Analysis
- max time kernel: 15s
- max time network: 114s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 13:42

Static task: static1

Behavioral task: behavioral1
- Sample: 14929a757a1299c47ab1395a63d4c8ee.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: 14929a757a1299c47ab1395a63d4c8ee.exe
- Resource: win10v20201028
General
- Target: 14929a757a1299c47ab1395a63d4c8ee.exe
- Size: 775KB
- MD5: 14929a757a1299c47ab1395a63d4c8ee
- SHA1: fcc28114965b83bee2919e450b7731feebbbdd09
- SHA256: 65d1b87c16eb44d2d057df7492af8ee0f0f070e59f6678d9cb04a40b33df0d0f
- SHA512: 856470354ab7956c5709589c3a77674ca8e265b5ae29748d5d4d2e52c8986b9f6d4f8166f4a9ecc47b9c9cfdc16d7d699d4cd03c7f6ef596f2e58a36348e01ec
Malware Config
Extracted: darkcomet
- dcv123.no-ip.biz:1604
- DC_MUTEX-45YS4L8
- InstallPath: MSDCSC\msdcsc.exe
- gencode: jvfglC4ADoBp
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: msdcsc
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
    process: Steam.exe
- Executes dropped EXE (1 IoCs)
  Processes:
    pid: 2924
    process: Steam.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\msdcsc = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
    process: Steam.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes (description / pid / process):
    Token: SeIncreaseQuotaPrivilege / 2924 / Steam.exe
    Token: SeSecurityPrivilege / 2924 / Steam.exe
    Token: SeTakeOwnershipPrivilege / 2924 / Steam.exe
    Token: SeLoadDriverPrivilege / 2924 / Steam.exe
    Token: SeSystemProfilePrivilege / 2924 / Steam.exe
    Token: SeSystemtimePrivilege / 2924 / Steam.exe
    Token: SeProfSingleProcessPrivilege / 2924 / Steam.exe
    Token: SeIncBasePriorityPrivilege / 2924 / Steam.exe
    Token: SeCreatePagefilePrivilege / 2924 / Steam.exe
    Token: SeBackupPrivilege / 2924 / Steam.exe
    Token: SeRestorePrivilege / 2924 / Steam.exe
    Token: SeShutdownPrivilege / 2924 / Steam.exe
    Token: SeDebugPrivilege / 2924 / Steam.exe
    Token: SeSystemEnvironmentPrivilege / 2924 / Steam.exe
    Token: SeChangeNotifyPrivilege / 2924 / Steam.exe
    Token: SeRemoteShutdownPrivilege / 2924 / Steam.exe
    Token: SeUndockPrivilege / 2924 / Steam.exe
    Token: SeManageVolumePrivilege / 2924 / Steam.exe
    Token: SeImpersonatePrivilege / 2924 / Steam.exe
    Token: SeCreateGlobalPrivilege / 2924 / Steam.exe
    Token: 33 / 2924 / Steam.exe
    Token: 34 / 2924 / Steam.exe
    Token: 35 / 2924 / Steam.exe
    Token: 36 / 2924 / Steam.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
    PID 3276 wrote to memory of 2924 / 3276 / 14929a757a1299c47ab1395a63d4c8ee.exe / Steam.exe
    PID 3276 wrote to memory of 2924 / 3276 / 14929a757a1299c47ab1395a63d4c8ee.exe / Steam.exe
    PID 3276 wrote to memory of 2924 / 3276 / 14929a757a1299c47ab1395a63d4c8ee.exe / Steam.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\14929a757a1299c47ab1395a63d4c8ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14929a757a1299c47ab1395a63d4c8ee.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Steam.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Steam.exe
  MD5: ccf6a95666b780aa1420ebc1eadc5463
  SHA1: cb9f6d999959d4f7dbcc8b5d9b94913cb9db015b
  SHA256: 857a582cf3b9e8bfd6f65698a0879dc8b7c8361963505092b4af26d711f32b60
  SHA512: bb6fc1a2996800185286c8e40c8e64ddfef732385f2cc678502efb3f64543275c985a3cc12ce94338ac48c995ffd9095b840c12b310ad34f395a66f70237665f
- memory/2924-2-0x0000000000000000-mapping.dmp