Analysis

Max time kernel: 151s
Max time network: 131s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 31-08-2021 19:03

Static task: static1
Behavioral task: behavioral1
  Sample: 802b67f035f6b75aa99b4c04c7701ca80f132ec5007d066f04c174e304423f94.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 802b67f035f6b75aa99b4c04c7701ca80f132ec5007d066f04c174e304423f94.exe
  Resource: win10v20210410
General

Target: 802b67f035f6b75aa99b4c04c7701ca80f132ec5007d066f04c174e304423f94.exe
Size: 797KB
MD5: 2ca8be7c1b7b9d4addcdd8643b37faf8
SHA1: 4282592b2dda12b1385575b7686e741e5af9e178
SHA256: 802b67f035f6b75aa99b4c04c7701ca80f132ec5007d066f04c174e304423f94
SHA512: b81531ded14a93fa7a6136ce721bc79cc113b4745d226acddb73067d5f628469820eb40b233b0de2fe5526c413914b51f24ec4533710b19d37842d307a754f93
Malware Config

Extracted family: darkcomet
  Campaign ID: enayi avcısı
  C2: 8.tcp.ngrok.io:18922
  C2: 8.tcp.ngrok.io:11390
  Mutex: DC_MUTEX-JJADN00
  InstallPath: MSDCSC\msdcsc.exe
  gencode: LHGZ2Ktc5bFu
  install: true
  offline_keylogger: true
  persistence: true
  reg_key: Owo Para
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  802b67f035f6b75aa99b4c04c7701ca80f132ec5007d066f04c174e304423f94.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\MSDCSC\\msdcsc.exe"

Modifies security service (2 TTPs, 1 IoC)
  msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"

Disables Task Manager via registry modification

Executes dropped EXE (1 IoC)
  pid 992: msdcsc.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  802b67f035f6b75aa99b4c04c7701ca80f132ec5007d066f04c174e304423f94.exe: Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation

Windows security modification
  msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"

Adds Run key to start application (2 TTPs, 2 IoCs)
  msdcsc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Owo Para = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\MSDCSC\\msdcsc.exe"
  802b67f035f6b75aa99b4c04c7701ca80f132ec5007d066f04c174e304423f94.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Owo Para = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\MSDCSC\\msdcsc.exe"

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  802b67f035f6b75aa99b4c04c7701ca80f132ec5007d066f04c174e304423f94.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  pid 744 (802b67f035f6b75aa99b4c04c7701ca80f132ec5007d066f04c174e304423f94.exe), 24 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  pid 992 (msdcsc.exe), the same 24 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 992: msdcsc.exe

Suspicious use of WriteProcessMemory (42 IoCs)
  PID 744 (802b67f035f6b75aa99b4c04c7701ca80f132ec5007d066f04c174e304423f94.exe) wrote to memory of 3176 (cmd.exe): 3 times
  PID 744 (802b67f035f6b75aa99b4c04c7701ca80f132ec5007d066f04c174e304423f94.exe) wrote to memory of 2772 (cmd.exe): 3 times
  PID 3176 (cmd.exe) wrote to memory of 1072 (attrib.exe): 3 times
  PID 2772 (cmd.exe) wrote to memory of 1864 (attrib.exe): 3 times
  PID 744 (802b67f035f6b75aa99b4c04c7701ca80f132ec5007d066f04c174e304423f94.exe) wrote to memory of 992 (msdcsc.exe): 3 times
  PID 992 (msdcsc.exe) wrote to memory of 4092 (iexplore.exe): 3 times
  PID 992 (msdcsc.exe) wrote to memory of 3384 (explorer.exe): 2 times
  PID 992 (msdcsc.exe) wrote to memory of 2452 (notepad.exe): 22 times

System policy modification (1 TTP, 3 IoCs)
  msdcsc.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
  msdcsc.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
  msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"

Views/modifies file attributes (1 TTP, 2 IoCs)
  pid 1864: attrib.exe
  pid 1072: attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\802b67f035f6b75aa99b4c04c7701ca80f132ec5007d066f04c174e304423f94.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\802b67f035f6b75aa99b4c04c7701ca80f132ec5007d066f04c174e304423f94.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\802b67f035f6b75aa99b4c04c7701ca80f132ec5007d066f04c174e304423f94.exe" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\802b67f035f6b75aa99b4c04c7701ca80f132ec5007d066f04c174e304423f94.exe" +s +h
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes

  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\MSDCSC\msdcsc.exe"
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

    C:\Windows\explorer.exe
      Command line: "C:\Windows\explorer.exe"

    C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\MSDCSC\msdcsc.exe
  MD5: 2ca8be7c1b7b9d4addcdd8643b37faf8
  SHA1: 4282592b2dda12b1385575b7686e741e5af9e178
  SHA256: 802b67f035f6b75aa99b4c04c7701ca80f132ec5007d066f04c174e304423f94
  SHA512: b81531ded14a93fa7a6136ce721bc79cc113b4745d226acddb73067d5f628469820eb40b233b0de2fe5526c413914b51f24ec4533710b19d37842d307a754f93

memory/744-114-0x0000000002240000-0x0000000002241000-memory.dmp
  Filesize: 4KB
memory/992-119-0x0000000000000000-mapping.dmp
memory/992-123-0x0000000002100000-0x0000000002101000-memory.dmp
  Filesize: 4KB
memory/1072-117-0x0000000000000000-mapping.dmp
memory/1864-118-0x0000000000000000-mapping.dmp
memory/2452-122-0x0000000000000000-mapping.dmp
memory/2452-124-0x00000000010E0000-0x00000000010E1000-memory.dmp
  Filesize: 4KB
memory/2772-116-0x0000000000000000-mapping.dmp
memory/3176-115-0x0000000000000000-mapping.dmp