Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
07-01-2025 17:04
Behavioral task
behavioral1
Sample
6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe
Resource
win7-20241023-en
windows7-x64
19 signatures
150 seconds
General
-
Target
6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe
-
Size
662KB
-
MD5
95a914bf89f4bfb6dfc46e05df00edd2
-
SHA1
8fc777c38bb0087f05b8b59fa828d05c63bb6d19
-
SHA256
6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a
-
SHA512
729cfe6858120ccc939427813fc9758e8e035e0b3b95456a8c553ea1b253b282e597398cc7c1a3e9e5fa4dc5a72e91f06955d9496d5ffd5d7e831776fe411b4a
-
SSDEEP
12288:o3OpvNW4a76S/Ddon/m09bbYlIaaMcE2YGhq3vo1RnfAvIESJgoE26yc/RFF:eOA4aWNn/m09fKIaaBEtWq3A1Ov8JgbZ
Malware Config
Extracted
Family
darkcomet
Botnet
roditeli
C2
84.109.80.244:1604
Mutex
DC_MUTEX-Z6PTE5A
Attributes
-
InstallPath
winlogon.exe
-
gencode
TtoBEMYiC0cu
-
install
true
-
offline_keylogger
true
-
password
55257012
-
persistence
true
-
reg_key
Microsoft
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe -
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winlogon.exe -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" winlogon.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 2016 attrib.exe 2708 attrib.exe -
Deletes itself 1 IoCs
pid Process 356 notepad.exe -
Executes dropped EXE 1 IoCs
pid Process 2716 winlogon.exe -
Loads dropped DLL 2 IoCs
pid Process 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" winlogon.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2716 winlogon.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeSecurityPrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeTakeOwnershipPrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeLoadDriverPrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeSystemProfilePrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeSystemtimePrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeProfSingleProcessPrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeIncBasePriorityPrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeCreatePagefilePrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeBackupPrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeRestorePrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeShutdownPrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeDebugPrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeSystemEnvironmentPrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeChangeNotifyPrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeRemoteShutdownPrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeUndockPrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeManageVolumePrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeImpersonatePrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeCreateGlobalPrivilege 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: 33 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: 34 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: 35 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe Token: SeIncreaseQuotaPrivilege 2716 winlogon.exe Token: SeSecurityPrivilege 2716 winlogon.exe Token: SeTakeOwnershipPrivilege 2716 winlogon.exe Token: SeLoadDriverPrivilege 2716 winlogon.exe Token: SeSystemProfilePrivilege 2716 winlogon.exe Token: SeSystemtimePrivilege 2716 winlogon.exe Token: SeProfSingleProcessPrivilege 2716 winlogon.exe Token: SeIncBasePriorityPrivilege 2716 winlogon.exe Token: SeCreatePagefilePrivilege 2716 winlogon.exe Token: SeBackupPrivilege 2716 winlogon.exe Token: SeRestorePrivilege 2716 winlogon.exe Token: SeShutdownPrivilege 2716 winlogon.exe Token: SeDebugPrivilege 2716 winlogon.exe Token: SeSystemEnvironmentPrivilege 2716 winlogon.exe Token: SeChangeNotifyPrivilege 2716 winlogon.exe Token: SeRemoteShutdownPrivilege 2716 winlogon.exe Token: SeUndockPrivilege 2716 winlogon.exe Token: SeManageVolumePrivilege 2716 winlogon.exe Token: SeImpersonatePrivilege 2716 winlogon.exe Token: SeCreateGlobalPrivilege 2716 winlogon.exe Token: 33 2716 winlogon.exe Token: 34 2716 winlogon.exe Token: 35 2716 winlogon.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2716 winlogon.exe -
Suspicious use of WriteProcessMemory 61 IoCs
description pid Process procid_target PID 2328 wrote to memory of 2528 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 30 PID 2328 wrote to memory of 2528 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 30 PID 2328 wrote to memory of 2528 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 30 PID 2328 wrote to memory of 2528 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 30 PID 2328 wrote to memory of 2332 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 32 PID 2328 wrote to memory of 2332 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 32 PID 2328 wrote to memory of 2332 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 32 PID 2328 wrote to memory of 2332 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 32 PID 2328 wrote to memory of 356 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 34 PID 2328 wrote to memory of 356 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 34 PID 2328 wrote to memory of 356 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 34 PID 2328 wrote to memory of 356 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 34 PID 2328 wrote to memory of 356 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 34 PID 2328 wrote to memory of 356 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 34 PID 2328 wrote to memory of 356 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 34 PID 2328 wrote to memory of 356 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 34 PID 2328 wrote to memory of 356 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 34 PID 2328 wrote to memory of 356 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 34 PID 2328 wrote to memory of 356 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 34 PID 2328 wrote to memory of 356 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 34 PID 2328 wrote to memory of 356 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 34 PID 2328 wrote to memory of 356 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 34 PID 2328 wrote to memory of 356 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 34 PID 2328 wrote to memory of 356 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 34 PID 2328 wrote to memory of 356 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 34 PID 2328 wrote to memory of 356 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 34 PID 2332 wrote to memory of 2708 2332 cmd.exe 35 PID 2332 wrote to memory of 2708 2332 cmd.exe 35 PID 2332 wrote to memory of 2708 2332 cmd.exe 35 PID 2332 wrote to memory of 2708 2332 cmd.exe 35 PID 2528 wrote to memory of 2016 2528 cmd.exe 36 PID 2528 wrote to memory of 2016 2528 cmd.exe 36 PID 2528 wrote to memory of 2016 2528 cmd.exe 36 PID 2528 wrote to memory of 2016 2528 cmd.exe 36 PID 2328 wrote to memory of 2716 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 37 PID 2328 wrote to memory of 2716 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 37 PID 2328 wrote to memory of 2716 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 37 PID 2328 wrote to memory of 2716 2328 6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe 37 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 PID 2716 wrote to memory of 536 2716 winlogon.exe 38 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 2016 attrib.exe 2708 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe"C:\Users\Admin\AppData\Local\Temp\6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\6f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a.exe" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2016
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2708
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:356
-
-
C:\Users\Admin\AppData\Roaming\winlogon.exe"C:\Users\Admin\AppData\Roaming\winlogon.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- System Location Discovery: System Language Discovery
PID:536
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
662KB
MD595a914bf89f4bfb6dfc46e05df00edd2
SHA18fc777c38bb0087f05b8b59fa828d05c63bb6d19
SHA2566f391a43ca110c02d7cc4ab3d9bd496e599e0b030208936b390f7d3ccb4b8f2a
SHA512729cfe6858120ccc939427813fc9758e8e035e0b3b95456a8c553ea1b253b282e597398cc7c1a3e9e5fa4dc5a72e91f06955d9496d5ffd5d7e831776fe411b4a