Analysis
- max time kernel: 145s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-05-2024 15:01

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Butterfly Knife Slaughter/Butterfly Knife Slaughter Skins.exe
  - Resource: win7-20240221-en
General
- Target: Butterfly Knife Slaughter/Butterfly Knife Slaughter Skins.exe
- Size: 870KB
- MD5: e96b3ac179c7c1e81d52967064f829fa
- SHA1: f4e95f4d5c7f4cabf52b1c28b6fde5ab3699d7a3
- SHA256: d0460663f8f6a1dbdd87f4970e347db55667f4e70e120777d43958986579319b
- SHA512: 2f98d46dfcb37dc78aaf0d6ecbb40cf4b7f9713329c6bcea059e00cdd1e4417987024ab4e53901d241f14373691d9c9f26784061385f022ad369f3426d9a6b23
- SSDEEP: 12288:Vj4O4UIGXLgOhMnV2xwRI7A2Jx+SrgmljgHbi2+TRL70/:VESXLPh2Qn+SM6Z2WRL7c
Malware Config
Extracted
- Family: darkcomet
- Botnet: Sexbombe
- C2: rat-darkcomet766.no-ip.org:1604
- Mutex: DC_MUTEX-B3RTF03
- Attributes:
  - gencode: YVAJXNGg52FS
  - install: false
  - offline_keylogger: true
  - persistence: false
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: vbc.exe
| description | ioc | Process |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | vbc.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | vbc.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | vbc.exe |

Modifies security service (2 TTPs, 1 IoCs)
Processes: vbc.exe
| description | ioc | Process |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | vbc.exe |

Windows security bypass
Processes: vbc.exe
| description | ioc | Process |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vbc.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vbc.exe |

Disables RegEdit via registry modification (1 IoCs)
Processes: vbc.exe
| description | ioc | Process |
| Set value (int) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vbc.exe |

Disables Task Manager via registry modification

YARA rule matches in process memory (rule: upx)
| resource | yara_rule |
| behavioral2/memory/4120-5-0x0000000000400000-0x00000000004BA000-memory.dmp | upx |
| behavioral2/memory/4120-6-0x0000000000400000-0x00000000004BA000-memory.dmp | upx |
| behavioral2/memory/4120-8-0x0000000000400000-0x00000000004BA000-memory.dmp | upx |
| behavioral2/memory/4120-10-0x0000000000400000-0x00000000004BA000-memory.dmp | upx |
| behavioral2/memory/4120-14-0x0000000000400000-0x00000000004BA000-memory.dmp | upx |
| behavioral2/memory/4120-16-0x0000000000400000-0x00000000004BA000-memory.dmp | upx |
| behavioral2/memory/4120-18-0x0000000000400000-0x00000000004BA000-memory.dmp | upx |
| behavioral2/memory/4120-17-0x0000000000400000-0x00000000004BA000-memory.dmp | upx |
| behavioral2/memory/4120-15-0x0000000000400000-0x00000000004BA000-memory.dmp | upx |
| behavioral2/memory/4120-21-0x0000000000400000-0x00000000004BA000-memory.dmp | upx |
| behavioral2/memory/4120-20-0x0000000000400000-0x00000000004BA000-memory.dmp | upx |
| behavioral2/memory/4120-19-0x0000000000400000-0x00000000004BA000-memory.dmp | upx |
| behavioral2/memory/4120-22-0x0000000000400000-0x00000000004BA000-memory.dmp | upx |
| behavioral2/memory/4120-24-0x0000000000400000-0x00000000004BA000-memory.dmp | upx |
| behavioral2/memory/4120-26-0x0000000000400000-0x00000000004BA000-memory.dmp | upx |
| behavioral2/memory/4120-28-0x0000000000400000-0x00000000004BA000-memory.dmp | upx |
| behavioral2/memory/4120-30-0x0000000000400000-0x00000000004BA000-memory.dmp | upx |
| behavioral2/memory/4120-32-0x0000000000400000-0x00000000004BA000-memory.dmp | upx |
| behavioral2/memory/4120-34-0x0000000000400000-0x00000000004BA000-memory.dmp | upx |
Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: Butterfly Knife Slaughter Skins.exe
| description | ioc | Process |
| Set value (str) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsUpdate.exe\"" | Butterfly Knife Slaughter Skins.exe |

