Analysis

max time kernel:  150s
max time network: 153s
platform:         windows7_x64
resource:         win7-20231215-en
resource tags:    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted:        16-01-2024 00:15

Static task:      static1
Behavioral task:  behavioral1
Sample:           5e7599beee5b23858e1339c802a2b42e.exe
Resource:         win7-20231215-en
General

Target:  5e7599beee5b23858e1339c802a2b42e.exe
Size:    272KB
MD5:     5e7599beee5b23858e1339c802a2b42e
SHA1:    6f1f1f6d8c15582ae44d9312c07bcf771e63983b
SHA256:  63cbb50418ff9617182869680dd65862f27eba39adf6b4405ff8449f5973c37d
SHA512:  8c52a4ae02dc889aa178fcd89c0af2b61ef9bb389330b4338c2759424298480835540d523caf5a573cd50f60896d2f771861128320fad434677efaf5a2213332
SSDEEP:  6144:stN2PXzg+qNDf24M4IlzR7eSSpYBRKL0LNxVIBqW/p:st40THI5RaRp9QZxOBq
Malware Config

Extracted configuration

Family:            darkcomet
Botnet:            Sazan
C2:                2.tcp.ngrok.io:11956
Mutex:             DC_MUTEX-9YWB9EB
gencode:           svYKFqnCzhWk
install:           false
offline_keylogger: true
persistence:       false
Signatures

Executes dropped EXE (1 IoC)
  pid   process
  2756  Deneme Server.exe

Matched YARA rules:
  resource                                                                       yara_rule
  C:\Users\Admin\Desktop\Deneme Server.exe                                       upx
  behavioral1/memory/2756-12-0x0000000000400000-0x00000000004E8000-memory.dmp    upx
  behavioral1/memory/2756-16-0x0000000000400000-0x00000000004E8000-memory.dmp    upx
  behavioral1/memory/2756-26-0x0000000000400000-0x00000000004E8000-memory.dmp    upx

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  2296  5e7599beee5b23858e1339c802a2b42e.exe
  2296  5e7599beee5b23858e1339c802a2b42e.exe
  2296  5e7599beee5b23858e1339c802a2b42e.exe

Suspicious use of AdjustPrivilegeToken (24 IoCs)
  description                             pid   process
  Token: SeDebugPrivilege                 2296  5e7599beee5b23858e1339c802a2b42e.exe
  Token: SeIncreaseQuotaPrivilege         2756  Deneme Server.exe
  Token: SeSecurityPrivilege              2756  Deneme Server.exe
  Token: SeTakeOwnershipPrivilege         2756  Deneme Server.exe
  Token: SeLoadDriverPrivilege            2756  Deneme Server.exe
  Token: SeSystemProfilePrivilege         2756  Deneme Server.exe
  Token: SeSystemtimePrivilege            2756  Deneme Server.exe
  Token: SeProfSingleProcessPrivilege     2756  Deneme Server.exe
  Token: SeIncBasePriorityPrivilege       2756  Deneme Server.exe
  Token: SeCreatePagefilePrivilege        2756  Deneme Server.exe
  Token: SeBackupPrivilege                2756  Deneme Server.exe
  Token: SeRestorePrivilege               2756  Deneme Server.exe
  Token: SeShutdownPrivilege              2756  Deneme Server.exe
  Token: SeDebugPrivilege                 2756  Deneme Server.exe
  Token: SeSystemEnvironmentPrivilege     2756  Deneme Server.exe
  Token: SeChangeNotifyPrivilege          2756  Deneme Server.exe
  Token: SeRemoteShutdownPrivilege        2756  Deneme Server.exe
  Token: SeUndockPrivilege                2756  Deneme Server.exe
  Token: SeManageVolumePrivilege          2756  Deneme Server.exe
  Token: SeImpersonatePrivilege           2756  Deneme Server.exe
  Token: SeCreateGlobalPrivilege          2756  Deneme Server.exe
  Token: 33                               2756  Deneme Server.exe
  Token: 34                               2756  Deneme Server.exe
  Token: 35                               2756  Deneme Server.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  2756  Deneme Server.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   process                                target process
  PID 2296 wrote to memory of 2756   2296  5e7599beee5b23858e1339c802a2b42e.exe   Deneme Server.exe
  PID 2296 wrote to memory of 2756   2296  5e7599beee5b23858e1339c802a2b42e.exe   Deneme Server.exe
  PID 2296 wrote to memory of 2756   2296  5e7599beee5b23858e1339c802a2b42e.exe   Deneme Server.exe
  PID 2296 wrote to memory of 2756   2296  5e7599beee5b23858e1339c802a2b42e.exe   Deneme Server.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\5e7599beee5b23858e1339c802a2b42e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5e7599beee5b23858e1339c802a2b42e.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\Desktop\Deneme Server.exe (child of 1)
      Command line: "C:\Users\Admin\Desktop\Deneme Server.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\Desktop\Deneme Server.exe
  Filesize  349KB
  MD5       c7f0a3e8111658ee68aaff70cbb8c762
  SHA1      1b8d8a570f6e4ddca60e8701e17c3cb8f29fbfae
  SHA256    da5a459d79af026e43ed00845a93b407b2da2ed2da9731df63fefea8d1a0fb93
  SHA512    7354ad99e45bda9f7ea5c44787dea0c0c83728ec3e46c2be5840c07952ec390325cc41b28f360876238643613e40ff9d84100763d3379d51de9c60d56c95aa95

memory/2296-0-0x000000013F3C0000-0x000000013F408000-memory.dmp
  Filesize  288KB

memory/2296-1-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp
  Filesize  9.9MB

memory/2296-2-0x0000000000960000-0x00000000009E0000-memory.dmp
  Filesize  512KB

memory/2296-3-0x0000000000960000-0x00000000009E0000-memory.dmp
  Filesize  512KB

memory/2296-13-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp
  Filesize  9.9MB

memory/2756-12-0x0000000000400000-0x00000000004E8000-memory.dmp
  Filesize  928KB

memory/2756-14-0x0000000000240000-0x0000000000241000-memory.dmp
  Filesize  4KB

memory/2756-16-0x0000000000400000-0x00000000004E8000-memory.dmp
  Filesize  928KB

memory/2756-18-0x0000000000240000-0x0000000000241000-memory.dmp
  Filesize  4KB

memory/2756-26-0x0000000000400000-0x00000000004E8000-memory.dmp
  Filesize  928KB