Analysis

Max time kernel: 150s
Max time network: 49s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 25-05-2022 00:23

Behavioral task: behavioral1
Sample: 4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe
Resource: win7-20220414-en
General

Target: 4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe
Size: 690KB
MD5: 6b5b75a9e7c39b3737029ac0bde1c152
SHA1: def2b6e36621133659ac94cc9bc60cbe7743c6ce
SHA256: 4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818
SHA512: d0f74e89c78a3baf9907799790b0aba7a7ed8594db502397e52106f0a114aad5c4435a49a59f56a785427b06a59f28636d3de3e6125a82a34b3f07fedc6a4d90
Malware Config

Family: darkcomet
C2: 127.0.0.1:1604
Mutex: DC_MUTEX-W1Y6BV1
InstallPath: MSDCSC\msdcsc.exe
gencode: 6zPJwU2MxqV4
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate

The C2 address is loopback and 1604 is DarkComet's default listening port, so this build cannot reach an operator from the sandbox. MSDCSC\msdcsc.exe and MicroUpdate are the builder's default install path and Run key name; the mutex and gencode are the per-build values worth pivoting on.
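The fields above are what a DarkComet config decoder recovers from the stub. The script below is an added example, not code from the sandbox or from DarkComet, showing how that recovery works: DarkComet 4.x/5.x stubs keep the config in an RCDATA resource named DCDATA, RC4-encrypted with a fixed per-version key (for example "#KCMDDC51#-890" for 5.1) and stored hex-encoded, and the plaintext is KEY={value} lines between "#BEGIN DARKCOMET DATA --" and "#EOF DARKCOMET DATA --". Assumptions: the resource bytes are passed in directly (reading DCDATA out of the PE is left out), the key list covers only the versions listed, the raw field names (MUTEX, NETDATA, EDTPATH, KEYNAME, PERSINST, OFFLINEK, GENCODE, INSTALL) follow public DarkComet config write-ups, and SAMPLE_PLAINTEXT is constructed here from the report's values rather than read from the real sample.

```python
"""DarkComet DCDATA config decryptor/parser (added example, constructed sample)."""
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Fixed RC4 keys by DarkComet version.
DARKCOMET_KEYS: List[bytes] = [
    b"#KCMDDC51#-890",   # 5.1
    b"#KCMDDC5#-890",    # 5.0
    b"#KCMDDC42F#-890",  # 4.2F
    b"#KCMDDC4#-890",    # 4.0
]

CONFIG_LINE = re.compile(r"^([A-Z0-9_]+)=\{(.*)\}$")
BEGIN_MARKER = b"#BEGIN DARKCOMET DATA"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_dcdata(resource: bytes) -> Optional[Tuple[str, str]]:
    """Try each known key; return (key, plaintext) for the one that yields the
    DarkComet header, or None if no key fits (unknown version or not DarkComet)."""
    try:
        blob = binascii.unhexlify(resource.strip())
    except (binascii.Error, ValueError):
        return None
    for key in DARKCOMET_KEYS:
        plain = rc4(key, blob)
        if plain.startswith(BEGIN_MARKER):
            return key.decode(), plain.decode("latin-1")
    return None


def parse_config(text: str) -> Dict[str, str]:
    """KEY={value} lines -> dict; the BEGIN/EOF markers and blank lines are skipped."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = CONFIG_LINE.match(line.strip())
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def summarize(cfg: Dict[str, str]) -> dict:
    """Map the raw DarkComet field names onto the labels the report uses.
    NETDATA may carry several host:port entries separated by '|' (assumed)."""
    return {
        "c2": [h for h in cfg.get("NETDATA", "").split("|") if h],
        "mutex": cfg.get("MUTEX"),
        "install_path": cfg.get("EDTPATH"),
        "gencode": cfg.get("GENCODE"),
        "install": cfg.get("INSTALL") == "1",
        "offline_keylogger": cfg.get("OFFLINEK") == "1",
        "persistence": cfg.get("PERSINST") == "1",
        "reg_key": cfg.get("KEYNAME"),
    }


def extract(resource: bytes) -> Optional[Tuple[str, dict]]:
    """Full pipeline: resource bytes -> (key that worked, summarized config)."""
    found = decrypt_dcdata(resource)
    if found is None:
        return None
    key, text = found
    return key, summarize(parse_config(text))


def build_resource(plaintext: str, key: bytes) -> bytes:
    """Inverse of decrypt_dcdata (RC4 then hex); used only to construct sample data here."""
    return binascii.hexlify(rc4(key, plaintext.encode("latin-1"))).upper()


# Constructed sample: the report's extracted values in DarkComet's plaintext
# layout. DIRATTRIB/FILEATTRIB 6 = HIDDEN (2) | SYSTEM (4), i.e. the attributes
# the attrib +s +h commands in the process tree apply.
SAMPLE_PLAINTEXT = (
    "#BEGIN DARKCOMET DATA --\r\n"
    "MUTEX={DC_MUTEX-W1Y6BV1}\r\n"
    "NETDATA={127.0.0.1:1604}\r\n"
    "GENCODE={6zPJwU2MxqV4}\r\n"
    "INSTALL={1}\r\n"
    "EDTPATH={MSDCSC\\msdcsc.exe}\r\n"
    "KEYNAME={MicroUpdate}\r\n"
    "PERSINST={1}\r\n"
    "OFFLINEK={1}\r\n"
    "DIRATTRIB={6}\r\n"
    "FILEATTRIB={6}\r\n"
    "#EOF DARKCOMET DATA --\r\n"
)
SAMPLE_RESOURCE = build_resource(SAMPLE_PLAINTEXT, DARKCOMET_KEYS[0])  # 5.1-keyed blob

if __name__ == "__main__":
    print(extract(SAMPLE_RESOURCE))
```

Trying every key and accepting only a decryption that starts with the DarkComet header is what keeps the decoder from emitting garbage for a stub of a version it does not know; a None result is the signal to go look at the binary rather than trust a partial config.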
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: 4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe (PID 1784, "the sample" below)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
Userinit is a comma-separated list: the stub keeps the stock userinit.exe entry so logon still works and appends the RAT path, which then starts at every interactive logon. The value lives under HKLM, so this write only succeeds when the stub runs with administrative rights; the per-user Run key below needs none.

Executes dropped EXE (1 IoC)
Process: msdcsc.exe (PID 1984)

Loads dropped DLL (2 IoCs)
Process: the sample (PID 1784), 2 events
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: msdcsc.exe (PID 1984) and the sample (PID 1784), one write each
Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
Both the original stub and its installed copy write the same per-user Run value, so the RAT ends up with two independent autostart entries (this Run key and the Winlogon Userinit entry above); removing one leaves the other.
Enumerates physical storage devices (1 TTP)
Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour."
The "likely ransomware" wording is the engine's generic description for this signature, not a verdict on this sample: the extracted config identifies a DarkComet RAT, drive enumeration is consistent with its file-manager features, and nothing else in the report shows file encryption.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: msdcsc.exe (PID 1984)
Repeated foreground-window polling is how a keylogger tags captured keystrokes with the active window title; the config has offline_keylogger enabled.
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: the sample (PID 1784) and msdcsc.exe (PID 1984)
Each process enables the same 23 privileges in its own token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, plus privilege LUIDs 33, 34 and 35 that the sandbox did not resolve to names.
Enabling every privilege at once is a blanket AdjustTokenPrivileges call, not an escalation: it can only enable privileges the token already holds, which here means the sample was already running as an administrator. The entries worth alerting on are SeDebugPrivilege (cross-process memory access) and SeBackupPrivilege/SeRestorePrivilege (bypass file and registry ACLs).
Suspicious use of SetWindowsHookEx (1 IoC)
Process: msdcsc.exe (PID 1984)
A Windows hook installed by the installed copy, consistent with the enabled offline keylogger.
Suspicious use of WriteProcessMemory (43 IoCs)
Writes grouped by source -> target (PID and image, with event count):
  1784 the sample -> 1108 cmd.exe: 4
  1784 the sample -> 1128 cmd.exe: 4
  1108 cmd.exe -> 844 attrib.exe: 4
  1128 cmd.exe -> 2000 attrib.exe: 4
  1784 the sample -> 1984 msdcsc.exe: 4
  1984 msdcsc.exe -> 1700 notepad.exe: 23
The groups of four writes go into processes the writer has just created and match ordinary process creation as this sandbox records it. The 23 writes from msdcsc.exe into notepad.exe (PID 1700) are the outlier: msdcsc.exe spawns notepad.exe (see the process tree) and copies code into it, DarkComet's usual way of hiding its running payload inside a benign-looking host process.
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe (PID 844), attrib.exe (PID 2000)
Both runs set +s +h (system and hidden): one on the executed sample itself, one on the whole %LOCALAPPDATA%\Temp directory, so the files disappear from a default Explorer view.
Processes

The sample is a 32-bit executable on a 64-bit Windows 7 image, so its calls to C:\Windows\System32 are redirected to C:\Windows\SysWOW64; that is why the image paths below differ from the command lines. cmd.exe is invoked with /k rather than /c, so each cmd.exe stays alive after attrib returns.

1. C:\Users\Admin\AppData\Local\Temp\4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe (PID 1784)
   Command line: "C:\Users\Admin\AppData\Local\Temp\4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe"
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe" +s +h
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib "C:\Users\Admin\AppData\Local\Temp\4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe" +s +h
         - Views/modifies file attributes

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
         - Views/modifies file attributes

   2. C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (PID 1984)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\notepad.exe (PID 1700)
         Command line: notepad
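The process tree above and the WriteProcessMemory signature together are what separate the injection into notepad.exe from the ordinary parent-writes-child noise. The script below is an added example, not code from the sandbox, that parses the report's flattened "PID <src> wrote to memory of <dst> <src> <src image> <dst image>" events into per-edge counts, rebuilds the tree from those edges, and flags the edge that is real injection. SAMPLE_EVENTS is reconstructed from the report's 43 events; the four-writes-per-creation cutoff and the host-process list are assumptions tuned to this report, not properties of the sandbox.

```python
"""Injection triage over sandbox WriteProcessMemory events (added example)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")

# Processes a RAT commonly spawns to hide in; notepad.exe is DarkComet's default host.
COMMON_INJECTION_HOSTS = {"notepad.exe", "svchost.exe", "explorer.exe", "rundll32.exe", "iexplore.exe"}
# In this report every freshly created child receives exactly four writes from
# its parent; treat up to that many as process-creation noise (assumed cutoff).
CREATE_PROCESS_WRITES = 4

Edge = Tuple[int, int]


def parse_events(lines: List[str]) -> List[Tuple[int, int, str, str]]:
    """(src_pid, dst_pid, src_image, dst_image) per event; unparseable lines are skipped."""
    out = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            out.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return out


def summarize_writes(lines: List[str]) -> Dict[Edge, dict]:
    """Collapse repeated events into one record per (src, dst) edge with a count."""
    counts: Counter = Counter()
    images: Dict[Edge, Tuple[str, str]] = {}
    for src, dst, src_img, dst_img in parse_events(lines):
        counts[(src, dst)] += 1
        images[(src, dst)] = (src_img, dst_img)
    return {
        edge: {"src_image": images[edge][0], "dst_image": images[edge][1], "count": n}
        for edge, n in counts.items()
    }


def flag_injections(summary: Dict[Edge, dict]) -> List[dict]:
    """An edge is injection if it carries more writes than process creation
    explains, or if the target is a stock host a RAT would spawn to hide in."""
    flagged = []
    for (src, dst), rec in summary.items():
        reasons = []
        if rec["count"] > CREATE_PROCESS_WRITES:
            reasons.append(f"{rec['count']} writes (> {CREATE_PROCESS_WRITES} expected for creation)")
        if rec["dst_image"].lower() in COMMON_INJECTION_HOSTS:
            reasons.append(f"target {rec['dst_image']} is a common injection host")
        if reasons:
            flagged.append({"src": src, "dst": dst, **rec, "reasons": reasons})
    return flagged


def render_tree(summary: Dict[Edge, dict], root: int) -> List[str]:
    """Indented parent -> child view built from the write edges (each child in
    this report was also created by its writer, so the edges double as the tree)."""
    children: Dict[int, List[int]] = {}
    names: Dict[int, str] = {}
    for (src, dst), rec in summary.items():
        children.setdefault(src, []).append(dst)
        names[src], names[dst] = rec["src_image"], rec["dst_image"]
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{names.get(pid, '?')} ({pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


# Reconstructed from the report: six edges, 43 events in total.
SAMPLE = "4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe"
SAMPLE_EVENTS = (
    [f"PID 1784 wrote to memory of 1108 1784 {SAMPLE} cmd.exe"] * 4
    + [f"PID 1784 wrote to memory of 1128 1784 {SAMPLE} cmd.exe"] * 4
    + ["PID 1108 wrote to memory of 844 1108 cmd.exe attrib.exe"] * 4
    + ["PID 1128 wrote to memory of 2000 1128 cmd.exe attrib.exe"] * 4
    + [f"PID 1784 wrote to memory of 1984 1784 {SAMPLE} msdcsc.exe"] * 4
    + ["PID 1984 wrote to memory of 1700 1984 msdcsc.exe notepad.exe"] * 23
)

if __name__ == "__main__":
    s = summarize_writes(SAMPLE_EVENTS)
    print("\n".join(render_tree(s, 1784)))
    for f in flag_injections(s):
        print(f"{f['src_image']} -> {f['dst_image']}: " + "; ".join(f["reasons"]))
```

The two flagging rules are deliberately independent: the write-count rule catches injection into a host not on the list, and the host-name rule catches a stealthier injector that keeps its write count low.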
Network

No network events are listed, which is consistent with the extracted C2 being 127.0.0.1:1604.

MITRE ATT&CK Matrix (ATT&CK v6)

In current ATT&CK numbering (the report references v6, which predates sub-techniques) the signatures above correspond to Boot or Logon Autostart Execution: Registry Run Keys (T1547.001) and Winlogon Helper DLL (T1547.004), Hide Artifacts: Hidden Files and Directories (T1564.001), Process Injection (T1055) and Input Capture: Keylogging (T1056.001).
Downloads

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize: 690KB
MD5: 6b5b75a9e7c39b3737029ac0bde1c152
SHA1: def2b6e36621133659ac94cc9bc60cbe7743c6ce
SHA256: 4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818
SHA512: d0f74e89c78a3baf9907799790b0aba7a7ed8594db502397e52106f0a114aad5c4435a49a59f56a785427b06a59f28636d3de3e6125a82a34b3f07fedc6a4d90

The report lists this file four times (twice with and twice without the drive letter); all four entries are the same file. Its size and all four hashes match the submitted sample exactly: the stub installs by copying itself byte-for-byte to %LOCALAPPDATA%\Temp\MSDCSC\msdcsc.exe, so a hash-based rule for the sample also matches the installed copy.
Memory dumps:
memory/844-57-0x0000000000000000-mapping.dmp
memory/1108-55-0x0000000000000000-mapping.dmp
memory/1128-56-0x0000000000000000-mapping.dmp
memory/1700-65-0x0000000000000000-mapping.dmp
memory/1784-54-0x0000000074C81000-0x0000000074C83000-memory.dmp (8KB)
memory/1984-61-0x0000000000000000-mapping.dmp
memory/2000-58-0x0000000000000000-mapping.dmp