Resubmissions
19-02-2024 05:10
Analysis 240219-ftyd4shh9y (score 10)
max time kernel: 75s
max time network: 75s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-02-2024 05:10
Static task: static1
General
Target: $$dinamikCristal$$.exe
Size: 746KB
MD5: 54090521d667d44350d72b066c6f242a
SHA1: 20424c81eb3b6bd68467333f7e45e60f7571518a
SHA256: 1c21cb19240f4e2b1ec3490c54a437b84345f41298ccc3d5c17fe8bf3dd16ba3
SHA512: fde7c2f5f2558bf315e567898f93bffa9320670ebddb6bbba66541c3a93f21737398ed7d1dd134086bb9e9cdd00f580f434ac210dd68e57a371df855af3222bc
SSDEEP: 12288:jBdlwHRn+WlYV+8T+tkpeZuCWbKeYQjL7niHpwrcURuwSs/Y:jBkVdlYAKc1WmEjL7niHpwrcU2s/Y
Malware Config
Extracted
Family: darkcomet
Botnet/campaign ID: Guest16
C2: 4.tcp.eu.ngrok.io:16885, 4.tcp.eu.ngrok.io:1604
Mutex: DC_MUTEX-Z4PMKKC
gencode: 42mAfR1mKy33
install: false
offline_keylogger: true
persistence: false
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: dinamikPack.exe

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | dinamikPack.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | dinamikPack.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | dinamikPack.exe |
-
Windows security bypass
Processes: dinamikPack.exe

| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dinamikPack.exe |
-
Disables RegEdit via registry modification 1 IoCs
Processes: dinamikPack.exe

| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dinamikPack.exe |
-
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe

| pid | process |
|---|---|
| 2260 | attrib.exe |
| 1688 | attrib.exe |
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: $$dinamikCristal$$.exe, dinamikPack.sfx.exe, dinamikPack.exe

| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | $$dinamikCristal$$.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | dinamikPack.sfx.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | dinamikPack.exe |
-
Executes dropped EXE 2 IoCs
Processes: dinamikPack.sfx.exe, dinamikPack.exe

| pid | process |
|---|---|
| 2540 | dinamikPack.sfx.exe |
| 3576 | dinamikPack.exe |
-
UPX packed file
Processes:

| resource | yara_rule |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\dinamikPack.exe | upx |
| behavioral1/memory/3576-23-0x0000000000400000-0x00000000004B7000-memory.dmp | upx |
| behavioral1/memory/3576-26-0x0000000000400000-0x00000000004B7000-memory.dmp | upx |
-
Windows security modification
Processes: dinamikPack.exe

| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dinamikPack.exe |
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Drops file in Windows directory 5 IoCs
Processes: $$dinamikCristal$$.exe

| description | ioc | process |
|---|---|---|
| File created | C:\Windows\dinamikPack.sfx.exe | $$dinamikCristal$$.exe |
| File opened for modification | C:\Windows\dinamikPack.sfx.exe | $$dinamikCristal$$.exe |
| File created | C:\Windows\dinamikPack.bat | $$dinamikCristal$$.exe |
| File opened for modification | C:\Windows\dinamikPack.bat | $$dinamikCristal$$.exe |
| File created | C:\Windows\__tmp_rar_sfx_access_check_240602359 | $$dinamikCristal$$.exe |
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: dinamikPack.exe

| pid | process |
|---|---|
| 3576 | dinamikPack.exe |
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes: dinamikPack.exe

All 24 entries are token adjustments by pid 3576 (dinamikPack.exe), one per privilege:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: dinamikPack.exe

| pid | process |
|---|---|
| 3576 | dinamikPack.exe |
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes: $$dinamikCristal$$.exe, cmd.exe, dinamikPack.sfx.exe, dinamikPack.exe, cmd.exe, cmd.exe

