Analysis
max time kernel: 141s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 20/01/2024, 04:27
Behavioral task: behavioral1
Sample: loader_cheat.exe
Resource: win7-20231215-en
General
Target: loader_cheat.exe
Size: 408KB
MD5: e2df2edc888e3c84bf1bd728c6e42100
SHA1: 9568c9f3ba712bf403ac7aa7af90241d79d6ea46
SHA256: 1d47db6e436daec107ca6166a1e61cbec6d12121fb5fa0664191d37e79256e4c
SHA512: 70070da3988e3ebd40de675f384d93f5fe1e6aa2944e5843736505b708a1b55167dfcc2540965bbe0636125049c791d4d39fe3b60db1bd41e93dd3f0712ec354
SSDEEP: 6144:KcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37zAtyhb8yBUs9P0wkDLDv:KcW7KEZlPzCy37zAtyhb9BRCwCvv
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: tadaronneeng.ddns.net:5353
Mutex: DC_MUTEX-2C4PPGM
gencode: 6EN5BFnr5B4P
install: false
offline_keylogger: true
persistence: false
Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation (loader_cheat.exe)
Executes dropped EXE 1 IoCs
PID 2164: LOADER_BUILD.EXE

resource / yara_rule:
behavioral2/memory/3268-0-0x0000000000400000-0x000000000050B000-memory.dmp  upx
behavioral2/memory/3268-13-0x0000000000400000-0x000000000050B000-memory.dmp  upx
behavioral2/memory/3268-16-0x0000000000400000-0x000000000050B000-memory.dmp  upx
behavioral2/memory/3268-18-0x0000000000400000-0x000000000050B000-memory.dmp  upx
behavioral2/memory/3268-33-0x0000000000400000-0x000000000050B000-memory.dmp  upx
behavioral2/memory/3268-35-0x0000000000400000-0x000000000050B000-memory.dmp  upx
behavioral2/memory/3268-37-0x0000000000400000-0x000000000050B000-memory.dmp  upx
behavioral2/memory/3268-39-0x0000000000400000-0x000000000050B000-memory.dmp  upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
Suspicious behavior: EnumeratesProcesses 9 IoCs
PID 3248: taskmgr.exe (9 entries)
Suspicious use of AdjustPrivilegeToken 29 IoCs
PID 3268 loader_cheat.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
PID 3248 taskmgr.exe, Token: SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, 33, SeIncBasePriorityPrivilege
Suspicious use of FindShellTrayWindow 35 IoCs
PID 3248: taskmgr.exe (35 entries)
Suspicious use of SendNotifyMessage 35 IoCs
PID 3248: taskmgr.exe (35 entries)
Suspicious use of SetWindowsHookEx 1 IoCs
PID 3268: loader_cheat.exe
Suspicious use of WriteProcessMemory 2 IoCs
PID 3268 wrote to memory of 2164 (pid 3268, loader_cheat.exe, procid_target 93)
PID 3268 wrote to memory of 2164 (pid 3268, loader_cheat.exe, procid_target 93)
Processes
C:\Users\Admin\AppData\Local\Temp\loader_cheat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\loader_cheat.exe" (level 1, PID 3268)
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\LOADER_BUILD.EXE
    command line: "C:\Users\Admin\AppData\Local\Temp\LOADER_BUILD.EXE" (level 2, PID 2164)
    - Executes dropped EXE
C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4 (level 1, PID 3248)
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 139KB
MD5: 974463c392b19373ffdddd7394a1c120
SHA1: af1d97fdaa881b92c2bdf8915562f139943da45b
SHA256: c35b92c5c836152290d90ad1cea75b18cb24e3271886473c976812384369eb5e
SHA512: 9b39edd75c8ccfcce109d4a84ca58e92ac47a49eb8663dcfd3b60ca4b616f8092af6c86bb933a4a41d75029a4783d6ed71966b0b25ca4a152afc654e357e15c9