Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-10-2024 01:05
Static task: static1
Behavioral task: behavioral1
Sample: 8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe
Resource: win7-20240729-en
General
Target: 8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe
Size: 520KB
MD5: a005168ca78727676148bcd8a93047de
SHA1: 640b8c6ddeafb34f244584f99d779dd5c8cb4de2
SHA256: 8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71
SHA512: 6b84ba7944b2c8bff3037ccad0974a2ff8f8cf9a60576f9fd3c771c43f6e91e3680e9c015a8e0007a084a0a414213f07ad9845f650a5518e5c77563c1fff8131
SSDEEP: 6144:f9GGo2CwtGg6eeihEfph2CMvvqqSaYwpncOeC66AOa0aFtVEQfTo1ozVqMb4:f9fC3hh29Ya77A90aFtDfT5IMb4
Malware Config
Extracted
Family: darkcomet
Botnet: PrivateEye
C2: ratblackshades.no-ip.biz:1604
Mutex: DC_MUTEX-ACC1R98
gencode: 8GG5LVVGljSF
install: false
offline_keylogger: true
persistence: false
Signatures

Executes dropped EXE (3 IoCs)
Processes:
pid | Process
1392 | winupd.exe
4620 | winupd.exe
4560 | winupd.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes:
description | pid | Process | procid_target
PID 1440 set thread context of 3452 | 1440 | 8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe | 100
PID 1392 set thread context of 4620 | 1392 | winupd.exe | 104
PID 1392 set thread context of 4560 | 1392 | winupd.exe | 105
Processes:
resource | yara_rule
behavioral2/memory/4560-29-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4560-36-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4560-33-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4560-39-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4560-38-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4560-41-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4560-40-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4560-44-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4560-45-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4560-46-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4560-47-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4560-48-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4560-49-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4560-50-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4560-51-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4560-52-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
Processes:
pid | pid_target | Process | procid_target
528 | 116 | WerFault.exe | 106
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe
Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes:
pid | Process
116 | ipconfig.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 4560 | winupd.exe
Token: SeSecurityPrivilege | 4560 | winupd.exe
Token: SeTakeOwnershipPrivilege | 4560 | winupd.exe
Token: SeLoadDriverPrivilege | 4560 | winupd.exe
Token: SeSystemProfilePrivilege | 4560 | winupd.exe
Token: SeSystemtimePrivilege | 4560 | winupd.exe
Token: SeProfSingleProcessPrivilege | 4560 | winupd.exe
Token: SeIncBasePriorityPrivilege | 4560 | winupd.exe
Token: SeCreatePagefilePrivilege | 4560 | winupd.exe
Token: SeBackupPrivilege | 4560 | winupd.exe
Token: SeRestorePrivilege | 4560 | winupd.exe
Token: SeShutdownPrivilege | 4560 | winupd.exe
Token: SeDebugPrivilege | 4560 | winupd.exe
Token: SeSystemEnvironmentPrivilege | 4560 | winupd.exe
Token: SeChangeNotifyPrivilege | 4560 | winupd.exe
Token: SeRemoteShutdownPrivilege | 4560 | winupd.exe
Token: SeUndockPrivilege | 4560 | winupd.exe
Token: SeManageVolumePrivilege | 4560 | winupd.exe
Token: SeImpersonatePrivilege | 4560 | winupd.exe
Token: SeCreateGlobalPrivilege | 4560 | winupd.exe
Token: 33 | 4560 | winupd.exe
Token: 34 | 4560 | winupd.exe
Token: 35 | 4560 | winupd.exe
Token: 36 | 4560 | winupd.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
pid | Process
1440 | 8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe
3452 | 8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe
1392 | winupd.exe
4620 | winupd.exe
4560 | winupd.exe
Suspicious use of WriteProcessMemory (32 IoCs)
Processes:
description | pid | Process | procid_target | entries
PID 1440 wrote to memory of 3452 | 1440 | 8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe | 100 | 8
PID 3452 wrote to memory of 1392 | 3452 | 8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe | 101 | 3
PID 1392 wrote to memory of 4620 | 1392 | winupd.exe | 104 | 8
PID 1392 wrote to memory of 4560 | 1392 | winupd.exe | 105 | 8
PID 4620 wrote to memory of 116 | 4620 | winupd.exe | 106 | 5
Processes
1. C:\Users\Admin\AppData\Local\Temp\8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe"
   PID: 1440
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\8c9ff44e17e358515172280af70a9017cbf44e937146922750147476486e5d71.exe"
      PID: 3452
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
         Command line: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
         PID: 1392
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
            PID: 4620
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\ipconfig.exe
               Command line: "C:\Windows\system32\ipconfig.exe"
               PID: 116
               - Gathers network information
               6. C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 272
                  PID: 528
                  - Program crash
         4. C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
            PID: 4560
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 116 -ip 116
   PID: 3640
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 520KB
MD5: 464cb6ea7e55d4d8f9ee1fc7f05bc3e4
SHA1: b97ad43bc311381e9b4a21514973837207c05527
SHA256: 8012f074079c9bc7efdde01be5f849ec493e45ae5277d8e2481bfafe36b43f30
SHA512: e56785ef75a61703eff52a7c40d408c641891159925331770ca68d181645b39f1bb062ee491ba1b81211b9014e67f44d227431d862b7d77a4a7642a506bc8494