Analysis

max time kernel: 120s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11-12-2024 03:01
Static task: static1
Behavioral task: behavioral1
Sample: fba9123755068d98735d9c5a00d99abd57a90acaccce9b1a0549c1aeb76613dcN.exe
Resource: win7-20240903-en
General

Target: fba9123755068d98735d9c5a00d99abd57a90acaccce9b1a0549c1aeb76613dcN.exe
Size: 718KB
MD5: cc2f7185c6f4fb6308920d5a5676a600
SHA1: 2b5d0eb8e5cd4f76b3504e5011d8eed711c9fcb5
SHA256: fba9123755068d98735d9c5a00d99abd57a90acaccce9b1a0549c1aeb76613dc
SHA512: ffa55b7d96a57213c98374332d26463b9779bcaff52a509df9e523f8e4171770859666bcf07a7215c4c31941269c8d4d89f142d04df8337d7ff174859bf7c67a
SSDEEP: 12288:QL88mbu2rpKomPPijFbJ34tEZCgWSZkK5VdKbggPdOXwx6vwGpy30Yw6m:b8p2goysF4taCgVRdiNlOQF309
Malware Config

Extracted
Family: darkcomet
Botnet (campaign id): fo
C2: 127.0.0.1:1010, 46.39.230.61:1010
Mutex: DC_MUTEX-PR2UBLF
gencode: ovcHaFsW9bRT
install: false
offline_keylogger: true
persistence: false

Only 46.39.230.61:1010 is an actionable network indicator; 127.0.0.1:1010 is the loopback address and never leaves the host. Pair it with the DC_MUTEX-PR2UBLF mutex name as the host-level indicator. Note that install = false and persistence = false describe the builder settings, not what happened on disk: the process tree below shows the payload dropped to %TEMP% as ror.exe and then hidden.
Signatures

Darkcomet family

Modifies security service (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"  (ror.exe)
  Start = 4 is SERVICE_DISABLED; wscsvc is the Windows Security Center service, so this turns Security Center off at next boot.

Windows security bypass
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (ror.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (ror.exe)

Disables RegEdit via registry modification (1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  (ror.exe)

Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 2476  attrib.exe
  PID 2444  attrib.exe

Executes dropped EXE (1 IoC)
  PID 2808  ror.exe

Loads dropped DLL (2 IoCs)
  PID 1660  fba9123755068d98735d9c5a00d99abd57a90acaccce9b1a0549c1aeb76613dcN.exe
  PID 1660  fba9123755068d98735d9c5a00d99abd57a90acaccce9b1a0549c1aeb76613dcN.exe

Windows security modification
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (ror.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (ror.exe)

UPX packed file (yara rule: upx)
  behavioral1/files/0x0007000000012117-12.dat
  behavioral1/memory/2808-13-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral1/memory/2808-44-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral1/memory/2808-47-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral1/memory/2808-49-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral1/memory/2808-53-0x0000000000400000-0x00000000004B7000-memory.dmp
  The dropped file and the image region of PID 2808 (ror.exe, 0x400000-0x4B7000) match the same rule; the later memory dumps of that region are where to look for the unpacked code.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by attrib.exe, attrib.exe, fba9123755068d98735d9c5a00d99abd57a90acaccce9b1a0549c1aeb76613dcN.exe, ror.exe, notepad.exe, cmd.exe, cmd.exe
  Every process in the tree fires this, including the stock cmd.exe, attrib.exe and notepad.exe; reading this key is part of normal locale initialization, so on its own it does not discriminate malicious from benign activity.

Suspicious use of AdjustPrivilegeToken (23 IoCs)
  PID 2808 ror.exe enabled: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privilege LUIDs 33, 34 and 35.
  The sandbox did not resolve the last three names; in winnt.h LUIDs 33, 34 and 35 are SE_INC_WORKING_SET_PRIVILEGE, SE_TIME_ZONE_PRIVILEGE and SE_CREATE_SYMBOLIC_LINK_PRIVILEGE. Enabling every privilege the token holds in one pass, rather than the one or two a task needs, is itself the behavioural tell here.

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2808  ror.exe
  SetWindowsHookEx is the standard keyboard-hook API; with offline_keylogger = true in the extracted config, this is the call to examine.

Suspicious use of WriteProcessMemory (43 IoCs)
  Writer (PID)                                                                    Target (PID)         procid_target  Calls
  fba9123755068d98735d9c5a00d99abd57a90acaccce9b1a0549c1aeb76613dcN.exe (1660)   ror.exe (2808)       29             4
  ror.exe (2808)                                                                  cmd.exe (2564)       30             4
  ror.exe (2808)                                                                  cmd.exe (2556)       31             4
  ror.exe (2808)                                                                  notepad.exe (2420)   33             23
  cmd.exe (2564)                                                                  attrib.exe (2444)    35             4
  cmd.exe (2556)                                                                  attrib.exe (2476)    36             4
  Target image names are taken from the process tree below. Each ordinary process start accounts for four writes; the 23 writes from ror.exe into notepad.exe, a process that does nothing else in the tree, are the pattern of code injection into a benign host, so a memory dump of PID 2420 is worth taking alongside the ror.exe dumps above.

System policy modification (1 TTP, 3 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion  (ror.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern  (ror.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"  (ror.exe)
  The key names are reproduced exactly as the sample wrote them. Windows reads NoControlPanel from ...\Policies\Explorer, so a value under the misspelled "Explorern" key does not actually hide the Control Panel; it is still a distinctive hunting artifact.

Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 2476  attrib.exe
  PID 2444  attrib.exe
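The registry writes and the WriteProcessMemory rows above are the report's most reusable detection content. The Python below is an added example, not part of the sandbox output: it normalizes the native \REGISTRY\MACHINE and \REGISTRY\USER paths into the hive-relative form that Sysmon Event ID 13 logs use (folding Wow6432Node and ControlSet001 so a 64-bit log matches the 32-bit writes seen here), checks constructed Sysmon-style events against the IoCs from this report, and collapses the repeated WriteProcessMemory rows into per-edge counts so the notepad.exe writes stand out. The rule labels, the sample events, the PID-to-image map and the threshold of 8 are assumptions made for the example; the keys, values, PIDs and image names are the report's.

```python
"""Triage helpers for the registry and WriteProcessMemory IoCs in this report.

Added example, not part of the sandbox output. Registry keys, values, PIDs and
image names are taken from the report; the Sysmon-style sample events, the rule
labels and the write-count threshold are assumptions made for this example.
"""
import re
from collections import Counter

# Registry IoCs from the report, in the hive-relative form normalize_key() yields.
# The misspelled "Explorern" key is kept exactly as the sample wrote it.
DARKCOMET_REGISTRY_IOCS = {
    "wscsvc_disabled": (r"HKLM\SYSTEM\CurrentControlSet\services\wscsvc", "Start", "4"),
    "secctr_updates_notify_off": (r"HKLM\SOFTWARE\Microsoft\Security Center",
                                  "UpdatesDisableNotify", "1"),
    "secctr_av_notify_off": (r"HKLM\SOFTWARE\Microsoft\Security Center",
                             "AntiVirusDisableNotify", "1"),
    "regedit_disabled": (r"HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Policies\System",
                         "DisableRegistryTools", "1"),
    "controlpanel_policy": (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
                            r"\CurrentVersion\Explorern", "NoControlPanel", "1"),
}
_SID = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")
_WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def normalize_key(path):
    """Map a native or Sysmon registry path to the form used in the IoC table:
    \\REGISTRY\\MACHINE -> HKLM, \\REGISTRY\\USER\\<sid> -> HKU\\<SID>,
    ControlSet00N -> CurrentControlSet, and Wow6432Node dropped so that 32-bit
    and 64-bit writes to the same logical key compare equal."""
    p = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER", "HKU", p, flags=re.I)
    p = _SID.sub("<SID>", p)
    p = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", p, flags=re.I)
    p = re.sub(r"\\Wow6432Node\\", r"\\", p, flags=re.I)
    return p.rstrip("\\")


def match_registry_events(events):
    """Return (label, image) for each Sysmon Event ID 13-style event (Image,
    TargetObject ending in the value name, Details) that sets an IoC value."""
    hits = []
    for ev in events:
        key, _, value_name = normalize_key(ev["TargetObject"]).rpartition("\\")
        # Sysmon logs DWORD data as "DWORD (0x00000004)"; compare it in decimal.
        m = re.search(r"0x([0-9a-f]+)", ev["Details"], re.I)
        data = str(int(m.group(1), 16)) if m else ev["Details"].strip().strip('"')
        for label, (ioc_key, ioc_value, ioc_data) in DARKCOMET_REGISTRY_IOCS.items():
            if (key.lower(), value_name.lower(), data) == (ioc_key.lower(), ioc_value.lower(), ioc_data):
                hits.append((label, ev["Image"]))
    return hits


def summarize_wpm(text):
    """Collapse the report's repeated WriteProcessMemory rows into
    {(writer_pid, target_pid, writer_image): call count}."""
    return Counter((int(a), int(b), img) for a, b, img, _ in _WPM_ROW.findall(text))


def injection_candidates(counts, images, threshold=8):
    """Flag writer/target pairs with far more writes than the four that each
    ordinary process start produced in this report (threshold is a heuristic)."""
    return sorted((src, dst, images.get(dst, "?"), n)
                  for (src, dst, _), n in counts.items() if n >= threshold)


# Constructed sample events modelled on the report's IoCs, plus one benign write.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\ror.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\services\wscsvc\Start",
     "Details": "DWORD (0x00000004)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\ror.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify",
     "Details": "1"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\ror.exe",
     "TargetObject": r"HKU\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft"
                     r"\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\System32\svchost.exe",  # benign: wscsvc set to Automatic
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\services\wscsvc\Start",
     "Details": "DWORD (0x00000002)"},
]
# WriteProcessMemory rows as the report lists them, repeated the observed number of times.
SAMPLE_WPM = (
    "PID 1660 wrote to memory of 2808 1660 "
    "fba9123755068d98735d9c5a00d99abd57a90acaccce9b1a0549c1aeb76613dcN.exe 29 " * 4
    + "PID 2808 wrote to memory of 2564 2808 ror.exe 30 " * 4
    + "PID 2808 wrote to memory of 2556 2808 ror.exe 31 " * 4
    + "PID 2808 wrote to memory of 2420 2808 ror.exe 33 " * 23
    + "PID 2564 wrote to memory of 2444 2564 cmd.exe 35 " * 4
    + "PID 2556 wrote to memory of 2476 2556 cmd.exe 36 " * 4
)
PID_IMAGES = {1660: "fba9123755068d98735d9c5a00d99abd57a90acaccce9b1a0549c1aeb76613dcN.exe",
              2808: "ror.exe", 2564: "cmd.exe", 2556: "cmd.exe",
              2444: "attrib.exe", 2476: "attrib.exe", 2420: "notepad.exe"}

if __name__ == "__main__":
    print(match_registry_events(SAMPLE_EVENTS))
    print(injection_candidates(summarize_wpm(SAMPLE_WPM), PID_IMAGES))
```

Running the file prints three registry hits attributed to ror.exe (the svchost.exe write to the same wscsvc\Start value with data 2 is ignored, because only Start = 4 is the indicator) and a single injection candidate, ror.exe into notepad.exe with 23 calls. To use it on real Sysmon data, feed match_registry_events() dicts built from Event ID 13 records; the comparison is case-insensitive and tolerant of ControlSet and Wow6432Node variants, which is the usual reason a hand-written path match misses.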
Processes

C:\Users\Admin\AppData\Local\Temp\fba9123755068d98735d9c5a00d99abd57a90acaccce9b1a0549c1aeb76613dcN.exe  (PID 1660)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fba9123755068d98735d9c5a00d99abd57a90acaccce9b1a0549c1aeb76613dcN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ror.exe  (PID 2808)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ror.exe"
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\SysWOW64\cmd.exe  (PID 2564)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\ror.exe" +s +h
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe  (PID 2444)
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\ror.exe" +s +h
        - Sets file to hidden
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe  (PID 2556)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe  (PID 2476)
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Sets file to hidden
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes

    C:\Windows\SysWOW64\notepad.exe  (PID 2420)
      Command line: notepad
      - System Location Discovery: System Language Discovery

Notes on the tree. ror.exe asks for C:\Windows\System32\cmd.exe but the image that runs is C:\Windows\SysWOW64\cmd.exe, so ror.exe is a 32-bit process under WOW64 file-system redirection; the Wow6432Node registry paths in the signatures are the same redirection on the registry side. The two attrib invocations mark both the dropped ror.exe and the entire C:\Users\Admin\AppData\Local\Temp directory as system+hidden, which hides them from a default Explorer view and from "dir" without /a; "attrib -s -h" on both paths reverses it during cleanup. "cmd /k" leaves each cmd.exe running after attrib exits. notepad.exe is launched with no file and does nothing of its own, which together with the 23 WriteProcessMemory calls into it from ror.exe marks it as the injection host.
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file
  Filesize: 251KB
  MD5: 169b88b99a74428b0dbc617fb209379e
  SHA1: 4743c42d5aea002dc04dbfe4e4eba2a2c4da6014
  SHA256: 6f6113d00980391262126021c78100e29d9cd12ca97c18ca1172c12e7138ce80
  SHA512: 44fdf103ee303b7497a633f595daf22704dc7af012796201bf9ac76561b41d10b6fc6007f5de5eeadf2a1c2db83310a5b73a7a466da3bb92ef4f675244f3666d