Analysis
Max time kernel: 151s
Max time network: 157s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 20/01/2024, 10:30

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 6a30b320446a423c14f5c2eb1e69bde8.exe
  Resource: win7-20231129-en
- Behavioral task: behavioral2
  Sample: 6a30b320446a423c14f5c2eb1e69bde8.exe
  Resource: win10v2004-20231215-en
General
Target: 6a30b320446a423c14f5c2eb1e69bde8.exe
Size: 946KB
MD5: 6a30b320446a423c14f5c2eb1e69bde8
SHA1: 5eb9991fbdd44574984b569498eb71586cde8c9b
SHA256: 9a9d814c6d40bb1f2b5b1efb69041afff09b3c41fc618bd79bb8053205a08a24
SHA512: ea43756d7a3d1b55d9cc86cec0bba3e8bd4e7a59a8841d29ddfc53091791c1e61e3e66c55c17adfddc510892f518685f4b4e1984ed6350191d5f85c2f9172140
SSDEEP: 12288:mUmKtThdsnPbLoTXPThJj9Hjdv5c6Z4EvZq0qcaSB0KdqgSdzRrrB5zMPq39zivZ:DtnsnPHohJj90nEvpuYqggVrrTYPhx
Malware Config
Extracted
Family: darkcomet
Botnet: rsman
C2: internetconnection.no-ip.info:8889
Mutex: DCMIN_MUTEX-FKV7NNB
Attributes:
- gencode: sdDYWLgbyDpT
- install: false
- offline_keylogger: true
- persistence: false
Signatures

Drops startup file (2 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif (help.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif (6a30b320446a423c14f5c2eb1e69bde8.exe)

Executes dropped EXE (2 IoCs)
- PID 5016 help.exe
- PID 3840 help.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Windows\\InstallDir\\help.exe" (help.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Windows\\InstallDir\\help.exe" (help.exe)

Suspicious use of SetThreadContext (2 IoCs)
- PID 5016 (help.exe) set thread context of PID 4328 (procid_target 92)
- PID 5016 (help.exe) set thread context of PID 3840 (procid_target 96)

Drops file in Windows directory (4 IoCs)
- File opened for modification: C:\Windows\InstallDir\help.exe (help.exe)
- File opened for modification: C:\Windows\InstallDir (6a30b320446a423c14f5c2eb1e69bde8.exe)
- File created: C:\Windows\InstallDir\help.exe (6a30b320446a423c14f5c2eb1e69bde8.exe)
- File opened for modification: C:\Windows\InstallDir\help.exe (6a30b320446a423c14f5c2eb1e69bde8.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (30 IoCs)
All keys below are under \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\; the process in parentheses is the Internet Explorer instance that made the change.
- Key created: Software\Microsoft\Internet Explorer\Main (iexplore.exe)
- Key created: Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "412511597" (iexplore.exe)
- Set value (data): SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" (iexplore.exe)
- Key created: Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E9DB9F90-B77E-11EE-B6AD-F68B0B0A1028} = "0" (iexplore.exe)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31083403" (iexplore.exe)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" (iexplore.exe)
- Key created: Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
- Key created: SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
- Set value (str): SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3210954794" (IEXPLORE.EXE)
- Key created: Software\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
- Key created: Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
- Key created: Software\Microsoft\Internet Explorer\GPU (IEXPLORE.EXE)
- Key created: Software\Microsoft\Internet Explorer\VersionManager (iexplore.exe)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31083403" (IEXPLORE.EXE)
- Key created: Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
- Set value (str): SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" (IEXPLORE.EXE)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3194236489" (iexplore.exe)
- Set value (str): SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3194236489" (iexplore.exe)
- Set value (int): SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31083403" (iexplore.exe)
- Key created: Software\Microsoft\Internet Explorer\VersionManager (IEXPLORE.EXE)
- Key created: SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames (iexplore.exe)
- Key created: SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
- Set value (str): SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
Runs net.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 3992 6a30b320446a423c14f5c2eb1e69bde8.exe (2 entries)
- PID 5016 help.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (24 IoCs)
All entries are for PID 3840 help.exe:
- Token: SeIncreaseQuotaPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeChangeNotifyPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeManageVolumePrivilege
- Token: SeImpersonatePrivilege
- Token: SeCreateGlobalPrivilege
- Token: 33
- Token: 34
- Token: 35
- Token: 36

