Analysis
-
max time kernel
186s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
11/10/2022, 09:18
Behavioral task
behavioral1
Sample
027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe
Resource
win10v2004-20220812-en
General
-
Target
027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe
-
Size
727KB
-
MD5
58bd0cb3fb9afa61cdaa25bb0e8a6de0
-
SHA1
c70b6052af8f72d1261315b11d79d1f5ed644e1f
-
SHA256
027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194
-
SHA512
1949b34e1c6712dff92052964f7a990de17ba1e94bb67c5bc0268e9549d32b434a0b4080b4a4369434f6965c58b02cd68b8861ab889c390742f6218aed3314ee
-
SSDEEP
12288:h9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h75LF/Mw:bZ1xuVVjfFoynPaVBUR8f+kN10EB5VlV
Malware Config
Extracted
darkcomet
ضـــحية جديدة (Arabic, "new victim"; the original page renders it as "ÖÜÜÜÍíÉ ÌÏíÏÉ", which is the Windows-1256 string mis-decoded as Windows-1252)
memateiraq.no-ip.biz:1604
DC_MUTEX-HJG940C
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
7NAj1Mr7bd6y
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
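As an added worked example, not code from the sandbox or from this page, the following Python shows how a DarkComet 5.x configuration blob of the kind summarised above is recovered: RC4 with the per-version key string (plus the operator password, empty by default), hex encoding, and `NAME={value}` lines. The key strings, the header/footer lines and the raw field names (NETDATA, MUTEX, SID, GENCODE, INSTALL, PERSINST, OFFLINEK, KEYNAME, EDTPATH) are taken from public decoders and are assumptions here; this report does not state them. The blob is constructed inside the block by encrypting a plaintext built from the values above, and `as_mojibake` reproduces the mis-decoding that produced the garbled campaign string on the original page.

```python
import re

# Per-version RC4 key strings used by public DarkComet decoders (assumption:
# this report does not say which key applies). The operator password, if one
# was set in the builder, is appended to the key; it is empty by default.
KEYS = [b"#KCMDDC51#-890", b"#KCMDDC5#-890", b"#KCMDDC42F#-890",
        b"#KCMDDC42#-890", b"#KCMDDC4#-890", b"#KCMDDC2#-890"]

FIELD_RE = re.compile(r"([A-Z0-9]+)=\{([^}]*)\}")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_dcdata(hex_blob: str, password: str = ""):
    """Try each known key; the MUTEX field doubles as the sanity check that
    the right key was used. Returns (key, plaintext bytes) or (None, None)."""
    ciphertext = bytes.fromhex(hex_blob)
    for base in KEYS:
        plain = rc4(base + password.encode("ascii"), ciphertext)
        if b"MUTEX={" in plain:
            return base, plain
    return None, None


def parse_config(hex_blob: str, password: str = "", codepage: str = "cp1256") -> dict:
    """Decrypt and split into a {FIELD: value} dict. The config is single-byte
    text in the builder's ANSI code page; this sample's campaign string is
    consistent with Arabic (Windows-1256), and decoding those bytes as
    Windows-1252 instead is exactly what garbles it."""
    _, plain = decrypt_dcdata(hex_blob, password)
    if plain is None:
        return {}
    return dict(FIELD_RE.findall(plain.decode(codepage, errors="replace")))


def as_mojibake(text: str) -> str:
    """Show how a Windows-1256 string looks when mis-decoded as Windows-1252."""
    return text.encode("cp1256").decode("cp1252")


# Constructed sample: a plaintext assembled from the values in the report,
# then encrypted with the 5.1 key so the decoder has something to work on.
# The header/footer lines and field names are the assumed layout noted above.
SAMPLE_PLAIN = (
    "#BEGIN DARKCOMET DATA --\r\n"
    "MUTEX={DC_MUTEX-HJG940C}\r\n"
    "SID={ضـــحية جديدة}\r\n"
    "NETDATA={memateiraq.no-ip.biz:1604}\r\n"
    "GENCODE={7NAj1Mr7bd6y}\r\n"
    "INSTALL={1}\r\n"
    "PERSINST={1}\r\n"
    "OFFLINEK={1}\r\n"
    "KEYNAME={MicroUpdate}\r\n"
    "EDTPATH={MSDCSC\\msdcsc.exe}\r\n"
    "#EOF DARKCOMET DATA --\r\n"
)
SAMPLE_DCDATA = rc4(KEYS[0], SAMPLE_PLAIN.encode("cp1256")).hex().upper()

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_DCDATA)
    for name, value in cfg.items():
        print(f"{name:10} {value}")
    print("mis-decoded SID:", as_mojibake(cfg["SID"]))
```

When a sample does not decrypt with any of the listed keys, the usual causes are a non-empty operator password (pass it as `password`) or a version whose key string is not in the list; the MUTEX check keeps a wrong key from silently returning garbage.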
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" by 027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe (PID 1144)
  The stock value is "C:\Windows\system32\userinit.exe," (trailing comma); the sample appends its dropped copy so that winlogon.exe starts it at every interactive logon, independently of the Run key below. This key lives under HKLM, so the write succeeding means the sample ran with an elevated token.
-
Executes dropped EXE (1 IoC)
- PID 920 msdcsc.exe
-
Loads dropped DLL (2 IoCs)
- PID 1144 027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe (two loads)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" by 027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe (PID 1144)
- The same value set again by msdcsc.exe (PID 920)
  MicroUpdate is the reg_key from the extracted config; the dropped copy re-asserts the key when it starts, so deleting the value without killing the process does not remove the persistence.
-
Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but the extracted config identifies DarkComet, a RAT whose file-manager module enumerates drives; nothing else in this report shows file encryption, so treat the hit as a capability marker rather than as evidence of ransomware.
-
Suspicious use of AdjustPrivilegeToken (46 IoCs)
- PID 1144 027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe enabled 23 token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the LUIDs 33, 34 and 35
- PID 920 msdcsc.exe enabled the same 23 privileges
  LUIDs 33, 34 and 35 are privileges the sandbox did not resolve to names; on Windows 7 they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Together the list is every privilege present in an administrator's token, i.e. the sample calls AdjustTokenPrivileges to enable everything it holds. The tell for detection is the whole set being enabled at once (SeDebugPrivilege included), not any single entry.
-
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 1332 DllHost.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 920 msdcsc.exe
  A message hook is one common user-mode keylogging primitive; with offline_keylogger = true in the config that is the first hypothesis to verify, although the signature alone does not prove which hook type was installed.
-
Suspicious use of WriteProcessMemory (27 IoCs)
- PID 1144 027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe wrote to the memory of PID 920 msdcsc.exe (4 writes; procid_target 29)
- PID 920 msdcsc.exe wrote to the memory of PID 584 notepad.exe (23 writes; procid_target 30)
  Each parent writes into the child it has just started: the sample into its dropped copy, then the dropped copy into a SysWOW64 notepad.exe. PID 584 is the process to dump and scan for injected code.
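An added example, not the sandbox's own code: a small Python triage pass over the registry and WriteProcessMemory IoCs listed above. The event records, the image map and the function names are constructed here from the report's values (the \REGISTRY\… path form is kept; a Sysmon Event ID 13 feed would carry HKLM/HKU prefixes, which the suffix matching tolerates). It handles the edge case that trips naive UserInit checks, the stock value's trailing comma, and it parses the report's own flattened "PID A wrote to memory of B …" format to reconstruct the injection chain.

```python
import re
from collections import defaultdict

SAMPLE = "027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe"

# Constructed registry "value set" records transcribed from the report. The
# third one is a benign control: the stock UserInit value, trailing comma and
# all, which must not be reported.
SAMPLE_EVENTS = [
    {"pid": 1144, "process": SAMPLE,
     "path": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit",
     "data": "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"},
    {"pid": 920, "process": "msdcsc.exe",
     "path": "\\REGISTRY\\USER\\S-1-5-21-2292972927-2705560509-2768824231-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroUpdate",
     "data": "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"},
    {"pid": 600, "process": "winlogon.exe",
     "path": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit",
     "data": "C:\\Windows\\system32\\userinit.exe,"},
]

# Constructed WriteProcessMemory text in the report's flattened format,
# repeated to the counts the report gives (4 and 23).
SAMPLE_WRITES = (
    (f"PID 1144 wrote to memory of 920 1144 {SAMPLE} 29 ") * 4
    + ("PID 920 wrote to memory of 584 920 msdcsc.exe 30 ") * 23
)

# PID -> image path, taken from the process tree in the report.
SAMPLE_IMAGES = {
    1144: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    920: "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe",
    584: "C:\\Windows\\SysWOW64\\notepad.exe",
}

LEGIT_USERINIT = {"c:\\windows\\system32\\userinit.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def userinit_extras(data):
    """Commands in a Winlogon\\UserInit value other than the stock userinit.exe.
    The default value ends in a comma, so empty entries are skipped, not flagged."""
    extras = []
    for entry in data.split(","):
        cmd = entry.strip().strip('"')
        if cmd and cmd.lower() not in LEGIT_USERINIT:
            extras.append(cmd)
    return extras


def in_user_writable_dir(path):
    return path.strip().strip('"').lower().startswith(USER_WRITABLE)


def triage_registry(events):
    """Return (rule, pid, detail) findings for UserInit appends and Run keys
    that point into user-writable directories."""
    findings = []
    for ev in events:
        key = ev["path"].lower()
        if key.endswith("\\winlogon\\userinit"):
            for cmd in userinit_extras(ev["data"]):
                findings.append(("winlogon_userinit_append", ev["pid"], cmd))
        elif "\\currentversion\\run\\" in key and in_user_writable_dir(ev["data"]):
            findings.append(("run_key_user_writable", ev["pid"], ev["data"]))
    return findings


WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")


def injection_chains(text):
    """Parse the report's 'PID A wrote to memory of B A image N' entries into
    {(writer_pid, writer_image, target_pid): write_count}."""
    counts = defaultdict(int)
    for writer, target, image in WRITE_RE.findall(text):
        counts[(int(writer), image, int(target))] += 1
    return dict(counts)


def user_dir_writes_into_system_binary(chains, images):
    """Writers running from user-writable paths that write into a process
    whose image is a Windows binary: the injection target to dump."""
    hits = set()
    for (writer, _image, target), n in chains.items():
        if in_user_writable_dir(images.get(writer, "")) and \
                images.get(target, "").lower().startswith("c:\\windows\\"):
            hits.add((writer, target, n))
    return hits


if __name__ == "__main__":
    for finding in triage_registry(SAMPLE_EVENTS):
        print("registry:", finding)
    chains = injection_chains(SAMPLE_WRITES)
    for hit in user_dir_writes_into_system_binary(chains, SAMPLE_IMAGES):
        print("injection target:", hit)
```

Run against real telemetry, the same two checks apply unchanged; only the record shape (path, data, pid) needs mapping from the feed you have.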
Processes
-
C:\Users\Admin\AppData\Local\Temp\027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe" (depth 1)
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1144
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    cmdline: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe" (depth 2, child of PID 1144)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:920
    C:\Windows\SysWOW64\notepad.exe
      cmdline: notepad (depth 3, child of PID 920)
      PID:584
-
C:\Windows\SysWOW64\DllHost.exe
  cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} (depth 1, separate tree)
  - Suspicious use of FindShellTrayWindow
  PID:1332
Reading the tree: the submitted sample (1144) drops msdcsc.exe at the config's InstallPath under the user's Documents folder and starts it (920), writing into it four times; msdcsc.exe then starts a 32-bit notepad.exe (584) with the bare command line "notepad" and writes into it 23 times (see WriteProcessMemory above). That notepad.exe has no reason to exist on its own and is the first process to dump for injected code. DllHost.exe is a separate top-level COM surrogate, not a descendant of the sample.
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 46KB
MD5 779c37de7f335644e9644499fc0f7e7a
SHA1 c8864e1581b56ebd6f935d3acb009d7b92844412
SHA256 af029447b82e0ffa21c362ec5c8b1fa068cffd5b2db99f62dff5988133a0ce08
SHA512 c2313b1f8ef7ba04bc39093e634c2570bc674771c111fa0ae77af18d9c90fd72e56d2ab6ddde5ac2f83b29d88a1af62d84fbf91815c4b2e0454ce1663f6db76f
-
Filesize 727KB
MD5 58bd0cb3fb9afa61cdaa25bb0e8a6de0
SHA1 c70b6052af8f72d1261315b11d79d1f5ed644e1f
SHA256 027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194
SHA512 1949b34e1c6712dff92052964f7a990de17ba1e94bb67c5bc0268e9549d32b434a0b4080b4a4369434f6965c58b02cd68b8861ab889c390742f6218aed3314ee
The 727KB entry carries exactly the hashes of the submitted sample, so the dropped file is a byte-for-byte copy of the sample, consistent with the self-install to the config's InstallPath (MSDCSC\msdcsc.exe); the original page lists this entry several times with identical hashes. The 46KB file appears without a name or path, so its role (the "dropped DLL" loaded by PID 1144 is the obvious candidate) cannot be confirmed from this report alone.