Analysis
max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2022 16:08
Behavioral task behavioral1
Sample: 7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe
Resource: win7-20220901-en
Behavioral task behavioral2
Sample: 7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe
Resource: win10v2004-20220812-en
General
Target: 7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe
Size: 756KB
MD5: 6d3942d9fe24a9da8310d6991ea77030
SHA1: 60bf0552c3b6a37ee840382792cb5e837c88e4fe
SHA256: 7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7
SHA512: bf31936ce761718ef6daf755db7c9a10a42420022c57a42f575eb52f1a8bce6208f34b72b97ff150d5bba03346537eaf8f4bb958e71bddf309cb3e4bbe2ff594
SSDEEP: 12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h1:eZ1xuVVjfFoynPaVBUR8f+kN10EB3
Malware Config
Extracted family: darkcomet
Botnet: victime
C2: 88.139.111.187:1604
Mutex: DC_MUTEX-5014XJ2
InstallPath: MSDCSC\msdcsc.exe
gencode: BFM60zGFMdWM
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
- Executes dropped EXE (1 IoC)
  Process: msdcsc.exe (PID 5064)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: 7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: msdcsc.exe (PID 5064)
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Process: 7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe (PID 1640)
  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  Process: msdcsc.exe (PID 5064)
  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: msdcsc.exe (PID 5064)
- Suspicious use of WriteProcessMemory (25 IoCs)
  PID 1640 (7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe) wrote to memory of PID 5064 (msdcsc.exe): 3 entries
  PID 5064 (msdcsc.exe) wrote to memory of PID 4704 (notepad.exe): 22 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe (child process)
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  Filesize: 756KB
  MD5: 6d3942d9fe24a9da8310d6991ea77030
  SHA1: 60bf0552c3b6a37ee840382792cb5e837c88e4fe
  SHA256: 7c0419ba2a9a126e8193f3efd67a5aea331de825c0bbbf89ef3950ea08b766c7
  SHA512: bf31936ce761718ef6daf755db7c9a10a42420022c57a42f575eb52f1a8bce6208f34b72b97ff150d5bba03346537eaf8f4bb958e71bddf309cb3e4bbe2ff594
- memory/4704-135-0x0000000000000000-mapping.dmp
- memory/5064-132-0x0000000000000000-mapping.dmp