Analysis
max time kernel: 121s
max time network: 138s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2023 05:17
Static task: static1
Behavioral task: behavioral1
  Sample: 075448d611663baa510daefcb583469a.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 075448d611663baa510daefcb583469a.exe
  Resource: win10v2004-20231215-en
General
Target: 075448d611663baa510daefcb583469a.exe
Size: 548KB
MD5: 075448d611663baa510daefcb583469a
SHA1: c523655c92dbcc28b1a1fb2dd1f95e4333597f49
SHA256: 6d0ce472e07e0bcedad9f932e82512e2f4dd3db90afa0b7004d736b4b7fe7672
SHA512: 4caf88720b3d2306e2e006ca9bbc12373d9b088c09218c642feaf142023265fa9bbf0b057e86225adb8799b35d3070d9560709b198c4fea182b6047d161435ec
SSDEEP: 12288:HC8+l4wxUipjq5+Mou292BPMusotX6rwzW6XVFJ04qp4OsYOhg59AoWmO:Kq292BPTf0npPv4mO
Malware Config
Extracted
darkcomet
Slave
darkcometramon.zapto.org:1604
DC_MUTEX-WACNQ32
InstallPath: MSDCSC\Update.exe
gencode: 1Zo5tGcdvz3w
install: true
offline_keylogger: true
persistence: false
reg_key: WindowsUpdater
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: vbc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Update.exe" | vbc.exe
Executes dropped EXE (2 IoCs)
Processes: vbc.exe, Update.exe
  pid | process
  2748 | vbc.exe
  2744 | Update.exe
Loads dropped DLL (2 IoCs)
Processes: 075448d611663baa510daefcb583469a.exe, vbc.exe
  pid | process
  3016 | 075448d611663baa510daefcb583469a.exe
  2748 | vbc.exe
Processes:
  resource | yara_rule
  behavioral1/memory/2748-18-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2748-19-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2748-16-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2748-13-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2748-21-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2748-11-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2748-23-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2748-24-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2748-22-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2748-35-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 075448d611663baa510daefcb583469a.exe, vbc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\075448d611663baa510daefcb583469a.exe" | 075448d611663baa510daefcb583469a.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Update.exe" | vbc.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: 075448d611663baa510daefcb583469a.exe
  description | pid | process | target process
  PID 3016 set thread context of 2748 | 3016 | 075448d611663baa510daefcb583469a.exe | vbc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes: vbc.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 2748 | vbc.exe
  Token: SeSecurityPrivilege | 2748 | vbc.exe
  Token: SeTakeOwnershipPrivilege | 2748 | vbc.exe
  Token: SeLoadDriverPrivilege | 2748 | vbc.exe
  Token: SeSystemProfilePrivilege | 2748 | vbc.exe
  Token: SeSystemtimePrivilege | 2748 | vbc.exe
  Token: SeProfSingleProcessPrivilege | 2748 | vbc.exe
  Token: SeIncBasePriorityPrivilege | 2748 | vbc.exe
  Token: SeCreatePagefilePrivilege | 2748 | vbc.exe
  Token: SeBackupPrivilege | 2748 | vbc.exe
  Token: SeRestorePrivilege | 2748 | vbc.exe
  Token: SeShutdownPrivilege | 2748 | vbc.exe
  Token: SeDebugPrivilege | 2748 | vbc.exe
  Token: SeSystemEnvironmentPrivilege | 2748 | vbc.exe
  Token: SeChangeNotifyPrivilege | 2748 | vbc.exe
  Token: SeRemoteShutdownPrivilege | 2748 | vbc.exe
  Token: SeUndockPrivilege | 2748 | vbc.exe
  Token: SeManageVolumePrivilege | 2748 | vbc.exe
  Token: SeImpersonatePrivilege | 2748 | vbc.exe
  Token: SeCreateGlobalPrivilege | 2748 | vbc.exe
  Token: 33 | 2748 | vbc.exe
  Token: 34 | 2748 | vbc.exe
  Token: 35 | 2748 | vbc.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 075448d611663baa510daefcb583469a.exe, vbc.exe
  description | pid | process | target process
  PID 3016 wrote to memory of 2748 | 3016 | 075448d611663baa510daefcb583469a.exe | vbc.exe
  PID 3016 wrote to memory of 2748 | 3016 | 075448d611663baa510daefcb583469a.exe | vbc.exe
  PID 3016 wrote to memory of 2748 | 3016 | 075448d611663baa510daefcb583469a.exe | vbc.exe
  PID 3016 wrote to memory of 2748 | 3016 | 075448d611663baa510daefcb583469a.exe | vbc.exe
  PID 3016 wrote to memory of 2748 | 3016 | 075448d611663baa510daefcb583469a.exe | vbc.exe
  PID 3016 wrote to memory of 2748 | 3016 | 075448d611663baa510daefcb583469a.exe | vbc.exe
  PID 3016 wrote to memory of 2748 | 3016 | 075448d611663baa510daefcb583469a.exe | vbc.exe
  PID 3016 wrote to memory of 2748 | 3016 | 075448d611663baa510daefcb583469a.exe | vbc.exe
  PID 2748 wrote to memory of 2744 | 2748 | vbc.exe | Update.exe
  PID 2748 wrote to memory of 2744 | 2748 | vbc.exe | Update.exe
  PID 2748 wrote to memory of 2744 | 2748 | vbc.exe | Update.exe
  PID 2748 wrote to memory of 2744 | 2748 | vbc.exe | Update.exe
  PID 2748 wrote to memory of 2744 | 2748 | vbc.exe | Update.exe
  PID 2748 wrote to memory of 2744 | 2748 | vbc.exe | Update.exe
  PID 2748 wrote to memory of 2744 | 2748 | vbc.exe | Update.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\075448d611663baa510daefcb583469a.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\075448d611663baa510daefcb583469a.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\vbc.exe
      command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
         command line: "C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe"
         - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
  filename | filesize
  memory/2748-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp | 4KB
  memory/2748-24-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB
  memory/2748-35-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB
  memory/2748-9-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB
  memory/2748-13-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB
  memory/2748-22-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB
  memory/2748-19-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB
  memory/2748-21-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB
  memory/2748-25-0x0000000000250000-0x0000000000251000-memory.dmp | 4KB
  memory/2748-18-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB
  memory/2748-16-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB
  memory/2748-11-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB
  memory/2748-23-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB
  memory/3016-2-0x0000000000A20000-0x0000000000A60000-memory.dmp | 256KB
  memory/3016-1-0x0000000074610000-0x0000000074BBB000-memory.dmp | 5.7MB
  memory/3016-20-0x0000000074610000-0x0000000074BBB000-memory.dmp | 5.7MB
  memory/3016-0-0x0000000074610000-0x0000000074BBB000-memory.dmp | 5.7MB