Suspicious use of SetThreadContext (1 IoCs)
Processes: Butterfly Knife Slaughter Skins.exe
| description | pid | Process | procid_target |
| PID 808 set thread context of 4120 | 808 | Butterfly Knife Slaughter Skins.exe | 94 |

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: vbc.exe
| pid | Process |
| 4120 | vbc.exe |

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: vbc.exe
| description | pid | Process |
| Token: SeIncreaseQuotaPrivilege | 4120 | vbc.exe |
| Token: SeSecurityPrivilege | 4120 | vbc.exe |
| Token: SeTakeOwnershipPrivilege | 4120 | vbc.exe |
| Token: SeLoadDriverPrivilege | 4120 | vbc.exe |
| Token: SeSystemProfilePrivilege | 4120 | vbc.exe |
| Token: SeSystemtimePrivilege | 4120 | vbc.exe |
| Token: SeProfSingleProcessPrivilege | 4120 | vbc.exe |
| Token: SeIncBasePriorityPrivilege | 4120 | vbc.exe |
| Token: SeCreatePagefilePrivilege | 4120 | vbc.exe |
| Token: SeBackupPrivilege | 4120 | vbc.exe |
| Token: SeRestorePrivilege | 4120 | vbc.exe |
| Token: SeShutdownPrivilege | 4120 | vbc.exe |
| Token: SeDebugPrivilege | 4120 | vbc.exe |
| Token: SeSystemEnvironmentPrivilege | 4120 | vbc.exe |
| Token: SeChangeNotifyPrivilege | 4120 | vbc.exe |
| Token: SeRemoteShutdownPrivilege | 4120 | vbc.exe |
| Token: SeUndockPrivilege | 4120 | vbc.exe |
| Token: SeManageVolumePrivilege | 4120 | vbc.exe |
| Token: SeImpersonatePrivilege | 4120 | vbc.exe |
| Token: SeCreateGlobalPrivilege | 4120 | vbc.exe |
| Token: 33 | 4120 | vbc.exe |
| Token: 34 | 4120 | vbc.exe |
| Token: 35 | 4120 | vbc.exe |
| Token: 36 | 4120 | vbc.exe |

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: vbc.exe
| pid | Process |
| 4120 | vbc.exe |

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: Butterfly Knife Slaughter Skins.exe
| description | pid | Process | procid_target |
| PID 808 wrote to memory of 4120 | 808 | Butterfly Knife Slaughter Skins.exe | 94 |
| PID 808 wrote to memory of 4120 | 808 | Butterfly Knife Slaughter Skins.exe | 94 |
| PID 808 wrote to memory of 4120 | 808 | Butterfly Knife Slaughter Skins.exe | 94 |
| PID 808 wrote to memory of 4120 | 808 | Butterfly Knife Slaughter Skins.exe | 94 |
| PID 808 wrote to memory of 4120 | 808 | Butterfly Knife Slaughter Skins.exe | 94 |
| PID 808 wrote to memory of 4120 | 808 | Butterfly Knife Slaughter Skins.exe | 94 |
| PID 808 wrote to memory of 4120 | 808 | Butterfly Knife Slaughter Skins.exe | 94 |
| PID 808 wrote to memory of 4120 | 808 | Butterfly Knife Slaughter Skins.exe | 94 |
Processes
1. C:\Users\Admin\AppData\Local\Temp\Butterfly Knife Slaughter\Butterfly Knife Slaughter Skins.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Butterfly Knife Slaughter\Butterfly Knife Slaughter Skins.exe"
   PID: 808
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (child of PID 808)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      PID: 4120
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)