Analysis
- max time kernel: 122s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24-12-2023 17:05
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 075448d611663baa510daefcb583469a.exe
  - Resource: win7-20231215-en
General
- Target: 075448d611663baa510daefcb583469a.exe
- Size: 548KB
- MD5: 075448d611663baa510daefcb583469a
- SHA1: c523655c92dbcc28b1a1fb2dd1f95e4333597f49
- SHA256: 6d0ce472e07e0bcedad9f932e82512e2f4dd3db90afa0b7004d736b4b7fe7672
- SHA512: 4caf88720b3d2306e2e006ca9bbc12373d9b088c09218c642feaf142023265fa9bbf0b057e86225adb8799b35d3070d9560709b198c4fea182b6047d161435ec
- SSDEEP: 12288:HC8+l4wxUipjq5+Mou292BPMusotX6rwzW6XVFJ04qp4OsYOhg59AoWmO:Kq292BPTf0npPv4mO
Malware Config
Extracted
- Family: darkcomet
- Botnet: Slave
- C2: darkcometramon.zapto.org:1604
- Mutex: DC_MUTEX-WACNQ32
- InstallPath: MSDCSC\Update.exe
- gencode: 1Zo5tGcdvz3w
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: WindowsUpdater
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes:
  - vbc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Update.exe"
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 2436 vbc.exe
  - PID 2836 Update.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  - PID 2668 075448d611663baa510daefcb583469a.exe
  - PID 2436 vbc.exe
- YARA rule upx matched (behavioral1), memory regions of PID 2436:
  - memory/2436-11-0x0000000000400000-0x00000000004B7000-memory.dmp
  - memory/2436-12-0x0000000000400000-0x00000000004B7000-memory.dmp
  - memory/2436-16-0x0000000000400000-0x00000000004B7000-memory.dmp
  - memory/2436-18-0x0000000000400000-0x00000000004B7000-memory.dmp
  - memory/2436-19-0x0000000000400000-0x00000000004B7000-memory.dmp
  - memory/2436-21-0x0000000000400000-0x00000000004B7000-memory.dmp
  - memory/2436-23-0x0000000000400000-0x00000000004B7000-memory.dmp
  - memory/2436-22-0x0000000000400000-0x00000000004B7000-memory.dmp
  - memory/2436-34-0x0000000000400000-0x00000000004B7000-memory.dmp
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - vbc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Update.exe"
  - 075448d611663baa510daefcb583469a.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\075448d611663baa510daefcb583469a.exe"
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 2668 (075448d611663baa510daefcb583469a.exe) set thread context of PID 2436 (vbc.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes:
  - PID 2436 vbc.exe enabled tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  - PID 2668 (075448d611663baa510daefcb583469a.exe) wrote to memory of PID 2436 (vbc.exe), 8 times
  - PID 2436 (vbc.exe) wrote to memory of PID 2836 (Update.exe), 7 times
Processes
- C:\Users\Admin\AppData\Local\Temp\075448d611663baa510daefcb583469a.exe (PID 2668), command line: "C:\Users\Admin\AppData\Local\Temp\075448d611663baa510daefcb583469a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\vbc.exe (PID 2436), command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe (PID 2836), command line: "C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  Filesize: 599KB
  MD5: 6dcc16b60b937c4369e029c55105f436
  SHA1: 99f56934b570f60253f006bc2a831ab19767c82c
  SHA256: 773a87e783703f39b4e63158a1dcfef35e4583f6dd62180a2a8d45ca8b191d20
  SHA512: 7e1352886d04f0822ed66c6120af155f2dd1fb2868d9516379ae8df08c78f8e2441ecece51fe5e54710cdc7da9a46f1ca0cea8e250b3eb77b4d73feda34b07ca
