Analysis
- max time kernel: 162s
- max time network: 139s
- platform: windows7_x64
- resource: win7-en
- submitted: 06-09-2021 06:44

Behavioral task: behavioral1
- Sample: 7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe
- Resource: win7-en
General
- Target: 7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe
- Size: 658KB
- MD5: f7ce32b7a4e41e6d16aaa8c2766ede4d
- SHA1: 4183604cdb185657e8fbcf4e5df2c694cb94049c
- SHA256: 7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716
- SHA512: 1fcdf94c074d1958ca19fcc107a722b6524f71f4cdff7acf49013f9e5b1b08dba892c605f3ee23cc53f8e053fa3900a6d774501b6447c2a6d6214ddd40ce6fe1
Malware Config
Extracted
- Family: darkcomet
- All
- C2: :1604 (the host part is empty in the extracted config; 1604 is DarkComet's stock listener port)
- Mutex: DC_MUTEX-U0DM7GE (the DC_MUTEX- prefix is DarkComet's default mutex naming)
- InstallPath: MSDCSC\msdcsc.exe
- gencode: KUiN9kpfaemv
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate

InstallPath, reg_key and the mutex prefix are all DarkComet's out-of-the-box defaults, so this build was not customised beyond the C2 settings. offline_keylogger=true means keystrokes are logged to disk even while no C2 connection is up, which matches the hook and foreground-window activity recorded below.
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe (PID 2020)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
  Userinit is a comma-separated list that winlogon.exe executes at every interactive logon; the stock value contains only "C:\Windows\system32\userinit.exe,". Appending msdcsc.exe starts the RAT before the user's shell, independently of the Run key below (ATT&CK T1547.004). Writing this value requires write access to HKLM, so the sample ran with administrative rights in this environment.
- Executes dropped EXE (1 IoC)
  Process: msdcsc.exe (PID 852)
- Loads dropped DLL (2 IoCs)
  Process: 7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe (PID 2020), two loads
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
  Written first by 7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe (PID 2020) and again by msdcsc.exe (PID 852), i.e. the installed copy re-asserts its own Run entry on start (ATT&CK T1547.001). The value name MicroUpdate is the reg_key from the extracted config.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this likely ransomware behaviour; for a DarkComet sample it is more plausibly the RAT's drive enumeration for its file manager, and no file encryption or ransom note is recorded anywhere in this report.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: msdcsc.exe (PID 852)
  Repeated GetForegroundWindow polling is how a keylogger tags captured keystrokes with the active window title; together with the SetWindowsHookEx use below it matches offline_keylogger=true in the config.
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Both 7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe (PID 2020) and msdcsc.exe (PID 852) request the same 23 privileges, in the same order:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34 and 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege).
  This is a blanket "enable everything in the token" sweep rather than a targeted request; the signature records the attempts, not whether each one succeeded. SeDebugPrivilege is the one that matters for the notepad.exe injection below.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: msdcsc.exe (PID 852)
- Suspicious use of WriteProcessMemory (43 IoCs)
  Writer -> target (count):
  - 2020 7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe -> 1744 cmd.exe (4)
  - 2020 7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe -> 1772 cmd.exe (4)
  - 1744 cmd.exe -> 1736 attrib.exe (4)
  - 1772 cmd.exe -> 1528 attrib.exe (4)
  - 2020 7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe -> 852 msdcsc.exe (4)
  - 852 msdcsc.exe -> 660 notepad.exe (23)
  The four writes that accompany each process creation are the parent's normal CreateProcess setup of the child and appear for every spawn in the tree. The 23 writes from msdcsc.exe into the notepad.exe it has just started are not, and are consistent with injecting code into a freshly spawned decoy process.
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe (PID 1528), attrib.exe (PID 1736)
Processes
- C:\Users\Admin\AppData\Local\Temp\7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe (PID 2020)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe" +s +h
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
  - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (PID 852)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe (PID 660)
      Command line: notepad

The two cmd.exe/attrib.exe pairs are PIDs 1744 -> 1736 and 1772 -> 1528; the report does not tie each pair to a specific command line. Each command line names System32 but the image runs from SysWOW64: the 32-bit sample is subject to file system redirection on this x64 host. The attrib calls set System+Hidden on the original dropper and on the whole Temp directory, so neither shows in Explorer unless "Hide protected operating system files" is turned off. The dropper copies itself to MSDCSC\msdcsc.exe (the copy has identical hashes, see Downloads), launches it, and the copy then spawns notepad.exe as an injection target.
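A binary that hides its own image and its own directory with attrib +s +h is a strong, low-noise signal, but only if the detection ties the attrib target back to the process ancestry rather than alerting on every attrib call. The following is an added example and not part of the sandbox report: a Python process-tree check over records constructed from the tree above (the PIDs of the two cmd/attrib pairs and the parent PID of the dropper are assumed, and one benign attrib call is added). In production the same four fields come from Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine).

```python
"""Spot a binary hiding itself (or its directory) with attrib +s +h.

Added example, not from the sandbox report. SAMPLE_TREE is constructed from
the report's process tree; the cmd/attrib pair PIDs and the dropper's parent
PID are assumed, and the powershell/attrib pair at the end is a benign decoy.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def attrib_args(cmdline: str) -> Optional[Tuple[Set[str], List[str]]]:
    """Return (flags, targets) if the command line is an attrib invocation, else None."""
    toks = tokenize(cmdline)
    for i, tok in enumerate(toks):
        if tok.lower().rsplit("\\", 1)[-1] in ("attrib", "attrib.exe"):
            rest = toks[i + 1:]
            flags = {t.lower() for t in rest if t[:1] in ("+", "-")}
            targets = [t for t in rest if t[:1] not in ("+", "-", "/")]
            return flags, targets
    return None


def ancestor_images(procs: List[Proc], pid: int) -> Set[str]:
    """Lower-cased image paths of every ancestor of pid that is present in procs."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    images: Set[str] = set()
    visited = {pid}
    cur = by_pid.get(pid)
    # Stop at the tree root or on a PID cycle (PID reuse in long telemetry windows).
    while cur is not None and cur.ppid in by_pid and cur.ppid not in visited:
        cur = by_pid[cur.ppid]
        visited.add(cur.pid)
        images.add(cur.image.lower())
    return images


def find_self_hiding(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Flag attrib +h/+s whose target is an ancestor's image or the directory holding it."""
    findings: List[Tuple[int, str, str]] = []
    for p in procs:
        if not p.image.lower().endswith("\\attrib.exe"):
            continue
        parsed = attrib_args(p.cmdline)
        if parsed is None or not ({"+h", "+s"} & parsed[0]):
            continue
        ancestors = ancestor_images(procs, p.pid)
        for target in parsed[1]:
            t = target.lower().rstrip("\\")
            if t in ancestors:
                findings.append((p.pid, "hides ancestor binary", target))
            elif any(img.startswith(t + "\\") for img in ancestors):
                findings.append((p.pid, "hides directory of ancestor binary", target))
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe"
SAMPLE_TREE = [
    Proc(2020, 1200, DROPPER, rf'"{DROPPER}"'),  # ppid 1200 is an assumed explorer.exe
    Proc(1744, 2020, r"C:\Windows\SysWOW64\cmd.exe", rf'"C:\Windows\System32\cmd.exe" /k attrib "{DROPPER}" +s +h'),
    Proc(1736, 1744, r"C:\Windows\SysWOW64\attrib.exe", rf'attrib "{DROPPER}" +s +h'),
    Proc(1772, 2020, r"C:\Windows\SysWOW64\cmd.exe", rf'"C:\Windows\System32\cmd.exe" /k attrib "{TEMP}" +s +h'),
    Proc(1528, 1772, r"C:\Windows\SysWOW64\attrib.exe", rf'attrib "{TEMP}" +s +h'),
    Proc(852, 2020, TEMP + r"\MSDCSC\msdcsc.exe", rf'"{TEMP}\MSDCSC\msdcsc.exe"'),
    Proc(660, 852, r"C:\Windows\SysWOW64\notepad.exe", "notepad"),
    # Constructed benign pair: an admin script clearing read-only on a share file.
    Proc(3000, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe -File C:\scripts\fix.ps1"),
    Proc(3100, 3000, r"C:\Windows\System32\attrib.exe", r'attrib -r "C:\share\readme.txt"'),
]

if __name__ == "__main__":
    for pid, why, target in find_self_hiding(SAMPLE_TREE):
        print(f"attrib.exe {pid}: {why}: {target}")
```

Matching on the attrib.exe image rather than on the cmd.exe command line avoids double-counting the `cmd /k attrib ...` wrapper, and walking the ancestry (not just the direct parent) is what makes the rule fire here, since the hidden file belongs to the grandparent, not to the cmd.exe that launched attrib.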
Network
No entries in this export.

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (also listed as \Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe)
  - MD5: f7ce32b7a4e41e6d16aaa8c2766ede4d
  - SHA1: 4183604cdb185657e8fbcf4e5df2c694cb94049c
  - SHA256: 7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716
  - SHA512: 1fcdf94c074d1958ca19fcc107a722b6524f71f4cdff7acf49013f9e5b1b08dba892c605f3ee23cc53f8e053fa3900a6d774501b6447c2a6d6214ddd40ce6fe1

The dropped file carries exactly the hashes of the submitted sample: msdcsc.exe is a byte-for-byte copy of the dropper, so a single hash indicator covers both the original and the installed file.
Memory dumps
- memory/660-65-0x0000000000000000-mapping.dmp
- memory/660-68-0x00000000001E0000-0x00000000001E1000-memory.dmp (4KB)
- memory/852-61-0x0000000000000000-mapping.dmp
- memory/852-67-0x0000000000240000-0x0000000000241000-memory.dmp (4KB)
- memory/1528-58-0x0000000000000000-mapping.dmp
- memory/1736-57-0x0000000000000000-mapping.dmp
- memory/1744-55-0x0000000000000000-mapping.dmp
- memory/1772-56-0x0000000000000000-mapping.dmp
- memory/2020-53-0x00000000761B1000-0x00000000761B3000-memory.dmp (8KB)
- memory/2020-54-0x00000000002C0000-0x00000000002C1000-memory.dmp (4KB)