Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 24/02/2024, 06:24
Static task: static1

Behavioral task: behavioral1
- Sample: a12a55725a718d2a60609ee4abbbb445.exe
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: a12a55725a718d2a60609ee4abbbb445.exe
- Resource: win10v2004-20240221-en
General
- Target: a12a55725a718d2a60609ee4abbbb445.exe
- Size: 902KB
- MD5: a12a55725a718d2a60609ee4abbbb445
- SHA1: d429ca448c7ac0363280c10d82e36f92beff2614
- SHA256: 8928b45380323bdcfd83430c2f76bd5ea9b5d011b4b3c4e575dc13d98cb04f5d
- SHA512: 71730d78380a1bc455ec3e0eceb191041b8e64e8abf400f02b898e995d8f89574751c69ab8c4a42527469b78f661271aad652cfc063688401257a129c54cbe90
- SSDEEP: 12288:lZKhDHZODNZyY5qMeR59vz9jflkMY0rLnY9L73iW:8D5ONZyY5Fe39zHkMDrLY57SW
Malware Config

Extracted
- Family: darkcomet
- Version: 1.2
- C2: ahmedb123.no-ip.info:100
- Mutex: DCMIN_MUTEX-78CGXEQ
- gencode: lcvuN82zr4Gu
- install: false
- offline_keylogger: true
- persistence: false
Signatures

Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftUpdate.exe (process: a12a55725a718d2a60609ee4abbbb4451.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftUpdate.exe (process: a12a55725a718d2a60609ee4abbbb4451.exe)

Executes dropped EXE (2 IoCs)
- PID 2512: Microsoft Office.exe
- PID 2488: a12a55725a718d2a60609ee4abbbb4451.exe

Loads dropped DLL (3 IoCs)
- PID 2552: a12a55725a718d2a60609ee4abbbb445.exe (3 events)

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MicrosoftUpdate.exe" (process: a12a55725a718d2a60609ee4abbbb445.exe)

Suspicious use of SetThreadContext (1 IoC)
- PID 2552 (a12a55725a718d2a60609ee4abbbb445.exe) set thread context of PID 2512; target procid 28

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)
- PID 2672: PING.EXE

Suspicious use of AdjustPrivilegeToken (23 IoCs)
- PID 2512 (Microsoft Office.exe) adjusted tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2512: Microsoft Office.exe

Suspicious use of WriteProcessMemory (33 IoCs)
- PID 2552 (a12a55725a718d2a60609ee4abbbb445.exe) wrote to memory of PID 2512; target procid 28 (13 events)
- PID 2552 (a12a55725a718d2a60609ee4abbbb445.exe) wrote to memory of PID 2408; target procid 29 (4 events)
- PID 2408 (vbc.exe) wrote to memory of PID 2372; target procid 31 (4 events)
- PID 2552 (a12a55725a718d2a60609ee4abbbb445.exe) wrote to memory of PID 2488; target procid 32 (4 events)
- PID 2552 (a12a55725a718d2a60609ee4abbbb445.exe) wrote to memory of PID 1800; target procid 34 (4 events)
- PID 1800 (cmd.exe) wrote to memory of PID 2672; target procid 35 (4 events)
Processes

C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe"
  PID: 2552
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\\plugtemp\Microsoft Office.exe"
    PID: 2512
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\brs23-ga.cmdline"
    PID: 2408
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17A7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17A6.tmp"
      PID: 2372

  C:\Users\Admin\AppData\Roaming\a12a55725a718d2a60609ee4abbbb4451.exe
    Command line: "C:\Users\Admin\AppData\Roaming\a12a55725a718d2a60609ee4abbbb4451.exe"
    PID: 2488
    - Drops startup file
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe"
    PID: 1800
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 3000
      PID: 2672
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads