Analysis
max time kernel: 120s
max time network: 18s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 26-07-2024 01:18
Static task: static1
Behavioral task: behavioral1
  Sample: 46dd4bd57b1a79b0cd006e9157c909f0N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 46dd4bd57b1a79b0cd006e9157c909f0N.exe
  Resource: win10v2004-20240709-en
General
Target: 46dd4bd57b1a79b0cd006e9157c909f0N.exe
Size: 324KB
MD5: 46dd4bd57b1a79b0cd006e9157c909f0
SHA1: c2b18df0be98864ce174846cdeed8b22d37cf943
SHA256: 2198b1e583ed283cedcd9e5d4031d905400fff6e52fb54fe129094524aa588b3
SHA512: e069d5bb65df3c21f5e595ca2351ab35c833aa8e52e549890f53882d8c3c7a312511a6656c85f2eee2479d8d1811b52aa80b2394495b79a7ddb66950428257ca
SSDEEP: 6144:cvhFCYZdP5aHNn1s7C+3S4R5wQrV/YbZwZ3ssu4eqswN8s1Pf4NAGy5uRyXR6P+R:TQdwHNn1OCN4MQEZwUqsA
Malware Config
Extracted
family: darkcomet
campaign id (SID): Guest16
C2: betclock.zapto.org:35000
mutex: DC_MUTEX-LCQCVNZ
gencode: MGDU5FhLNYez
install: false
offline_keylogger: true
password: 0123456789
persistence: false
The C2 is a dynamic-DNS hostname (zapto.org) on a non-standard port, so block on the name rather than a resolved address. The password is also part of DarkComet's RC4 traffic key, so keep it alongside the C2 if captured sessions need to be decrypted. Note that install and persistence are both false in the config, yet the run below still drops Gpers.exe and adds a Run key (see Signatures), so the config flags alone do not describe what the sample does.
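The extracted config above is the output of a decoder; the following is an added example (not the sandbox's, DarkComet's or any decoder project's code) of how such a decoder works for a DarkComet-style config. Assumptions, labelled as such: public DarkComet 5.x decoders treat the stored config as hex text that RC4-decrypts under the fixed key string "#KCMDDC51#-890" into KEY={value} lines, and derive the C2 traffic key as that string followed by the PWD field. The encrypted blob is constructed here from the report's own values so the example runs offline; it is not bytes carved from the sample, and the field names (NETDATA, SID, PWD, OFFLINEK, PERSINST, INSTALL) are those used by public decoders, not something this page confirms.

```python
"""Added example: decode a DarkComet-style config blob into the indicators listed above.
Key string, field names and the hex/RC4 layout are assumptions from public decoders;
the blob is CONSTRUCTED from the report's values so the example is self-contained."""
import binascii
import re

DC51_KEY = b"#KCMDDC51#-890"  # assumption: DarkComet 5.1 config key used by public decoders


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); symmetric, so one function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


FIELD_RE = re.compile(r"^([A-Z0-9]+)=\{(.*)\}$")


def decrypt_config(hex_blob: str, key: bytes = DC51_KEY) -> dict:
    """Hex-decode, RC4-decrypt and split the KEY={value} lines into a dict."""
    text = rc4(key, binascii.unhexlify(hex_blob)).decode("latin-1")
    cfg = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def to_indicators(cfg: dict) -> dict:
    """Map the assumed DarkComet field names onto the labels the report uses above."""
    host, _, port = cfg.get("NETDATA", "").rpartition(":")
    return {
        "c2_host": host,
        "c2_port": int(port) if port.isdigit() else None,
        "campaign": cfg.get("SID"),
        "mutex": cfg.get("MUTEX"),
        "gencode": cfg.get("GENCODE"),
        "password": cfg.get("PWD"),
        "install": cfg.get("INSTALL") == "1",
        "offline_keylogger": cfg.get("OFFLINEK") == "1",
        "persistence": cfg.get("PERSINST") == "1",
    }


def traffic_key(cfg: dict, version_key: bytes = DC51_KEY) -> bytes:
    """Assumption (public decoders): C2 traffic is RC4 under version key + PWD."""
    return version_key + cfg.get("PWD", "").encode("latin-1")


# Constructed stand-in for the sample's config resource, built from the values the
# report extracted; encrypting it here is what makes the example run offline.
_PLAINTEXT = (
    "MUTEX={DC_MUTEX-LCQCVNZ}\r\nSID={Guest16}\r\n"
    "NETDATA={betclock.zapto.org:35000}\r\nGENCODE={MGDU5FhLNYez}\r\n"
    "PWD={0123456789}\r\nINSTALL={0}\r\nOFFLINEK={1}\r\nPERSINST={0}\r\n"
)
SAMPLE_BLOB = binascii.hexlify(rc4(DC51_KEY, _PLAINTEXT.encode("latin-1"))).decode()


def decode_sample() -> dict:
    """Round trip: decrypt the constructed blob and normalise it into indicators."""
    return to_indicators(decrypt_config(SAMPLE_BLOB))


if __name__ == "__main__":
    for name, value in decode_sample().items():
        print(f"{name:18} {value}")
    print("traffic key:", traffic_key(decrypt_config(SAMPLE_BLOB)))
```

Against a real sample the blob would be read from the binary's resources rather than constructed, and the version key would be tried from a list (older DarkComet builds used different strings); the parsing and key-derivation steps are the same.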
Signatures
Executes dropped EXE 3 IoCs
Processes:
  PID 3004  Gpers.exe
  PID 2080  Gpers.exe
  PID 1780  Gpers.exe
Loads dropped DLL 5 IoCs
Processes:
  PID 3060  46dd4bd57b1a79b0cd006e9157c909f0N.exe (5 loads)
UPX packer signature in process memory (yara rule: upx) 30 IoCs
Processes:
  PID 3060 (46dd4bd57b1a79b0cd006e9157c909f0N.exe): 0x00400000-0x00410000, memory dumps 6, 8, 12, 14, 15, 17, 18, 89
  PID 2080 (Gpers.exe): 0x00400000-0x00410000, memory dump 97
  PID 1780 (Gpers.exe): 0x00400000-0x004B7000, memory dumps 75, 77, 80, 84, 85, 92, 93, 94, 95, 96, 98, 100, 102, 104, 106, 108, 110, 112, 114, 116, 118
The matched image in PID 1780 (0x400000-0x4B7000, about 732 KB) is far larger than the 64 KB image matched in PIDs 3060 and 2080, consistent with PID 3004 having written a different payload into 1780 before calling SetThreadContext on it (see below). The 1780 dumps are the ones worth pulling for static analysis.
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Support GFX = "C:\\Users\\Admin\\AppData\\Roaming\\Xpers\\Gpers.exe"
Suspicious use of SetThreadContext 3 IoCs
Processes:
  PID 904 (46dd4bd57b1a79b0cd006e9157c909f0N.exe) set thread context of PID 3060 (46dd4bd57b1a79b0cd006e9157c909f0N.exe)
  PID 3004 (Gpers.exe) set thread context of PID 2080 (Gpers.exe)
  PID 3004 (Gpers.exe) set thread context of PID 1780 (Gpers.exe)
In each case the target is a second instance of the caller's own image that the caller also wrote to (see WriteProcessMemory below): the self-hollowing pattern of a packed stub launching a copy of itself and replacing its code.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: Gpers.exe, 46dd4bd57b1a79b0cd006e9157c909f0N.exe, 46dd4bd57b1a79b0cd006e9157c909f0N.exe, cmd.exe, reg.exe, Gpers.exe, Gpers.exe
cmd.exe and reg.exe appear here too; reading this key is part of ordinary process start-up, so on its own it is a weak indicator.
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  PID 1780 (Gpers.exe) enabled 23 privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 2080 (Gpers.exe): SeDebugPrivilege, 41 times
LUIDs 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Enabling every privilege the token holds in one sweep, as 1780 does, is itself a detectable pattern; the repeated SeDebugPrivilege requests from 2080 are what a process expects to need before opening other processes.
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
  PID 904 (46dd4bd57b1a79b0cd006e9157c909f0N.exe), PID 3060 (46dd4bd57b1a79b0cd006e9157c909f0N.exe), PID 3004 (Gpers.exe), PID 2080 (Gpers.exe), PID 1780 (Gpers.exe)
Hook installation in the final payload processes is consistent with the offline_keylogger=true setting in the extracted config.
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
  PID 904 (46dd4bd57b1a79b0cd006e9157c909f0N.exe) wrote to memory of PID 3060 (46dd4bd57b1a79b0cd006e9157c909f0N.exe): 8 times
  PID 3060 (46dd4bd57b1a79b0cd006e9157c909f0N.exe) wrote to memory of PID 2832 (cmd.exe): 4 times
  PID 2832 (cmd.exe) wrote to memory of PID 2868 (reg.exe): 4 times
  PID 3060 (46dd4bd57b1a79b0cd006e9157c909f0N.exe) wrote to memory of PID 3004 (Gpers.exe): 4 times
  PID 3004 (Gpers.exe) wrote to memory of PID 2080 (Gpers.exe): 8 times
  PID 3004 (Gpers.exe) wrote to memory of PID 1780 (Gpers.exe): 8 times
The three 4-write pairs are each a plain parent-to-child launch and match the process tree below; the three 8-write pairs are exactly the SetThreadContext targets, which is the combination to alert on rather than WriteProcessMemory alone.
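The injection and registry tables above are flat IoC lists; what a detection engineer wants from them is the two combined findings: a parent that both writes into a child and replaces the child's thread context (self-hollowing), and an autorun entry that points into a user-writable directory. The following is an added example (not part of the sandbox report or any vendor's product) of that logic run over lines constructed from the report's own tables, in the report's own wording rather than any native log format; the user-writable directory list is an assumption chosen for the example.

```python
"""Added example: derive hollowing and user-writable-autorun findings from the
report's IoC lines. EVENTS is CONSTRUCTED from the tables above (same PIDs,
images and key); the line format mirrors the report, not a vendor's log format."""
import re
from collections import defaultdict

SAMPLE = "46dd4bd57b1a79b0cd006e9157c909f0N.exe"

# Constructed from the SetThreadContext, WriteProcessMemory and Run-key tables above.
EVENTS = [
    f"PID 904 set thread context of 3060 904 {SAMPLE} {SAMPLE}",
    "PID 3004 set thread context of 2080 3004 Gpers.exe Gpers.exe",
    "PID 3004 set thread context of 1780 3004 Gpers.exe Gpers.exe",
    f"PID 904 wrote to memory of 3060 904 {SAMPLE} {SAMPLE}",
    f"PID 3060 wrote to memory of 2832 3060 {SAMPLE} cmd.exe",
    "PID 2832 wrote to memory of 2868 2832 cmd.exe reg.exe",
    f"PID 3060 wrote to memory of 3004 3060 {SAMPLE} Gpers.exe",
    "PID 3004 wrote to memory of 2080 3004 Gpers.exe Gpers.exe",
    "PID 3004 wrote to memory of 1780 3004 Gpers.exe Gpers.exe",
    r"Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\Support GFX = "
    r'"C:\\Users\\Admin\\AppData\\Roaming\\Xpers\\Gpers.exe" reg.exe',
]

INJECT_RE = re.compile(
    r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)$")
RUNKEY_RE = re.compile(r'^Set value \(str\) (.+?\\Run\\.+?) = "(.+?)" (\S+)$')

# Assumed list of directories an unprivileged user can write to; an autorun pointing
# here is far more suspicious than one pointing into Program Files or System32.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\users\\public\\", "\\programdata\\")


def analyse(lines):
    """Return a list of finding dicts for the given report-style IoC lines."""
    writes, contexts, runkeys, images = defaultdict(set), defaultdict(set), [], {}
    for line in lines:
        m = INJECT_RE.match(line)
        if m:
            src, action, dst, src_img, dst_img = m.groups()
            images[src], images[dst] = src_img, dst_img
            (contexts if action.startswith("set thread") else writes)[src].add(dst)
            continue
        m = RUNKEY_RE.match(line)
        if m:
            # The report renders value data with doubled backslashes; normalise.
            runkeys.append((m.group(1), m.group(2).replace("\\\\", "\\"), m.group(3)))

    findings = []
    for src, targets in contexts.items():
        # Hollowing candidate: the same parent wrote into the child AND re-pointed its thread.
        for dst in sorted(targets & writes.get(src, set()), key=int):
            findings.append({
                "rule": "hollowing_candidate", "parent": src, "child": dst,
                "image": images[dst],
                "self_image": images[src].lower() == images[dst].lower(),
            })
    for key, path, writer in runkeys:
        if any(frag in path.lower() for frag in USER_WRITABLE):
            findings.append({"rule": "run_key_user_writable", "key": key,
                             "path": path, "writer": writer})
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

Run on the constructed events this yields three hollowing candidates (904 into 3060, 3004 into 2080 and 1780, all same-image) and one autorun finding; the plain launches (3060 into cmd.exe, cmd.exe into reg.exe, 3060 into Gpers.exe) are correctly not flagged because no SetThreadContext follows them.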
Processes
C:\Users\Admin\AppData\Local\Temp\46dd4bd57b1a79b0cd006e9157c909f0N.exe (PID 904)
  command line: "C:\Users\Admin\AppData\Local\Temp\46dd4bd57b1a79b0cd006e9157c909f0N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\46dd4bd57b1a79b0cd006e9157c909f0N.exe (PID 3060, child of 904)
    command line: "C:\Users\Admin\AppData\Local\Temp\46dd4bd57b1a79b0cd006e9157c909f0N.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2832, child of 3060)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\EIYWF.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe (PID 2868, child of 2832)
        command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Support GFX" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe (PID 3004, child of 3060)
      command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe (PID 2080, child of 3004)
        command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe (PID 1780, child of 3004)
        command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
The SysWOW64 paths for cmd.exe and reg.exe show the chain runs as 32-bit processes on this x64 image (matching the arch:x86 tag). Persistence is written from a batch file (EIYWF.bat in the user's Temp directory) via reg.exe rather than by the sample calling the registry API directly, so a command-line rule on "REG ADD ... CurrentVersion\Run" catches it while an API-only hook on the sample would not.
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1 (144B)
  MD5: 1967df2848438f32a1572914428221ae
  SHA1: cd88b3e8351f3685c22a2db7f67e5b9b2777fa13
  SHA256: 1236575bc8ddb8a9e4509ce7491a67ca57c14c9f1a5bed19e23e4bd721a99574
  SHA512: b16afa9bd878c4ddfccc6765c25e2774e3e1b9a65c06f18de1a048ea73e110aa41ffd4fb0d24ce3c13c792766e273459b3217a0275ea652646b648d9c6bf6dd3
File 2 (324KB)
  MD5: 4fe5af5dc1af33bd190391195b0c73b2
  SHA1: 2989538eef0f629f3275afd83ad93a51da482cb4
  SHA256: bc59d0b9db54ba2e8d3ef50800d38cfa102549d0bb57bfd645f09a1047726ce9
  SHA512: f682ac515e05d7a7fdb55ac3d1109b5677d55bb5c93f9632ccacc365e0e8f382f3f7eca4a8003e78b034dd5384c4c6241e4843669d66d4f8529d679f7d200804
The 324KB dropped file has the same size as the submitted sample but different hashes, so a block on the original's hash alone will not catch the copy the Run key points to; add File 2's hashes to the indicator set as well.