Analysis
- max time kernel: 151s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 30-06-2022 19:03
Behavioral task: behavioral1
- Sample: 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe
- Resource: win7-20220414-en
General
- Target: 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe
- Size: 690KB
- MD5: 3a22854e13ec22a99aaf693ca81d2898
- SHA1: 8c59c824bc38b6aa0f2310752b4d6c96104f40a4
- SHA256: 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f
- SHA512: ca18233f933509679c74469a23487c5bb3f9e7a48aca9ba98e76d7201b679097c1af4aadf77ef3dbbee1d008d8806d418eb9c7c4fd0a85c38bf4b9d7b726a9fa
Malware Config
Extracted: darkcomet
- ALL
- C2: 78.179.195.97:1604
- Mutex: DC_MUTEX-G42FP02
- InstallPath: MSDCSC\msdcsc.exe
- gencode: AYYXG1rhBfzD
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe
-
Executes dropped EXE 1 IoCs
Processes: msdcsc.exe
  pid | process
  3556 | msdcsc.exe
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
  pid | process
  4604 | attrib.exe
  4616 | attrib.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe, msdcsc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | msdcsc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes: 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: msdcsc.exe
  pid | process
  3556 | msdcsc.exe
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes: 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe, msdcsc.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries, one IoC each) | 4532 | 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries, one IoC each) | 3556 | msdcsc.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: msdcsc.exe
  pid | process
  3556 | msdcsc.exe
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes: 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe, cmd.exe, cmd.exe, msdcsc.exe
  description | pid | process | target process
  PID 4532 wrote to memory of 4520 (3 IoCs) | 4532 | 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe | cmd.exe
  PID 4532 wrote to memory of 2796 (3 IoCs) | 4532 | 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe | cmd.exe
  PID 4520 wrote to memory of 4604 (3 IoCs) | 4520 | cmd.exe | attrib.exe
  PID 2796 wrote to memory of 4616 (3 IoCs) | 2796 | cmd.exe | attrib.exe
  PID 4532 wrote to memory of 3556 (3 IoCs) | 4532 | 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe | msdcsc.exe
  PID 3556 wrote to memory of 1512 (22 IoCs) | 3556 | msdcsc.exe | notepad.exe
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes: attrib.exe, attrib.exe
  pid | process
  4604 | attrib.exe
  4616 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  Filesize: 690KB
  MD5: 3a22854e13ec22a99aaf693ca81d2898
  SHA1: 8c59c824bc38b6aa0f2310752b4d6c96104f40a4
  SHA256: 1b306c2602d71c1b39a6972d2c8607e544edb2eeab17b423729a0c1b0f340f3f
  SHA512: ca18233f933509679c74469a23487c5bb3f9e7a48aca9ba98e76d7201b679097c1af4aadf77ef3dbbee1d008d8806d418eb9c7c4fd0a85c38bf4b9d7b726a9fa
-
memory/1512-137-0x0000000000000000-mapping.dmp
-
memory/2796-131-0x0000000000000000-mapping.dmp
-
memory/3556-134-0x0000000000000000-mapping.dmp
-
memory/4520-130-0x0000000000000000-mapping.dmp
-
memory/4604-132-0x0000000000000000-mapping.dmp
-
memory/4616-133-0x0000000000000000-mapping.dmp