Analysis
max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2022 16:08
Static task: static1
Behavioral task: behavioral1
  Sample: 9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
  Resource: win10v2004-20220901-en
General
Target: 9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Size: 579KB
MD5: 68a54e3adbf81b3b808c11da8ce7c68a
SHA1: c7e1f952fd870d31508e69e41adc9f625781e34e
SHA256: 9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661
SHA512: 9ccfbf2dacf6994c0f87e1fb32571c8e50085cd10e14860684e2ea421dd4ebd59884c5a5d6fe98fdee22ddd8e89c40e4962f776032dc730d0f163a6bdf3c808d
SSDEEP: 12288:nVDHFNzdkfqQNQECtK/lGRgOUqmq9kR6lhKXrJjpfmOnX/M:VDHFNBkyQNQ9tK/cRgOnmq9g6QXnE
Malware Config
Extracted
Family: darkcomet
Campaign ID (botnet): Guest16
C2: alankaboot.no-ip.biz:1604
Mutex: DC_MUTEX-F54S21D
InstallPath: MSDCSC\msdcsc.exe
gencode: JbvaliXHAQvv
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
  process: 9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"
Executes dropped EXE 1 IoCs
Processes:
  pid 368: msdcsc.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  process: 9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  process: 9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"
Suspicious use of SetThreadContext 1 IoCs
Processes:
  pid 368 msdcsc.exe set thread context of pid 3432 iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  pid 1596 9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  pid 368 msdcsc.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  pid 3432 iexplore.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid 3432: iexplore.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  PID 1596 9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe wrote to memory of PID 368 msdcsc.exe (3 events)
  PID 368 msdcsc.exe wrote to memory of PID 3432 iexplore.exe (5 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe"
   PID: 1596
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe (child of PID 1596)
      Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
      PID: 368
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe (child of PID 368)
         Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         PID: 3432
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
  Filesize: 579KB
  MD5: 68a54e3adbf81b3b808c11da8ce7c68a
  SHA1: c7e1f952fd870d31508e69e41adc9f625781e34e
  SHA256: 9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661
  SHA512: 9ccfbf2dacf6994c0f87e1fb32571c8e50085cd10e14860684e2ea421dd4ebd59884c5a5d6fe98fdee22ddd8e89c40e4962f776032dc730d0f163a6bdf3c808d
- memory/368-135-0x0000000000000000-mapping.dmp
- memory/368-139-0x00000000021A0000-0x0000000002200000-memory.dmp (Filesize: 384KB)
- memory/368-140-0x0000000000400000-0x0000000000504000-memory.dmp (Filesize: 1.0MB)
- memory/1596-132-0x0000000000400000-0x0000000000504000-memory.dmp (Filesize: 1.0MB)
- memory/1596-133-0x0000000002300000-0x0000000002360000-memory.dmp (Filesize: 384KB)
- memory/1596-134-0x0000000003400000-0x0000000003500000-memory.dmp (Filesize: 1024KB)
- memory/1596-138-0x0000000000400000-0x0000000000504000-memory.dmp (Filesize: 1.0MB)