Analysis
- max time kernel: 151s
- max time network: 163s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 03:43
Static task: static1
Behavioral task: behavioral1
- Sample: Result.jpg.exe
- Resource: win7-20220414-en
General
- Target: Result.jpg.exe
- Size: 1.2MB
- MD5: da81c76543b3f280abfaf1c04a820c8d
- SHA1: e746372c52ab53a7dcded6ffd497f10d3b84bda9
- SHA256: 996d745b0948add2ef943870d637afb46d4463432df4cb766509ecaa1982a35a
- SHA512: 8fe78aee184022b8a15646d1a847aed29e3bf463599d5b8b517a321cc876f53ebb170b03ccdddb2032a6ab420956bfd233c489e954044a93a4c7995ed41b3346
Malware Config
Extracted: darkcomet
1
sadist.ddns.net:500
DC_MUTEX-WDGJLC3
- InstallPath: MSDCSC\msdcsc.exe
- gencode: bg0tFwB3BTiD
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: 1.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 1.exe
- Modifies firewall policy service (2 TTPs, 6 IoCs)
  Processes: msdcsc.exe, iexplore.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | iexplore.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | iexplore.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | iexplore.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
- Executes dropped EXE (2 IoCs)
  Processes: 1.exe, msdcsc.exe
  pid | process
  1064 | 1.exe
  648 | msdcsc.exe
- Loads dropped DLL (4 IoCs)
  Processes: Result.jpg.exe, 1.exe
  pid | process
  1748 | Result.jpg.exe
  1748 | Result.jpg.exe
  1064 | 1.exe
  1064 | 1.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: 1.exe, msdcsc.exe, iexplore.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 1.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | msdcsc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | iexplore.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: msdcsc.exe
  description | pid | process | target process
  PID 648 set thread context of 1056 | 648 | msdcsc.exe | iexplore.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 1.exe, msdcsc.exe, iexplore.exe
  process (pid) | tokens adjusted
  1.exe (1064) | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  msdcsc.exe (648) | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  iexplore.exe (1056) | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: DllHost.exe
  pid | process
  924 | DllHost.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: iexplore.exe
  pid | process
  1056 | iexplore.exe
- Suspicious use of WriteProcessMemory (48 IoCs)
  Processes: Result.jpg.exe, 1.exe, cmd.exe, cmd.exe, msdcsc.exe
  description | pid | process | target process | identical events
  PID 1748 wrote to memory of 1064 | 1748 | Result.jpg.exe | 1.exe | 4
  PID 1064 wrote to memory of 696 | 1064 | 1.exe | cmd.exe | 4
  PID 1064 wrote to memory of 1732 | 1064 | 1.exe | cmd.exe | 4
  PID 1064 wrote to memory of 440 | 1064 | 1.exe | notepad.exe | 18
  PID 696 wrote to memory of 1832 | 696 | cmd.exe | attrib.exe | 4
  PID 1732 wrote to memory of 1376 | 1732 | cmd.exe | attrib.exe | 4
  PID 1064 wrote to memory of 648 | 1064 | 1.exe | msdcsc.exe | 4
  PID 648 wrote to memory of 1056 | 648 | msdcsc.exe | iexplore.exe | 6
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  pid | process
  1832 | attrib.exe
  1376 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Result.jpg.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Result.jpg.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    Signatures: Modifies WinLogon for persistence; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1.exe" +s +h
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\1.exe" +s +h
        Signatures: Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        Signatures: Views/modifies file attributes
    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
    - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      Signatures: Modifies firewall policy service; Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        Signatures: Modifies firewall policy service; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  Signatures: Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\1.exe
  Filesize: 658KB
  MD5: fbb4270367abd1e26b0a72f302b263cf
  SHA1: d68d73d6eec4ab2b086babcbaeff0a85fb487067
  SHA256: f06eb9383ca282824c0fa3172b4d404de4a03c1eea2ee74aeaf022514255743b
  SHA512: 73bc3fbe0efa3040751ccc1396362a60136e6b864862eb0682d1d1e29d7c89012f61e98ddaf102580f075315f3959997210e5c56ba34dec483b139eac8639ef9
- C:\Users\Admin\AppData\Local\Temp\1574605225_22.ico.jpg
  Filesize: 533KB
  MD5: ac7a4fccf9ab574e25354c7a7cc867b5
  SHA1: 52ca4149c29f52b9b387303b112e4a6a4392ad8c
  SHA256: 4e660bd705f186e365162329262e7375b5d06b01777286be8eb0e5a9c48786ca
  SHA512: 82beb0be72bf9daceb4f03306ad61e7959332544610370d3457e8c4951cc76942679bdcaa6f0c2ae67a2a40682a4fb187739513396e36f418ae45afc699ef195
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 658KB
  MD5: fbb4270367abd1e26b0a72f302b263cf
  SHA1: d68d73d6eec4ab2b086babcbaeff0a85fb487067
  SHA256: f06eb9383ca282824c0fa3172b4d404de4a03c1eea2ee74aeaf022514255743b
  SHA512: 73bc3fbe0efa3040751ccc1396362a60136e6b864862eb0682d1d1e29d7c89012f61e98ddaf102580f075315f3959997210e5c56ba34dec483b139eac8639ef9
- \Users\Admin\AppData\Local\Temp\1.exe
  Filesize: 658KB
  MD5: fbb4270367abd1e26b0a72f302b263cf
  SHA1: d68d73d6eec4ab2b086babcbaeff0a85fb487067
  SHA256: f06eb9383ca282824c0fa3172b4d404de4a03c1eea2ee74aeaf022514255743b
  SHA512: 73bc3fbe0efa3040751ccc1396362a60136e6b864862eb0682d1d1e29d7c89012f61e98ddaf102580f075315f3959997210e5c56ba34dec483b139eac8639ef9
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 658KB
  MD5: fbb4270367abd1e26b0a72f302b263cf
  SHA1: d68d73d6eec4ab2b086babcbaeff0a85fb487067
  SHA256: f06eb9383ca282824c0fa3172b4d404de4a03c1eea2ee74aeaf022514255743b
  SHA512: 73bc3fbe0efa3040751ccc1396362a60136e6b864862eb0682d1d1e29d7c89012f61e98ddaf102580f075315f3959997210e5c56ba34dec483b139eac8639ef9
- memory/440-64-0x0000000000000000-mapping.dmp
- memory/648-70-0x0000000000000000-mapping.dmp
- memory/696-62-0x0000000000000000-mapping.dmp
- memory/1064-58-0x0000000000000000-mapping.dmp
- memory/1376-67-0x0000000000000000-mapping.dmp
- memory/1732-63-0x0000000000000000-mapping.dmp
- memory/1748-54-0x0000000075761000-0x0000000075763000-memory.dmp
  Filesize: 8KB
- memory/1832-66-0x0000000000000000-mapping.dmp