Analysis
max time kernel: 151s
max time network: 152s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 25-07-2022 00:14
Behavioral task: behavioral1
Sample: b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
Resource: win7-20220715-en
General
Target: b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
Size: 658KB
MD5: 012c913e751ab367e15764c21caeda17
SHA1: 2ed45638dd8b9730be7e1e128aad0fd89fe423e2
SHA256: b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415
SHA512: 9a3a8136fcf6d9e30c8d7cc97d1fbe5bbfe4326cc1891232027348666fb89b81c218638e42ded7df294e84a3b85b423c6ee51138d55c89d284d8f3792bc0a514
Malware Config
Extracted
Family: darkcomet
Botnet: Hello
C2: wbbebe.ddns.net:1604
Mutex: DC_MUTEX-LMU8FMS
InstallPath: MSDCSC\svchost.exe
gencode: puGMcKAsuLmD
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\svchost.exe" | b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: iexplore.exe, svchost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | iexplore.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | iexplore.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | iexplore.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | svchost.exe
Modifies security service (2 TTPs, 2 IoCs)
Processes: svchost.exe, iexplore.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | iexplore.exe
Windows security bypass
Processes: svchost.exe, iexplore.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | iexplore.exe
Disables RegEdit via registry modification (2 IoCs)
Processes: svchost.exe, iexplore.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | iexplore.exe
Disables Task Manager via registry modification
Executes dropped EXE (1 IoCs)
Processes: svchost.exe
pid | process
1340 | svchost.exe
Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Loads dropped DLL (2 IoCs)
Processes: b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
pid | process
2020 | b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
2020 | b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
Windows security modification
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svchost.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe, svchost.exe, iexplore.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\svchost.exe" | b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\svchost.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\svchost.exe" | iexplore.exe
Drops file in System32 directory (3 IoCs)
Processes: b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
description | ioc | process
File created | C:\Windows\SysWOW64\MSDCSC\svchost.exe | b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\svchost.exe | b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: svchost.exe
description | pid | process | target process
PID 1340 set thread context of 972 | 1340 | svchost.exe | iexplore.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: iexplore.exe
pid | process
972 | iexplore.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe, svchost.exe, iexplore.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 IoCs) | 2020 | b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 IoCs) | 1340 | svchost.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege (18 IoCs) | 972 | iexplore.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: iexplore.exe
pid | process
972 | iexplore.exe
Suspicious use of WriteProcessMemory (41 IoCs)
Processes: b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe, cmd.exe, svchost.exe, iexplore.exe
description | pid | process | target process
PID 2020 wrote to memory of 832 (4 IoCs) | 2020 | b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe | cmd.exe
PID 832 wrote to memory of 1644 (4 IoCs) | 832 | cmd.exe | attrib.exe
PID 2020 wrote to memory of 1340 (4 IoCs) | 2020 | b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe | svchost.exe
PID 1340 wrote to memory of 972 (6 IoCs) | 1340 | svchost.exe | iexplore.exe
PID 972 wrote to memory of 908 (23 IoCs) | 972 | iexplore.exe | notepad.exe
System policy modification (1 TTPs, 3 IoCs)
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | svchost.exe
Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe" +s +h
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  Level 2: C:\Windows\SysWOW64\MSDCSC\svchost.exe
    Command line: "C:\Windows\system32\MSDCSC\svchost.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    Level 3: C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\notepad.exe
        Command line: notepad
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Windows\SysWOW64\MSDCSC\svchost.exe (listed twice in the report)
  Filesize: 658KB
  MD5: 012c913e751ab367e15764c21caeda17
  SHA1: 2ed45638dd8b9730be7e1e128aad0fd89fe423e2
  SHA256: b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415
  SHA512: 9a3a8136fcf6d9e30c8d7cc97d1fbe5bbfe4326cc1891232027348666fb89b81c218638e42ded7df294e84a3b85b423c6ee51138d55c89d284d8f3792bc0a514
- \Windows\SysWOW64\MSDCSC\svchost.exe (listed twice in the report)
  Filesize: 658KB
  MD5: 012c913e751ab367e15764c21caeda17
  SHA1: 2ed45638dd8b9730be7e1e128aad0fd89fe423e2
  SHA256: b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415
  SHA512: 9a3a8136fcf6d9e30c8d7cc97d1fbe5bbfe4326cc1891232027348666fb89b81c218638e42ded7df294e84a3b85b423c6ee51138d55c89d284d8f3792bc0a514
- memory/832-55-0x0000000000000000-mapping.dmp
- memory/908-63-0x0000000000000000-mapping.dmp
- memory/1340-59-0x0000000000000000-mapping.dmp
- memory/1644-56-0x0000000000000000-mapping.dmp
- memory/2020-54-0x0000000076771000-0x0000000076773000-memory.dmp
  Filesize: 8KB