Analysis
-
max time kernel
119s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-01-2025 16:59
Behavioral task
behavioral1
Sample
6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe
Resource
win7-20240903-en
windows7-x64
19 signatures
120 seconds
General
-
Target
6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe
-
Size
662KB
-
MD5
95a914bf89f4bfb6dfc46e05df00edd2
-
SHA1
8fc777c38bb0087f05b8b59fa828d05c63bb6d19
-
SHA256
6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a
-
SHA512
729cfe6858120ccc939427813fc9758e8e035e0b3b95456a8c553ea1b253b282e597398cc7c1a3e9e5fa4dc5a72e91f06955d9496d5ffd5d7e831776fe411b4a
-
SSDEEP
12288:o3OpvNW4a76S/Ddon/m09bbYlIaaMcE2YGhq3vo1RnfAvIESJgoE26yc/RFF:eOA4aWNn/m09fKIaaBEtWq3A1Ov8JgbZ
Malware Config
Extracted
Family
darkcomet
Botnet
roditeli
C2
84.109.80.244:1604
Mutex
DC_MUTEX-Z6PTE5A
Attributes
-
InstallPath
winlogon.exe
-
gencode
TtoBEMYiC0cu
-
install
true
-
offline_keylogger
true
-
password
55257012
-
persistence
true
-
reg_key
Microsoft
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe -
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winlogon.exe -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winlogon.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 2576 attrib.exe 2008 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe -
Deletes itself 1 IoCs
pid Process 2700 notepad.exe -
Executes dropped EXE 1 IoCs
pid Process 4164 winlogon.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" winlogon.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4164 winlogon.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeSecurityPrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeTakeOwnershipPrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeLoadDriverPrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeSystemProfilePrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeSystemtimePrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeProfSingleProcessPrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeIncBasePriorityPrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeCreatePagefilePrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeBackupPrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeRestorePrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeShutdownPrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeDebugPrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeSystemEnvironmentPrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeChangeNotifyPrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeRemoteShutdownPrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeUndockPrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeManageVolumePrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeImpersonatePrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeCreateGlobalPrivilege 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: 33 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: 34 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: 35 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: 36 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeIncreaseQuotaPrivilege 4164 winlogon.exe Token: SeSecurityPrivilege 4164 winlogon.exe Token: SeTakeOwnershipPrivilege 4164 winlogon.exe Token: SeLoadDriverPrivilege 4164 winlogon.exe Token: SeSystemProfilePrivilege 4164 winlogon.exe Token: SeSystemtimePrivilege 4164 winlogon.exe Token: SeProfSingleProcessPrivilege 4164 winlogon.exe Token: SeIncBasePriorityPrivilege 4164 winlogon.exe Token: SeCreatePagefilePrivilege 4164 winlogon.exe Token: SeBackupPrivilege 4164 winlogon.exe Token: SeRestorePrivilege 4164 winlogon.exe Token: SeShutdownPrivilege 4164 winlogon.exe Token: SeDebugPrivilege 4164 winlogon.exe Token: SeSystemEnvironmentPrivilege 4164 winlogon.exe Token: SeChangeNotifyPrivilege 4164 winlogon.exe Token: SeRemoteShutdownPrivilege 4164 winlogon.exe Token: SeUndockPrivilege 4164 winlogon.exe Token: SeManageVolumePrivilege 4164 winlogon.exe Token: SeImpersonatePrivilege 4164 winlogon.exe Token: SeCreateGlobalPrivilege 4164 winlogon.exe Token: 33 4164 winlogon.exe Token: 34 4164 winlogon.exe Token: 35 4164 winlogon.exe Token: 36 4164 winlogon.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4164 winlogon.exe -
Suspicious use of WriteProcessMemory 54 IoCs
description pid Process procid_target PID 4624 wrote to memory of 5040 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 84 PID 4624 wrote to memory of 5040 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 84 PID 4624 wrote to memory of 5040 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 84 PID 4624 wrote to memory of 3468 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 86 PID 4624 wrote to memory of 3468 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 86 PID 4624 wrote to memory of 3468 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 86 PID 4624 wrote to memory of 2700 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 87 PID 4624 wrote to memory of 2700 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 87 PID 4624 wrote to memory of 2700 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 87 PID 4624 wrote to memory of 2700 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 87 PID 4624 wrote to memory of 2700 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 87 PID 4624 wrote to memory of 2700 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 87 PID 4624 wrote to memory of 2700 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 87 PID 4624 wrote to memory of 2700 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 87 PID 4624 wrote to memory of 2700 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 87 PID 4624 wrote to memory of 2700 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 87 PID 4624 wrote to memory of 2700 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 87 PID 4624 wrote to memory of 2700 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 87 PID 4624 wrote to memory of 2700 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 87 PID 4624 wrote to memory of 2700 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 87 PID 4624 wrote to memory of 2700 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 87 PID 4624 wrote to memory of 2700 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 87 PID 4624 wrote to memory of 2700 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 87 PID 5040 wrote to memory of 2576 5040 cmd.exe 89 PID 5040 wrote to memory of 2576 5040 cmd.exe 89 PID 5040 wrote to memory of 2576 5040 cmd.exe 89 PID 3468 wrote to memory of 2008 3468 cmd.exe 90 PID 3468 wrote to memory of 2008 3468 cmd.exe 90 PID 3468 wrote to memory of 2008 3468 cmd.exe 90 PID 4624 wrote to memory of 4164 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 91 PID 4624 wrote to memory of 4164 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 91 PID 4624 wrote to memory of 4164 4624 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 91 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 PID 4164 wrote to memory of 3096 4164 winlogon.exe 92 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 2576 attrib.exe 2008 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe"C:\Users\Admin\AppData\Local\Temp\6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2576
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2008
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2700
-
-
C:\Users\Admin\AppData\Roaming\winlogon.exe"C:\Users\Admin\AppData\Roaming\winlogon.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- System Location Discovery: System Language Discovery
PID:3096
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
662KB
MD595a914bf89f4bfb6dfc46e05df00edd2
SHA18fc777c38bb0087f05b8b59fa828d05c63bb6d19
SHA2566f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a
SHA512729cfe6858120ccc939427813fc9758e8e035e0b3b95456a8c553ea1b253b282e597398cc7c1a3e9e5fa4dc5a72e91f06955d9496d5ffd5d7e831776fe411b4a