Analysis
- max time kernel: 150s
- max time network: 131s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 15-05-2021 08:22
Static task: static1
Behavioral task: behavioral1
- Sample: afde80e403c3cee66901608a34694fed406fe49bf29f7a094b5849490066d1e2.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: afde80e403c3cee66901608a34694fed406fe49bf29f7a094b5849490066d1e2.exe
- Resource: win10v20210410
General
- Target: afde80e403c3cee66901608a34694fed406fe49bf29f7a094b5849490066d1e2.exe
- Size: 6.2MB
- MD5: 4dbce725957c4224d8eda6f98319e048
- SHA1: 918762b4e789416e62bb9a2947f66d8f03325474
- SHA256: afde80e403c3cee66901608a34694fed406fe49bf29f7a094b5849490066d1e2
- SHA512: 3e8f4c959bce90c6dfa08da98454ba0c58fad680b784ae3c2ade977e15cedc65a133f4e929cb82e6651830a9f1d4f27a41fd994cbef1201db1d04bb84c78d0b9
Malware Config
Extracted
- Family: darkcomet
- Campaign ID: Hackeado EDK
- C2: kaelhacking.no-ip.org:2000
- Mutex: DC_MUTEX-TCSRCNU
- InstallPath: MSDCSC\msdcsc.exe
- gencode: YREZtoVwzYzE
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: Encryptado.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (Encryptado.exe)
- Executes dropped EXE (4 IoCs)
  Processes: DARKCO~1.EXE (PID 2352), TRAINE~1.EXE (PID 3292), Encryptado.exe (PID 2312), msdcsc.exe (PID 2760)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: afde80e403c3cee66901608a34694fed406fe49bf29f7a094b5849490066d1e2.exe, Encryptado.exe, msdcsc.exe
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (afde80e403c3cee66901608a34694fed406fe49bf29f7a094b5849490066d1e2.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (afde80e403c3cee66901608a34694fed406fe49bf29f7a094b5849490066d1e2.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (Encryptado.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (msdcsc.exe)
- Drops file in System32 directory (3 IoCs)
  Processes: Encryptado.exe
  File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (Encryptado.exe)
  File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (Encryptado.exe)
  File opened for modification C:\Windows\SysWOW64\MSDCSC\ (Encryptado.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: Encryptado.exe (PID 2312), msdcsc.exe (PID 2760)
  Each of the two processes adjusted the same 24 token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: msdcsc.exe (PID 2760)
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes: afde80e403c3cee66901608a34694fed406fe49bf29f7a094b5849490066d1e2.exe, TRAINE~1.EXE, Encryptado.exe, msdcsc.exe
  PID 4024 (afde80e403c3cee66901608a34694fed406fe49bf29f7a094b5849490066d1e2.exe) wrote to memory of PID 2352 (DARKCO~1.EXE): 3 times
  PID 4024 (afde80e403c3cee66901608a34694fed406fe49bf29f7a094b5849490066d1e2.exe) wrote to memory of PID 3292 (TRAINE~1.EXE): 2 times
  PID 3292 (TRAINE~1.EXE) wrote to memory of PID 2312 (Encryptado.exe): 3 times
  PID 2312 (Encryptado.exe) wrote to memory of PID 2760 (msdcsc.exe): 3 times
  PID 2760 (msdcsc.exe) wrote to memory of PID 2508 (notepad.exe): 22 times
Processes
- C:\Users\Admin\AppData\Local\Temp\afde80e403c3cee66901608a34694fed406fe49bf29f7a094b5849490066d1e2.exe (depth 1, PID 4024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\afde80e403c3cee66901608a34694fed406fe49bf29f7a094b5849490066d1e2.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DARKCO~1.EXE (depth 2, PID 2352)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DARKCO~1.EXE
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TRAINE~1.EXE (depth 2, PID 3292)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TRAINE~1.EXE
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Encryptado.exe (depth 3, PID 2312)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Encryptado.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (depth 4, PID 2760)
        Command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\notepad.exe (depth 5, PID 2508)
          Command line: notepad
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Encryptado.exe
  MD5: c4c0b3b8f8088bb36257e9362130ab20
  SHA1: 6c10897fb430d619ce46a41429d6efd336709cad
  SHA256: 002f9d5f0b9446c729e0dfee547c16fc751fd2c784a643a3b8038c836f5b5242
  SHA512: 35aa7d48dd043c822b838f45b4c39479fe0949efe8f5b688c6258a36068476d95a3eeea9811a018e0c9648567022d2a3f0e55ed07e02af0ae974c2657d2adb86
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DARKCO~1.EXE
  MD5: d761f3aa64064a706a521ba14d0f8741
  SHA1: ab7382bcfdf494d0327fccce9c884592bcc1adeb
  SHA256: 21ca06b18698d14154a45822aaae1e3837d168cc7630bcd3ec3d8c68aaa959e6
  SHA512: d2274c03f805a5cd62104492e154fc225c3f6997091accb2f4bff165308fc82ba0d9adf185ec744222bcb4ece08d1ba754a35a2d88c10c5743f4d2e66494377f
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TRAINE~1.EXE
  MD5: b6630b857ad5cce1b0c5d0c305303bed
  SHA1: 39a0f6fe08608df34aabc0eacac438e018cc949f
  SHA256: 9f549136cba8ab1dff83b14e86500956b69e72700b3746482a30f7a97acd84ff
  SHA512: 0edf02cd28222870253d6cdbb56810a0f3abe81b7cdd21f6f1669abce84dfedb2411b18d6f3165df9e284b5071b6dadedc026ca00ef0b403afa868dc5272a9c4
- C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (same hashes as the dropped Encryptado.exe)
  MD5: c4c0b3b8f8088bb36257e9362130ab20
  SHA1: 6c10897fb430d619ce46a41429d6efd336709cad
  SHA256: 002f9d5f0b9446c729e0dfee547c16fc751fd2c784a643a3b8038c836f5b5242
  SHA512: 35aa7d48dd043c822b838f45b4c39479fe0949efe8f5b688c6258a36068476d95a3eeea9811a018e0c9648567022d2a3f0e55ed07e02af0ae974c2657d2adb86
- memory/2312-121-0x0000000000000000-mapping.dmp
- memory/2312-128-0x00000000005A0000-0x00000000005C3000-memory.dmp (filesize 140KB)
- memory/2352-114-0x0000000000000000-mapping.dmp
- memory/2508-127-0x0000000000000000-mapping.dmp
- memory/2508-130-0x0000000003160000-0x0000000003161000-memory.dmp (filesize 4KB)
- memory/2760-124-0x0000000000000000-mapping.dmp
- memory/2760-129-0x00000000005E0000-0x000000000072A000-memory.dmp (filesize 1.3MB)
- memory/3292-120-0x0000000002D30000-0x0000000002D32000-memory.dmp (filesize 8KB)
- memory/3292-117-0x0000000000000000-mapping.dmp