Analysis

max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 18:12

Static task: static1

Behavioral task: behavioral1
Sample: 60c0a1e3171459a4a8131d5def02d41f92346bb510892dee14f1f41d60c233d4N.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 60c0a1e3171459a4a8131d5def02d41f92346bb510892dee14f1f41d60c233d4N.exe
Resource: win10v2004-20241007-en
General

Target: 60c0a1e3171459a4a8131d5def02d41f92346bb510892dee14f1f41d60c233d4N.exe
Size: 1.5MB
MD5: b8b46b60f639dead446a53248de82e80
SHA1: cc79968f543e3e094b97f9dd2137fc29d642306e
SHA256: 60c0a1e3171459a4a8131d5def02d41f92346bb510892dee14f1f41d60c233d4
SHA512: 3e360a51dd7edb8305e72705e41670dd6a0ba6dedf3a292eeb6709362a6493cf18e749456b627153da061ca602f8ce70c0ee764dcb674c90c06eb1d2ad879966
SSDEEP: 12288:z+Qf9NxkERr1JzrDTzz7wHxhW88KH6Yn77TCNp8jToZGrhR0Zz:Dx0j8KaYnfTYp8/oZMGZz
Malware Config
Signatures

Modifies firewall policy service (3 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe = "C:\\Users\\Admin\\AppData\\Roaming\\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe:*:Enabled:Windows Messanger" | reg.exe
Executes dropped EXE (3 IoCs)
pid | Process
2724 | winlogon.exe
2452 | winlogon.exe
2784 | winlogon.exe
Loads dropped DLL (7 IoCs)
pid | Process
2372 | 60c0a1e3171459a4a8131d5def02d41f92346bb510892dee14f1f41d60c233d4N.exe
2372 | 60c0a1e3171459a4a8131d5def02d41f92346bb510892dee14f1f41d60c233d4N.exe
2372 | 60c0a1e3171459a4a8131d5def02d41f92346bb510892dee14f1f41d60c233d4N.exe
2372 | 60c0a1e3171459a4a8131d5def02d41f92346bb510892dee14f1f41d60c233d4N.exe
2372 | 60c0a1e3171459a4a8131d5def02d41f92346bb510892dee14f1f41d60c233d4N.exe
2724 | winlogon.exe
2724 | winlogon.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" | reg.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2724 set thread context of 2452 | 2724 | winlogon.exe | 34
PID 2724 set thread context of 2784 | 2724 | winlogon.exe | 35
resource | yara_rule
behavioral1/memory/2452-53-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral1/memory/2452-60-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral1/memory/2452-59-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral1/memory/2784-56-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral1/memory/2452-52-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral1/memory/2452-51-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral1/memory/2784-64-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral1/memory/2784-68-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral1/memory/2784-65-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral1/memory/2452-69-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral1/memory/2784-70-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral1/memory/2452-71-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral1/memory/2452-73-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral1/memory/2452-76-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral1/memory/2452-78-0x0000000000400000-0x000000000045D000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 60c0a1e3171459a4a8131d5def02d41f92346bb510892dee14f1f41d60c233d4N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Modifies registry key (1 TTPs, 4 IoCs)
pid | Process
1648 | reg.exe
340 | reg.exe
1624 | reg.exe
2308 | reg.exe
Suspicious use of AdjustPrivilegeToken (36 IoCs)
description | pid | Process
Token: 1 | 2452 | winlogon.exe
Token: SeCreateTokenPrivilege | 2452 | winlogon.exe
Token: SeAssignPrimaryTokenPrivilege | 2452 | winlogon.exe
Token: SeLockMemoryPrivilege | 2452 | winlogon.exe
Token: SeIncreaseQuotaPrivilege | 2452 | winlogon.exe
Token: SeMachineAccountPrivilege | 2452 | winlogon.exe
Token: SeTcbPrivilege | 2452 | winlogon.exe
Token: SeSecurityPrivilege | 2452 | winlogon.exe
Token: SeTakeOwnershipPrivilege | 2452 | winlogon.exe
Token: SeLoadDriverPrivilege | 2452 | winlogon.exe
Token: SeSystemProfilePrivilege | 2452 | winlogon.exe
Token: SeSystemtimePrivilege | 2452 | winlogon.exe
Token: SeProfSingleProcessPrivilege | 2452 | winlogon.exe
Token: SeIncBasePriorityPrivilege | 2452 | winlogon.exe
Token: SeCreatePagefilePrivilege | 2452 | winlogon.exe
Token: SeCreatePermanentPrivilege | 2452 | winlogon.exe
Token: SeBackupPrivilege | 2452 | winlogon.exe
Token: SeRestorePrivilege | 2452 | winlogon.exe
Token: SeShutdownPrivilege | 2452 | winlogon.exe
Token: SeDebugPrivilege | 2452 | winlogon.exe
Token: SeAuditPrivilege | 2452 | winlogon.exe
Token: SeSystemEnvironmentPrivilege | 2452 | winlogon.exe
Token: SeChangeNotifyPrivilege | 2452 | winlogon.exe
Token: SeRemoteShutdownPrivilege | 2452 | winlogon.exe
Token: SeUndockPrivilege | 2452 | winlogon.exe
Token: SeSyncAgentPrivilege | 2452 | winlogon.exe
Token: SeEnableDelegationPrivilege | 2452 | winlogon.exe
Token: SeManageVolumePrivilege | 2452 | winlogon.exe
Token: SeImpersonatePrivilege | 2452 | winlogon.exe
Token: SeCreateGlobalPrivilege | 2452 | winlogon.exe
Token: 31 | 2452 | winlogon.exe
Token: 32 | 2452 | winlogon.exe
Token: 33 | 2452 | winlogon.exe
Token: 34 | 2452 | winlogon.exe
Token: 35 | 2452 | winlogon.exe
Token: SeDebugPrivilege | 2784 | winlogon.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
2372 | 60c0a1e3171459a4a8131d5def02d41f92346bb510892dee14f1f41d60c233d4N.exe
2724 | winlogon.exe
2452 | winlogon.exe
2452 | winlogon.exe
2452 | winlogon.exe
2784 | winlogon.exe
Suspicious use of WriteProcessMemory (62 IoCs)
description | pid | Process | procid_target | occurrences
PID 2372 wrote to memory of 3012 | 2372 | 60c0a1e3171459a4a8131d5def02d41f92346bb510892dee14f1f41d60c233d4N.exe | 30 | 4
PID 3012 wrote to memory of 2972 | 3012 | cmd.exe | 32 | 4
PID 2372 wrote to memory of 2724 | 2372 | 60c0a1e3171459a4a8131d5def02d41f92346bb510892dee14f1f41d60c233d4N.exe | 33 | 4
PID 2724 wrote to memory of 2452 | 2724 | winlogon.exe | 34 | 9
PID 2724 wrote to memory of 2784 | 2724 | winlogon.exe | 35 | 9
PID 2452 wrote to memory of 596 | 2452 | winlogon.exe | 36 | 4
PID 2452 wrote to memory of 332 | 2452 | winlogon.exe | 37 | 4
PID 2452 wrote to memory of 484 | 2452 | winlogon.exe | 38 | 4
PID 2452 wrote to memory of 600 | 2452 | winlogon.exe | 40 | 4
PID 332 wrote to memory of 2308 | 332 | cmd.exe | 44 | 4
PID 596 wrote to memory of 1624 | 596 | cmd.exe | 45 | 4
PID 484 wrote to memory of 340 | 484 | cmd.exe | 46 | 4
PID 600 wrote to memory of 1648 | 600 | cmd.exe | 47 | 4
(identical rows are collapsed; the occurrences column gives how many times each row appears in the report, 62 in total)
Processes

