Analysis
- Max time kernel: 150s
- Max time network: 159s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 25-05-2022 00:23
Behavioral task: behavioral1
- Sample: 4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe
- Resource: win7-20220414-en
General
- Target: 4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe
- Size: 690KB
- MD5: 6b5b75a9e7c39b3737029ac0bde1c152
- SHA1: def2b6e36621133659ac94cc9bc60cbe7743c6ce
- SHA256: 4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818
- SHA512: d0f74e89c78a3baf9907799790b0aba7a7ed8594db502397e52106f0a114aad5c4435a49a59f56a785427b06a59f28636d3de3e6125a82a34b3f07fedc6a4d90
Malware Config
Extracted family: darkcomet
- C2: 127.0.0.1:1604
- Mutex: DC_MUTEX-W1Y6BV1
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 6zPJwU2MxqV4
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process 4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
- Executes dropped EXE (1 IoC)
  PID 2544 msdcsc.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process 4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe: Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process 4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
  Process msdcsc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Process 4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2544 msdcsc.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  PID 2304 4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 2544 msdcsc.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2544 msdcsc.exe
- Suspicious use of WriteProcessMemory (37 IoCs)
  PID 2304 4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe wrote to memory of PID 1888 cmd.exe (3 times)
  PID 2304 4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe wrote to memory of PID 2064 cmd.exe (3 times)
  PID 1888 cmd.exe wrote to memory of PID 2612 attrib.exe (3 times)
  PID 2064 cmd.exe wrote to memory of PID 4220 attrib.exe (3 times)
  PID 2304 4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe wrote to memory of PID 2544 msdcsc.exe (3 times)
  PID 2544 msdcsc.exe wrote to memory of PID 4024 notepad.exe (22 times)
- Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 4220 attrib.exe
  PID 2612 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe"
  Signatures: Modifies WinLogon for persistence; Checks computer location settings; Adds Run key to start application; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe" +s +h
    Signatures: Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\attrib.exe
  Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  Signatures: Views/modifies file attributes
- C:\Windows\SysWOW64\attrib.exe
  Command line: attrib "C:\Users\Admin\AppData\Local\Temp\4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818.exe" +s +h
  Signatures: Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  Filesize: 690KB
  MD5: 6b5b75a9e7c39b3737029ac0bde1c152
  SHA1: def2b6e36621133659ac94cc9bc60cbe7743c6ce
  SHA256: 4c44224a2703b19147751b2926bd047e82dd80305141a253418594c6f4672818
  SHA512: d0f74e89c78a3baf9907799790b0aba7a7ed8594db502397e52106f0a114aad5c4435a49a59f56a785427b06a59f28636d3de3e6125a82a34b3f07fedc6a4d90
Memory dumps:
- memory/1888-130-0x0000000000000000-mapping.dmp
- memory/2064-131-0x0000000000000000-mapping.dmp
- memory/2544-134-0x0000000000000000-mapping.dmp
- memory/2612-132-0x0000000000000000-mapping.dmp
- memory/4024-137-0x0000000000000000-mapping.dmp
- memory/4220-133-0x0000000000000000-mapping.dmp