Analysis
- max time kernel: 61s
- max time network: 66s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-04-2024 23:28

Behavioral task: behavioral1
- Sample: DarkNight.exe
- Resource: win7-20240221-en
General
- Target: DarkNight.exe
- Size: 3.9MB
- MD5: d396e70e3da1b5c0c8414a524971b83e
- SHA1: 928fcd454a00ec2141fa0b1966ae509235c4c6c7
- SHA256: b8022c1aa5f5f6220ffce8f3f473bb8078bbf171fa00e50823bc0c79946c1121
- SHA512: dd66a02df8456876b89fc913d4e0e3c60324cb4adb4dd4c3a39babf0a70a6f4f10eb9d610a6aa86576746e5d9e458c85fbc320b708949a164c43588c9aaf9d4b
- SSDEEP: 98304:8O6Dchp3YEtEbfY514GcOIjRy9NcrMcLAAW8bapEUyB3pm1:8OakRObogOdDcNL08ILyu
Malware Config
Extracted
- Family: darkcomet
- DN2
- C2: 80.93.220.228:1605
- Mutex: DC_MUTEX-X39FPQJ
- gencode: UxJtmrp9botj
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes: DarkNight.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (DarkNight.exe)
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Processes: DarkNight.exe
  - Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions (DarkNight.exe)
- Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  Processes: DarkNight.exe
  - Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools (DarkNight.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: DarkNight.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (DarkNight.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (DarkNight.exe)
- YARA rule match: themida
  Memory dumps:
  - behavioral2/memory/1308-10-0x0000000000820000-0x00000000011C2000-memory.dmp: themida
  - behavioral2/memory/1308-11-0x0000000000820000-0x00000000011C2000-memory.dmp: themida
- Checks whether UAC is enabled
  Processes: DarkNight.exe
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (DarkNight.exe)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
  - flow 26: wtfismyip.com
  - flow 27: wtfismyip.com
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: DarkNight.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (DarkNight.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (DarkNight.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: DarkNight.exe
  - PID 1308 (DarkNight.exe) set thread context of PID 3776 (target procid 90)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  - PID 1308: DarkNight.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: DarkNight.exe, DarkNight.exe, WMIC.exe
  - DarkNight.exe (PID 1308): SeDebugPrivilege
  - DarkNight.exe (PID 3776): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  - WMIC.exe (PID 2600), first sequence: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - WMIC.exe (PID 2600), second sequence: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - PID 3776: DarkNight.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes: DarkNight.exe, CMD.exe, CMD.exe
  - PID 1308 (DarkNight.exe) wrote to memory of PID 3776 (target procid 90), 14 times
  - PID 1308 (DarkNight.exe) wrote to memory of PID 4544 (target procid 92), 3 times
  - PID 4544 (CMD.exe) wrote to memory of PID 2600 (target procid 94), 3 times
  - PID 1308 (DarkNight.exe) wrote to memory of PID 3420 (target procid 95), 3 times
  - PID 3420 (CMD.exe) wrote to memory of PID 812 (target procid 97), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\DarkNight.exe (PID 1308)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DarkNight.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DarkNight.exe (PID 3776)
    Command line: C:\Users\Admin\AppData\Local\Temp\DarkNight.exe
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\CMD.exe (PID 4544)
    Command line: "CMD.exe" /C WMIC COMPUTERSYSTEM GET MODEL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2600)
      Command line: WMIC COMPUTERSYSTEM GET MODEL
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\CMD.exe (PID 3420)
    Command line: "CMD.exe" /C WMIC BIOS GET VERSION
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 812)
      Command line: WMIC BIOS GET VERSION