Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/03/2025, 21:36
Static task: static1
Behavioral task: behavioral1
Sample: 22c39ee739643bb374b7b3ab27645b7a2b95581f335965365dc349d696f271d4.exe
Resource: win7-20250207-en
General
Target: 22c39ee739643bb374b7b3ab27645b7a2b95581f335965365dc349d696f271d4.exe
Size: 642KB
MD5: ca6c591a7ae42873de9f0f512107e693
SHA1: e572562e39c39154b46821df84d4750034f61a81
SHA256: 22c39ee739643bb374b7b3ab27645b7a2b95581f335965365dc349d696f271d4
SHA512: 76e46e04b0489aefd11ccfa7e263c56ace00bb1b139de64f878cc8e0e75b3096be0715028ae888fe0896378238e31d6d71c8757aeba5caa625924acd191f51c0
SSDEEP: 12288:XwLf1o3E5LNco0u9nrFXAjqOKl0aDcoOvB2tdGH4sm+omaeZ:XQdo0g3utujqpXDcoOmdGH4sm1ma
Malware Config
Extracted (darkcomet)
gencode:
install: false
offline_keylogger: false
persistence: false

Extracted (darkcomet)
campaign: Guest16
C2: ariesdevil2.no-ip.org:1604
mutex: DC_MUTEX-2ZKGCGV
gencode: gePxyhGT8qXk
install: false
offline_keylogger: true
password: 0123456789
persistence: false
Signatures
Darkcomet family
Uses the VBS compiler for execution (1 TTPs)
Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 2672 set thread context of 392   2672  22c39ee739643bb374b7b3ab27645b7a2b95581f335965365dc349d696f271d4.exe   87
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  22c39ee739643bb374b7b3ab27645b7a2b95581f335965365dc349d696f271d4.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  notepad.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process
  2672  22c39ee739643bb374b7b3ab27645b7a2b95581f335965365dc349d696f271d4.exe   (same entry repeated 10 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  392   vbc.exe
Suspicious use of AdjustPrivilegeToken (25 IoCs)
  description                           pid   Process
  Token: SeDebugPrivilege               2672  22c39ee739643bb374b7b3ab27645b7a2b95581f335965365dc349d696f271d4.exe
  Token: SeIncreaseQuotaPrivilege       392   vbc.exe
  Token: SeSecurityPrivilege            392   vbc.exe
  Token: SeTakeOwnershipPrivilege       392   vbc.exe
  Token: SeLoadDriverPrivilege          392   vbc.exe
  Token: SeSystemProfilePrivilege       392   vbc.exe
  Token: SeSystemtimePrivilege          392   vbc.exe
  Token: SeProfSingleProcessPrivilege   392   vbc.exe
  Token: SeIncBasePriorityPrivilege     392   vbc.exe
  Token: SeCreatePagefilePrivilege      392   vbc.exe
  Token: SeBackupPrivilege              392   vbc.exe
  Token: SeRestorePrivilege             392   vbc.exe
  Token: SeShutdownPrivilege            392   vbc.exe
  Token: SeDebugPrivilege               392   vbc.exe
  Token: SeSystemEnvironmentPrivilege   392   vbc.exe
  Token: SeChangeNotifyPrivilege        392   vbc.exe
  Token: SeRemoteShutdownPrivilege      392   vbc.exe
  Token: SeUndockPrivilege              392   vbc.exe
  Token: SeManageVolumePrivilege        392   vbc.exe
  Token: SeImpersonatePrivilege         392   vbc.exe
  Token: SeCreateGlobalPrivilege        392   vbc.exe
  Token: 33                             392   vbc.exe
  Token: 34                             392   vbc.exe
  Token: 35                             392   vbc.exe
  Token: 36                             392   vbc.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  392   vbc.exe
Suspicious use of WriteProcessMemory (36 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 2672 wrote to memory of 392   2672  22c39ee739643bb374b7b3ab27645b7a2b95581f335965365dc349d696f271d4.exe   87   (same entry repeated 14 times)
  PID 392 wrote to memory of 724    392   vbc.exe                                                                 89   (same entry repeated 22 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\22c39ee739643bb374b7b3ab27645b7a2b95581f335965365dc349d696f271d4.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\22c39ee739643bb374b7b3ab27645b7a2b95581f335965365dc349d696f271d4.exe"
   PID: 2672
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (child of 1)
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      PID: 392
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\notepad.exe (child of 2)
         command line: notepad
         PID: 724