Analysis
Max time kernel: 120s
Max time network: 120s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 10-11-2024 19:55

Static task: static1
Behavioral task: behavioral1
Sample: 4be3a6686a4ea050f870f1bafb1cb6a63549e525f4215af3ff26a3de545908ffN.exe
Resource: win7-20240729-en
General
Target: 4be3a6686a4ea050f870f1bafb1cb6a63549e525f4215af3ff26a3de545908ffN.exe
Size: 520KB
MD5: f27c83ca93b05f487a02bf6729e45c96
SHA1: ed0cad92fff0d485a3e3b2234ea6404350ee4cd1
SHA256: 37ad37d2b58bc6bb5f13cbadb8e97b66b7a04541b8bba4a7e8c07c98dd356c26
SHA512: 63d5ddcd9d1d0a23e917853cabce96058cd926f06b4d66f4b026b61a577689c687493146321058bdda271e8fd85374586169416d9b5b01b5b53031d8c80570f4
SSDEEP: 6144:f9GGo2CwtGg6eeihEfph2CMvvqqSaYwpncOeC66AOa0aFtVEQfTo1ozVqMbL:f9fC3hh29Ya77A90aFtDfT5IMbL
Malware Config
Extracted
Family: darkcomet
Botnet: PrivateEye
C2: ratblackshades.no-ip.biz:1604
Mutex: DC_MUTEX-ACC1R98
gencode: 8GG5LVVGljSF
install: false
offline_keylogger: true
persistence: false
Signatures

Darkcomet family

Executes dropped EXE (3 IoCs)
  PID   Process
  4092  winupd.exe
  3724  winupd.exe
  1084  winupd.exe

Suspicious use of SetThreadContext (3 IoCs)
  Description                          PID   Process                                                                   procid_target
  PID 2344 set thread context of 4572  2344  4be3a6686a4ea050f870f1bafb1cb6a63549e525f4215af3ff26a3de545908ffN.exe  95
  PID 4092 set thread context of 3724  4092  winupd.exe                                                                97
  PID 4092 set thread context of 1084  4092  winupd.exe                                                                98

YARA rule matches on memory dumps (11 IoCs)
  Resource                                                                      yara_rule
  behavioral2/memory/1084-29-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/1084-31-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/1084-33-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/1084-37-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/1084-38-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/1084-39-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/1084-40-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/1084-43-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/1084-44-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/1084-45-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/1084-46-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  PID  pid_target  Process       procid_target
  408  2976        WerFault.exe  99

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   4be3a6686a4ea050f870f1bafb1cb6a63549e525f4215af3ff26a3de545908ffN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   4be3a6686a4ea050f870f1bafb1cb6a63549e525f4215af3ff26a3de545908ffN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   winupd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   winupd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   winupd.exe
Gathers network information (2 TTPs, 1 IoC)
  Uses command-line utility to view network configuration.
  PID   Process
  2976  ipconfig.exe

Suspicious use of AdjustPrivilegeToken (24 IoCs)
  All 24 token adjustments were made by PID 1084 (winupd.exe):
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 33
  Token: 34
  Token: 35
  Token: 36
Suspicious use of SetWindowsHookEx (5 IoCs)
  PID   Process
  2344  4be3a6686a4ea050f870f1bafb1cb6a63549e525f4215af3ff26a3de545908ffN.exe
  4572  4be3a6686a4ea050f870f1bafb1cb6a63549e525f4215af3ff26a3de545908ffN.exe
  4092  winupd.exe
  3724  winupd.exe
  1084  winupd.exe

Suspicious use of WriteProcessMemory (32 IoCs, identical events grouped)
  Description                        PID   Process                                                                   procid_target  Events
  PID 2344 wrote to memory of 4572   2344  4be3a6686a4ea050f870f1bafb1cb6a63549e525f4215af3ff26a3de545908ffN.exe  95             8
  PID 4572 wrote to memory of 4092   4572  4be3a6686a4ea050f870f1bafb1cb6a63549e525f4215af3ff26a3de545908ffN.exe  96             3
  PID 4092 wrote to memory of 3724   4092  winupd.exe                                                                97             8
  PID 4092 wrote to memory of 1084   4092  winupd.exe                                                                98             8
  PID 3724 wrote to memory of 2976   3724  winupd.exe                                                                99             5
Processes (indentation shows parent/child depth)

[1] C:\Users\Admin\AppData\Local\Temp\4be3a6686a4ea050f870f1bafb1cb6a63549e525f4215af3ff26a3de545908ffN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4be3a6686a4ea050f870f1bafb1cb6a63549e525f4215af3ff26a3de545908ffN.exe"
    PID: 2344
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\4be3a6686a4ea050f870f1bafb1cb6a63549e525f4215af3ff26a3de545908ffN.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\4be3a6686a4ea050f870f1bafb1cb6a63549e525f4215af3ff26a3de545908ffN.exe"
        PID: 4572
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
            Command line: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
            PID: 4092
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
                Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
                PID: 3724
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\ipconfig.exe
                    Command line: "C:\Windows\system32\ipconfig.exe"
                    PID: 2976
                    - Gathers network information

                    [6] C:\Windows\SysWOW64\WerFault.exe
                        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 272
                        PID: 408
                        - Program crash

            [4] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
                Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
                PID: 1084
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2976 -ip 2976
    PID: 4444
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 520KB
MD5: 15be7b0e22a3bcd3936acf9e7d8ed02b
SHA1: 534146cb32fce82eaafadb1e11473aac0a85aff3
SHA256: b02e84c0cbf46e8f64c6498c0604aa0c2dc000709319d012091842d90a160b71
SHA512: f051c0b6ceab5d580d99443346b0ef7dd5a8d44e336f8d83154e9d16267de4ae877151f83ee2adc904424a91f3c43d1e2d620ebaf4fbe77e476b43ea00ba1785