Analysis
- max time kernel: 150s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:18

Static task: static1

Behavioral task: behavioral1
- Sample: 153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: 153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
- Resource: win10v20201028
General
- Target: 153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
- Size: 1.7MB
- MD5: b73ddd5b666ee096c73d5dccee18b54b
- SHA1: 60483bb7bb5f6aea52b4afbc60b3d4cbe1bb9a00
- SHA256: 4bf25d8f561fa3bf452d87b82bbb051d074b2ae8bcebec1dc421d1e653902884
- SHA512: ad7d8bcdf85eddc1412a6196392bec46ba3aaf8d9f1e48b399289e2225c42f43a5a4305840595ff96abf4f67eccf9e64669a77e8b2e6fabe8b84fbb533e893e2
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16_min
- C2: 127.0.0.1:82
- Mutex: DCMIN_MUTEX-U2EW3CZ
Attributes
- InstallPath: DCSCMIN\IMDCSC.exe
- gencode: vzqTZlD6owu2
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: DarkComet RAT
Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: 153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"
  process: 153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
- Executes dropped EXE (2 IoCs)
Processes: IMDCSC.exe, IMDCSC.exe
  pid 3156: IMDCSC.exe
  pid 2440: IMDCSC.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"
  process: 153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
- Suspicious use of SetThreadContext (2 IoCs)
Processes: 153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe, IMDCSC.exe
  PID 576 set thread context of 3248 | pid 576 | process 153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe | target 153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
  PID 3156 set thread context of 2440 | pid 3156 | process IMDCSC.exe | target IMDCSC.exe
- autoit_exe (3 IoCs)
AutoIT scripts compiled to PE executables.
Processes (resource | yara_rule):
  C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe | autoit_exe
  C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe | autoit_exe
  C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe | autoit_exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: 153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe, IMDCSC.exe
  pid 3248 (153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  pid 2440 (IMDCSC.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoC)
Processes: IMDCSC.exe
  pid 2440: IMDCSC.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
Processes: 153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe, 153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe, IMDCSC.exe
  PID 576 wrote to memory of 3248 | pid 576 | process 153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe | target 153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe (14 entries)
  PID 3248 wrote to memory of 3156 | pid 3248 | process 153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe | target IMDCSC.exe (3 entries)
  PID 3156 wrote to memory of 2440 | pid 3156 | process IMDCSC.exe | target IMDCSC.exe (14 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe"
  PID: 576
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe"
    PID: 3248
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
      command line: "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
      PID: 3156
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
        command line: "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
        PID: 2440
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
  MD5: b73ddd5b666ee096c73d5dccee18b54b
  SHA1: 60483bb7bb5f6aea52b4afbc60b3d4cbe1bb9a00
  SHA256: 4bf25d8f561fa3bf452d87b82bbb051d074b2ae8bcebec1dc421d1e653902884
  SHA512: ad7d8bcdf85eddc1412a6196392bec46ba3aaf8d9f1e48b399289e2225c42f43a5a4305840595ff96abf4f67eccf9e64669a77e8b2e6fabe8b84fbb533e893e2
- C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
  MD5: b73ddd5b666ee096c73d5dccee18b54b
  SHA1: 60483bb7bb5f6aea52b4afbc60b3d4cbe1bb9a00
  SHA256: 4bf25d8f561fa3bf452d87b82bbb051d074b2ae8bcebec1dc421d1e653902884
  SHA512: ad7d8bcdf85eddc1412a6196392bec46ba3aaf8d9f1e48b399289e2225c42f43a5a4305840595ff96abf4f67eccf9e64669a77e8b2e6fabe8b84fbb533e893e2
- C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
  MD5: b73ddd5b666ee096c73d5dccee18b54b
  SHA1: 60483bb7bb5f6aea52b4afbc60b3d4cbe1bb9a00
  SHA256: 4bf25d8f561fa3bf452d87b82bbb051d074b2ae8bcebec1dc421d1e653902884
  SHA512: ad7d8bcdf85eddc1412a6196392bec46ba3aaf8d9f1e48b399289e2225c42f43a5a4305840595ff96abf4f67eccf9e64669a77e8b2e6fabe8b84fbb533e893e2
- memory/2440-7-0x000000000048F888-mapping.dmp
- memory/3156-3-0x0000000000000000-mapping.dmp
- memory/3248-1-0x000000000048F888-mapping.dmp
- memory/3248-0-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
- memory/3248-2-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB