Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/02/2024, 06:24
Static task: static1
Behavioral task: behavioral1
  Sample: a12a55725a718d2a60609ee4abbbb445.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: a12a55725a718d2a60609ee4abbbb445.exe
  Resource: win10v2004-20240221-en
General
Target: a12a55725a718d2a60609ee4abbbb445.exe
Size: 902KB
MD5: a12a55725a718d2a60609ee4abbbb445
SHA1: d429ca448c7ac0363280c10d82e36f92beff2614
SHA256: 8928b45380323bdcfd83430c2f76bd5ea9b5d011b4b3c4e575dc13d98cb04f5d
SHA512: 71730d78380a1bc455ec3e0eceb191041b8e64e8abf400f02b898e995d8f89574751c69ab8c4a42527469b78f661271aad652cfc063688401257a129c54cbe90
SSDEEP: 12288:lZKhDHZODNZyY5qMeR59vz9jflkMY0rLnY9L73iW:8D5ONZyY5Fe39zHkMDrLY57SW
Malware Config
Extracted
Family: darkcomet
Version: 1.2
C2: ahmedb123.no-ip.info:100
Mutex: DCMIN_MUTEX-78CGXEQ
gencode: lcvuN82zr4Gu
install: false
offline_keylogger: true
persistence: false
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation (a12a55725a718d2a60609ee4abbbb445.exe)

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftUpdate.exe (a12a55725a718d2a60609ee4abbbb4451.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftUpdate.exe (a12a55725a718d2a60609ee4abbbb4451.exe)

Executes dropped EXE (2 IoCs)
  PID 868: Microsoft Office.exe
  PID 4796: a12a55725a718d2a60609ee4abbbb4451.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MicrosoftUpdate.exe" (a12a55725a718d2a60609ee4abbbb445.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 2860 (a12a55725a718d2a60609ee4abbbb445.exe) set thread context of 868 (procid_target 90)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)
  PID 4776: PING.EXE
Suspicious use of AdjustPrivilegeToken (24 IoCs)
  All 24 tokens adjusted by PID 868 (Microsoft Office.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 868: Microsoft Office.exe

Suspicious use of WriteProcessMemory (29 IoCs)
  PID 2860 (a12a55725a718d2a60609ee4abbbb445.exe) wrote to memory of 868 (procid_target 90), 14 times
  PID 2860 (a12a55725a718d2a60609ee4abbbb445.exe) wrote to memory of 3168 (procid_target 91), 3 times
  PID 3168 (vbc.exe) wrote to memory of 2660 (procid_target 94), 3 times
  PID 2860 (a12a55725a718d2a60609ee4abbbb445.exe) wrote to memory of 4796 (procid_target 96), 3 times
  PID 2860 (a12a55725a718d2a60609ee4abbbb445.exe) wrote to memory of 2584 (procid_target 97), 3 times
  PID 2584 (cmd.exe) wrote to memory of 4776 (procid_target 99), 3 times
Processes

C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe"
  PID: 2860
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\plugtemp\Microsoft Office.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\\plugtemp\Microsoft Office.exe"
    PID: 868
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pq92skjx.cmdline"
    PID: 3168
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6EA8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc89BD032B62EB4EBF8E7DE94FE74E14B5.TMP"
      PID: 2660

  C:\Users\Admin\AppData\Roaming\a12a55725a718d2a60609ee4abbbb4451.exe
    Command line: "C:\Users\Admin\AppData\Roaming\a12a55725a718d2a60609ee4abbbb4451.exe"
    PID: 4796
    - Drops startup file
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\a12a55725a718d2a60609ee4abbbb445.exe"
    PID: 2584
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 3000
      PID: 4776
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads