Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 13-03-2024 16:04
Behavioral task: behavioral1
Sample: c64c953eb21641cb9688d357578e08e3.exe
Resource: win7-20240215-en
5 signatures
150 seconds
General
Target: c64c953eb21641cb9688d357578e08e3.exe
Size: 660KB
MD5: c64c953eb21641cb9688d357578e08e3
SHA1: 3fbb9e6a87dd1c939a34cd70275ded8ca0d38111
SHA256: 56ed81c9241e4d5f5aeff9f755dcd7fea618b64f24463f61836609a6f26eb04c
SHA512: 492b1f3fd9ea4e542f9ae73da2b5280ac286895d24b7cb872a30a40bc1f5eff61946a36aff45e2666b49571bd9a41ce6e17797659fc38cbb1ab2aa2d0fe70d30
SSDEEP: 12288:gXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452UQ:mnAw2WWeFcfbP9VPSPMTSPL/rWvzq4Jg
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: 127.0.0.1:1604
Mutex: DC_MUTEX-F54S21D
Attributes
gencode: U3duTmZ5pURh
install: false
offline_keylogger: true
persistence: false
Signatures

Drops file in Drivers directory (1 IoC)
Processes: c64c953eb21641cb9688d357578e08e3.exe
description                  | ioc                                     | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts   | c64c953eb21641cb9688d357578e08e3.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes: c64c953eb21641cb9688d357578e08e3.exe
description                           | pid  | process
Token: SeIncreaseQuotaPrivilege       | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: SeSecurityPrivilege            | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: SeTakeOwnershipPrivilege       | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: SeLoadDriverPrivilege          | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: SeSystemProfilePrivilege       | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: SeSystemtimePrivilege          | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: SeProfSingleProcessPrivilege   | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: SeIncBasePriorityPrivilege     | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: SeCreatePagefilePrivilege      | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: SeBackupPrivilege              | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: SeRestorePrivilege             | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: SeShutdownPrivilege            | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: SeDebugPrivilege               | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: SeSystemEnvironmentPrivilege   | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: SeChangeNotifyPrivilege        | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: SeRemoteShutdownPrivilege      | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: SeUndockPrivilege              | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: SeManageVolumePrivilege        | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: SeImpersonatePrivilege         | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: SeCreateGlobalPrivilege        | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: 33                             | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: 34                             | 1600 | c64c953eb21641cb9688d357578e08e3.exe
Token: 35                             | 1600 | c64c953eb21641cb9688d357578e08e3.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: c64c953eb21641cb9688d357578e08e3.exe
pid  | process
1600 | c64c953eb21641cb9688d357578e08e3.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/1600-0-0x0000000000270000-0x0000000000271000-memory.dmp (filesize 4KB)
memory/1600-2-0x0000000000400000-0x00000000004B5000-memory.dmp (filesize 724KB)
memory/1600-3-0x0000000000400000-0x00000000004B5000-memory.dmp (filesize 724KB)
memory/1600-4-0x0000000000270000-0x0000000000271000-memory.dmp (filesize 4KB)
memory/1600-12-0x0000000000400000-0x00000000004B5000-memory.dmp (filesize 724KB)
memory/1600-14-0x0000000000400000-0x00000000004B5000-memory.dmp (filesize 724KB)