Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
-
submitted
04-08-2024 23:10
Static task
static1
Behavioral task
behavioral1
Sample
18a211d12eaed4e3bf7a70af05ea49a0N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
18a211d12eaed4e3bf7a70af05ea49a0N.exe
Resource
win10v2004-20240802-en
General
-
Target
18a211d12eaed4e3bf7a70af05ea49a0N.exe
-
Size
324KB
-
MD5
18a211d12eaed4e3bf7a70af05ea49a0
-
SHA1
a68cbc3efb8a5d5a8a790f52153be7970743de29
-
SHA256
46fb2d4dfe0f33b2e07f806174768bb81724000025faf487d593bb7ad2f7b2ef
-
SHA512
d937da7312156504e3ba6bb52d0cb4247a2b7e25a87e3300bbd09dc409c25928fa968e74e945b54cd0492378285b37cf1f93ec1c399ed622edc7c43166d5a51f
-
SSDEEP
6144:cvhFCYZdP5aHNn1s7C+3S4R5wQrV/YbZwZ3ssu4eqswN8s1Pf4NAGy5uRyXR6P+R:TQdwHNn1OCN4MQEZwUqsA
Malware Config
Extracted
Family
darkcomet
Botnet (campaign ID)
Guest16
C2
betclock.zapto.org:35000
Mutex
DC_MUTEX-LCQCVNZ
-
gencode
MGDU5FhLNYez
-
install
false
-
offline_keylogger
true
-
password
0123456789
-
persistence
false
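The Malware Config block above is the output of a configuration extractor. As an added example (not the sandbox's code and not DarkComet's), the script below decodes a DarkComet 5.x configuration block the way such an extractor does. Everything it assumes about the format is stated here and is not taken from this page: DarkComet 5.1 keeps its config as a hex-encoded RC4 blob encrypted under the key "#KCMDDC51#-890", with the builder's security password appended to that key when one is set (the report's "password" field); the plaintext is a list of KEY={value} lines between "#BEGIN DARKCOMET DATA --" and "#EOF DARKCOMET DATA --"; and the field names MUTEX, SID, NETDATA, GENCODE, INSTALL, PERSINST and OFFLINEK map onto the report's labels as shown. The encrypted blob is constructed inside the script from the report's extracted values, not read from the sample, so it runs offline.

```python
import re

# DarkComet 5.1 RC4 key prefix; the builder's security password is appended
# when one is set (assumption, see the lead-in).
DC51_KEY_PREFIX = "#KCMDDC51#-890"
BEGIN_MARKER = "#BEGIN DARKCOMET DATA --"
FIELD_RE = re.compile(r"^([A-Z0-9]+)=\{(.*)\}$")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_blob(hex_blob: str, password: str):
    """Hex-decode and RC4-decrypt one config blob; None when the key is wrong."""
    key = (DC51_KEY_PREFIX + password).encode("latin-1")
    plain = rc4(key, bytes.fromhex(hex_blob)).decode("latin-1")
    # A wrong key yields noise without the marker; never parse such output.
    return plain if plain.startswith(BEGIN_MARKER) else None


def parse_fields(plaintext: str) -> dict:
    """Turn the KEY={value} lines of a decrypted block into a dict."""
    fields = {}
    for line in plaintext.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def normalise(fields: dict) -> dict:
    """Map raw DarkComet field names onto the labels the report uses (assumed mapping)."""
    host, _, port = fields.get("NETDATA", "").rpartition(":")
    return {
        "c2_host": host,
        "c2_port": int(port) if port.isdigit() else None,
        "botnet": fields.get("SID"),
        "mutex": fields.get("MUTEX"),
        "gencode": fields.get("GENCODE"),
        "install": fields.get("INSTALL") == "1",
        "persistence": fields.get("PERSINST") == "1",
        "offline_keylogger": fields.get("OFFLINEK") == "1",
    }


def extract_config(hex_blob: str, passwords=("", "0123456789")):
    """Try each candidate security password: "" for none, "0123456789" for DarkComet's default."""
    for pw in passwords:
        plain = decrypt_blob(hex_blob, pw)
        if plain is not None:
            cfg = normalise(parse_fields(plain))
            cfg["password"] = pw
            return cfg
    return None


# Constructed sample: a made-up config carrying the report's extracted values,
# encrypted here with the same routine so the script runs offline.
SAMPLE_PLAINTEXT = (
    BEGIN_MARKER + "\r\n"
    "MUTEX={DC_MUTEX-LCQCVNZ}\r\n"
    "SID={Guest16}\r\n"
    "FWB={0}\r\n"
    "NETDATA={betclock.zapto.org:35000}\r\n"
    "GENCODE={MGDU5FhLNYez}\r\n"
    "INSTALL={0}\r\n"
    "PERSINST={0}\r\n"
    "OFFLINEK={1}\r\n"
    "#EOF DARKCOMET DATA --\r\n"
)
SAMPLE_HEX = rc4((DC51_KEY_PREFIX + "0123456789").encode("latin-1"),
                 SAMPLE_PLAINTEXT.encode("latin-1")).hex().upper()

if __name__ == "__main__":
    for name, value in (extract_config(SAMPLE_HEX) or {}).items():
        print(f"{name:18} {value}")
```

The marker check is the important failure mode: RC4 decrypts anything, so without it a wrong password produces a plausible-looking byte string that a naive parser would happily turn into an empty or garbage config. Trying the empty password before the default mirrors how an extractor handles samples built with and without a security password.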
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
2864  Gpers.exe
976   Gpers.exe
2412  Gpers.exe
-
Loads dropped DLL 5 IoCs
Processes:
pid   process
2328  18a211d12eaed4e3bf7a70af05ea49a0N.exe (listed 5 times, one per dropped DLL loaded)
-
Memory regions matching yara rule upx 29 IoCs
Processes:
pid   region (behavioral1)                     memory dumps (behavioral1/memory/<pid>-<n>-<region>-memory.dmp)
2328  0x0000000000400000-0x0000000000410000    6, 8, 12, 15, 16, 18, 90
976   0x0000000000400000-0x0000000000410000    77, 97
2412  0x0000000000400000-0x00000000004B7000    74, 76, 81, 85, 87, 91, 93, 94, 95, 96, 98, 100, 102, 104, 106, 108, 110, 112, 114, 116
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
process  description      ioc
reg.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Support GFX = "C:\\Users\\Admin\\AppData\\Roaming\\Xpers\\Gpers.exe"
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
pid   process                                description            target pid  target process
708   18a211d12eaed4e3bf7a70af05ea49a0N.exe  set thread context of  2328        18a211d12eaed4e3bf7a70af05ea49a0N.exe
2864  Gpers.exe                              set thread context of  976         Gpers.exe
2864  Gpers.exe                              set thread context of  2412        Gpers.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                            process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   18a211d12eaed4e3bf7a70af05ea49a0N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   reg.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Gpers.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Gpers.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Gpers.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   18a211d12eaed4e3bf7a70af05ea49a0N.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
pid   process    token
2412  Gpers.exe  SeIncreaseQuotaPrivilege
2412  Gpers.exe  SeSecurityPrivilege
2412  Gpers.exe  SeTakeOwnershipPrivilege
2412  Gpers.exe  SeLoadDriverPrivilege
2412  Gpers.exe  SeSystemProfilePrivilege
2412  Gpers.exe  SeSystemtimePrivilege
2412  Gpers.exe  SeProfSingleProcessPrivilege
2412  Gpers.exe  SeIncBasePriorityPrivilege
2412  Gpers.exe  SeCreatePagefilePrivilege
2412  Gpers.exe  SeBackupPrivilege
2412  Gpers.exe  SeRestorePrivilege
2412  Gpers.exe  SeShutdownPrivilege
2412  Gpers.exe  SeDebugPrivilege
2412  Gpers.exe  SeSystemEnvironmentPrivilege
2412  Gpers.exe  SeChangeNotifyPrivilege
2412  Gpers.exe  SeRemoteShutdownPrivilege
2412  Gpers.exe  SeUndockPrivilege
2412  Gpers.exe  SeManageVolumePrivilege
2412  Gpers.exe  SeImpersonatePrivilege
2412  Gpers.exe  SeCreateGlobalPrivilege
2412  Gpers.exe  33
2412  Gpers.exe  34
2412  Gpers.exe  35
976   Gpers.exe  SeDebugPrivilege (the remaining 41 of the 64 IoCs, every one SeDebugPrivilege)
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
pid   process
708   18a211d12eaed4e3bf7a70af05ea49a0N.exe
2328  18a211d12eaed4e3bf7a70af05ea49a0N.exe
2864  Gpers.exe
976   Gpers.exe
2412  Gpers.exe
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
pid   process                                description         target pid  target process                         count
708   18a211d12eaed4e3bf7a70af05ea49a0N.exe  wrote to memory of  2328        18a211d12eaed4e3bf7a70af05ea49a0N.exe  8
2328  18a211d12eaed4e3bf7a70af05ea49a0N.exe  wrote to memory of  2804        cmd.exe                                4
2804  cmd.exe                                wrote to memory of  2684        reg.exe                                4
2328  18a211d12eaed4e3bf7a70af05ea49a0N.exe  wrote to memory of  2864        Gpers.exe                              4
2864  Gpers.exe                              wrote to memory of  976         Gpers.exe                              8
2864  Gpers.exe                              wrote to memory of  2412        Gpers.exe                              8
Processes
-
C:\Users\Admin\AppData\Local\Temp\18a211d12eaed4e3bf7a70af05ea49a0N.exe (depth 1, PID 708)
  Command line: "C:\Users\Admin\AppData\Local\Temp\18a211d12eaed4e3bf7a70af05ea49a0N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\18a211d12eaed4e3bf7a70af05ea49a0N.exe (depth 2, PID 2328)
    Command line: "C:\Users\Admin\AppData\Local\Temp\18a211d12eaed4e3bf7a70af05ea49a0N.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2804)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\BVTRW.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe (depth 4, PID 2684)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Support GFX" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe (depth 3, PID 2864)
      Command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe (depth 4, PID 976)
        Command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe (depth 4, PID 2412)
        Command line: "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
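The process tree and the SetThreadContext, WriteProcessMemory and Run-key signatures above are all derived from the same raw event stream: each parent spawns a child from its own image, writes into it and then sets a thread context in it (the dropper into PID 2328, Gpers.exe 2864 into 976 and 2412), and reg.exe writes a Run value pointing into %APPDATA%. As an added example (not the sandbox's own detection code), the script below re-derives those two findings from a constructed event list. The tuple layout (pid, image, api, target), the API names and the event order are this example's assumptions; the PIDs, image names, registry path and value data are taken from the report. The hollowing rule requires the full CreateProcess, WriteProcessMemory, SetThreadContext sequence on one child, so the ordinary CreateProcess writes into cmd.exe, reg.exe and the first Gpers.exe are deliberately not flagged.

```python
# Event tuples: (pid, image, api, target). For CreateProcess the target is
# (child pid, child image); for RegSetValue it is (key path, value data);
# otherwise it is the target pid. Constructed from the report's process tree
# and signatures; the layout is this example's own, not the sandbox's format.
SAMPLE = "18a211d12eaed4e3bf7a70af05ea49a0N.exe"
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Support GFX"
EVENTS = [
    (708,  SAMPLE,      "CreateProcess",      (2328, SAMPLE)),
    (708,  SAMPLE,      "WriteProcessMemory", 2328),
    (708,  SAMPLE,      "SetThreadContext",   2328),
    (2328, SAMPLE,      "CreateProcess",      (2804, "cmd.exe")),
    (2328, SAMPLE,      "WriteProcessMemory", 2804),   # normal for a fresh child
    (2804, "cmd.exe",   "CreateProcess",      (2684, "reg.exe")),
    (2804, "cmd.exe",   "WriteProcessMemory", 2684),
    (2684, "reg.exe",   "RegSetValue",
     (RUN_KEY, "C:\\Users\\Admin\\AppData\\Roaming\\Xpers\\Gpers.exe")),
    (2328, SAMPLE,      "CreateProcess",      (2864, "Gpers.exe")),
    (2328, SAMPLE,      "WriteProcessMemory", 2864),
    (2864, "Gpers.exe", "CreateProcess",      (976, "Gpers.exe")),
    (2864, "Gpers.exe", "WriteProcessMemory", 976),
    (2864, "Gpers.exe", "SetThreadContext",   976),
    (2864, "Gpers.exe", "CreateProcess",      (2412, "Gpers.exe")),
    (2864, "Gpers.exe", "WriteProcessMemory", 2412),
    (2864, "Gpers.exe", "SetThreadContext",   2412),
]

RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def find_hollowing(events):
    """Flag a parent/child pair when the parent creates the child, writes into
    it and then sets a thread context in it, in that order. WriteProcessMemory
    alone is not enough: every CreateProcess in a sandbox trace shows it."""
    images, created, first_write, last_ctx = {}, {}, {}, {}
    for idx, (pid, image, api, target) in enumerate(events):
        images.setdefault(pid, image)
        if api == "CreateProcess":
            child_pid, child_image = target
            images[child_pid] = child_image
            created[(pid, child_pid)] = idx
        elif api == "WriteProcessMemory":
            first_write.setdefault((pid, target), idx)
        elif api == "SetThreadContext":
            last_ctx[(pid, target)] = idx
    findings = []
    for (parent, child), created_at in created.items():
        wrote = first_write.get((parent, child))
        ctx = last_ctx.get((parent, child))
        if wrote is None or ctx is None or not created_at < wrote < ctx:
            continue
        findings.append({
            "parent": parent, "child": child, "image": images[child],
            # Parent and child sharing an image is the self-hollowing pattern
            # in the report (dropper -> dropper, Gpers.exe -> Gpers.exe).
            "same_image": images[parent] == images[child],
        })
    return findings


def find_run_key_persistence(events):
    """Flag Run/RunOnce values and note whether the target path lives in a
    user-writable location, where dropped payloads usually end up."""
    findings = []
    for pid, image, api, target in events:
        if api != "RegSetValue":
            continue
        key, data = target
        if not any(marker in key.lower() for marker in RUN_KEY_MARKERS):
            continue
        findings.append({
            "pid": pid, "writer": image,
            "value_name": key.rsplit("\\", 1)[-1],
            "path": data,
            "user_writable": any(p in data.lower() for p in USER_WRITABLE),
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(EVENTS):
        print(f"hollowing: {f['parent']} -> {f['child']} "
              f"({f['image']}, same image={f['same_image']})")
    for f in find_run_key_persistence(EVENTS):
        print(f"run key: {f['value_name']} -> {f['path']} "
              f"(user-writable={f['user_writable']})")
```

On a live host the same two rules apply to Sysmon data: process creation, the cross-process write and the thread-context change for the hollowing rule, and registry value-set events under Run/RunOnce for the persistence rule; the memory dumps in the report, where the hollowed PID 2412 image spans 0x400000-0x4B7000 while the packed dropper spans only 0x400000-0x410000, are what you would carve to recover the unpacked payload.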
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
144B
MD5 1967df2848438f32a1572914428221ae
SHA1 cd88b3e8351f3685c22a2db7f67e5b9b2777fa13
SHA256 1236575bc8ddb8a9e4509ce7491a67ca57c14c9f1a5bed19e23e4bd721a99574
SHA512 b16afa9bd878c4ddfccc6765c25e2774e3e1b9a65c06f18de1a048ea73e110aa41ffd4fb0d24ce3c13c792766e273459b3217a0275ea652646b648d9c6bf6dd3
-
Filesize
324KB
MD5 c94c0a9dc1d0b4d7c341db951523fb37
SHA1 0943951a0a26d13bd84508245994ff0cfe65b0d3
SHA256 720c595ae7332e0ba14a2807733d1458a7aedbf97dd2ec4413013d48a9f70738
SHA512 46137a879d0baecebb6aa18da3297a20f0087bc7c8228f72c319b76f08b51bc0e7e85f9571856f5f0864ea27efe4552e7216bc0fada28c29c266c1c7ac512a48