Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-03-2024 15:44
Static task: static1
Behavioral task: behavioral1
Sample: ce6de8599b565fddf67ee026ee4bc285.exe
Resource: win7-20240221-en
General
Target: ce6de8599b565fddf67ee026ee4bc285.exe
Size: 232KB
MD5: ce6de8599b565fddf67ee026ee4bc285
SHA1: a6045faafaecb660b65d45759b13a38ea2a7ce23
SHA256: 427f8b826a8cc9e9059fcd956636a37a6aab8a3162b1ad1a3cc24752f6e8f351
SHA512: 192e3ce197a090904d5e3838eb411e38097c20d5d7efbc6d055140fcc88e0a4cef78293e8c1c9c8abaeec55f075e17456e7607b7eaad1ed3b87866aa648d2a71
SSDEEP: 3072:SNztnBlBp9ALvNKMKWqXs8NqU+xwDbUe2WpZJmXHB8zrYqHphTfBsbOEU0+rDGLh:SNJfRAzNK5W/1WRmR4r7JhuyE8wPQ
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: trackingservice.zapto.org:1604
Mutex: DC_MUTEX-Q0QBNJA
InstallPath: Windupdt\winupdate.exe
gencode: ujn2qDPvmCGP
install: true
offline_keylogger: true
persistence: true
reg_key: winupdater
Extracted
Family: latentbot
C2: trackingservice.zapto.org
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: ce6de8599b565fddf67ee026ee4bc285.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" (ce6de8599b565fddf67ee026ee4bc285.exe)
Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: winupdate.exe, iexplore.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (winupdate.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (iexplore.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (iexplore.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (iexplore.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (winupdate.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (winupdate.exe)
Disables RegEdit via registry modification (2 IoCs)
Processes: iexplore.exe, winupdate.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (winupdate.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: ce6de8599b565fddf67ee026ee4bc285.exe
- Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation (ce6de8599b565fddf67ee026ee4bc285.exe)
Executes dropped EXE (1 IoC)
Processes: winupdate.exe
- PID 2120 winupdate.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: ce6de8599b565fddf67ee026ee4bc285.exe, winupdate.exe, iexplore.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" (ce6de8599b565fddf67ee026ee4bc285.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" (winupdate.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" (iexplore.exe)
Suspicious use of SetThreadContext (1 IoC)
Processes: winupdate.exe
- PID 2120 (winupdate.exe) set thread context of PID 1252 (iexplore.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: ce6de8599b565fddf67ee026ee4bc285.exe, winupdate.exe, iexplore.exe
- PID 4888 ce6de8599b565fddf67ee026ee4bc285.exe (24 tokens): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 2120 winupdate.exe (24 tokens): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 1252 iexplore.exe (16 tokens): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: iexplore.exe
- PID 1252 iexplore.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: ce6de8599b565fddf67ee026ee4bc285.exe, winupdate.exe
- PID 4888 (ce6de8599b565fddf67ee026ee4bc285.exe) wrote to memory of PID 2120 (winupdate.exe), 3 times
- PID 2120 (winupdate.exe) wrote to memory of PID 1252 (iexplore.exe), 5 times
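The registry signatures above (UserInit helper, Run key, firewall policy, DisableRegistryTools, Geo\Nation lookup) are the host-side footprint of this DarkComet build. The following is an added triage example, not part of the sandbox report and not DarkComet code: it parses registry events written in the sandbox's own line format and applies one rule per signature. The sample lines are copied from the IoCs in this report, except the final OneDrive line, which is a constructed benign control; the rule names and the trusted-directory list are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional

# Registry events copied from the sandbox signatures in this report, in the
# sandbox's "<op> <key\value> [= "<data>"] <process>" line format. The last
# line is a constructed benign control and does not come from the report.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" ce6de8599b565fddf67ee026ee4bc285.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" iexplore.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" winupdate.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation ce6de8599b565fddf67ee026ee4bc285.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" explorer.exe',
]

EVENT_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created|Key value queried)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<data>.*)")?'
    r'\s+(?P<proc>\S+)$'
)

# Assumed: autorun targets under these roots are unremarkable; anything else
# (C:\Windupdt in this report) deserves a look.
TRUSTED_PREFIXES = ('c:\\program files', 'c:\\windows')


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one sandbox registry line into op / key path / data / process."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    if ev['data'] is not None:
        # the sandbox doubles backslashes inside quoted string data
        ev['data'] = ev['data'].replace('\\\\', '\\')
    return ev


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Apply one rule per signature seen in this report to a list of events."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        path, data, proc = ev['path'].lower(), ev['data'], ev['proc']
        if path.endswith('\\winlogon\\userinit') and data:
            # UserInit is comma-separated; anything besides userinit.exe is a
            # helper that Winlogon launches at every logon (T1547.004).
            extra = [p.strip() for p in data.split(',')
                     if p.strip() and not p.strip().lower().endswith('\\userinit.exe')]
            if extra:
                findings.append({'rule': 'winlogon_userinit_helper',
                                 'process': proc, 'detail': ';'.join(extra)})
        elif '\\firewallpolicy\\' in path and path.endswith('\\enablefirewall') and data == '0':
            findings.append({'rule': 'firewall_disabled', 'process': proc, 'detail': path})
        elif path.endswith('\\policies\\system\\disableregistrytools') and data == '1':
            findings.append({'rule': 'regedit_disabled', 'process': proc, 'detail': path})
        elif '\\currentversion\\run\\' in path and data:
            if not data.lower().lstrip('"').startswith(TRUSTED_PREFIXES):
                findings.append({'rule': 'run_key_unusual_path',
                                 'process': proc, 'detail': data})
        elif path.endswith('\\international\\geo\\nation'):
            findings.append({'rule': 'geo_check', 'process': proc, 'detail': path})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['rule']:<26} {f['process']:<45} {f['detail']}")
```

The UserInit rule is the one worth keeping beyond this sample: the value is legitimately a comma-separated list, so a detection that looks for the exact string "userinit.exe" will miss an appended helper, while splitting on the comma and reporting everything that is not userinit.exe catches it regardless of the path the malware chose.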
Processes
C:\Users\Admin\AppData\Local\Temp\ce6de8599b565fddf67ee026ee4bc285.exe (PID 4888)
"C:\Users\Admin\AppData\Local\Temp\ce6de8599b565fddf67ee026ee4bc285.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Windupdt\winupdate.exe (PID 2120, child of 4888)
  "C:\Windupdt\winupdate.exe"
  - Modifies firewall policy service
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 1252, child of 2120)
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    - Modifies firewall policy service
    - Disables RegEdit via registry modification
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
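The process tree shows the usual DarkComet shape: the dropper starts its installed copy, and that copy writes into a freshly created iexplore.exe and resets its thread context, after which the browser process is the one touching the firewall policy and installing the hook. The block below is an added example, not part of the report, that reconstructs that chain from the WriteProcessMemory and SetThreadContext IoC lines above (copied verbatim as sample input) and separates the hollowing pair from the parent-to-child write that process creation produces anyway. The rule, the "hollowing" label and the T1055.012 mapping are this example's own reasoning, not the sandbox's.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# API-call events copied from the WriteProcessMemory and SetThreadContext
# signatures in this report, one line per sandbox IoC.
SAMPLE_API_EVENTS = [
    'PID 4888 wrote to memory of 2120 4888 ce6de8599b565fddf67ee026ee4bc285.exe winupdate.exe',
    'PID 4888 wrote to memory of 2120 4888 ce6de8599b565fddf67ee026ee4bc285.exe winupdate.exe',
    'PID 4888 wrote to memory of 2120 4888 ce6de8599b565fddf67ee026ee4bc285.exe winupdate.exe',
    'PID 2120 wrote to memory of 1252 2120 winupdate.exe iexplore.exe',
    'PID 2120 wrote to memory of 1252 2120 winupdate.exe iexplore.exe',
    'PID 2120 wrote to memory of 1252 2120 winupdate.exe iexplore.exe',
    'PID 2120 wrote to memory of 1252 2120 winupdate.exe iexplore.exe',
    'PID 2120 wrote to memory of 1252 2120 winupdate.exe iexplore.exe',
    'PID 2120 set thread context of 1252 2120 winupdate.exe iexplore.exe',
]

# "PID <src> <api> <dst> <src> <src image> <dst image>" as the sandbox prints it
API_RE = re.compile(
    r'^PID (?P<src>\d+) (?P<api>wrote to memory of|set thread context of) '
    r'(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$'
)

Edge = Tuple[int, str, int, str]  # (src pid, src image, dst pid, dst image)


def parse_api_events(lines: List[str]) -> Dict[str, Set[Edge]]:
    """Group cross-process edges by API; repeated identical IoCs collapse."""
    edges: Dict[str, Set[Edge]] = defaultdict(set)
    for line in lines:
        m = API_RE.match(line.strip())
        if not m:
            continue
        api = 'WriteProcessMemory' if m['api'].startswith('wrote') else 'SetThreadContext'
        edges[api].add((int(m['src']), m['src_img'], int(m['dst']), m['dst_img']))
    return edges


def find_hollowing(edges: Dict[str, Set[Edge]]) -> List[Edge]:
    """Edges where one source both wrote into a target and reset the target's
    thread context, and the target runs a different image: the process-
    hollowing shape (T1055.012). A parent that only writes to its child,
    as 4888 -> 2120 does here, is ordinary process creation and is skipped."""
    wpm = edges.get('WriteProcessMemory', set())
    stc = edges.get('SetThreadContext', set())
    return sorted(e for e in wpm & stc if e[1].lower() != e[3].lower())


def chain(edges: Dict[str, Set[Edge]]) -> List[str]:
    """Render every observed cross-process edge as 'src -> dst', PID-ordered."""
    all_edges = set().union(*edges.values()) if edges else set()
    return [f"{s} ({si}) -> {d} ({di})" for s, si, d, di in sorted(all_edges)]


if __name__ == '__main__':
    parsed = parse_api_events(SAMPLE_API_EVENTS)
    print('\n'.join(chain(parsed)))
    for src, src_img, dst, dst_img in find_hollowing(parsed):
        print(f'hollowing: {src_img} ({src}) -> {dst_img} ({dst})')
```

The practical point is the AND: WriteProcessMemory from a parent into its own child is produced by CreateProcess itself, so it should not page anyone on its own; the same source also calling SetThreadContext on a child whose image is a legitimate Microsoft binary is what turns the pair into a hollowing alert, and it is also why the later registry and hook activity is attributed to iexplore.exe rather than to winupdate.exe.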
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
C:\Windupdt\winupdate.exe
Filesize: 232KB
MD5: ce6de8599b565fddf67ee026ee4bc285
SHA1: a6045faafaecb660b65d45759b13a38ea2a7ce23
SHA256: 427f8b826a8cc9e9059fcd956636a37a6aab8a3162b1ad1a3cc24752f6e8f351
SHA512: 192e3ce197a090904d5e3838eb411e38097c20d5d7efbc6d055140fcc88e0a4cef78293e8c1c9c8abaeec55f075e17456e7607b7eaad1ed3b87866aa648d2a71
(All four hashes match the submitted sample: the dropper copies itself unchanged to the configured InstallPath, so the sample hashes are also the hashes of the persisted file.)

memory/2120-16-0x0000000002180000-0x0000000002181000-memory.dmp
Filesize: 4KB

memory/2120-18-0x0000000000400000-0x00000000004B3000-memory.dmp
Filesize: 716KB

memory/4888-0-0x0000000000400000-0x00000000004B3000-memory.dmp
Filesize: 716KB

memory/4888-1-0x00000000022B0000-0x00000000022B1000-memory.dmp
Filesize: 4KB

memory/4888-15-0x0000000000400000-0x00000000004B3000-memory.dmp
Filesize: 716KB