Analysis
Max time kernel: 151s
Max time network: 157s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 14-07-2022 00:12

Behavioral task: behavioral1
Sample: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe
Resource: win7-20220414-en
General
Target: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe
Size: 658KB
MD5: d3589c94215ab602474b5d6b6e7a6380
SHA1: 49c2134fb14c2546771933b1ddfc53dd0561aa00
SHA256: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db
SHA512: e2625c5dcd3f44528baf998acf1b6867e6dbaba94679cb6e5faa6b024552f17b2d62442ba04eef57e32f1706572e1ddcdd60748ebd9169b85b8062b6d5641bfa
Malware Config
Extracted
Family: darkcomet
Botnet ID: Guest16 (the DarkComet "server ID" field; Guest16 is the builder default)
C2: 8.tcp.ngrok.io:13657
Mutex: DC_MUTEX-G3PH8LT
InstallPath: MSDCSC\msdcsc.exe
gencode: wAgcpnDzigN6
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate

A note on using these as indicators: 8.tcp.ngrok.io is a shared ngrok TCP-tunnel endpoint and the port is assigned per tunnel, so host:port only identifies this operator's tunnel while it is up, and blocking the hostname blocks every ngrok tunnel. The mutex DC_MUTEX-G3PH8LT, the install directory MSDCSC\msdcsc.exe under the user's Documents folder, and the Run value name MicroUpdate are the more durable host-side indicators for this build. offline_keylogger: true means keystrokes are captured and stored locally even when the C2 is unreachable, which is consistent with the SetWindowsHookEx signature further down.
Signatures
-
- Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe (PID 1720)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
The legitimate value is "C:\Windows\system32\userinit.exe," alone; appending msdcsc.exe makes Winlogon launch the implant at every interactive logon, independently of the Run key below. Because this is under HKLM, the sample must have been running with rights to write there.
- Modifies security service 2 TTPs 1 IoCs
Processes: msdcsc.exe (PID 1256)
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
Start = 4 is SERVICE_DISABLED, so the Security Center service (wscsvc) will not start on the next boot.
- Windows security bypass (heading restored from the process tree below)
Processes: msdcsc.exe (PID 1256)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Executes dropped EXE 1 IoCs
Processes: msdcsc.exe (PID 1256)
- Loads dropped DLL 2 IoCs
Processes: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe (PID 1720), 2 events
The only dropped file recorded in this report is msdcsc.exe (see Downloads), so this is the parent mapping its own dropped copy.
- Windows security modification (heading restored from the process tree below)
Processes: msdcsc.exe (PID 1256)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
The same write is reported under both headings; setting AntiVirusDisableNotify = 1 suppresses the Security Center "no antivirus" warning to the user.
- Adds Run key to start application 2 TTPs 2 IoCs
Processes: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe (PID 1720), msdcsc.exe (PID 1256)
Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (written by the sample)
Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (written again by msdcsc.exe)
The value name matches reg_key: MicroUpdate in the extracted config.
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second sentence is the sandbox's generic description for this signature. Nothing else in this report (no mass file writes, no encryption, no ransom note) supports ransomware; drive enumeration is also what a RAT with a remote file manager does on start-up.
- Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe (PID 1720), msdcsc.exe (PID 1256)
Each process enables the same 23 privileges in its token, in the same order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges the sandbox reports only by LUID, 33, 34 and 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege). Two processes x 23 privileges = 46 events.
Enabling every privilege the token holds, rather than the one or two an operation needs, is itself the behavioural tell here; no single privilege in the list is suspicious on its own.
- Suspicious use of SetWindowsHookEx 1 IoCs
Processes: msdcsc.exe (PID 1256)
A Windows message hook is the usual user-mode keylogging mechanism and matches offline_keylogger: true in the config.
- Suspicious use of WriteProcessMemory 27 IoCs
Processes: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe (PID 1720), msdcsc.exe (PID 1256)
PID 1720 (the sample) wrote to memory of PID 1256 (msdcsc.exe): 4 events
PID 1256 (msdcsc.exe) wrote to memory of PID 1692 (notepad.exe): 23 events
The writes from msdcsc.exe into a notepad.exe it spawned itself (see the process tree) are consistent with code injection into a benign host process.
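As an added example (not part of the sandbox report and not code from any tool it uses), the Python below parses the registry "Set value" lines and the WriteProcessMemory lines shown in the signatures above, classifies the registry writes into persistence and defence-evasion findings, and collapses the memory writes into writer/target edges with counts. The input lines are transcribed from this report, plus one constructed benign registry line to show it is not flagged; the function names, the Finding class and the technique labels are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# IoC lines transcribed from the report above (constructed input for this example).
# The last registry line is a benign Explorer setting, added to show it is not flagged.
REGISTRY_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1"',
]
SAMPLE = '494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe'
# 4 writes from the dropper into msdcsc.exe, 23 from msdcsc.exe into notepad.exe, as reported.
MEMORY_LINES = (
    [f'PID 1720 wrote to memory of 1256 1720 {SAMPLE} msdcsc.exe'] * 4
    + ['PID 1256 wrote to memory of 1692 1256 msdcsc.exe notepad.exe'] * 23
)

SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<value>.*)"$')
MEM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$')
USERINIT = r'c:\windows\system32\userinit.exe'   # the only entry Userinit should contain


@dataclass
class Finding:
    path: str
    value: str
    technique: str
    detail: str


def parse_set_value(line):
    """Split a 'Set value (...)' report line into (registry path, value); None if it is not one."""
    m = SET_RE.match(line.strip())
    if not m:
        return None
    # The report doubles backslashes inside quoted values; undo that.
    return m['path'], m['value'].replace('\\\\', '\\')


def userinit_extras(value):
    """Return every entry of a comma-separated Userinit value other than the legitimate userinit.exe."""
    entries = [e.strip() for e in value.split(',') if e.strip()]
    return [e for e in entries if e.lower() != USERINIT]


def evaluate(path, value):
    """Map one registry write to a technique, or None when it is not one we care about."""
    low = path.lower()
    name = path.rsplit('\\', 1)[-1]
    if low.endswith(r'\winlogon\userinit'):
        extras = userinit_extras(value)
        if extras:
            return Finding(path, value, 'Winlogon Userinit persistence',
                           'extra Userinit entries: ' + ', '.join(extras))
        return None
    if '\\currentversion\\run\\' in low or '\\currentversion\\runonce\\' in low:
        return Finding(path, value, 'Run key persistence', f'{name} -> {value}')
    if low.endswith(r'\services\wscsvc\start') and value == '4':
        return Finding(path, value, 'Security Center service disabled', 'wscsvc Start=4 (SERVICE_DISABLED)')
    # Covers AntiVirusDisableNotify and its siblings (FirewallDisableNotify, UpdatesDisableNotify).
    if '\\security center\\' in low and low.endswith('disablenotify') and value == '1':
        return Finding(path, value, 'Security Center notification suppressed', f'{name}=1')
    return None


def triage_registry(lines):
    """Run every report line through the parser and classifier; keep only real findings."""
    findings = []
    for line in lines:
        parsed = parse_set_value(line)
        if parsed:
            f = evaluate(*parsed)
            if f:
                findings.append(f)
    return findings


def injection_edges(lines):
    """Collapse WriteProcessMemory events into (writer pid, image, target pid, image, count) edges."""
    edges, names = Counter(), {}
    for line in lines:
        m = MEM_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m['src']), int(m['dst'])
        names[src], names[dst] = m['src_img'], m['dst_img']
        edges[(src, dst)] += 1
    return [(s, names[s], d, names[d], n) for (s, d), n in sorted(edges.items())]


if __name__ == '__main__':
    for f in triage_registry(REGISTRY_LINES):
        print(f'[{f.technique}] {f.detail}')
    for s, si, d, di, n in injection_edges(MEMORY_LINES):
        print(f'{si} ({s}) wrote to {di} ({d}) {n} times')
```

The Userinit check is deliberately an allow-list (anything that is not userinit.exe is reported) rather than a search for msdcsc.exe, so the same function flags any other appended binary; likewise the DisableNotify check is on the value-name suffix, so it generalises beyond the antivirus flag this sample touches.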
Processes
1. C:\Users\Admin\AppData\Local\Temp\494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe (PID 1720)
   Command line: "C:\Users\Admin\AppData\Local\Temp\494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe"
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1256), child of 1
   Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
   - Modifies security service
   - Windows security bypass
   - Executes dropped EXE
   - Windows security modification
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\notepad.exe (PID 1692), child of 2
   Command line: notepad
   No signatures of its own; it is the 32-bit notepad.exe that msdcsc.exe starts with a bare "notepad" command line and then writes into 23 times (see WriteProcessMemory above), i.e. the host process for the injected code.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize: 658KB
MD5: d3589c94215ab602474b5d6b6e7a6380
SHA1: 49c2134fb14c2546771933b1ddfc53dd0561aa00
SHA256: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db
SHA512: e2625c5dcd3f44528baf998acf1b6867e6dbaba94679cb6e5faa6b024552f17b2d62442ba04eef57e32f1706572e1ddcdd60748ebd9169b85b8062b6d5641bfa
The report lists this file four times (twice as C:\Users\Admin\Documents\MSDCSC\msdcsc.exe, twice as \Users\Admin\Documents\MSDCSC\msdcsc.exe) with identical hashes. Those hashes are also identical to the submitted sample's, so msdcsc.exe is a byte-for-byte copy of the dropper in its install path rather than a separately unpacked payload; one file hash therefore covers both the delivered file and the persisted one.

Memory dumps
memory/1256-57-0x0000000000000000-mapping.dmp
memory/1692-61-0x0000000000000000-mapping.dmp
memory/1720-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
Filesize: 8KB