Suspicious use of FindShellTrayWindow (1 IoCs)
- PID 4328 iexplore.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
- PID 4328 iexplore.exe (2 entries)
- PID 3840 help.exe (1 entry)
- PID 1524 IEXPLORE.EXE (4 entries)

Suspicious use of WriteProcessMemory (42 IoCs)
Source PID (process) wrote to memory of target PID (procid_target), with the number of logged entries:
- PID 3992 (6a30b320446a423c14f5c2eb1e69bde8.exe) wrote to memory of 5016 (procid_target 89): 3 entries
- PID 5016 (help.exe) wrote to memory of 3924 (procid_target 90): 3 entries
- PID 5016 (help.exe) wrote to memory of 4328 (procid_target 92): 13 entries
- PID 3924 (cmd.exe) wrote to memory of 1632 (procid_target 93): 3 entries
- PID 1632 (net.exe) wrote to memory of 4812 (procid_target 94): 3 entries
- PID 4328 (iexplore.exe) wrote to memory of 1524 (procid_target 95): 3 entries
- PID 5016 (help.exe) wrote to memory of 3840 (procid_target 96): 14 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe"
  PID: 3992
  Signatures: Drops startup file; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\InstallDir\help.exe
    Command line: C:\Windows\InstallDir\help.exe
    PID: 5016
    Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c net stop MpsSvc (MpsSvc is the Windows Defender Firewall service)
      PID: 3924
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop MpsSvc
        PID: 1632
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop MpsSvc
          PID: 4812
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 4328
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4328 CREDAT:17410 /prefetch:2
        PID: 1524
        Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
    - C:\Windows\InstallDir\help.exe
      Command line: C:\Windows\InstallDir\help.exe
      PID: 3840
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: 062fdbb9bb3c118fcc66827cdc26e6f0
  SHA1: 2033529788108b0514b5acae2b0ed3b7e051c318
  SHA256: 10a79f11b599e86eb9a03e62f1969485589597cef2b4d8b2a7f1133736e97c22
  SHA512: 33ecbc35c98d8aa24f24e420dd352fb35048696fdc96cafe15bdae131cc18f81426bc515393a3b940519f289d3b0585516eced7b692ff607bd9ef366db098810
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 404B
  MD5: dd36d6dc06c6c289c31e35f398170a2e
  SHA1: e375b39a129249b04977a0d541197dd21569074b
  SHA256: 12fe7b98965525cd62ea653f3e895e55b9eaf0109b819a860f3d98805df41ed2
  SHA512: 6832bb0130ce122c80a33da82acd1c2a7ecca8f7bc144e513ef923559166b793fb01f9461e71e1b8d4238f51cc11ca24af3d5e3cfe7223088d4aad37b7d7fcd0
- (path not recorded)
  Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
- (path not recorded; size and hashes are identical to the submitted sample)
  Filesize: 946KB
  MD5: 6a30b320446a423c14f5c2eb1e69bde8
  SHA1: 5eb9991fbdd44574984b569498eb71586cde8c9b
  SHA256: 9a9d814c6d40bb1f2b5b1efb69041afff09b3c41fc618bd79bb8053205a08a24
  SHA512: ea43756d7a3d1b55d9cc86cec0bba3e8bd4e7a59a8841d29ddfc53091791c1e61e3e66c55c17adfddc510892f518685f4b4e1984ed6350191d5f85c2f9172140