Analysis
- max time kernel: 152s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 30-06-2022 19:03
Behavioral task: behavioral1
- Sample: 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe
- Resource: win7-20220414-en
General
- Target: 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe
- Size: 690KB
- MD5: 3a22854e13ec22a99aaf693ca81d2898
- SHA1: 8c59c824bc38b6aa0f2310752b4d6c96104f40a4
- SHA256: 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f
- SHA512: ca18233f933509679c74469a23487c5bb3f9e7a48aca9ba98e76d7201b679097c1af4aadf77ef3dbbee1d008d8806d418eb9c7c4fd0a85c38bf4b9d7b726a9fa
Malware Config
Extracted
- Family: darkcomet
- Botnet: ALL
- C2: 78.179.195.97:1604
- Mutex: DC_MUTEX-G42FP02
Attributes
- InstallPath: MSDCSC\msdcsc.exe
- gencode: AYYXG1rhBfzD
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"

Executes dropped EXE (1 IoC)
  PID 604   msdcsc.exe

Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 1216  attrib.exe
  PID 1156  attrib.exe

Loads dropped DLL (2 IoCs)
  PID 1320  1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe
  PID 1320  1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
  Process: msdcsc.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 604   msdcsc.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Each of the following 23 privileges was enabled on the token of PID 1320 (1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe) and again on the token of PID 604 (msdcsc.exe):
  - SeIncreaseQuotaPrivilege
  - SeSecurityPrivilege
  - SeTakeOwnershipPrivilege
  - SeLoadDriverPrivilege
  - SeSystemProfilePrivilege
  - SeSystemtimePrivilege
  - SeProfSingleProcessPrivilege
  - SeIncBasePriorityPrivilege
  - SeCreatePagefilePrivilege
  - SeBackupPrivilege
  - SeRestorePrivilege
  - SeShutdownPrivilege
  - SeDebugPrivilege
  - SeSystemEnvironmentPrivilege
  - SeChangeNotifyPrivilege
  - SeRemoteShutdownPrivilege
  - SeUndockPrivilege
  - SeManageVolumePrivilege
  - SeImpersonatePrivilege
  - SeCreateGlobalPrivilege
  - 33, 34, 35 (privileges reported by numeric value only)

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 604   msdcsc.exe

Suspicious use of WriteProcessMemory (43 IoCs)
  Identical rows are grouped; the last column is how many times each row appears in the report.
  Source PID  Source process                                                          Target PID  Target process  Rows
  1320        1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe  956         cmd.exe         4
  1320        1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe  1236        cmd.exe         4
  956         cmd.exe                                                                 1156        attrib.exe      4
  1236        cmd.exe                                                                 1216        attrib.exe      4
  1320        1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe  604         msdcsc.exe      4
  604         msdcsc.exe                                                              580         notepad.exe     23

Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 1156  attrib.exe
  PID 1216  attrib.exe
Processes
(indentation shows parent/child relationship; the command line follows the image path)

C:\Users\Admin\AppData\Local\Temp\1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  Filesize: 690KB
  MD5: 3a22854e13ec22a99aaf693ca81d2898
  SHA1: 8c59c824bc38b6aa0f2310752b4d6c96104f40a4
  SHA256: 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f
  SHA512: ca18233f933509679c74469a23487c5bb3f9e7a48aca9ba98e76d7201b679097c1af4aadf77ef3dbbee1d008d8806d418eb9c7c4fd0a85c38bf4b9d7b726a9fa
- \Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  Filesize: 690KB
  MD5: 3a22854e13ec22a99aaf693ca81d2898
  SHA1: 8c59c824bc38b6aa0f2310752b4d6c96104f40a4
  SHA256: 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f
  SHA512: ca18233f933509679c74469a23487c5bb3f9e7a48aca9ba98e76d7201b679097c1af4aadf77ef3dbbee1d008d8806d418eb9c7c4fd0a85c38bf4b9d7b726a9fa
- memory/580-65-0x0000000000000000-mapping.dmp
- memory/604-61-0x0000000000000000-mapping.dmp
- memory/956-55-0x0000000000000000-mapping.dmp
- memory/1156-57-0x0000000000000000-mapping.dmp
- memory/1216-58-0x0000000000000000-mapping.dmp
- memory/1236-56-0x0000000000000000-mapping.dmp
- memory/1320-54-0x0000000075CD1000-0x0000000075CD3000-memory.dmp
  Filesize: 8KB