Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-12-2024 15:15
Static task
static1
Behavioral task
behavioral1
Sample
GOlfito.exe
Resource
win7-20240903-en
General
-
Target
GOlfito.exe
-
Size
1.2MB
-
MD5
3bf77085d3cc3631dd2a29770f4d844e
-
SHA1
6049321e1ccb8d594ed3a9db7740b2aef1b0bed3
-
SHA256
ce26affefbe19a456afd7df6ebae922bc6d295195746130d32d7705a2954bb1b
-
SHA512
ccd7b8d07e41901b440e71bbf94c7ea2ebff3e0ab8b6b2406abede0b10acb57247fe5bd5af3b6bc1b8780a5f406434256bdef1766eade339a66b135e62159518
-
SSDEEP
24576:gHXBnBDLfLLK6Imt5SVxQRq1uGNmZ4sZPoy/yTL5Wdju7VuafQl5s4Uapw:gHRnxLfL2bmtQVxQM1uSaOBZ25s4UaG
Malware Config
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Windupdt\\winupdate.exe" GOlfito.exe -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe -
Disables Task Manager via registry modification
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate GOlfito.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation GOlfito.exe -
Executes dropped EXE 3 IoCs
pid Process 1176 MINIGOLF.EXE 2308 winupdate.exe 4852 winupdate.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\Windupdt\\winupdate.exe" GOlfito.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 840 set thread context of 3756 840 GOlfito.exe 90 PID 2308 set thread context of 4852 2308 winupdate.exe 100 -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\Windupdt\winupdate.exe winupdate.exe File created C:\Windows\Windupdt\winupdate.exe GOlfito.exe File opened for modification C:\Windows\Windupdt\winupdate.exe GOlfito.exe File opened for modification C:\Windows\Windupdt\ GOlfito.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GOlfito.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GOlfito.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MINIGOLF.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 GOlfito.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString GOlfito.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier GOlfito.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier GOlfito.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier winupdate.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier GOlfito.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier winupdate.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ GOlfito.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4852 winupdate.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3756 GOlfito.exe Token: SeSecurityPrivilege 3756 GOlfito.exe Token: SeTakeOwnershipPrivilege 3756 GOlfito.exe Token: SeLoadDriverPrivilege 3756 GOlfito.exe Token: SeSystemProfilePrivilege 3756 GOlfito.exe Token: SeSystemtimePrivilege 3756 GOlfito.exe Token: SeProfSingleProcessPrivilege 3756 GOlfito.exe Token: SeIncBasePriorityPrivilege 3756 GOlfito.exe Token: SeCreatePagefilePrivilege 3756 GOlfito.exe Token: SeBackupPrivilege 3756 GOlfito.exe Token: SeRestorePrivilege 3756 GOlfito.exe Token: SeShutdownPrivilege 3756 GOlfito.exe Token: SeDebugPrivilege 3756 GOlfito.exe Token: SeSystemEnvironmentPrivilege 3756 GOlfito.exe Token: SeChangeNotifyPrivilege 3756 GOlfito.exe Token: SeRemoteShutdownPrivilege 3756 GOlfito.exe Token: SeUndockPrivilege 3756 GOlfito.exe Token: SeManageVolumePrivilege 3756 GOlfito.exe Token: SeImpersonatePrivilege 3756 GOlfito.exe Token: SeCreateGlobalPrivilege 3756 GOlfito.exe Token: 33 3756 GOlfito.exe Token: 34 3756 GOlfito.exe Token: 35 3756 GOlfito.exe Token: 36 3756 GOlfito.exe Token: 33 1828 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1828 AUDIODG.EXE Token: SeIncreaseQuotaPrivilege 4852 winupdate.exe Token: SeSecurityPrivilege 4852 winupdate.exe Token: SeTakeOwnershipPrivilege 4852 winupdate.exe Token: SeLoadDriverPrivilege 4852 winupdate.exe Token: SeSystemProfilePrivilege 4852 winupdate.exe Token: SeSystemtimePrivilege 4852 winupdate.exe Token: SeProfSingleProcessPrivilege 4852 winupdate.exe Token: SeIncBasePriorityPrivilege 4852 winupdate.exe Token: SeCreatePagefilePrivilege 4852 winupdate.exe Token: SeBackupPrivilege 4852 winupdate.exe Token: SeRestorePrivilege 4852 winupdate.exe Token: SeShutdownPrivilege 4852 winupdate.exe Token: SeDebugPrivilege 4852 winupdate.exe Token: SeSystemEnvironmentPrivilege 4852 winupdate.exe Token: SeChangeNotifyPrivilege 4852 winupdate.exe Token: SeRemoteShutdownPrivilege 4852 winupdate.exe Token: SeUndockPrivilege 4852 winupdate.exe Token: SeManageVolumePrivilege 4852 winupdate.exe Token: SeImpersonatePrivilege 4852 winupdate.exe Token: SeCreateGlobalPrivilege 4852 winupdate.exe Token: 33 4852 winupdate.exe Token: 34 4852 winupdate.exe Token: 35 4852 winupdate.exe Token: 36 4852 winupdate.