Analysis
  Max time kernel: 150s
  Max time network: 123s
  Platform: windows7_x64
  Resource: win7-20240221-en
  Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  Submitted: 16-03-2024 15:44
  Static task: static1
  Behavioral task: behavioral1
    Sample: ce6de8599b565fddf67ee026ee4bc285.exe
    Resource: win7-20240221-en
General
  Target: ce6de8599b565fddf67ee026ee4bc285.exe
  Size: 232KB
  MD5: ce6de8599b565fddf67ee026ee4bc285
  SHA1: a6045faafaecb660b65d45759b13a38ea2a7ce23
  SHA256: 427f8b826a8cc9e9059fcd956636a37a6aab8a3162b1ad1a3cc24752f6e8f351
  SHA512: 192e3ce197a090904d5e3838eb411e38097c20d5d7efbc6d055140fcc88e0a4cef78293e8c1c9c8abaeec55f075e17456e7607b7eaad1ed3b87866aa648d2a71
  SSDEEP: 3072:SNztnBlBp9ALvNKMKWqXs8NqU+xwDbUe2WpZJmXHB8zrYqHphTfBsbOEU0+rDGLh:SNJfRAzNK5W/1WRmR4r7JhuyE8wPQ
Malware Config
  Extracted: darkcomet
    Botnet: Guest16
    C2: trackingservice.zapto.org:1604
    Mutex: DC_MUTEX-Q0QBNJA
    InstallPath: Windupdt\winupdate.exe
    gencode: ujn2qDPvmCGP
    install: true
    offline_keylogger: true
    persistence: true
    reg_key: winupdater
  Extracted: latentbot
    C2: trackingservice.zapto.org
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  - ce6de8599b565fddf67ee026ee4bc285.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"

Modifies firewall policy service (2 TTPs, 3 IoCs)
  - winupdate.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  - winupdate.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  - winupdate.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"

Disables RegEdit via registry modification (1 IoC)
  - winupdate.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Executes dropped EXE (1 IoC)
  - PID 2028 winupdate.exe

Loads dropped DLL (4 IoCs)
  - PID 2484 ce6de8599b565fddf67ee026ee4bc285.exe (1 event)
  - PID 2028 winupdate.exe (3 events)

Adds Run key to start application (2 TTPs, 2 IoCs)
  - ce6de8599b565fddf67ee026ee4bc285.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"
  - winupdate.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  PID 2484 ce6de8599b565fddf67ee026ee4bc285.exe and PID 2028 winupdate.exe each adjusted the same 23 tokens:
  - SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 2028 winupdate.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  - PID 2484 ce6de8599b565fddf67ee026ee4bc285.exe wrote to memory of PID 2028 winupdate.exe (7 events)
  - PID 2028 winupdate.exe wrote to memory of PID 2552 iexplore.exe (7 events)
  - PID 2028 winupdate.exe wrote to memory of PID 2548 explorer.exe (4 events)
Processes

C:\Users\Admin\AppData\Local\Temp\ce6de8599b565fddf67ee026ee4bc285.exe (PID 2484)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce6de8599b565fddf67ee026ee4bc285.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windupdt\winupdate.exe (PID 2028, child of PID 2484)
    Command line: "C:\Windupdt\winupdate.exe"
    - Modifies firewall policy service
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 2552, child of PID 2028)
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

    C:\Windows\explorer.exe (PID 2548, child of PID 2028)
      Command line: "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (2)
      Registry Run Keys / Startup Folder (1)
      Winlogon Helper DLL (1)
    Create or Modify System Process (1)
      Windows Service (1)
Downloads

\Windupdt\winupdate.exe
  Filesize: 232KB
  MD5: ce6de8599b565fddf67ee026ee4bc285
  SHA1: a6045faafaecb660b65d45759b13a38ea2a7ce23
  SHA256: 427f8b826a8cc9e9059fcd956636a37a6aab8a3162b1ad1a3cc24752f6e8f351
  SHA512: 192e3ce197a090904d5e3838eb411e38097c20d5d7efbc6d055140fcc88e0a4cef78293e8c1c9c8abaeec55f075e17456e7607b7eaad1ed3b87866aa648d2a71

Memory dumps (filename pattern memory/<pid>-<index>-<start>-<end>-memory.dmp)
  PID 2028
    memory/2028-N-0x0000000000400000-0x00000000004B3000-memory.dmp, N in {11, 18, 21, 22, 25, 26, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39}: 716KB each
    memory/2028-N-0x0000000000230000-0x00000000002E3000-memory.dmp, N in {16, 17, 19, 23, 24, 27}: 716KB each
    memory/2028-20-0x0000000000360000-0x0000000000361000-memory.dmp: 4KB
  PID 2484
    memory/2484-N-0x0000000000400000-0x00000000004B3000-memory.dmp, N in {0, 10}: 716KB each
    memory/2484-1-0x00000000003C0000-0x00000000003C1000-memory.dmp: 4KB