Analysis

max time kernel: 139s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2022 22:56

Static task: static1

Behavioral task: behavioral1
Sample: 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Resource: win7-20220718-en

Behavioral task: behavioral2
Sample: 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Resource: win10v2004-20220721-en
General

Target: 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Size: 782KB
MD5: 80b7945f8e8fcdd55b75e1473ea4427b
SHA1: 7b233834a7fd5a1263fc354f7e8c2258f5a75e66
SHA256: 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9
SHA512: 0f25181af50d9e7ddfcc734ed876447eeea0f5be4c1dc6fdcd097784673915ce3fb6830ba22a87fc50bff2711af1d3f03d56d2eb1c8c6b78cec5e4291671bc6c
Malware Config

Extracted

Family: darkcomet
Botnet: Hacked
C2: 185.24.233.5:2014
Mutex: DCMIN_MUTEX-FQ792JQ
InstallPath: DCSCMIN\IMDCSC.exe
gencode: z0xXl46NUTbS
install: true
offline_keylogger: true
persistence: false
reg_key: DarkComet RAT
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" | 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe

Executes dropped EXE (2 IoCs)
Processes: IMDCSC.exe, IMDCSC.exe
pid | process
4152 | IMDCSC.exe
1744 | IMDCSC.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" | 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes: 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe, IMDCSC.exe
description | pid | process | target process
PID 4828 set thread context of 2032 | 4828 | 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe | 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
PID 4152 set thread context of 1744 | 4152 | IMDCSC.exe | IMDCSC.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe, IMDCSC.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 IoCs, one per privilege) | 2032 | 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 IoCs, one per privilege) | 1744 | IMDCSC.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe, IMDCSC.exe, IMDCSC.exe
pid | process
4828 | 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
4152 | IMDCSC.exe
1744 | IMDCSC.exe

Suspicious use of WriteProcessMemory (31 IoCs)
Processes: 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe, 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe, IMDCSC.exe
description | pid | process | target process
PID 4828 wrote to memory of 2032 (14 IoCs, identical) | 4828 | 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe | 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
PID 2032 wrote to memory of 4152 (3 IoCs, identical) | 2032 | 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe | IMDCSC.exe
PID 4152 wrote to memory of 1744 (14 IoCs, identical) | 4152 | IMDCSC.exe | IMDCSC.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe"
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
    Command line: "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
      Command line: "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize: 782KB
MD5: 80b7945f8e8fcdd55b75e1473ea4427b
SHA1: 7b233834a7fd5a1263fc354f7e8c2258f5a75e66
SHA256: 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9
SHA512: 0f25181af50d9e7ddfcc734ed876447eeea0f5be4c1dc6fdcd097784673915ce3fb6830ba22a87fc50bff2711af1d3f03d56d2eb1c8c6b78cec5e4291671bc6c
memory/1744-147-0x0000000000000000-mapping.dmp
memory/1744-153-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
memory/1744-152-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
memory/2032-134-0x0000000000000000-mapping.dmp
memory/2032-135-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
memory/2032-136-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
memory/2032-137-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
memory/2032-139-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
memory/4152-140-0x0000000000000000-mapping.dmp
memory/4152-146-0x0000000000400000-0x00000000004BD000-memory.dmp (Filesize: 756KB)
memory/4152-145-0x0000000000400000-0x00000000004BD000-memory.dmp (Filesize: 756KB)
memory/4152-151-0x0000000000400000-0x00000000004BD000-memory.dmp (Filesize: 756KB)
memory/4828-132-0x0000000000400000-0x00000000004BD000-memory.dmp (Filesize: 756KB)
memory/4828-138-0x0000000000400000-0x00000000004BD000-memory.dmp (Filesize: 756KB)
memory/4828-133-0x0000000000400000-0x00000000004BD000-memory.dmp (Filesize: 756KB)