Analysis
- max time kernel: 119s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 10-08-2024 15:45
General
- Target: rhdidhsesdhsdeshs12.exe
- Size: 756KB
- MD5: eb355d5dda76a9500df1635e8f1d4bb6
- SHA1: 820b148cc3cac94013a6c1d4cd77c09bf3a6c226
- SHA256: 605eeb72a321ff834774898607a7cca0ce71d417116be4851ba77c3258196e65
- SHA512: 7edc27fb2af3fc5b985e5682b460d2bcaec58c788d13d94520c5751df04db4c83908aba38f973b449a98378f6f4b063ae01d10ba43138cc5cdae14f83b8d7feb
- SSDEEP: 12288:29HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hvqMd0QZhk:SZ1xuVVjfFoynPaVBUR8f+kN10EBND07
Malware Config
Extracted: darkcomet
- Guest16
- 127.0.0.1:1604
- DC_MUTEX-UEGPA9X
- gencode: ahC4rsPiXNu5
- install: false
- offline_keylogger: true
- password: 0123456789
- persistence: false
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: rhdidhsesdhsdeshs12.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: rhdidhsesdhsdeshs12.exe)
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes: notepad.exe (PID 1680)
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  Processes: taskmgr.exe (PID 2288), 30 occurrences
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: taskmgr.exe (PID 2288)
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes: rhdidhsesdhsdeshs12.exe (PID 2544), taskmgr.exe (PID 2288)
    rhdidhsesdhsdeshs12.exe (PID 2544), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
    taskmgr.exe (PID 2288), Token: SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (56 IoCs)
  Processes: taskmgr.exe (PID 2288), 56 occurrences
- Suspicious use of SendNotifyMessage (56 IoCs)
  Processes: taskmgr.exe (PID 2288), 56 occurrences
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: rhdidhsesdhsdeshs12.exe (PID 2544)
Processes
- C:\Users\Admin\AppData\Local\Temp\rhdidhsesdhsdeshs12.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rhdidhsesdhsdeshs12.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 2544
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2288
- C:\Windows\System32\notepad.exe
  Command line: "C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\ConvertToStop.ps1"
  - Opens file in notepad (likely ransom note)
  PID: 1680
- C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\Desktop\CopyResume.bat" "
  PID: 2784