Analysis
  max time kernel: 151s
  max time network: 36s
  platform: windows10-2004_x64
  resource: win10v2004-20220722-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25-07-2022 00:14
Behavioral task: behavioral1
  Sample: 6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe
  Resource: win7-20220718-en
General
  Target: 6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe
  Size: 756KB
  MD5: fc31e56ab0b5fc0cf54c77018ac02c4f
  SHA1: 960431fb7697fb10d517a0a1eba6e674c2634886
  SHA256: 6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7
  SHA512: 5a78bd769845247154949a3074883920a2ce7eeaff2588ead01054739aba114e5aad9b1571d863dbdb8c0b8cab5df452c30ba3992d1ca95ef578c9a880c139ae
Malware Config
Extracted
  Family: darkcomet
  Botnet: Guest16
  C2: 39.48.14.238:1604
  Mutex: DC_MUTEX-2888LM2
  Attributes:
    InstallPath: MSDCSC\msdcsc.exe
    gencode: WpcmlJsqmTWl
    install: true
    offline_keylogger: true
    persistence: false
    reg_key: MicroUpdate
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: 6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe
Modifies security service (2 TTPs, 1 IoC)
Processes: msdcsc.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msdcsc.exe
Windows security bypass
Processes: msdcsc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Executes dropped EXE (1 IoC)
Processes: msdcsc.exe
  pid | process
  1572 | msdcsc.exe
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
  pid | process
  5008 | attrib.exe
  5084 | attrib.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation | 6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe
Windows security modification
Processes: msdcsc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
Processes: 6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: msdcsc.exe
  pid | process
  1572 | msdcsc.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: 6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe, msdcsc.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (one IoC per token, 24 IoCs) | 4972 | 6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (one IoC per token, 24 IoCs) | 1572 | msdcsc.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: msdcsc.exe
  pid | process
  1572 | msdcsc.exe
Suspicious use of WriteProcessMemory (37 IoCs)
Processes: 6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe, cmd.exe, cmd.exe, msdcsc.exe
  description | pid | process | target process | occurrences
  PID 4972 wrote to memory of 872 | 4972 | 6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe | cmd.exe | 3
  PID 4972 wrote to memory of 1528 | 4972 | 6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe | cmd.exe | 3
  PID 1528 wrote to memory of 5008 | 1528 | cmd.exe | attrib.exe | 3
  PID 872 wrote to memory of 5084 | 872 | cmd.exe | attrib.exe | 3
  PID 4972 wrote to memory of 1572 | 4972 | 6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe | msdcsc.exe | 3
  PID 1572 wrote to memory of 428 | 1572 | msdcsc.exe | notepad.exe | 22
System policy modification (1 TTP, 3 IoCs)
Processes: msdcsc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe, attrib.exe
  pid | process
  5008 | attrib.exe
  5084 | attrib.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe" +s +h
        - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\attrib.exe
            command line: attrib "C:\Users\Admin\AppData\Local\Temp\6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7.exe" +s +h
            - Sets file to hidden
            - Views/modifies file attributes
      C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\attrib.exe
            command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            - Sets file to hidden
            - Views/modifies file attributes
      C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        - Modifies security service
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
          C:\Windows\SysWOW64\notepad.exe
            command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 756KB
  MD5: fc31e56ab0b5fc0cf54c77018ac02c4f
  SHA1: 960431fb7697fb10d517a0a1eba6e674c2634886
  SHA256: 6c42d09cb956bcc92031f99ab79065c318985fa063ae5eacc07ddbbbe34652f7
  SHA512: 5a78bd769845247154949a3074883920a2ce7eeaff2588ead01054739aba114e5aad9b1571d863dbdb8c0b8cab5df452c30ba3992d1ca95ef578c9a880c139ae
- memory/428-139-0x0000000000000000-mapping.dmp
- memory/872-132-0x0000000000000000-mapping.dmp
- memory/1528-133-0x0000000000000000-mapping.dmp
- memory/1572-136-0x0000000000000000-mapping.dmp
- memory/5008-134-0x0000000000000000-mapping.dmp
- memory/5084-135-0x0000000000000000-mapping.dmp