Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 20/01/2024, 03:20
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 695b5698fecb86d51951ece5fe401935.exe
  - Resource: win7-20231215-en
General
- Target: 695b5698fecb86d51951ece5fe401935.exe
- Size: 768KB
- MD5: 695b5698fecb86d51951ece5fe401935
- SHA1: e552edc1eceed54f17713ccf542b75fa4ff3ba2a
- SHA256: 29b9f898ac904dd12463af53e039cbc3de2ec0ef961bf8c840f2b0ecc16a2b49
- SHA512: 32a254c03f0c3a5b281a6ab9b672a7288b7c0750d8efb817ccf91194a53ce4a491fd77414e1bfb1f1f0f031e7162e000f70ca64444d151fd2c57f828ca3af047
- SSDEEP: 12288:LLHSAfiO9wMq//jFrfg3gGUrE3cYtGlq1RlNvKeB5uDaxo3N9JcLnI/cp:fLwMqXjPesYtsq1zna/+a4
Malware Config
Extracted: darkcomet
- Profile:
  - decoderxtreme.no-ip.biz:1604
  - DC_MUTEX-83RWAGL
- gencode: atsLcH3dSuYm
- install: false
- offline_keylogger: true
- password: 123456
- persistence: false
Signatures
- Executes dropped EXE (1 IoCs)
  pid 2912, Process file1.exe
- Loads dropped DLL (2 IoCs)
  pid 2532, Process 695b5698fecb86d51951ece5fe401935.exe
  pid 2532, Process 695b5698fecb86d51951ece5fe401935.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  All entries: pid 2912, Process file1.exe. Tokens:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
  SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
  SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
  SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
  SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid 2912, Process file1.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2532 wrote to memory of 2912 | pid 2532 | Process 695b5698fecb86d51951ece5fe401935.exe | procid_target 28
  description: PID 2532 wrote to memory of 2912 | pid 2532 | Process 695b5698fecb86d51951ece5fe401935.exe | procid_target 28
  description: PID 2532 wrote to memory of 2912 | pid 2532 | Process 695b5698fecb86d51951ece5fe401935.exe | procid_target 28
  description: PID 2532 wrote to memory of 2912 | pid 2532 | Process 695b5698fecb86d51951ece5fe401935.exe | procid_target 28
Processes
- C:\Users\Admin\AppData\Local\Temp\695b5698fecb86d51951ece5fe401935.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\695b5698fecb86d51951ece5fe401935.exe"
  PID: 2532
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\file1.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\file1.exe"
    PID: 2912
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 649KB
  MD5: f644bdc34f6bffe661dc3d2f505fead4
  SHA1: 5f11c282608d364a47fb86b99861a828415fa82c
  SHA256: 035639363398d2766097261ea32773d3e555b67c4a48c0f58f001b4cc34726a4
  SHA512: e78458c30c6260ad504813ff54aa951289f82ee3a7b7f2d035d732b913ebb73bf052b5927b5a5b0ea108a95cb60004f4a4f2671477e8b938f80ff696bc4773fe