Analysis

max time kernel: 158s
max time network: 138s
platform: windows10_x64
resource: win10v20210408
submitted: 06-09-2021 06:44

Behavioral task: behavioral1
Sample: 7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe
Resource: win7-en
General

Target: 7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe
Size: 658KB
MD5: f7ce32b7a4e41e6d16aaa8c2766ede4d
SHA1: 4183604cdb185657e8fbcf4e5df2c694cb94049c
SHA256: 7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716
SHA512: 1fcdf94c074d1958ca19fcc107a722b6524f71f4cdff7acf49013f9e5b1b08dba892c605f3ee23cc53f8e053fa3900a6d774501b6447c2a6d6214ddd40ce6fe1
Malware Config

Extracted family: darkcomet
C2: :1604 (the host part is not shown in the report; 1604 is the DarkComet default port)
Mutex: DC_MUTEX-U0DM7GE
InstallPath: MSDCSC\msdcsc.exe
gencode: KUiN9kpfaemv
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate

The extracted config lines up with the recorded behaviour: InstallPath is where the copy is dropped (under %LOCALAPPDATA%\Temp), reg_key is the name of the Run value written, and persistence is implemented through both the Run value and the Winlogon Userinit change listed below.
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"

Executes dropped EXE (1 IoC)
  PID 192 msdcsc.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: 7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe
  Key value queried \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
  Process: msdcsc.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature reads "likely ransomware behaviour"; no file encryption is recorded anywhere in this report, so for this DarkComet sample treat it as plain drive enumeration.
Modifies registry class (1 IoC)
  Process: 7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 192 msdcsc.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  PID 808 (7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe) adjusted 24 token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privileges 33, 34, 35, 36.
  PID 192 (msdcsc.exe) adjusted the same 24 privileges.

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 192 msdcsc.exe

Suspicious use of WriteProcessMemory (37 IoCs)
  PID 808 (7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe) wrote to PID 3044 (cmd.exe): 3 times
  PID 808 wrote to PID 1840 (cmd.exe): 3 times
  PID 1840 (cmd.exe) wrote to PID 1880 (attrib.exe): 3 times
  PID 3044 (cmd.exe) wrote to PID 1896 (attrib.exe): 3 times
  PID 808 wrote to PID 192 (msdcsc.exe): 3 times
  PID 192 (msdcsc.exe) wrote to PID 3332 (notepad.exe): 22 times
  Three writes per spawned child is the norm throughout this report; the 22 writes from msdcsc.exe into the notepad.exe it launched are consistent with process injection into that child.

Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 1880 attrib.exe
  PID 1896 attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp\7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe" +s +h
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes

  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\notepad.exe
      command line: notepad

Two details of the tree are worth noting. The dropper invokes C:\Windows\System32\cmd.exe but the process that runs is C:\Windows\SysWOW64\cmd.exe, and its CLSID key lands under WOW6432Node: the sample is a 32-bit process running under WOW64 on the x64 VM. The two attrib commands mark the original dropper and the whole %LOCALAPPDATA%\Temp directory as hidden system objects (+s +h), so neither is visible in a default Explorer view; cmd.exe is started with /k, so both shells stay resident after attrib returns.
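The tree above shows the whole chain: dropper, two cmd.exe/attrib.exe pairs that hide the dropper and its Temp directory, the dropped copy, and a notepad.exe child that receives far more WriteProcessMemory calls than an ordinary spawn. The following is an added example, not part of the report: it rebuilds such a tree from a PID/parent list, picks out attrib invocations that set both +s and +h, and flags a parent that keeps writing into a system binary it just launched. The process records and the WriteProcessMemory lines are constructed from this report (PIDs from the WriteProcessMemory IoCs); which of the two cmd.exe PIDs ran which attrib command is an assumption, as is the write-count threshold.

```python
"""Rebuild a sandbox process tree and flag attrib +s +h hiding and heavy
WriteProcessMemory into a freshly spawned system binary.
Added example; sample data below is constructed from the report."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716.exe"
DROPPER_NAME = DROPPER.rsplit("\\", 1)[1]
COPY = TEMP + r"\MSDCSC\msdcsc.exe"

# Constructed from the report's process listing; the pairing of the two cmd.exe PIDs
# with their attrib command lines is an assumption.
TREE = [
    Proc(808, 0, DROPPER, f'"{DROPPER}"'),
    Proc(3044, 808, r"C:\Windows\SysWOW64\cmd.exe", f'"C:\\Windows\\System32\\cmd.exe" /k attrib "{DROPPER}" +s +h'),
    Proc(1896, 3044, r"C:\Windows\SysWOW64\attrib.exe", f'attrib "{DROPPER}" +s +h'),
    Proc(1840, 808, r"C:\Windows\SysWOW64\cmd.exe", f'"C:\\Windows\\System32\\cmd.exe" /k attrib "{TEMP}" +s +h'),
    Proc(1880, 1840, r"C:\Windows\SysWOW64\attrib.exe", f'attrib "{TEMP}" +s +h'),
    Proc(192, 808, COPY, f'"{COPY}"'),
    Proc(3332, 192, r"C:\Windows\SysWOW64\notepad.exe", "notepad"),
]


def _wpm(src, dst, src_img, dst_img, n):
    # WriteProcessMemory IoC lines in the report's own format, repeated n times
    return [f"PID {src} wrote to memory of {dst} {src} {src_img} {dst_img}"] * n


# Constructed; the per-pair counts match the report (3 per ordinary spawn, 22 into notepad.exe).
WPM_LINES = (_wpm(808, 3044, DROPPER_NAME, "cmd.exe", 3) + _wpm(808, 1840, DROPPER_NAME, "cmd.exe", 3)
             + _wpm(1840, 1880, "cmd.exe", "attrib.exe", 3) + _wpm(3044, 1896, "cmd.exe", "attrib.exe", 3)
             + _wpm(808, 192, DROPPER_NAME, "msdcsc.exe", 3) + _wpm(192, 3332, "msdcsc.exe", "notepad.exe", 22))

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) ")


def parse_wpm(lines):
    """Count WriteProcessMemory events per (source pid, target pid)."""
    counts = Counter()
    for line in lines:
        m = WPM_RE.match(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def by_pid(procs):
    return {p.pid: p for p in procs}


def render_tree(procs):
    """Indent each process under its parent, like the report's level markers."""
    procs_by_pid = by_pid(procs)
    lines = []

    def walk(pid, depth):
        p = procs_by_pid[pid]
        lines.append("  " * depth + f"{p.pid} {p.cmdline}")
        for child in procs:
            if child.ppid == pid:
                walk(child.pid, depth + 1)

    for p in procs:
        if p.ppid not in procs_by_pid:   # a root: parent is outside the captured set
            walk(p.pid, 0)
    return "\n".join(lines)


def _tokens(cmdline):
    # Windows-style split: a quoted string is one token, quotes removed.
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def find_attrib_hiding(procs):
    """(pid, target) for every attrib.exe that sets both +h and +s on its target."""
    hits = []
    for p in procs:
        if not p.image.lower().endswith(r"\attrib.exe"):
            continue
        flags, targets = set(), []
        for tok in _tokens(p.cmdline)[1:]:
            if re.fullmatch(r"[+-][rash]", tok, re.I):
                flags.add(tok.lower())
            else:
                targets.append(tok)
        if {"+h", "+s"} <= flags:
            hits.extend((p.pid, t) for t in targets)
    return hits


MIN_WRITES = 4   # assumed threshold: an ordinary spawn costs 3 writes in this report


def injection_candidates(wpm_counts, procs):
    """(src, dst, writes) where a non-system process spawns a system binary and keeps
    writing into it beyond what process creation itself needs."""
    procs_by_pid = by_pid(procs)
    out = []
    for (src, dst), n in sorted(wpm_counts.items()):
        s, d = procs_by_pid.get(src), procs_by_pid.get(dst)
        if not s or not d or d.ppid != src or n < MIN_WRITES:
            continue
        if d.image.lower().startswith("c:\\windows\\") and not s.image.lower().startswith("c:\\windows\\"):
            out.append((src, dst, n))
    return out


if __name__ == "__main__":
    print(render_tree(TREE))
    print("attrib +s +h targets:", find_attrib_hiding(TREE))
    print("injection candidates:", injection_candidates(parse_wpm(WPM_LINES), TREE))
```

The write-count threshold is what separates the 22 writes into notepad.exe from the 3 writes the sandbox records for every ordinary child; on a different sandbox the baseline per spawn will differ, so calibrate MIN_WRITES against a benign run before relying on it.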
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (listed twice in the report with identical hashes)
  MD5: f7ce32b7a4e41e6d16aaa8c2766ede4d
  SHA1: 4183604cdb185657e8fbcf4e5df2c694cb94049c
  SHA256: 7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716
  SHA512: 1fcdf94c074d1958ca19fcc107a722b6524f71f4cdff7acf49013f9e5b1b08dba892c605f3ee23cc53f8e053fa3900a6d774501b6447c2a6d6214ddd40ce6fe1

These hashes are identical to the submitted sample's: msdcsc.exe is a byte-for-byte copy of the dropper, not a separate second-stage payload, so the one set of file hashes covers both the original and the installed copy.
Memory dumps:
  memory/192-119: 0x0000000000000000 (mapping)
  memory/192-123: 0x0000000000570000-0x00000000006BA000, 1.3MB
  memory/808-114: 0x00000000022F0000-0x00000000022F1000, 4KB
  memory/1840-116: 0x0000000000000000 (mapping)
  memory/1880-117: 0x0000000000000000 (mapping)
  memory/1896-118: 0x0000000000000000 (mapping)
  memory/3044-115: 0x0000000000000000 (mapping)
  memory/3332-122: 0x0000000000000000 (mapping)
  memory/3332-124: 0x00000000011C0000-0x00000000011C1000, 4KB