Analysis
max time kernel: 150s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-08-2022 15:11
Behavioral task behavioral1
Sample: 0x000a000000012314-64.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: 0x000a000000012314-64.exe
Resource: win10v2004-20220812-en
General
Target: 0x000a000000012314-64.exe
Size: 658KB
MD5: d80debf77a79e5d605f91e2a589ea1d5
SHA1: 9a33e569d2b50491dd09f3bebde1e5c11643e60a
SHA256: 5356f94fc2d25126dc80b7552da5c311d90318cb9f89bacf296dee3ce0d26e2f
SHA512: e2b04e4eadef192237011280a6967b9063ca3c605f77a0100119332ca036d56a9e500abd2168a07a5fd9f5a24b35ad3dae45b99fccd716274a6a994b7fc8e1d7
SSDEEP: 12288:S9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h9:+Z1xuVVjfFoynPaVBUR8f+kN10EBH
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: 185.140.53.117:1985
Mutex: DC_MUTEX-QFGHKXR
InstallPath: MSDCSC\msdcsc.exe
gencode: hW0MZpETNScR
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
  0x000a000000012314-64.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
-
Executes dropped EXE (1 IoC)
Processes:
  msdcsc.exe (pid 2876)
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  0x000a000000012314-64.exe: Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  0x000a000000012314-64.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
  msdcsc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes:
  0x000a000000012314-64.exe (pid 3932), tokens adjusted: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  msdcsc.exe (pid 2876), tokens adjusted: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  msdcsc.exe (pid 2876)
-
Suspicious use of WriteProcessMemory (25 IoCs)
Processes:
  PID 3932 (0x000a000000012314-64.exe) wrote to memory of PID 2876 (msdcsc.exe): 3 events
  PID 2876 (msdcsc.exe) wrote to memory of PID 3068 (notepad.exe): 22 events
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\0x000a000000012314-64.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0x000a000000012314-64.exe"
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
-
2. C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (child of 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
   - Executes dropped EXE
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
-
3. C:\Windows\SysWOW64\notepad.exe (child of 2)
   Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize: 658KB
MD5: d80debf77a79e5d605f91e2a589ea1d5
SHA1: 9a33e569d2b50491dd09f3bebde1e5c11643e60a
SHA256: 5356f94fc2d25126dc80b7552da5c311d90318cb9f89bacf296dee3ce0d26e2f
SHA512: e2b04e4eadef192237011280a6967b9063ca3c605f77a0100119332ca036d56a9e500abd2168a07a5fd9f5a24b35ad3dae45b99fccd716274a6a994b7fc8e1d7
-
memory/2876-132-0x0000000000000000-mapping.dmp
-
memory/3068-135-0x0000000000000000-mapping.dmp