Analysis
- max time kernel: 163s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 19/10/2022, 14:31
Behavioral task: behavioral1
- Sample: d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
- Resource: win7-20220901-en
General
- Target: d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
- Size: 1.6MB
- MD5: a20d99cf1d92e6b93810eed118feb880
- SHA1: f10a8c84559386e512815f5e7b0e803c2cbc9ea2
- SHA256: d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e
- SHA512: cd49a1f5374d2b63561568c0d820fd2ba6d2d54a249f808e6826a5a499a0bc046a081a66f485069d24006da56841b1bb451fc858a19f65b44f5e68d7b404c7d4
- SSDEEP: 24576:rthEVaPqLeyARPeXzlXEUYHDCQCm1ZTPGpVGsl10nupkTIC06pTzNnm:/EVUck8jlVbQCm7aH5l13a66pHs
Malware Config
Extracted
- Family: darkcomet
- Campaign ID: Guest16 (the DarkComet builder default)
- C2: 67.149.136.142:200
- Mutex: DC_MUTEX-8W2HP8D
- InstallPath: MSDCSC\msdcsc.exe
- gencode: EJ1PSg89PChw
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: explorer.exe)
Executes dropped EXE (2 IoCs)
- PID 1060: 67051d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
- PID 1984: msdcsc.exe
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
- PID 556: attrib.exe
- PID 744: attrib.exe
UPX packed file (yara rule: upx; 7 IoCs)
- behavioral1/memory/888-55-0x0000000000400000-0x00000000004FE000-memory.dmp
- behavioral1/files/0x000500000000b2d2-56.dat
- behavioral1/files/0x000500000000b2d2-58.dat
- behavioral1/files/0x000500000000b2d2-61.dat
- behavioral1/memory/1060-63-0x0000000000400000-0x00000000004FE000-memory.dmp
- behavioral1/memory/888-64-0x0000000000400000-0x00000000004FE000-memory.dmp
- behavioral1/memory/1060-69-0x0000000000400000-0x00000000004FE000-memory.dmp
Deletes itself (1 IoC)
- PID 1408: cmd.exe
Loads dropped DLL (2 IoCs)
- PID 888: d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
- PID 1412: explorer.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: 67051d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\67051d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe = "C:\\Users\\Admin\\AppData\\Roaming\\67051d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe" (process: 67051d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: explorer.exe)
Drops desktop.ini file(s) (1 IoC)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini (process: explorer.exe)
AutoIT Executable (4 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral1/memory/888-55-0x0000000000400000-0x00000000004FE000-memory.dmp (yara rule: autoit_exe)
- behavioral1/memory/1060-63-0x0000000000400000-0x00000000004FE000-memory.dmp (yara rule: autoit_exe)
- behavioral1/memory/888-64-0x0000000000400000-0x00000000004FE000-memory.dmp (yara rule: autoit_exe)
- behavioral1/memory/1060-69-0x0000000000400000-0x00000000004FE000-memory.dmp (yara rule: autoit_exe)
Drops file in System32 directory (1 IoC)
- File opened for modification: C:\Windows\SysWOW64\explorer.exe (process: attrib.exe)
Suspicious use of SetThreadContext (1 IoC)
- PID 1060 (67051d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe) set thread context of PID 1412 (procid_target 30)
Drops file in Windows directory (1 IoC)
- File opened for modification: C:\Windows\SysWOW64 (process: attrib.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: explorer.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: explorer.exe)
Modifies Internet Explorer settings (2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" (process: explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar (process: explorer.exe)
Modifies registry class (5 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings (process: explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (process: explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (process: explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (process: explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (process: explorer.exe)
Suspicious use of AdjustPrivilegeToken (23 IoCs)
- Tokens adjusted by PID 1412 (explorer.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and three privileges reported only by LUID (33, 34, 35)
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 1412: explorer.exe
Suspicious use of SendNotifyMessage (1 IoC)
- PID 1412: explorer.exe
Suspicious use of WriteProcessMemory (52 IoCs)
Collapsed to one row per (source PID -> target PID); the trailing number on each IoC is the report's internal process index for the target (procid_target), not a PID.
- 888 (d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe) -> 1060, procid_target 27: 4 writes
- 888 (d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe) -> 1408, procid_target 29: 4 writes
- 1060 (67051d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe) -> 1412, procid_target 30: 6 writes
- 1412 (explorer.exe) -> 1200, procid_target 31: 4 writes
- 1412 (explorer.exe) -> 1204, procid_target 33: 4 writes
- 1412 (explorer.exe) -> 1544, procid_target 34: 18 writes
- 1200 (cmd.exe) -> 556, procid_target 36: 4 writes
- 1204 (cmd.exe) -> 744, procid_target 37: 4 writes
- 1412 (explorer.exe) -> 1984, procid_target 38: 4 writes
Views/modifies file attributes (1 TTP, 2 IoCs)
- PID 556: attrib.exe
- PID 744: attrib.exe
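The SetThreadContext and WriteProcessMemory signatures above are only meaningful together: every parent in the tree writes into the children it starts (888 -> 1060, 1412 -> 1200, and so on), but only 1060 -> 1412 is paired with a SetThreadContext, which is the RunPE-style hollowing pattern. The following is an added example, not part of the Triage report or of DarkComet: it parses constructed copies of the report's WriteProcessMemory and SetThreadContext IoC lines, reports the (source, target) pairs that show both, and lists the children of the hollowed host so that the attrib/notepad/msdcsc.exe activity can be attributed to the injected payload rather than to explorer.exe. The line grammar and function names are this example's own; the PIDs, image names and process indexes come from the report.

```python
"""Correlate cross-process memory writes with thread-context changes.

Added example; it is not part of the Triage report or of DarkComet. It parses
constructed copies of the report's
  "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
and
  "PID <src> set thread context of <dst> <src> <image> <procid_target>"
lines. A parent writes into every child it starts, so WriteProcessMemory alone
is noise (888 -> 1060 here); a write paired with SetThreadContext from the same
source is the RunPE-style hollowing pattern, and the children of the hollowed
host are then the payload's own activity.
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

_WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")
_CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) \d+")

# Image names taken from the report above.
DROPPER = "d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe"
COPY = "67051" + DROPPER  # the %APPDATA% copy: same hash, "67051" prefixed to the name

# Constructed subset of the report's 52 WriteProcessMemory + 1 SetThreadContext IoCs
# (one line per distinct pair, two for the hollowing target), in report order.
SAMPLE_EVENTS = [
    f"PID 888 wrote to memory of 1060 888 {DROPPER} 27",
    f"PID 888 wrote to memory of 1408 888 {DROPPER} 29",
    f"PID 1060 wrote to memory of 1412 1060 {COPY} 30",
    f"PID 1060 wrote to memory of 1412 1060 {COPY} 30",
    f"PID 1060 set thread context of 1412 1060 {COPY} 30",
    "PID 1412 wrote to memory of 1200 1412 explorer.exe 31",
    "PID 1412 wrote to memory of 1204 1412 explorer.exe 33",
    "PID 1412 wrote to memory of 1544 1412 explorer.exe 34",
    "PID 1200 wrote to memory of 556 1200 cmd.exe 36",
    "PID 1204 wrote to memory of 744 1204 cmd.exe 37",
    "PID 1412 wrote to memory of 1984 1412 explorer.exe 38",
]

Pair = Tuple[int, int]


def parse_events(lines: List[str]) -> Tuple[Counter, Set[Pair], Dict[int, str]]:
    """Split the events into write counts per (src, dst), SetThreadContext pairs and source images."""
    writes: Counter = Counter()
    ctx: Set[Pair] = set()
    images: Dict[int, str] = {}
    for line in lines:
        m = _WRITE_RE.search(line)
        if m:
            writes[(int(m.group(1)), int(m.group(2)))] += 1
            images[int(m.group(1))] = m.group(3)
            continue
        m = _CTX_RE.search(line)
        if m:
            ctx.add((int(m.group(1)), int(m.group(2))))
            images[int(m.group(1))] = m.group(3)
    return writes, ctx, images


def write_counts(lines: List[str]) -> Counter:
    """WriteProcessMemory calls per (src, dst): the 52 IoCs collapsed to one row per pair."""
    return parse_events(lines)[0]


def hollowing_candidates(lines: List[str]) -> List[Pair]:
    """(src, dst) pairs where src both wrote into dst and replaced a thread context in it."""
    writes, ctx, _ = parse_events(lines)
    return sorted(pair for pair in ctx if writes[pair] > 0)


def children_of(lines: List[str], pid: int) -> List[int]:
    """PIDs that `pid` wrote into; in this report those are the processes it started."""
    return sorted(dst for (src, dst) in write_counts(lines) if src == pid)


if __name__ == "__main__":
    _, _, images = parse_events(SAMPLE_EVENTS)
    for src, dst in hollowing_candidates(SAMPLE_EVENTS):
        print(f"{images[src]} (PID {src}) hollowed PID {dst}; "
              f"children of the host: {children_of(SAMPLE_EVENTS, dst)}")
```

On this report the only candidate is (1060, 1412), and the children of 1412 are 1200, 1204, 1544 and 1984, i.e. the two attrib cmd shells, notepad and the installed msdcsc.exe. The same correlation works on Sysmon or EDR telemetry once the two event types are mapped onto the same (source, target) key; the heuristic will also fire on legitimate debuggers, so treat it as a triage filter rather than a verdict.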
Processes
Indentation follows the report's tree depth; each entry lists the image path, PID, command line and the signatures the report attributes to that process.

C:\Users\Admin\AppData\Local\Temp\d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe (PID 888)
  command line: "C:\Users\Admin\AppData\Local\Temp\d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\67051d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe (PID 1060)
    command line: C:\Users\Admin\AppData\Roaming\67051d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\explorer.exe (PID 1412)
      command line: "C:\Windows\system32\explorer.exe" (a 32-bit caller, so WoW64 file-system redirection resolves system32 to SysWOW64)
      - Modifies WinLogon for persistence
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 1200)
        command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\explorer.exe" +s +h
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\attrib.exe (PID 556)
          command line: attrib "C:\Windows\SysWOW64\explorer.exe" +s +h
          - Sets file to hidden
          - Drops file in System32 directory
          - Views/modifies file attributes
      C:\Windows\SysWOW64\cmd.exe (PID 1204)
        command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\attrib.exe (PID 744)
          command line: attrib "C:\Windows\SysWOW64" +s +h
          - Sets file to hidden
          - Drops file in Windows directory
          - Views/modifies file attributes
      C:\Windows\SysWOW64\notepad.exe (PID 1544)
        command line: notepad
      C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1984)
        command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 1408)
    command line: cmd /c C:\Users\Admin\AppData\Local\Tempscratch.cmd
    - Deletes itself

C:\Windows\explorer.exe (PID 2016)
  command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Modifies registry class

PID 2016 is a separate 64-bit shell instance started through COM (/factory,{CLSID} -Embedding), not a child of the sample; the report attributes the processor-information, Internet Explorer and registry-class signatures to this instance, not to the hollowed PID 1412.
Network
MITRE ATT&CK Enterprise v6
Downloads
(unnamed file)
- Filesize: 290B
- MD5: 144cad0760a5a3c194e8f81b1a199207
- SHA1: 9a56de0c82cf9f2817763d9b6616f1bb434775b5
- SHA256: 7622731f0d69b59fe7bb6d70e4f55ccd54562406d1c92b429ecf4e5d33adbd6e
- SHA512: 47854437f0dd08ae8a0fff3498b464dc959a5ba358c9983ef4aa51ab29e2d58f948f82afa526a4ed214ceed695fd9d3c4cd70fefe2e1fb7c7619d079d16e7a31

C:\Users\Admin\AppData\Roaming\67051d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe (same hashes as the submitted sample)
- Filesize: 1.6MB
- MD5: a20d99cf1d92e6b93810eed118feb880
- SHA1: f10a8c84559386e512815f5e7b0e803c2cbc9ea2
- SHA256: d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e
- SHA512: cd49a1f5374d2b63561568c0d820fd2ba6d2d54a249f808e6826a5a499a0bc046a081a66f485069d24006da56841b1bb451fc858a19f65b44f5e68d7b404c7d4

(unnamed file)
- Filesize: 2.5MB
- MD5: 40d777b7a95e00593eb1568c68514493
- SHA1: 89a175a12bc20104770d0ef83e553f8b0e06274b
- SHA256: 0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894
- SHA512: d5719baef8bef791ef99b4c88d449d45f199638438bd929c1a3e7a74309931c72e03567633135a4fcf4c92e2b53e552f9526cba2e1d85383906d3c1aa21dd67f

\Users\Admin\AppData\Roaming\67051d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe (same file as above, listed by the report without the drive letter)
- Filesize: 1.6MB
- MD5: a20d99cf1d92e6b93810eed118feb880
- SHA1: f10a8c84559386e512815f5e7b0e803c2cbc9ea2
- SHA256: d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e
- SHA512: cd49a1f5374d2b63561568c0d820fd2ba6d2d54a249f808e6826a5a499a0bc046a081a66f485069d24006da56841b1bb451fc858a19f65b44f5e68d7b404c7d4