Analysis
-
max time kernel
140s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
27-07-2024 15:15
General
-
Target
yle.exe
-
Size
658KB
-
MD5
36f32d50a76c85e4e53815019095db18
-
SHA1
88e9a942bcaeb6aa641748b3acba44063732a784
-
SHA256
20ce41d2b94dfa4efcdb3e7d87a235e7eff9afe46496d7724ec74b1e6cc63f5a
-
SHA512
12e1cf81067edbea489d2308f428f1d9dffbdf627bd0d931ff88faecbd6fcaa356305eeae7a7ec7ed356886257775949eb389606254229b23c404895dc099bac
-
SSDEEP
12288:K9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hN:GZ1xuVVjfFoynPaVBUR8f+kN10EBX
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
7.tcp.eu.ngrok.io:1121
Mutex
DC_MUTEX-SEVF84J
Attributes
-
gencode
PQAtJlbrDr7F
-
install
false
-
offline_keylogger
true
-
persistence
false
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
yle.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yle.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
yle.exedescription pid process Token: SeIncreaseQuotaPrivilege 4260 yle.exe Token: SeSecurityPrivilege 4260 yle.exe Token: SeTakeOwnershipPrivilege 4260 yle.exe Token: SeLoadDriverPrivilege 4260 yle.exe Token: SeSystemProfilePrivilege 4260 yle.exe Token: SeSystemtimePrivilege 4260 yle.exe Token: SeProfSingleProcessPrivilege 4260 yle.exe Token: SeIncBasePriorityPrivilege 4260 yle.exe Token: SeCreatePagefilePrivilege 4260 yle.exe Token: SeBackupPrivilege 4260 yle.exe Token: SeRestorePrivilege 4260 yle.exe Token: SeShutdownPrivilege 4260 yle.exe Token: SeDebugPrivilege 4260 yle.exe Token: SeSystemEnvironmentPrivilege 4260 yle.exe Token: SeChangeNotifyPrivilege 4260 yle.exe Token: SeRemoteShutdownPrivilege 4260 yle.exe Token: SeUndockPrivilege 4260 yle.exe Token: SeManageVolumePrivilege 4260 yle.exe Token: SeImpersonatePrivilege 4260 yle.exe Token: SeCreateGlobalPrivilege 4260 yle.exe Token: 33 4260 yle.exe Token: 34 4260 yle.exe Token: 35 4260 yle.exe Token: 36 4260 yle.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
yle.exepid process 4260 yle.exe