Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system -
submitted
20/01/2024, 03:20
Static task
static1
Behavioral task
behavioral1
Sample
695b5698fecb86d51951ece5fe401935.exe
Resource
win7-20231215-en
General
-
Target
695b5698fecb86d51951ece5fe401935.exe
-
Size
768KB
-
MD5
695b5698fecb86d51951ece5fe401935
-
SHA1
e552edc1eceed54f17713ccf542b75fa4ff3ba2a
-
SHA256
29b9f898ac904dd12463af53e039cbc3de2ec0ef961bf8c840f2b0ecc16a2b49
-
SHA512
32a254c03f0c3a5b281a6ab9b672a7288b7c0750d8efb817ccf91194a53ce4a491fd77414e1bfb1f1f0f031e7162e000f70ca64444d151fd2c57f828ca3af047
-
SSDEEP
12288:LLHSAfiO9wMq//jFrfg3gGUrE3cYtGlq1RlNvKeB5uDaxo3N9JcLnI/cp:fLwMqXjPesYtsq1zna/+a4
Malware Config
Extracted
darkcomet
Profile
decoderxtreme.no-ip.biz:1604
DC_MUTEX-83RWAGL
-
gencode
atsLcH3dSuYm
-
install
false
-
offline_keylogger
true
-
password
123456
-
persistence
false
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation
Process: 695b5698fecb86d51951ece5fe401935.exe
-
Executes dropped EXE 1 IoCs
pid: 5068
Process: file1.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
description                            pid   Process
Token: SeIncreaseQuotaPrivilege        5068  file1.exe
Token: SeSecurityPrivilege             5068  file1.exe
Token: SeTakeOwnershipPrivilege        5068  file1.exe
Token: SeLoadDriverPrivilege           5068  file1.exe
Token: SeSystemProfilePrivilege        5068  file1.exe
Token: SeSystemtimePrivilege           5068  file1.exe
Token: SeProfSingleProcessPrivilege    5068  file1.exe
Token: SeIncBasePriorityPrivilege      5068  file1.exe
Token: SeCreatePagefilePrivilege       5068  file1.exe
Token: SeBackupPrivilege               5068  file1.exe
Token: SeRestorePrivilege              5068  file1.exe
Token: SeShutdownPrivilege             5068  file1.exe
Token: SeDebugPrivilege                5068  file1.exe
Token: SeSystemEnvironmentPrivilege    5068  file1.exe
Token: SeChangeNotifyPrivilege         5068  file1.exe
Token: SeRemoteShutdownPrivilege       5068  file1.exe
Token: SeUndockPrivilege               5068  file1.exe
Token: SeManageVolumePrivilege         5068  file1.exe
Token: SeImpersonatePrivilege          5068  file1.exe
Token: SeCreateGlobalPrivilege         5068  file1.exe
Token: 33                              5068  file1.exe
Token: 34                              5068  file1.exe
Token: 35                              5068  file1.exe
Token: 36                              5068  file1.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid: 5068
Process: file1.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description                        pid   Process                               procid_target
PID 4836 wrote to memory of 5068   4836  695b5698fecb86d51951ece5fe401935.exe  87
PID 4836 wrote to memory of 5068   4836  695b5698fecb86d51951ece5fe401935.exe  87
PID 4836 wrote to memory of 5068   4836  695b5698fecb86d51951ece5fe401935.exe  87
Processes
-
C:\Users\Admin\AppData\Local\Temp\695b5698fecb86d51951ece5fe401935.exe
"C:\Users\Admin\AppData\Local\Temp\695b5698fecb86d51951ece5fe401935.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Users\Admin\AppData\Local\Temp\file1.exe
"C:\Users\Admin\AppData\Local\Temp\file1.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5068
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
623KB
MD5
52da4aba83603d9cadf6e014755cabdf
SHA1
3d185b8b1808093dd20079e14c1e7d69375e647b
SHA256
f87e3fa6a7724cc5c74f1eaafae9c7f15cf21676c3636cd3cd94cbd048c5e086
SHA512
0463597e8bc7e6f29fa458e54d9d8f3ec14b5bf88d5dce15935dde657f733ba9f4297a885df268156b732218734b5dc63ae22bb123ed246e56e523448e4e704f
-
Filesize
649KB
MD5
f644bdc34f6bffe661dc3d2f505fead4
SHA1
5f11c282608d364a47fb86b99861a828415fa82c
SHA256
035639363398d2766097261ea32773d3e555b67c4a48c0f58f001b4cc34726a4
SHA512
e78458c30c6260ad504813ff54aa951289f82ee3a7b7f2d035d732b913ebb73bf052b5927b5a5b0ea108a95cb60004f4a4f2671477e8b938f80ff696bc4773fe