General
Target

287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe

Filesize

349KB

Completed

21-05-2022 19:19

Task

behavioral1

Score
10/10
MD5

2c0d429589bc6ff62344c943b0db8def

SHA1

602c64345157856e174eb001d2a2b81346117094

SHA256

287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287

SHA512

c661e141a6492369ca45911af5740ce1bb7d85117f3f113da07cf22d83bef911036c7d06b4a5cbacca738e73075b09e476bdca16fa0a9beb5d471bcf9f48f649

Malware Config
Signatures (10)

  • Darkcomet

    Description

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence
    287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe

    TTPs

    Winlogon Helper DLL; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
  • Executes dropped EXE
    msdcsc.exe

    Reported IOCs

    pid | process
    1484 | msdcsc.exe
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x000a00000001230d-55.dat | upx
    behavioral1/files/0x000a00000001230d-56.dat | upx
    behavioral1/files/0x000a00000001230d-58.dat | upx
    behavioral1/files/0x000a00000001230d-60.dat | upx
  • Loads dropped DLL
    287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe

    Reported IOCs

    pid | process
    1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
  • Adds Run key to start application
    287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious use of AdjustPrivilegeToken
    287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe, msdcsc.exe

    Reported IOCs

    description | pid | process
    Token: SeIncreaseQuotaPrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeSecurityPrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeTakeOwnershipPrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeLoadDriverPrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeSystemProfilePrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeSystemtimePrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeProfSingleProcessPrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeIncBasePriorityPrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeCreatePagefilePrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeBackupPrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeRestorePrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeShutdownPrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeDebugPrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeSystemEnvironmentPrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeChangeNotifyPrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeRemoteShutdownPrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeUndockPrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeManageVolumePrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeImpersonatePrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeCreateGlobalPrivilege | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: 33 | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: 34 | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: 35 | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: SeIncreaseQuotaPrivilege | 1484 | msdcsc.exe
    Token: SeSecurityPrivilege | 1484 | msdcsc.exe
    Token: SeTakeOwnershipPrivilege | 1484 | msdcsc.exe
    Token: SeLoadDriverPrivilege | 1484 | msdcsc.exe
    Token: SeSystemProfilePrivilege | 1484 | msdcsc.exe
    Token: SeSystemtimePrivilege | 1484 | msdcsc.exe
    Token: SeProfSingleProcessPrivilege | 1484 | msdcsc.exe
    Token: SeIncBasePriorityPrivilege | 1484 | msdcsc.exe
    Token: SeCreatePagefilePrivilege | 1484 | msdcsc.exe
    Token: SeBackupPrivilege | 1484 | msdcsc.exe
    Token: SeRestorePrivilege | 1484 | msdcsc.exe
    Token: SeShutdownPrivilege | 1484 | msdcsc.exe
    Token: SeDebugPrivilege | 1484 | msdcsc.exe
    Token: SeSystemEnvironmentPrivilege | 1484 | msdcsc.exe
    Token: SeChangeNotifyPrivilege | 1484 | msdcsc.exe
    Token: SeRemoteShutdownPrivilege | 1484 | msdcsc.exe
    Token: SeUndockPrivilege | 1484 | msdcsc.exe
    Token: SeManageVolumePrivilege | 1484 | msdcsc.exe
    Token: SeImpersonatePrivilege | 1484 | msdcsc.exe
    Token: SeCreateGlobalPrivilege | 1484 | msdcsc.exe
    Token: 33 | 1484 | msdcsc.exe
    Token: 34 | 1484 | msdcsc.exe
    Token: 35 | 1484 | msdcsc.exe
  • Suspicious use of SetWindowsHookEx
    msdcsc.exe

    Reported IOCs

    pid | process
    1484 | msdcsc.exe
  • Suspicious use of WriteProcessMemory
    287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe

    Reported IOCs

    description | pid | process | target process
    PID 1684 wrote to memory of 1484 | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe | msdcsc.exe
    PID 1684 wrote to memory of 1484 | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe | msdcsc.exe
    PID 1684 wrote to memory of 1484 | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe | msdcsc.exe
    PID 1684 wrote to memory of 1484 | 1684 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe | msdcsc.exe
Processes (2)
  • C:\Users\Admin\AppData\Local\Temp\287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    "C:\Users\Admin\AppData\Local\Temp\287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe"
    Modifies WinLogon for persistence
    Loads dropped DLL
    Adds Run key to start application
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1484
Network
Downloads
  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

    MD5

    2c0d429589bc6ff62344c943b0db8def

    SHA1

    602c64345157856e174eb001d2a2b81346117094

    SHA256

    287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287

    SHA512

    c661e141a6492369ca45911af5740ce1bb7d85117f3f113da07cf22d83bef911036c7d06b4a5cbacca738e73075b09e476bdca16fa0a9beb5d471bcf9f48f649

  • \Users\Admin\Documents\MSDCSC\msdcsc.exe

    MD5

    2c0d429589bc6ff62344c943b0db8def

    SHA1

    602c64345157856e174eb001d2a2b81346117094

    SHA256

    287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287

    SHA512

    c661e141a6492369ca45911af5740ce1bb7d85117f3f113da07cf22d83bef911036c7d06b4a5cbacca738e73075b09e476bdca16fa0a9beb5d471bcf9f48f649

  • memory/1484-57-0x0000000000000000-mapping.dmp

  • memory/1684-54-0x0000000076431000-0x0000000076433000-memory.dmp