Analysis
- max time kernel: 148s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 11-01-2024 20:05
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 53f9da2780b6f5a90cfa960a7ba80eef.exe
  - Resource: win7-20231129-en
General
- Target: 53f9da2780b6f5a90cfa960a7ba80eef.exe
- Size: 1.3MB
- MD5: 53f9da2780b6f5a90cfa960a7ba80eef
- SHA1: 797377e262f78ebcbb50203a286fdcbc76b45e81
- SHA256: 4764430a1dcd759ca63408103232d28a82c2e1ae3c1cc29a536fecdee9171fb3
- SHA512: bced0651108eecdad60f6b9291e065877f9b7b43ae5edbf659d6028c192de918f11e8d6019cc5e287f9036f33825c52f5b34fce58d4d76f02c834aa16dfdaa41
- SSDEEP: 24576:Vt3Neacap5W/4UHRY2FhJvQywVLjaGVOUN6nyhkHgKU6Y:VtUaAwls+9j4HgK
Malware Config
Extracted family: darkcomet
- Botnet: slave
- C2: ratting.no-ip.org:1605
- Mutex: DC_MUTEX-Q21PSYS
- gencode: 3xN2KEijP0Bj
- install: false
- offline_keylogger: true
- password: darkcomet
- persistence: false
Signatures

Disables RegEdit via registry modification (1 IoC)
Processes: 53f9da2780b6f5a90cfa960a7ba80eef.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: 53f9da2780b6f5a90cfa960a7ba80eef.exe)

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes (pid, process):
- 2636 attrib.exe
- 2692 attrib.exe

Executes dropped EXE (1 IoC)
Processes (pid, process):
- 1948 Crypted.exe

Loads dropped DLL (4 IoCs)
Processes (pid, process):
- 2940 53f9da2780b6f5a90cfa960a7ba80eef.exe (2 IoCs)
- 1692 taskmgr.exe (2 IoCs)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 53f9da2780b6f5a90cfa960a7ba80eef.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\53f9da2780b6f5a90cfa960a7ba80eef.exe" (process: 53f9da2780b6f5a90cfa960a7ba80eef.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
- 2940 53f9da2780b6f5a90cfa960a7ba80eef.exe (4 IoCs)
- 1692 taskmgr.exe (60 IoCs)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes (pid, process):
- 1948 Crypted.exe
- 1692 taskmgr.exe

Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes: Crypted.exe, 53f9da2780b6f5a90cfa960a7ba80eef.exe, taskmgr.exe
- 1948 Crypted.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- 2940 53f9da2780b6f5a90cfa960a7ba80eef.exe, token: SeDebugPrivilege
- 1692 taskmgr.exe, token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid, process):
- 1692 taskmgr.exe (64 IoCs)

Suspicious use of SendNotifyMessage (64 IoCs)
Processes (pid, process):
- 1692 taskmgr.exe (64 IoCs)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid, process):
- 1948 Crypted.exe

Suspicious use of WriteProcessMemory (24 IoCs)
Processes: 53f9da2780b6f5a90cfa960a7ba80eef.exe, Crypted.exe, cmd.exe, cmd.exe
Source process wrote to memory of target process (pid process -> target pid target process):
- 2940 53f9da2780b6f5a90cfa960a7ba80eef.exe -> 1948 Crypted.exe (4 IoCs)
- 1948 Crypted.exe -> 2756 cmd.exe (4 IoCs)
- 1948 Crypted.exe -> 2588 cmd.exe (4 IoCs)
- 2588 cmd.exe -> 2692 attrib.exe (4 IoCs)
- 2756 cmd.exe -> 2636 attrib.exe (4 IoCs)
- 2940 53f9da2780b6f5a90cfa960a7ba80eef.exe -> 1692 taskmgr.exe (4 IoCs)

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes (pid, process):
- 2636 attrib.exe
- 2692 attrib.exe
Processes (indent shows the depth level reported by the sandbox)

