Analysis
- max time kernel: 151s
- max time network: 72s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 15-05-2021 05:39
Behavioral task: behavioral1
Sample: 8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Resource: win7v20210410
General
- Target: 8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
- Size: 658KB
- MD5: f979bb14551c7b5166c2564f0cb81b17
- SHA1: 8ee1be6c76d7a2a1179564bd0e12bb94a603402c
- SHA256: 8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5
- SHA512: 232f74ea88561f67e5a3095b83681e4f35e49e5c877e81c23cf9b04994a299e8fd981e2efae97297e6f4226ad7d7f49bd2ee4eb4d0d9a4162f22dd2749e8af23
Malware Config
Extracted
- Family: darkcomet
- Botnet: All
- C2: 192.168.0.102:1604, 192.168.0.102:81
- Mutex: DC_MUTEX-GRA2N0X
- InstallPath: MSDCSC\msdcsc.exe
- gencode: jqHg0YaebT2u
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
    process: 8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 2888: msdcsc.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation
    process: 8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
    process: 8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes:
    description: Key created
    ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
    process: 8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid 2888: msdcsc.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes:
    pid 488 (8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
    pid 2888 (msdcsc.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid 2888: msdcsc.exe
- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes:
    PID 488 (8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe) wrote to memory of PID 1000 (cmd.exe): 3 times
    PID 488 (8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe) wrote to memory of PID 2576 (cmd.exe): 3 times
    PID 1000 (cmd.exe) wrote to memory of PID 1852 (attrib.exe): 3 times
    PID 2576 (cmd.exe) wrote to memory of PID 2884 (attrib.exe): 3 times
    PID 488 (8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe) wrote to memory of PID 2888 (msdcsc.exe): 3 times
    PID 2888 (msdcsc.exe) wrote to memory of PID 192 (notepad.exe): 22 times
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes:
    pid 1852: attrib.exe
    pid 2884: attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 488
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe" +s +h
    - Suspicious use of WriteProcessMemory
    PID: 1000
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe" +s +h
      - Views/modifies file attributes
      PID: 1852
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    PID: 2576
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
      PID: 2884
  - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2888
    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
      PID: 192
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  MD5: f979bb14551c7b5166c2564f0cb81b17
  SHA1: 8ee1be6c76d7a2a1179564bd0e12bb94a603402c
  SHA256: 8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5
  SHA512: 232f74ea88561f67e5a3095b83681e4f35e49e5c877e81c23cf9b04994a299e8fd981e2efae97297e6f4226ad7d7f49bd2ee4eb4d0d9a4162f22dd2749e8af23
- memory/192-122-0x0000000000000000-mapping.dmp
- memory/192-124-0x0000000000C10000-0x0000000000C11000-memory.dmp (Filesize: 4KB)
- memory/488-115-0x0000000002220000-0x0000000002221000-memory.dmp (Filesize: 4KB)
- memory/1000-114-0x0000000000000000-mapping.dmp
- memory/1852-117-0x0000000000000000-mapping.dmp
- memory/2576-116-0x0000000000000000-mapping.dmp
- memory/2884-118-0x0000000000000000-mapping.dmp
- memory/2888-119-0x0000000000000000-mapping.dmp
- memory/2888-123-0x0000000001FF0000-0x0000000001FF1000-memory.dmp (Filesize: 4KB)