Analysis
- max time kernel: 151s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 25-05-2022 01:07

Behavioral task: behavioral1
- Sample: e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe
- Resource: win7-20220414-en
General
- Target: e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe
- Size: 690KB
- MD5: d7f711538e044b1db71efad106ed6659
- SHA1: c048b33b8e497a9bbc6df0a59080ae1b3ae7d2e7
- SHA256: e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9
- SHA512: 9167e182fbb50578ef2f3337274a2340d86977fe400e00920e21cc002a117a18362d1d65c98a512b67178b53a1e8a128bed04ac15dd99108fb69ecbc5cf3ccf3
Malware Config
Extracted family: darkcomet
- All
- C2: :1604
- Mutex: DC_MUTEX-APF4CUU
- InstallPath: MSDCSC\msdcsc.exe
- gencode: fmb76uQCmiRB
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe

Executes dropped EXE (1 IoC)
Processes: msdcsc.exe
  pid 1156  msdcsc.exe

Loads dropped DLL (2 IoCs)
Processes: e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe
  pid 1684  e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe
  pid 1684  e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe, msdcsc.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: msdcsc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: msdcsc.exe
  pid 1156  msdcsc.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe (pid 1684), msdcsc.exe (pid 1156)
Each of the two processes adjusted the same 23 token privileges, in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35.

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: msdcsc.exe
  pid 1156  msdcsc.exe

Suspicious use of WriteProcessMemory (43 IoCs)
Processes: e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe, cmd.exe, cmd.exe, msdcsc.exe
Writes grouped by source and target process (the report lists each pair once per write; count given in the last column):
  source pid  source process                                                              target pid  target process  writes
  1684        e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe        1484        cmd.exe         4
  1684        e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe        952         cmd.exe         4
  1484        cmd.exe                                                                     1208        attrib.exe      4
  952         cmd.exe                                                                     1728        attrib.exe      4
  1684        e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe        1156        msdcsc.exe      4
  1156        msdcsc.exe                                                                  1772        notepad.exe     23

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe, attrib.exe
  pid 1728  attrib.exe
  pid 1208  attrib.exe
Processes
Process tree (indentation shows the depth recorded by the sandbox; the last two entries were recorded at depth 1):

C:\Users\Admin\AppData\Local\Temp\e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe" +s +h
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\attrib.exe
          command line: attrib "C:\Users\Admin\AppData\Local\Temp\e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe" +s +h
          - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory

    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\attrib.exe
  command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  - Views/modifies file attributes

C:\Windows\SysWOW64\notepad.exe
  command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 690KB
  MD5: d7f711538e044b1db71efad106ed6659
  SHA1: c048b33b8e497a9bbc6df0a59080ae1b3ae7d2e7
  SHA256: e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9
  SHA512: 9167e182fbb50578ef2f3337274a2340d86977fe400e00920e21cc002a117a18362d1d65c98a512b67178b53a1e8a128bed04ac15dd99108fb69ecbc5cf3ccf3
  (same size and hashes as the submitted sample)
- memory/952-56-0x0000000000000000-mapping.dmp
- memory/1156-61-0x0000000000000000-mapping.dmp
- memory/1208-57-0x0000000000000000-mapping.dmp
- memory/1484-55-0x0000000000000000-mapping.dmp
- memory/1684-54-0x0000000076431000-0x0000000076433000-memory.dmp
  Filesize: 8KB
- memory/1728-58-0x0000000000000000-mapping.dmp
- memory/1772-65-0x0000000000000000-mapping.dmp