Analysis
-
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 30-07-2024 19:30
Static task: static1
Behavioral task: behavioral1
  Sample: 1d0e911fab58ded2be33b6fe01bd49754dc45fa3564b61a93078b872ee0a1dde.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 1d0e911fab58ded2be33b6fe01bd49754dc45fa3564b61a93078b872ee0a1dde.exe
  Resource: win10v2004-20240730-en
General
-
Target: 1d0e911fab58ded2be33b6fe01bd49754dc45fa3564b61a93078b872ee0a1dde.exe
Size: 324KB
MD5: 32b849828ee6e240d562771b7e09fdcd
SHA1: 2c701b47a58399459686bc9d3591f35d9bfcc001
SHA256: 1d0e911fab58ded2be33b6fe01bd49754dc45fa3564b61a93078b872ee0a1dde
SHA512: 064c1d215ced3da9539efc13076c04b8341b15a2e48f861fb73d7b5f5054a3fa3789ff9afdeaa2014a3f1b15d52d976fb582b4013aa716ba01ac56c46f783420
SSDEEP: 6144:cvhFCYZdP5aHNn1s7C+3S4R5wQrV/YbZwZ3ssu4eqswN8s1Pf4NAGy5uRyXR6P+R:TQdwHNn1OCN4MQEZwUqsA
Malware Config
Extracted
Family: darkcomet
Botnet (campaign ID): Guest16
C2: betclock.zapto.org:35000
Mutex: DC_MUTEX-LCQCVNZ
Attributes:
  gencode: MGDU5FhLNYez
  install: false
  offline_keylogger: true
  password: 0123456789
  persistence: false
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  2720  Gpers.exe
  1148  Gpers.exe
  1528  Gpers.exe
-
Loads dropped DLL 5 IoCs
Processes:
  pid   process
  2688  1d0e911fab58ded2be33b6fe01bd49754dc45fa3564b61a93078b872ee0a1dde.exe
  2688  1d0e911fab58ded2be33b6fe01bd49754dc45fa3564b61a93078b872ee0a1dde.exe
  2688  1d0e911fab58ded2be33b6fe01bd49754dc45fa3564b61a93078b872ee0a1dde.exe
  2688  1d0e911fab58ded2be33b6fe01bd49754dc45fa3564b61a93078b872ee0a1dde.exe
  2688  1d0e911fab58ded2be33b6fe01bd49754dc45fa3564b61a93078b872ee0a1dde.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description      ioc                                                                                                                                                      process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Support GFX = "C:\\Users\\Admin\\AppData\\Roaming\\Xpers\\Gpers.exe"  reg.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                            pid   process                                                                   target process
  PID 2372 set thread context of 2688    2372  1d0e911fab58ded2be33b6fe01bd49754dc45fa3564b61a93078b872ee0a1dde.exe    1d0e911fab58ded2be33b6fe01bd49754dc45fa3564b61a93078b872ee0a1dde.exe
  PID 2720 set thread context of 1148    2720  Gpers.exe                                                                 Gpers.exe
  PID 2720 set thread context of 1528    2720  Gpers.exe                                                                 Gpers.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                        process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1d0e911fab58ded2be33b6fe01bd49754dc45fa3564b61a93078b872ee0a1dde.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1d0e911fab58ded2be33b6fe01bd49754dc45fa3564b61a93078b872ee0a1dde.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Gpers.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Gpers.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Gpers.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
  pid   process
  2372  1d0e911fab58ded2be33b6fe01bd49754dc45fa3564b61a93078b872ee0a1dde.exe
  2688  1d0e911fab58ded2be33b6fe01bd49754dc45fa3564b61a93078b872ee0a1dde.exe
  2720  Gpers.exe
  1148  Gpers.exe
  1528  Gpers.exe
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d0e911fab58ded2be33b6fe01bd49754dc45fa3564b61a93078b872ee0a1dde.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d0e911fab58ded2be33b6fe01bd49754dc45fa3564b61a93078b872ee0a1dde.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2372
  C:\Users\Admin\AppData\Local\Temp\1d0e911fab58ded2be33b6fe01bd49754dc45fa3564b61a93078b872ee0a1dde.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1d0e911fab58ded2be33b6fe01bd49754dc45fa3564b61a93078b872ee0a1dde.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2688
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\LKXEN.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2936
      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Support GFX" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        PID: 2592
    C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2720
      C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 1148
      C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 1528
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 144B
MD5: 1967df2848438f32a1572914428221ae
SHA1: cd88b3e8351f3685c22a2db7f67e5b9b2777fa13
SHA256: 1236575bc8ddb8a9e4509ce7491a67ca57c14c9f1a5bed19e23e4bd721a99574
SHA512: b16afa9bd878c4ddfccc6765c25e2774e3e1b9a65c06f18de1a048ea73e110aa41ffd4fb0d24ce3c13c792766e273459b3217a0275ea652646b648d9c6bf6dd3
-
Filesize: 324KB
MD5: ef9467269ddd55abe588ac4d350460e2
SHA1: 42575cf04f67d86df25c12a44e408bf8a602cbfe
SHA256: be780a1931803df6729cd6b7ae095ad1157880ec219f164e21998d5b7895adfa
SHA512: 08b5331a196eeae9b9f704c149a26461718a7d26d580c2dba8064db68a0b8efe17656a00b6c1a51bbf144a2ffdbc5c53f8511ddfd88a9c44bb650a0e7403f773