Analysis
- max time kernel: 151s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 23-02-2021 15:31
Behavioral task: behavioral1
- Sample: bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
- Resource: win7v20201028
General
- Target: bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
- Size: 759KB
- MD5: 0033390156302419d1c2443fb91b3b7d
- SHA1: d1f62d7c700090f9d19a534109e783d13fd4ff48
- SHA256: bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32
- SHA512: 17b88128a27d2ac444b71c31019eeda32dadd7ff14806e5210f33220eede8921c3fb2a1115fde157e33e1f87794420b6f720d347418d99cbeeeb30df6bec4b0d
Malware Config
Extracted
- Family: darkcomet
- Botnet ID: killme
- C2: exte.duckdns.org:1604
- Mutex: DC_MUTEX-1B8PLBC
- InstallPath: MSDCSC\msdcsc.exe
- gencode: Vb8gzzR5D30d
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
Executes dropped EXE (2 IoCs)
Processes:
- PID 996 LEGIT.EXE
- PID 2844 msdcsc.exe
YARA rule matches (resource / yara_rule):
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe: upx
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe: upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- PID 996 LEGIT.EXE (all 64 entries are identical)
Suspicious use of AdjustPrivilegeToken (49 IoCs)
Processes:
- PID 1048 bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 2844 msdcsc.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 996 LEGIT.EXE, tokens: SeDebugPrivilege
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 2844 msdcsc.exe
Suspicious use of WriteProcessMemory (40 IoCs)
Processes (source PID and process, target PID and process):
- PID 1048 bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe wrote to memory of PID 2796 cmd.exe (3 entries)
- PID 1048 bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe wrote to memory of PID 2880 cmd.exe (3 entries)
- PID 1048 bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe wrote to memory of PID 996 LEGIT.EXE (3 entries)
- PID 2880 cmd.exe wrote to memory of PID 3016 attrib.exe (3 entries)
- PID 2796 cmd.exe wrote to memory of PID 2192 attrib.exe (3 entries)
- PID 1048 bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe wrote to memory of PID 2844 msdcsc.exe (3 entries)
- PID 2844 msdcsc.exe wrote to memory of PID 420 notepad.exe (22 entries)
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
- PID 3016 attrib.exe
- PID 2192 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe"
  PID: 1048
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe" +s +h
    PID: 2796
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe" +s +h
      PID: 2192
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    PID: 2880
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      PID: 3016
      - Views/modifies file attributes
  - C:\Users\Admin\AppData\Local\Temp\LEGIT.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\LEGIT.EXE"
    PID: 996
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    PID: 2844
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
      PID: 420
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\LEGIT.EXE
  MD5: 5f7ab5d237a07802284d31cd63badce1
  SHA1: 607efffa330ffadcd869f5a69bc912e4f49841a3
  SHA256: 55f44e8df73184a7efb2ef53531637171221f47963060df1a455662fa4cf63d6
  SHA512: 428e802c318cd92d3ad0b2a2ede3cd2ed4bf1c0dc517ded1911b32bbfeb6b93be83d6be32b9ace6acea3f5dd386e15db8d3ae5b0924ddebabe8dda58e88c87a9
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: 0033390156302419d1c2443fb91b3b7d
  SHA1: d1f62d7c700090f9d19a534109e783d13fd4ff48
  SHA256: bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32
  SHA512: 17b88128a27d2ac444b71c31019eeda32dadd7ff14806e5210f33220eede8921c3fb2a1115fde157e33e1f87794420b6f720d347418d99cbeeeb30df6bec4b0d
Memory dumps:
- memory/420-16-0x0000000000000000-mapping.dmp
- memory/420-17-0x00000000008B0000-0x00000000008B1000-memory.dmp (4KB)
- memory/996-5-0x0000000000000000-mapping.dmp
- memory/996-10-0x0000000072080000-0x000000007276E000-memory.dmp (6.9MB)
- memory/996-11-0x0000000000280000-0x0000000000281000-memory.dmp (4KB)
- memory/1048-2-0x0000000000A80000-0x0000000000A81000-memory.dmp (4KB)
- memory/2192-8-0x0000000000000000-mapping.dmp
- memory/2796-3-0x0000000000000000-mapping.dmp
- memory/2844-13-0x0000000000000000-mapping.dmp
- memory/2844-18-0x0000000000840000-0x0000000000841000-memory.dmp (4KB)
- memory/2880-4-0x0000000000000000-mapping.dmp
- memory/3016-7-0x0000000000000000-mapping.dmp