Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system -
submitted
29-07-2024 23:51
Static task
static1
Behavioral task
behavioral1
Sample
925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35.exe
Resource
win10v2004-20240709-en
General
-
Target
925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35.exe
-
Size
324KB
-
MD5
7a818afd49b8d5f2da89797e113f3003
-
SHA1
060a96b386f8e347a175c93cad3dd606e607c9eb
-
SHA256
925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35
-
SHA512
b62207b148aa3f8f558fae8ad392aabfe67b55a07ee9f315c1da9ae8eee0be5b45344165db03d09aebca243f35948c2b19c7d0fe47407c50ab8c95291f796852
-
SSDEEP
6144:cvhFCYZdP5aHNn1s7C+3S4R5wQrV/YbZwZ3ssu4eqswN8s1Pf4NAGy5uRyXR6P+R:TQdwHNn1OCN4MQEZwUqsA
Malware Config
Extracted
darkcomet
Guest16
betclock.zapto.org:35000
DC_MUTEX-LCQCVNZ
-
gencode
MGDU5FhLNYez
-
install
false
-
offline_keylogger
true
-
password
0123456789
-
persistence
false
Signatures
-
Executes dropped EXE 3 IoCs
Processes (pid, process):
2924 Gpers.exe
2548 Gpers.exe
3004 Gpers.exe
-
Loads dropped DLL 5 IoCs
Processes (pid, process):
2360 925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35.exe (listed 5 times)
-
Memory regions matching yara_rule upx 29 IoCs
Processes (resource, yara_rule):
behavioral1/memory/2360-{7,9,13,15,17,18,87}-0x0000000000400000-0x0000000000410000-memory.dmp upx
behavioral1/memory/2548-96-0x0000000000400000-0x0000000000410000-memory.dmp upx
behavioral1/memory/3004-{75,76,79,82,85,91,92,93,94,95,97,99,101,103,105,107,109,111,113,115,117}-0x0000000000400000-0x00000000004B7000-memory.dmp upx
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Support GFX = "C:\\Users\\Admin\\AppData\\Roaming\\Xpers\\Gpers.exe" by reg.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process -> target process):
PID 2988 set thread context of 2360: 925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35.exe -> 925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35.exe
PID 2924 set thread context of 2548: Gpers.exe -> Gpers.exe
PID 2924 set thread context of 3004: Gpers.exe -> Gpers.exe
-
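The three SetThreadContext records above, read together with the WriteProcessMemory table further down, have the shape of process hollowing: each parent starts a copy of its own image, writes into it, then sets the new thread's context. The script below is an added example and is not part of the sandbox report or the sandbox vendor's tooling. It rebuilds those records from the two tables (assuming one record per line, which is how the tables read when unflattened) and flags parent/child pairs where the images match and both actions occur; the remaining write pairs (sample -> cmd.exe, cmd.exe -> reg.exe, sample -> Gpers.exe) target a different image and have no SetThreadContext, so they are not flagged.

```python
"""Turn the 'set thread context' / 'wrote to memory' records of this report
into process-hollowing candidates.

Added example, not part of the sandbox report: the records are rebuilt from
the two signature tables above, and the one-record-per-line layout is an
assumption made for parsing."""
import re
from collections import defaultdict

SAMPLE = "925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35.exe"

# (source pid, action, target pid, source image, target image, count) as listed in
# the report; count is how often the record repeats in the WriteProcessMemory table.
_REPORT = [
    (2988, "set thread context of", 2360, SAMPLE, SAMPLE, 1),
    (2924, "set thread context of", 2548, "Gpers.exe", "Gpers.exe", 1),
    (2924, "set thread context of", 3004, "Gpers.exe", "Gpers.exe", 1),
    (2988, "wrote to memory of", 2360, SAMPLE, SAMPLE, 8),
    (2360, "wrote to memory of", 2752, SAMPLE, "cmd.exe", 4),
    (2752, "wrote to memory of", 2700, "cmd.exe", "reg.exe", 4),
    (2360, "wrote to memory of", 2924, SAMPLE, "Gpers.exe", 4),
    (2924, "wrote to memory of", 2548, "Gpers.exe", "Gpers.exe", 8),
    (2924, "wrote to memory of", 3004, "Gpers.exe", "Gpers.exe", 8),
]
RECORDS = "\n".join(
    f"PID {s} {act} {t} {s} {si} {ti}"
    for s, act, t, si, ti, n in _REPORT
    for _ in range(n)
)

# One sandbox record: "PID <src> <action> <dst> <src> <src image> <dst image>"
RECORD_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<act>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_records(text):
    """Yield (src_pid, action, dst_pid, src_image, dst_image) per record line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised record: {line}")
        yield int(m["src"]), m["act"], int(m["dst"]), m["src_img"], m["dst_img"]


def hollowing_candidates(text):
    """Return (parent_pid, child_pid, image, write_count) for every parent/child
    pair where the parent both wrote the child's memory and set its thread
    context, and both run the same image: the classic hollowing sequence
    (spawn self suspended, overwrite, fix up the entry point, resume)."""
    actions = defaultdict(set)
    writes = defaultdict(int)
    images = {}
    for src, act, dst, src_img, dst_img in parse_records(text):
        key = (src, dst)
        actions[key].add(act)
        images[key] = (src_img, dst_img)
        if act.startswith("wrote"):
            writes[key] += 1

    needed = {"set thread context of", "wrote to memory of"}
    found = []
    for key in sorted(actions):
        src_img, dst_img = images[key]
        if needed <= actions[key] and src_img == dst_img:
            found.append((key[0], key[1], dst_img, writes[key]))
    return found


if __name__ == "__main__":
    for parent, child, image, n in hollowing_candidates(RECORDS):
        print(f"hollowing candidate: {parent} -> {child} ({image}, {n} writes)")
```

The same-image requirement is what separates this from ordinary parent-to-child memory writes at process creation; it will also match a benign program that relaunches itself and patches the child, so treat a hit as a lead for memory-dump review (the upx-matching regions listed for PIDs 2360, 2548 and 3004 above are exactly those dumps) rather than a verdict on its own.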
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35.exe (2 IoCs), cmd.exe, reg.exe, Gpers.exe (3 IoCs)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description, pid, process):
PID 3004 Gpers.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 IoCs)
PID 2548 Gpers.exe, Token: SeDebugPrivilege (41 IoCs)
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes (pid, process):
2988 925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35.exe
2360 925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35.exe
2924 Gpers.exe
2548 Gpers.exe
3004 Gpers.exe
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes (description, pid, process -> target process, count):
PID 2988 wrote to memory of 2360: 925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35.exe -> 925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35.exe (8 IoCs)
PID 2360 wrote to memory of 2752: 925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35.exe -> cmd.exe (4 IoCs)
PID 2752 wrote to memory of 2700: cmd.exe -> reg.exe (4 IoCs)
PID 2360 wrote to memory of 2924: 925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35.exe -> Gpers.exe (4 IoCs)
PID 2924 wrote to memory of 2548: Gpers.exe -> Gpers.exe (8 IoCs)
PID 2924 wrote to memory of 3004: Gpers.exe -> Gpers.exe (8 IoCs)
Processes
-
(bracketed number = depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2988
  [2] C:\Users\Admin\AppData\Local\Temp\925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35.exe"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:2360
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\HJWXE.bat" "
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:2752
      [4] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Support GFX" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe" /f
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          PID:2700
    [3] C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:2924
      [4] C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          PID:2548
      [4] C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          PID:3004
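Persistence in this tree is a plain HKCU Run value named "Support GFX" pointing at the dropped copy under %APPDATA%\Xpers, written by reg.exe from a batch file in the user's Temp directory, and the extracted config gives the C2 as betclock.zapto.org:35000 (zapto.org is a No-IP dynamic-DNS domain) with the DarkComet-style mutex DC_MUTEX-LCQCVNZ. The script below is an added example, not part of the sandbox report: it runs three narrow detection rules over constructed Sysmon-style events (Event ID 1 process creation, 13 registry value set, 22 DNS query) that mirror the process tree above. The DNS event is constructed to show what a lookup of the configured C2 would look like, since no network activity is recorded on this page, and the field names are an assumption about the log source.

```python
"""Three detections for the persistence chain and C2 seen in this report, run
over constructed Sysmon-style events.

Added example, not from the report or the sandbox vendor. Field names follow
Sysmon Event IDs 1, 13 and 22 (an assumption about the log source); the events
are made up to mirror the process tree, not captured logs."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\925e94c05a473aec0cc87d5ecbffbd6556246617e7f7984af5cc3eec56983c35.exe"
GPERS = r"C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
BAT_CMD = r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\HJWXE.bat" "'
REG_CMD = (r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Support GFX" '
           r'/t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe" /f')

C2_HOSTS = {"betclock.zapto.org"}  # from the extracted DarkComet config

RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\[^\"\s]+\.bat", re.IGNORECASE)

# Constructed events; the EID 13 TargetObject reuses the SID from the Run-key IoC above.
EVENTS = [
    {"EventID": 1, "ProcessId": 2752, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": BAT_CMD, "ParentImage": SAMPLE, "ParentCommandLine": f'"{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 2700, "Image": r"C:\Windows\SysWOW64\reg.exe",
     "CommandLine": REG_CMD, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentCommandLine": BAT_CMD},
    {"EventID": 13, "ProcessId": 2700, "Image": r"C:\Windows\SysWOW64\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Support GFX",
     "Details": GPERS},
    # Benign control: a Run value pointing into C:\Windows must not fire.
    {"EventID": 13, "ProcessId": 1234, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"EventID": 22, "ProcessId": 3004, "Image": GPERS, "QueryName": "betclock.zapto.org"},
]


def rule_run_key_to_user_dir(ev):
    """EID 13: any Run value whose target lives in a user-writable AppData path."""
    if ev["EventID"] != 13 or not RUN_VALUE.search(ev["TargetObject"]):
        return None
    if USER_WRITABLE.search(ev["Details"]):
        return f"Run value {ev['TargetObject']} -> {ev['Details']}"
    return None


def rule_reg_add_via_temp_bat(ev):
    """EID 1: reg.exe adding a Run value, launched by cmd.exe running a .bat from Temp."""
    if ev["EventID"] != 1 or not ev["Image"].lower().endswith("\\reg.exe"):
        return None
    if "currentversion\\run" not in ev["CommandLine"].lower():
        return None
    parent_is_cmd = ev["ParentImage"].lower().endswith("\\cmd.exe")
    if parent_is_cmd and TEMP_BAT.search(ev["ParentCommandLine"]):
        return f"reg.exe Run add from Temp batch: {ev['ParentCommandLine']}"
    return None


def rule_c2_dns(ev):
    """EID 22: resolution of a host taken from the extracted config."""
    if ev["EventID"] == 22 and ev["QueryName"].lower() in C2_HOSTS:
        return f"DNS lookup of known C2 {ev['QueryName']} by {ev['Image']}"
    return None


RULES = (rule_run_key_to_user_dir, rule_reg_add_via_temp_bat, rule_c2_dns)


def run_rules(events):
    """Return (rule name, pid, message) for every rule that fires on every event."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, ev.get("ProcessId"), msg))
    return hits


if __name__ == "__main__":
    for name, pid, msg in run_rules(EVENTS):
        print(f"[{name}] pid={pid}: {msg}")
```

The value name "Support GFX", the Xpers\Gpers.exe path and the mutex are sample-specific indicators that a rebuild of the RAT changes; the two registry rules therefore key on behaviour (a Run value into AppData, reg.exe driven from a Temp batch file) and only the DNS rule uses a literal from this config.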
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
144B
MD5 1967df2848438f32a1572914428221ae
SHA1 cd88b3e8351f3685c22a2db7f67e5b9b2777fa13
SHA256 1236575bc8ddb8a9e4509ce7491a67ca57c14c9f1a5bed19e23e4bd721a99574
SHA512 b16afa9bd878c4ddfccc6765c25e2774e3e1b9a65c06f18de1a048ea73e110aa41ffd4fb0d24ce3c13c792766e273459b3217a0275ea652646b648d9c6bf6dd3
-
Filesize
324KB
MD5 e9a867ec98f92faa07850f654e11c23a
SHA1 b757c5a85180e435db8a2a918a939a2c23b329ef
SHA256 18b657be555f999d5cdeedc3e8aec580793587bb3d1924ae2c6b6869fdab6f60
SHA512 f1333e13c8f44f392c8f1d462fe55cf665060a974a84f0be42053de60ac5314f71a97b3fe3b50f6f18b08e3c7501ca8eb5841d3f01e8c34280815a87c36aeee7