Analysis
max time kernel: 28s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26-12-2023 04:25

Static task: static1
Behavioral task: behavioral1
Sample: 53f9da2780b6f5a90cfa960a7ba80eef.exe
Resource: win7-20231215-en
General
Target: 53f9da2780b6f5a90cfa960a7ba80eef.exe
Size: 1.3MB
MD5: 53f9da2780b6f5a90cfa960a7ba80eef
SHA1: 797377e262f78ebcbb50203a286fdcbc76b45e81
SHA256: 4764430a1dcd759ca63408103232d28a82c2e1ae3c1cc29a536fecdee9171fb3
SHA512: bced0651108eecdad60f6b9291e065877f9b7b43ae5edbf659d6028c192de918f11e8d6019cc5e287f9036f33825c52f5b34fce58d4d76f02c834aa16dfdaa41
SSDEEP: 24576:Vt3Neacap5W/4UHRY2FhJvQywVLjaGVOUN6nyhkHgKU6Y:VtUaAwls+9j4HgK
Malware Config
Extracted
Family: darkcomet
slave
C2: ratting.no-ip.org:1605
Mutex: DC_MUTEX-Q21PSYS
gencode: 3xN2KEijP0Bj
install: false
offline_keylogger: true
password: darkcomet
persistence: false
Signatures

Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes (pid, process):
  2680 attrib.exe
  2216 attrib.exe

Executes dropped EXE (1 IoCs)
Processes (pid, process):
  2624 Crypted.exe

Loads dropped DLL (2 IoCs)
Processes (pid, process):
  1488 53f9da2780b6f5a90cfa960a7ba80eef.exe
  1488 53f9da2780b6f5a90cfa960a7ba80eef.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes (description, pid, process):
  Token: SeIncreaseQuotaPrivilege  2624 Crypted.exe
  Token: SeSecurityPrivilege  2624 Crypted.exe
  Token: SeTakeOwnershipPrivilege  2624 Crypted.exe
  Token: SeLoadDriverPrivilege  2624 Crypted.exe
  Token: SeSystemProfilePrivilege  2624 Crypted.exe
  Token: SeSystemtimePrivilege  2624 Crypted.exe
  Token: SeProfSingleProcessPrivilege  2624 Crypted.exe
  Token: SeIncBasePriorityPrivilege  2624 Crypted.exe
  Token: SeCreatePagefilePrivilege  2624 Crypted.exe
  Token: SeBackupPrivilege  2624 Crypted.exe
  Token: SeRestorePrivilege  2624 Crypted.exe
  Token: SeShutdownPrivilege  2624 Crypted.exe
  Token: SeDebugPrivilege  2624 Crypted.exe
  Token: SeSystemEnvironmentPrivilege  2624 Crypted.exe
  Token: SeChangeNotifyPrivilege  2624 Crypted.exe
  Token: SeRemoteShutdownPrivilege  2624 Crypted.exe
  Token: SeUndockPrivilege  2624 Crypted.exe
  Token: SeManageVolumePrivilege  2624 Crypted.exe
  Token: SeImpersonatePrivilege  2624 Crypted.exe
  Token: SeCreateGlobalPrivilege  2624 Crypted.exe
  Token: 33  2624 Crypted.exe
  Token: 34  2624 Crypted.exe
  Token: 35  2624 Crypted.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid, process):
  2624 Crypted.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes (description, pid, process, target process; each pair was recorded 4 times):
  PID 1488 wrote to memory of 2624  1488 53f9da2780b6f5a90cfa960a7ba80eef.exe -> Crypted.exe  (4 events)
  PID 2624 wrote to memory of 2664  2624 Crypted.exe -> cmd.exe  (4 events)
  PID 2624 wrote to memory of 2628  2624 Crypted.exe -> cmd.exe  (4 events)
  PID 2664 wrote to memory of 2680  2664 cmd.exe -> attrib.exe  (4 events)
  PID 2628 wrote to memory of 2216  2628 cmd.exe -> attrib.exe  (4 events)

Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes (pid, process):
  2216 attrib.exe
  2680 attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\53f9da2780b6f5a90cfa960a7ba80eef.exe  (PID 1488)
  Command line: "C:\Users\Admin\AppData\Local\Temp\53f9da2780b6f5a90cfa960a7ba80eef.exe"
  Loads dropped DLL
  Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Crypted.exe  (PID 2624)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
    Executes dropped EXE
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 2628)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 2664)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Crypted.exe" +s +h
      Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\taskmgr.exe  (PID 2992)
    Command line: taskmgr.exe

C:\Windows\SysWOW64\attrib.exe  (PID 2216)
  Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  Sets file to hidden
  Views/modifies file attributes

C:\Windows\SysWOW64\attrib.exe  (PID 2680)
  Command line: attrib "C:\Users\Admin\AppData\Local\Temp\Crypted.exe" +s +h
  Sets file to hidden
  Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
memory/1488-16-0x0000000074B10000-0x00000000750BB000-memory.dmp  Filesize: 5.7MB
memory/1488-2-0x0000000000290000-0x00000000002D0000-memory.dmp  Filesize: 256KB
memory/1488-1-0x0000000074B10000-0x00000000750BB000-memory.dmp  Filesize: 5.7MB
memory/1488-0-0x0000000074B10000-0x00000000750BB000-memory.dmp  Filesize: 5.7MB
memory/1488-18-0x0000000000290000-0x00000000002D0000-memory.dmp  Filesize: 256KB
memory/1488-15-0x0000000074B10000-0x00000000750BB000-memory.dmp  Filesize: 5.7MB
memory/2624-20-0x0000000000400000-0x00000000004B0000-memory.dmp  Filesize: 704KB
memory/2624-25-0x0000000000400000-0x00000000004B0000-memory.dmp  Filesize: 704KB
memory/2624-17-0x0000000000400000-0x00000000004B0000-memory.dmp  Filesize: 704KB
memory/2624-19-0x0000000000400000-0x00000000004B0000-memory.dmp  Filesize: 704KB
memory/2624-12-0x0000000000240000-0x0000000000241000-memory.dmp  Filesize: 4KB
memory/2624-23-0x0000000000400000-0x00000000004B0000-memory.dmp  Filesize: 704KB
memory/2624-24-0x0000000000400000-0x00000000004B0000-memory.dmp  Filesize: 704KB
memory/2624-14-0x0000000000400000-0x00000000004B0000-memory.dmp  Filesize: 704KB
memory/2624-26-0x0000000000400000-0x00000000004B0000-memory.dmp  Filesize: 704KB
memory/2624-27-0x0000000000400000-0x00000000004B0000-memory.dmp  Filesize: 704KB
memory/2624-28-0x0000000000400000-0x00000000004B0000-memory.dmp  Filesize: 704KB
memory/2624-29-0x0000000000400000-0x00000000004B0000-memory.dmp  Filesize: 704KB
memory/2624-30-0x0000000000400000-0x00000000004B0000-memory.dmp  Filesize: 704KB
memory/2624-31-0x0000000000400000-0x00000000004B0000-memory.dmp  Filesize: 704KB
memory/2624-32-0x0000000000400000-0x00000000004B0000-memory.dmp  Filesize: 704KB