Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 29-12-2023 23:43
Static task: static1
Behavioral task: behavioral1
Sample: 075448d611663baa510daefcb583469a.exe
Resource: win7-20231215-en
General
Target: 075448d611663baa510daefcb583469a.exe
Size: 548KB
MD5: 075448d611663baa510daefcb583469a
SHA1: c523655c92dbcc28b1a1fb2dd1f95e4333597f49
SHA256: 6d0ce472e07e0bcedad9f932e82512e2f4dd3db90afa0b7004d736b4b7fe7672
SHA512: 4caf88720b3d2306e2e006ca9bbc12373d9b088c09218c642feaf142023265fa9bbf0b057e86225adb8799b35d3070d9560709b198c4fea182b6047d161435ec
SSDEEP: 12288:HC8+l4wxUipjq5+Mou292BPMusotX6rwzW6XVFJ04qp4OsYOhg59AoWmO:Kq292BPTf0npPv4mO
Malware Config
Extracted
Family: darkcomet
Botnet: Slave
C2: darkcometramon.zapto.org:1604
Mutex: DC_MUTEX-WACNQ32
Attributes:
  InstallPath: MSDCSC\Update.exe
  gencode: 1Zo5tGcdvz3w
  install: true
  offline_keylogger: true
  persistence: false
  reg_key: WindowsUpdater
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Update.exe"
  process: vbc.exe
Executes dropped EXE (2 IoCs)
Processes:
  pid 2760: vbc.exe
  pid 2560: Update.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid 2876: 075448d611663baa510daefcb583469a.exe
  pid 2760: vbc.exe
resource | yara_rule
  behavioral1/memory/2760-11-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2760-12-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2760-15-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2760-18-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2760-19-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2760-21-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2760-22-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2760-33-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
Uses the VBS compiler for execution (1 TTPs)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\075448d611663baa510daefcb583469a.exe"
  process: 075448d611663baa510daefcb583469a.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Update.exe"
  process: vbc.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  PID 2876 set thread context of 2760 (075448d611663baa510daefcb583469a.exe -> vbc.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes:
  pid 2760 (vbc.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  PID 2876 wrote to memory of 2760 (075448d611663baa510daefcb583469a.exe -> vbc.exe), 8 entries
  PID 2760 wrote to memory of 2560 (vbc.exe -> Update.exe), 7 entries
Processes
C:\Users\Admin\AppData\Local\Temp\075448d611663baa510daefcb583469a.exe (pid 2876)
  command line: "C:\Users\Admin\AppData\Local\Temp\075448d611663baa510daefcb583469a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\vbc.exe (pid 2760, child of 2876)
    command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe (pid 2560, child of 2760)
      command line: "C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\vbc.exe
  Filesize: 538KB
  MD5: ba07f88539f8228bf1dec2e49db44c93
  SHA1: 9f5754b92b7d7995e18c69333ad88dfd946dc87b
  SHA256: 89ea45527349edd4f8d29005101f8e054b740f47fe3cddbe8b270aca78540576
  SHA512: b201b1a16780ca02a8522cecacfe197ef10b96c71298ba838f674c59db0234d81aaf81c9126d7c047edb26131a229efcc2307f3a8d368be841a7e0cdd6c8a99b
C:\Users\Admin\AppData\Local\Temp\vbc.exe
  Filesize: 280KB
  MD5: d2a998e3e082ef6c6959a3147316e334
  SHA1: ac6f78dc3b743606bb782a6ed7e11cb8a2027dcd
  SHA256: d3cb9258c16a00f721131280f2a377483492136151a3eeee6d4e62c3a92e506d
  SHA512: c81ffc520b92fdaf1164f82a505f7d3511bd2b314a244d314790f53a337688d2dfda317a56c851f84392952a6a871cc8778c01b51bc319a279c2a88b091b2795
C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
  Filesize: 260KB
  MD5: d4ac18673e0c2c4b65de91c1cde98381
  SHA1: a87aa33819bf32efd3c6ef09ee6302e2baa58d41
  SHA256: 5a164d9ecd8a964ddb589a9a2395d8994f0f191977299d50ee986699140711a4
  SHA512: dccb1cc3123645b32ae8204daa03f40c430bc132149f56a55e53d337ca3b80350ad631ee7dd81599ba68a355e4bcb4d6788e58d5e2047fa22907a22284a296a9
C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
  Filesize: 219KB
  MD5: b4dd8c188219c8895e36cad8bafa4ae6
  SHA1: a3ce35f8df703426cba49e332e0bfb4952adcef0
  SHA256: 61f6eb8b6cd6fc413a121dbca53d7925eda05cc16311e30df1ce8ef44f0d2e3e
  SHA512: 8cccb78f09ee4d5535b5baa29a4f72c867bc302ea3f3b77735551c7f3734220cc51299a17b304555a9d2916401955bfdfe203a3552a63e7df5e75232ab8cc31a
C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
  Filesize: 201KB
  MD5: 1cdb2ccc6197f95c7551e5201935a5cd
  SHA1: bbfaad6b7d9f2eb24cb356c1c2b08b1aaafde4b2
  SHA256: 4bde3cb25f2c8ecd3850012c705af2f769df56149bbe8689349621a746871e2d
  SHA512: dad2e3a6995badceef1f5aa2b8df384fda851b046acf718d044873a47a1b4d2945aca0182fe25a48ce4a191e9356764a24c544b5d96e6c788d80c293ec0c2f49
\Users\Admin\AppData\Local\Temp\vbc.exe
  Filesize: 1.1MB
  MD5: 1dee45d107029f270afddfbb9d791d50
  SHA1: aa647fb7e5aebf1412b6890bd565ffa96749d5c1
  SHA256: 50fcb8cef6d552536e1f4bc963b330e9b2aee6dff863f9246d6ca0bdcf821630
  SHA512: 30848be2101b007282ea1f4efb6709e66bd5e0e8f2b3b7f3de50976932b4ec7ffd03646be8de85f3ccf44d46a3081d4adfc6c3c2a1d45e1c1ee894ca98c8b510
\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
  Filesize: 261KB
  MD5: 8b43349b274c4a5c6e436cc453b0f17a
  SHA1: aee3906c1dc9d0de5f4d58bcbf39520ca98a49b8
  SHA256: 7b71767d513e6d1dc564cc61717ea11947c8ca6657601d5200004da0056e2bb0
  SHA512: 10417dca8a498d1b7a60fa17be509353ff0eb5a501352a6debbfa4d9cdb246544169f4f1da17b9e0da5e7d469916f26dd29e456d2b75c569e23910170a1eed77
memory/2760-18-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB
memory/2760-22-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB
memory/2760-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
memory/2760-33-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB
memory/2760-19-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB
memory/2760-21-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB
memory/2760-9-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB
memory/2760-15-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB
memory/2760-23-0x0000000000250000-0x0000000000251000-memory.dmp
  Filesize: 4KB
memory/2760-12-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB
memory/2760-11-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB
memory/2876-20-0x0000000074B00000-0x00000000750AB000-memory.dmp
  Filesize: 5.7MB
memory/2876-2-0x00000000001B0000-0x00000000001F0000-memory.dmp
  Filesize: 256KB
memory/2876-1-0x0000000074B00000-0x00000000750AB000-memory.dmp
  Filesize: 5.7MB
memory/2876-0-0x0000000074B00000-0x00000000750AB000-memory.dmp
  Filesize: 5.7MB