Analysis
- max time kernel: 143s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 21-01-2024 11:59

Static task: static1
Behavioral task: behavioral1
- Sample: 6d4166ae6ee8d6ec5af09d73d256bd83.exe
- Resource: win7-20231215-en
General
- Target: 6d4166ae6ee8d6ec5af09d73d256bd83.exe
- Size: 278KB
- MD5: 6d4166ae6ee8d6ec5af09d73d256bd83
- SHA1: 8392c338cbaa7fe0787eef96bbca84c483e50d33
- SHA256: 10f2e75aeb164c1771cf3392cecdb50f0e5d22331654075a88bc691eb0602ce5
- SHA512: a789f6a2fc9227f483e11adae0c69e3d2216911524dfc02a7a74e9a236edb25bbb468c3d9280f828333fab11f3f295c1498597ead61da225455b62590e89f8d4
- SSDEEP: 6144:r5C4JCWTWFjtT2VUnw/6knPrCVsoSortxBFzNKNzKz/:r5UWTWEURGjCaoSortVgQz
Malware Config
Extracted
- family: darkcomet
- Sazan
- C2: 2.tcp.ngrok.io:11956
- mutex: DC_MUTEX-9YWB9EB
- gencode: svYKFqnCzhWk
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1344  Deneme Server 2.exe
    2748  Deneme Server.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid   process
    2168  6d4166ae6ee8d6ec5af09d73d256bd83.exe
- Processes (yara rule matches):
    resource                                                                      yara_rule
    C:\Users\Admin\Desktop\Deneme Server.exe                                      upx
    behavioral1/memory/2748-24-0x0000000000400000-0x00000000004E8000-memory.dmp  upx
    behavioral1/memory/2748-28-0x0000000000400000-0x00000000004E8000-memory.dmp  upx
    behavioral1/memory/2748-40-0x0000000000400000-0x00000000004E8000-memory.dmp  upx
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid   process
    2168  6d4166ae6ee8d6ec5af09d73d256bd83.exe
    2168  6d4166ae6ee8d6ec5af09d73d256bd83.exe
    1344  Deneme Server 2.exe
    1344  Deneme Server 2.exe
    1344  Deneme Server 2.exe
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Processes:
    description                          pid   process
    Token: SeDebugPrivilege              2168  6d4166ae6ee8d6ec5af09d73d256bd83.exe
    Token: SeDebugPrivilege              1344  Deneme Server 2.exe
    Token: SeIncreaseQuotaPrivilege      2748  Deneme Server.exe
    Token: SeSecurityPrivilege           2748  Deneme Server.exe
    Token: SeTakeOwnershipPrivilege      2748  Deneme Server.exe
    Token: SeLoadDriverPrivilege         2748  Deneme Server.exe
    Token: SeSystemProfilePrivilege      2748  Deneme Server.exe
    Token: SeSystemtimePrivilege         2748  Deneme Server.exe
    Token: SeProfSingleProcessPrivilege  2748  Deneme Server.exe
    Token: SeIncBasePriorityPrivilege    2748  Deneme Server.exe
    Token: SeCreatePagefilePrivilege     2748  Deneme Server.exe
    Token: SeBackupPrivilege             2748  Deneme Server.exe
    Token: SeRestorePrivilege            2748  Deneme Server.exe
    Token: SeShutdownPrivilege           2748  Deneme Server.exe
    Token: SeDebugPrivilege              2748  Deneme Server.exe
    Token: SeSystemEnvironmentPrivilege  2748  Deneme Server.exe
    Token: SeChangeNotifyPrivilege       2748  Deneme Server.exe
    Token: SeRemoteShutdownPrivilege     2748  Deneme Server.exe
    Token: SeUndockPrivilege             2748  Deneme Server.exe
    Token: SeManageVolumePrivilege       2748  Deneme Server.exe
    Token: SeImpersonatePrivilege        2748  Deneme Server.exe
    Token: SeCreateGlobalPrivilege       2748  Deneme Server.exe
    Token: 33                            2748  Deneme Server.exe
