Analysis
  max time kernel: 151s
  max time network: 146s
  platform: windows7_x64
  resource: win7-20220901-en
  resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  submitted: 03-10-2022 16:08
Behavioral task behavioral1
  Sample: 7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe
  Resource: win7-20220901-en

Behavioral task behavioral2
  Sample: 7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe
  Resource: win10v2004-20220812-en
General
  Target: 7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe
  Size: 756KB
  MD5: 6d3942d9fe24a9da8310d6991ea77030
  SHA1: 60bf0552c3b6a37ee840382792cb5e837c88e4fe
  SHA256: 7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7
  SHA512: bf31936ce761718ef6daf755db7c9a10a42420022c57a42f575eb52f1a8bce6208f34b72b97ff150d5bba03346537eaf8f4bb958e71bddf309cb3e4bbe2ff594
  SSDEEP: 12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h1:eZ1xuVVjfFoynPaVBUR8f+kN10EB3
Malware Config
  Extracted family: darkcomet
  Botnet / campaign ID: victime
  C2: 88.139.111.187:1604
  Mutex: DC_MUTEX-5014XJ2
  Attributes:
    InstallPath: MSDCSC\msdcsc.exe
    gencode: BFM60zGFMdWM
    install: true
    offline_keylogger: true
    persistence: false
    reg_key: MicroUpdate

The InstallPath and reg_key values are the ones that surface in the registry and dropped-file signatures below: the dropped copy lands at %TEMP%\MSDCSC\msdcsc.exe and the Run value is named MicroUpdate. Note that the config's own "persistence" flag is false even though the sample does install two auto-start entries; the flag refers to a separate DarkComet option (the builder's "persistence"/watchdog setting), not to the Run and Winlogon entries recorded in this run.
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe (PID 1112)
  Set value (str):
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
    = "C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
  The stock Userinit value is "C:\Windows\system32\userinit.exe," (a single entry with a trailing comma). Winlogon launches every comma-separated entry at interactive logon, so appending the dropped msdcsc.exe path makes it start with each user's session. Because this lives under HKLM, it applies to all users on the host and survives deletion of the per-user Run key below.
Executes dropped EXE (1 IoC)
  Process: msdcsc.exe (PID 1940)
Loads dropped DLL (2 IoCs)
  Process: 7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe (PID 1112), 2 events
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe (PID 1112)
  Set value (str):
    \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate
    = "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
  This is the per-user (HKCU) Run key of the logged-on account; the value name matches the reg_key attribute in the extracted config and the image path matches its InstallPath. An auto-start entry whose image sits under %TEMP% is itself a strong indicator regardless of the value name.
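Both registry IoCs above (a second image appended to Winlogon\Userinit, and a Run value pointing into %TEMP%) can be checked mechanically. The following Python is an added example written for this page, not part of the sandbox report or of any tooling it references. The two sample values are copied from the IoCs; the "VMware User Process" Run entry is a constructed benign entry for contrast; and the list of user-writable directories that a legitimate auto-start image should not live in is the author's assumption.

```python
"""Check Winlogon Userinit and per-user Run values for appended auto-start
entries like the ones recorded in this report.

Added example with constructed input; not output from the sandbox."""
import re

# Constructed sample values, copied from the two registry IoCs in this report.
USERINIT_REPORTED = (
    r"C:\Windows\system32\userinit.exe,"
    r"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
)
USERINIT_DEFAULT = r"C:\Windows\system32\userinit.exe,"  # stock Windows value
RUN_REPORTED = {
    "MicroUpdate": r"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe",
    # Constructed benign entry for contrast (hypothetical, not from the report).
    "VMware User Process": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr',
}

# The only legitimate Userinit entry is userinit.exe in the Windows system
# directory; the path may be given via %SystemRoot%/%windir% and may be quoted.
_LEGIT_USERINIT = re.compile(
    r'^"?(?:(?:[a-z]:\\windows|%systemroot%|%windir%)\\system32\\)?userinit\.exe"?$',
    re.IGNORECASE,
)

# Assumption: a normal auto-start image does not live in these user-writable
# locations. Tune for your environment.
_USER_WRITABLE = re.compile(
    r"\\(?:appdata\\local\\temp|appdata\\local|appdata\\roaming|users\\public|programdata|temp)\\",
    re.IGNORECASE,
)


def suspicious_userinit_entries(value):
    """Return every comma-separated Userinit entry that is not the system userinit.exe.

    The stock value ends with a trailing comma, which yields an empty entry;
    empties are ignored so a clean system returns [].
    """
    entries = [e.strip() for e in value.split(",")]
    return [e for e in entries if e and not _LEGIT_USERINIT.match(e)]


def image_path(command):
    """Extract the executable path from a Run value (quoted path, or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_run_entries(run_values):
    """Return (value_name, image_path) for Run entries whose image sits in a
    user-writable directory such as %TEMP% or AppData."""
    hits = []
    for name, command in run_values.items():
        path = image_path(command)
        if _USER_WRITABLE.search(path):
            hits.append((name, path))
    return hits


def persistence_report(userinit_value, run_values):
    """Run both checks and return the findings as one dict."""
    return {
        "userinit": suspicious_userinit_entries(userinit_value),
        "run": suspicious_run_entries(run_values),
    }


if __name__ == "__main__":
    for check, findings in persistence_report(USERINIT_REPORTED, RUN_REPORTED).items():
        print(check, findings)
```

On a live Windows host the inputs come from `winreg.QueryValueEx` on HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (value Userinit) and on each loaded user hive's Software\Microsoft\Windows\CurrentVersion\Run; the functions above only do the classification, so they can also be run offline against values pulled from a forensic registry export.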
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" wording attached to this signature is the sandbox's generic description; the extracted config identifies the sample as DarkComet, a remote access trojan whose file-manager component enumerates drives, and nothing else in this report (no mass file writes, no ransom note) points to ransomware.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: msdcsc.exe (PID 1940)
  Repeated GetForegroundWindow polling is how a user-mode keylogger tags captured keystrokes with the active window title; it is consistent with offline_keylogger = true in the extracted config.
Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: 7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe (PID 1112) and msdcsc.exe (PID 1940). Each enables the same 23 privileges:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
    SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege,
    and privilege LUIDs 33, 34, 35 (not resolved to names by the sandbox; these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege).
  Enabling every privilege present in the token in one sweep, rather than the one or two a task needs, is a common malware pattern; the set here includes SeDebugPrivilege, SeBackupPrivilege and SeRestorePrivilege. The identical list from both processes is expected, since the dropped msdcsc.exe is a byte-identical copy of the sample.
Suspicious use of SetWindowsHookEx (1 IoC)
  Process: msdcsc.exe (PID 1940)
  A Windows hook (typically WH_KEYBOARD_LL) is the usual keystroke-capture mechanism for a user-mode keylogger and fits the offline_keylogger config attribute.
Suspicious use of WriteProcessMemory (27 IoCs)
  PID 1112 (7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe) wrote to memory of PID 1940 (msdcsc.exe): 4 events
  PID 1940 (msdcsc.exe) wrote to memory of PID 1472 (notepad.exe): 23 events
  In both cases the writer is the parent of the target it writes into (see the process tree below), which is the pattern of code injection into a freshly created child process. The notepad.exe instance is launched by msdcsc.exe with a bare "notepad" command line and has no reason of its own to exist, so it is best read as an injection host.
Processes
  C:\Users\Admin\AppData\Local\Temp\7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe  (PID 1112)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe"
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe  (PID 1940, child of 1112)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\notepad.exe  (PID 1472, child of 1940; 32-bit notepad via SysWOW64)
        Command line: notepad
Downloads (dropped files)
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  (the sandbox lists this file four times, twice with the drive letter and twice as \Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe; all four entries carry identical metadata)
    Filesize: 756KB
    MD5: 6d3942d9fe24a9da8310d6991ea77030
    SHA1: 60bf0552c3b6a37ee840382792cb5e837c88e4fe
    SHA256: 7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7
    SHA512: bf31936ce761718ef6daf755db7c9a10a42420022c57a42f575eb52f1a8bce6208f34b72b97ff150d5bba03346537eaf8f4bb958e71bddf309cb3e4bbe2ff594
    Size and all four hashes match the submitted sample exactly: the dropper copies itself unchanged to the config's InstallPath (MSDCSC\msdcsc.exe under %TEMP%), so a hash-based block on the original sample also covers the installed copy.

  Memory dumps
    memory/1112-54-0x0000000076961000-0x0000000076963000-memory.dmp  (8KB)
    memory/1472-61-0x0000000000000000-mapping.dmp
    memory/1940-57-0x0000000000000000-mapping.dmp