Analysis
max time kernel: 153s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2022, 06:32
Static task: static1
Behavioral task: behavioral1
  Sample: ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Resource: win10v2004-20220812-en
General
Target: ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
Size: 767KB
MD5: 7c2424a3c3548fe475e16d10e5e18b50
SHA1: c6a67fa3db86385781a9d6512ed3bd19ce700198
SHA256: ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81
SHA512: ee64bf32108bfe9b9156bb42edc9a28de34ed9331cd7d4ef3f049bee53beda780bdcce79d4e99072ee39ee51d73c3af623a1dd030a3d3003e10f130797ea3ce0
SSDEEP: 12288:mdsngxZoh0ucDuCkZurIi7oriJ+VM85CIJ91KBLiUbsnt6JrXbiDAYvT93b7MG58:asngtDuCkZurLo2CF5CIJ91KBXsnt61/
Malware Config
Extracted
Family: darkcomet
Botnet: RiotPointBeggers
C2: 127.0.0.1:6514
C2: darkscouting.no-ip.biz:6514
Mutex: DC_MUTEX-6D97NCS
Attributes:
  InstallPath: SysAdmin\windesk.exe
  gencode: 7ud6mCiyikB2
  install: true
  offline_keylogger: true
  persistence: true
  reg_key: rundll32
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\SysAdmin\\windesk.exe" | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
Executes dropped EXE (2 IoCs)
  pid | Process
  4820 | windesk.exe
  3436 | windesk.exe
Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
  pid | Process
  1132 | attrib.exe
  4296 | attrib.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Windows\\SysAdmin\\windesk.exe" | windesk.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Windows\\SysAdmin\\windesk.exe" | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 5068 set thread context of 4904 | 5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 80
  PID 4820 set thread context of 3436 | 4820 | windesk.exe | 88
Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysAdmin\ | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  File opened for modification | C:\Windows\SysAdmin\windesk.exe | windesk.exe
  File created | C:\Windows\SysAdmin\windesk.exe | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  File opened for modification | C:\Windows\SysAdmin\windesk.exe | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid | Process
  5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  4820 | windesk.exe
  4820 | windesk.exe
  4820 | windesk.exe
  4820 | windesk.exe
  4820 | windesk.exe
  4820 | windesk.exe
  4820 | windesk.exe
  4820 | windesk.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  3436 | windesk.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
  description | pid | Process
  Token: SeIncreaseQuotaPrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeSecurityPrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeTakeOwnershipPrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeLoadDriverPrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeSystemProfilePrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeSystemtimePrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeProfSingleProcessPrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeIncBasePriorityPrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeCreatePagefilePrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeBackupPrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeRestorePrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeShutdownPrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeDebugPrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeSystemEnvironmentPrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeChangeNotifyPrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeRemoteShutdownPrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeUndockPrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeManageVolumePrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeImpersonatePrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeCreateGlobalPrivilege | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: 33 | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: 34 | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: 35 | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: 36 | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Token: SeIncreaseQuotaPrivilege | 3436 | windesk.exe
  Token: SeSecurityPrivilege | 3436 | windesk.exe
  Token: SeTakeOwnershipPrivilege | 3436 | windesk.exe
  Token: SeLoadDriverPrivilege | 3436 | windesk.exe
  Token: SeSystemProfilePrivilege | 3436 | windesk.exe
  Token: SeSystemtimePrivilege | 3436 | windesk.exe
  Token: SeProfSingleProcessPrivilege | 3436 | windesk.exe
  Token: SeIncBasePriorityPrivilege | 3436 | windesk.exe
  Token: SeCreatePagefilePrivilege | 3436 | windesk.exe
  Token: SeBackupPrivilege | 3436 | windesk.exe
  Token: SeRestorePrivilege | 3436 | windesk.exe
  Token: SeShutdownPrivilege | 3436 | windesk.exe
  Token: SeDebugPrivilege | 3436 | windesk.exe
  Token: SeSystemEnvironmentPrivilege | 3436 | windesk.exe
  Token: SeChangeNotifyPrivilege | 3436 | windesk.exe
  Token: SeRemoteShutdownPrivilege | 3436 | windesk.exe
  Token: SeUndockPrivilege | 3436 | windesk.exe
  Token: SeManageVolumePrivilege | 3436 | windesk.exe
  Token: SeImpersonatePrivilege | 3436 | windesk.exe
  Token: SeCreateGlobalPrivilege | 3436 | windesk.exe
