Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-12-2024 13:04
Static task: static1
Behavioral task: behavioral1
  Sample: pokerhackV2.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: pokerhackV2.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: pokerhackdataV2.dll
  Resource: win7-20241010-en
Behavioral task: behavioral4
  Sample: pokerhackdataV2.dll
  Resource: win10v2004-20241007-en
General
Target: pokerhackV2.exe
Size: 1.2MB
MD5: 10088b6ff3ee1aafb4a541cc8782719e
SHA1: 961bfdba4072ef020046f2f8d12140946632ec1d
SHA256: e3c92b8dc88f341dc0c891935455ab602383c7fdd1fadf6cdad7bbc1940f0eac
SHA512: f22058d920c671b24c17a7072f018b242cd847aeab34816ae087dade4d4c3c42183658ba5b54ab2b632f22608a4112c0c656f38cc6f56cdfc5df148bc252e0bb
SSDEEP: 24576:+OXundQ410NuvNb0TSQoPHZEWyGVUeu7t0e2dA1tfVsjKecr9yiHaLwa:3X2510NEaM5GTf7VHiw
Malware Config
Extracted
darkcomet
Guest16
h4ck3d.no-ip.biz:1604
DC_MUTEX-U7QW2L5
gencode: ZEXXhn2CQy5v
install: false
offline_keylogger: true
persistence: false
Signatures
Darkcomet family

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TaskMgr = "C:\\Users\\Admin\\AppData\\Local\\TaskMgr.exe" | pokerhackV2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TaskMgr = "C:\\Users\\Admin\\AppData\\Local\\TaskMgr.exe" | pokerhackV2.exe
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | pokerhackV2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | pokerhackV2.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TaskMgr = "C:\\Users\\Admin\\AppData\\Roaming\\TaskMgr.exe" | pokerhackV2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TaskMgr = "C:\\Users\\Admin\\AppData\\Roaming\\TaskMgr.exe" | pokerhackV2.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 5008 set thread context of 4528 | 5008 | pokerhackV2.exe | 85

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pokerhackV2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
5008 | pokerhackV2.exe
5008 | pokerhackV2.exe

Suspicious use of AdjustPrivilegeToken (25 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5008 | pokerhackV2.exe
Token: SeIncreaseQuotaPrivilege | 4528 | vbc.exe
Token: SeSecurityPrivilege | 4528 | vbc.exe
Token: SeTakeOwnershipPrivilege | 4528 | vbc.exe
Token: SeLoadDriverPrivilege | 4528 | vbc.exe
Token: SeSystemProfilePrivilege | 4528 | vbc.exe
Token: SeSystemtimePrivilege | 4528 | vbc.exe
Token: SeProfSingleProcessPrivilege | 4528 | vbc.exe
Token: SeIncBasePriorityPrivilege | 4528 | vbc.exe
Token: SeCreatePagefilePrivilege | 4528 | vbc.exe
Token: SeBackupPrivilege | 4528 | vbc.exe
Token: SeRestorePrivilege | 4528 | vbc.exe
Token: SeShutdownPrivilege | 4528 | vbc.exe
Token: SeDebugPrivilege | 4528 | vbc.exe
Token: SeSystemEnvironmentPrivilege | 4528 | vbc.exe
Token: SeChangeNotifyPrivilege | 4528 | vbc.exe
Token: SeRemoteShutdownPrivilege | 4528 | vbc.exe
Token: SeUndockPrivilege | 4528 | vbc.exe
Token: SeManageVolumePrivilege | 4528 | vbc.exe
Token: SeImpersonatePrivilege | 4528 | vbc.exe
Token: SeCreateGlobalPrivilege | 4528 | vbc.exe
Token: 33 | 4528 | vbc.exe
Token: 34 | 4528 | vbc.exe
Token: 35 | 4528 | vbc.exe
Token: 36 | 4528 | vbc.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
4528 | vbc.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 5008 wrote to memory of 4528 | 5008 | pokerhackV2.exe | 85 (the same entry is recorded 14 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\pokerhackV2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\pokerhackV2.exe"
   PID: 5008
   - Adds policy Run key to start application
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (child of 1)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      PID: 4528
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx