Analysis
- max time kernel: 120s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13-11-2024 04:13
Static task: static1
Behavioral task: behavioral1
- Sample: 94cbafbad18227e619e73ee95ab4b97b1a4979e47695c0b06d8950c213c4ad19.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 94cbafbad18227e619e73ee95ab4b97b1a4979e47695c0b06d8950c213c4ad19.exe
- Resource: win10v2004-20241007-en
General
- Target: 94cbafbad18227e619e73ee95ab4b97b1a4979e47695c0b06d8950c213c4ad19.exe
- Size: 1.7MB
- MD5: 7526bbadfc1a45ff7bbb10d9f6607116
- SHA1: df6a5241e003e6a13334836409505647cc3af3ef
- SHA256: 94cbafbad18227e619e73ee95ab4b97b1a4979e47695c0b06d8950c213c4ad19
- SHA512: d75c3cdbec06374c6e89ca75ba29513cc55387c7a46732649fb8d571cc2d0374110bd9e0b4955f66b2cfc9634005996eba3c2a250d262e2267baed45d575dba9
- SSDEEP: 24576:qMyptg5dkAmL8jyLQLNW0yzotcSHVZwMz8gkyJ8fPe:3te3e
Malware Config
Extracted
- Family: darkcomet
- Botnet ID (label inferred from position; the report shows only the value): 1
- C2: anthraxgold.no-ip.info:666
- Mutex: DC_MUTEX-169BEXQ
- gencode: M6QvjZgri1v2
- install: false
- offline_keylogger: false
- persistence: false
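How a configuration block like the one above is recovered from a DarkComet sample, as an added example that is not part of the sandbox report and not the vendor's extractor. It rests on an assumption the page does not state: DarkComet 4.x/5.x builds keep their configuration as a hex-encoded, RC4-encrypted blob under a version-specific hardcoded key (the key list below is the one public open-source extractors try in turn), and the decrypted text is a series of KEY={value} lines; the mapping from those internal names (NETDATA, MUTEX, SID, GENCODE, INSTALL, PERSIST, OFFLINEK) to the report's field names is likewise assumed. The ciphertext is constructed here from this report's own values so the block runs offline.

```python
import re

# Assumed, not stated on the page: version-specific RC4 keys tried by public
# open-source DarkComet config extractors.
DARKCOMET_KEYS = [
    b"#KCMDDC51#-890",   # 5.1
    b"#KCMDDC5#-890",    # 5.0
    b"#KCMDDC42F#-890",  # 4.2F
    b"#KCMDDC42#-890",   # 4.2
    b"#KCMDDC4#-890",    # 4.0
    b"#KCMDDC2#-890",    # 2.x / 3.x
]

# Assumed correspondence between the KEY={value} names inside the decrypted
# blob and the field names the report prints.
FIELD_MAP = {
    b"NETDATA": "c2",
    b"MUTEX": "mutex",
    b"SID": "botnet",
    b"GENCODE": "gencode",
    b"INSTALL": "install",
    b"PERSIST": "persistence",
    b"OFFLINEK": "offline_keylogger",
}
BOOL_FIELDS = {"install", "persistence", "offline_keylogger"}
FIELD_RE = re.compile(rb"^([A-Z0-9_]+)=\{([^}\r\n]*)\}", re.M)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_config(hex_blob: bytes):
    """Try each candidate key; stop at the first plaintext that carries the
    config markers. Returns (key, plaintext) or (None, None)."""
    raw = bytes.fromhex(hex_blob.decode("ascii"))
    for key in DARKCOMET_KEYS:
        pt = rc4(key, raw)
        if b"#BEGIN DARKCOMET DATA" in pt or b"MUTEX={" in pt:
            return key, pt
    return None, None


def parse_config(plaintext: bytes) -> dict:
    """Turn KEY={value} lines into the report's field names and types."""
    cfg = {}
    for name, value in FIELD_RE.findall(plaintext):
        field = FIELD_MAP.get(name)
        if field is None:
            continue  # unknown/unused field: keep going, do not fail
        text = value.decode("latin-1")
        if field in BOOL_FIELDS:
            cfg[field] = text == "1"
        elif field == "c2":
            # NETDATA may carry several host:port pairs separated by '|'.
            cfg[field] = [h for h in text.split("|") if h]
        else:
            cfg[field] = text
    return cfg


def extract_darkcomet_config(hex_blob: bytes):
    """Full pipeline: hex-decode, key search, parse. None if no key fits."""
    key, pt = decrypt_config(hex_blob)
    if pt is None:
        return None
    cfg = parse_config(pt)
    cfg["rc4_key"] = key.decode()
    return cfg


# CONSTRUCTED sample: this report's values laid out in the assumed KEY={value}
# format, encrypted with the 5.1 key and hex-encoded like the resource blob.
_SAMPLE_PLAINTEXT = (
    b"#BEGIN DARKCOMET DATA --\r\n"
    b"MUTEX={DC_MUTEX-169BEXQ}\r\n"
    b"SID={1}\r\n"
    b"NETDATA={anthraxgold.no-ip.info:666}\r\n"
    b"GENCODE={M6QvjZgri1v2}\r\n"
    b"INSTALL={0}\r\n"
    b"PERSIST={0}\r\n"
    b"OFFLINEK={0}\r\n"
    b"#EOF DARKCOMET DATA --\r\n"
)
SAMPLE_BLOB_HEX = rc4(b"#KCMDDC51#-890", _SAMPLE_PLAINTEXT).hex().upper().encode()

if __name__ == "__main__":
    print(extract_darkcomet_config(SAMPLE_BLOB_HEX))
```

The key search is deliberately tolerant: it accepts either marker, because stripped or truncated resources sometimes lose the header line but keep the MUTEX entry. On a real sample the hex blob would be carved from the binary's resource section rather than constructed.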
Signatures
(Below, the sample 94cbafbad18227e619e73ee95ab4b97b1a4979e47695c0b06d8950c213c4ad19.exe is abbreviated as 94cbafba...c4ad19.exe.)

Darkcomet family

Executes dropped EXE (3 IoCs)
- PID 668: test.exe
- PID 1400: test.exe
- PID 2820: test.exe

Loads dropped DLL (7 IoCs)
- PID 2732: 94cbafba...c4ad19.exe (5 events)
- PID 668: test.exe (2 events)

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\test\\test.exe" (process: reg.exe)

Suspicious use of SetThreadContext (3 IoCs)
- PID 2704 set thread context of 2732 (94cbafba...c4ad19.exe, target procid 30)
- PID 668 set thread context of 1400 (test.exe, target procid 35)
- PID 668 set thread context of 2820 (test.exe, target procid 36)

YARA rule "upx" matched in memory dumps (behavioral1)
- behavioral1/memory/2732-210-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral1/memory/2732-454-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral1/memory/2820-451-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral1/memory/1400-441-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral1/memory/1400-460-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral1/memory/2820-463-0x0000000000400000-0x00000000004B7000-memory.dmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 94cbafba...c4ad19.exe, cmd.exe, reg.exe, test.exe (3 events), 94cbafba...c4ad19.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- PID 2820 test.exe (23 tokens): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (the last three are reported numerically)
- PID 1400 test.exe: SeDebugPrivilege (41 events)

Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 2704: 94cbafba...c4ad19.exe
- PID 2732: 94cbafba...c4ad19.exe
- PID 668: test.exe
- PID 1400: test.exe

Suspicious use of WriteProcessMemory (36 IoCs)
- PID 2704 wrote to memory of 2732 (94cbafba...c4ad19.exe, target procid 30; 8 events)
- PID 2732 wrote to memory of 2192 (94cbafba...c4ad19.exe, target procid 31; 4 events)
- PID 2192 wrote to memory of 1256 (cmd.exe, target procid 33; 4 events)
- PID 2732 wrote to memory of 668 (94cbafba...c4ad19.exe, target procid 34; 4 events)
- PID 668 wrote to memory of 1400 (test.exe, target procid 35; 8 events)
- PID 668 wrote to memory of 2820 (test.exe, target procid 36; 8 events)
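The extracted config says persistence: false, yet the run shows reg.exe setting HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost to the dropped C:\Users\Admin\AppData\Roaming\test\test.exe: a Run-key autostart whose value name borrows a Windows service-host name while its target lives under the user's roaming profile. The block below is an added example of triaging such a command line offline; it is not from the report or the sandbox vendor. The system-binary name list and the user-writable path markers are short lists of my own, not anything the page defines, and the benign command line is constructed for contrast.

```python
import re
from pathlib import PureWindowsPath

# Autostart keys, matched as case-insensitive suffixes (short list for the demo).
AUTORUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
# Assumed short list of system-binary names malware borrows; extend as needed.
SYSTEM_BINARY_NAMES = {"svchost", "csrss", "lsass", "explorer", "winlogon",
                       "services", "rundll32"}
# Assumed markers of user-writable locations a legitimate Run entry rarely uses.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")

# Quoted arguments stay whole (backslashes untouched); everything else splits on whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_reg_add(cmdline):
    """Split 'REG ADD <key> /v <name> /t <type> /d <data> /f'; None if not REG ADD."""
    toks = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if len(toks) < 3 or toks[0].upper() != "REG" or toks[1].upper() != "ADD":
        return None
    info = {"key": toks[2], "name": None, "type": None, "data": None}
    slots = {"/v": "name", "/t": "type", "/d": "data"}
    i = 3
    while i < len(toks):
        slot = slots.get(toks[i].lower())
        if slot and i + 1 < len(toks):
            info[slot] = toks[i + 1]
            i += 2
        else:
            i += 1  # flags without an argument, e.g. /f
    return info


def assess_run_key(cmdline, system_root=r"C:\Windows"):
    """Findings for a REG ADD command line: autorun key, name masquerading as a
    system binary outside the system root, and a user-writable target path."""
    info = parse_reg_add(cmdline)
    if info is None:
        return None
    findings = []
    if info["key"].lower().rstrip("\\").endswith(AUTORUN_KEY_SUFFIXES):
        findings.append("autorun_key")
    target = (info["data"] or "").strip('"')
    under_system_root = target.lower().startswith(system_root.lower() + "\\")
    name = (info["name"] or "").lower()
    if name in SYSTEM_BINARY_NAMES and not under_system_root:
        findings.append(f"masquerades_system_binary:{name}")
    stem = PureWindowsPath(target).stem.lower()
    if stem in SYSTEM_BINARY_NAMES and not under_system_root:
        findings.append(f"file_named_like_system_binary:{stem}")
    if any(m in target.lower() for m in USER_WRITABLE_MARKERS):
        findings.append("user_writable_path")
    verdict = "suspicious" if "autorun_key" in findings and len(findings) > 1 else "benign"
    return {"key": info["key"], "name": info["name"], "target": target,
            "findings": findings, "verdict": verdict}


# The reg.exe command line observed in this report (PID 1256).
REPORT_CMDLINE = ('REG ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
                  '/v "svchost" /t REG_SZ /d "C:\\Users\\Admin\\AppData\\Roaming\\test\\test.exe" /f')
# CONSTRUCTED benign counterpart for contrast (not from the report).
BENIGN_CMDLINE = 'REG ADD "HKLM\\Software\\Contoso\\Agent" /v LogLevel /t REG_DWORD /d 2 /f'

if __name__ == "__main__":
    for c in (REPORT_CMDLINE, BENIGN_CMDLINE):
        print(assess_run_key(c))
```

An autorun key on its own is not a verdict (installers write Run entries all day); the combination with a borrowed system-binary name and a profile-writable target is what lifts this one to suspicious. Note the check never inspects the file on disk, so it is usable on command lines pulled from process-creation logs alone.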
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\94cbafbad18227e619e73ee95ab4b97b1a4979e47695c0b06d8950c213c4ad19.exe (PID 2704)
  Command line: "C:\Users\Admin\AppData\Local\Temp\94cbafbad18227e619e73ee95ab4b97b1a4979e47695c0b06d8950c213c4ad19.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\94cbafbad18227e619e73ee95ab4b97b1a4979e47695c0b06d8950c213c4ad19.exe (PID 2732)
    Command line: "C:\Users\Admin\AppData\Local\Temp\94cbafbad18227e619e73ee95ab4b97b1a4979e47695c0b06d8950c213c4ad19.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\cmd.exe (PID 2192)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\IJGPB.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\reg.exe (PID 1256)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "svchost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\test\test.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
    Level 3: C:\Users\Admin\AppData\Roaming\test\test.exe (PID 668)
      Command line: "C:\Users\Admin\AppData\Roaming\test\test.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Roaming\test\test.exe (PID 1400)
        Command line: "C:\Users\Admin\AppData\Roaming\test\test.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      Level 4: C:\Users\Admin\AppData\Roaming\test\test.exe (PID 2820)
        Command line: "C:\Users\Admin\AppData\Roaming\test\test.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
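Read together with the SetThreadContext and WriteProcessMemory IoCs, the tree shows the classic hollowing pattern three times: 2704 starts a second copy of itself (2732), writes into it and redirects its thread context; the hollowed copy runs IJGPB.bat through cmd.exe to set the Run key and launches the dropped test.exe (668), which in turn does the same to two further copies of itself (1400, 2820). cmd.exe writing into reg.exe, by contrast, has no SetThreadContext partner. The following is an added example, not from the report or the sandbox vendor, of reconstructing that from report-style event lines; the excerpt and the pid/parent table are constructed from the signatures above with repeated events collapsed, and "sample.exe" stands in for the long hash-named file.

```python
import re
from collections import defaultdict

# CONSTRUCTED excerpt in the report's own phrasing (repeats collapsed to one line).
REPORT_EXCERPT = """\
PID 2704 set thread context of 2732 2704 sample.exe 30
PID 668 set thread context of 1400 668 test.exe 35
PID 668 set thread context of 2820 668 test.exe 36
PID 2704 wrote to memory of 2732 2704 sample.exe 30
PID 2732 wrote to memory of 2192 2732 sample.exe 31
PID 2192 wrote to memory of 1256 2192 cmd.exe 33
PID 2732 wrote to memory of 668 2732 sample.exe 34
PID 668 wrote to memory of 1400 668 test.exe 35
PID 668 wrote to memory of 2820 668 test.exe 36
"""

# Process tree from the report: pid -> (image, parent pid).
PROCESSES = {
    2704: ("sample.exe", None),
    2732: ("sample.exe", 2704),
    2192: ("cmd.exe", 2732),
    1256: ("reg.exe", 2192),
    668: ("test.exe", 2732),
    1400: ("test.exe", 668),
    2820: ("test.exe", 668),
}

EVENT_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")
API_NAME = {"set thread context of": "SetThreadContext",
            "wrote to memory of": "WriteProcessMemory"}


def parse_events(text):
    """Report-style lines -> list of (api, source_pid, target_pid)."""
    return [(API_NAME[verb], int(src), int(dst))
            for src, verb, dst in EVENT_RE.findall(text)]


def find_hollowing(processes, events):
    """Flag parent->child pairs with BOTH WriteProcessMemory and
    SetThreadContext: the write-then-redirect-entry-point sequence of
    process hollowing. A write on its own is not flagged, because parents
    routinely write into children they just created (cmd.exe -> reg.exe)."""
    apis = defaultdict(set)
    for api, src, dst in events:
        apis[(src, dst)].add(api)
    flagged = []
    for (src, dst), seen in sorted(apis.items()):
        image, parent = processes.get(dst, (None, None))
        if parent == src and {"WriteProcessMemory", "SetThreadContext"} <= seen:
            flagged.append({"source": src, "target": dst, "image": image,
                            "same_image": processes[src][0] == image})
    return flagged


def render_tree(processes, flagged):
    """Indented process tree with hollowed children marked."""
    hollowed = {f["target"] for f in flagged}
    children = defaultdict(list)
    roots = []
    for pid, (_, parent) in processes.items():
        (roots if parent is None else children[parent]).append(pid)
    lines = []

    def walk(pid, depth):
        mark = "  <-- hollowed by parent" if pid in hollowed else ""
        lines.append(f"{'  ' * depth}{processes[pid][0]} (PID {pid}){mark}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(roots):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_hollowing(PROCESSES, parse_events(REPORT_EXCERPT))
    print(render_tree(PROCESSES, hits))
```

The same_image flag is worth keeping: all three hollowed children here run the parent's own image, which is the self-injection DarkComet-style droppers favour and a stronger signal than injection into an unrelated binary, where a debugger or installer could plausibly be the source.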
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 138B
  MD5: 527683c48cc4c7190219814c77b72fe0
  SHA1: d995878a8f4b9824a0508039eeada5376be9a52d
  SHA256: bbebf3e66136e700d8e3e2e0c8f461cdd9d7e68fe5a18a235afe86344932fb4b
  SHA512: 408a53b240c23fa34153ccc2b2315f28a9741121ecc9b76d50267ee62d78230e65574327369f83c779c781802c0c28f6c578703c01a67de46c3d44f71b814fa6
- File 2
  Filesize: 1.7MB
  MD5: 8fd0c103d25043b2b245f3663cb47a9c
  SHA1: 858a70c83ba74753df68fca2a01fb1a5dffa8ce6
  SHA256: b8da5c88a13992a0cc288cc9565aa31a551a68aad80ed7c8f60972912f1f789e
  SHA512: 47d0fe85fad64f06508e596790f40a3cbcfbc9a195ddbce3441ed871b8c72ccdb86972db1a1ff33d20f16b313aaf0fe9ebd9e50e49e05ac11d1c14ff085bac40
Neither file's hashes match the submitted sample, so the 1.7MB dropped file is not a byte-identical copy of it.