Analysis

max time kernel: 149s
max time network: 147s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 03:12
Static task: static1
Behavioral task: behavioral1
Sample: cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe
Resource: win7-20241010-en
General

Target: cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe
Size: 3.2MB
MD5: f2395e55fc1ed3d2eda2a3bdd13d8af6
SHA1: bf5fa44a16a1ba7d772b6722552ed9525a965ee1
SHA256: cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88
SHA512: 69334c6ee8df715b3373eb65f2aba85c4fbcf9fa9e6548b1b1910b646335cad97dfb36e553061aa756cc6dd881f63acff351464a515323227aa164342bb9724f
SSDEEP: 49152:9gYvvhIIP0qkE+ZZPhrXXi3kmPlfD34C7/tcHk3oFughjfqKw07txr18zoTC:9gYv55j43H+9k21cu6ughTqKw07tx2f
Malware Config

Extracted
Family: darkcomet
ROLLEO
C2: 127.0.0.1:1607
C2: 109.226.126.84:1607
Mutex: DC_MUTEX-SR7HAR4
InstallPath: WindowsDefencer\Update.exe
gencode: TeJuc1dkNHmJ
install: true
offline_keylogger: false
persistence: true
reg_key: Windows Defencer

Note: 127.0.0.1:1607 is the loopback address and cannot reach an operator from a victim host; the only routable C2 in the extracted configuration is 109.226.126.84:1607, so that address and TCP port 1607 are the network indicators to hunt for. The install, persistence and reg_key values match the behaviour recorded below (Update.exe dropped under the WindowsDefencer directory and started from a "Windows Defencer" Run value).
Signatures

Darkcomet family

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WindowsDefencer\\Update.exe"  (process: file.exe)
  UserInit is a comma-separated list that Winlogon runs at every interactive logon; the sample appends its own binary after the stock userinit.exe. When cleaning up, restore the value to userinit.exe alone rather than deleting it, since an empty UserInit breaks logon.

Disables RegEdit via registry modification (1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  (process: Update.exe)

Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 536 attrib.exe
  PID 768 attrib.exe

Executes dropped EXE (3 IoCs)
  PID 2788 borodacraft.exe
  PID 2716 file.exe
  PID 808 Update.exe

Loads dropped DLL (8 IoCs)
  PID 1700 cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe (4 loads)
  PID 2716 file.exe (1 load)
  PID 808 Update.exe (3 loads)

Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDLMBOHHPEGIFCA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"  (process: cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defencer = "C:\\Windows\\system32\\WindowsDefencer\\Update.exe"  (process: file.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defencer = "C:\\Windows\\system32\\WindowsDefencer\\Update.exe"  (process: Update.exe)
  The dropper writes the HKLM Run value through the Wow6432Node view because it is a 32-bit process on x64; the same 32-bit redirection explains why the file below lands in SysWOW64 while the registry values name system32.

Drops file in System32 directory (3 IoCs)
  File created C:\Windows\SysWOW64\WindowsDefencer\Update.exe  (process: file.exe)
  File opened for modification C:\Windows\SysWOW64\WindowsDefencer\Update.exe  (process: file.exe)
  File opened for modification C:\Windows\SysWOW64\WindowsDefencer\  (process: file.exe)
  Note the path mismatch: the configuration and the Run/UserInit values say C:\Windows\system32\WindowsDefencer\Update.exe, but a 32-bit process writing to system32 on x64 Windows is redirected by WOW64 to C:\Windows\SysWOW64. When the autostart entries are executed they are redirected the same way, so they still find the file; an x64 responder has to look in SysWOW64, not system32.

UPX (YARA rule "upx")
  behavioral1/files/0x0008000000015d53-20.dat
  behavioral1/memory/2716-21-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral1/memory/2716-59-0x0000000003F50000-0x0000000004007000-memory.dmp
  behavioral1/memory/2716-107-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral1/memory/808-109-0x0000000000400000-0x00000000004B7000-memory.dmp
  file.exe (PID 2716) and Update.exe (PID 808) occupy the same 0x400000-0x4B7000 image range and both match the UPX rule, consistent with Update.exe being the copy of file.exe that file.exe created in the WindowsDefencer directory.
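The three registry IoCs above (the UserInit helper, the Run values and the DisableRegistryTools policy) are the host artifacts worth turning into a detection. The script below is an added example written for this page, not Triage output and not DarkComet code: it models each "Set value" line as a RegEvent (the schema is an assumption), runs three checks over events constructed from this report plus two constructed benign controls, and reports the hits. The rule that flags Run values launching from a subdirectory of System32 is a heuristic of the editor's, labelled as such in the code.

```python
"""Hunt for the registry persistence and lockout artifacts this report lists.

Added example for this page; the RegEvent schema and the heuristics are the
editor's assumptions, not Triage output or DarkComet's own code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    process: str      # image name of the writing process
    key: str          # registry key, in the \REGISTRY\... form the report uses
    value_name: str
    data: str


SAMPLE_EXE = "cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe"
USER_SID = r"\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000"

# Constructed from the "Set value" IoCs in the Signatures section above.
MALICIOUS_EVENTS = [
    RegEvent("file.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
             "UserInit",
             r"C:\Windows\system32\userinit.exe,C:\Windows\system32\WindowsDefencer\Update.exe"),
    RegEvent("Update.exe",
             USER_SID + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System",
             "DisableRegistryTools", "1"),
    RegEvent(SAMPLE_EXE,
             r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
             "DDLMBOHHPEGIFCA", r"C:\Users\Admin\AppData\Local\Temp\file.exe"),
    RegEvent("file.exe",
             USER_SID + r"\Software\Microsoft\Windows\CurrentVersion\Run",
             "Windows Defencer", r"C:\Windows\system32\WindowsDefencer\Update.exe"),
]

# Constructed benign controls: the stock UserInit value and a vendor Run entry.
BENIGN_EVENTS = [
    RegEvent("setup.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
             "UserInit", r"C:\Windows\system32\userinit.exe,"),
    RegEvent("jusched.exe",
             USER_SID + r"\Software\Microsoft\Windows\CurrentVersion\Run",
             "SunJavaUpdateSched",
             r"C:\Program Files\Common Files\Java\Java Update\jusched.exe"),
]

STOCK_USERINIT = r"c:\windows\system32\userinit.exe"
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|public)\\", re.I)
SYSTEM32_SUBDIR = re.compile(r"\\(system32|syswow64)\\[^\\]+\\[^\\]+$", re.I)
LOCKOUT_POLICIES = {"disableregistrytools", "disabletaskmgr"}


def check_userinit(ev):
    """Winlogon\\UserInit is a comma-separated list; every entry beyond the
    stock userinit.exe runs at each interactive logon."""
    if not ev.key.lower().endswith("\\winlogon") or ev.value_name.lower() != "userinit":
        return None
    extra = [p.strip() for p in ev.data.split(",")
             if p.strip() and p.strip().lower() != STOCK_USERINIT]
    return f"UserInit runs extra binary {extra}" if extra else None


def check_run_key(ev):
    """Flag Run values launching from a user-writable directory or, as a
    heuristic, from a subdirectory of System32 (rare for legitimate software)."""
    if not ev.key.lower().endswith("\\currentversion\\run"):
        return None
    if USER_WRITABLE.search(ev.data):
        return f"Run value {ev.value_name!r} launches from a user-writable directory"
    if SYSTEM32_SUBDIR.search(ev.data):
        return f"Run value {ev.value_name!r} launches from a System32 subdirectory (heuristic)"
    return None


def check_lockout_policy(ev):
    """Policies\\System values that take the user's own tooling away."""
    if (ev.key.lower().endswith("\\policies\\system")
            and ev.value_name.lower() in LOCKOUT_POLICIES
            and ev.data.strip() == "1"):
        return f"{ev.value_name} = 1 set by {ev.process}"
    return None


CHECKS = (check_userinit, check_run_key, check_lockout_policy)


def hunt(events):
    """Return (process, finding) pairs for every event that trips a check."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append((ev.process, hit))
    return findings


if __name__ == "__main__":
    for proc, finding in hunt(MALICIOUS_EVENTS + BENIGN_EVENTS):
        print(f"{proc}: {finding}")
```

Run against the constructed events, the four malicious writes are reported and both controls pass; the UserInit check tolerates the trailing comma that the stock value carries, and the Policies check only fires on the value set to 1, so resetting the policy to 0 does not alert.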
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: notepad.exe (2), borodacraft.exe, cmd.exe (2), attrib.exe (2), Update.exe, cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe, file.exe
  This signature fires for the stock notepad.exe, cmd.exe and attrib.exe processes as well, so it reflects ordinary locale lookups rather than deliberate reconnaissance and carries little weight on its own.

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Both file.exe (PID 2716) and Update.exe (PID 808) enable the same 23 privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  The numeric entries are privilege LUIDs the report left unresolved (33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege). Enabling every privilege the token holds at once, instead of the one a task needs, is itself a useful behavioural indicator.

Suspicious use of WriteProcessMemory (64 IoCs)
  writer (PID, image)                  -> target PID   procid_target   writes
  1700 cd94d378...a8a88.exe            -> 2788         30              4
  1700 cd94d378...a8a88.exe            -> 2716         31              4
  2716 file.exe                        -> 2616         32              4
  2716 file.exe                        -> 2856         33              4
  2716 file.exe                        -> 2728         35              18
  2616 cmd.exe                         -> 536          37              4
  2856 cmd.exe                         -> 768          38              4
  2716 file.exe                        -> 808          39              7
  808 Update.exe                       -> 1952         40              7
  808 Update.exe                       -> 756          41              4
  808 Update.exe                       -> 2232         42              4
  (procid_target is the report's own sequential process index, not a Windows PID. The abbreviated writer name is the full sample name cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe.)
  Every plain process launch in this run shows exactly four writes from parent into child, which is what process creation itself produces under the sandbox hooks. The extra writes into notepad.exe (PID 2728, 18 writes) and into Update.exe (PID 808) and iexplore.exe (PID 1952, 7 each) go beyond that baseline; together with the stock notepad.exe, iexplore.exe and explorer.exe children spawned by file.exe and Update.exe, they are the places to look for injected code.

Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 768 attrib.exe
  PID 536 attrib.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe  (PID 1700)
    command line: "C:\Users\Admin\AppData\Local\Temp\cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\borodacraft.exe  (PID 2788)
      command line: "C:\Users\Admin\AppData\Local\Temp\borodacraft.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

  [2] C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 2716)
      command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2616)
        command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\file.exe" +s +h
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\attrib.exe  (PID 536)
          command line: attrib "C:\Users\Admin\AppData\Local\Temp\file.exe" +s +h
          - Sets file to hidden
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes

    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2856)
        command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\attrib.exe  (PID 768)
          command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          - Sets file to hidden
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes

    [3] C:\Windows\SysWOW64\notepad.exe  (PID 2728)
        command line: notepad
        - System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\WindowsDefencer\Update.exe  (PID 808)
        command line: "C:\Windows\system32\WindowsDefencer\Update.exe"
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Internet Explorer\iexplore.exe  (PID 1952)
          command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

      [4] C:\Windows\explorer.exe  (PID 756)
          command line: "C:\Windows\explorer.exe"

      [4] C:\Windows\SysWOW64\notepad.exe  (PID 2232)
          command line: notepad
          - System Location Discovery: System Language Discovery

The bracketed number is the depth in the process tree. cmd.exe is invoked with /k, so each shell stays resident after attrib has set the +s +h (system, hidden) attributes on the dropped file and on the Temp directory; the two attrib.exe instances are PIDs 536 and 768 from the signature list.
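The tree above shows two chains a detection should catch regardless of the file names involved: a binary running from a user-writable directory that has cmd.exe run attrib +s +h on its own files, and a non-shell process that spawns stock system binaries (notepad.exe, iexplore.exe, explorer.exe) and writes into their memory. The script below is an added example written for this page, not Triage code or output: it rebuilds the process tree from records constructed from this report, flags both chains, and takes the writer/target PID pairs from the WriteProcessMemory signature above. The Proc schema, the list of host binaries and the set of writers treated as benign are the editor's assumptions.

```python
"""Rebuild the process tree of this report and flag the two suspicious chains.

Added example for this page. The Proc schema, HOST_BINARIES and BENIGN_WRITERS
are assumptions chosen for this report, not Triage's data model."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # on-disk path as the report shows it (SysWOW64 for 32-bit)
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe"

# Constructed from the process tree above; ppid 0 stands for the sandbox launcher.
PROCS = [
    Proc(1700, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(2788, 1700, r"C:\Users\Admin\AppData\Local\Temp\borodacraft.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\borodacraft.exe"'),
    Proc(2716, 1700, r"C:\Users\Admin\AppData\Local\Temp\file.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'),
    Proc(2616, 2716, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\file.exe" +s +h'),
    Proc(536, 2616, r"C:\Windows\SysWOW64\attrib.exe",
         r'attrib "C:\Users\Admin\AppData\Local\Temp\file.exe" +s +h'),
    Proc(2856, 2716, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h'),
    Proc(768, 2856, r"C:\Windows\SysWOW64\attrib.exe",
         r'attrib "C:\Users\Admin\AppData\Local\Temp" +s +h'),
    Proc(2728, 2716, r"C:\Windows\SysWOW64\notepad.exe", "notepad"),
    Proc(808, 2716, r"C:\Windows\SysWOW64\WindowsDefencer\Update.exe",
         r'"C:\Windows\system32\WindowsDefencer\Update.exe"'),
    Proc(1952, 808, r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
         r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe"'),
    Proc(756, 808, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
    Proc(2232, 808, r"C:\Windows\SysWOW64\notepad.exe", "notepad"),
]

# (writer PID, target PID) pairs from the WriteProcessMemory signature, de-duplicated.
MEMORY_WRITES = {(1700, 2788), (1700, 2716), (2716, 2616), (2716, 2856), (2716, 2728),
                 (2616, 536), (2856, 768), (2716, 808), (808, 1952), (808, 756), (808, 2232)}

USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|public)\\", re.I)
HOST_BINARIES = {"notepad.exe", "iexplore.exe", "explorer.exe"}   # hosts seen in this report
BENIGN_WRITERS = {"explorer.exe", "userinit.exe", "services.exe"}  # normal parents of those hosts


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_index(procs):
    return {p.pid: p for p in procs}


def ancestry(index, pid):
    """The process and its parents, nearest first, until the chain leaves the index."""
    chain = []
    while pid in index:
        chain.append(index[pid])
        pid = index[pid].ppid
    return chain


def hidden_attrib_chains(procs):
    """attrib.exe hiding files (+h) on behalf of an ancestor that runs from a
    user-writable directory; returns (attrib PID, origin PID, command line)."""
    index = build_index(procs)
    out = []
    for p in procs:
        if basename(p.image) == "attrib.exe" and "+h" in p.cmdline.lower():
            origin = next((a for a in ancestry(index, p.ppid)
                           if USER_WRITABLE.search(a.image)), None)
            if origin:
                out.append((p.pid, origin.pid, p.cmdline))
    return out


def injection_hosts(procs, writes):
    """Stock host binaries written into by a writer that is not one of their
    normal parents; returns (writer PID, target PID, target image name)."""
    index = build_index(procs)
    out = []
    for writer_pid, target_pid in sorted(writes):
        writer, target = index.get(writer_pid), index.get(target_pid)
        if not (writer and target):
            continue
        if basename(target.image) in HOST_BINARIES and basename(writer.image) not in BENIGN_WRITERS:
            out.append((writer_pid, target_pid, basename(target.image)))
    return out


def render_tree(procs):
    """Indented text tree; a process whose parent is not in the list is a root."""
    index = build_index(procs)
    kids = defaultdict(list)
    for p in procs:
        kids[p.ppid].append(p)
    lines = []

    def walk(p, depth):
        lines.append(f"{'  ' * depth}{p.pid} {basename(p.image)}  {p.cmdline}")
        for child in kids[p.pid]:
            walk(child, depth + 1)

    for p in procs:
        if p.ppid not in index:
            walk(p, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCS)))
    print("hidden-attrib chains:", hidden_attrib_chains(PROCS))
    print("injection host candidates:", injection_hosts(PROCS, MEMORY_WRITES))
```

On this report's data both attrib.exe instances trace back to file.exe (PID 2716) as the originating Temp-resident binary, and the four stock-binary children that file.exe and Update.exe wrote into (notepad.exe twice, iexplore.exe, explorer.exe) come out as injection host candidates, while the parent-to-dropped-EXE and cmd.exe-to-attrib.exe writes that accompany ordinary process creation are left out.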
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (1)
    Winlogon Helper DLL, T1547.004 (1)
Privilege Escalation
  Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (1)
    Winlogon Helper DLL, T1547.004 (1)
Defense Evasion
  Hide Artifacts, T1564 (2)
    Hidden Files and Directories, T1564.001 (2)
  Modify Registry, T1112 (2)
Downloads

Dropped file 1
Filesize: 3.0MB
MD5: e01dfbe76c690a070ec522d0091a9b3a
SHA1: 3233ef818c3cc27e07612b7db236b74798eca8f7
SHA256: f4d4b2be4cfc692bf9e3a48a93b038280d6dca1dc69956bcae3707abf97d1686
SHA512: ace329d994a6bc7317401e31d7f2e830e9bb17488891c3fc56c14e03b2a2e72b599b7b4f41cc2f59b781c22478e69461791e1a7ba14c27cd845567b3d5f8b406

Dropped file 2
Filesize: 252KB
MD5: 49e04125173bdb0f292b0abb13db301d
SHA1: 00bce84c8a0b6b71d03fa032aff71eb3500b2147
SHA256: f0bbed6d47a04063aa467df02a87991e25bf744ee0eec4e31cff20f1ac110a29
SHA512: af083f3620e1401f619314014405ed8ffe3a938e15c6a04fdf204c32d348f52d21ff36ed084ba6fcf0a6f292c3d12becee08c229fc4c9ac14b234f594a2bbeb9