Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20250207-en
resource tags: arch:x64, arch:x86, image:win7-20250207-en, locale:en-us, os:windows7-x64, system
submitted: 23/03/2025, 18:33
Behavioral task: behavioral1
Sample: 89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe
Resource: win7-20250207-en

Behavioral task: behavioral2
Sample: 89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe
Resource: win10v2004-20250314-en
General
Target: 89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe
Size: 576KB
MD5: ea4445e41347ed5e6d5cc9efa9870c49
SHA1: afc184e6231a3a7ab018fa0454d599707533115e
SHA256: 89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb
SHA512: ce8093844144ff3ff81b479f325f25bb4b26ed447cc0f07a3fa9cba23ca601c1136ccee9c097d9da76314068362cb89d584d90ee0672b0b4b3c82f318bfbfb77
SSDEEP: 12288:+NWPkHlUkErBuxQ4uzi6d6dL/yiXLzeMdK6io8levy0FhVlpzkzDDoS7:+NWPkHlUfBgpuPdWzyuDTifgyWlo
Malware Config
Extracted
Family: darkcomet
Botnet: ToaksBitch
C2: letsgoboom.no-ip.info:1604
Mutex: DC_MUTEX-ADL2HN0
gencode: vwp1Z9lmZ3Pj
install: false
offline_keylogger: true
password: runescaped
persistence: false
Signatures

Darkcomet family

Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | mcsft.exe
Executes dropped EXE (2 IoCs)
pid | Process
2900 | mcsft.exe
2748 | mcsft.exe
Loads dropped DLL (5 IoCs)
pid | Process
664 | 89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe
664 | 89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe
664 | 89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe
664 | 89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe
664 | 89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcrosoft = "C:\\Users\\Admin\\AppData\\Roaming\\mcsft.exe" | reg.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2900 set thread context of 2748 | 2900 | mcsft.exe | 34
resource | yara_rule
behavioral1/memory/664-0-0x0000000000400000-0x00000000007C8000-memory.dmp | upx
behavioral1/files/0x0009000000015d8c-27.dat | upx
behavioral1/memory/664-47-0x0000000000400000-0x00000000007C8000-memory.dmp | upx
behavioral1/memory/2748-51-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-54-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-53-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2900-56-0x0000000000400000-0x00000000007C8000-memory.dmp | upx
behavioral1/memory/2748-57-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-58-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-59-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-60-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-63-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-62-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-61-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-64-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-65-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-66-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-67-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-68-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-69-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-70-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-71-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-72-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-73-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-74-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-75-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2748-76-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mcsft.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mcsft.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | mcsft.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | mcsft.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | mcsft.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | mcsft.exe
Enumerates system info in registry (2 TTPs, 1 IoC)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | mcsft.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 2748 | mcsft.exe
Token: SeSecurityPrivilege | 2748 | mcsft.exe
Token: SeTakeOwnershipPrivilege | 2748 | mcsft.exe
Token: SeLoadDriverPrivilege | 2748 | mcsft.exe
Token: SeSystemProfilePrivilege | 2748 | mcsft.exe
Token: SeSystemtimePrivilege | 2748 | mcsft.exe
Token: SeProfSingleProcessPrivilege | 2748 | mcsft.exe
Token: SeIncBasePriorityPrivilege | 2748 | mcsft.exe
Token: SeCreatePagefilePrivilege | 2748 | mcsft.exe
Token: SeBackupPrivilege | 2748 | mcsft.exe
Token: SeRestorePrivilege | 2748 | mcsft.exe
Token: SeShutdownPrivilege | 2748 | mcsft.exe
Token: SeDebugPrivilege | 2748 | mcsft.exe
Token: SeSystemEnvironmentPrivilege | 2748 | mcsft.exe
Token: SeChangeNotifyPrivilege | 2748 | mcsft.exe
Token: SeRemoteShutdownPrivilege | 2748 | mcsft.exe
Token: SeUndockPrivilege | 2748 | mcsft.exe
Token: SeManageVolumePrivilege | 2748 | mcsft.exe
Token: SeImpersonatePrivilege | 2748 | mcsft.exe
Token: SeCreateGlobalPrivilege | 2748 | mcsft.exe
Token: 33 | 2748 | mcsft.exe
Token: 34 | 2748 | mcsft.exe
Token: 35 | 2748 | mcsft.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
664 | 89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe
2900 | mcsft.exe
2748 | mcsft.exe
Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 664 wrote to memory of 2940 | 664 | 89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe | 30
PID 664 wrote to memory of 2940 | 664 | 89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe | 30
PID 664 wrote to memory of 2940 | 664 | 89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe | 30
PID 664 wrote to memory of 2940 | 664 | 89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe | 30
PID 2940 wrote to memory of 2104 | 2940 | cmd.exe | 32
PID 2940 wrote to memory of 2104 | 2940 | cmd.exe | 32
PID 2940 wrote to memory of 2104 | 2940 | cmd.exe | 32
PID 2940 wrote to memory of 2104 | 2940 | cmd.exe | 32
PID 664 wrote to memory of 2900 | 664 | 89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe | 33
PID 664 wrote to memory of 2900 | 664 | 89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe | 33
PID 664 wrote to memory of 2900 | 664 | 89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe | 33
PID 664 wrote to memory of 2900 | 664 | 89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe | 33
PID 2900 wrote to memory of 2748 | 2900 | mcsft.exe | 34
PID 2900 wrote to memory of 2748 | 2900 | mcsft.exe | 34
PID 2900 wrote to memory of 2748 | 2900 | mcsft.exe | 34
PID 2900 wrote to memory of 2748 | 2900 | mcsft.exe | 34
PID 2900 wrote to memory of 2748 | 2900 | mcsft.exe | 34
PID 2900 wrote to memory of 2748 | 2900 | mcsft.exe | 34
PID 2900 wrote to memory of 2748 | 2900 | mcsft.exe | 34
PID 2900 wrote to memory of 2748 | 2900 | mcsft.exe | 34
PID 2900 wrote to memory of 2748 | 2900 | mcsft.exe | 34
Processes

