Analysis
-
max time kernel
140s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
20/01/2024, 19:06
Behavioral task
behavioral1
Sample
MSRSAAP.EXE.exe
Resource
win7-20231215-en
6 signatures
150 seconds
General
-
Target
MSRSAAP.EXE.exe
-
Size
349KB
-
MD5
6049d329c2052677fe798039939ad26d
-
SHA1
476f3abe525221661686a0b93f4e0e4049e652df
-
SHA256
0cbf9454358f9770b1165a1e8df830d359d513ececa0e4adef67bfa3f0545a0d
-
SHA512
2c4c52bc727b8613c3eeb85f601680211898b7ac51f6f303aac6251617f661e08fc916588965a5a084abd0f736600dbbc535c0bc23140b1090e02e54fd72a49d
-
SSDEEP
6144:9cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37ZSoBLLjMdWnpQZh9h4:9cW7KEZlPzCy37ZSolMd0QZh9u
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
5.tcp.eu.ngrok.io:16834
Mutex
DC_MUTEX-2TZ2B4A
Attributes
-
gencode
AsLmq7l6VSTm
-
install
false
-
offline_keylogger
true
-
persistence
false
Signatures
-
resource yara_rule behavioral1/memory/1372-0-0x0000000000400000-0x00000000004E8000-memory.dmp upx behavioral1/memory/1372-2-0x0000000000400000-0x00000000004E8000-memory.dmp upx behavioral1/memory/1372-10-0x0000000000400000-0x00000000004E8000-memory.dmp upx -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1372 MSRSAAP.EXE.exe Token: SeSecurityPrivilege 1372 MSRSAAP.EXE.exe Token: SeTakeOwnershipPrivilege 1372 MSRSAAP.EXE.exe Token: SeLoadDriverPrivilege 1372 MSRSAAP.EXE.exe Token: SeSystemProfilePrivilege 1372 MSRSAAP.EXE.exe Token: SeSystemtimePrivilege 1372 MSRSAAP.EXE.exe Token: SeProfSingleProcessPrivilege 1372 MSRSAAP.EXE.exe Token: SeIncBasePriorityPrivilege 1372 MSRSAAP.EXE.exe Token: SeCreatePagefilePrivilege 1372 MSRSAAP.EXE.exe Token: SeBackupPrivilege 1372 MSRSAAP.EXE.exe Token: SeRestorePrivilege 1372 MSRSAAP.EXE.exe Token: SeShutdownPrivilege 1372 MSRSAAP.EXE.exe Token: SeDebugPrivilege 1372 MSRSAAP.EXE.exe Token: SeSystemEnvironmentPrivilege 1372 MSRSAAP.EXE.exe Token: SeChangeNotifyPrivilege 1372 MSRSAAP.EXE.exe Token: SeRemoteShutdownPrivilege 1372 MSRSAAP.EXE.exe Token: SeUndockPrivilege 1372 MSRSAAP.EXE.exe Token: SeManageVolumePrivilege 1372 MSRSAAP.EXE.exe Token: SeImpersonatePrivilege 1372 MSRSAAP.EXE.exe Token: SeCreateGlobalPrivilege 1372 MSRSAAP.EXE.exe Token: 33 1372 MSRSAAP.EXE.exe Token: 34 1372 MSRSAAP.EXE.exe Token: 35 1372 MSRSAAP.EXE.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1372 MSRSAAP.EXE.exe