Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 28-07-2024 03:56
Static task: static1
Behavioral task: behavioral1
  Sample: 47fcd83ce2b013158b3d836c1c0f9400N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 47fcd83ce2b013158b3d836c1c0f9400N.exe
  Resource: win10v2004-20240709-en
General
Target: 47fcd83ce2b013158b3d836c1c0f9400N.exe
Size: 324KB
MD5: 47fcd83ce2b013158b3d836c1c0f9400
SHA1: 90938cd42c1c07ecdcb60eb75c62bd01439eeb9d
SHA256: d93cae682a4b9bbde68d66031951a608daa6b7ff31cae6facb5d9e7022055778
SHA512: 07aee1293706a221b26efb951f36914bdfd5440c9963d4e88e7759917fd17100fdb3af1f69156c9b7300a5b18a95f2634cc5d097f0ff3809b109ad5f0642c6cb
SSDEEP: 6144:cvhFCYZdP5aHNn1s7C+3S4R5wQrV/YbZwZ3ssu4eqswN8s1Pf4NAGy5uRyXR6P+R:TQdwHNn1OCN4MQEZwUqsA
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: betclock.zapto.org:35000
Mutex: DC_MUTEX-LCQCVNZ
gencode: MGDU5FhLNYez
install: false
offline_keylogger: true
password: 0123456789
persistence: false
Signatures
Executes dropped EXE (3 IoCs)
Processes:
pid    process
2732   Gpers.exe
2772   Gpers.exe
2628   Gpers.exe
Loads dropped DLL (5 IoCs)
Processes:
pid    process
2064   47fcd83ce2b013158b3d836c1c0f9400N.exe (5 entries, all from this PID)
Processes:
resource (behavioral1 memory dumps; dump indices listed per region)                                                        yara_rule
memory/2064-{7,8,12,14,15,16,20,90}-0x0000000000400000-0x0000000000410000-memory.dmp                                        upx
memory/2628-{75,79,82,85,86,88,91,92,94,95,97,99,100,102,104,106,108,110,112,114,116}-0x0000000000400000-0x00000000004B7000-memory.dmp   upx
memory/2772-96-0x0000000000400000-0x0000000000410000-memory.dmp                                                             upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description       ioc                                                                                                                                                          process
Set value (str)   \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Support GFX = "C:\\Users\\Admin\\AppData\\Roaming\\Xpers\\Gpers.exe"   reg.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes:
pid    process                                  description                   target process
2232   47fcd83ce2b013158b3d836c1c0f9400N.exe   set thread context of 2064    47fcd83ce2b013158b3d836c1c0f9400N.exe
2732   Gpers.exe                               set thread context of 2772    Gpers.exe
2732   Gpers.exe                               set thread context of 2628    Gpers.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description   ioc                                                            process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cmd.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    reg.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Gpers.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Gpers.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Gpers.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    47fcd83ce2b013158b3d836c1c0f9400N.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    47fcd83ce2b013158b3d836c1c0f9400N.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
pid    process     description
2628   Gpers.exe   Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 entries)
2772   Gpers.exe   Token: SeDebugPrivilege (41 entries)
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
pid    process
2232   47fcd83ce2b013158b3d836c1c0f9400N.exe
2064   47fcd83ce2b013158b3d836c1c0f9400N.exe
2732   Gpers.exe
2772   Gpers.exe
2628   Gpers.exe
Suspicious use of WriteProcessMemory (36 IoCs)
Processes:
pid    process                                  description                target process                           entries
2232   47fcd83ce2b013158b3d836c1c0f9400N.exe   wrote to memory of 2064    47fcd83ce2b013158b3d836c1c0f9400N.exe   8
2064   47fcd83ce2b013158b3d836c1c0f9400N.exe   wrote to memory of 2288    cmd.exe                                  4
2288   cmd.exe                                 wrote to memory of 2756    reg.exe                                  4
2064   47fcd83ce2b013158b3d836c1c0f9400N.exe   wrote to memory of 2732    Gpers.exe                                4
2732   Gpers.exe                               wrote to memory of 2772    Gpers.exe                                8
2732   Gpers.exe                               wrote to memory of 2628    Gpers.exe                                8
Processes
C:\Users\Admin\AppData\Local\Temp\47fcd83ce2b013158b3d836c1c0f9400N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\47fcd83ce2b013158b3d836c1c0f9400N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2232
  C:\Users\Admin\AppData\Local\Temp\47fcd83ce2b013158b3d836c1c0f9400N.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\47fcd83ce2b013158b3d836c1c0f9400N.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2064
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\LKXEO.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2288
      C:\Windows\SysWOW64\reg.exe
        command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Support GFX" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        PID: 2756
    C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe
      command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2732
      C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe
        command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 2772
      C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe
        command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 2628
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 144B
MD5: 1967df2848438f32a1572914428221ae
SHA1: cd88b3e8351f3685c22a2db7f67e5b9b2777fa13
SHA256: 1236575bc8ddb8a9e4509ce7491a67ca57c14c9f1a5bed19e23e4bd721a99574
SHA512: b16afa9bd878c4ddfccc6765c25e2774e3e1b9a65c06f18de1a048ea73e110aa41ffd4fb0d24ce3c13c792766e273459b3217a0275ea652646b648d9c6bf6dd3

Filesize: 324KB
MD5: b7927c87696db3e947bcf1548eadb921
SHA1: 79df6a5e419a7a0de91ef209d7fba196e978b5d2
SHA256: 95ce787f711d7fa6d0678386489383976c3fd21423e93b251f0f8c57163ef184
SHA512: 0f7941898f8ea29a3d2f8eb617c29171c463cd18fe1e3c33577d57f08d2c9dc2657885bb9925db5f0d5c7b6f0da7999aedc8a4fdf25dc13bccdb18247dbb8606