Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 01-10-2022 23:39

Behavioral task: behavioral1
- Sample: 77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
- Resource: win7-20220901-en
General
- Target: 77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
- Size: 392KB
- MD5: 78015ac78c3ad87fdadd6ed4488c4ac0
- SHA1: 0c4219868261b460dc4f126bd796f96e8b23e770
- SHA256: 77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d
- SHA512: 0d1aa3696cc03b795a954fd04e5ab13762c17d02222f2a49d6ec94873ce3ea5a53ccddf78b5f18662eae0a535754e50d8998e54b4877136285a356832c53fecf
- SSDEEP: 6144:pcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37UMEFhG9KOUH0c7FT8EXN3BsV/0:pcW7KEZlPzCy37T0GEtD7FB3B
Malware Config
Extracted
- Family: darkcomet
- Campaign ID: Guest16
- C2: hack6969.zapto.org:1604, Btrev.ddns.net:1336
- Mutex: DC_MUTEX-N1UFMN8
- InstallPath: MSDCSC\svchost.exe
- gencode: 3396looGFZlq
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: 77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\svchost.exe" (process: 77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe)
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 544: AMIGO DO CS.EXE
  - PID 860: svchost.exe
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes:
  - PID 520: attrib.exe
  - PID 1916: attrib.exe
- Resources matching yara rule "upx":
  - behavioral1/memory/960-62-0x0000000000400000-0x00000000004DB000-memory.dmp
  - \ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe
  - C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe
  - behavioral1/memory/860-72-0x0000000000400000-0x00000000004DB000-memory.dmp
  - behavioral1/memory/960-73-0x0000000000400000-0x00000000004DB000-memory.dmp
  - behavioral1/memory/860-74-0x0000000000400000-0x00000000004DB000-memory.dmp
- Loads dropped DLL (3 IoCs)
  Processes:
  - PID 960: 77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe (3 occurrences)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe, svchost.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\svchost.exe" (process: 77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\svchost.exe" (process: svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  - PID 544: AMIGO DO CS.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - PID 860: svchost.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: 77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe, svchost.exe
  - PID 960 (77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe) adjusted tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  - PID 860 (svchost.exe) adjusted tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - PID 860: svchost.exe
- Suspicious use of WriteProcessMemory (47 IoCs)
  Processes: 77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe, cmd.exe, cmd.exe, svchost.exe
  - PID 960 (77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe) wrote to memory of PID 1868 (cmd.exe): 4 times
  - PID 960 (77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe) wrote to memory of PID 1760 (cmd.exe): 4 times
  - PID 960 (77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe) wrote to memory of PID 544 (AMIGO DO CS.EXE): 4 times
  - PID 1868 (cmd.exe) wrote to memory of PID 520 (attrib.exe): 4 times
  - PID 1760 (cmd.exe) wrote to memory of PID 1916 (attrib.exe): 4 times
  - PID 960 (77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe) wrote to memory of PID 860 (svchost.exe): 4 times
  - PID 860 (svchost.exe) wrote to memory of PID 1040 (notepad.exe): 23 times
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes:
  - PID 520: attrib.exe
  - PID 1916: attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Users\Admin\AppData\Local\Temp\AMIGO DO CS.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\AMIGO DO CS.EXE"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe
    Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe
  Filesize: 392KB
  MD5: 78015ac78c3ad87fdadd6ed4488c4ac0
  SHA1: 0c4219868261b460dc4f126bd796f96e8b23e770
  SHA256: 77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d
  SHA512: 0d1aa3696cc03b795a954fd04e5ab13762c17d02222f2a49d6ec94873ce3ea5a53ccddf78b5f18662eae0a535754e50d8998e54b4877136285a356832c53fecf
- C:\Users\Admin\AppData\Local\Temp\AMIGO DO CS.EXE
  Filesize: 144KB
  MD5: a93149d40e9107d7fcbc61b561643fdb
  SHA1: e344cb449844e3e218c264ae6a41d2d01cea8917
  SHA256: 616f7b59e63ec6cb84f3c1f037673681fd367046d37292749a4da119cdeb3a87
  SHA512: 3965226d540b9f9b0a00dab9397a7dca7ba35949d2e987a60d7eb25c7e6a21c09102c1e33c6d0c7eb242234b21e500165eb7b7de62e9e52f7bdebd35b41b1f6a
- \ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe
  Filesize: 392KB
  MD5: 78015ac78c3ad87fdadd6ed4488c4ac0
  SHA1: 0c4219868261b460dc4f126bd796f96e8b23e770
  SHA256: 77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d
  SHA512: 0d1aa3696cc03b795a954fd04e5ab13762c17d02222f2a49d6ec94873ce3ea5a53ccddf78b5f18662eae0a535754e50d8998e54b4877136285a356832c53fecf
- \Users\Admin\AppData\Local\Temp\AMIGO DO CS.EXE
  Filesize: 144KB
  MD5: a93149d40e9107d7fcbc61b561643fdb
  SHA1: e344cb449844e3e218c264ae6a41d2d01cea8917
  SHA256: 616f7b59e63ec6cb84f3c1f037673681fd367046d37292749a4da119cdeb3a87
  SHA512: 3965226d540b9f9b0a00dab9397a7dca7ba35949d2e987a60d7eb25c7e6a21c09102c1e33c6d0c7eb242234b21e500165eb7b7de62e9e52f7bdebd35b41b1f6a
Memory dumps
- memory/520-60-0x0000000000000000-mapping.dmp
- memory/544-58-0x0000000000000000-mapping.dmp
- memory/860-74-0x0000000000400000-0x00000000004DB000-memory.dmp (Filesize: 876KB)
- memory/860-72-0x0000000000400000-0x00000000004DB000-memory.dmp (Filesize: 876KB)
- memory/860-65-0x0000000000000000-mapping.dmp
- memory/960-71-0x0000000005030000-0x000000000510B000-memory.dmp (Filesize: 876KB)
- memory/960-62-0x0000000000400000-0x00000000004DB000-memory.dmp (Filesize: 876KB)
- memory/960-73-0x0000000000400000-0x00000000004DB000-memory.dmp (Filesize: 876KB)
- memory/960-54-0x00000000757A1000-0x00000000757A3000-memory.dmp (Filesize: 8KB)
- memory/1040-69-0x0000000000000000-mapping.dmp
- memory/1760-56-0x0000000000000000-mapping.dmp
- memory/1868-55-0x0000000000000000-mapping.dmp
- memory/1916-61-0x0000000000000000-mapping.dmp