Analysis
max time kernel: 120s
max time network: 118s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 31-07-2024 13:10
Static task: static1
Behavioral task: behavioral1
  Sample: ba1e42b0fc454c041dd89ab04d9615c0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: ba1e42b0fc454c041dd89ab04d9615c0N.exe
  Resource: win10v2004-20240730-en
General
Target: ba1e42b0fc454c041dd89ab04d9615c0N.exe
Size: 324KB
MD5: ba1e42b0fc454c041dd89ab04d9615c0
SHA1: 6c1f08e8818f4f11cbd145ca6d159b20a87b9091
SHA256: 40df0baf051090f518f217c285992c7ce6c432b6989412ae6ef512ab8fc29b70
SHA512: 646800af399c03154a2c7add396687745064e99e677f4ca88e27e62559c6e9cf319c39257b695661da0c27d265204b7309cdfb4d680cfb7f54b7b5ea0aaffdbb
SSDEEP: 6144:cvhFCYZdP5aHNn1s7C+3S4R5wQrV/YbZwZ3ssu4eqswN8s1Pf4NAGy5uRyXR6P+R:TQdwHNn1OCN4MQEZwUqsA
Malware Config
Extracted:
  darkcomet
  Guest16
  betclock.zapto.org:35000
  DC_MUTEX-LCQCVNZ
  gencode: MGDU5FhLNYez
  install: false
  offline_keylogger: true
  password: 0123456789
  persistence: false
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  pid  | process
  2796 | Gpers.exe
  2764 | Gpers.exe
  2704 | Gpers.exe

Loads dropped DLL (5 IoCs)
Processes:
  pid  | process
  3068 | ba1e42b0fc454c041dd89ab04d9615c0N.exe (listed 5 times in the report)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Support GFX = "C:\\Users\\Admin\\AppData\\Roaming\\Xpers\\Gpers.exe"
  process: reg.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                     | pid  | process                               | target process
  PID 1672 set thread context of 3068 | 1672 | ba1e42b0fc454c041dd89ab04d9615c0N.exe | ba1e42b0fc454c041dd89ab04d9615c0N.exe
  PID 2796 set thread context of 2764 | 2796 | Gpers.exe                             | Gpers.exe
  PID 2796 set thread context of 2704 | 2796 | Gpers.exe                             | Gpers.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc                                                         | process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ba1e42b0fc454c041dd89ab04d9615c0N.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpers.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpers.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpers.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ba1e42b0fc454c041dd89ab04d9615c0N.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: Gpers.exe (PID 2704), Gpers.exe (PID 2764)
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
  pid  | process
  1672 | ba1e42b0fc454c041dd89ab04d9615c0N.exe
  3068 | ba1e42b0fc454c041dd89ab04d9615c0N.exe
  2796 | Gpers.exe
  2764 | Gpers.exe
  2704 | Gpers.exe

Suspicious use of WriteProcessMemory (36 IoCs)
Processes: ba1e42b0fc454c041dd89ab04d9615c0N.exe, ba1e42b0fc454c041dd89ab04d9615c0N.exe, cmd.exe, Gpers.exe
Processes
C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe"
  PID: 1672
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe"
    PID: 3068
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\TTFNE.bat" "
      PID: 2792
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe (depth 4)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Support GFX" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe" /f
        PID: 2952
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
      PID: 2796
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
        PID: 2764
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

      C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
        PID: 2704
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 144B
  MD5: 1967df2848438f32a1572914428221ae
  SHA1: cd88b3e8351f3685c22a2db7f67e5b9b2777fa13
  SHA256: 1236575bc8ddb8a9e4509ce7491a67ca57c14c9f1a5bed19e23e4bd721a99574
  SHA512: b16afa9bd878c4ddfccc6765c25e2774e3e1b9a65c06f18de1a048ea73e110aa41ffd4fb0d24ce3c13c792766e273459b3217a0275ea652646b648d9c6bf6dd3
- Filesize: 324KB
  MD5: 33d89699c0f4801ea2fb997714a38e7c
  SHA1: 37c40a7e7024e38e911150e3ed708f3e89fc4860
  SHA256: a5c42ab6cec3973a59d2dfeae4300f1415eff646506e6e06eb349fc23870837e
  SHA512: cf8ee6909ae358d2bd5ee7a87f9ea90ff6da786b9c79bf7ab51bad0c2237a09efd1296706f4f177ce213d06fcdd2d5feef6984b26cf0f8ca7cf03fbf065eacfb