C:\Users\Admin\AppData\Local\Temp\89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe (PID 664)
  Command line: "C:\Users\Admin\AppData\Local\Temp\89c08f9425b6ccc85624c6701ffa6af10a2596935c2a2347f574cc7b40dc9ecb.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2940)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\dActJ.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe (PID 2104)
          Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoft" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\mcsft.exe" /f
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Roaming\mcsft.exe (PID 2900)
      Command line: "C:\Users\Admin\AppData\Roaming\mcsft.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\mcsft.exe (PID 2748)
          Command line: C:\Users\Admin\AppData\Roaming\mcsft.exe
          - Checks BIOS information in registry
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 135B
MD5: a5feca573884d76f559b996d45e8ad9a
SHA1: 0e81a993f3af4e31d60653dc2513186f0495f1c8
SHA256: c98e20d46d6465febb5d29cfab51241521ea5d6cd621f5e18b9b7d6fbfac3f0f
SHA512: a9239648b5f15eac4d4151b6e1bdc81065eeaeb101404c2a0126f03bc87f1e6a57206bfa07a44379e9d3bba889e4497a9991ff41fb109099b01512df3dc3cbda

Filesize: 576KB
MD5: 797a8bb06f62bf94c70d9edcfc5a4933
SHA1: 68b22e19b17fb04a01898b48c7a641ca7d133384
SHA256: e9a77bac861dba5151bfcee278c9d3b8712931561dca7558a0c0cc22c54d50af
SHA512: cab0a9df166e88676d71508fe43336cb8f2194dc37ffd9d20ba149e41dcf9422e96c75efe341ea288f396c903d85fe162890264ba901bf92e09da5568cc76fdf