Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2022 00:14
Behavioral task: behavioral1
- Sample: 6aa1714aa9ab2d0cefb5f8ee9dfa78850fd3dbe32ac9d7b8db0ab0cfaf687a90.exe
- Resource: win7-20220718-en
General
- Target: 6aa1714aa9ab2d0cefb5f8ee9dfa78850fd3dbe32ac9d7b8db0ab0cfaf687a90.exe
- Size: 283KB
- MD5: ebf9b9aa46566390172fc9929cd2fc14
- SHA1: 0673fbd0e76b828cae642eee449a7cb3745ca250
- SHA256: 6aa1714aa9ab2d0cefb5f8ee9dfa78850fd3dbe32ac9d7b8db0ab0cfaf687a90
- SHA512: 5c5d6d7b1b4044a8fac3ce1a7b11b066743b4f681050f6965cbb0cb58b9fff183538b172a82f6c7daa1b7ac4f98059b564d4461f5a173544af17cab3fb182fa5
Malware Config
Extracted (family: darkcomet)
- Guest16
- C2: sms4kaka.hopto.org:5555
- Mutex: DC_MUTEX-592DL0X
- InstallPath: MSDCSC\msdcsc.exe
- gencode: MuNYS9T6SHPe
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- 6aa1714aa9ab2d0cefb5f8ee9dfa78850fd3dbe32ac9d7b8db0ab0cfaf687a90.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes:
- msdcsc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"

Disables RegEdit via registry modification (1 IoC)
Processes:
- msdcsc.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Disables Task Manager via registry modification

Executes dropped EXE (1 IoC)
Processes:
- msdcsc.exe (PID 4532)

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
- attrib.exe (PID 3984)
- attrib.exe (PID 3440)

Processes (yara_rule matches per resource):
- behavioral2/memory/2292-130-0x0000000000400000-0x00000000004C7000-memory.dmp: upx
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe: upx
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe: upx
- behavioral2/memory/4532-139-0x0000000000400000-0x00000000004C7000-memory.dmp: upx
- behavioral2/memory/2292-140-0x0000000000400000-0x00000000004C7000-memory.dmp: upx
- behavioral2/memory/4532-141-0x0000000000400000-0x00000000004C7000-memory.dmp: upx

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- 6aa1714aa9ab2d0cefb5f8ee9dfa78850fd3dbe32ac9d7b8db0ab0cfaf687a90.exe: Key value queried \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- 6aa1714aa9ab2d0cefb5f8ee9dfa78850fd3dbe32ac9d7b8db0ab0cfaf687a90.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
Processes:
- 6aa1714aa9ab2d0cefb5f8ee9dfa78850fd3dbe32ac9d7b8db0ab0cfaf687a90.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- msdcsc.exe (PID 4532)

Suspicious use of AdjustPrivilegeToken (48 IoCs)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- msdcsc.exe (PID 4532)

Suspicious use of WriteProcessMemory (37 IoCs)

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
- attrib.exe (PID 3984)
- attrib.exe (PID 3440)
Processes (process tree; [n] is the depth level)

[1] C:\Users\Admin\AppData\Local\Temp\6aa1714aa9ab2d0cefb5f8ee9dfa78850fd3dbe32ac9d7b8db0ab0cfaf687a90.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6aa1714aa9ab2d0cefb5f8ee9dfa78850fd3dbe32ac9d7b8db0ab0cfaf687a90.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\6aa1714aa9ab2d0cefb5f8ee9dfa78850fd3dbe32ac9d7b8db0ab0cfaf687a90.exe" +s +h
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Local\Temp\6aa1714aa9ab2d0cefb5f8ee9dfa78850fd3dbe32ac9d7b8db0ab0cfaf687a90.exe" +s +h
            - Sets file to hidden
            - Views/modifies file attributes

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            - Sets file to hidden
            - Views/modifies file attributes

    [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        - Modifies firewall policy service
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\notepad.exe
            Command line: notepad
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 283KB
  MD5: ebf9b9aa46566390172fc9929cd2fc14
  SHA1: 0673fbd0e76b828cae642eee449a7cb3745ca250
  SHA256: 6aa1714aa9ab2d0cefb5f8ee9dfa78850fd3dbe32ac9d7b8db0ab0cfaf687a90
  SHA512: 5c5d6d7b1b4044a8fac3ce1a7b11b066743b4f681050f6965cbb0cb58b9fff183538b172a82f6c7daa1b7ac4f98059b564d4461f5a173544af17cab3fb182fa5
- memory/2292-130-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/2292-140-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/3440-134-0x0000000000000000-mapping.dmp
- memory/3984-133-0x0000000000000000-mapping.dmp
- memory/4008-132-0x0000000000000000-mapping.dmp
- memory/4292-138-0x0000000000000000-mapping.dmp
- memory/4532-135-0x0000000000000000-mapping.dmp
- memory/4532-139-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/4532-141-0x0000000000400000-0x00000000004C7000-memory.dmp (Filesize: 796KB)
- memory/4556-131-0x0000000000000000-mapping.dmp