Analysis
- max time kernel: 155s
- max time network: 157s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 14-08-2021 06:51
Static task: static1
Behavioral task: behavioral1
Sample: SBHJYT.exe
Resource: win7v20210410
General
- Target: SBHJYT.exe
- Size: 13.9MB
- MD5: 20799f295c5b0e5aa27b5896b230b57a
- SHA1: e0e72f3a636f4dcd87bb5606f24fe0ff298fbb74
- SHA256: 3d96847f7962c01a7951f95acb29dff7999b7e8d54c946b3b1ccd035cbf2bcb1
- SHA512: 70cd3984c49da18dc9aeb852f745a8324a93583ab892af7f08bf5372cdb4ffc0cb0cce4033988d9088aaf1b0c740f612690addf9598ad3349ef6ef79112b3d16
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: onlinebonjour1pt.ddns.net:1605
- Mutex: DC_MUTEX-K9JEE5J
- InstallPath: MSDCSC\msdcsc.exe
- gencode: PPlJGVizdNKt
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: Microdaptxx
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes (process | description | ioc):
  SBHJYT.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes (process | description | ioc):
  msdcsc.exe | Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  msdcsc.exe | Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  msdcsc.exe | Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- Modifies security service (2 TTPs, 1 IoC)
  Processes (process | description | ioc):
  msdcsc.exe | Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
- suricata: ET MALWARE Backdoor.Win32.DarkComet Screenshot Upload Successful
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  3716 | msdcsc.exe
  3180 | msdcsc.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (process | description | ioc):
  SBHJYT.exe | Key value queried | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation
- Windows security modification
  Processes (process | description | ioc):
  msdcsc.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  msdcsc.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (process | description | ioc):
  SBHJYT.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microdaptxx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
  msdcsc.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microdaptxx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description | pid | process | target process):
  PID 4060 set thread context of 2388 | 4060 | SBHJYT.exe | SBHJYT.exe
  PID 3716 set thread context of 3180 | 3716 | msdcsc.exe | msdcsc.exe
- autoit_exe (3 IoCs)
  AutoIT scripts compiled to PE executables.
  Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | autoit_exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | autoit_exe
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | autoit_exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes (process | description | ioc):
  SBHJYT.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
  3180 | msdcsc.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes (pid | process | tokens adjusted):
  2388 | SBHJYT.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  3180 | msdcsc.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
  3180 | msdcsc.exe
- Suspicious use of WriteProcessMemory (47 IoCs)
  Processes (pid | process | target pid | target process | number of write events):
  4060 | SBHJYT.exe | 2388 | SBHJYT.exe | 5
  2388 | SBHJYT.exe | 2972 | cmd.exe | 3
  2388 | SBHJYT.exe | 2296 | cmd.exe | 3
  2296 | cmd.exe | 3680 | attrib.exe | 3
  2972 | cmd.exe | 3644 | attrib.exe | 3
  2388 | SBHJYT.exe | 3716 | msdcsc.exe | 3
  3716 | msdcsc.exe | 3180 | msdcsc.exe | 5
  3180 | msdcsc.exe | 3676 | notepad.exe | 22
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes (pid | process):
  3644 | attrib.exe
  3680 | attrib.exe
Processes (process tree; the number in brackets is the depth in the tree)
[1] C:\Users\Admin\AppData\Local\Temp\SBHJYT.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SBHJYT.exe"
    signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\SBHJYT.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\SBHJYT.exe"
      signatures: Modifies WinLogon for persistence; Checks computer location settings; Adds Run key to start application; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\SBHJYT.exe" +s +h
        signatures: Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\attrib.exe
          command line: attrib "C:\Users\Admin\AppData\Local\Temp\SBHJYT.exe" +s +h
          signatures: Views/modifies file attributes
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        signatures: Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\attrib.exe
          command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          signatures: Views/modifies file attributes
    [3] C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
        signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
          signatures: Modifies firewall policy service; Modifies security service; Executes dropped EXE; Windows security modification; Adds Run key to start application; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\notepad.exe
            command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  MD5: 20799f295c5b0e5aa27b5896b230b57a
  SHA1: e0e72f3a636f4dcd87bb5606f24fe0ff298fbb74
  SHA256: 3d96847f7962c01a7951f95acb29dff7999b7e8d54c946b3b1ccd035cbf2bcb1
  SHA512: 70cd3984c49da18dc9aeb852f745a8324a93583ab892af7f08bf5372cdb4ffc0cb0cce4033988d9088aaf1b0c740f612690addf9598ad3349ef6ef79112b3d16
- memory/2296-119-0x0000000000000000-mapping.dmp
- memory/2388-115-0x000000000015F888-mapping.dmp
- memory/2388-117-0x0000000002B60000-0x0000000002B61000-memory.dmp (filesize 4KB)
- memory/2388-116-0x00000000000D0000-0x0000000000186000-memory.dmp (filesize 728KB)
- memory/2388-114-0x00000000000D0000-0x0000000000186000-memory.dmp (filesize 728KB)
- memory/2972-118-0x0000000000000000-mapping.dmp
- memory/3180-126-0x000000000015F888-mapping.dmp
- memory/3180-129-0x00000000000D0000-0x0000000000186000-memory.dmp (filesize 728KB)
- memory/3180-130-0x0000000000A00000-0x0000000000B4A000-memory.dmp (filesize 1.3MB)
- memory/3644-121-0x0000000000000000-mapping.dmp
- memory/3676-128-0x0000000000000000-mapping.dmp
- memory/3676-131-0x0000000003100000-0x0000000003101000-memory.dmp (filesize 4KB)
- memory/3680-120-0x0000000000000000-mapping.dmp
- memory/3716-122-0x0000000000000000-mapping.dmp