Analysis
max time kernel: 188s
max time network: 190s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2022, 09:18
Behavioral task: behavioral1
Sample: 027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe
Resource: win10v2004-20220812-en
General
Target: 027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe
Size: 727KB
MD5: 58bd0cb3fb9afa61cdaa25bb0e8a6de0
SHA1: c70b6052af8f72d1261315b11d79d1f5ed644e1f
SHA256: 027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194
SHA512: 1949b34e1c6712dff92052964f7a990de17ba1e94bb67c5bc0268e9549d32b434a0b4080b4a4369434f6965c58b02cd68b8861ab889c390742f6218aed3314ee
SSDEEP: 12288:h9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h75LF/Mw:bZ1xuVVjfFoynPaVBUR8f+kN10EB5VlV
Malware Config
Extracted
Family: darkcomet
Botnet: ضـــحية جديدة
C2: memateiraq.no-ip.biz:1604
Mutex: DC_MUTEX-HJG940C
Attributes
InstallPath: MSDCSC\msdcsc.exe
gencode: 7NAj1Mr7bd6y
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: 027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe)
Executes dropped EXE (1 IoCs)
- PID 4800, process: msdcsc.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (process: 027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: 027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: msdcsc.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (48 IoCs)
- PID 920 (027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 IoCs)
- PID 4800 (msdcsc.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 IoCs)
Suspicious use of SetWindowsHookEx (1 IoCs)
- PID 4800, process: msdcsc.exe
Suspicious use of WriteProcessMemory (25 IoCs)
- PID 920 wrote to memory of 4800 (process: 027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe, procid_target 80), 3 identical entries
- PID 4800 wrote to memory of 3320 (process: msdcsc.exe, procid_target 81), 22 identical entries
Processes
C:\Users\Admin\AppData\Local\Temp\027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194.exe"
  PID: 920
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (child of PID 920)
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    PID: 4800
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\notepad.exe (child of PID 4800)
      Command line: notepad
      PID: 3320
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 727KB
MD5: 58bd0cb3fb9afa61cdaa25bb0e8a6de0
SHA1: c70b6052af8f72d1261315b11d79d1f5ed644e1f
SHA256: 027eed8da627e8af40b14b85de849ca8cc7991767cfd8a98c4bc0ae8cc9b5194
SHA512: 1949b34e1c6712dff92052964f7a990de17ba1e94bb67c5bc0268e9549d32b434a0b4080b4a4369434f6965c58b02cd68b8861ab889c390742f6218aed3314ee