Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23-04-2024 02:19
Static task
static1
Behavioral task
behavioral1
Sample
ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe
Resource
win10v2004-20240226-en
General
-
Target
ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe
-
Size
324KB
-
MD5
1da9d5eb17a25c1dcd2d7028867904aa
-
SHA1
b75ab89bcf8306b9ef6d222478a004aba32ecd7f
-
SHA256
ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac
-
SHA512
68b49d817d381fdd4d108f9b86c8aeb4a743000247878412c30d671be78d9eb3c019db62a4cc61f207e556389b9b3ff012f1e4c77d822ea42132f6aa292a94d2
-
SSDEEP
6144:cvhFCYZdP5aHNn1s7C+3S4R5wQrV/YbZwZ3ssu4eqswN8s1Pf4NAGy5uRyXR6P+R:TQdwHNn1OCN4MQEZwUqsA
Malware Config
Extracted
darkcomet
Guest16
betclock.zapto.org:35000
DC_MUTEX-LCQCVNZ
-
gencode
MGDU5FhLNYez
-
install
false
-
offline_keylogger
true
-
password
0123456789
-
persistence
false
Signatures
-
UPX dump on OEP (original entry point) 29 IoCs
Processes:
resource yara_rule behavioral1/memory/2300-7-0x0000000000400000-0x0000000000410000-memory.dmp UPX behavioral1/memory/2300-11-0x0000000000400000-0x0000000000410000-memory.dmp UPX behavioral1/memory/2300-14-0x0000000000400000-0x0000000000410000-memory.dmp UPX behavioral1/memory/2300-17-0x0000000000400000-0x0000000000410000-memory.dmp UPX behavioral1/memory/2300-16-0x0000000000400000-0x0000000000410000-memory.dmp UPX behavioral1/memory/2508-73-0x0000000000400000-0x0000000000410000-memory.dmp UPX behavioral1/memory/2248-78-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2248-82-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2248-85-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2248-87-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2300-89-0x0000000000400000-0x0000000000410000-memory.dmp UPX behavioral1/memory/2248-91-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2248-92-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2248-93-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2248-95-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2248-96-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2508-97-0x0000000000400000-0x0000000000410000-memory.dmp UPX behavioral1/memory/2248-98-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2248-100-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2248-101-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2248-103-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2248-105-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2248-107-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2248-109-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2248-111-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2248-113-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2248-115-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2248-117-0x0000000000400000-0x00000000004B7000-memory.dmp UPX behavioral1/memory/2248-119-0x0000000000400000-0x00000000004B7000-memory.dmp UPX -
Executes dropped EXE 3 IoCs
Processes:
Gpers.exeGpers.exeGpers.exepid Process 2616 Gpers.exe 2508 Gpers.exe 2248 Gpers.exe -
Loads dropped DLL 5 IoCs
Processes:
ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exepid Process 2300 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 2300 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 2300 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 2300 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 2300 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe -
Processes:
resource yara_rule behavioral1/memory/2300-5-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral1/memory/2300-7-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral1/memory/2300-11-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral1/memory/2300-14-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral1/memory/2300-17-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral1/memory/2300-16-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral1/memory/2508-73-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral1/memory/2248-76-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2248-78-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2248-82-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2248-85-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2248-87-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2300-89-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral1/memory/2248-91-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2248-92-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2248-93-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2248-95-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2248-96-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2508-97-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral1/memory/2248-98-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2248-100-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2248-101-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2248-103-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2248-105-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2248-107-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2248-109-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2248-111-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2248-113-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2248-115-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2248-117-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2248-119-0x0000000000400000-0x00000000004B7000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Support GFX = "C:\\Users\\Admin\\AppData\\Roaming\\Xpers\\Gpers.exe" reg.