The 43 entries are repeated identical parent-to-child writes; grouped by pair with the number of repeats:

| description | pid | process | target pid | target process | count |
|---|---|---|---|---|---|
| wrote to memory of | 2936 | $$dinamikCristal$$.exe | 4232 | cmd.exe | 3 |
| wrote to memory of | 4232 | cmd.exe | 2540 | dinamikPack.sfx.exe | 3 |
| wrote to memory of | 2540 | dinamikPack.sfx.exe | 3576 | dinamikPack.exe | 3 |
| wrote to memory of | 3576 | dinamikPack.exe | 976 | cmd.exe | 3 |
| wrote to memory of | 3576 | dinamikPack.exe | 920 | cmd.exe | 3 |
| wrote to memory of | 3576 | dinamikPack.exe | 2476 | notepad.exe | 22 |
| wrote to memory of | 976 | cmd.exe | 2260 | attrib.exe | 3 |
| wrote to memory of | 920 | cmd.exe | 1688 | attrib.exe | 3 |
-
System policy modification 1 TTPs 3 IoCs
Processes: dinamikPack.exe

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | dinamikPack.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | dinamikPack.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | dinamikPack.exe |
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes: attrib.exe, attrib.exe

| pid | process |
|---|---|
| 2260 | attrib.exe |
| 1688 | attrib.exe |
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\$$dinamikCristal$$.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\$$dinamikCristal$$.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  -
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\dinamikPack.bat" "
    - Suspicious use of WriteProcessMemory
    -
    Depth 3: C:\Windows\dinamikPack.sfx.exe
      Command line: dinamikPack.sfx -p320232023202 dC:\Users\Admin\AppData\Local\Temp
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      -
      Depth 4: C:\Users\Admin\AppData\Local\Temp\dinamikPack.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\dinamikPack.exe"
        - Modifies firewall policy service
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Checks computer location settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        -
        Depth 5: C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\dinamikPack.exe" +s +h
          - Suspicious use of WriteProcessMemory
          -
          Depth 6: C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Local\Temp\dinamikPack.exe" +s +h
            - Sets file to hidden
            - Views/modifies file attributes
        -
        Depth 5: C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          - Suspicious use of WriteProcessMemory
          -
          Depth 6: C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            - Sets file to hidden
            - Views/modifies file attributes
        -
        Depth 5: C:\Windows\SysWOW64\notepad.exe
          Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\dinamikPack.exe
Filesize: 251KB
MD5: cb93d92a764597510929423bf7b276a2
SHA1: 0d436dc6657b49b95baa9880c0485e28ce5ba4fc
SHA256: 20a207641e090e8ba7172e95efd4e7f9315a19bb6d15344997c1aa68b0e6a633
SHA512: 58eb408c6f309e8e47b71877064d487aa05ba2a8c4d06d3c7ca624de1219568fc38b8ecea3321726cf275e6abb4d7e5b39fc312d592156b99d0d60366618112d
-
C:\Windows\dinamikPack.bat
Filesize: 55B
MD5: e69d25e8e79b1e64ab95cc95c63e1216
SHA1: f6ddca5d2683871e1385a87fb7a4449340dd0438
SHA256: bdf4826ae25feeb71f77a509b155f1d83adc4fa3024af979f638e185762171d6
SHA512: 1f6179c5f1ea54ada17ab55b75be8b49f9ff5928ea827462be34b14298efe62b9a052c7ec5fdc698102cbe83b43458a9dee22bf5afcf8c3df7f31bca6f01af70
-
C:\Windows\dinamikPack.sfx.exe
Filesize: 573KB
MD5: 77a913f94788fafc3bb9e6dd345cb3e2
SHA1: 2a032a19f432a29717907d8e1fb3ee825d3bf3ff
SHA256: 13a368a0959150310e8d0b3f6118e0d0930acf3e61057787cb9c81e6b88bd65d
SHA512: 2aec5e05c7b5c3dab2fec683f662663e539e247628695df4d2ae43a16f8b79e80ed9b1fd944c03401e37be540196ef77767ee6dc66900306df352f1381eb93a8
-
memory/2476-25-0x0000000000AA0000-0x0000000000AA1000-memory.dmp
Filesize: 4KB
-
memory/3576-23-0x0000000000400000-0x00000000004B7000-memory.dmp
Filesize: 732KB
-
memory/3576-24-0x00000000026D0000-0x00000000026D1000-memory.dmp
Filesize: 4KB
-
memory/3576-26-0x0000000000400000-0x00000000004B7000-memory.dmp
Filesize: 732KB