Analysis
max time kernel: 151s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2022 02:17
Static task: static1
Behavioral task: behavioral1
  Sample: f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe
  Resource: win10v2004-20220812-en
General
Target: f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe
Size: 887KB
MD5: 6e91f9d1c4b9fcf81c4a30e99358fde0
SHA1: 4eeaf371809f8078e7ed0dc18e196e72c505f871
SHA256: f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24
SHA512: b462cd0cd1d42a7081f254a118f75b58fab8750fd2348155eb04ba932274715899615bf05f8e0e923bb9abe02041ee582158c1e77e8c2df8d9efbd25fc00c3fe
SSDEEP: 12288:HWzsaCUc+TcN09kaTUfucrmdztxZcSHg0yJnsumdjANlKk1F:2zs1wmaTU4dRxvgTJsjViB
Malware Config
Extracted
Family: darkcomet
Campaign ID: Guest16
C2: hackdarkcomet.ddns.net:1604
Mutex: DC_MUTEX-BRR8PJY
Attributes:
  InstallPath: MSDCSC\msdcsc.exe
  gencode: PglT1bwfgHY5
  install: true
  offline_keylogger: true
  persistence: false
  reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"

Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process: msdcsc.exe
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"

Executes dropped EXE (2 IoCs)
  PID 1212: msdcsc.exe
  PID 1788: msdcsc.exe

YARA rule match: upx (7 memory resources)
  behavioral1/memory/2040-55-0x0000000000400000-0x00000000004BE000-memory.dmp
  behavioral1/memory/2040-57-0x0000000000400000-0x00000000004BE000-memory.dmp
  behavioral1/memory/2040-59-0x0000000000400000-0x00000000004BE000-memory.dmp
  behavioral1/memory/2040-61-0x0000000000400000-0x00000000004BE000-memory.dmp
  behavioral1/memory/2040-62-0x0000000000400000-0x00000000004BE000-memory.dmp
  behavioral1/memory/1788-77-0x0000000000400000-0x00000000004BE000-memory.dmp
  behavioral1/memory/1788-78-0x0000000000400000-0x00000000004BE000-memory.dmp

Loads dropped DLL (2 IoCs)
  PID 2040: f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe (2 entries)

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"

Suspicious use of SetThreadContext (2 IoCs)
  PID 1932 (f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe) set thread context of PID 2040 (f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe)
  PID 1212 (msdcsc.exe) set thread context of PID 1788 (msdcsc.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  PID 1932 f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe: SeDebugPrivilege
  PID 2040 f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 1212 msdcsc.exe: SeDebugPrivilege
  PID 1788 msdcsc.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1788: msdcsc.exe

Suspicious use of WriteProcessMemory (22 IoCs)
  PID 1932 (f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe) wrote to memory of PID 2040 (f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe): 9 entries
  PID 2040 (f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe) wrote to memory of PID 1212 (msdcsc.exe): 4 entries
  PID 1212 (msdcsc.exe) wrote to memory of PID 1788 (msdcsc.exe): 9 entries
Processes

[1] C:\Users\Admin\AppData\Local\Temp\f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24.exe
      - Modifies WinLogon for persistence
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
        Command line: "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
          Command line: C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
          - Modifies firewall policy service
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe (also recorded as \Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe)
  Filesize: 887KB
  MD5: 6e91f9d1c4b9fcf81c4a30e99358fde0
  SHA1: 4eeaf371809f8078e7ed0dc18e196e72c505f871
  SHA256: f77ec75d9c444361b57f286bd40726bedeb8106ab18c02ff6a59ef2e3f4e5f24
  SHA512: b462cd0cd1d42a7081f254a118f75b58fab8750fd2348155eb04ba932274715899615bf05f8e0e923bb9abe02041ee582158c1e77e8c2df8d9efbd25fc00c3fe
Memory dumps
  memory/1212-76-0x0000000072A80000-0x000000007302B000-memory.dmp (5.7MB)
  memory/1212-65-0x0000000000000000-mapping.dmp
  memory/1788-70-0x00000000004B8820-mapping.dmp
  memory/1788-78-0x0000000000400000-0x00000000004BE000-memory.dmp (760KB)
  memory/1788-77-0x0000000000400000-0x00000000004BE000-memory.dmp (760KB)
  memory/1932-60-0x0000000073FC0000-0x000000007456B000-memory.dmp (5.7MB)
  memory/1932-54-0x0000000075F51000-0x0000000075F53000-memory.dmp (8KB)
  memory/2040-62-0x0000000000400000-0x00000000004BE000-memory.dmp (760KB)
  memory/2040-55-0x0000000000400000-0x00000000004BE000-memory.dmp (760KB)
  memory/2040-56-0x00000000004B8820-mapping.dmp
  memory/2040-57-0x0000000000400000-0x00000000004BE000-memory.dmp (760KB)
  memory/2040-59-0x0000000000400000-0x00000000004BE000-memory.dmp (760KB)
  memory/2040-61-0x0000000000400000-0x00000000004BE000-memory.dmp (760KB)