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exeGpers.exedescription pid Process procid_target PID 2976 set thread context of 2300 2976 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 28 PID 2616 set thread context of 2508 2616 Gpers.exe 33 PID 2616 set thread context of 2248 2616 Gpers.exe 34 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Gpers.exeGpers.exedescription pid Process Token: SeIncreaseQuotaPrivilege 2248 Gpers.exe Token: SeSecurityPrivilege 2248 Gpers.exe Token: SeTakeOwnershipPrivilege 2248 Gpers.exe Token: SeLoadDriverPrivilege 2248 Gpers.exe Token: SeSystemProfilePrivilege 2248 Gpers.exe Token: SeSystemtimePrivilege 2248 Gpers.exe Token: SeProfSingleProcessPrivilege 2248 Gpers.exe Token: SeIncBasePriorityPrivilege 2248 Gpers.exe Token: SeCreatePagefilePrivilege 2248 Gpers.exe Token: SeBackupPrivilege 2248 Gpers.exe Token: SeRestorePrivilege 2248 Gpers.exe Token: SeShutdownPrivilege 2248 Gpers.exe Token: SeDebugPrivilege 2248 Gpers.exe Token: SeSystemEnvironmentPrivilege 2248 Gpers.exe Token: SeChangeNotifyPrivilege 2248 Gpers.exe Token: SeRemoteShutdownPrivilege 2248 Gpers.exe Token: SeUndockPrivilege 2248 Gpers.exe Token: SeManageVolumePrivilege 2248 Gpers.exe Token: SeImpersonatePrivilege 2248 Gpers.exe Token: SeCreateGlobalPrivilege 2248 Gpers.exe Token: 33 2248 Gpers.exe Token: 34 2248 Gpers.exe Token: 35 2248 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe Token: SeDebugPrivilege 2508 Gpers.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exeac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exeGpers.exeGpers.exeGpers.exepid Process 2976 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 2300 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 2616 Gpers.exe 2508 Gpers.exe 2248 Gpers.exe -
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exeac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.execmd.exeGpers.exedescription pid Process procid_target PID 2976 wrote to memory of 2300 2976 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 28 PID 2976 wrote to memory of 2300 2976 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 28 PID 2976 wrote to memory of 2300 2976 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 28 PID 2976 wrote to memory of 2300 2976 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 28 PID 2976 wrote to memory of 2300 2976 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 28 PID 2976 wrote to memory of 2300 2976 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 28 PID 2976 wrote to memory of 2300 2976 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 28 PID 2976 wrote to memory of 2300 2976 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 28 PID 2300 wrote to memory of 2612 2300 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 29 PID 2300 wrote to memory of 2612 2300 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 29 PID 2300 wrote to memory of 2612 2300 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 29 PID 2300 wrote to memory of 2612 2300 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 29 PID 2612 wrote to memory of 2672 2612 cmd.exe 31 PID 2612 wrote to memory of 2672 2612 cmd.exe 31 PID 2612 wrote to memory of 2672 2612 cmd.exe 31 PID 2612 wrote to memory of 2672 2612 cmd.exe 31 PID 2300 wrote to memory of 2616 2300 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 32 PID 2300 wrote to memory of 2616 2300 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 32 PID 2300 wrote to memory of 2616 2300 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 32 PID 2300 wrote to memory of 2616 2300 ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe 32 PID 2616 wrote to memory of 2508 2616 Gpers.exe 33 PID 2616 wrote to memory of 2508 2616 Gpers.exe 33 PID 2616 wrote to memory of 2508 2616 Gpers.exe 33 PID 2616 wrote to memory of 2508 2616 Gpers.exe 33 PID 2616 wrote to memory of 2508 2616 Gpers.exe 33 PID 2616 wrote to memory of 2508 2616 Gpers.exe 33 PID 2616 wrote to memory of 2508 2616 Gpers.exe 33 PID 2616 wrote to memory of 2508 2616 Gpers.exe 33 PID 2616 wrote to memory of 2248 2616 Gpers.exe 34 PID 2616 wrote to memory of 2248 2616 Gpers.exe 34 PID 2616 wrote to memory of 2248 2616 Gpers.exe 34 PID 2616 wrote to memory of 2248 2616 Gpers.exe 34 PID 2616 wrote to memory of 2248 2616 Gpers.exe 34 PID 2616 wrote to memory of 2248 2616 Gpers.exe 34 PID 2616 wrote to memory of 2248 2616 Gpers.exe 34 PID 2616 wrote to memory of 2248 2616 Gpers.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe"C:\Users\Admin\AppData\Local\Temp\ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe"C:\Users\Admin\AppData\Local\Temp\ac1f09d0a797d231ac40d98c74851efbb1325d8c6351ddc251e0369c2f20c0ac.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\QDFAA.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Support GFX" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe" /f4⤵
- Adds Run key to start application
PID:2672
-
-
-
C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2508
-
-
C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2248
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD51967df2848438f32a1572914428221ae
SHA1cd88b3e8351f3685c22a2db7f67e5b9b2777fa13
SHA2561236575bc8ddb8a9e4509ce7491a67ca57c14c9f1a5bed19e23e4bd721a99574
SHA512b16afa9bd878c4ddfccc6765c25e2774e3e1b9a65c06f18de1a048ea73e110aa41ffd4fb0d24ce3c13c792766e273459b3217a0275ea652646b648d9c6bf6dd3
-
Filesize
324KB
MD5c12626b5146ef258948b949a966fea2f
SHA108737a905946a60ff1bcdab43ddce558be2e8f8b
SHA2567283b05bd580e15af53017fd671056a44b43819176172eaff76e42d2318a0377
SHA51212d9e91671a1ca5e2bafad87a8b8c50b13e0fd1fbe15e28e7e9730a9660beabb8e3e53bb04ed7e40b6a8d661d531cb785324927f75dbabba172684f9b4894e93