Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system -
submitted
28-07-2024 20:03
Static task
static1
Behavioral task
behavioral1
Sample
27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb.exe
Resource
win10v2004-20240709-en
General
-
Target
27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb.exe
-
Size
324KB
-
MD5
570fe4fb06f3fff1d46ad7eeb3f156c3
-
SHA1
e613c9164ce5e03ba9d5cdf8389d5a9b11d4f132
-
SHA256
27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb
-
SHA512
e321a3ad01b919bd0e31b204b4cadf364076b40624e649130bc150bc2f35460e7ad7ffccfb1bb24db1738866841bdcc0ab4d29932e2ec6ab7c8c216c20aa75df
-
SSDEEP
6144:cvhFCYZdP5aHNn1s7C+3S4R5wQrV/YbZwZ3ssu4eqswN8s1Pf4NAGy5uRyXR6P+R:TQdwHNn1OCN4MQEZwUqsA
Malware Config
Extracted
darkcomet
Guest16
betclock.zapto.org:35000
DC_MUTEX-LCQCVNZ
-
gencode
MGDU5FhLNYez
-
install
false
-
offline_keylogger
true
-
password
0123456789
-
persistence
false
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
pid    process
2860   Gpers.exe
2768   Gpers.exe
2716   Gpers.exe
-
Loads dropped DLL 5 IoCs
Processes:
pid    process
2096   27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb.exe   (5 IoCs, all from this one process)
-
UPX-packed memory regions (yara rule: upx) 30 IoCs
Processes:
resource                                                                        yara_rule
behavioral1/memory/2096-6-0x0000000000400000-0x0000000000410000-memory.dmp      upx
behavioral1/memory/2096-8-0x0000000000400000-0x0000000000410000-memory.dmp      upx
behavioral1/memory/2096-12-0x0000000000400000-0x0000000000410000-memory.dmp     upx
behavioral1/memory/2096-16-0x0000000000400000-0x0000000000410000-memory.dmp     upx
behavioral1/memory/2096-17-0x0000000000400000-0x0000000000410000-memory.dmp     upx
behavioral1/memory/2096-18-0x0000000000400000-0x0000000000410000-memory.dmp     upx
behavioral1/memory/2096-19-0x0000000000400000-0x0000000000410000-memory.dmp     upx
behavioral1/memory/2096-88-0x0000000000400000-0x0000000000410000-memory.dmp     upx
behavioral1/memory/2768-97-0x0000000000400000-0x0000000000410000-memory.dmp     upx
behavioral1/memory/2716-76-0x0000000000400000-0x00000000004B7000-memory.dmp     upx
behavioral1/memory/2716-77-0x0000000000400000-0x00000000004B7000-memory.dmp     upx
behavioral1/memory/2716-81-0x0000000000400000-0x00000000004B7000-memory.dmp     upx
behavioral1/memory/2716-85-0x0000000000400000-0x00000000004B7000-memory.dmp     upx
behavioral1/memory/2716-87-0x0000000000400000-0x00000000004B7000-memory.dmp     upx
behavioral1/memory/2716-92-0x0000000000400000-0x00000000004B7000-memory.dmp     upx
behavioral1/memory/2716-93-0x0000000000400000-0x00000000004B7000-memory.dmp     upx
behavioral1/memory/2716-94-0x0000000000400000-0x00000000004B7000-memory.dmp     upx
behavioral1/memory/2716-95-0x0000000000400000-0x00000000004B7000-memory.dmp     upx
behavioral1/memory/2716-96-0x0000000000400000-0x00000000004B7000-memory.dmp     upx
behavioral1/memory/2716-98-0x0000000000400000-0x00000000004B7000-memory.dmp     upx
behavioral1/memory/2716-100-0x0000000000400000-0x00000000004B7000-memory.dmp    upx
behavioral1/memory/2716-102-0x0000000000400000-0x00000000004B7000-memory.dmp    upx
behavioral1/memory/2716-104-0x0000000000400000-0x00000000004B7000-memory.dmp    upx
behavioral1/memory/2716-106-0x0000000000400000-0x00000000004B7000-memory.dmp    upx
behavioral1/memory/2716-108-0x0000000000400000-0x00000000004B7000-memory.dmp    upx
behavioral1/memory/2716-110-0x0000000000400000-0x00000000004B7000-memory.dmp    upx
behavioral1/memory/2716-112-0x0000000000400000-0x00000000004B7000-memory.dmp    upx
behavioral1/memory/2716-114-0x0000000000400000-0x00000000004B7000-memory.dmp    upx
behavioral1/memory/2716-116-0x0000000000400000-0x00000000004B7000-memory.dmp    upx
behavioral1/memory/2716-118-0x0000000000400000-0x00000000004B7000-memory.dmp    upx
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description       ioc                                                                                                                                                                          process
Set value (str)   \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Support GFX = "C:\\Users\\Admin\\AppData\\Roaming\\Xpers\\Gpers.exe"   reg.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description              source pid   source process                                                            target pid   target process
set thread context of    2508         27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb.exe   2096         27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb.exe
set thread context of    2860         Gpers.exe                                                                 2768         Gpers.exe
set thread context of    2860         Gpers.exe                                                                 2716         Gpers.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description   ioc                                                           process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Gpers.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Gpers.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Gpers.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   reg.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
pid    process     token privileges adjusted
2716   Gpers.exe   SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35   (23 IoCs)
2768   Gpers.exe   SeDebugPrivilege   (41 IoCs; the same adjustment is listed 41 times in the report)
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
pid    process
2508   27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb.exe
2096   27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb.exe
2860   Gpers.exe
2768   Gpers.exe
2716   Gpers.exe
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
description          source pid   source process                                                            target pid   target process                                                            occurrences
wrote to memory of   2508         27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb.exe   2096         27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb.exe   8
wrote to memory of   2096         27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb.exe   2208         cmd.exe                                                                   4
wrote to memory of   2208         cmd.exe                                                                   2864         reg.exe                                                                   4
wrote to memory of   2096         27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb.exe   2860         Gpers.exe                                                                 4
wrote to memory of   2860         Gpers.exe                                                                 2768         Gpers.exe                                                                 8
wrote to memory of   2860         Gpers.exe                                                                 2716         Gpers.exe                                                                 8
Processes
-
depth 1: C:\Users\Admin\AppData\Local\Temp\27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb.exe"
  PID: 2508
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Users\Admin\AppData\Local\Temp\27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb.exe"
    PID: 2096
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\BEUQR.bat" "
      PID: 2208
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Windows\SysWOW64\reg.exe
        command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Support GFX" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe" /f
        PID: 2864
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
    depth 3: C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe
      command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
      PID: 2860
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe
        command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
        PID: 2768
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      depth 4: C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe
        command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
        PID: 2716
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
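Read together with the WriteProcessMemory and SetThreadContext signatures, the process tree is a two-stage hollowing chain: the submitted executable (PID 2508) starts a second instance of its own image, writes into it and resets its thread context (PID 2096); that instance runs the dropped BEUQR.bat, whose reg.exe call registers Gpers.exe under HKCU\...\Run as "Support GFX", and then starts Gpers.exe (PID 2860), which in turn writes into and re-contexts two further copies of itself (PIDs 2768 and 2716). One caveat for anyone triaging from the config block alone: the extracted DarkComet config says install false and persistence false, yet Run-key persistence is observed. The persistence here is set by the dropped batch file, not by the DarkComet stub's own settings, so the config flags understate what the sample does on disk.

The script below is an added example for this page, not code from the sandbox vendor or from the sample's author. Its EVENTS and REG_CMDLINE inputs are copied from the report's signature tables and process tree (constructed as inline strings so the script runs offline); every function and regex name is this example's own choice. It rebuilds the parent/child tree from the write events, flags each same-image WriteProcessMemory + SetThreadContext pair as a hollowing candidate, and extracts the persistence entry from the reg.exe command line.

```python
"""Reconstruct the injection chain and persistence IoC from this report's
behavioural signature lines.

Added example for this page, not the sandbox's or the sample's code.  The
EVENTS and REG_CMDLINE inputs are copied from the report; all function and
regex names are this example's own."""
import re
from collections import defaultdict

SAMPLE = "27d98f3fcddf6c70273510a771369d1ecea614ed54a08422bfce9ba9de1934eb.exe"

# Constructed input: one line per *distinct* event from the
# "Suspicious use of WriteProcessMemory" and "SetThreadContext" tables
# (the report itself repeats each write line four or eight times).
EVENTS = f"""
PID 2508 wrote to memory of 2096 2508 {SAMPLE} {SAMPLE}
PID 2096 wrote to memory of 2208 2096 {SAMPLE} cmd.exe
PID 2208 wrote to memory of 2864 2208 cmd.exe reg.exe
PID 2096 wrote to memory of 2860 2096 {SAMPLE} Gpers.exe
PID 2860 wrote to memory of 2768 2860 Gpers.exe Gpers.exe
PID 2860 wrote to memory of 2716 2860 Gpers.exe Gpers.exe
PID 2508 set thread context of 2096 2508 {SAMPLE} {SAMPLE}
PID 2860 set thread context of 2768 2860 Gpers.exe Gpers.exe
PID 2860 set thread context of 2716 2860 Gpers.exe Gpers.exe
"""

# The reg.exe command line from the process tree (depth 4, PID 2864).
REG_CMDLINE = (
    'REG ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
    '/v "Support GFX" /t REG_SZ '
    '/d "C:\\Users\\Admin\\AppData\\Roaming\\Xpers\\Gpers.exe" /f'
)

# "PID <src> <action> <dst> <src> <src image> <dst image>"; the second
# PID must equal the first, which the backreference enforces.
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
RUN_KEY_RE = re.compile(
    r'REG ADD "(?P<key>HK\w+\\[^"]*\\CurrentVersion\\Run)" /v "(?P<name>[^"]+)"'
    r' /t REG_SZ /d "(?P<path>[^"]+)" /f',
    re.IGNORECASE,
)


def parse_events(text):
    """Turn the report's flattened event lines into dicts with int PIDs."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        d = m.groupdict()
        d["src"], d["dst"] = int(d["src"]), int(d["dst"])
        events.append(d)
    return events


def find_hollowing(events):
    """Flag the process-hollowing shape: a parent writes into a child that
    runs the *same image* and then calls SetThreadContext on it.  A write
    into a different image (2096 -> cmd.exe here) is ordinary process
    start-up and is not flagged."""
    written = {(e["src"], e["dst"]) for e in events if e["action"].startswith("wrote")}
    hits = []
    for e in events:
        if (e["action"].startswith("set thread")
                and (e["src"], e["dst"]) in written
                and e["src_img"] == e["dst_img"]):
            hits.append((e["src"], e["dst"], e["src_img"]))
    return sorted(hits)


def build_tree(events):
    """Parent/child edges from the write events.  A WriteProcessMemory from
    A into B does not by itself prove A created B, but in this report every
    such edge matches the Processes tree, so it is used as the parent link."""
    children, images = defaultdict(list), {}
    for e in events:
        if e["action"].startswith("wrote"):
            children[e["src"]].append(e["dst"])
            images[e["src"]] = e["src_img"]
            images[e["dst"]] = e["dst_img"]
    return children, images


def roots(children):
    """PIDs that are never written into: the tree's starting points."""
    targets = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in targets)


def render_tree(children, images, pid, depth=0):
    """Indented 'pid image' lines, children sorted by PID."""
    lines = [f"{'  ' * depth}{pid} {images[pid]}"]
    for child in sorted(children.get(pid, [])):
        lines.extend(render_tree(children, images, child, depth + 1))
    return lines


def parse_run_key(cmdline):
    """Extract the Run-key persistence (key, value name, path) from a
    REG ADD command line; None when the line is not a Run-key write."""
    m = RUN_KEY_RE.search(cmdline)
    return m.groupdict() if m else None


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    kids, imgs = build_tree(evs)
    for root in roots(kids):
        print("\n".join(render_tree(kids, imgs, root)))
    for src, dst, img in find_hollowing(evs):
        print(f"hollowing candidate: {src} -> {dst} ({img})")
    print("persistence:", parse_run_key(REG_CMDLINE))
```

Run as a script it prints the seven-process tree rooted at PID 2508, the three hollowing candidates (2508 into 2096, 2860 into 2716 and 2768) and the "Support GFX" Run-key entry. The same-image test is what keeps the cmd.exe and reg.exe children out of the hollowing list; on a real EDR feed you would additionally want the child to have been created suspended, which this report does not record.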
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
144B
MD5
1967df2848438f32a1572914428221ae
SHA1
cd88b3e8351f3685c22a2db7f67e5b9b2777fa13
SHA256
1236575bc8ddb8a9e4509ce7491a67ca57c14c9f1a5bed19e23e4bd721a99574
SHA512
b16afa9bd878c4ddfccc6765c25e2774e3e1b9a65c06f18de1a048ea73e110aa41ffd4fb0d24ce3c13c792766e273459b3217a0275ea652646b648d9c6bf6dd3
-
Filesize
324KB
MD5
f634ca78798e321789b11f45cf2d4c8d
SHA1
d6041cb2be3960e94270d6535b74d09d7ca082e6
SHA256
2df7e9ed27e74bf2e29db39729209737d2f5748609f0bf6cc9c240ab9ee00df2
SHA512
84cabce0948800a7a1a6a30bbb2d8ec1a0f0d3fbcfbcc5573cc97d771ea4ea0f32084cb4419feb91b729d87c26e497bc7d48c3aa00d49347555e1ecdc4524cb9