Analysis
-
max time kernel
150s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system -
submitted
01-10-2022 23:37
Behavioral task
behavioral1
Sample
cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Resource
win10v2004-20220812-en
General
-
Target
cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
-
Size
658KB
-
MD5
55395ef731c5a631abec11ed0e978470
-
SHA1
f2eea062acb3e4e163f7e9a0051fe22c1d6d198c
-
SHA256
cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77
-
SHA512
887e07ad230bad73ff536bd3b7338cc0639e6241a9b6e5a5dcc4fa17c31fcb0ce153b3e712258a99fe4939fd847782b69a9088334097842b0fab314d7a78057c
-
SSDEEP
12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hg:KZ1xuVVjfFoynPaVBUR8f+kN10EB6
Malware Config
Extracted
darkcomet
Guest16
127.0.0.1:1604
DC_MUTEX-CNLPXW5
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
R7NeeQje4jv6
-
install
true
-
offline_keylogger
true
-
password
159753sa
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
process: cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
-
Executes dropped EXE 1 IoCs
Processes:
process: msdcsc.exe
pid | process
2044 | msdcsc.exe
-
Loads dropped DLL 2 IoCs
Processes:
process: cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
pid | process
1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
processes: cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe, msdcsc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | msdcsc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
process: msdcsc.exe
pid | process
2044 | msdcsc.exe
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
processes: cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe, msdcsc.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeSecurityPrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeTakeOwnershipPrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeLoadDriverPrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeSystemProfilePrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeSystemtimePrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeProfSingleProcessPrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeIncBasePriorityPrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeCreatePagefilePrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeBackupPrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeRestorePrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeShutdownPrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeDebugPrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeSystemEnvironmentPrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeChangeNotifyPrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeRemoteShutdownPrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeUndockPrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeManageVolumePrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeImpersonatePrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeCreateGlobalPrivilege | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: 33 | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: 34 | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: 35 | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Token: SeIncreaseQuotaPrivilege | 2044 | msdcsc.exe
Token: SeSecurityPrivilege | 2044 | msdcsc.exe
Token: SeTakeOwnershipPrivilege | 2044 | msdcsc.exe
Token: SeLoadDriverPrivilege | 2044 | msdcsc.exe
Token: SeSystemProfilePrivilege | 2044 | msdcsc.exe
Token: SeSystemtimePrivilege | 2044 | msdcsc.exe
Token: SeProfSingleProcessPrivilege | 2044 | msdcsc.exe
Token: SeIncBasePriorityPrivilege | 2044 | msdcsc.exe
Token: SeCreatePagefilePrivilege | 2044 | msdcsc.exe
Token: SeBackupPrivilege | 2044 | msdcsc.exe
Token: SeRestorePrivilege | 2044 | msdcsc.exe
Token: SeShutdownPrivilege | 2044 | msdcsc.exe
Token: SeDebugPrivilege | 2044 | msdcsc.exe
Token: SeSystemEnvironmentPrivilege | 2044 | msdcsc.exe
Token: SeChangeNotifyPrivilege | 2044 | msdcsc.exe
Token: SeRemoteShutdownPrivilege | 2044 | msdcsc.exe
Token: SeUndockPrivilege | 2044 | msdcsc.exe
Token: SeManageVolumePrivilege | 2044 | msdcsc.exe
Token: SeImpersonatePrivilege | 2044 | msdcsc.exe
Token: SeCreateGlobalPrivilege | 2044 | msdcsc.exe
Token: 33 | 2044 | msdcsc.exe
Token: 34 | 2044 | msdcsc.exe
Token: 35 | 2044 | msdcsc.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
process: msdcsc.exe
pid | process
2044 | msdcsc.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
processes: cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe, msdcsc.exe
description | pid | process | target process
PID 1204 wrote to memory of 2044 | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe | msdcsc.exe
PID 1204 wrote to memory of 2044 | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe | msdcsc.exe
PID 1204 wrote to memory of 2044 | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe | msdcsc.exe
PID 1204 wrote to memory of 2044 | 1204 | cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe | msdcsc.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
PID 2044 wrote to memory of 588 | 2044 | msdcsc.exe | notepad.exe
Processes
-
Path: C:\Users\Admin\AppData\Local\Temp\cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77.exe"
Tree depth: 1
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Path: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
Tree depth: 2
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Path: C:\Windows\SysWOW64\notepad.exe
Command line: notepad
Tree depth: 3
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize 658KB
MD5 55395ef731c5a631abec11ed0e978470
SHA1 f2eea062acb3e4e163f7e9a0051fe22c1d6d198c
SHA256 cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77
SHA512 887e07ad230bad73ff536bd3b7338cc0639e6241a9b6e5a5dcc4fa17c31fcb0ce153b3e712258a99fe4939fd847782b69a9088334097842b0fab314d7a78057c
-
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize 658KB
MD5 55395ef731c5a631abec11ed0e978470
SHA1 f2eea062acb3e4e163f7e9a0051fe22c1d6d198c
SHA256 cc02982c750629bce6c1cb23eb565495c6823796323c5fd00817273090ea7d77
SHA512 887e07ad230bad73ff536bd3b7338cc0639e6241a9b6e5a5dcc4fa17c31fcb0ce153b3e712258a99fe4939fd847782b69a9088334097842b0fab314d7a78057c
-
memory/588-61-0x0000000000000000-mapping.dmp
-
memory/1204-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp
Filesize 8KB
-
memory/2044-57-0x0000000000000000-mapping.dmp