Analysis
- max time kernel: 152s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-10-2022 12:41
Behavioral task
- behavioral1
- Sample: a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
- Resource: win7-20220812-en
General
- Target: a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
- Size: 377KB
- MD5: 6feaab979663244eca21c62008b09202
- SHA1: 89da90563896e8af51b1613b7848db8af17ae615
- SHA256: a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79
- SHA512: c3aebe6cb7a9f2c8a6069953d68a31e2e40ce007ef2a0f3bf94cd2ffb107d46d16ce281a8127d8661e778eeccfab47096839c9053f178815cd142ac3a60b6a4a
- SSDEEP: 6144:IcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37mO4EqXoetQGqvvoB:IcW7KEZlPzCy37mO4iGqvw
Malware Config
Extracted
- darkcomet
- Guest16
- 192.168.0.210:1604
- DC_MUTEX-JNPFFAB
- InstallPath: MSDCSC\msdcsc.exe
- gencode: asWjgGEaR2qG
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
-
Executes dropped EXE (1 IoC)
Processes:
- PID 1100: msdcsc.exe
-
Processes:
- behavioral2/memory/1676-132-0x0000000000400000-0x00000000004DF000-memory.dmp: yara rule upx
- behavioral2/memory/1676-133-0x0000000000400000-0x00000000004DF000-memory.dmp: yara rule upx
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe: yara rule upx
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe: yara rule upx
- behavioral2/memory/1100-138-0x0000000000400000-0x00000000004DF000-memory.dmp: yara rule upx
- behavioral2/memory/1676-139-0x0000000000400000-0x00000000004DF000-memory.dmp: yara rule upx
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe: Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class (1 IoC)
Processes:
- a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
-
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
- PID 1676 (a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe) adjusted tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
- PID 1676 (a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe) wrote to memory of PID 1100 (msdcsc.exe)
- PID 1676 (a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe) wrote to memory of PID 1100 (msdcsc.exe)
- PID 1676 (a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe) wrote to memory of PID 1100 (msdcsc.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (depth 2, child of the process above)
Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\jI82l\PCGWIN32.LI5
- Filesize: 2KB
- MD5: c0623cf06a5fb615d72064c320c990ef
- SHA1: 11940e7f73bf9a2864d046bd719c66211a810196
- SHA256: 1fbfcb960a9606bc3cab19cf90045c3035d77d676e835eec659dce3df24512e1
- SHA512: 85972333bce830fa8c32bbd5bc4bc4ffdde0bd536ba97968d3494aac8e6e48af99dbf6a9932130c36304d081626d0eca1059f5521305331034ec062bdf6c6a72
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
- Filesize: 377KB
- MD5: 6feaab979663244eca21c62008b09202
- SHA1: 89da90563896e8af51b1613b7848db8af17ae615
- SHA256: a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79
- SHA512: c3aebe6cb7a9f2c8a6069953d68a31e2e40ce007ef2a0f3bf94cd2ffb107d46d16ce281a8127d8661e778eeccfab47096839c9053f178815cd142ac3a60b6a4a
-
memory/1100-134-0x0000000000000000-mapping.dmp
-
memory/1100-138-0x0000000000400000-0x00000000004DF000-memory.dmp
- Filesize: 892KB
-
memory/1676-132-0x0000000000400000-0x00000000004DF000-memory.dmp
- Filesize: 892KB
-
memory/1676-133-0x0000000000400000-0x00000000004DF000-memory.dmp
- Filesize: 892KB
-
memory/1676-139-0x0000000000400000-0x00000000004DF000-memory.dmp
- Filesize: 892KB