Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-10-2024 00:58

Static task: static1
Behavioral task: behavioral1
Sample: 8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe
Resource: win7-20241010-en
General

Target: 8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe
Size: 520KB
MD5: a005168ca78727676148bcd8a93047de
SHA1: 640b8c6ddeafb34f244584f99d779dd5c8cb4de2
SHA256: 8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71
SHA512: 6b84ba7944b2c8bff3037ccad0974a2ff8f8cf9a60576f9fd3c771c43f6e91e3680e9c015a8e0007a084a0a414213f07ad9845f650a5518e5c77563c1fff8131
SSDEEP: 6144:f9GGo2CwtGg6eeihEfph2CMvvqqSaYwpncOeC66AOa0aFtVEQfTo1ozVqMb4:f9fC3hh29Ya77A90aFtDfT5IMb4
Malware Config

Extracted
Family: darkcomet
PrivateEye
C2: ratblackshades.no-ip.biz:1604
Mutex: DC_MUTEX-ACC1R98
gencode: 8GG5LVVGljSF
install: false
offline_keylogger: true
persistence: false
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  pid    Process
  636    winupd.exe
  3304   winupd.exe
  5108   winupd.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                            pid    Process                                                                  procid_target
  PID 3888 set thread context of 2600    3888   8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe    94
  PID 636 set thread context of 3304     636    winupd.exe                                                               99
  PID 636 set thread context of 5108     636    winupd.exe                                                               100
Processes:
  resource                                                                   yara_rule
  behavioral2/memory/5108-32-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/5108-35-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/5108-38-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/5108-36-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/5108-40-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/5108-39-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/5108-29-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/5108-43-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/5108-44-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/5108-45-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/5108-46-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/5108-47-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/5108-48-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/5108-49-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/5108-50-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/5108-51-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/5108-52-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/5108-53-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/5108-54-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/5108-55-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
Processes:
  pid    pid_target   Process        procid_target
  3972   1020         WerFault.exe   101
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   winupd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   winupd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   winupd.exe
Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes:
  pid    Process
  1020   ipconfig.exe

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
  description                            pid    Process
  Token: SeIncreaseQuotaPrivilege        5108   winupd.exe
  Token: SeSecurityPrivilege             5108   winupd.exe
  Token: SeTakeOwnershipPrivilege        5108   winupd.exe
  Token: SeLoadDriverPrivilege           5108   winupd.exe
  Token: SeSystemProfilePrivilege        5108   winupd.exe
  Token: SeSystemtimePrivilege           5108   winupd.exe
  Token: SeProfSingleProcessPrivilege    5108   winupd.exe
  Token: SeIncBasePriorityPrivilege      5108   winupd.exe
  Token: SeCreatePagefilePrivilege       5108   winupd.exe
  Token: SeBackupPrivilege               5108   winupd.exe
  Token: SeRestorePrivilege              5108   winupd.exe
  Token: SeShutdownPrivilege             5108   winupd.exe
  Token: SeDebugPrivilege                5108   winupd.exe
  Token: SeSystemEnvironmentPrivilege    5108   winupd.exe
  Token: SeChangeNotifyPrivilege         5108   winupd.exe
  Token: SeRemoteShutdownPrivilege       5108   winupd.exe
  Token: SeUndockPrivilege               5108   winupd.exe
  Token: SeManageVolumePrivilege         5108   winupd.exe
  Token: SeImpersonatePrivilege          5108   winupd.exe
  Token: SeCreateGlobalPrivilege         5108   winupd.exe
  Token: 33                              5108   winupd.exe
  Token: 34                              5108   winupd.exe
  Token: 35                              5108   winupd.exe
  Token: 36                              5108   winupd.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
  pid    Process
  3888   8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe
  2600   8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe
  636    winupd.exe
  3304   winupd.exe
  5108   winupd.exe

Suspicious use of WriteProcessMemory (32 IoCs)
Processes (identical consecutive rows collapsed, count in last column):
  description                          pid    Process                                                                  procid_target   count
  PID 3888 wrote to memory of 2600     3888   8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe    94              8
  PID 2600 wrote to memory of 636      2600   8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe    95              3
  PID 636 wrote to memory of 3304      636    winupd.exe                                                               99              8
  PID 636 wrote to memory of 5108      636    winupd.exe                                                               100             8
  PID 3304 wrote to memory of 1020     3304   winupd.exe                                                               101             5
Processes (tree; the number before each entry is its depth in the tree)

1  C:\Users\Admin\AppData\Local\Temp\8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe"
   PID: 3888
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Local\Temp\8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe"
      PID: 2600
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3  C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
         command line: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
         PID: 636
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4  C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
            command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
            PID: 3304
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5  C:\Windows\SysWOW64\ipconfig.exe
               command line: "C:\Windows\system32\ipconfig.exe"
               PID: 1020
               - Gathers network information

               6  C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 272
                  PID: 3972
                  - Program crash

         4  C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
            command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
            PID: 5108
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx

1  C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1020 -ip 1020
   PID: 1940
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 520KB
MD5: ec01ea3cd0f8aa7b0f5d907476cff742
SHA1: 808bc0de6badd3449fb2003f10d94f457b651c26
SHA256: d25e1e20304c91a333378584b142fc1f37e76155b69b8eed0d25b86cfd9a2f90
SHA512: ced5a72d6c8987223ca36d25e716b522068577ccd805716a83898779027167881dd1aab0defe88fab3822c5e6123e9b259e9682d3b4b929c3a4e0aba91b4cd3b