Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
23/03/2025, 22:45
Static task
static1
Behavioral task
behavioral1
Sample
fdcc1125280d4a5de64bb9d9aa4b035ab67ed5b823c2f206f3469593d8317160.exe
Resource
win7-20241023-en
General
-
Target
fdcc1125280d4a5de64bb9d9aa4b035ab67ed5b823c2f206f3469593d8317160.exe
-
Size
520KB
-
MD5
4d2a1ccacb5b6701eff72c44c0ad0e3a
-
SHA1
3f4d593feb1636a938f374319924c29b3a4fe894
-
SHA256
fdcc1125280d4a5de64bb9d9aa4b035ab67ed5b823c2f206f3469593d8317160
-
SHA512
4b37a9a11545813b8e60a97aad73c4580de3330cc953e98eeb93a103d626128a41321a930cb98b97062e1f2506c5654e6104ef9dd5b459678b288dc054f33cb6
-
SSDEEP
6144:f9GGo2CwtGg6eeihEfph2CMvvqqSaYwpncOeC66AOa0aFtVEQfTo1ozVqMbQ:f9fC3hh29Ya77A90aFtDfT5IMbQ
Malware Config
Extracted
Family darkcomet
Botnet (campaign ID) PrivateEye
C2 ratblackshades.no-ip.biz:1604 (dynamic-DNS host; 1604 is the DarkComet default port)
Mutex DC_MUTEX-ACC1R98
-
gencode
8GG5LVVGljSF
-
install
false
-
offline_keylogger
true
-
persistence
false
Signatures
-
Darkcomet family
-
Executes dropped EXE 3 IoCs
pid   Process
2072  winupd.exe
904   winupd.exe
3324  winupd.exe
-
Suspicious use of SetThreadContext 3 IoCs
description                          pid   Process                                                               procid_target
PID 2500 set thread context of 4068  2500  fdcc1125280d4a5de64bb9d9aa4b035ab67ed5b823c2f206f3469593d8317160.exe  97
PID 2072 set thread context of 904   2072  winupd.exe                                                            104
PID 2072 set thread context of 3324  2072  winupd.exe                                                            105
-
resource  yara_rule
behavioral2/memory/3324-{30,36,37,38,40,41,42,45,46,47,48,49,50,51,52,53,54,55,56,57}-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
(20 dumps of the same region in PID 3324, each matching the upx rule; 0x00400000 is the default image base of a 32-bit PE, so the match covers the mapped module of the hollowed winupd.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid   pid_target  Process       procid_target
3928  2924        WerFault.exe  106
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fdcc1125280d4a5de64bb9d9aa4b035ab67ed5b823c2f206f3469593d8317160.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winupd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winupd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winupd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fdcc1125280d4a5de64bb9d9aa4b035ab67ed5b823c2f206f3469593d8317160.exe
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid   Process
2924  ipconfig.exe
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
description (all 24 entries: pid 3324, Process winupd.exe)
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeChangeNotifyPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: SeImpersonatePrivilege
Token: SeCreateGlobalPrivilege
Token: 33
Token: 34
Token: 35
Token: 36
Note: the last four are privilege LUIDs the sandbox did not resolve to a name; in winnt.h, 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege and 36 SeDelegateSessionUserImpersonatePrivilege. Enabling every privilege present in the token in one go, rather than requesting SeDebugPrivilege alone, is consistent with a blanket AdjustTokenPrivileges loop.
-
Suspicious use of SetWindowsHookEx 5 IoCs
pid   Process
2500  fdcc1125280d4a5de64bb9d9aa4b035ab67ed5b823c2f206f3469593d8317160.exe
4068  fdcc1125280d4a5de64bb9d9aa4b035ab67ed5b823c2f206f3469593d8317160.exe
2072  winupd.exe
904   winupd.exe
3324  winupd.exe
-
Suspicious use of WriteProcessMemory 32 IoCs
description                        pid   Process                                                               procid_target  calls
PID 2500 wrote to memory of 4068   2500  fdcc1125280d4a5de64bb9d9aa4b035ab67ed5b823c2f206f3469593d8317160.exe  97             8
PID 4068 wrote to memory of 2072   4068  fdcc1125280d4a5de64bb9d9aa4b035ab67ed5b823c2f206f3469593d8317160.exe  98             3
PID 2072 wrote to memory of 904    2072  winupd.exe                                                            104            8
PID 2072 wrote to memory of 3324   2072  winupd.exe                                                            105            8
PID 904 wrote to memory of 2924    904   winupd.exe                                                            106            5
(the original table lists each call as its own row, 8 + 3 + 8 + 8 + 5 = 32; identical rows are collapsed here with a call count)
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\fdcc1125280d4a5de64bb9d9aa4b035ab67ed5b823c2f206f3469593d8317160.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fdcc1125280d4a5de64bb9d9aa4b035ab67ed5b823c2f206f3469593d8317160.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2500
  Level 2: C:\Users\Admin\AppData\Local\Temp\fdcc1125280d4a5de64bb9d9aa4b035ab67ed5b823c2f206f3469593d8317160.exe (child of PID 2500, same image; the parent wrote to its memory and set its thread context, the process-hollowing shape)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fdcc1125280d4a5de64bb9d9aa4b035ab67ed5b823c2f206f3469593d8317160.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4068
    Level 3: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe (dropped copy, child of PID 4068)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:2072
      Level 4: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe (child of PID 2072, same image; parent wrote to its memory and set its thread context)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:904
        Level 5: C:\Windows\SysWOW64\ipconfig.exe (child of PID 904)
          Command line: "C:\Windows\system32\ipconfig.exe"
          Note: the command line names system32 but the loaded image is the SysWOW64 copy; winupd.exe is a 32-bit process, so WOW64 file system redirection resolves system32 to SysWOW64 and this is the 32-bit ipconfig.exe.
          - Gathers network information
          PID:2924
          Level 6: C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 272
            Note: error reporting for ipconfig.exe (PID 2924), the process that winupd.exe (PID 904) wrote to in the WriteProcessMemory table.
            - Program crash
            PID:3928
      Level 4: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe (second child of PID 2072, same image; parent wrote to its memory and set its thread context)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID:3324
Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2924 -ip 2924
  Note: second WerFault.exe instance for the same crash (PID 2924), started at top level rather than under ipconfig.exe.
  PID:5952
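The SetThreadContext and WriteProcessMemory tables above and this process tree describe the same chain from two angles: three times a parent writes into a child that runs the same image and then resets its thread context, while two further children only receive writes. The script below is an added example written for this page, not sandbox output or anything from the sample's author: it re-reads rows in the shape of those tables, groups the calls per parent/child pair, and separates the hollowing shape (writes plus SetThreadContext into the same image) from write-only pairs, which it deliberately leaves inconclusive because a parent's CreateProcess also shows up as a handful of WriteProcessMemory calls in this kind of log. The row text, the pid-to-image map and the one-row-per-line layout are constructed from the values on the page and are this script's own assumptions.

```python
"""
Rebuild the injection chain from sandbox IoC rows.

Added example (editor-written, not part of the sandbox report). The rows are
constructed from the values shown on the page; the one-row-per-line text
layout and the pid -> image map are this script's own assumptions.
"""
import re
from collections import defaultdict

SAMPLE = "fdcc1125280d4a5de64bb9d9aa4b035ab67ed5b823c2f206f3469593d8317160.exe"

# pid -> image name, taken from the report's process tree
PROCESSES = {
    2500: SAMPLE,
    4068: SAMPLE,
    2072: "winupd.exe",
    904: "winupd.exe",
    3324: "winupd.exe",
    2924: "ipconfig.exe",
}

# Constructed input: the SetThreadContext and WriteProcessMemory rows from the
# report, one per line. Repeated rows are kept on purpose: each is one API call.
IOC_ROWS = "\n".join(
    [f"PID 2500 set thread context of 4068 2500 {SAMPLE} 97",
     "PID 2072 set thread context of 904 2072 winupd.exe 104",
     "PID 2072 set thread context of 3324 2072 winupd.exe 105"]
    + [f"PID 2500 wrote to memory of 4068 2500 {SAMPLE} 97"] * 8
    + [f"PID 4068 wrote to memory of 2072 4068 {SAMPLE} 98"] * 3
    + ["PID 2072 wrote to memory of 904 2072 winupd.exe 104"] * 8
    + ["PID 2072 wrote to memory of 3324 2072 winupd.exe 105"] * 8
    + ["PID 904 wrote to memory of 2924 904 winupd.exe 106"] * 5
)

# From the "Program crash" row: WerFault.exe was started for PID 2924
CRASHED_PIDS = {2924}

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<api>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ \S+ \d+$"
)


def parse_rows(text):
    """Yield (api, source_pid, target_pid) for every row that matches."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            api = "SetThreadContext" if m["api"].startswith("set") else "WriteProcessMemory"
            yield api, int(m["src"]), int(m["dst"])


def classify(text, processes=PROCESSES, crashed=CRASHED_PIDS):
    """Group calls per (source, target) pair and give each pair a verdict.

    hollow-self  : writes + SetThreadContext into a child running the SAME image
                   (the RunPE / process-hollowing shape, seen three times here)
    hollow-other : writes + SetThreadContext into a child running another image
    context-only : SetThreadContext without any logged write
    write-only   : writes but no thread-context change; inconclusive on its own,
                   because CreateProcess by the parent also appears as a few
                   WriteProcessMemory calls in this kind of log
    """
    writes = defaultdict(int)
    ctx_pairs = set()
    for api, src, dst in parse_rows(text):
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        else:
            ctx_pairs.add((src, dst))

    findings = {}
    for pair in sorted(set(writes) | ctx_pairs):
        src, dst = pair
        src_img, dst_img = processes.get(src, "?"), processes.get(dst, "?")
        n_writes = writes[pair]
        if pair in ctx_pairs and n_writes:
            verdict = "hollow-self" if src_img == dst_img else "hollow-other"
        elif pair in ctx_pairs:
            verdict = "context-only"
        else:
            verdict = "write-only"
        findings[pair] = {
            "src_image": src_img, "dst_image": dst_img,
            "writes": n_writes, "set_thread_context": pair in ctx_pairs,
            "verdict": verdict, "crashed": dst in crashed,
        }
    return findings


def render(findings):
    """One line per pair, parent -> child, for a quick triage read."""
    lines = []
    for (src, dst), f in findings.items():
        note = " (target crashed)" if f["crashed"] else ""
        lines.append(f"{src} {f['src_image']} -> {dst} {f['dst_image']}: "
                     f"{f['verdict']}, {f['writes']} writes{note}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(classify(IOC_ROWS))))
```

Run as-is it lists five pairs: 2500 -> 4068, 2072 -> 904 and 2072 -> 3324 come out as hollow-self, while 4068 -> 2072 (the drop being launched) and 904 -> 2924 (ipconfig.exe, flagged as crashed) stay write-only, which is the split a triage note should make rather than calling every WriteProcessMemory row an injection.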
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 520KB
MD5 b9bfaa10f901c111152064baa4f83724
SHA1 841a1a8bcc2c1fe10010b911553d2601100176e0
SHA256 338033139db45bbe9cbed3eb52d48b33e6460aebbb3a318cee80e86f0b608be2
SHA512 f396872b79cb6d130dcc55198857b71684f0ccf9bf1cb2bfe910d7d9cabc2c2730011d35131bb36536222f486cf0ff7f0f479c9e52c3f1ef11d7ff8a76eb0246