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  Filesize: 231KB
  MD5: 5d36a703b589ba58eb1d63eec2951d15
  SHA1: 73254a61c2f0bb36012eae547f6dcbee00ea54e4
  SHA256: a10940a8ff9c5956e63ce418595cf867030c29a2b9cc9fea10aad19887b60563
  SHA512: c8b8ef41fb4b59b2f86b7a4eadc1e9dd9cb984376b4c256a627e0d6eb62785d146095669e1a5704a6b2ed8619f655993ef54dda2a8feacaf1705bce7206a4e08
- C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
  Filesize: 167KB
  MD5: 2340e61d4874052d2d1d360f95b7a733
  SHA1: 3ff2bcbc4d2f919cc3b26ac55e2021afa2e81723
  SHA256: 4a110c574db45c64f6aa4106861e3b9873ec5aa127f2ba833e54fd9faf4f2a56
  SHA512: ad3347ce5040dc2cb9719672b1964068a29992fda5744824267f6825cfe39b47500a53b9f0d83ecbfa7a3d8f76a41933150bc2e1e83378af56a6842f53b11018
- C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
  Filesize: 444KB
  MD5: a53a95adcef19717a57f3901b198c265
  SHA1: 3e71962af0698c48e58febb4cbeb90dcef33e614
  SHA256: 7b9bb56bd1de872740e424ee3a450dbcd940faab42465851be7ad407024db1d4
  SHA512: aa04ecf6aec98653f115732245fffe0832d446fc0fae920a346133ddb2e5e4bb4a483078e090a914ff8b7a023693b42d409477f538dae9b112468b482a4ddc8c
- C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
  Filesize: 350KB
  MD5: 5a894af884e1f42f39abbe4e8b55acd7
  SHA1: 06430df9e49bc099c83f7005752ee83a8a754ff7
  SHA256: 173d37af32b02f2d1274a7e6de8093a61e9037f5ef85dc2c7eff11ee6b8242ab
  SHA512: 6c941d5130f029039a12ce8da019737c7784c685c68a1776b57aeaddb3cd9b1f1a4e2c54c0c00181b10877a72fffc08fbb8eac31fa6f7259b7da04314629f44e
- \Users\Admin\AppData\Local\Temp\vbc.exe
  Filesize: 986KB
  MD5: 76a48c74b566a995edd6fd2a5c45e6e6
  SHA1: 1eed56446df3c465a2a8cf2167dd75822a990e19
  SHA256: 70e16fb0ee9014a105fbf3e103e303fb2ab885457d7b3654a4d18eac0e6a8f6a
  SHA512: 418b18cfad96fc0008f6060a7d16b030f9bd0ed3bdc58f87a18d2ac82ec6e0aa0bc758991cafda172aff9fc68ee90ba3aa2b06d0cedb26f531eb07064e1d2bc9
- \Users\Admin\AppData\Roaming\MSDCSC\Update.exe
  Filesize: 361KB
  MD5: 970a1ee386d518de3dba0b1720ba17f8
  SHA1: 41a0fb50674d9ef42aaca180d27224c987c8b676
  SHA256: 256e21e0e69d751cdbc5c7ea77b52e91533fdccec442f2aa9dd353ed97545073
  SHA512: fe5717a6b7bc1fe6294b0a25d65d97e3949300a162f70a992f495f19f297b5031934f98b26f8adeb5cec17987b7ad201c142046d4297ef9bee07bcf76f016b65
Memory dumps (region: Filesize)
- memory/2436-19-0x0000000000400000-0x00000000004B7000-memory.dmp: 732KB
- memory/2436-12-0x0000000000400000-0x00000000004B7000-memory.dmp: 732KB
- memory/2436-18-0x0000000000400000-0x00000000004B7000-memory.dmp: 732KB
- memory/2436-34-0x0000000000400000-0x00000000004B7000-memory.dmp: 732KB
- memory/2436-9-0x0000000000400000-0x00000000004B7000-memory.dmp: 732KB
- memory/2436-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
- memory/2436-21-0x0000000000400000-0x00000000004B7000-memory.dmp: 732KB
- memory/2436-23-0x0000000000400000-0x00000000004B7000-memory.dmp: 732KB
- memory/2436-24-0x00000000002D0000-0x00000000002D1000-memory.dmp: 4KB
- memory/2436-22-0x0000000000400000-0x00000000004B7000-memory.dmp: 732KB
- memory/2436-16-0x0000000000400000-0x00000000004B7000-memory.dmp: 732KB
- memory/2436-11-0x0000000000400000-0x00000000004B7000-memory.dmp: 732KB
- memory/2668-20-0x0000000074C90000-0x000000007523B000-memory.dmp: 5.7MB
- memory/2668-2-0x0000000000360000-0x00000000003A0000-memory.dmp: 256KB
- memory/2668-1-0x0000000074C90000-0x000000007523B000-memory.dmp: 5.7MB
- memory/2668-0-0x0000000074C90000-0x000000007523B000-memory.dmp: 5.7MB