Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 24-09-2021 06:08
Behavioral task: behavioral1
- Sample: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe
- Resource: win10-en-20210920
General
- Target: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe
- Size: 849KB
- MD5: bf1bf48e54628cce8c27309c05a1edaf
- SHA1: 28af1bd896e3fdf0f902af4948b48483e0c71193
- SHA256: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03
- SHA512: 8138f0dc6880275ad6dce4e375b53078d5b83ba36d1796d20c4c06e63c436096fb40ffd4f68a72393052368c7a44c59e71581306402ba7b52d2a65ff86eb8bee
Malware Config
Extracted: darkcomet
- Botnet: Guest16
- C2: ffcdds.ddns.net:1604
- Mutex: DC_MUTEX-XETQG0J
- InstallPath: MSDCSC\msdcsc.exe
- gencode: urvT6qvyMSb0
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe)
-
Executes dropped EXE 1 IoCs
Processes: msdcsc.exe
- PID 1700 msdcsc.exe
-
Loads dropped DLL 2 IoCs
Processes: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe
- PID 1268 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe (2 entries)
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe (PID 1268), msdcsc.exe (PID 1700)
Token privileges adjusted, once by each of the two processes (23 entries per process): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: msdcsc.exe
- PID 1700 msdcsc.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe, msdcsc.exe
- PID 1268 (5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe) wrote to memory of PID 1700 (msdcsc.exe): 4 entries
- PID 1700 (msdcsc.exe) wrote to memory of PID 960 (notepad.exe): 23 entries
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe"
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  Depth 2: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
    Depth 3: C:\Windows\SysWOW64\notepad.exe
    Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
- MD5: bf1bf48e54628cce8c27309c05a1edaf
- SHA1: 28af1bd896e3fdf0f902af4948b48483e0c71193
- SHA256: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03
- SHA512: 8138f0dc6880275ad6dce4e375b53078d5b83ba36d1796d20c4c06e63c436096fb40ffd4f68a72393052368c7a44c59e71581306402ba7b52d2a65ff86eb8bee
-
\Users\Admin\Documents\MSDCSC\msdcsc.exe
- MD5: bf1bf48e54628cce8c27309c05a1edaf
- SHA1: 28af1bd896e3fdf0f902af4948b48483e0c71193
- SHA256: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03
- SHA512: 8138f0dc6880275ad6dce4e375b53078d5b83ba36d1796d20c4c06e63c436096fb40ffd4f68a72393052368c7a44c59e71581306402ba7b52d2a65ff86eb8bee
-
memory/960-61-0x0000000000000000-mapping.dmp
-
memory/960-64-0x00000000001D0000-0x00000000001D1000-memory.dmp (Filesize: 4KB)
-
memory/1268-53-0x00000000755A1000-0x00000000755A3000-memory.dmp (Filesize: 8KB)
-
memory/1268-54-0x00000000002C0000-0x00000000002C1000-memory.dmp (Filesize: 4KB)
-
memory/1700-57-0x0000000000000000-mapping.dmp
-
memory/1700-63-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize: 4KB)