Analysis

- max time kernel: 152s
- max time network: 43s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 25-07-2022 04:33
Behavioral task: behavioral1
Sample: b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Resource: win7-20220715-en
General

- Target: b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
- Size: 659KB
- MD5: ab9f0ba9e9a9f560b1a751753bbda072
- SHA1: ab74ddcb47d0f2380f8d6f7033946a0efb57ef05
- SHA256: b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733
- SHA512: 86468ae3ea2011aa41ee195e4e3afb5775ddaf346987a9c799e61d5efbc9eea31aab442310417bbbbd1a31fe7cf93d49397ec8f85c732b920c110ad64556114c
Malware Config

Extracted

- Family: darkcomet
- Botnet: Guest16
- C2: dark666.ddns.net:4404
- Mutex: DC_MUTEX-JEQGQ39

Attributes

- InstallPath: MSDCSC\svchost.exe
- gencode: sfuC1uourBRa
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: svchost
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\svchost.exe"
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes:
- svchost.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- svchost.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- svchost.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
Disables RegEdit via registry modification (1 IoC)
Processes:
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Executes dropped EXE (1 IoC)
Processes:
- svchost.exe (PID 1820)
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
- attrib.exe (PID 1640)
- attrib.exe (PID 1304)
Loads dropped DLL (2 IoCs)
Processes:
- b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe (PID 1480)
- b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe (PID 1480)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe: Set value (str) \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\svchost.exe"
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- svchost.exe (PID 1820)
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes:
- b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe (PID 1480), 23 token adjustments: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- svchost.exe (PID 1820), 23 token adjustments: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- svchost.exe (PID 1820)
Suspicious use of WriteProcessMemory (43 IoCs)
Processes (source PID / source process -> target PID / target process, number of writes):
- PID 1480 b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe -> PID 1736 cmd.exe (4 writes)
- PID 1480 b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe -> PID 900 cmd.exe (4 writes)
- PID 900 cmd.exe -> PID 1304 attrib.exe (4 writes)
- PID 1736 cmd.exe -> PID 1640 attrib.exe (4 writes)
- PID 1480 b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe -> PID 1820 svchost.exe (4 writes)
- PID 1820 svchost.exe -> PID 1828 notepad.exe (23 writes)
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
- attrib.exe (PID 1304)
- attrib.exe (PID 1640)
Processes

- C:\Users\Admin\AppData\Local\Temp\b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe" +s +h
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes

  - C:\Users\Admin\AppData\Local\Temp\MSDCSC\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\svchost.exe"
    - Modifies firewall policy service
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\MSDCSC\svchost.exe
  Filesize: 659KB
  MD5: ab9f0ba9e9a9f560b1a751753bbda072
  SHA1: ab74ddcb47d0f2380f8d6f7033946a0efb57ef05
  SHA256: b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733
  SHA512: 86468ae3ea2011aa41ee195e4e3afb5775ddaf346987a9c799e61d5efbc9eea31aab442310417bbbbd1a31fe7cf93d49397ec8f85c732b920c110ad64556114c

- \Users\Admin\AppData\Local\Temp\MSDCSC\svchost.exe
  Filesize: 659KB
  MD5: ab9f0ba9e9a9f560b1a751753bbda072
  SHA1: ab74ddcb47d0f2380f8d6f7033946a0efb57ef05
  SHA256: b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733
  SHA512: 86468ae3ea2011aa41ee195e4e3afb5775ddaf346987a9c799e61d5efbc9eea31aab442310417bbbbd1a31fe7cf93d49397ec8f85c732b920c110ad64556114c
- memory/900-56-0x0000000000000000-mapping.dmp
- memory/1304-57-0x0000000000000000-mapping.dmp
- memory/1480-54-0x0000000076311000-0x0000000076313000-memory.dmp (Filesize: 8KB)
- memory/1640-58-0x0000000000000000-mapping.dmp
- memory/1736-55-0x0000000000000000-mapping.dmp
- memory/1820-61-0x0000000000000000-mapping.dmp
- memory/1828-65-0x0000000000000000-mapping.dmp