Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 14-03-2024 03:43
Static task: static1
Behavioral task: behavioral1
  Sample: c799cd2ae469bbf3de57eb92f53cbb9d.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c799cd2ae469bbf3de57eb92f53cbb9d.exe
  Resource: win10v2004-20240226-en
General
Target: c799cd2ae469bbf3de57eb92f53cbb9d.exe
Size: 1.2MB
MD5: c799cd2ae469bbf3de57eb92f53cbb9d
SHA1: 220907cfb0b1d69197a058e5ed93d19f199840eb
SHA256: 262b8b6b24b3207d8dea4d204e51707472f6df35d77a71b9198aea9c1f412021
SHA512: 949ba93b76e9bcdfc0d41ebb44f4f77c2f4d0cec3d9c8ba49891dce74e88ca3a00561c118c2441744cd5e69a85c7dfa3f7eb2171ab67b74c7d0d085bee4c32b2
SSDEEP: 12288:0d2nCidaZdfUrcKUXGoVAYdMXDXQysHMGqUqSn1pQdICqBS9AtAxDfDBAn3NEF+/:bCEcKtb0yuEvmjscbGDns+UHj
Malware Config
Extracted
Family: darkcomet
Botnet (campaign ID): Guest16
C2: 146.185.24.209:1604
Mutex: DC_MUTEX-6ZET9U3
Attributes:
  gencode: rUvTH9YCGM3j
  install: false
  offline_keylogger: false
  persistence: false
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: c799cd2ae469bbf3de57eb92f53cbb9d.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation
  process: c799cd2ae469bbf3de57eb92f53cbb9d.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: c799cd2ae469bbf3de57eb92f53cbb9d.exe, c799cd2ae469bbf3de57eb92f53cbb9d.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe-Flash-Update.exe"
  process: c799cd2ae469bbf3de57eb92f53cbb9d.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe-Flash-Update.exe"
  process: c799cd2ae469bbf3de57eb92f53cbb9d.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes: c799cd2ae469bbf3de57eb92f53cbb9d.exe, c799cd2ae469bbf3de57eb92f53cbb9d.exe
  PID 396 set thread context of 4560 (process: c799cd2ae469bbf3de57eb92f53cbb9d.exe, target process: vbc.exe)
  PID 2876 set thread context of 4856 (process: c799cd2ae469bbf3de57eb92f53cbb9d.exe, target process: vbc.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: c799cd2ae469bbf3de57eb92f53cbb9d.exe, c799cd2ae469bbf3de57eb92f53cbb9d.exe
  pid 396 c799cd2ae469bbf3de57eb92f53cbb9d.exe: 33 events
  pid 2876 c799cd2ae469bbf3de57eb92f53cbb9d.exe: 31 events

Suspicious use of AdjustPrivilegeToken (50 IoCs)
Processes: c799cd2ae469bbf3de57eb92f53cbb9d.exe, vbc.exe, c799cd2ae469bbf3de57eb92f53cbb9d.exe, vbc.exe
  pid 396 c799cd2ae469bbf3de57eb92f53cbb9d.exe: Token: SeDebugPrivilege
  pid 4560 vbc.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  pid 2876 c799cd2ae469bbf3de57eb92f53cbb9d.exe: Token: SeDebugPrivilege
  pid 4856 vbc.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory (31 IoCs)
Processes: c799cd2ae469bbf3de57eb92f53cbb9d.exe, c799cd2ae469bbf3de57eb92f53cbb9d.exe
  PID 396 wrote to memory of 4560 (process: c799cd2ae469bbf3de57eb92f53cbb9d.exe, target process: vbc.exe): 14 events
  PID 396 wrote to memory of 2876 (process: c799cd2ae469bbf3de57eb92f53cbb9d.exe, target process: c799cd2ae469bbf3de57eb92f53cbb9d.exe): 3 events
  PID 2876 wrote to memory of 4856 (process: c799cd2ae469bbf3de57eb92f53cbb9d.exe, target process: vbc.exe): 14 events
Processes

C:\Users\Admin\AppData\Local\Temp\c799cd2ae469bbf3de57eb92f53cbb9d.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\c799cd2ae469bbf3de57eb92f53cbb9d.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\c799cd2ae469bbf3de57eb92f53cbb9d.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\c799cd2ae469bbf3de57eb92f53cbb9d.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 3)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
memory/396-1-0x00000000747A0000-0x0000000074D51000-memory.dmp  Filesize: 5.7MB
memory/396-2-0x0000000000E40000-0x0000000000E50000-memory.dmp  Filesize: 64KB
memory/396-23-0x0000000000E40000-0x0000000000E50000-memory.dmp  Filesize: 64KB
memory/396-0-0x00000000747A0000-0x0000000074D51000-memory.dmp  Filesize: 5.7MB
memory/396-22-0x00000000747A0000-0x0000000074D51000-memory.dmp  Filesize: 5.7MB
memory/396-20-0x00000000747A0000-0x0000000074D51000-memory.dmp  Filesize: 5.7MB
memory/2876-12-0x00000000747A0000-0x0000000074D51000-memory.dmp  Filesize: 5.7MB
memory/2876-26-0x0000000000BE0000-0x0000000000BF0000-memory.dmp  Filesize: 64KB
memory/2876-25-0x00000000747A0000-0x0000000074D51000-memory.dmp  Filesize: 5.7MB
memory/2876-10-0x00000000747A0000-0x0000000074D51000-memory.dmp  Filesize: 5.7MB
memory/2876-11-0x0000000000BE0000-0x0000000000BF0000-memory.dmp  Filesize: 64KB
memory/4560-7-0x0000000000400000-0x00000000004B5000-memory.dmp  Filesize: 724KB
memory/4560-6-0x0000000000400000-0x00000000004B5000-memory.dmp  Filesize: 724KB
memory/4560-37-0x0000000000400000-0x00000000004B5000-memory.dmp  Filesize: 724KB
memory/4560-35-0x0000000000400000-0x00000000004B5000-memory.dmp  Filesize: 724KB
memory/4560-9-0x0000000000400000-0x00000000004B5000-memory.dmp  Filesize: 724KB
memory/4560-21-0x0000000000400000-0x00000000004B5000-memory.dmp  Filesize: 724KB
memory/4560-8-0x00000000022A0000-0x00000000022A1000-memory.dmp  Filesize: 4KB
memory/4560-31-0x0000000000400000-0x00000000004B5000-memory.dmp  Filesize: 724KB
memory/4560-5-0x0000000000400000-0x00000000004B5000-memory.dmp  Filesize: 724KB
memory/4560-4-0x0000000000400000-0x00000000004B5000-memory.dmp  Filesize: 724KB
memory/4560-27-0x0000000000400000-0x00000000004B5000-memory.dmp  Filesize: 724KB
memory/4560-29-0x0000000000400000-0x00000000004B5000-memory.dmp  Filesize: 724KB
memory/4856-16-0x0000000000400000-0x00000000004B5000-memory.dmp  Filesize: 724KB
memory/4856-17-0x0000000000780000-0x0000000000781000-memory.dmp  Filesize: 4KB
memory/4856-18-0x0000000000400000-0x00000000004B5000-memory.dmp  Filesize: 724KB