Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220721-en locale:en-us os:windows10-2004-x64 system -
submitted
25-07-2022 00:14
Behavioral task
behavioral1
Sample
b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
Resource
win7-20220715-en
General
-
Target
b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
-
Size
658KB
-
MD5
012c913e751ab367e15764c21caeda17
-
SHA1
2ed45638dd8b9730be7e1e128aad0fd89fe423e2
-
SHA256
b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415
-
SHA512
9a3a8136fcf6d9e30c8d7cc97d1fbe5bbfe4326cc1891232027348666fb89b81c218638e42ded7df294e84a3b85b423c6ee51138d55c89d284d8f3792bc0a514
Malware Config
Extracted
darkcomet
Hello
wbbebe.ddns.net:1604
DC_MUTEX-LMU8FMS
-
InstallPath
MSDCSC\svchost.exe
-
gencode
puGMcKAsuLmD
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\svchost.exe" | b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: svchost.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | svchost.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | svchost.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | svchost.exe
-
Modifies security service 2 TTPs 1 IoCs
Processes: svchost.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | svchost.exe
-
Processes: svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svchost.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes: svchost.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | svchost.exe
-
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
Processes: svchost.exe
  pid | process
  1508 | svchost.exe
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
-
Processes: svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svchost.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe, svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\svchost.exe" | b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\svchost.exe" | svchost.exe
-
Drops file in System32 directory 3 IoCs
Processes: b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\MSDCSC\svchost.exe | b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
  File opened for modification | C:\Windows\SysWOW64\MSDCSC\svchost.exe | b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
  File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes: b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: svchost.exe
  pid | process
  1508 | svchost.exe
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes: b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe, svchost.exe
  description | pid | process
  PID 3584 (b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe), 24 token adjustments:
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 1508 (svchost.exe), 24 token adjustments:
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: svchost.exe
  pid | process
  1508 | svchost.exe
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes: b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe, cmd.exe, svchost.exe
  description | pid | process | target process
  PID 3584 wrote to memory of 4552 | 3584 | b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe | cmd.exe (3 entries)
  PID 4552 wrote to memory of 892 | 4552 | cmd.exe | attrib.exe (3 entries)
  PID 3584 wrote to memory of 1508 | 3584 | b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe | svchost.exe (3 entries)
  PID 1508 wrote to memory of 3404 | 1508 | svchost.exe | iexplore.exe (3 entries)
  PID 1508 wrote to memory of 1044 | 1508 | svchost.exe | explorer.exe (2 entries)
  PID 1508 wrote to memory of 2712 | 1508 | svchost.exe | notepad.exe (22 entries)
-
System policy modification 1 TTPs 3 IoCs
Processes: svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | svchost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | svchost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | svchost.exe
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe" +s +h
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  Level 2: C:\Windows\SysWOW64\MSDCSC\svchost.exe
    Command line: "C:\Windows\system32\MSDCSC\svchost.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    Level 3: C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    Level 3: C:\Windows\explorer.exe
      Command line: "C:\Windows\explorer.exe"
    Level 3: C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\SysWOW64\MSDCSC\svchost.exe
Filesize 658KB
MD5 012c913e751ab367e15764c21caeda17
SHA1 2ed45638dd8b9730be7e1e128aad0fd89fe423e2
SHA256 b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415
SHA512 9a3a8136fcf6d9e30c8d7cc97d1fbe5bbfe4326cc1891232027348666fb89b81c218638e42ded7df294e84a3b85b423c6ee51138d55c89d284d8f3792bc0a514
-
C:\Windows\SysWOW64\MSDCSC\svchost.exe
Filesize 658KB
MD5 012c913e751ab367e15764c21caeda17
SHA1 2ed45638dd8b9730be7e1e128aad0fd89fe423e2
SHA256 b22b2d1e592b4a7af634805a398222af210b9e3a35b6e2d90ae7ba53cda7d415
SHA512 9a3a8136fcf6d9e30c8d7cc97d1fbe5bbfe4326cc1891232027348666fb89b81c218638e42ded7df294e84a3b85b423c6ee51138d55c89d284d8f3792bc0a514
-
memory/892-132-0x0000000000000000-mapping.dmp
-
memory/1044-136-0x0000000000000000-mapping.dmp
-
memory/1508-133-0x0000000000000000-mapping.dmp
-
memory/2712-137-0x0000000000000000-mapping.dmp
-
memory/4552-131-0x0000000000000000-mapping.dmp