Analysis
- max time kernel: 0s
- max time network: 113s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-12-2023 23:43
Static task: static1
Behavioral task: behavioral1
- Sample: 075448d611663baa510daefcb583469a.exe
- Resource: win7-20231215-en
General
- Target: 075448d611663baa510daefcb583469a.exe
- Size: 548KB
- MD5: 075448d611663baa510daefcb583469a
- SHA1: c523655c92dbcc28b1a1fb2dd1f95e4333597f49
- SHA256: 6d0ce472e07e0bcedad9f932e82512e2f4dd3db90afa0b7004d736b4b7fe7672
- SHA512: 4caf88720b3d2306e2e006ca9bbc12373d9b088c09218c642feaf142023265fa9bbf0b057e86225adb8799b35d3070d9560709b198c4fea182b6047d161435ec
- SSDEEP: 12288:HC8+l4wxUipjq5+Mou292BPMusotX6rwzW6XVFJ04qp4OsYOhg59AoWmO:Kq292BPTf0npPv4mO
Malware Config
Extracted
- Family: darkcomet
- Botnet: Slave
- C2: darkcometramon.zapto.org:1604
- Mutex: DC_MUTEX-WACNQ32
Attributes
- InstallPath: MSDCSC\Update.exe
- gencode: 1Zo5tGcdvz3w
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: WindowsUpdater
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: vbc.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Update.exe" | vbc.exe

Executes dropped EXE (1 IoC)
Processes: vbc.exe
pid | process
3100 | vbc.exe

Processes:
resource | yara_rule
behavioral2/memory/3100-10-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/3100-15-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/3100-17-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/3100-16-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/3100-12-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/3100-7-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/3100-31-0x0000000000400000-0x00000000004B7000-memory.dmp | upx

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 075448d611663baa510daefcb583469a.exe, vbc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\075448d611663baa510daefcb583469a.exe" | 075448d611663baa510daefcb583469a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Update.exe" | vbc.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: 075448d611663baa510daefcb583469a.exe
description | pid | process | target process
PID 1028 set thread context of 3100 | 1028 | 075448d611663baa510daefcb583469a.exe | vbc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: vbc.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 3100 | vbc.exe
Token: SeSecurityPrivilege | 3100 | vbc.exe
Token: SeTakeOwnershipPrivilege | 3100 | vbc.exe
Token: SeLoadDriverPrivilege | 3100 | vbc.exe
Token: SeSystemProfilePrivilege | 3100 | vbc.exe
Token: SeSystemtimePrivilege | 3100 | vbc.exe
Token: SeProfSingleProcessPrivilege | 3100 | vbc.exe
Token: SeIncBasePriorityPrivilege | 3100 | vbc.exe
Token: SeCreatePagefilePrivilege | 3100 | vbc.exe
Token: SeBackupPrivilege | 3100 | vbc.exe
Token: SeRestorePrivilege | 3100 | vbc.exe
Token: SeShutdownPrivilege | 3100 | vbc.exe
Token: SeDebugPrivilege | 3100 | vbc.exe
Token: SeSystemEnvironmentPrivilege | 3100 | vbc.exe
Token: SeChangeNotifyPrivilege | 3100 | vbc.exe
Token: SeRemoteShutdownPrivilege | 3100 | vbc.exe
Token: SeUndockPrivilege | 3100 | vbc.exe
Token: SeManageVolumePrivilege | 3100 | vbc.exe
Token: SeImpersonatePrivilege | 3100 | vbc.exe
Token: SeCreateGlobalPrivilege | 3100 | vbc.exe
Token: 33 | 3100 | vbc.exe
Token: 34 | 3100 | vbc.exe
Token: 35 | 3100 | vbc.exe
Token: 36 | 3100 | vbc.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 075448d611663baa510daefcb583469a.exe
description | pid | process | target process
PID 1028 wrote to memory of 3100 | 1028 | 075448d611663baa510daefcb583469a.exe | vbc.exe
(the same entry is recorded 8 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\075448d611663baa510daefcb583469a.exe (PID 1028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\075448d611663baa510daefcb583469a.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\vbc.exe (PID 3100, child of PID 1028)
    Command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe (PID 3760)
  Command line: "C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
File | Filesize
memory/1028-2-0x0000000000FD0000-0x0000000000FE0000-memory.dmp | 64KB
memory/1028-1-0x0000000074670000-0x0000000074C21000-memory.dmp | 5.7MB
memory/1028-13-0x0000000074670000-0x0000000074C21000-memory.dmp | 5.7MB
memory/1028-0-0x0000000074670000-0x0000000074C21000-memory.dmp | 5.7MB
memory/3100-10-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB
memory/3100-15-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB
memory/3100-18-0x0000000000C00000-0x0000000000C01000-memory.dmp | 4KB
memory/3100-17-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB
memory/3100-16-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB
memory/3100-12-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB
memory/3100-7-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB
memory/3100-31-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB