Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-10-2022 23:38
Behavioral task: behavioral1
- Sample: 242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe
- Resource: win7-20220901-en
General
- Target: 242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe
- Size: 1.3MB
- MD5: 65335c3362c2a5af1662e5d596e812c0
- SHA1: 49d54432fc1691d0f6b477e7c4ccc4162ea6bd41
- SHA256: 242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21
- SHA512: 043828beaffc5e73707021320877e65dc26b4d7957702f855241ed777087dd8c608af71f14a5d4c4d5ff3229c42a4ab831bc2310c5f6bf6a7452d697783bd7f4
- SSDEEP: 24576:xQtAJH+PECTpJzNYDoKVf7LtxBezzJ34GAx+0QRWoJEfg0oChGdJQbjPbNW5tYeH:+SH+PECTpJzNYDnVjLtxclmJQRV2o3Mj
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: herorivals.ddns.net:1604
- C2: herorivals.ddns.net:1605
- Mutex: DC_MUTEX-F54S21D
- InstallPath: MSDCSC\msdcsc.exe
- gencode: jZMx1931CGta
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: Microsoft
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: systeminf2.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (systeminf2.exe)
Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: iexplore.exe, msdcsc.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (iexplore.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (msdcsc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (iexplore.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (iexplore.exe)
Modifies security service (2 TTPs, 2 IoCs)
Processes: iexplore.exe, msdcsc.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (iexplore.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (msdcsc.exe)
Windows security bypass (4 IoCs)
Processes: iexplore.exe, msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (iexplore.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (iexplore.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)
Executes dropped EXE (3 IoCs)
Processes: systeminf1.exe, systeminf2.exe, msdcsc.exe
- PID 3752: systeminf1.exe
- PID 1392: systeminf2.exe
- PID 1820: msdcsc.exe
Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
- PID 5072: attrib.exe
- PID 4320: attrib.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: systeminf2.exe, 242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (systeminf2.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe)
Windows security modification (2 IoCs)
Processes: msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: systeminf2.exe, msdcsc.exe, iexplore.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (systeminf2.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (msdcsc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (iexplore.exe)
Drops file in System32 directory (3 IoCs)
Processes: 242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe, attrib.exe
- File created: C:\Windows\SysWOW64\systeminf1.exe (242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe)
- File created: C:\Windows\SysWOW64\systeminf2.exe (242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe)
- File opened for modification: C:\Windows\SysWOW64\systeminf2.exe (attrib.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes: msdcsc.exe
- PID 1820 (msdcsc.exe) set thread context of PID 4160 (iexplore.exe)
Drops file in Windows directory (1 IoCs)
Processes: attrib.exe
- File opened for modification: C:\Windows\SysWOW64 (attrib.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
Processes: systeminf2.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (systeminf2.exe)
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: systeminf2.exe, msdcsc.exe, iexplore.exe
- PID 1392 (systeminf2.exe), 24 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 1820 (msdcsc.exe), 24 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 4160 (iexplore.exe), 16 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: iexplore.exe
- PID 4160: iexplore.exe
Suspicious use of WriteProcessMemory (31 IoCs)
Processes: 242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe, systeminf2.exe, cmd.exe, cmd.exe, cmd.exe, msdcsc.exe
- PID 4744 (242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe) wrote to memory of PID 3752 (systeminf1.exe), 2 entries
- PID 4744 (242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe) wrote to memory of PID 1392 (systeminf2.exe), 3 entries
- PID 1392 (systeminf2.exe) wrote to memory of PID 2468 (cmd.exe), 3 entries
- PID 1392 (systeminf2.exe) wrote to memory of PID 4868 (cmd.exe), 3 entries
- PID 1392 (systeminf2.exe) wrote to memory of PID 2856 (cmd.exe), 3 entries
- PID 2468 (cmd.exe) wrote to memory of PID 5072 (attrib.exe), 3 entries
- PID 4868 (cmd.exe) wrote to memory of PID 4320 (attrib.exe), 3 entries
- PID 2856 (cmd.exe) wrote to memory of PID 3552 (PING.EXE), 3 entries
- PID 1392 (systeminf2.exe) wrote to memory of PID 1820 (msdcsc.exe), 3 entries
- PID 1820 (msdcsc.exe) wrote to memory of PID 4160 (iexplore.exe), 5 entries
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes: attrib.exe, attrib.exe
- PID 5072: attrib.exe
- PID 4320: attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\systeminf1.exe
    Command line: "C:\Windows\system32\systeminf1.exe"
    - Executes dropped EXE
  - C:\Windows\SysWOW64\systeminf2.exe
    Command line: "C:\Windows\system32\systeminf2.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\systeminf2.exe" +s +h
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\SysWOW64\systeminf2.exe" +s +h
        - Sets file to hidden
        - Drops file in System32 directory
        - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\SysWOW64" +s +h
        - Sets file to hidden
        - Drops file in Windows directory
        - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\systeminf2.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 4
        - Runs ping.exe
    - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        - Modifies firewall policy service
        - Modifies security service
        - Windows security bypass
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 650KB
  MD5: 552473949ab5541cf86c13a5d0687ccf
  SHA1: 38c1a2f1bdb20e810a827201531748ec22f9f021
  SHA256: fab5a805543b152f3cca1a3096d95003cc434897eeebe50520fa304ae114b124
  SHA512: 8ff686d433a34de9fb56c01c71255b698be635e5994a8565130e1ab6566019f4e093f92e4bfc287abc842aca5a8ab7d6aac272760cacc8e84a3767f85e132619
- C:\Windows\SysWOW64\systeminf1.exe
  Filesize: 94KB
  MD5: 8f6ee86140c12ebc9d2b640112db78a4
  SHA1: 5c9af3a3df26b7129649d0961895bf6f58e6e265
  SHA256: fdad7fe01215afeb8aff1a74c9c69f34ac5fcddc622da622591ce42825f84bde
  SHA512: 5091ff6f7befdccebaa31ff1da79299460aa9a919cc51bd48cd24e8ddb8f7eed165ae032c70f30897cdae3da9a1fec99d502fbe526d8a890887119acf387362f
- C:\Windows\SysWOW64\systeminf2.exe
  Filesize: 650KB
  MD5: 552473949ab5541cf86c13a5d0687ccf
  SHA1: 38c1a2f1bdb20e810a827201531748ec22f9f021
  SHA256: fab5a805543b152f3cca1a3096d95003cc434897eeebe50520fa304ae114b124
  SHA512: 8ff686d433a34de9fb56c01c71255b698be635e5994a8565130e1ab6566019f4e093f92e4bfc287abc842aca5a8ab7d6aac272760cacc8e84a3767f85e132619
- memory/1392-135-0x0000000000000000-mapping.dmp
- memory/1820-146-0x0000000000000000-mapping.dmp
- memory/2468-139-0x0000000000000000-mapping.dmp
- memory/2856-141-0x0000000000000000-mapping.dmp
- memory/3552-144-0x0000000000000000-mapping.dmp
- memory/3752-132-0x0000000000000000-mapping.dmp
- memory/3752-145-0x00007FFF78560000-0x00007FFF79021000-memory.dmp (Filesize: 10.8MB)
- memory/3752-138-0x0000000000E00000-0x0000000000E1E000-memory.dmp (Filesize: 120KB)
- memory/3752-149-0x00007FFF78560000-0x00007FFF79021000-memory.dmp (Filesize: 10.8MB)
- memory/4320-143-0x0000000000000000-mapping.dmp
- memory/4868-140-0x0000000000000000-mapping.dmp
- memory/5072-142-0x0000000000000000-mapping.dmp