C:\Users\Admin\AppData\Local\Temp\60c0a1e3171459a4a8131d5def02d41f92346bb510892dee14f1f41d60c233d4N.exe (PID 2372)
  command line: "C:\Users\Admin\AppData\Local\Temp\60c0a1e3171459a4a8131d5def02d41f92346bb510892dee14f1f41d60c233d4N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 3012)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ucLqK.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe (PID 2972)
          command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Winlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe" /f
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Roaming\winlogon.exe (PID 2724)
      command line: "C:\Users\Admin\AppData\Roaming\winlogon.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\winlogon.exe (PID 2452)
          command line: C:\Users\Admin\AppData\Roaming\winlogon.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe (PID 596)
              command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\reg.exe (PID 1624)
                  command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                  - Modifies firewall policy service
                  - System Location Discovery: System Language Discovery
                  - Modifies registry key

            C:\Windows\SysWOW64\cmd.exe (PID 332)
              command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\reg.exe (PID 2308)
                  command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
                  - Modifies firewall policy service
                  - System Location Discovery: System Language Discovery
                  - Modifies registry key

            C:\Windows\SysWOW64\cmd.exe (PID 484)
              command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\reg.exe (PID 340)
                  command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                  - Modifies firewall policy service
                  - System Location Discovery: System Language Discovery
                  - Modifies registry key

            C:\Windows\SysWOW64\cmd.exe (PID 600)
              command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" /f
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\reg.exe (PID 1648)
                  command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" /f
                  - Modifies firewall policy service
                  - System Location Discovery: System Language Discovery
                  - Modifies registry key

        C:\Users\Admin\AppData\Roaming\winlogon.exe (PID 2784)
          command line: C:\Users\Admin\AppData\Roaming\winlogon.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (3)
Downloads

File 1
Filesize: 138B
MD5: 4da6717f2c70f4bd32ad33a227a2ff47
SHA1: 3d7f7159e1f695bd469287d1ad4ffa0841b407a8
SHA256: a12bb2e5d2fb0b3c400ce311fae72995a00b57a97d23e4b9effec47cff189d07
SHA512: 6765314054ad9bf2164058248f3d3a17775176925abbe4376aec030dca3a5e59be8b9e96139941fec2b2e1a9bff38f87abdb29ea09a299d8ab7e23ecec4083df

File 2
Filesize: 1.5MB
MD5: 8de9f42a930f36a73c094129afc809b6
SHA1: 7c83e7e552b56b1a4638638817aa87b33932f411
SHA256: 8c7ffde7f1ba5d4204100a202caf67cbd5eb7943a859fbc25a587be36c7b4a06
SHA512: ef07819b97addcec3d7cbec003d2f60e69d0de7079e87959f3b17b2fff2d20facc47d61384ea45f021ca09fdb97bc74487118f5df390959afc8508f169bc494f