Analysis
- max time kernel: 150s
- max time network: 113s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 24-09-2021 06:08
Behavioral task behavioral1
- Sample: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe
- Resource: win7-en-20210920
Behavioral task behavioral2
- Sample: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe
- Resource: win10-en-20210920
General
- Target: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe
- Size: 849KB
- MD5: bf1bf48e54628cce8c27309c05a1edaf
- SHA1: 28af1bd896e3fdf0f902af4948b48483e0c71193
- SHA256: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03
- SHA512: 8138f0dc6880275ad6dce4e375b53078d5b83ba36d1796d20c4c06e63c436096fb40ffd4f68a72393052368c7a44c59e71581306402ba7b52d2a65ff86eb8bee
Malware Config
Extracted
- Family: darkcomet
- Botnet ID: Guest16
- C2: ffcdds.ddns.net:1604
- Mutex: DC_MUTEX-XETQG0J
- InstallPath: MSDCSC\msdcsc.exe
- gencode: urvT6qvyMSb0
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Executes dropped EXE (1 IoC)
  Process: msdcsc.exe (PID 4092)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe (PID 4196) and msdcsc.exe (PID 4092). Each of the two processes adjusted the same 24 token privileges, in this order:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: msdcsc.exe (PID 4092)
- Suspicious use of WriteProcessMemory (25 IoCs)
  PID 4196 (5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe) wrote to memory of PID 4092 (msdcsc.exe): 3 entries
  PID 4092 (msdcsc.exe) wrote to memory of PID 3944 (notepad.exe): 22 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe (command line: "C:\Users\Admin\AppData\Local\Temp\5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03.exe")
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe")
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe (command line: notepad)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: bf1bf48e54628cce8c27309c05a1edaf
  SHA1: 28af1bd896e3fdf0f902af4948b48483e0c71193
  SHA256: 5d6a551a0ad117a907bcd225ea0d97355b88063e472007d33e2e159cc635fc03
  SHA512: 8138f0dc6880275ad6dce4e375b53078d5b83ba36d1796d20c4c06e63c436096fb40ffd4f68a72393052368c7a44c59e71581306402ba7b52d2a65ff86eb8bee
- memory/3944-119-0x0000000000000000-mapping.dmp
- memory/3944-121-0x0000000000A20000-0x0000000000A21000-memory.dmp (Filesize: 4KB)
- memory/4092-116-0x0000000000000000-mapping.dmp
- memory/4092-120-0x0000000000770000-0x0000000000771000-memory.dmp (Filesize: 4KB)
- memory/4196-115-0x0000000002470000-0x0000000002471000-memory.dmp (Filesize: 4KB)