Analysis
max time kernel: 151s
max time network: 147s
platform: windows10_x64
resource: win10v20210408
submitted: 11-08-2021 16:13
Static task: static1
Behavioral task: behavioral1
Sample: PCS.exe
Resource: win7v20210408
General
Target: PCS.exe
Size: 11.1MB
MD5: 96e9564254f0acc6aa656cb56ab0e94d
SHA1: b0d63f3ce6bb82c649cbc7a17df774acbf23477d
SHA256: 1a722652518e589be34613b12d419efee2235ff0b0a37556fbb9cda5eb27b1d2
SHA512: 69d05b841c558dfe8f8ad8527e8f9450e68becf50bd0d89e372d8cc8b61770bad6d3a94b22ca858829a613d8c563519d0cc92d13f918274ecacb46799e1103d8
Malware Config
Extracted
Family: darkcomet
Botnet (campaign ID): Guest16
C2: onlinebonjour1pt.ddns.net:1605
Mutex: DC_MUTEX-XJRH105
InstallPath: MSDCSC\msdcsc.exe
gencode: TeN3mNbzDY1b
install: true
offline_keylogger: true
persistence: true
reg_key: Microdapt
The C2 is a dynamic-DNS hostname, so whatever address it resolved to at analysis time is not a durable indicator; the hostname itself, the mutex name, and the reg_key/InstallPath pair (which reappear verbatim in the Run key and Winlogon writes under Signatures) are the values to hunt on.
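Added example (not code from this report, the sandbox, or DarkComet itself): how a configuration block like the one above is recovered from a sample. It assumes the layout documented by public DarkComet config extractors, namely that the DCDATA resource is a hex string of RC4 ciphertext whose plaintext is one KEY={VALUE} line per setting, keyed with the 5.1 builder default "#KCMDDC51#-890" (older builders used the other strings in CANDIDATE_KEYS) with the operator's password appended when one was set. The mapping from DCDATA field names (SID, NETDATA, MUTEX, EDTPATH, GENCODE, INSTALL, OFFLINEK, PERSINST, KEYNAME) to the labels used above is likewise taken from those extractors and is an assumption here, and the blob decoded below is constructed by encrypting the report's own values with that key; it is not the resource from PCS.exe.

```python
"""Decode a DarkComet-style DCDATA configuration blob (added example)."""
import binascii
from typing import Dict, Optional

# RC4 keys used by DarkComet builders, as documented by public config
# extractors (assumption: not taken from the report above). An operator
# password, if set in the builder, is appended to the key.
CANDIDATE_KEYS = (
    "#KCMDDC51#-890",   # 5.1 builder default
    "#KCMDDC5#-890",    # 5.0
    "#KCMDDC42F#-890",  # 4.2F
    "#KCMDDC42#-890",   # 4.2
    "#KCMDDC4#-890",    # 4.x
    "#KCMDDC2#-890",    # 2.x
)

# DCDATA field name -> label used in the report (assumed mapping).
FIELD_LABELS = {
    "SID": "botnet",
    "NETDATA": "c2",
    "MUTEX": "mutex",
    "EDTPATH": "InstallPath",
    "GENCODE": "gencode",
    "INSTALL": "install",
    "OFFLINEK": "offline_keylogger",
    "PERSINST": "persistence",
    "KEYNAME": "reg_key",
}
BOOL_FIELDS = {"install", "offline_keylogger", "persistence"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_config(hex_blob: str, key: str) -> Optional[Dict[str, str]]:
    """Hex-decode and RC4-decrypt a blob; returns None when the key is wrong."""
    try:
        plain = rc4(key.encode("latin-1"), binascii.unhexlify(hex_blob.strip()))
    except (binascii.Error, ValueError):
        return None
    # A wrong key yields pseudo-random bytes; the right one yields printable
    # KEY={VALUE} lines, so anything non-printable is rejected outright.
    if not all(0x20 <= b < 0x7F or b in b"\r\n" for b in plain):
        return None
    fields: Dict[str, str] = {}
    for line in plain.decode("ascii").splitlines():
        if "={" in line and line.endswith("}"):
            name, value = line.split("={", 1)
            fields[name] = value[:-1]
    return fields or None


def extract_config(hex_blob: str, password: str = "") -> Optional[Dict[str, object]]:
    """Try each builder key (plus optional password) and normalise the result
    to the labels the report uses; None if no key produces a readable config."""
    for base in CANDIDATE_KEYS:
        fields = decrypt_config(hex_blob, base + password)
        if fields is None:
            continue
        cfg: Dict[str, object] = {}
        for raw, label in FIELD_LABELS.items():
            if raw in fields:
                cfg[label] = fields[raw] == "1" if label in BOOL_FIELDS else fields[raw]
        cfg["rc4_key"] = base + password
        return cfg
    return None


# Constructed sample: the report's values written the way DCDATA stores them,
# then encrypted with the 5.1 default key. This is NOT the resource from PCS.exe.
_SAMPLE_PLAINTEXT = (
    "MUTEX={DC_MUTEX-XJRH105}\r\n"
    "SID={Guest16}\r\n"
    "NETDATA={onlinebonjour1pt.ddns.net:1605}\r\n"
    "GENCODE={TeN3mNbzDY1b}\r\n"
    "INSTALL={1}\r\n"
    "PERSINST={1}\r\n"
    "OFFLINEK={1}\r\n"
    "KEYNAME={Microdapt}\r\n"
    "EDTPATH={MSDCSC\\msdcsc.exe}\r\n"
)
SAMPLE_BLOB = binascii.hexlify(rc4(b"#KCMDDC51#-890", _SAMPLE_PLAINTEXT.encode())).decode().upper()

if __name__ == "__main__":
    for label, value in (extract_config(SAMPLE_BLOB) or {}).items():
        print(f"{label}: {value}")
```

On a real sample the hex string comes from the RT_RCDATA resource named DCDATA; if every candidate key fails, the operator most likely set a builder password, which has to be appended to the key (the `password` argument) before decryption succeeds.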
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: PCS.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
Winlogon executes every comma-separated entry of UserInit at interactive logon, before the shell starts; the only legitimate entry is the system userinit.exe, so the appended msdcsc.exe path is a second persistence mechanism alongside the Run key below.

Modifies security service (2 TTPs, 1 IoC)
Process: msdcsc.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
Start = 4 is SERVICE_DISABLED: the Security Center service (wscsvc) will not start at the next boot.

Executes dropped EXE (2 IoCs)
Processes: msdcsc.exe (PID 2212), msdcsc.exe (PID 488)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process: PCS.exe
Key value queried \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation

Windows security modification (2 IoCs)
Process: msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
These silence the Security Center's antivirus and Windows Update warnings; the WOW6432Node path shows the writer is a 32-bit process on 64-bit Windows.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: PCS.exe, msdcsc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microdapt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" (written first by PCS.exe, then again by msdcsc.exe)
The value name Microdapt is the reg_key from the extracted config and the data is its InstallPath.

Suspicious use of SetThreadContext (2 IoCs)
PID 992 (PCS.exe) set thread context of PID 2952 (PCS.exe)
PID 2212 (msdcsc.exe) set thread context of PID 488 (msdcsc.exe)
In both cases the target is a freshly spawned child of the same image that the parent also writes to (see WriteProcessMemory below). The parent is only a loader and the child runs the injected payload, which is why the DarkComet behaviour (registry changes, privilege adjustment, keyboard hook) is attributed to PIDs 2952 and 488 rather than to their parents.

autoit_exe (3 IoCs)
AutoIT scripts compiled to PE executables.
YARA rule autoit_exe matched C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (three matches on the same file).
The dropped file carries the same hashes as the submitted sample (see Downloads), so PCS.exe itself is an AutoIt-compiled executable that unpacks the DarkComet payload into its own child process.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The "ransomware" hint is the sandbox's generic description of this signature. For a DarkComet RAT, drive enumeration is equally consistent with its remote file-browsing features, and this report records no file encryption.

Modifies registry class (1 IoC)
Process: PCS.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance

Suspicious use of AdjustPrivilegeToken (48 IoCs)
PID 2952 (PCS.exe) and PID 488 (msdcsc.exe) each enable the same 24 privileges on their token:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35 and 36, which the sandbox reports only by number (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege respectively).
Enabling every privilege in one sweep is a "grant everything" routine rather than targeted use. AdjustTokenPrivileges can only enable privileges the token already holds, so on a standard-user token most of these calls fail silently; the sandbox user here is Admin.

Suspicious use of SetWindowsHookEx (1 IoC)
Process: msdcsc.exe (PID 488)
A Windows message hook is the usual user-mode keylogging mechanism; this is consistent with offline_keylogger = true in the extracted config.

Suspicious use of WriteProcessMemory (47 IoCs)
Source, target, and number of writes:
PID 992 PCS.exe wrote to PID 2952 PCS.exe (5)
PID 2952 PCS.exe wrote to PID 3692 cmd.exe (3)
PID 2952 PCS.exe wrote to PID 496 cmd.exe (3)
PID 496 cmd.exe wrote to PID 2100 attrib.exe (3)
PID 3692 cmd.exe wrote to PID 2108 attrib.exe (3)
PID 2952 PCS.exe wrote to PID 2212 msdcsc.exe (3)
PID 2212 msdcsc.exe wrote to PID 488 msdcsc.exe (5)
PID 488 msdcsc.exe wrote to PID 2800 notepad.exe (22)
The three writes into each newly created cmd.exe, attrib.exe and msdcsc.exe child are the same for every child and are consistent with process-creation bookkeeping by the parent. The writes that matter are the five into each same-image child that also receives SetThreadContext, and the 22 into notepad.exe, which has no other recorded activity and serves as a host for injected code.

Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes: attrib.exe (PID 2108), attrib.exe (PID 2100)
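Added example (not part of the report): the registry writes listed above turned into host-independent detection rules. The parser takes "Set value" lines in the exact form the report prints them; the sample lines are constructed here from the report's IoCs plus two benign controls (the default UserInit value and a Run entry under Program Files) so that the rules can be checked for false positives. The rules themselves are generic: any extra UserInit entry, wscsvc set to disabled, any Security Center *DisableNotify flag, and any Run/RunOnce entry that launches from a user's Temp folder.

```python
"""Persistence / defence-evasion rules over registry set-value events (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# One "Set value" line as the report prints it:
#   Set value (str) \REGISTRY\...\Key\Name = "data" process.exe
SET_VALUE_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)"'
    r'(?:\s+(?P<proc>\S+))?\s*$'
)


def parse_set_value(line: str) -> Optional[Dict[str, str]]:
    """Split a set-value line into key, value name, data and writing process."""
    m = SET_VALUE_RE.search(line)
    if m is None:
        return None
    key, _, name = m["path"].rpartition("\\")
    # the report escapes backslashes inside the quoted data; undo that
    return {"type": m["type"], "key": key, "name": name,
            "data": m["data"].replace("\\\\", "\\"), "proc": m["proc"] or "?"}


def evaluate(key: str, name: str, data: str) -> List[str]:
    """Apply the rules to one value write; returns a (possibly empty) list of findings."""
    k, n, d = key.lower(), name.lower(), data.lower()
    findings: List[str] = []

    # 1. Winlogon UserInit: only <system32>\userinit.exe belongs in the chain.
    if k.endswith("\\windows nt\\currentversion\\winlogon") and n == "userinit":
        entries = [e.strip() for e in data.split(",") if e.strip()]
        extra = [e for e in entries if not e.lower().endswith("\\system32\\userinit.exe")]
        if extra:
            findings.append(f"UserInit chain extended with {extra}")

    # 2. Start = 4 (SERVICE_DISABLED) on the Security Center service.
    if k.endswith("\\services\\wscsvc") and n == "start" and data == "4":
        findings.append("wscsvc (Security Center) set to SERVICE_DISABLED")

    # 3. Security Center *DisableNotify = 1 silences AV / update / firewall warnings.
    if "\\security center" in k and n.endswith("disablenotify") and data == "1":
        findings.append(f"Security Center notification suppressed: {name}")

    # 4. Run / RunOnce entries that launch something from a user's Temp folder.
    if (k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce")) \
            and "\\appdata\\local\\temp\\" in d:
        findings.append(f"Run key {name} launches from %TEMP%: {data}")
    return findings


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over every parsable line; returns (process, finding) pairs."""
    results: List[Tuple[str, str]] = []
    for line in lines:
        event = parse_set_value(line)
        if event is None:
            continue
        for finding in evaluate(event["key"], event["name"], event["data"]):
            results.append((event["proc"], finding))
    return results


# Constructed sample: the four IoC lines from the report, then two benign
# controls that must NOT fire (default UserInit, Run entry under Program Files).
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" PCS.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microdapt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" PCS.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," setup.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" OneDrive.exe',
]

if __name__ == "__main__":
    for proc, finding in scan(SAMPLE_LINES):
        print(f"{proc}: {finding}")
```

The same four rules map directly onto Sysmon Event ID 13 (RegistryEvent, value set) on a live host, where TargetObject carries the key and value name and Details carries the data; the UserInit rule in particular should fire on any change at all, since nothing legitimate appends to that value.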
Processes

C:\Users\Admin\AppData\Local\Temp\PCS.exe (PID 992)
  command line: "C:\Users\Admin\AppData\Local\Temp\PCS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\PCS.exe (PID 2952, injected child)
    command line: "C:\Users\Admin\AppData\Local\Temp\PCS.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\PCS.exe" +s +h
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
        command line: attrib "C:\Users\Admin\AppData\Local\Temp\PCS.exe" +s +h
        - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
        command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Views/modifies file attributes

    C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (PID 2212)
      command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (PID 488, injected child)
        command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
        - Modifies security service
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\notepad.exe (PID 2800)
          command line: notepad

Notes on the tree: the command lines name C:\Windows\System32\cmd.exe, but the image that actually ran is C:\Windows\SysWOW64\cmd.exe because the 32-bit parent is subject to WoW64 file-system redirection. The two attrib +s +h commands mark the dropper and the whole Temp folder as system and hidden, which removes them from a default Explorer view, and "cmd /k" leaves each cmd.exe running afterwards. notepad.exe is started with no arguments and has no signature of its own; it is the target of the 22 memory writes from PID 488 listed under Signatures.
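Added example (not part of the report): the loader-to-child injection pattern visible in the tree above, written as a check over the sandbox's own event lines. It aggregates the "set thread context of" and "wrote to memory of" lines per (source, target) pair and flags two things: a pair that receives both SetThreadContext and memory writes (the hollowing-style hand-off into a child, noting when parent and child share an image), and a pair that only receives writes but more than WRITE_THRESHOLD of them (the notepad.exe case). The threshold is a heuristic assumption chosen so that the three writes the parent makes into every freshly created child are ignored; the event lines are constructed here from the counts in the report.

```python
"""Injection-pair detection over sandbox process events (added example)."""
import re
from typing import Dict, List, Tuple

# Lines as the report prints them:
#   PID <src> set thread context of <dst> <src> <src image> <dst image>
#   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<kind>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)"
)

# Heuristic (assumption): a parent writes a small, fixed number of times into
# every child it creates; only counts above this are treated as injection.
WRITE_THRESHOLD = 5

PairKey = Tuple[int, int]


def aggregate(lines: List[str]) -> Dict[PairKey, Dict[str, object]]:
    """Count writes and context changes per (source PID, target PID)."""
    pairs: Dict[PairKey, Dict[str, object]] = {}
    for line in lines:
        m = EVENT_RE.search(line)
        if m is None:
            continue
        key = (int(m["src"]), int(m["dst"]))
        stats = pairs.setdefault(key, {"src_img": m["src_img"], "dst_img": m["dst_img"],
                                       "writes": 0, "set_context": 0})
        if m["kind"].startswith("wrote"):
            stats["writes"] += 1
        else:
            stats["set_context"] += 1
    return pairs


def find_injection(lines: List[str]) -> List[Dict[str, object]]:
    """Return the pairs that look like code injection, sorted by (src, dst)."""
    findings: List[Dict[str, object]] = []
    for (src, dst), st in aggregate(lines).items():
        tag = None
        if st["set_context"] and st["writes"]:
            # WriteProcessMemory + SetThreadContext on the same target is the
            # hand-off used to run an injected image inside a (usually suspended) child.
            tag = "hollowing-style injection"
            if str(st["src_img"]).lower() == str(st["dst_img"]).lower():
                tag += " into a child of the same image"
        elif int(st["writes"]) > WRITE_THRESHOLD:
            tag = "bulk cross-process memory write"
        if tag:
            findings.append({"src": src, "dst": dst, "src_img": st["src_img"],
                             "dst_img": st["dst_img"], "writes": st["writes"],
                             "set_context": st["set_context"], "tag": tag})
    return sorted(findings, key=lambda f: (f["src"], f["dst"]))


# Constructed sample: one line per event, expanded from the counts in the report.
_RAW = [
    (1, "PID 992 set thread context of 2952 992 PCS.exe PCS.exe"),
    (1, "PID 2212 set thread context of 488 2212 msdcsc.exe msdcsc.exe"),
    (5, "PID 992 wrote to memory of 2952 992 PCS.exe PCS.exe"),
    (3, "PID 2952 wrote to memory of 3692 2952 PCS.exe cmd.exe"),
    (3, "PID 2952 wrote to memory of 496 2952 PCS.exe cmd.exe"),
    (3, "PID 496 wrote to memory of 2100 496 cmd.exe attrib.exe"),
    (3, "PID 3692 wrote to memory of 2108 3692 cmd.exe attrib.exe"),
    (3, "PID 2952 wrote to memory of 2212 2952 PCS.exe msdcsc.exe"),
    (5, "PID 2212 wrote to memory of 488 2212 msdcsc.exe msdcsc.exe"),
    (22, "PID 488 wrote to memory of 2800 488 msdcsc.exe notepad.exe"),
]
SAMPLE_LINES = [line for count, line in _RAW for _ in range(count)]

if __name__ == "__main__":
    for f in find_injection(SAMPLE_LINES):
        print(f"{f['src']} {f['src_img']} -> {f['dst']} {f['dst_img']}: "
              f"{f['tag']} ({f['writes']} writes, {f['set_context']} context changes)")
```

Endpoint telemetry does not expose WriteProcessMemory and SetThreadContext as discrete events the way the sandbox does; the closest host-side signal is a Sysmon Event ID 10 (ProcessAccess) from a parent to its own child with write and thread-control rights in GrantedAccess, which the same pairing logic can be applied to.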
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (the report lists this file three times with identical hashes)
MD5 96e9564254f0acc6aa656cb56ab0e94d
SHA1 b0d63f3ce6bb82c649cbc7a17df774acbf23477d
SHA256 1a722652518e589be34613b12d419efee2235ff0b0a37556fbb9cda5eb27b1d2
SHA512 69d05b841c558dfe8f8ad8527e8f9450e68becf50bd0d89e372d8cc8b61770bad6d3a94b22ca858829a613d8c563519d0cc92d13f918274ecacb46799e1103d8
All four hashes match the submitted PCS.exe: the "dropped" file is a byte-for-byte self-copy to the InstallPath from the config, so one hash set covers both the dropper and the persisted copy.
memory/488-129-0x00000000024E0000-0x00000000024E1000-memory.dmp (4KB)
memory/488-128-0x00000000000D0000-0x0000000000182000-memory.dmp (712KB)
memory/488-126-0x000000000015F888-mapping.dmp
memory/496-119-0x0000000000000000-mapping.dmp
memory/2100-120-0x0000000000000000-mapping.dmp
memory/2108-121-0x0000000000000000-mapping.dmp
memory/2212-122-0x0000000000000000-mapping.dmp
memory/2800-130-0x0000000000000000-mapping.dmp
memory/2800-131-0x0000000003040000-0x0000000003041000-memory.dmp (4KB)
memory/2952-114-0x00000000000D0000-0x0000000000182000-memory.dmp (712KB)
memory/2952-117-0x0000000002830000-0x0000000002831000-memory.dmp (4KB)
memory/2952-116-0x00000000000D0000-0x0000000000182000-memory.dmp (712KB)
memory/2952-115-0x000000000015F888-mapping.dmp
memory/3692-118-0x0000000000000000-mapping.dmp
The two injected children, PID 2952 (PCS.exe) and PID 488 (msdcsc.exe), each yield a 712KB dump of the same range 0xD0000-0x182000 and a mapping at 0x15F888, which lies inside that range: the same payload image was written to the same address in both, and those dumps are the natural place to carve the unpacked DarkComet payload from.