0005be5dfd3c022e135a3dee677f61f48f1301dd7111f4a54905854d81f4e2afec886e32b611fe742c26cd2832c
SSDEEP: 12288:1RZ+IoG/n9IQxW3OBsemwxbFzSq0JmNxJWK/sd5JazbuOg4mCOiu8pMbBi:92G/nvxW3WbNZvLQIzbu58Ojbdi
Malware Config
Extracted family: darkcomet
Botnet: Sazan
C2: 0.tcp.ngrok.io:19553
Mutex: DC_MUTEX-LQR29VS
InstallPath: MSDCSC\WindowsUpdater.exe
gencode: 90gqTdCABW5t
install: true
offline_keylogger: true
persistence: true
reg_key: WindowsUpdater

Note on the C2: 0.tcp.ngrok.io is the ingress host for free ngrok TCP tunnels, so the operator's real endpoint sits behind a reverse tunnel and the port (19553) is assigned per tunnel session and will change between builds or restarts. For detection, alert on connections to *.tcp.ngrok.io from hosts that have no business using ngrok, and on the DC_MUTEX-LQR29VS mutex and the MSDCSC\WindowsUpdater.exe install path, rather than on the port alone.
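The fields above are what a config extractor recovers from a DarkComet build. The example below is added here and is not part of the sandbox report or of any extractor the sandbox uses: it implements the round trip for a DarkComet 5.x-style config, where (per public write-ups of the family, assumed here and not shown on this page) the settings live as RC4-encrypted, hex-encoded KEY={VALUE} lines under a static key prefix "#KCMDDC51#-890" plus the builder password. The ciphertext is constructed inside the script from the values the report lists, so it runs offline; the sample's real resource is not on this page.

```python
"""
Added example (not from the sandbox report): decrypt and parse a
DarkComet 5.x-style configuration blob.

Assumptions (from public analyses of DarkComet 5.1, not from this page):
  * the config is an RC4-encrypted, hex-encoded resource,
  * the RC4 key is "#KCMDDC51#-890" followed by the builder password
    (empty for this constructed sample),
  * settings are KEY={VALUE} lines between BEGIN/EOF marker lines.
The ciphertext is constructed below from the report's extracted values.
"""
import binascii

DC51_KEY_PREFIX = b"#KCMDDC51#-890"   # assumed static prefix for v5.1 builds


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_config(hex_blob: str, password: str = "") -> str:
    """Hex-decode, RC4-decrypt with prefix+password, return the plaintext settings."""
    raw = rc4(DC51_KEY_PREFIX + password.encode(), binascii.unhexlify(hex_blob))
    return raw.decode("latin-1")


def parse_config(plain: str) -> dict:
    """Turn KEY={VALUE} lines into a dict; marker lines and junk are ignored."""
    cfg = {}
    for line in plain.splitlines():
        line = line.strip()
        if "={" in line and line.endswith("}"):
            k, v = line.split("={", 1)
            cfg[k] = v[:-1]
    return cfg


def normalise(cfg: dict) -> dict:
    """Map raw DarkComet keys (assumed names) to the field names the report prints."""
    host, _, port = cfg.get("NETDATA", "").rpartition(":")
    return {
        "mutex": cfg.get("MUTEX"),
        "c2_host": host,
        "c2_port": int(port) if port.isdigit() else None,
        "gencode": cfg.get("GENCODE"),
        "install": cfg.get("INSTALL") == "1",
        "install_path": cfg.get("EDTPATH"),
        "reg_key": cfg.get("KEYNAME"),
        "persistence": cfg.get("PERSINST") == "1",
        "offline_keylogger": cfg.get("OFFLINEK") == "1",
    }


# Constructed sample: plaintext built from the report's values, then RC4-encrypted
# with the assumed v5.1 key so the decrypt/parse path can be exercised offline.
_PLAIN = "\r\n".join([
    "#BEGIN DARKCOMET DATA --",
    "MUTEX={DC_MUTEX-LQR29VS}",
    "NETDATA={0.tcp.ngrok.io:19553}",
    "GENCODE={90gqTdCABW5t}",
    "INSTALL={1}",
    "EDTPATH={MSDCSC\\WindowsUpdater.exe}",
    "KEYNAME={WindowsUpdater}",
    "PERSINST={1}",
    "OFFLINEK={1}",
    "#EOF DARKCOMET DATA --",
])
SAMPLE_HEX = binascii.hexlify(rc4(DC51_KEY_PREFIX, _PLAIN.encode("latin-1"))).decode().upper()


def extract(hex_blob: str = SAMPLE_HEX, password: str = "") -> dict:
    """Full pipeline: hex -> RC4 -> KEY={VALUE} -> report-style fields."""
    return normalise(parse_config(decrypt_config(hex_blob, password)))


if __name__ == "__main__":
    for k, v in extract().items():
        print(f"{k:18} {v}")
```

Against a real binary the hex blob would come from the PE's resource section and the builder password, if any, has to be brute-forced or recovered from the stub; both steps are outside what this page shows.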
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: Spoofer.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\WindowsUpdater.exe"
The legitimate UserInit value is userinit.exe alone. Appending a second comma-separated path makes Winlogon launch the implant at every interactive logon, independently of the per-user Run key below, and it is a machine-wide (HKLM) setting, which the sample could only write because the sandbox user (Admin) had administrative rights. When remediating, restore the value to "C:\Windows\system32\userinit.exe," rather than deleting it.
Executes dropped EXE (3 IoCs)
  PID 4896  Spoofer1.exe
  PID 4704  Spoofer.exe
  PID 2320  WindowsUpdater.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  (d554af13be05f937bf8445f164b2331f78c6d6caa0d8e6c7daa4b6306a41d630.exe)
  Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  (Spoofer1.exe)
  Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  (Spoofer.exe)
Caveat: Geo\Nation is the key behind the ordinary user-locale APIs, and two of the three processes querying it are the WinRAR self-extractor stubs rather than the payload, so the "geofence" reading is low confidence unless the sample is seen to exit or branch on the value. Nothing in this report shows such a branch.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Windows\\system32\\MSDCSC\\WindowsUpdater.exe"  (Spoofer.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Windows\\system32\\MSDCSC\\WindowsUpdater.exe"  (WindowsUpdater.exe)
The value name matches the reg_key field of the extracted config, and the installed copy re-writes the key when it starts, so deleting the key alone does not remove persistence while WindowsUpdater.exe is still running.
Drops file in System32 directory (3 IoCs)
Process: Spoofer.exe
  File created C:\Windows\SysWOW64\MSDCSC\WindowsUpdater.exe
  File opened for modification C:\Windows\SysWOW64\MSDCSC\WindowsUpdater.exe
  File opened for modification C:\Windows\SysWOW64\MSDCSC\
Note the path mismatch: the registry values above point at C:\Windows\system32\MSDCSC\WindowsUpdater.exe, but the file was created under SysWOW64. The sample is 32-bit (it runs from C:\Windows\SysWOW64\cmd.exe and the resource tags list arch:x86), so the WOW64 file system redirector rewrites its System32 writes to SysWOW64, and the 32-bit launch paths in Winlogon and Run resolve to the same file. On a 64-bit host, collect the artifact from SysWOW64; a 64-bit tool that looks in C:\Windows\System32\MSDCSC will find nothing.
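The Winlogon, Run-key and dropped-file events above are the three persistence-related IoC lines a responder has to correlate. The script below is an added example, not part of the sandbox report and not a sandbox API: it parses those three lines exactly as the report prints them (copied in as constructed input), flags the UserInit hijack and the Run key, and normalises the System32/SysWOW64 spellings so the registry target can be matched to the file that was actually written. The regexes, finding names and helper functions are this example's own.

```python
r"""
Added example (not from the sandbox report): triage the registry and file
IoC lines printed for this sample and flag the persistence mechanisms.
Input lines are copied from the report's Signatures section; the parsing
regexes, finding names and WOW64 normalisation are this example's own.
"""
import re
from dataclasses import dataclass

IOC_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\WindowsUpdater.exe" Spoofer.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Windows\\system32\\MSDCSC\\WindowsUpdater.exe" Spoofer.exe',
    r'File created C:\Windows\SysWOW64\MSDCSC\WindowsUpdater.exe Spoofer.exe',
]

# "Set value (<type>) <key> = "<value>" <process>"; the key may contain spaces.
SET_VALUE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
FILE_CREATED = re.compile(r'^File created (.+?) (\S+)$')
# The only program Winlogon\UserInit should name.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


@dataclass
class Finding:
    kind: str
    process: str
    detail: str


def unescape(value: str) -> str:
    """The sandbox doubles backslashes inside quoted registry values."""
    return value.replace("\\\\", "\\")


def wow64_view(path: str) -> str:
    r"""A 32-bit process writing C:\Windows\System32 on 64-bit Windows is
    redirected to C:\Windows\SysWOW64; normalise to that spelling so registry
    strings written by the 32-bit sample match the file events."""
    return re.sub(r"(?i)\\windows\\system32\\", r"\\Windows\\SysWOW64\\", path)


def same_artifact(a: str, b: str) -> bool:
    """True if two paths name the same file once WOW64 redirection is applied."""
    return wow64_view(a).lower() == wow64_view(b).lower()


def triage(lines):
    findings = []
    for line in lines:
        m = SET_VALUE.match(line)
        if m:
            _, key, value, proc = m.groups()
            value = unescape(value)
            parts = key.lower().split("\\")
            if parts[-1] == "userinit" and parts[-2] == "winlogon":
                # Anything besides userinit.exe in this comma list runs at logon.
                extra = [p.strip() for p in value.split(",")
                         if p.strip() and p.strip().lower() != EXPECTED_USERINIT]
                if extra:
                    findings.append(Finding("userinit_hijack", proc, ";".join(extra)))
            elif parts[-2] == "run":
                value_name = key.rsplit("\\", 1)[-1]
                findings.append(Finding("run_key", proc, f"{value_name} -> {value}"))
            continue
        m = FILE_CREATED.match(line)
        if m:
            path, proc = m.groups()
            if re.search(r"(?i)\\windows\\(system32|syswow64)\\", path):
                findings.append(Finding("dropped_in_system_dir", proc, path))
    return findings


def implant_paths(findings):
    """Cross-check: which Run-key targets resolve to a file the sample dropped?"""
    run = [f.detail.split(" -> ", 1)[1] for f in findings if f.kind == "run_key"]
    drops = [f.detail for f in findings if f.kind == "dropped_in_system_dir"]
    return [(r, d) for r in run for d in drops if same_artifact(r, d)]


if __name__ == "__main__":
    found = triage(IOC_LINES)
    for f in found:
        print(f"{f.kind:24} {f.process:18} {f.detail}")
    for reg_path, disk_path in implant_paths(found):
        print(f"registry {reg_path} == disk {disk_path}")
```

The same parser can be pointed at a live host's exported Winlogon and Run values; the UserInit check is the one worth keeping in a baseline, since that value has exactly one legitimate content.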
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drives. The sandbox's rule text adds "likely ransomware behaviour", but that is the generic description of the rule, not a finding about this sample: nothing else in the report (no mass file modification, no dropped note) points to encryption, and drive enumeration is what a RAT does to inventory the host for its file-manager and USB-spreading features.
Modifies registry class (1 IoC)
Process: Spoofer.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Spoofer.exe (PID 4704) and WindowsUpdater.exe (PID 2320) each enabled the same 24 privileges in their own token, in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges with LUIDs 33, 34, 35 and 36 (on Windows 10 these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege).
Enabling every privilege present in the token in one sweep, instead of the one or two an operation needs, is a better detection signal than any single privilege. The set includes SeDebugPrivilege (access to processes owned by other users) and SeBackup/SeRestore (bypass of file ACLs); the trace does not show these being exercised, so treat them as capability, not observed action.
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2320  WindowsUpdater.exe
Only the installed copy sets a hook, which is consistent with offline_keylogger=true in the extracted config; the hook type and target thread are not shown in the report.
Suspicious use of WriteProcessMemory (17 IoCs)
Each entry reads "PID <parent> wrote to memory of <child>"; the sandbox logs one line per call, so most creations appear three times.
  4284 d554af13be05f937bf8445f164b2331f78c6d6caa0d8e6c7daa4b6306a41d630.exe -> 4280 cmd.exe  (logged 3 times)
  4280 cmd.exe -> 4896 Spoofer1.exe  (logged 3 times)
  4896 Spoofer1.exe -> 4704 Spoofer.exe  (logged 3 times)
  4704 Spoofer.exe -> 2320 WindowsUpdater.exe  (logged 3 times)
  2320 WindowsUpdater.exe -> 1316 iexplore.exe  (logged 3 times)
  2320 WindowsUpdater.exe -> 1440 explorer.exe  (logged 2 times)
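The 17 WriteProcessMemory lines are the raw material for the process tree further down. The script below is an added example, not part of the sandbox report: it takes those lines as the sandbox prints them (copied in as constructed input), collapses the repeated calls into unique parent/child edges with a count, and renders the chain from the root. The line format it parses is the one visible above; the functions are this example's own.

```python
"""
Added example (not from the sandbox report): rebuild the process chain from
WriteProcessMemory IoC lines of the form
    PID <ppid> wrote to memory of <cpid> <ppid> <parent.exe> <child.exe>
Repeated lines for the same pair are collapsed and counted. Input lines are
copied from the report; the parsing and rendering are this example's own.
"""
import re
from collections import OrderedDict

_SAMPLE = "d554af13be05f937bf8445f164b2331f78c6d6caa0d8e6c7daa4b6306a41d630.exe"
WPM_LINES = (
    [f"PID 4284 wrote to memory of 4280 4284 {_SAMPLE} cmd.exe"] * 3
    + ["PID 4280 wrote to memory of 4896 4280 cmd.exe Spoofer1.exe"] * 3
    + ["PID 4896 wrote to memory of 4704 4896 Spoofer1.exe Spoofer.exe"] * 3
    + ["PID 4704 wrote to memory of 2320 4704 Spoofer.exe WindowsUpdater.exe"] * 3
    + ["PID 2320 wrote to memory of 1316 2320 WindowsUpdater.exe iexplore.exe"] * 3
    + ["PID 2320 wrote to memory of 1440 2320 WindowsUpdater.exe explorer.exe"] * 2
)

# The parent PID is repeated after "of <cpid>", hence the \1 backreference.
LINE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")


def parse_edges(lines):
    """{(ppid, cpid): (parent_name, child_name, count)} in first-seen order."""
    edges = OrderedDict()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a WriteProcessMemory line
        ppid, cpid, pname, cname = m.groups()
        key = (int(ppid), int(cpid))
        pname0, cname0, n = edges.get(key, (pname, cname, 0))
        edges[key] = (pname0, cname0, n + 1)
    return edges


def build_tree(edges):
    """Return (roots, children-by-pid, names-by-pid)."""
    children, names = OrderedDict(), {}
    for (ppid, cpid), (pname, cname, _) in edges.items():
        children.setdefault(ppid, []).append(cpid)
        names[ppid], names[cpid] = pname, cname
    all_children = {c for cs in children.values() for c in cs}
    roots = [p for p in children if p not in all_children]
    return roots, children, names


def depth_of(lines, pid):
    """Depth of pid below the root (root = 0), or None if it never appears."""
    roots, children, _ = build_tree(parse_edges(lines))
    stack = [(r, 0) for r in roots]
    while stack:
        p, d = stack.pop()
        if p == pid:
            return d
        stack.extend((c, d + 1) for c in children.get(p, []))
    return None


def render(lines):
    """Indented text tree, one process per line, with the call count per edge."""
    edges = parse_edges(lines)
    roots, children, names = build_tree(edges)
    out = []

    def walk(pid, depth, count):
        suffix = f"  (x{count})" if count else ""
        out.append(f"{'  ' * depth}{pid} {names[pid]}{suffix}")
        for c in children.get(pid, []):
            walk(c, depth + 1, edges[(pid, c)][2])

    for r in roots:
        walk(r, 0, 0)
    return "\n".join(out)


if __name__ == "__main__":
    print(render(WPM_LINES))
```

A process creating and then writing into its own child is how a parent passes startup data, so the edge itself is not injection; what matters here is that the installed implant's children are iexplore.exe and explorer.exe, two hosts an analyst would otherwise treat as benign.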
Processes
1. C:\Users\Admin\AppData\Local\Temp\d554af13be05f937bf8445f164b2331f78c6d6caa0d8e6c7daa4b6306a41d630.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d554af13be05f937bf8445f164b2331f78c6d6caa0d8e6c7daa4b6306a41d630.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Spoofer2.bat" "
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\RarSFX0\Spoofer1.exe
         Command line: Spoofer1.exe -ptest -dC:\Users\Admin\AppData\Local\Temp
         - Executes dropped EXE
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\RarSFX1\Spoofer.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Spoofer.exe"
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Checks computer location settings
            - Adds Run key to start application
            - Drops file in System32 directory
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\MSDCSC\WindowsUpdater.exe
               Command line: "C:\Windows\system32\MSDCSC\WindowsUpdater.exe"
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory
               6. C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
               6. C:\Windows\explorer.exe
                  Command line: "C:\Windows\explorer.exe"

Reading the chain: RarSFX0 and RarSFX1 are the extraction directories of two nested WinRAR self-extracting archives. The outer SFX (the submitted sample) drops Spoofer2.bat (28 bytes) and Spoofer1.exe; the batch file runs the inner SFX with -ptest and -dC:\Users\Admin\AppData\Local\Temp, WinRAR's switches for the archive password ("test") and the extraction directory, so the payload sits in a password-protected archive and is not visible to static scanning of Spoofer1.exe. Spoofer.exe is the DarkComet build: it copies itself to MSDCSC\WindowsUpdater.exe (identical hashes in the Downloads list), sets the Winlogon and Run persistence, and starts the installed copy, which spawns iexplore.exe and explorer.exe and writes into both (the WriteProcessMemory entries above). The 32-bit paths (SysWOW64\cmd.exe, Program Files (x86)) confirm the whole chain runs under WOW64.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Spoofer1.exe
  Filesize: 594KB
  MD5: 72b0278cdf387b4a6f9d88cb49c300bd
  SHA1: 9f8fc1ef81acabfcced71c2ef4cc939a9f661d4c
  SHA256: 719757595e34756ec7921f18616705329d89decf0abac12c62008f26bbe1e314
  SHA512: 507db098dbb387bb35a37c3378f20856c132efb447f248159aac2b763fe46a32824242c991063cd9fa1c1b09c0a2a67d4e411954b6a907343d713189f1a50050
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Spoofer2.bat
  Filesize: 28B
  MD5: ae3a7b2a8b2e73eb2924f8e32953c097
  SHA1: d8e0f10d1700dfd048e70bd4ef22952033c0a17a
  SHA256: da3b56eec658808aaacdf2917280ac656fafaf746510d58917c97181c08dc1c0
  SHA512: fd58d2c8d876079814aab198d30508332eb4427dd0f084a8686669bf86e71ad4b30968dbfbcf3b65cef56a467561cac56254fd3c7e86490103c96810f8121499
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Spoofer.exe
  Filesize: 690KB
  MD5: 08ad2de1afdb29ff6341b747c2c6ee69
  SHA1: 5f3fa1dfc34a8739b8e137cf1c1cb7d62adc0f24
  SHA256: cc23c1104a969be4255c43200fd7ca4d1d81512f7d0d84a1205ed61e3b175770
  SHA512: a9bace8378722fc01dbc9eb56c6cee82cd9ff1c3b6e330b9f71fec190bef478ec5819a824dfc6c47c771f011bc05ff8c60384f6c2b7b106fa872f3b8e13f5ee6
C:\Windows\SysWOW64\MSDCSC\WindowsUpdater.exe
  Filesize: 690KB
  MD5: 08ad2de1afdb29ff6341b747c2c6ee69
  SHA1: 5f3fa1dfc34a8739b8e137cf1c1cb7d62adc0f24
  SHA256: cc23c1104a969be4255c43200fd7ca4d1d81512f7d0d84a1205ed61e3b175770
  SHA512: a9bace8378722fc01dbc9eb56c6cee82cd9ff1c3b6e330b9f71fec190bef478ec5819a824dfc6c47c771f011bc05ff8c60384f6c2b7b106fa872f3b8e13f5ee6
  The hashes are identical to RarSFX1\Spoofer.exe: the installed copy is a byte-for-byte copy of the extracted DarkComet build, so SHA256 cc23c1104a969be4255c43200fd7ca4d1d81512f7d0d84a1205ed61e3b175770 is the on-disk indicator for the implant, and the submitted sample's own hash only identifies this particular SFX wrapper.
Memory dumps (PID-sequence-base address):
  memory/1440-143-0x0000000000000000-mapping.dmp
  memory/2320-140-0x0000000000000000-mapping.dmp
  memory/4280-132-0x0000000000000000-mapping.dmp
  memory/4704-137-0x0000000000000000-mapping.dmp
  memory/4896-134-0x0000000000000000-mapping.dmp