Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-03-2024 04:33
General
Target: ESLgdmd.exe
Size: 658KB
MD5: 9a1296f15ba38db6500996f2ab63326b
SHA1: 23fdace0f52b005b4a8c48f1e3d2328d1dc17daa
SHA256: 4218376daccfef8f6ab886677d35f611742d87514f397ba364aecc31def43162
SHA512: 4b95b505ad0c40a524106ecb74a21586076b3b83cce9039cb16890d91e62a7952a4bfcd55240ebad43af2f0a5dece71644e247983e89475bdddddda5ec5c1db1
SSDEEP: 12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hxM:KZ1xuVVjfFoynPaVBUR8f+kN10EB7M
Malware Config
Extracted
Family: darkcomet
Guest16
hacker201.no-ip.biz:1604
DC_MUTEX-5VHD9SM
InstallPath: Windupdt/winupdate.exe
gencode: 0HWc2rAvaCd2
install: true
offline_keylogger: true
persistence: true
reg_key: winupdater
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\0HWc2rAvaCd2\\Windupdt/winupdate.exe" | ESLgdmd.exe

Modifies security service (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | ESLgdmd.exe

Windows security bypass
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ESLgdmd.exe

Disables RegEdit via registry modification (1 IoC)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ESLgdmd.exe

Windows security modification
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ESLgdmd.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\0HWc2rAvaCd2\\Windupdt/winupdate.exe" | ESLgdmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
  pid 3248 (ESLgdmd.exe) adjusted the following tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid 3248 (ESLgdmd.exe)

Suspicious use of WriteProcessMemory (22 IoCs)
Processes:
  description | pid | process | target process
  PID 3248 wrote to memory of 2400 | 3248 | ESLgdmd.exe | notepad.exe (22 identical events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ESLgdmd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ESLgdmd.exe"
   - Modifies WinLogon for persistence
   - Modifies security service
   - Windows security bypass
   - Disables RegEdit via registry modification
   - Windows security modification
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\notepad.exe (child of 1)
   Command line: notepad
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
memory/2400-1-0x0000000000EF0000-0x0000000000EF1000-memory.dmp (Filesize 4KB)
memory/3248-8-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize 712KB)
memory/3248-7-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize 712KB)
memory/3248-3-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize 712KB)
memory/3248-4-0x0000000002500000-0x0000000002501000-memory.dmp (Filesize 4KB)
memory/3248-9-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize 712KB)
memory/3248-6-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize 712KB)
memory/3248-2-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize 712KB)
memory/3248-0-0x0000000002500000-0x0000000002501000-memory.dmp (Filesize 4KB)
memory/3248-5-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize 712KB)
memory/3248-10-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize 712KB)
memory/3248-11-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize 712KB)
memory/3248-12-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize 712KB)
memory/3248-13-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize 712KB)
memory/3248-14-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize 712KB)
memory/3248-15-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize 712KB)
memory/3248-16-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize 712KB)