General
Target

287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe

Filesize

349KB

Completed

21-05-2022 19:19

Task

behavioral2

Score

10/10

MD5

2c0d429589bc6ff62344c943b0db8def

SHA1

602c64345157856e174eb001d2a2b81346117094

SHA256

287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287

SHA512

c661e141a6492369ca45911af5740ce1bb7d85117f3f113da07cf22d83bef911036c7d06b4a5cbacca738e73075b09e476bdca16fa0a9beb5d471bcf9f48f649

Malware Config
Signatures 10

Tactics matched: Defense Evasion, Discovery, Persistence

  • Darkcomet

    Description

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence
    287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe

    TTPs

    Winlogon Helper DLL, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe

    The clean-install UserInit data is "C:\Windows\system32\userinit.exe," and Winlogon launches every comma-separated entry at interactive logon, so appending msdcsc.exe makes the RAT start with each logon of any user. The value sits under HKLM, which a standard user cannot write; the write succeeded because the sample ran elevated in this sandbox (consistent with the privilege set under "Suspicious use of AdjustPrivilegeToken" below).
  • Executes dropped EXE
    msdcsc.exe

    Reported IOCs

    pid | process
    4020 | msdcsc.exe
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource | yara_rule
    behavioral2/files/0x00060000000231e0-131.dat | upx
    behavioral2/files/0x00060000000231e0-132.dat | upx
  • Checks computer location settings
    287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
  • Adds Run key to start application
    287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    The "ransomware" hint is the signature's generic text; nothing else in this report (no file-encryption or ransom-note signatures, no network activity) supports it, and drive enumeration is equally routine for a RAT that offers remote file browsing.

    TTPs

    System Information Discovery
  • Suspicious use of AdjustPrivilegeToken
    287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe, msdcsc.exe

    Reported IOCs

    description | pid | process
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 | 2300 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    Token: the same 24 privileges, enabled in the same order | 4020 | msdcsc.exe

    The entries reported only as 33 to 36 are privilege LUIDs the sandbox did not resolve to a name (on recent Windows builds these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege). AdjustTokenPrivileges can only enable privileges the token already holds, so the fact that both processes could enable SeDebugPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege and the rest shows they ran under an elevated administrator token in this sandbox; on a standard-user host most of these calls would fail and the HKLM Winlogon write above would not succeed.
  • Suspicious use of SetWindowsHookEx
    msdcsc.exe

    Reported IOCs

    pid | process
    4020 | msdcsc.exe
  • Suspicious use of WriteProcessMemory
    287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe

    Reported IOCs

    description | pid | process | target process
    PID 2300 wrote to memory of 4020 | 2300 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe | msdcsc.exe
    PID 2300 wrote to memory of 4020 | 2300 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe | msdcsc.exe
    PID 2300 wrote to memory of 4020 | 2300 | 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe | msdcsc.exe
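The two "Set value (str)" rows above (Winlogon UserInit and the MicroUpdate Run key) are the report's persistence evidence. What follows is an added example, not code from the sandbox report and not DarkComet's own: a small Python checker that takes registry set-value events in the report's description/ioc/process shape and flags (a) any Winlogon UserInit or Shell command beyond the Windows default and (b) Run/RunOnce entries that point into user-writable directories. It goes slightly beyond the report by also covering the Winlogon Shell value and RunOnce keys. The default values, the user-writable path fragments, the RegSetEvent/Finding classes and the sample events (the two rows above plus one constructed benign Run entry) are all assumptions of this example.

```python
import re
from dataclasses import dataclass

# Clean-install defaults for the Winlogon values that hold a command list.
# Assumed here; confirm against a known-good host of the same Windows build.
WINLOGON_DEFAULTS = {
    "userinit": {r"c:\windows\system32\userinit.exe"},
    "shell": {"explorer.exe"},
}

# Path fragments marking locations a standard user can write to. An autostart
# entry living there instead of Program Files / System32 is a red flag.
# Heuristic list chosen for this example.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")

# NT native registry prefixes (as the sandbox prints them) -> hive shorthand.
NT_PREFIXES = {"\\registry\\machine\\": "hklm\\", "\\registry\\user\\": "hku\\"}


@dataclass
class RegSetEvent:
    key: str    # key path, e.g. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    name: str   # value name, e.g. UserInit
    data: str   # string data written


@dataclass
class Finding:
    technique: str
    detail: str


def norm_key(key: str) -> str:
    """Lower-case the key and map the NT native prefix to hklm\\ or hku\\."""
    k = key.lower().rstrip("\\")
    for nt, short in NT_PREFIXES.items():
        if k.startswith(nt):
            return short + k[len(nt):]
    return k


def split_commands(data: str) -> list[str]:
    """Winlogon values hold a comma-separated command list; drop quotes and empties."""
    return [c.strip().strip('"').lower() for c in data.split(",") if c.strip()]


def check_event(ev: RegSetEvent) -> list[Finding]:
    """Return the persistence findings for one registry set-value event."""
    findings: list[Finding] = []
    key = norm_key(ev.key)
    name = ev.name.lower()

    # T1547.004 Winlogon Helper DLL: UserInit / Shell should hold exactly the default.
    if key.endswith("\\windows nt\\currentversion\\winlogon") and name in WINLOGON_DEFAULTS:
        for cmd in split_commands(ev.data):
            if cmd not in WINLOGON_DEFAULTS[name]:
                findings.append(Finding("T1547.004 Winlogon Helper DLL",
                                        f"Winlogon\\{ev.name} gained extra command: {cmd}"))

    # T1547.001 Run keys: flag only targets inside user-writable directories.
    if re.search(r"\\currentversion\\run(once)?$", key):
        target = ev.data.strip().strip('"').lower()
        if any(frag in target for frag in USER_WRITABLE):
            findings.append(Finding("T1547.001 Registry Run Keys",
                                    f"{ev.name} -> {ev.data}"))
    return findings


def scan(events: list[RegSetEvent]) -> list[Finding]:
    return [f for ev in events for f in check_event(ev)]


# Constructed sample: the two set-value rows from the report above, plus one
# benign Run entry (a stock Windows autostart) that must not fire.
SAMPLE_EVENTS = [
    RegSetEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
                "UserInit",
                r"C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"),
    RegSetEvent(r"\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000"
                r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                "MicroUpdate",
                r"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"),
    RegSetEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                "SecurityHealth",
                r"%windir%\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.technique}: {f.detail}")
```

Fed the report's two rows, it emits one T1547.004 finding for the appended msdcsc.exe path and one T1547.001 finding for MicroUpdate, and stays silent on the stock SecurityHealth entry. The Winlogon check is strict on purpose (anything but the default fires) because legitimate software has no business in UserInit or Shell; the Run-key check is looser because Run entries are common, so it keys on the target living in a user-writable directory, which is exactly the Documents\MSDCSC path this sample chose.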
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
    "C:\Users\Admin\AppData\Local\Temp\287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe"
    Modifies WinLogon for persistence
    Checks computer location settings
    Adds Run key to start application
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4020
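The "UPX packed file" signature above is a YARA match on the dropped file, which per the Downloads section is byte-identical to the submitted sample. The following is an added example, not code from the report, from the sandbox, or from the YARA rule it used: a dependency-free Python parser that walks the PE headers to list section names and reports the two cheapest UPX indicators, UPX0/UPX1-style section names and the "UPX!" magic that stock UPX leaves in the file. The build_stub_pe helper and the two sample byte strings are constructed for this example (header-only stubs, not loadable binaries), and the indicator names are this example's own.

```python
import struct

# Section-name prefix stock UPX uses (UPX0, UPX1, UPX2); modified builds may rename it.
UPX_SECTION_PREFIX = "UPX"


def pe_section_names(data: bytes) -> list[str]:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table; return section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size          # section table follows the optional header
    names = []
    for i in range(n_sections):
        off = table + i * 40              # IMAGE_SECTION_HEADER is 40 bytes; Name is the first 8
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Two cheap UPX indicators: UPX* section names and the 'UPX!' magic string."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_sections": [n for n in names if n.upper().startswith(UPX_SECTION_PREFIX)],
        "upx_magic": b"UPX!" in data,
    }


def looks_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["upx_magic"]


def build_stub_pe(section_names: list[bytes], trailer: bytes = b"") -> bytes:
    """Constructed, non-loadable PE header for testing: MZ stub, PE signature, COFF header
    with a 0xE0-byte (PE32-sized) optional header of zeros, then the section table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + sections + trailer


# Constructed samples: a UPX-style section layout and a stock MSVC layout.
PACKED_SAMPLE = build_stub_pe([b"UPX0", b"UPX1", b".rsrc"], trailer=b"UPX!")
CLEAN_SAMPLE = build_stub_pe([b".text", b".rdata", b".data", b".rsrc"])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, upx_indicators(blob))
```

On a real file call looks_upx_packed(open(path, "rb").read()). Both indicators are trivially removed by a modified UPX build (renamed sections, patched magic), which is why the sandbox's rule says "UPX/modified UPX": a negative here is not evidence that the file is unpacked. The parser honours SizeOfOptionalHeader rather than assuming a fixed offset, so it works for PE32 and PE32+ alike; the reliable route remains running upx -d on a copy and, failing that, dumping the process after it has unpacked itself in memory.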
Network
MITRE ATT&CK Matrix

The matrix rendered as tactic column headings only (Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation). The techniques observed in this task are the TTPs listed under each signature above: Winlogon Helper DLL and Registry Run Keys / Startup Folder (Persistence), Modify Registry (Defense Evasion), Query Registry and System Information Discovery (Discovery).
Downloads
  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

    MD5

    2c0d429589bc6ff62344c943b0db8def

    SHA1

    602c64345157856e174eb001d2a2b81346117094

    SHA256

    287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287

    SHA512

    c661e141a6492369ca45911af5740ce1bb7d85117f3f113da07cf22d83bef911036c7d06b4a5cbacca738e73075b09e476bdca16fa0a9beb5d471bcf9f48f649

    These are the hashes of the submitted sample: msdcsc.exe is a byte-identical self-copy that the sample then registers under Winlogon\UserInit and the Run key. The task recorded no other dropped or downloaded file and no network activity.

  • memory/4020-130-0x0000000000000000-mapping.dmp