Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-05-2022 01:07
Behavioral task: behavioral1
- Sample: e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe
- Resource: win7-20220414-en
General
- Target: e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe
- Size: 690KB
- MD5: d7f711538e044b1db71efad106ed6659
- SHA1: c048b33b8e497a9bbc6df0a59080ae1b3ae7d2e7
- SHA256: e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9
- SHA512: 9167e182fbb50578ef2f3337274a2340d86977fe400e00920e21cc002a117a18362d1d65c98a512b67178b53a1e8a128bed04ac15dd99108fb69ecbc5cf3ccf3
Malware Config
Extracted: darkcomet
- All :1604
- DC_MUTEX-APF4CUU
- InstallPath: MSDCSC\msdcsc.exe
- gencode: fmb76uQCmiRB
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes:
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" by e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe
- Executes dropped EXE (1 IoCs)
  Processes:
  - PID 2848 msdcsc.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation by e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" by e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" by msdcsc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes:
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ by e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  - PID 2848 msdcsc.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes:
  - PID 2148 e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe, token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  - PID 2848 msdcsc.exe, token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  - PID 2848 msdcsc.exe
- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes (source PID -> target PID, source process -> target process, number of events):
  - 2148 -> 3368, e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe -> cmd.exe, 3 times
  - 2148 -> 4668, e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe -> cmd.exe, 3 times
  - 3368 -> 4876, cmd.exe -> attrib.exe, 3 times
  - 4668 -> 4864, cmd.exe -> attrib.exe, 3 times
  - 2148 -> 2848, e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe -> msdcsc.exe, 3 times
  - 2848 -> 2616, msdcsc.exe -> notepad.exe, 22 times
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes:
  - PID 4864 attrib.exe
  - PID 4876 attrib.exe
Processes (indentation shows parent/child relationship; signatures are listed under the process that triggered them)
- C:\Users\Admin\AppData\Local\Temp\e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe" +s +h
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
- C:\Windows\SysWOW64\attrib.exe
  Command line: attrib "C:\Users\Admin\AppData\Local\Temp\e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9.exe" +s +h
  - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 690KB
  MD5: d7f711538e044b1db71efad106ed6659
  SHA1: c048b33b8e497a9bbc6df0a59080ae1b3ae7d2e7
  SHA256: e1f217b1bbd2e69f5234c04c4d4d76e6738faeff250b5dd97ff2700ec190a5b9
  SHA512: 9167e182fbb50578ef2f3337274a2340d86977fe400e00920e21cc002a117a18362d1d65c98a512b67178b53a1e8a128bed04ac15dd99108fb69ecbc5cf3ccf3
-
memory/2616-137-0x0000000000000000-mapping.dmp
-
memory/2848-134-0x0000000000000000-mapping.dmp
-
memory/3368-130-0x0000000000000000-mapping.dmp
-
memory/4668-131-0x0000000000000000-mapping.dmp
-
memory/4864-133-0x0000000000000000-mapping.dmp
-
memory/4876-132-0x0000000000000000-mapping.dmp