  Token: 33 | 3436 | windesk.exe
  Token: 34 | 3436 | windesk.exe
  Token: 35 | 3436 | windesk.exe
  Token: 36 | 3436 | windesk.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  4820 | windesk.exe
  3436 | windesk.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 5068 wrote to memory of 4904 | 5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 80
  PID 5068 wrote to memory of 4904 | 5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 80
  PID 5068 wrote to memory of 4904 | 5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 80
  PID 5068 wrote to memory of 4904 | 5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 80
  PID 5068 wrote to memory of 4904 | 5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 80
  PID 5068 wrote to memory of 4904 | 5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 80
  PID 5068 wrote to memory of 4904 | 5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 80
  PID 5068 wrote to memory of 4904 | 5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 80
  PID 5068 wrote to memory of 4904 | 5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 80
  PID 5068 wrote to memory of 4904 | 5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 80
  PID 5068 wrote to memory of 4904 | 5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 80
  PID 5068 wrote to memory of 4904 | 5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 80
  PID 5068 wrote to memory of 4904 | 5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 80
  PID 5068 wrote to memory of 4904 | 5068 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 80
  PID 4904 wrote to memory of 1268 | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 81
  PID 4904 wrote to memory of 1268 | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 81
  PID 4904 wrote to memory of 1268 | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 81
  PID 4904 wrote to memory of 4640 | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 82
  PID 4904 wrote to memory of 4640 | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 82
  PID 4904 wrote to memory of 4640 | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 82
  PID 4640 wrote to memory of 4296 | 4640 | cmd.exe | 86
  PID 1268 wrote to memory of 1132 | 1268 | cmd.exe | 85
  PID 4640 wrote to memory of 4296 | 4640 | cmd.exe | 86
  PID 1268 wrote to memory of 1132 | 1268 | cmd.exe | 85
  PID 4640 wrote to memory of 4296 | 4640 | cmd.exe | 86
  PID 1268 wrote to memory of 1132 | 1268 | cmd.exe | 85
  PID 4904 wrote to memory of 4820 | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 87
  PID 4904 wrote to memory of 4820 | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 87
  PID 4904 wrote to memory of 4820 | 4904 | ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe | 87
  PID 4820 wrote to memory of 3436 | 4820 | windesk.exe | 88
  PID 4820 wrote to memory of 3436 | 4820 | windesk.exe | 88
  PID 4820 wrote to memory of 3436 | 4820 | windesk.exe | 88
  PID 4820 wrote to memory of 3436 | 4820 | windesk.exe | 88
  PID 4820 wrote to memory of 3436 | 4820 | windesk.exe | 88
  PID 4820 wrote to memory of 3436 | 4820 | windesk.exe | 88
  PID 4820 wrote to memory of 3436 | 4820 | windesk.exe | 88
  PID 4820 wrote to memory of 3436 | 4820 | windesk.exe | 88
  PID 4820 wrote to memory of 3436 | 4820 | windesk.exe | 88
  PID 4820 wrote to memory of 3436 | 4820 | windesk.exe | 88
  PID 4820 wrote to memory of 3436 | 4820 | windesk.exe | 88
  PID 4820 wrote to memory of 3436 | 4820 | windesk.exe | 88
  PID 4820 wrote to memory of 3436 | 4820 | windesk.exe | 88
  PID 4820 wrote to memory of 3436 | 4820 | windesk.exe | 88
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
  PID 3436 wrote to memory of 320 | 3436 | windesk.exe | 89
Views/modifies file attributes (1 TTPs, 2 IoCs)
  pid | Process
  1132 | attrib.exe
  4296 | attrib.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe"
  PID: 5068
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
    PID: 4904
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe" +s +h
      PID: 1268
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe" +s +h
        PID: 1132
        - Sets file to hidden
        - Views/modifies file attributes
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      PID: 4640
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        PID: 4296
        - Sets file to hidden
        - Views/modifies file attributes
    Level 3: C:\Windows\SysAdmin\windesk.exe
      Command line: "C:\Windows\SysAdmin\windesk.exe"
      PID: 4820
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysAdmin\windesk.exe
        Command line: C:\Windows\SysAdmin\windesk.exe
        PID: 3436
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Windows\SysWOW64\notepad.exe
          Command line: notepad
          PID: 320
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 767KB
MD5: 7c2424a3c3548fe475e16d10e5e18b50
SHA1: c6a67fa3db86385781a9d6512ed3bd19ce700198
SHA256: ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81
SHA512: ee64bf32108bfe9b9156bb42edc9a28de34ed9331cd7d4ef3f049bee53beda780bdcce79d4e99072ee39ee51d73c3af623a1dd030a3d3003e10f130797ea3ce0