Analysis
- max time kernel: 149s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 13-04-2024 01:27
Behavioral task: behavioral1
- Sample: 079d1841d6f0fde132f810937d247226410bbc239141493df978da344060f030.exe
- Resource: win7-20240221-en
General
- Target: 079d1841d6f0fde132f810937d247226410bbc239141493df978da344060f030.exe
- Size: 756KB
- MD5: 7f63869a181a8ebb360a89b58c739648
- SHA1: 83e0504e36530cf417aee9cf6cfac90d0f21a451
- SHA256: 079d1841d6f0fde132f810937d247226410bbc239141493df978da344060f030
- SHA512: 5c1c5aaa55c3ea87138aaca88d771abb4d80d319abce0235f9ad5d6ad63c74d082c933366c7ea927fac80ef8d0874a71e9a67bb316355a8b31fd4cd060e67b86
- SSDEEP: 12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hgqMd0QZhJ:KZ1xuVVjfFoynPaVBUR8f+kN10EBqD0e
Malware Config
Extracted family: darkcomet
- Botnet: Guest16
- C2: 127.0.0.1:1604
- Mutex: DC_MUTEX-Z5HMAL1
- gencode: L2p2T15qZDML
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Sets file to hidden (1 TTPs, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes: attrib.exe (PID 3068), attrib.exe (PID 2568)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: 079d1841d6f0fde132f810937d247226410bbc239141493df978da344060f030.exe (PID 2308)
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: 079d1841d6f0fde132f810937d247226410bbc239141493df978da344060f030.exe (PID 2308) adjusted the following token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: 079d1841d6f0fde132f810937d247226410bbc239141493df978da344060f030.exe (PID 2308)
- Suspicious use of WriteProcessMemory (39 IoCs)
  Processes (source wrote to memory of target, number of events):
  - 079d1841d6f0fde132f810937d247226410bbc239141493df978da344060f030.exe (PID 2308) wrote to memory of cmd.exe (PID 2196): 4
  - 079d1841d6f0fde132f810937d247226410bbc239141493df978da344060f030.exe (PID 2308) wrote to memory of cmd.exe (PID 2032): 4
  - 079d1841d6f0fde132f810937d247226410bbc239141493df978da344060f030.exe (PID 2308) wrote to memory of notepad.exe (PID 2640): 23
  - cmd.exe (PID 2032) wrote to memory of attrib.exe (PID 2568): 4
  - cmd.exe (PID 2196) wrote to memory of attrib.exe (PID 3068): 4
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes: attrib.exe (PID 3068), attrib.exe (PID 2568)
Processes (tree; bracketed number is the depth in the process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\079d1841d6f0fde132f810937d247226410bbc239141493df978da344060f030.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\079d1841d6f0fde132f810937d247226410bbc239141493df978da344060f030.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\079d1841d6f0fde132f810937d247226410bbc239141493df978da344060f030.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\079d1841d6f0fde132f810937d247226410bbc239141493df978da344060f030.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  - [2] C:\Windows\SysWOW64\notepad.exe
    Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2308-0-0x00000000002F0000-0x00000000002F1000-memory.dmp (Filesize 4KB)
- memory/2308-35-0x0000000000400000-0x00000000004CA000-memory.dmp (Filesize 808KB)
- memory/2308-36-0x0000000000400000-0x00000000004CA000-memory.dmp (Filesize 808KB)
- memory/2308-37-0x00000000002F0000-0x00000000002F1000-memory.dmp (Filesize 4KB)
- memory/2308-38-0x0000000000400000-0x00000000004CA000-memory.dmp (Filesize 808KB)
- memory/2308-45-0x0000000000400000-0x00000000004CA000-memory.dmp (Filesize 808KB)
- memory/2308-48-0x0000000000400000-0x00000000004CA000-memory.dmp (Filesize 808KB)
- memory/2308-49-0x0000000000400000-0x00000000004CA000-memory.dmp (Filesize 808KB)
- memory/2640-1-0x00000000000C0000-0x00000000000C1000-memory.dmp (Filesize 4KB)
- memory/2640-34-0x0000000000D50000-0x0000000000D51000-memory.dmp (Filesize 4KB)