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 840 GOlfito.exe 2308 winupdate.exe 4852 winupdate.exe -
Suspicious use of WriteProcessMemory 34 IoCs
description pid Process procid_target PID 840 wrote to memory of 3756 840 GOlfito.exe 90 PID 840 wrote to memory of 3756 840 GOlfito.exe 90 PID 840 wrote to memory of 3756 840 GOlfito.exe 90 PID 840 wrote to memory of 3756 840 GOlfito.exe 90 PID 840 wrote to memory of 3756 840 GOlfito.exe 90 PID 840 wrote to memory of 3756 840 GOlfito.exe 90 PID 840 wrote to memory of 3756 840 GOlfito.exe 90 PID 840 wrote to memory of 3756 840 GOlfito.exe 90 PID 840 wrote to memory of 3756 840 GOlfito.exe 90 PID 840 wrote to memory of 3756 840 GOlfito.exe 90 PID 840 wrote to memory of 3756 840 GOlfito.exe 90 PID 840 wrote to memory of 3756 840 GOlfito.exe 90 PID 840 wrote to memory of 3756 840 GOlfito.exe 90 PID 840 wrote to memory of 3756 840 GOlfito.exe 90 PID 3756 wrote to memory of 1176 3756 GOlfito.exe 91 PID 3756 wrote to memory of 1176 3756 GOlfito.exe 91 PID 3756 wrote to memory of 1176 3756 GOlfito.exe 91 PID 3756 wrote to memory of 2308 3756 GOlfito.exe 95 PID 3756 wrote to memory of 2308 3756 GOlfito.exe 95 PID 3756 wrote to memory of 2308 3756 GOlfito.exe 95 PID 2308 wrote to memory of 4852 2308 winupdate.exe 100 PID 2308 wrote to memory of 4852 2308 winupdate.exe 100 PID 2308 wrote to memory of 4852 2308 winupdate.exe 100 PID 2308 wrote to memory of 4852 2308 winupdate.exe 100 PID 2308 wrote to memory of 4852 2308 winupdate.exe 100 PID 2308 wrote to memory of 4852 2308 winupdate.exe 100 PID 2308 wrote to memory of 4852 2308 winupdate.exe 100 PID 2308 wrote to memory of 4852 2308 winupdate.exe 100 PID 2308 wrote to memory of 4852 2308 winupdate.exe 100 PID 2308 wrote to memory of 4852 2308 winupdate.exe 100 PID 2308 wrote to memory of 4852 2308 winupdate.exe 100 PID 2308 wrote to memory of 4852 2308 winupdate.exe 100 PID 2308 wrote to memory of 4852 2308 winupdate.exe 100 PID 2308 wrote to memory of 4852 2308 winupdate.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\GOlfito.exe"C:\Users\Admin\AppData\Local\Temp\GOlfito.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Users\Admin\AppData\Local\Temp\GOlfito.exe"C:\Users\Admin\AppData\Local\Temp\GOlfito.exe"2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Users\Admin\AppData\Local\Temp\MINIGOLF.EXE"C:\Users\Admin\AppData\Local\Temp\MINIGOLF.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1176
-
-
C:\Windows\Windupdt\winupdate.exe"C:\Windows\Windupdt\winupdate.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\Windupdt\winupdate.exe"C:\Windows\Windupdt\winupdate.exe"4⤵
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4852
-
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x424 0x4701⤵
- Suspicious use of AdjustPrivilegeToken
PID:1828
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
609KB
MD51c689f0a57ae6034b57ae03f90d14554
SHA1acb756e5d26121f862794c069a4703ee636f8c8a
SHA256b5ff6fc4cb240f5071e160b28745747a015e81c0e34994ff84bf4a7593f5c7e7
SHA512d5b94d5f46c584568c5f400bd65c31df02885c5c7f2b51307e17d05b02ebb8b779fc25db76f47426e8268e3c681356dbc00c8391c6aa125a48b4590ebd7726b9
-
Filesize
1.2MB
MD53bf77085d3cc3631dd2a29770f4d844e
SHA16049321e1ccb8d594ed3a9db7740b2aef1b0bed3
SHA256ce26affefbe19a456afd7df6ebae922bc6d295195746130d32d7705a2954bb1b
SHA512ccd7b8d07e41901b440e71bbf94c7ea2ebff3e0ab8b6b2406abede0b10acb57247fe5bd5af3b6bc1b8780a5f406434256bdef1766eade339a66b135e62159518