Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-10-2022 23:38

Behavioral task: behavioral1
Sample: 0eb8729d5cfe37d6e743fff9a26e81d8aa7124390154ad8aca2657d320330cee.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 0eb8729d5cfe37d6e743fff9a26e81d8aa7124390154ad8aca2657d320330cee.exe
Resource: win10v2004-20220901-en
General
Target: 0eb8729d5cfe37d6e743fff9a26e81d8aa7124390154ad8aca2657d320330cee.exe
Size: 658KB
MD5: 640b21a6983119ba8261bf9db1e07a10
SHA1: 103ab193eeafeb5213bc1a94905090b76afaae77
SHA256: 0eb8729d5cfe37d6e743fff9a26e81d8aa7124390154ad8aca2657d320330cee
SHA512: bd7a094e825ef01d2caa9ab4b9748015e9706c3d415b108c2d2e72d46a92009df2d24eee4ec73b5d7923c3f01499622d93debdd097a551a1164d318d2dd85f91
SSDEEP: 12288:S9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h9:+Z1xuVVjfFoynPaVBUR8f+kN10EB7
Malware Config
Extracted (family): darkcomet
Guest16
91.109.23.72:1604
DC_MUTEX-HQVMJBC
InstallPath: MSDCSC\msdcsc.exe
gencode: 2nMa4dc9PktF
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: 0eb8729d5cfe37d6e743fff9a26e81d8aa7124390154ad8aca2657d320330cee.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Executes dropped EXE (1 IoC)
Process: msdcsc.exe (PID 3076)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process: 0eb8729d5cfe37d6e743fff9a26e81d8aa7124390154ad8aca2657d320330cee.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: 0eb8729d5cfe37d6e743fff9a26e81d8aa7124390154ad8aca2657d320330cee.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
Process: msdcsc.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: msdcsc.exe (PID 3076)

Suspicious use of AdjustPrivilegeToken (48 IoCs)
Process: 0eb8729d5cfe37d6e743fff9a26e81d8aa7124390154ad8aca2657d320330cee.exe (PID 3476)
  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Process: msdcsc.exe (PID 3076)
  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
Process: msdcsc.exe (PID 3076)

Suspicious use of WriteProcessMemory (25 IoCs)
PID 3476 (0eb8729d5cfe37d6e743fff9a26e81d8aa7124390154ad8aca2657d320330cee.exe) wrote to memory of PID 3076 (msdcsc.exe): 3 entries
PID 3076 (msdcsc.exe) wrote to memory of PID 4420 (notepad.exe): 22 entries
Processes

1. C:\Users\Admin\AppData\Local\Temp\0eb8729d5cfe37d6e743fff9a26e81d8aa7124390154ad8aca2657d320330cee.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0eb8729d5cfe37d6e743fff9a26e81d8aa7124390154ad8aca2657d320330cee.exe"
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

2. (child of 1) C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
   Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
   - Executes dropped EXE
   - Adds Run key to start application
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

3. (child of 2) C:\Windows\SysWOW64\notepad.exe
   Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize: 658KB
MD5: 640b21a6983119ba8261bf9db1e07a10
SHA1: 103ab193eeafeb5213bc1a94905090b76afaae77
SHA256: 0eb8729d5cfe37d6e743fff9a26e81d8aa7124390154ad8aca2657d320330cee
SHA512: bd7a094e825ef01d2caa9ab4b9748015e9706c3d415b108c2d2e72d46a92009df2d24eee4ec73b5d7923c3f01499622d93debdd097a551a1164d318d2dd85f91

Memory dumps:
- memory/3076-132-0x0000000000000000-mapping.dmp
- memory/4420-135-0x0000000000000000-mapping.dmp