Analysis
max time kernel: 147s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-03-2024 16:04
Behavioral task: behavioral1
Sample: c64c953eb21641cb9688d357578e08e3.exe
Resource: win7-20240215-en
Signatures: 5
Duration: 150 seconds
General
Target: c64c953eb21641cb9688d357578e08e3.exe
Size: 660KB
MD5: c64c953eb21641cb9688d357578e08e3
SHA1: 3fbb9e6a87dd1c939a34cd70275ded8ca0d38111
SHA256: 56ed81c9241e4d5f5aeff9f755dcd7fea618b64f24463f61836609a6f26eb04c
SHA512: 492b1f3fd9ea4e542f9ae73da2b5280ac286895d24b7cb872a30a40bc1f5eff61946a36aff45e2666b49571bd9a41ce6e17797659fc38cbb1ab2aa2d0fe70d30
SSDEEP: 12288:gXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452UQ:mnAw2WWeFcfbP9VPSPMTSPL/rWvzq4Jg
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: 127.0.0.1:1604
Mutex: DC_MUTEX-F54S21D
Attributes:
gencode: U3duTmZ5pURh
install: false
offline_keylogger: true
persistence: false
Signatures

Drops file in Drivers directory (1 IoCs)
Processes: c64c953eb21641cb9688d357578e08e3.exe
description: File opened for modification
ioc: C:\Windows\system32\drivers\etc\hosts
process: c64c953eb21641cb9688d357578e08e3.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: c64c953eb21641cb9688d357578e08e3.exe
Process c64c953eb21641cb9688d357578e08e3.exe (pid 992) adjusted the following token privileges:
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeChangeNotifyPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: SeImpersonatePrivilege
Token: SeCreateGlobalPrivilege
Token: 33
Token: 34
Token: 35
Token: 36

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: c64c953eb21641cb9688d357578e08e3.exe
pid: 992
process: c64c953eb21641cb9688d357578e08e3.exe