Analysis
- max time kernel: 146s
- max time network: 136s
- platform: windows10-1703_x64
- resource: win10-20240611-en
- resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 10-08-2024 16:03
General
- Target: GeoIP.dat.exe
- Size: 658KB
- MD5: 773337c85cf79e1af4c604fd44924f25
- SHA1: 3ce6e2c2661679caa4911f1b5588ac816db91ed8
- SHA256: ca0ca21d2dae0588f4ab2a83e1c68f49eed195fd88d61ec2be2d7445a9095d22
- SHA512: 974c9c6b040e871eba8cf202df5dcdd39e8170df00ad863dc3f4c7ae00c6a75fd032c6632fdaead37ed568b4b357b05fb838839af214a37f4b93d873111ff730
- SSDEEP: 12288:i9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hA:OZ1xuVVjfFoynPaVBUR8f+kN10EBq
Malware Config
Extracted: darkcomet
- campaign id (SID): Guest16 (the DarkComet builder default)
- c2: 127.0.0.1:1604
- mutex: DC_MUTEX-Y40X8WQ
- gencode: HuyzjRxRwYmK
- install: false
- offline_keylogger: true
- password: 0123456789
- persistence: false
Note: 127.0.0.1 is the loopback address and 1604 is DarkComet's default listener port, so this build cannot beacon to an external controller; with install and persistence both disabled it runs only from its launch path and leaves no autostart behind.
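How the fields above are recovered from the binary, as an added example (not part of the sandbox report and not DarkComet's own code): DarkComet keeps its configuration in a PE resource named DCDATA as hex-encoded RC4 ciphertext, keyed with a version constant (for example #KCMDDC51#-890 for 5.1 builds) followed by the operator's password, here 0123456789. The script tries each constant that public DarkComet decoders use and accepts the one whose plaintext starts with the fixed header, because RC4 offers no integrity check of its own. The KEY={value} field names follow those decoders, the 5.1 key constant is an assumption (the report does not state the build version), and the ciphertext at the bottom is constructed from the report's extracted values rather than dumped from GeoIP.dat.exe.

```python
"""Decrypt and parse a DarkComet DCDATA configuration blob.

Added example, not code from the sandbox report or from DarkComet itself.
Assumptions: DCDATA is hex-encoded RC4 ciphertext; the key is a version
constant (e.g. #KCMDDC51#-890) plus the operator password; fields are
KEY={value} lines between a fixed header and footer. The fixture at the
bottom is CONSTRUCTED from the report's values, not dumped from the sample.
"""
from binascii import hexlify, unhexlify
from typing import Dict, Optional, Tuple

# Version constants tried by public DarkComet decoders, oldest to newest.
# The operator-set password (possibly empty) is appended to the constant.
KEY_PREFIXES = [
    "#KCMDDC2#-890", "#KCMDDC4#-890", "#KCMDDC42#-890",
    "#KCMDDC42F#-890", "#KCMDDC5#-890", "#KCMDDC51#-890",
]
HEADER = b"#BEGIN DARKCOMET DATA --"
FOOTER = b"#EOF DARKCOMET DATA --"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:                             # keystream byte XOR data byte
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(plaintext: bytes) -> Dict[str, str]:
    """Turn KEY={value} lines into a dict; header/footer lines are skipped."""
    cfg: Dict[str, str] = {}
    for line in plaintext.splitlines():
        if line.startswith(b"#") or b"=" not in line:
            continue
        key, value = line.split(b"=", 1)
        cfg[key.decode("ascii", "replace")] = value.strip(b"{}").decode("latin-1")
    return cfg


def decrypt_dcdata(hex_blob: bytes, password: str = "") -> Optional[Tuple[str, Dict[str, str]]]:
    """Try every version constant with the given password.

    A wrong RC4 key yields plausible-looking garbage, so the fixed header is
    the only thing that separates a correct key from a wrong one.
    Returns (key_used, parsed_config), or None if no candidate matches.
    """
    ciphertext = unhexlify(hex_blob.strip())
    for prefix in KEY_PREFIXES:
        key = (prefix + password).encode("latin-1")
        plaintext = rc4(key, ciphertext)
        if plaintext.startswith(HEADER):
            return key.decode("latin-1"), parse_config(plaintext)
    return None


def summarize(cfg: Dict[str, str]) -> Dict[str, object]:
    """Map raw DarkComet keys onto the field names the report uses."""
    host = cfg.get("NETDATA", "").rpartition(":")[0]
    return {
        "campaign_id": cfg.get("SID"),
        "c2": cfg.get("NETDATA"),
        "c2_is_loopback": host == "127.0.0.1",   # cannot beacon off-host
        "mutex": cfg.get("MUTEX"),
        "gencode": cfg.get("GENCODE"),
        "install": cfg.get("INSTALL") == "1",
        "persistence": cfg.get("PERSINST") == "1",
        "offline_keylogger": cfg.get("OFFLINEK") == "1",
    }


# Constructed fixture: the report's values as a 5.1 build with password
# 0123456789 would store them. NOT extracted from GeoIP.dat.exe.
SAMPLE_PASSWORD = "0123456789"
_PLAINTEXT = b"\r\n".join([
    HEADER,
    b"MUTEX={DC_MUTEX-Y40X8WQ}",
    b"SID={Guest16}",
    b"NETDATA={127.0.0.1:1604}",
    b"GENCODE={HuyzjRxRwYmK}",
    b"INSTALL={0}",
    b"PERSINST={0}",
    b"OFFLINEK={1}",
    FOOTER,
])
CONSTRUCTED_DCDATA = hexlify(rc4(("#KCMDDC51#-890" + SAMPLE_PASSWORD).encode(), _PLAINTEXT))

if __name__ == "__main__":
    result = decrypt_dcdata(CONSTRUCTED_DCDATA, SAMPLE_PASSWORD)
    assert result is not None, "no key candidate matched"
    key_used, cfg = result
    print("key:", key_used)
    for name, value in summarize(cfg).items():
        print(f"{name:>18}: {value}")
```

Against a real sample the hex blob would come from the DCDATA resource (pefile can pull it); everything after that point is the same. Running decrypt_dcdata with the wrong password returns None rather than a dict of garbage, which is the behaviour you want when batch-processing builds whose password you do not know.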
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description / ioc / process):
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  GeoIP.dat.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes: GeoIP.dat.exe (PID 4156) adjusted the following token privileges:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
    SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege,
    and privilege LUIDs 33, 34, 35 and 36, which the sandbox left unresolved; on Windows these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege.
  Together these make up the complete privilege set of an elevated administrator token on Windows 10: the sample enables everything its token holds in one pass instead of the single privilege most tooling requests (SeDebugPrivilege), which is the pattern this signature flags.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: GeoIP.dat.exe (PID 4156). Consistent with offline_keylogger: true in the extracted configuration, SetWindowsHookEx being the documented way to install a keyboard hook.
Processes
- C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe (PID 4156)
  Command line: "C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\System32\DataExchangeHost.exe (PID 4760)
  Command line: C:\Windows\System32\DataExchangeHost.exe -Embedding
  No signatures attributed. This is a Windows COM server started by COM activation (the -Embedding switch) and appears as a separate root in the process tree, not as a child of the sample.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 365KB
  MD5: fc1a9fe4e0bbe4300bca5898007e1b6f
  SHA1: 8fc589e9da845015ada24386d18384237024b39d
  SHA256: 6f1811a2c098cf4b6a536c686e5f78b630b9dada4a0c64e9859cdb3c29455750
  SHA512: 00cb3a784a2532dccb811727d490bf7735ac741de891d5bced9149be04de8d7e0ae1e9c7b2ae2a85371fdfcc48794b7b155b343ea4fdc3d999407ffc383685b1
- Filesize: 196KB
  MD5: 26847010e60a1c94e26e750e4079ba76
  SHA1: 96aee5c06d51c8aaae6354720a9743673d59716c
  SHA256: d04250913e102e8dd9452b7ac0a50b756f0c0d3d6c080773faa65f01a576d00a
  SHA512: 09fde30f4e3c1dab8f0f313ded304e19206dc8ec6f401fd2a3f20c10e4b956f204cf9cd712a7feaef9084f47bc0082a987a1a1d4316abc63a44d2e7b4050dd79
- Filesize: 398KB
  MD5: e850e1476faeea48e3f69544a8f7a87e
  SHA1: 0a97e460f926889ecd43d3982d73f06025faf3b8
  SHA256: 4c85893a754ffe24304ea074f779380cca71d0a96b61c53c98318ecedc0721df
  SHA512: cffab3fb45056a9d93d18604349f6f043e580f39760a4e6afa5cdb2e671dd4be518d172229fbd2570f725c42cd23b3630982c46eeb0d32b0ea6cf0f9d3e9764c
- Filesize: 376KB
  MD5: b5e4695b905dd5c711535e05f034aee2
  SHA1: 38854c3601c4132e624629e41168b6d7eb9ec5c5
  SHA256: 9557e559bdf36ce8ca15b677aa9978912a9a16cf05864161db6477cb9ea9337f
  SHA512: 3fe496a45109bc5aa4bdeccaee29777681be3b0d671a460346d35f40f148fd9cb4e6f664fa6b0112d482559ef93915926869bfc097c00e9d4f3102bf33d736c2
- Filesize: 252KB
  MD5: e14951168f9383004c87210dde4445f1
  SHA1: c0799dff0f90c38939333f50f07ddcc35b2017e1
  SHA256: c7f98fe6a2dbc1f2496e036c364df1c1062de43c054d12461df80a3bdb72df5d
  SHA512: 245f52a1de17bd99c40dd7d1f4114bbb71f05d6857d71eea66b38ac33217b3ed604e004af0dbb8e79f211e89089e2dc08f9bc55f42d6750f89db2873d3242b85
- Filesize: 387KB
  MD5: c0690398ec857a032c36ef8875b559ed
  SHA1: ea8954bc6bff1b2530527f4e9ace772ef87086a9
  SHA256: 78bd8bd8c58d52aacf644d4595677937893a41de4178977998029a916ba24c7d
  SHA512: c62af79e568bb9d6caa941016a6a6f0e7f49fce9abd37ea99c6eae5da5dc61f7c317b3d6e06d9d742defd42bf15b6b4e75a8b5fcaa4c5d217ac215cf54800bdc
- Filesize: 151KB
  MD5: 3490fd006a30294ab88a8f94f9c73de1
  SHA1: 6258539be375b0f879adea1bdce14fcd66a932b3
  SHA256: b60a005d9244509f089663e3fbb4d3a4c7218861579b3f88db2b198021bc64cd
  SHA512: dff505f254f2dda01d17fcb4dfd342492660c96eeeeda2c9a8b876d402645d4e9209206c05d042b5074264015844fcc4b3b4619aa6ca30dbfc1a546e5c10b0b6
- Filesize: 595KB
  MD5: 855d166542c222fe8a220924c73ef184
  SHA1: 8c6165a12a3edb31b821bbac12f0463d9f14312d
  SHA256: 1f5786268b8cd3da51ad86e419b49a0ec01f217c389bbb54d1793ab6d74edcfe
  SHA512: ee3fa6238d21f9f63c2604d5945ead52da4cce7ae412e566edfdfeac4ccc5601411ec1e1a79804602c0f7a3256e2c433767d7c8fe77a6a16306e5d61463423e0
- Filesize: 219KB
  MD5: b5dea194bb43193390b1c9103b4a732e
  SHA1: cd4607514f7770b03c46b2d08acaab1165711b57
  SHA256: acb610ed2684d3d0fae797eb4d545c0439ddfaafc7a565ae8639e68f872b7d50
  SHA512: 45f04a2900d1c9fa54009bafa25cd26cd919b91684be3aae12452ce2a3d152b57ba72ce8b9d5374a25ecfed267ed27aacb368f8298832a4a2e4ef37fccb257d9
- Filesize: 353KB
  MD5: 1cc8f4f9436b3a273195c1f5049c4601
  SHA1: 693b596e295da459d1f687d69db28d74ae869307
  SHA256: 18eb031a1d6f4ef2701d7153802cbee02119f034db89c0447c47a430700aa0f5
  SHA512: 2a99cfe3bf250829741a3baf5f4f19488b5e5c815d69a209853bb7b9756ffd7a6599a7e9123e719c64486f4f7577834eb36dc13b8733b2a83f7577f6e8285e93
- Filesize: 174KB
  MD5: c47b299befdfa21d58f91bac72d96de1
  SHA1: a40803a933879de0832c29201c5bcb6b252e6189
  SHA256: d3e134dbd33fa461610cb3495eaee3e55f43a7cf66a592a7ddf9164fd0953ec9
  SHA512: e724b1d2ed7c9ad144514627a2c63138552399e101914fa66ef5331e7ed42c0b811125a880f6a52879778b5f196dff2f38e6fce12bdd815eebf2fc8533cd6541
- Filesize: 421KB
  MD5: af5e875bd5a108de6c881237c2ed9c3c
  SHA1: 8bd25d9e5aa7019f360cc24eb96ab83f92af3bdf
  SHA256: 24b18341dd2c02779e333732faf5647b2079500e896d1c58aa6ea470e173bf15
  SHA512: 35f701357ff32f5b37448753cd1d5ac5d7aefa14d167c673c0770f72e39f4327c5ea0e32e0ef3f6bf502c4a4b61ebc4fcf651fbd1512ecbc704545c2d4890214
- Filesize: 410KB
  MD5: 88957384243c4e4b26342a407ba069c4
  SHA1: 66219781d7ecdd057da52234b4cb727d28784a19
  SHA256: 549bc194c0d80103ce254405aba467a2ce3afd50a25f45a13e03e5ef34984955
  SHA512: a1b27c6319394a398a79dba7cc66d8b545fcb7ea0781614568e48669189a6358abbfb33eb6a61fcc946fd57a0fd1599e412b176951e5751f681e2f3cea74044b
- Filesize: 241KB
  MD5: 377fe264cfcee1cdbfd6adb8c7375bb4
  SHA1: 6c782adea9723ef6cec96acbc74d2e88415a05ba
  SHA256: 219306b805ef93ee52c0cc7f801b0b48629f19e9622cb54eedfde68a42625dc2
  SHA512: 9842755e2e376dae31a1fd27f08c95f5e5a6d7a2c2d0f9b3a58c2ca3180567822ef7c0bd612134ddb9a0093b4021e7b3e24ac06a899bca47face032173ea5301
- Filesize: 207KB
  MD5: df6e02e7ad9dbef70b698a4b75c75bf4
  SHA1: 6334228adae92b2f620f4083285c3428e1d57461
  SHA256: 9b31cbf0d7ddb4d4646e6005839af6fd2e3372631ee6bbd768634d2727fc6865
  SHA512: 799e49f48069fa256a5e1b71fa45f2fab4dd62c4e251263b75ab5f536f7d437d870992206dba9d6ea4934fedc0e7eafba063e52f39f873fa8ea78b6ad3b99903
- Filesize: 162KB
  MD5: b91b107f90f1270bf5030498f2bcdcb7
  SHA1: 90c5730c70cce85733b10466e1a01f3ffc5f0678
  SHA256: 9a14a455a25ce21cb1babb5e6202303a42234173f042de7b5e11515d03cc2389
  SHA512: 5846e4d918f24bed7bd48a8e7369b4afdbf430b0773739c8224974d296bb3f85aab68fc14cf3225a65661689eb2e825f65d54992046eec4f741e06e01a3d5881
- Filesize: 320KB
  MD5: 9ca2530a7bd34b2fa0d8707e13cbef8f
  SHA1: e99b1e24cdbd2ab11da2876299f38499d1da5e43
  SHA256: 805b9bcca3839294ec0f65879a18b39e4fcb917f89a5492fbe009d4735853e2c
  SHA512: d33b66388fbab61eb5881d8c03b9330de8e8fc5327d3a7c7c44a201b8ca0d2124bdee18b9d6961266a80fd7129559e097d728757de3a45969f5dde7e3c563374
- Filesize: 230KB
  MD5: e7171eaf64bc7bdef4e6ad6818f4fee3
  SHA1: 93e10c4ff478a897cfd4ae9c1971f0374976882d
  SHA256: 32d6da9398182621ed44d01674fde90fc4ad122c78d7c9765988917762bd4160
  SHA512: b4a2d3ec7d495269cd3de7658412b4f2db1ac1300b8c381e9069f92d8bc6fb4cc3ba74272e0fa5b8181f7ca4662d19389aafab45ac9e68613dd4c0d8b47f93c6
- Filesize: 286KB
  MD5: e5679f40583f5c551877eda26e7df384
  SHA1: 297055518c84c8cdfcd52ab37801c1a0086ba81a
  SHA256: 5f96d54fc20ddaa10a3fe4a11fb1e8ff9a02ce09eab6fe37bb5e15f2c9a7578d
  SHA512: ada811885d5b2c4683cf1c6dcf094482c939057b0bb48d8b66292d4991f5de186b8b0f5330b79a39f1cda8ceb876ac121917eb1adf23febbf5f6938312e306c2
- Filesize: 309KB
  MD5: 014225827862358aa6c29ec6ac1663ca
  SHA1: 43812b84eec73e27a47d4e7723cad3e926c17de8
  SHA256: 0001f6bc45fdae8becf2f880e4e2b087a34341b4b4bad34c59a29d7041974c63
  SHA512: 7d842ee612a71ff6f2bedd6e735ffa7712774cd0568e866b4a08d57e3d4d9ace6d596eb56b86263dcbf1c0803809f67451c469d0cf4ad7da72f75a71b9586aab
- Filesize: 432KB
  MD5: 214f24f121ec1e1344ab1d02258c47c1
  SHA1: ec237d8304da048243a2daa41aab0d3bee41b0af
  SHA256: 1481bfeae50ec98f4f4f706c1ca506e5e8efe52a73fe8ec31456024c593e26e9
  SHA512: 188a462707c57495f7f3f40911c11238e273cfdae6459e39f3dac84e6f2671f9d2942567e477bc47464d456c3cc69580887e781d4dbd546aac9b43b3aacf6b1d
- Filesize: 297KB
  MD5: 16ecc1ceac7aee5d407ecbbcf199a9ab
  SHA1: 9f07dc9aa07bee8a0cbbeda04ab8bf32e64ec29a
  SHA256: 1a3bc200cd92e8ef5ab7325229e6bb614eb1bf090793e7df78f28f911296961a
  SHA512: 51d8ec01409861cdfabf4327ce0ef3a67d24428fc61f814ae287ec48e9801fad366340e40fe3c7d31179e6b18e52825adb8078a40ccfc7923b723447465d43e2
- Filesize: 185KB
  MD5: 8432cf94420d9b42a93e61ef6a23e49f
  SHA1: f65e41ae03cdf109c175f739f26e8d5d29547e07
  SHA256: c97b7c06cff104e5c73b75bca04980a875b705758b27f53057ffa4f0f23fb995
  SHA512: 8a79da70764e36c36aa7f2f4e777e42a8d1b34c1310152822c77c72b821a38f2fbe2616f549f4420d696da9e753ac561e28c3aad37f935ce06e28e451d8fa467
- Filesize: 275KB
  MD5: e19ead919ec0d7067060e70d72f522c3
  SHA1: e41a788387cf666d8cfaa0af53c832937caec5fe
  SHA256: fc875535e3c8fc16229e1a54eef027122b04d618cc6f43d9441bcaab463438c1
  SHA512: 6032bc8f1c3a1416229b06b76345d15c34b2d523125105ebb108f8c09ed7a0824afeb98c6860a845f618a44398bd033384925a03d810d639febbb7d96f456d34
- Filesize: 331KB
  MD5: 2d9f1e301a47cfd7f2f041ca59056eae
  SHA1: 3ca5f428c650511380d84e711b55b6f46d8b4acf
  SHA256: 6c34dd08f11b98ca3e99867e8e5427af712546ff7199094202e1f453a17f66a8
  SHA512: beb96fafb1d04beafc2232b6f58381fd8473631f26a5bf6fb30fa608942eb9224d6853e15b25d03bac860d0b235e378123fb4b0fece4f257f52359cdf9ea1562
- Filesize: 342KB
  MD5: 749e66ca058e0c83dd8f25ef6eae8e5f
  SHA1: 06bdf9d305afc4a8a016c081db395eaf2eb764a6
  SHA256: 4a164882964e837656937e70ebe75525f0cedabfa14678bd59c0316298361d99
  SHA512: 0d2dbe279d869f462f71026d2999766f2a87191f9a5b84abf1e3c0144c289f17046f68e8448bb5bcab193a8d3f86d3b7d5c12b769a776a7cc689e26a63fe8c95