Analysis
max time kernel: 153s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 14-07-2022 00:12
Behavioral task: behavioral1
Sample: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe
Resource: win7-20220414-en
General
Target: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe
Size: 658KB
MD5: d3589c94215ab602474b5d6b6e7a6380
SHA1: 49c2134fb14c2546771933b1ddfc53dd0561aa00
SHA256: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db
SHA512: e2625c5dcd3f44528baf998acf1b6867e6dbaba94679cb6e5faa6b024552f17b2d62442ba04eef57e32f1706572e1ddcdd60748ebd9169b85b8062b6d5641bfa
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: 8.tcp.ngrok.io:13657
Mutex: DC_MUTEX-G3PH8LT
Attributes:
  InstallPath: MSDCSC\msdcsc.exe
  gencode: wAgcpnDzigN6
  install: true
  offline_keylogger: true
  persistence: true
  reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe
Modifies security service (2 TTPs, 1 IoC)
Processes: msdcsc.exe
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
  process: msdcsc.exe
Windows security bypass
Processes: msdcsc.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  process: msdcsc.exe
Executes dropped EXE (1 IoC)
Processes: msdcsc.exe
  pid: 680
  process: msdcsc.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
  process: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe
Windows security modification
Processes: msdcsc.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  process: msdcsc.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe, msdcsc.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: msdcsc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
Processes: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  process: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe, msdcsc.exe
  pid 4032 (494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe), 24 tokens:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
    SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege,
    SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege,
    33, 34, 35, 36
  pid 680 (msdcsc.exe), the same 24 tokens:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
    SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege,
    SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege,
    33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: msdcsc.exe
  pid: 680
  process: msdcsc.exe
Suspicious use of WriteProcessMemory (25 IoCs)
Processes: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe, msdcsc.exe
  PID 4032 (494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe) wrote to memory of PID 680 (msdcsc.exe): 3 entries
  PID 680 (msdcsc.exe) wrote to memory of PID 3656 (notepad.exe): 22 entries
Processes
C:\Users\Admin\AppData\Local\Temp\494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\notepad.exe
      command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 658KB
  MD5: d3589c94215ab602474b5d6b6e7a6380
  SHA1: 49c2134fb14c2546771933b1ddfc53dd0561aa00
  SHA256: 494f1f9db5268247533e28b2a3785de4bea7cd123e050d97700964943922a6db
  SHA512: e2625c5dcd3f44528baf998acf1b6867e6dbaba94679cb6e5faa6b024552f17b2d62442ba04eef57e32f1706572e1ddcdd60748ebd9169b85b8062b6d5641bfa
memory/680-130-0x0000000000000000-mapping.dmp
memory/3656-133-0x0000000000000000-mapping.dmp