Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 22:38
Behavioral task: behavioral1
Sample: d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe
Resource: win7-20220414-en
General
Target: d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe
Size: 658KB
MD5: 4d693fde464e00a60c0c87d8a8c4e27c
SHA1: 9efd17718385a0445d40ce1c3de86b9bd18a33a0
SHA256: d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2
SHA512: 05e358afa6d9419a501125cc57fe8976cddf1b358a7a30d8158d08b439379e00d068e8c8dcde6e65de98a19bedb3ae6521ce412835c7a64348438f05042eaab4
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: sasha8787.hopto.org:1604
Mutex: DC_MUTEX-0E94YVE
InstallPath: MSDCSC\msdcsc.exe
gencode: jc8H9yZoi6Sf
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" | d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
Modifies security service (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msdcsc.exe
Disables RegEdit via registry modification
-
Executes dropped EXE (1 IoC)
Processes:
pid | process
2632 | msdcsc.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe
Windows security modification (2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" | d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid | process
2632 | msdcsc.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes:
pid 3508 (d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
pid 2632 (msdcsc.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid | process
2632 | msdcsc.exe
Suspicious use of WriteProcessMemory (37 IoCs)
Processes:
description | pid | process | target process
PID 3508 wrote to memory of 4144 | 3508 | d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe | cmd.exe (3 times)
PID 3508 wrote to memory of 1424 | 3508 | d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe | cmd.exe (3 times)
PID 3508 wrote to memory of 2632 | 3508 | d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe | msdcsc.exe (3 times)
PID 1424 wrote to memory of 5024 | 1424 | cmd.exe | attrib.exe (3 times)
PID 4144 wrote to memory of 5040 | 4144 | cmd.exe | attrib.exe (3 times)
PID 2632 wrote to memory of 1052 | 2632 | msdcsc.exe | notepad.exe (22 times)
System policy modification (1 TTP, 3 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
pid | process
5040 | attrib.exe
5024 | attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe" +s +h
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp\d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe" +s +h
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
  C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
    command line: "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\notepad.exe
      command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
Filesize: 658KB
MD5: 4d693fde464e00a60c0c87d8a8c4e27c
SHA1: 9efd17718385a0445d40ce1c3de86b9bd18a33a0
SHA256: d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2
SHA512: 05e358afa6d9419a501125cc57fe8976cddf1b358a7a30d8158d08b439379e00d068e8c8dcde6e65de98a19bedb3ae6521ce412835c7a64348438f05042eaab4
-
memory/1052-137-0x0000000000000000-mapping.dmp
-
memory/1424-131-0x0000000000000000-mapping.dmp
-
memory/2632-132-0x0000000000000000-mapping.dmp
-
memory/4144-130-0x0000000000000000-mapping.dmp
-
memory/5024-135-0x0000000000000000-mapping.dmp
-
memory/5040-136-0x0000000000000000-mapping.dmp