Analysis
max time kernel: 30s
max time network: 44s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2022, 07:06
Static task: static1
Behavioral task: behavioral1
Sample: a0c68d73c01a70d1ed9b984d7a92d7a33d2b6b76fb48774137443c538b9a1035.exe
Resource: win7-20220812-en
General
Target: a0c68d73c01a70d1ed9b984d7a92d7a33d2b6b76fb48774137443c538b9a1035.exe
Size: 1022KB
MD5: 71aa732bc440747865b80aa4ae6b7964
SHA1: 3fcee2da11b8c942ba2029f074e3452ca74d5d47
SHA256: a0c68d73c01a70d1ed9b984d7a92d7a33d2b6b76fb48774137443c538b9a1035
SHA512: 58ca1d67623fa73dec810467a22842c6c761f843b6eae7d1da27b060db1c39b919bc98284ff2d94602aa4a8a929cff2d3126d82acd1d2464ecdd7e2674c8e6b8
SSDEEP: 24576:6vOTggIRfmQX3zRYC6FVZPv+FWe4Ys/EWc:KjYlDZ3+UT/EW
Malware Config
Extracted
Family: darkcomet
Campaign ID: Guest16
C2: 86.19.152.61:1604
Mutex: DC_MUTEX-3SXRNQA
InstallPath: MSDCSC\msdcsc.exe
gencode: 25DXBoo5LzAj
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate

Notes on the extracted config: the C2 is a bare IP on TCP 1604, the DarkComet default port, so a network indicator should be written on the address, not the port alone. The relative InstallPath resolved in this run to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe, and reg_key is the Run value name (MicroUpdate) the implant creates; both reappear verbatim in the Signatures below. The mutex name and the resolved install path are the most reliable host indicators here.
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" (process: svchost.exe)
  UserInit is a comma-separated list that Winlogon starts at every interactive logon, so the appended msdcsc.exe runs for every user who logs on, not only the account that executed the sample. Writing this value requires administrative rights, which is consistent with the privileges the process enabled (below).

Executes dropped EXE (2 IoCs)
  PID 892 svchost.exe
  PID 1628 msdcsc.exe

Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 1164 attrib.exe
  PID 752 attrib.exe

Loads dropped DLL (2 IoCs)
  PID 1392 a0c68d73c01a70d1ed9b984d7a92d7a33d2b6b76fb48774137443c538b9a1035.exe
  PID 892 svchost.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Users\\Admin\\AppData\\Roaming\\a0c68d73c01a70d1ed9b984d7a92d7a33d2b6b76fb48774137443c538b9a1035.exe" (process: a0c68d73c01a70d1ed9b984d7a92d7a33d2b6b76fb48774137443c538b9a1035.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" (process: svchost.exe)
  Two independent Run entries: the original sample registers a copy of itself from %APPDATA% under the value name "1", and the injected svchost.exe registers the msdcsc.exe install path under the value name MicroUpdate, matching the reg_key field of the extracted config. Together with the UserInit entry that is three separate logon-time persistence points.

Suspicious use of SetThreadContext (1 IoC)
  PID 1392 (a0c68d73c01a70d1ed9b984d7a92d7a33d2b6b76fb48774137443c538b9a1035.exe) set thread context of PID 892 (svchost.exe), procid_target 28
  Combined with the thirteen WriteProcessMemory calls from 1392 into 892 (below), this is the process-hollowing (RunPE) pattern: the parent starts a child, writes the payload into it, then rewrites the child's thread context so execution begins in the written code. The svchost.exe image on disk does not describe what PID 892 actually runs.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock text for this signature calls it likely ransomware behaviour; nothing else in this report supports that (no encryption, no ransom note), and the extracted config identifies the family as DarkComet, a remote access trojan whose file browser enumerates drives.

Suspicious use of AdjustPrivilegeToken (23 IoCs)
  PID 892 svchost.exe enabled: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  This is consistent with enabling every privilege present on an administrator token rather than requesting one specific privilege. SeDebugPrivilege is the one that matters for the memory writes into other processes; the trailing 33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names.

Suspicious use of WriteProcessMemory (51 IoCs)
  Source PID  Source process                                                           Target PID  procid_target  Calls
  1392        a0c68d73c01a70d1ed9b984d7a92d7a33d2b6b76fb48774137443c538b9a1035.exe    892         28             13
  892         svchost.exe                                                              1268        29             4
  892         svchost.exe                                                              1632        31             4
  892         svchost.exe                                                              432         33             18
  1268        cmd.exe                                                                  1164        34             4
  1632        cmd.exe                                                                  752         35             4
  892         svchost.exe                                                              1628        36             4
  The four-call groups into cmd.exe, attrib.exe and msdcsc.exe are the normal CreateProcess writes into a new child. The thirteen writes into svchost.exe and the eighteen into notepad.exe (PID 432) are the injection traffic; notepad.exe was launched with no arguments and serves as a host process.

Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 1164 attrib.exe
  PID 752 attrib.exe
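The two registry persistence mechanisms above (UserInit tampering and Run keys pointing into user-writable directories) can be checked mechanically. The following is an added example written for this page, not code from the sandbox or from the malware; the event rows are constructed from the IoC lines above plus one benign control row, and the canonical UserInit value and the list of user-writable path fragments are assumptions.

```python
"""Checks for the two registry persistence mechanisms seen in this report.

Added example; it is not part of the sandbox report or of DarkComet. The
event rows are constructed from the Signatures section above, with one
benign control row added. The canonical UserInit value and the list of
user-writable directories are assumptions.
"""

# Stock Winlogon UserInit value (assumption: compared case-insensitively,
# ignoring the trailing comma Windows itself leaves on the value).
CANONICAL_USERINIT = "c:\\windows\\system32\\userinit.exe"

# Path fragments that mark directories a standard user can write to
# (assumption: a short illustrative list, matched case-insensitively).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\")

# Constructed events in the shape of the report's IoC rows:
# (registry path, value data, process that wrote it).
EVENTS = [
    ("\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit",
     "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe",
     "svchost.exe"),
    ("\\REGISTRY\\USER\\S-1-5-21-2292972927-2705560509-2768824231-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\1",
     "C:\\Users\\Admin\\AppData\\Roaming\\a0c68d73c01a70d1ed9b984d7a92d7a33d2b6b76fb48774137443c538b9a1035.exe",
     "a0c68d73c01a70d1ed9b984d7a92d7a33d2b6b76fb48774137443c538b9a1035.exe"),
    ("\\REGISTRY\\USER\\S-1-5-21-2292972927-2705560509-2768824231-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroUpdate",
     "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe",
     "svchost.exe"),
    # Benign control row (constructed): the stock value, must not fire.
    ("\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit",
     "C:\\Windows\\system32\\userinit.exe,",
     "setup.exe"),
]


def userinit_extras(value):
    """Entries of a UserInit value other than the stock userinit.exe.

    UserInit is a comma-separated list and Winlogon starts every entry at
    each interactive logon, so anything appended here runs in every session.
    """
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e and e.lower() != CANONICAL_USERINIT]


def in_user_writable_dir(path):
    """True when the path sits under a directory a non-admin user can write to."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def value_name(key):
    """Last component of a registry path, e.g. 'UserInit' or 'MicroUpdate'."""
    return key.rstrip("\\").rsplit("\\", 1)[-1]


def scan(events):
    """Apply both checks to (key, data, process) rows; return the findings."""
    findings = []
    for key, data, proc in events:
        k = key.lower()
        if k.endswith("\\winlogon\\userinit"):
            for extra in userinit_extras(data):
                findings.append({"check": "winlogon_userinit_tamper",
                                 "process": proc, "payload": extra})
        elif "\\currentversion\\run\\" in k or "\\currentversion\\runonce\\" in k:
            if in_user_writable_dir(data):
                findings.append({"check": "run_key_user_writable_path",
                                 "process": proc, "value_name": value_name(key),
                                 "payload": data})
    return findings


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

Run against the constructed rows it reports three findings: the msdcsc.exe entry appended to UserInit and both Run values (1 and MicroUpdate), while the stock UserInit control row stays silent. The same two functions work unchanged on exported registry hives or Sysmon event ID 13 data once the key path and value data are pulled into the same tuple shape.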
Processes

C:\Users\Admin\AppData\Local\Temp\a0c68d73c01a70d1ed9b984d7a92d7a33d2b6b76fb48774137443c538b9a1035.exe  (PID 1392)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0c68d73c01a70d1ed9b984d7a92d7a33d2b6b76fb48774137443c538b9a1035.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\svchost.exe  (PID 892, child of 1392)
    Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1268, child of 892)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\svchost.exe" +s +h
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe  (PID 1164, child of 1268)
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\svchost.exe" +s +h
        - Sets file to hidden
        - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe  (PID 1632, child of 892)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe  (PID 752, child of 1632)
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Sets file to hidden
        - Views/modifies file attributes

    C:\Windows\SysWOW64\notepad.exe  (PID 432, child of 892)
      Command line: notepad

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe  (PID 1628, child of 892)
      Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe"
      - Executes dropped EXE

Reading the tree: the svchost.exe at the second level is a file dropped into %TEMP% by the sample, not the service host from System32; a process with that name outside the system directories is a masquerading indicator on its own. The command lines name System32 while the image paths are SysWOW64 because the 32-bit parent (see the arch:x86 resource tag) is subject to WOW64 file system redirection. The two attrib runs set the system and hidden attributes on the dropped svchost.exe and on the Temp directory itself, so neither shows in a default Explorer view; cmd.exe /k keeps the shell alive after attrib returns. notepad.exe is started with no document and is the target of eighteen WriteProcessMemory calls from svchost.exe (see Signatures), which marks it as an injection host rather than a user-launched editor.
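The three process-level indicators in this tree (a system binary name running from %TEMP%, the WriteProcessMemory plus SetThreadContext pairing on a child, and attrib +h aimed at an ancestor's own image or directory) can be checked from process-creation and API telemetry alone. The following is an added example written for this page, not the sandbox's or the malware's code; the process and API rows are constructed from the tree and the Signatures above, and the set of system binary names and the system directory prefixes are assumptions.

```python
"""Process-tree checks for the behaviour recorded in this report.

Added example; it is not part of the sandbox report or of DarkComet. The
process and API rows are constructed from the Processes and Signatures
sections above. The set of system binary names and the system directory
prefixes are assumptions.
"""

SAMPLE = "a0c68d73c01a70d1ed9b984d7a92d7a33d2b6b76fb48774137443c538b9a1035.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
DROP = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe"

# Binaries that only legitimately run from the system directories
# (assumption: short illustrative list).
SYSTEM_BINARIES = {"svchost.exe", "userinit.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# (pid, ppid, image path, command line); ppid 0 marks the root of the tree.
PROCESSES = [
    (1392, 0, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    (892, 1392, TEMP + "\\svchost.exe", TEMP + "\\svchost.exe"),
    (1268, 892, "C:\\Windows\\SysWOW64\\cmd.exe",
     '"C:\\Windows\\System32\\cmd.exe" /k attrib "' + TEMP + '\\svchost.exe" +s +h'),
    (1164, 1268, "C:\\Windows\\SysWOW64\\attrib.exe",
     'attrib "' + TEMP + '\\svchost.exe" +s +h'),
    (1632, 892, "C:\\Windows\\SysWOW64\\cmd.exe",
     '"C:\\Windows\\System32\\cmd.exe" /k attrib "' + TEMP + '" +s +h'),
    (752, 1632, "C:\\Windows\\SysWOW64\\attrib.exe",
     'attrib "' + TEMP + '" +s +h'),
    (432, 892, "C:\\Windows\\SysWOW64\\notepad.exe", "notepad"),
    (1628, 892, DROP, '"' + DROP + '"'),
]

# (api, caller pid, target pid), from the SetThreadContext and
# WriteProcessMemory IoCs; one row per distinct pair is enough here.
API_CALLS = [
    ("WriteProcessMemory", 1392, 892),
    ("SetThreadContext", 1392, 892),
    ("WriteProcessMemory", 892, 432),
    ("WriteProcessMemory", 892, 1628),
]


def masquerading(processes):
    """System binary names running from outside the system directories."""
    hits = []
    for pid, _ppid, image, _cmd in processes:
        low = image.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
            hits.append((pid, image))
    return hits


def hollowing_candidates(api_calls):
    """Caller/target pairs that saw both WriteProcessMemory and SetThreadContext.

    Writing into a freshly created child and then rewriting its thread
    context is the RunPE / process-hollowing pattern: the child's on-disk
    image no longer describes the code it executes.
    """
    seen = {}
    for api, caller, target in api_calls:
        seen.setdefault((caller, target), set()).add(api)
    return sorted(pair for pair, apis in seen.items()
                  if {"WriteProcessMemory", "SetThreadContext"} <= apis)


def self_hiding(processes):
    """attrib +h runs whose target is an ancestor's image or that image's directory."""
    by_pid = {p[0]: p for p in processes}
    hits = []
    for pid, ppid, image, cmd in processes:
        if not image.lower().endswith("\\attrib.exe") or "+h" not in cmd:
            continue
        parts = cmd.split('"')
        target = parts[1].lower().rstrip("\\") if len(parts) > 2 else ""
        anc = ppid
        while anc in by_pid:
            anc_image = by_pid[anc][2].lower()
            if anc_image == target or anc_image.startswith(target + "\\"):
                hits.append((pid, anc, target))
                break
            anc = by_pid[anc][1]
    return hits


if __name__ == "__main__":
    print("masquerading:", masquerading(PROCESSES))
    print("hollowing:", hollowing_candidates(API_CALLS))
    print("self-hiding:", self_hiding(PROCESSES))
```

On the constructed rows the masquerading check flags PID 892 (svchost.exe in %TEMP%), the hollowing check returns the (1392, 892) pair, and the self-hiding check ties both attrib runs back to PID 892, whose image (or whose directory) they hide. The ancestor walk in self_hiding matters because attrib is never the direct child of the process being hidden; it sits under a cmd.exe /k shell, so a parent-only comparison would miss both cases.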
Network
MITRE ATT&CK Enterprise v6
Downloads

Dropped file (the report lists the same hashes for all six download entries; shown once)
  Filesize: 1.1MB
  MD5: 34aa912defa18c2c129f1e09d75c1d7e
  SHA1: 9c3046324657505a30ecd9b1fdb46c05bde7d470
  SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
  SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98
  These hashes differ from the submitted sample's (MD5 71aa732bc440747865b80aa4ae6b7964, 1022KB), so this is a distinct executable written during the run rather than a copy of the sample, and it should be hunted for separately from the original file.