Analysis
max time kernel: 2s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-12-2023 11:24
Behavioral task: behavioral1
Sample: 343726e33afc7a951c5e9075a178b608.exe
Resource: win7-20231215-en
General
Target: 343726e33afc7a951c5e9075a178b608.exe
Size: 725KB
MD5: 343726e33afc7a951c5e9075a178b608
SHA1: df3aefa08e35b55fade041ad740ae76b9cae6408
SHA256: 9d05eb381c6e21b36c720b02cf48019ada67c029468b05f6aaaeee12a9fffe26
SHA512: b25579d32ffb3ce5485d959675b7738805caa13d7180e01fbbbd909306da20efa0a1641b6b7c682b07fa64d7d9d72503571e9435d9214e751bfa612307889879
SSDEEP: 12288:h9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9EkNC/d:bZ1xuVVjfFoynPaVBUR8f+kN10Ed
Malware Config
Extracted
Family: darkcomet
Botnet: Sazan
C2: 127.0.0.1:1604, 185.29.120.189:1604
Mutex: DC_MUTEX-C85CWU2
InstallPath: S1\updater.exe
gencode: DlWfWyuahoYK
install: true
offline_keylogger: true
persistence: true
reg_key: Windows Firewall
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\S1\\updater.exe" | process: 343726e33afc7a951c5e9075a178b608.exe
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
  pid 1068 attrib.exe
  pid 4564 attrib.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Firewall = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\S1\\updater.exe" | process: 343726e33afc7a951c5e9075a178b608.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
  pid 1808 343726e33afc7a951c5e9075a178b608.exe, tokens adjusted: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
  pid 4564 attrib.exe
  pid 1068 attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\343726e33afc7a951c5e9075a178b608.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\343726e33afc7a951c5e9075a178b608.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\notepad.exe
      cmdline: notepad
    C:\ProgramData\Microsoft\Windows\Start Menu\S1\updater.exe
      cmdline: "C:\ProgramData\Microsoft\Windows\Start Menu\S1\updater.exe"
        C:\Windows\SysWOW64\notepad.exe
          cmdline: notepad
    C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\343726e33afc7a951c5e9075a178b608.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
  cmdline: attrib "C:\Users\Admin\AppData\Local\Temp\343726e33afc7a951c5e9075a178b608.exe" +s +h
  - Sets file to hidden
  - Views/modifies file attributes
C:\Windows\SysWOW64\attrib.exe
  cmdline: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  - Sets file to hidden
  - Views/modifies file attributes
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
memory/1464-14-0x00000000009C0000-0x00000000009C1000-memory.dmp (Filesize: 4KB)
memory/1464-18-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize: 776KB)
memory/1464-19-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize: 776KB)
memory/1804-3-0x0000000000F30000-0x0000000000F31000-memory.dmp (Filesize: 4KB)
memory/1808-0-0x0000000000B30000-0x0000000000B31000-memory.dmp (Filesize: 4KB)
memory/1808-16-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize: 776KB)
memory/1832-15-0x0000000000980000-0x0000000000981000-memory.dmp (Filesize: 4KB)