- [1] C:\Users\Admin\AppData\Local\Temp\53f9da2780b6f5a90cfa960a7ba80eef.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\53f9da2780b6f5a90cfa960a7ba80eef.exe"
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Temp\Crypted.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\SysWOW64\taskmgr.exe
    Command line: taskmgr.exe
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

- [1] C:\Windows\SysWOW64\attrib.exe
  Command line: attrib "C:\Users\Admin\AppData\Local\Temp\Crypted.exe" +s +h
  - Sets file to hidden
  - Views/modifies file attributes

- [1] C:\Windows\SysWOW64\attrib.exe
  Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  - Sets file to hidden
  - Views/modifies file attributes

- [1] C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  - Suspicious use of WriteProcessMemory

- [1] C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Crypted.exe" +s +h
  - Suspicious use of WriteProcessMemory
Downloads

- C:\Users\Admin\AppData\Local\Temp\Crypted.exe
  - Filesize: 92KB
  - MD5: 3fdc7383c3f2b2774d0b234023b16628
  - SHA1: 4a9be3ebe15c0414cd9e38ca23124af55b6c1546
  - SHA256: c98be69d2d04ed798f996bc0dcac6ab9a50915d3686a0a46f40a2f88dc20ddfd
  - SHA512: 5dc918046d00ec00c3d5da493af901d7d6c7ff12e5f8b3f85d3dc9ed06a0223162fd0202cee1b7d61eb1db1588281b0cbd817a4f34b33b4dd2e38c308beb1f1a

- C:\Users\Admin\AppData\Local\Temp\Crypted.exe
  - Filesize: 381KB
  - MD5: fb9934b7782dd8b063ba8b95cc966444
  - SHA1: a44ebac936ea1899ed42c701f805e407b6b80e19
  - SHA256: f700c76005751ef57d3bb53de3d2c9e621a604ddadc91b1eedca58baceb1404d
  - SHA512: 659a525a9b1d6c51806abd6660f0ee4fa937ce1a204c7ae1bda1f1061a651cc3aa2549ae880239f9f89fd11fcddeac9c288b60758a1d8f9f69b9a10ddf2fee43

- \Users\Admin\AppData\Local\Temp\Crypted.exe
  - Filesize: 649KB
  - MD5: c0cebd70cd9ab9af0582764101331351
  - SHA1: 2e1308817abe1151fd63622b2316491e4a25de8e
  - SHA256: 84fd686a3ee7c0326ab6058bb49667c18250660a79c3f710730f8ef941028f92
  - SHA512: 89bed80bedc435e7b7c7a25ab6c4d2dff81d18c1fe550bd9ce3f8b21d5441ca7e764b23108979f3cec0fe7528ce163d8c6aeab61719aba690b9630883af765d6

Memory dumps (dump name: filesize)
- memory/1948-24-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
- memory/1948-21-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
- memory/1948-31-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
- memory/1948-30-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
- memory/1948-14-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
- memory/1948-17-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
- memory/1948-29-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
- memory/1948-28-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
- memory/1948-20-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
- memory/1948-12-0x00000000003E0000-0x00000000003E1000-memory.dmp: 4KB
- memory/1948-22-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
- memory/1948-23-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
- memory/1948-27-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
- memory/1948-25-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
- memory/1948-26-0x0000000000400000-0x00000000004B0000-memory.dmp: 704KB
- memory/2940-0-0x0000000074F50000-0x00000000754FB000-memory.dmp: 5.7MB
- memory/2940-19-0x00000000000B0000-0x00000000000F0000-memory.dmp: 256KB
- memory/2940-18-0x0000000074F50000-0x00000000754FB000-memory.dmp: 5.7MB
- memory/2940-1-0x00000000000B0000-0x00000000000F0000-memory.dmp: 256KB
- memory/2940-2-0x0000000074F50000-0x00000000754FB000-memory.dmp: 5.7MB