Analysis

max time kernel: 143s
max time network: 156s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 15/10/2023, 19:38

Static task: static1
Behavioral task: behavioral1
Sample: 5cc7988d8c232b5cf79f18a102783dc0_exe32.exe
Resource: win7-20230831-en
General

Target: 5cc7988d8c232b5cf79f18a102783dc0_exe32.exe (the file is named after its own MD5)
Size: 6.9MB
MD5: 5cc7988d8c232b5cf79f18a102783dc0
SHA1: 4885b54a9d4cb1ded609b2f08e7a04c93e515eba
SHA256: 34a7e2ae2fcc13123fc013b7848c4832879cc4095dd1a9abd4b51e7e4181d97c
SHA512: 667c13613502dcea3b1706b6cb06f5c91196bb830734bdce3f25628820e95f5424200dd47cf94938b6fca3c584b35ad27f391d7d23ac921ef388c60a692a7c65
SSDEEP: 6144:6t2Ic0GfHIUWA0rJ5b7gvq5eyzaM+zN00qFTaUfwUY2z9GAR2OWq7me:6t24G8fQtk+B00ODfXZGGWwme
Malware Config

Extracted (static configuration pulled out of the sample by the sandbox's DarkComet extractor)

family: darkcomet
campaign id (SID): Guest16 (the DarkComet builder default)
c2: 192.168.56.1:1604
mutex: DC_MUTEX-AZQPD9H
gencode: MRV9Pgf6cfGj
install: false
offline_keylogger: true
persistence: false

Reading the config: 192.168.56.1 is the default address of a VirtualBox host-only adapter, a private range that is not routable on the Internet, and 1604 is DarkComet's default listening port. This build was therefore pointed at a lab host rather than a live controller, which fits the absence of any network entries on this page. install=false and persistence=false agree with the behavioral run, where no installation or autorun signature fired; offline_keylogger=true means keystrokes are written to disk even with no controller connected, which is consistent with the SetWindowsHookEx signature on aha.exe below.
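How fields like the ones above get from a DarkComet binary into a report, shown as an added example (this is not the sandbox's extractor and not code from the page): DarkComet 5.x builds keep their configuration as a hex-encoded, RC4-encrypted block of KEY={value} text lines, keyed with a fixed builder string such as #KCMDDC51#-890. The key list, the hex/RC4 layout and the field names (SID, NETDATA, MUTEX, GENCODE, INSTALL, PERSINST, OFFLINEK) are taken from public decoders and are assumptions here, since the report does not say which DarkComet version built this sample. The encrypted sample inside the block is constructed from the values on this page and encrypted in-block so the example runs offline.

```python
"""Decode a DarkComet-style config blob into the fields a sandbox report lists.

Added example. Keys, layout and field names are assumptions based on public
DarkComet 5.x decoders, not something this report states.
"""
import ipaddress
import re
from typing import Any, Dict, List, Tuple

# Builder keys documented by public DarkComet decoders, newest first.
# Assumption: if the operator set a password, the builder appends it to the key.
CANDIDATE_KEYS = ["#KCMDDC51#-890", "#KCMDDC5#-890", "#KCMDDC42F#-890",
                  "#KCMDDC42#-890", "#KCMDDC4#-890", "#KCMDDC2#-890"]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


FIELD_RE = re.compile(r"^([A-Z0-9]+)=\{(.*)\}$")


def parse_config(text: str) -> Dict[str, Any]:
    """Map the decrypted KEY={value} lines onto the field names the report uses."""
    raw: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            raw[m.group(1)] = m.group(2)

    def flag(name: str) -> bool:
        return raw.get(name, "0") == "1"

    c2: List[Tuple[str, int]] = []
    for entry in raw.get("NETDATA", "").split("|"):  # several hosts may be '|'-separated
        if entry:
            host, _, port = entry.rpartition(":")
            c2.append((host, int(port)))
    return {
        "family": "darkcomet",
        "campaign_id": raw.get("SID"),
        "c2": c2,
        "mutex": raw.get("MUTEX"),
        "gencode": raw.get("GENCODE"),
        "install": flag("INSTALL"),
        "offline_keylogger": flag("OFFLINEK"),
        "persistence": flag("PERSINST"),
        "raw": raw,
    }


def decode_blob(hex_blob: str, keys=CANDIDATE_KEYS) -> Tuple[str, Dict[str, Any]]:
    """Try each builder key; accept the first decryption that looks like a config."""
    blob = bytes.fromhex(hex_blob.strip())
    for key in keys:
        plain = rc4(key.encode(), blob)
        try:
            text = plain.decode("ascii")
        except UnicodeDecodeError:
            continue
        if "MUTEX={" in text and "NETDATA={" in text:
            return key, parse_config(text)
    raise ValueError("no candidate key yields a plausible config")


def lab_only_c2(cfg: Dict[str, Any]) -> bool:
    """True when every C2 is a literal private address (e.g. 192.168.56.1, the
    VirtualBox host-only default), i.e. the build cannot reach an Internet controller."""
    if not cfg["c2"]:
        return False
    for host, _ in cfg["c2"]:
        try:
            if not ipaddress.ip_address(host).is_private:
                return False
        except ValueError:  # a hostname, which could resolve anywhere
            return False
    return True


# Constructed sample: the values this report extracted, written in the assumed
# layout and encrypted here with the first candidate key so the example runs
# offline. A real blob is read from the binary's DCDATA resource instead.
SAMPLE_PLAINTEXT = (
    "MUTEX={DC_MUTEX-AZQPD9H}\r\nSID={Guest16}\r\n"
    "NETDATA={192.168.56.1:1604}\r\nGENCODE={MRV9Pgf6cfGj}\r\n"
    "INSTALL={0}\r\nPERSINST={0}\r\nOFFLINEK={1}\r\n"
)
SAMPLE_HEX = rc4(CANDIDATE_KEYS[0].encode(), SAMPLE_PLAINTEXT.encode()).hex().upper()

if __name__ == "__main__":
    used_key, config = decode_blob(SAMPLE_HEX)
    print("key:", used_key)
    for name in ("campaign_id", "c2", "mutex", "gencode", "install",
                 "offline_keylogger", "persistence"):
        print(f"{name}: {config[name]}")
    print("lab-only C2:", lab_only_c2(config))
```

The key-trial loop is the part worth keeping: a decryption under the wrong key almost never yields printable ASCII containing both MUTEX={ and NETDATA={, so the plausibility check doubles as key identification without needing to know the builder version in advance. lab_only_c2 is the automated form of the 192.168.56.1 observation above: a config whose every controller is a private literal address is a test build, and its behavioral report should be read with that in mind.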
Signatures

Executes dropped EXE (2 IoCs)
  PID 2436  StubSoftware.exe
  PID 2604  aha.exe

Loads dropped DLL (2 IoCs)
  PID 2436  StubSoftware.exe
  PID 2436  StubSoftware.exe

UPX packed file (yara rule: upx)
  behavioral1/files/0x0009000000016c2b-15.dat
  behavioral1/files/0x0009000000016c2b-19.dat
  behavioral1/files/0x0009000000016c2b-17.dat
  behavioral1/memory/2604-25-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral1/files/0x0009000000016c2b-23.dat
  behavioral1/files/0x0009000000016c2b-29.dat
  behavioral1/memory/2604-30-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral1/memory/2604-34-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral1/memory/2604-36-0x0000000000400000-0x00000000004B7000-memory.dmp
  All four memory dumps belong to PID 2604 (aha.exe) and cover its image range 0x400000-0x4B7000, so the UPX-packed dropped file is the aha.exe stage; the five *.dat hits share one resource key (0x0009000000016c2b) and are the same file written under several names.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Opens file in notepad (likely ransom note) (1 IoC)
  PID 2724  NOTEPAD.EXE
  The "likely ransom note" wording is the sandbox's generic heuristic for any text file opened in Notepad by malware. DarkComet is a remote-access trojan, not ransomware, and the only small dropped file on this page is 41 bytes; a decoy text shown to the victim while the RAT starts is the more plausible reading, but the page does not show the contents of benikoy.txt, so treat this as unverified.
Suspicious use of AdjustPrivilegeToken (25 IoCs)
  PID 1188  5cc7988d8c232b5cf79f18a102783dc0_exe32.exe  SeDebugPrivilege
  PID 2436  StubSoftware.exe  SeDebugPrivilege
  PID 2604  aha.exe  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  Tokens 33, 34 and 35 are privilege LUIDs the sandbox did not name; those constants are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. aha.exe enabling 23 privileges at once is the pattern of AdjustTokenPrivileges called with every privilege present in its (administrator) token, not a targeted request; the two parent stages request only SeDebugPrivilege, the one that matters for opening other processes.
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2604  aha.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1188 (5cc7988d8c232b5cf79f18a102783dc0_exe32.exe) wrote to memory of PID 2436 (StubSoftware.exe), 4 times, procid_target 28
  PID 2436 (StubSoftware.exe) wrote to memory of PID 2604 (aha.exe), 4 times, procid_target 29
  PID 2436 (StubSoftware.exe) wrote to memory of PID 2724 (NOTEPAD.EXE), 4 times, procid_target 30
  Every write goes from a parent into a child it has just started, and four writes per child is also what an ordinary CreateProcess produces on this OS, so this signature on its own establishes the parent/child chain more than it proves code injection. The tell is the chain itself: three executables in %TEMP% each launching the next, with the final stage installing a Windows hook.
Processes

"C:\Users\Admin\AppData\Local\Temp\5cc7988d8c232b5cf79f18a102783dc0_exe32.exe"  PID 1188
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
  "C:\Users\Admin\AppData\Local\Temp\StubSoftware.exe"  PID 2436
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\aha.exe"  PID 2604
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\NOTEPAD.EXE  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\benikoy.txt  PID 2724
        Opens file in notepad (likely ransom note)

Reading the tree: the sample (stage 1) drops and runs StubSoftware.exe (stage 2), which drops and runs the UPX-packed DarkComet payload aha.exe (stage 3) and, in parallel, opens benikoy.txt in Notepad for the user to look at. The Notepad command line names C:\Windows\system32\NOTEPAD.EXE but the image that actually ran is C:\Windows\SysWOW64\NOTEPAD.EXE: that is WOW64 file-system redirection applied to a 32-bit parent, which confirms StubSoftware.exe is a 32-bit process on this x64 VM (the _exe32 suffix of the sample name says the same).
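The flattened signature rows above are easier to reason about as a tree and a per-process privilege count. The following added example (not part of the report; the PID table and the row subset are copied from this page) parses the WriteProcessMemory and AdjustPrivilegeToken rows, rebuilds the parent/child chain from who wrote into whom, names the numeric privilege LUIDs, and flags writers that hold SeDebugPrivilege or are themselves a written-into child. Treating the first writer into a PID as its parent is an assumption that holds for CreateProcess-time writes like these, not for injection into an already running process.

```python
"""Rebuild a process tree and privilege picture from flattened sandbox
signature rows. Added example; row formats follow the report above."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Process names from the report's "Processes" section (page data, not constructed).
PROCESSES = {
    1188: "5cc7988d8c232b5cf79f18a102783dc0_exe32.exe",
    2436: "StubSoftware.exe",
    2604: "aha.exe",
    2724: "NOTEPAD.EXE",
}

# A subset of the signature rows above, copied verbatim from the report.
# The sandbox repeats a "wrote to memory" row once per API call.
SIGNATURE_ROWS = """\
Token: SeDebugPrivilege 1188 5cc7988d8c232b5cf79f18a102783dc0_exe32.exe
Token: SeDebugPrivilege 2436 StubSoftware.exe
Token: SeDebugPrivilege 2604 aha.exe
Token: SeImpersonatePrivilege 2604 aha.exe
Token: SeLoadDriverPrivilege 2604 aha.exe
Token: 33 2604 aha.exe
PID 1188 wrote to memory of 2436 1188 5cc7988d8c232b5cf79f18a102783dc0_exe32.exe 28
PID 1188 wrote to memory of 2436 1188 5cc7988d8c232b5cf79f18a102783dc0_exe32.exe 28
PID 2436 wrote to memory of 2604 2436 StubSoftware.exe 29
PID 2436 wrote to memory of 2724 2436 StubSoftware.exe 30
"""

TOKEN_RE = re.compile(r"^Token:\s+(\S+)\s+(\d+)\s+(\S+)$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+\d+\s+(\S+)\s+\d+$")

# Privilege LUIDs the sandbox left numeric (standard SE_*_PRIVILEGE constants).
LUID_NAMES = {"33": "SeIncreaseWorkingSetPrivilege", "34": "SeTimeZonePrivilege",
              "35": "SeCreateSymbolicLinkPrivilege"}


def parse_rows(rows: str):
    """Return (privileges per pid, write counts per (src, dst), names learned from rows)."""
    privs: Dict[int, Set[str]] = defaultdict(set)
    writes: Counter = Counter()
    names: Dict[int, str] = {}
    for line in rows.splitlines():
        m = TOKEN_RE.match(line.strip())
        if m:
            priv, pid, name = m.groups()
            privs[int(pid)].add(LUID_NAMES.get(priv, priv))
            names[int(pid)] = name
            continue
        m = WRITE_RE.match(line.strip())
        if m:
            src, dst, name = int(m.group(1)), int(m.group(2)), m.group(3)
            writes[(src, dst)] += 1
            names[src] = name
    return privs, writes, names


def build_tree(writes: Counter, names: Dict[int, str]):
    """First writer into a pid is taken as its parent (assumption: CreateProcess-time writes)."""
    parent: Dict[int, int] = {}
    for (src, dst) in writes:
        parent.setdefault(dst, src)
    children: Dict[int, List[int]] = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    roots = sorted(p for p in names if p not in parent)
    return roots, children


def render_tree(roots, children, names, depth=0) -> List[str]:
    out = []
    for pid in roots:
        out.append("  " * depth + f"{names.get(pid, '?')} ({pid})")
        out.extend(render_tree(sorted(children.get(pid, [])), children, names, depth + 1))
    return out


def findings(privs, writes, names) -> List[Tuple[str, str, int, List[str]]]:
    """Flag cross-process writes whose writer holds SeDebugPrivilege or is itself
    a written-into child, i.e. a dropper -> stub -> payload chain."""
    written_into = {dst for (_, dst) in writes}
    result = []
    for (src, dst), n in sorted(writes.items()):
        reasons = []
        if "SeDebugPrivilege" in privs.get(src, ()):
            reasons.append("writer holds SeDebugPrivilege")
        if src in written_into:
            reasons.append("writer is itself a written-into child (chained stage)")
        result.append((names.get(src, "?"), names.get(dst, "?"), n, reasons))
    return result


def analyze(rows: str = SIGNATURE_ROWS, processes: Dict[int, str] = PROCESSES):
    privs, writes, names = parse_rows(rows)
    names = {**processes, **names}
    roots, children = build_tree(writes, names)
    return {
        "tree": render_tree(roots, children, names),
        "findings": findings(privs, writes, names),
        "privilege_counts": {names[p]: len(s) for p, s in privs.items()},
    }


if __name__ == "__main__":
    report = analyze()
    print("\n".join(report["tree"]))
    for src, dst, n, why in report["findings"]:
        print(f"{src} -> {dst}: {n} write(s); " + "; ".join(why))
    print(report["privilege_counts"])
```

The useful signal for triage is the second reason in findings: a process that was written into by its parent and then writes into a child of its own is a staged loader, whatever each individual WriteProcessMemory row proves. On a full report, feed the complete row set rather than the subset embedded here; the counts then match the 4/4/4 split shown in the Signatures section.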
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files; the original page repeats an entry for each path the same file was written to, collapsed here to the three distinct files, with no paths given on the page)

File 1: 344KB (listed 2 times)
  MD5: 1eddb798932c03c648f979280f1eaef0
  SHA1: 33aa6a523e7dcf606904da08fa05be7a124d1b63
  SHA256: e90a4265d7d5d8c487943578b6e3ee32cf24e0aad1c08e7a5493bc04f1fb45b0
  SHA512: 047e7115bc44b9b326b4f5aad88ab020025bfc5c13c937ba943fb166cb5c4fb544319787436d0df80a76616853b856fc1942a3dd96f94f32a2f447370d19e429

File 2: 251KB (listed 5 times)
  MD5: c2686a32d56b8cd68232cbcdcacb80dd
  SHA1: 075163408035986a03f81b0e355d39f2af516749
  SHA256: 4986b828079a0bda3cec1abecf91786d1b9c43ad8712c6784a517c10e6d5256a
  SHA512: e1be8a7f99c6e745462e3e01d1e5a3dc8581c08fda58d37e620abfd1817812134d59d557ee5ec52cef34823135e29831d165bc6f40bf2a03bfa79cbf891a3b77
  The five listings match the five behavioral1/files/0x0009000000016c2b-*.dat hits tagged upx in Signatures, so this is most likely the UPX-packed aha.exe stage; the page does not state the mapping, so confirm by hashing the file from a full dump.

File 3: 41B (listed once)
  MD5: fd7e8e2625a01067bda87e6d8ca5925a
  SHA1: 9758ba9764e2f2383a5a5d83eae5e7c56ac6d14d
  SHA256: 74169b65c8bcb49612b2473f1be2547ac7b6e6e4cd515850f3010a191a96e466
  SHA512: 40edde31b10e33d41c035998d4169eedbbc1711fca6a5a30a9676ddb756fce5ced7879ee3e91dd0d27c38402d45d8777199d1b8a8495c969d1af9277bc97a0f3
  A 41-byte text-sized file is the only candidate on this page for the benikoy.txt that Notepad opened; that is an inference from size, not something the report states.