Analysis
- max time kernel: 151s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 30-01-2023 04:29
Static task
- static1
Behavioral task
- behavioral1
  Sample: 2ca24c1e0fb9e88ff4227cdd9e1ad4138f16ed205ccd7da2e5efde99f56db15e.exe
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: 2ca24c1e0fb9e88ff4227cdd9e1ad4138f16ed205ccd7da2e5efde99f56db15e.exe
  Resource: win10v2004-20221111-en
General
- Target: 2ca24c1e0fb9e88ff4227cdd9e1ad4138f16ed205ccd7da2e5efde99f56db15e.exe
- Size: 1.6MB
- MD5: ef90e677a1fe066069f7d0eca00f2ae3
- SHA1: 5075ecff900debac18b2d134580f44babac4c3ab
- SHA256: 2ca24c1e0fb9e88ff4227cdd9e1ad4138f16ed205ccd7da2e5efde99f56db15e
- SHA512: 5b40b7daeb46887e93b43b11d2d5e5eea20fd34105de52ad01f41d34791475f7d5e26d249d329634831cdcaed6b910bf0a9726c81ed5202a1823b25f0a0e4876
- SSDEEP: 49152:5JZoQrbTFZY1iaY5r3DRpB1hJ5QpyR+pc:5trbTA1OrTRpB3J5Qpyec
Malware Config
Extracted
- Family: darkcomet
- Botnet: Pro
- C2: huyenluv.no-ip.biz:100
- Mutex: DC_MUTEX-Q3BWVNG
- gencode: 6s7WlMNw108w
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: rundll32.exe, rundll32.exe
  pid 904 rundll32.exe
  pid 1076 rundll32.exe
- Loads dropped DLL (2 IoCs)
  Processes: 2ca24c1e0fb9e88ff4227cdd9e1ad4138f16ed205ccd7da2e5efde99f56db15e.exe, rundll32.exe
  pid 1844 2ca24c1e0fb9e88ff4227cdd9e1ad4138f16ed205ccd7da2e5efde99f56db15e.exe
  pid 904 rundll32.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: rundll32.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Roaming\\rundll32.exe" (rundll32.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (rundll32.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Roaming\\rundll32.exe" (rundll32.exe)
  Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (rundll32.exe)
- AutoIT Executable (5 IoCs)
  AutoIT scripts compiled to PE executables.
  Resource / yara_rule:
  \Users\Admin\AppData\Roaming\rundll32.exe autoit_exe
  C:\Users\Admin\AppData\Roaming\rundll32.exe autoit_exe
  C:\Users\Admin\AppData\Roaming\rundll32.exe autoit_exe
  \Users\Admin\AppData\Roaming\rundll32.exe autoit_exe
  C:\Users\Admin\AppData\Roaming\rundll32.exe autoit_exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
  PID 904 set thread context of 1076 (904 rundll32.exe -> 1076 rundll32.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 2ca24c1e0fb9e88ff4227cdd9e1ad4138f16ed205ccd7da2e5efde99f56db15e.exe, rundll32.exe
  pid 1844 2ca24c1e0fb9e88ff4227cdd9e1ad4138f16ed205ccd7da2e5efde99f56db15e.exe (1 event)
  pid 904 rundll32.exe (remaining 63 events)
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: rundll32.exe (pid 1076)
  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: rundll32.exe (pid 1076)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 2ca24c1e0fb9e88ff4227cdd9e1ad4138f16ed205ccd7da2e5efde99f56db15e.exe, rundll32.exe
  PID 1844 wrote to memory of 904 (1844 2ca24c1e0fb9e88ff4227cdd9e1ad4138f16ed205ccd7da2e5efde99f56db15e.exe -> 904 rundll32.exe), 7 events
  PID 904 wrote to memory of 1076 (904 rundll32.exe -> 1076 rundll32.exe), 9 events
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\2ca24c1e0fb9e88ff4227cdd9e1ad4138f16ed205ccd7da2e5efde99f56db15e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ca24c1e0fb9e88ff4227cdd9e1ad4138f16ed205ccd7da2e5efde99f56db15e.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Roaming\rundll32.exe
    Command line: C:\Users\Admin\AppData\Roaming\rundll32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Users\Admin\AppData\Roaming\rundll32.exe
      Command line: "C:\Users\Admin\AppData\Roaming\rundll32.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\rundll32.exe
  Filesize: 1.6MB
  MD5: ef90e677a1fe066069f7d0eca00f2ae3
  SHA1: 5075ecff900debac18b2d134580f44babac4c3ab
  SHA256: 2ca24c1e0fb9e88ff4227cdd9e1ad4138f16ed205ccd7da2e5efde99f56db15e
  SHA512: 5b40b7daeb46887e93b43b11d2d5e5eea20fd34105de52ad01f41d34791475f7d5e26d249d329634831cdcaed6b910bf0a9726c81ed5202a1823b25f0a0e4876
- \Users\Admin\AppData\Roaming\rundll32.exe
  Filesize: 1.6MB
  MD5: ef90e677a1fe066069f7d0eca00f2ae3
  SHA1: 5075ecff900debac18b2d134580f44babac4c3ab
  SHA256: 2ca24c1e0fb9e88ff4227cdd9e1ad4138f16ed205ccd7da2e5efde99f56db15e
  SHA512: 5b40b7daeb46887e93b43b11d2d5e5eea20fd34105de52ad01f41d34791475f7d5e26d249d329634831cdcaed6b910bf0a9726c81ed5202a1823b25f0a0e4876
- memory/904-56-0x0000000000000000-mapping.dmp
- memory/1076-61-0x00000000000D0000-0x0000000000182000-memory.dmp (Filesize: 712KB)
- memory/1076-63-0x00000000000D0000-0x0000000000182000-memory.dmp (Filesize: 712KB)
- memory/1076-64-0x000000000015F888-mapping.dmp
- memory/1076-66-0x00000000000D0000-0x0000000000182000-memory.dmp (Filesize: 712KB)
- memory/1076-68-0x00000000000D0000-0x0000000000182000-memory.dmp (Filesize: 712KB)
- memory/1076-70-0x00000000000D0000-0x0000000000182000-memory.dmp (Filesize: 712KB)
- memory/1076-71-0x00000000000D0000-0x0000000000182000-memory.dmp (Filesize: 712KB)
- memory/1076-72-0x00000000000D0000-0x0000000000182000-memory.dmp (Filesize: 712KB)
- memory/1844-54-0x0000000075B41000-0x0000000075B43000-memory.dmp (Filesize: 8KB)