    Token: 34                            2748  Deneme Server.exe
    Token: 35                            2748  Deneme Server.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    2748  Deneme Server.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                        pid   process                               target process
    PID 2168 wrote to memory of 1344   2168  6d4166ae6ee8d6ec5af09d73d256bd83.exe  Deneme Server 2.exe
    PID 2168 wrote to memory of 1344   2168  6d4166ae6ee8d6ec5af09d73d256bd83.exe  Deneme Server 2.exe
    PID 2168 wrote to memory of 1344   2168  6d4166ae6ee8d6ec5af09d73d256bd83.exe  Deneme Server 2.exe
    PID 1344 wrote to memory of 2748   1344  Deneme Server 2.exe                   Deneme Server.exe
    PID 1344 wrote to memory of 2748   1344  Deneme Server 2.exe                   Deneme Server.exe
    PID 1344 wrote to memory of 2748   1344  Deneme Server 2.exe                   Deneme Server.exe
    PID 1344 wrote to memory of 2748   1344  Deneme Server 2.exe                   Deneme Server.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6d4166ae6ee8d6ec5af09d73d256bd83.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6d4166ae6ee8d6ec5af09d73d256bd83.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Desktop\Deneme Server 2.exe (level 2)
    Command line: "C:\Users\Admin\Desktop\Deneme Server 2.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Desktop\Deneme Server.exe (level 3)
      Command line: "C:\Users\Admin\Desktop\Deneme Server.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\Desktop\Deneme Server.exe
  Filesize: 349KB
  MD5: c7f0a3e8111658ee68aaff70cbb8c762
  SHA1: 1b8d8a570f6e4ddca60e8701e17c3cb8f29fbfae
  SHA256: da5a459d79af026e43ed00845a93b407b2da2ed2da9731df63fefea8d1a0fb93
  SHA512: 7354ad99e45bda9f7ea5c44787dea0c0c83728ec3e46c2be5840c07952ec390325cc41b28f360876238643613e40ff9d84100763d3379d51de9c60d56c95aa95
- \Users\Admin\Desktop\Deneme Server 2.exe
  Filesize: 272KB
  MD5: 5e7599beee5b23858e1339c802a2b42e
  SHA1: 6f1f1f6d8c15582ae44d9312c07bcf771e63983b
  SHA256: 63cbb50418ff9617182869680dd65862f27eba39adf6b4405ff8449f5973c37d
  SHA512: 8c52a4ae02dc889aa178fcd89c0af2b61ef9bb389330b4338c2759424298480835540d523caf5a573cd50f60896d2f771861128320fad434677efaf5a2213332
- Memory dumps
    dump                                                         Filesize
    memory/1344-17-0x000000001B990000-0x000000001BA10000-memory.dmp  512KB
    memory/1344-25-0x000007FEF5880000-0x000007FEF626C000-memory.dmp  9.9MB
    memory/1344-16-0x000000001B990000-0x000000001BA10000-memory.dmp  512KB
    memory/1344-11-0x000000013F2D0000-0x000000013F318000-memory.dmp  288KB
    memory/1344-15-0x000007FEF5880000-0x000007FEF626C000-memory.dmp  9.9MB
    memory/2168-12-0x000007FEF5880000-0x000007FEF626C000-memory.dmp  9.9MB
    memory/2168-0-0x000000013FD80000-0x000000013FDCA000-memory.dmp   296KB
    memory/2168-2-0x000000001B9D0000-0x000000001BA50000-memory.dmp   512KB
    memory/2168-1-0x000007FEF5880000-0x000007FEF626C000-memory.dmp   9.9MB
    memory/2168-3-0x000000001B9D0000-0x000000001BA50000-memory.dmp   512KB
    memory/2748-24-0x0000000000400000-0x00000000004E8000-memory.dmp  928KB
    memory/2748-26-0x00000000003C0000-0x00000000003C1000-memory.dmp  4KB
    memory/2748-28-0x0000000000400000-0x00000000004E8000-memory.dmp  928KB
    memory/2748-40-0x0000000000400000-0x00000000004E8000-memory.dmp  928KB