Analysis

max time kernel: 110s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/10/2022, 14:31

Behavioral task: behavioral1
Sample: d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
Resource: win7-20220901-en
General

Target: d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
Size: 1.6MB
MD5: a20d99cf1d92e6b93810eed118feb880
SHA1: f10a8c84559386e512815f5e7b0e803c2cbc9ea2
SHA256: d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e
SHA512: cd49a1f5374d2b63561568c0d820fd2ba6d2d54a249f808e6826a5a499a0bc046a081a66f485069d24006da56841b1bb451fc858a19f65b44f5e68d7b404c7d4
SSDEEP: 24576:rthEVaPqLeyARPeXzlXEUYHDCQCm1ZTPGpVGsl10nupkTIC06pTzNnm:/EVUck8jlVbQCm7aH5l13a66pHs
Malware Config

Extracted

Family: darkcomet
Botnet: Guest16
C2: 67.149.136.142:200
Mutex: DC_MUTEX-8W2HP8D
InstallPath: MSDCSC\msdcsc.exe
gencode: EJ1PSg89PChw
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | explorer.exe

Executes dropped EXE 2 IoCs
pid | Process
4568 | 86050d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
4860 | msdcsc.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
488 | attrib.exe
4724 | attrib.exe

resource | yara_rule
behavioral2/memory/4452-132-0x0000000000400000-0x00000000004FE000-memory.dmp | upx
behavioral2/memory/4452-133-0x0000000000400000-0x00000000004FE000-memory.dmp | upx
behavioral2/files/0x0007000000022f6b-135.dat | upx
behavioral2/files/0x0007000000022f6b-136.dat | upx
behavioral2/memory/4568-138-0x0000000000400000-0x00000000004FE000-memory.dmp | upx
behavioral2/memory/4452-140-0x0000000000400000-0x00000000004FE000-memory.dmp | upx
behavioral2/memory/4568-145-0x0000000000400000-0x00000000004FE000-memory.dmp | upx
behavioral2/memory/4568-146-0x0000000000400000-0x00000000004FE000-memory.dmp | upx

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 86050d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\86050d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe = "C:\\Users\\Admin\\AppData\\Roaming\\86050d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe" | 86050d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | explorer.exe

AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4568-138-0x0000000000400000-0x00000000004FE000-memory.dmp | autoit_exe
behavioral2/memory/4452-140-0x0000000000400000-0x00000000004FE000-memory.dmp | autoit_exe
behavioral2/memory/4568-145-0x0000000000400000-0x00000000004FE000-memory.dmp | autoit_exe
behavioral2/memory/4568-146-0x0000000000400000-0x00000000004FE000-memory.dmp | autoit_exe

Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | attrib.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 4568 set thread context of 312 | 4568 | 86050d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe | 84

Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64 | attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe -

Modifies registry class 8 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
3588 | explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3588 | explorer.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 312 | explorer.exe
Token: SeSecurityPrivilege | 312 | explorer.exe
Token: SeTakeOwnershipPrivilege | 312 | explorer.exe
Token: SeLoadDriverPrivilege | 312 | explorer.exe
Token: SeSystemProfilePrivilege | 312 | explorer.exe
Token: SeSystemtimePrivilege | 312 | explorer.exe
Token: SeProfSingleProcessPrivilege | 312 | explorer.exe
Token: SeIncBasePriorityPrivilege | 312 | explorer.exe
Token: SeCreatePagefilePrivilege | 312 | explorer.exe
Token: SeBackupPrivilege | 312 | explorer.exe
Token: SeRestorePrivilege | 312 | explorer.exe
Token: SeShutdownPrivilege | 312 | explorer.exe
Token: SeDebugPrivilege | 312 | explorer.exe
Token: SeSystemEnvironmentPrivilege | 312 | explorer.exe
Token: SeChangeNotifyPrivilege | 312 | explorer.exe
Token: SeRemoteShutdownPrivilege | 312 | explorer.exe
Token: SeUndockPrivilege | 312 | explorer.exe
Token: SeManageVolumePrivilege | 312 | explorer.exe
Token: SeImpersonatePrivilege | 312 | explorer.exe
Token: SeCreateGlobalPrivilege | 312 | explorer.exe
Token: 33 | 312 | explorer.exe
Token: 34 | 312 | explorer.exe
Token: 35 | 312 | explorer.exe
Token: 36 | 312 | explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
3588 | explorer.exe
3588 | explorer.exe

Suspicious use of WriteProcessMemory 43 IoCs
description | pid | Process | procid_target
PID 4452 wrote to memory of 4568 | 4452 | d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe | 79
PID 4452 wrote to memory of 4568 | 4452 | d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe | 79
PID 4452 wrote to memory of 4568 | 4452 | d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe | 79
PID 4452 wrote to memory of 996 | 4452 | d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe | 80
PID 4452 wrote to memory of 996 | 4452 | d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe | 80
PID 4452 wrote to memory of 996 | 4452 | d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe | 80
PID 4568 wrote to memory of 312 | 4568 | 86050d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe | 84
PID 4568 wrote to memory of 312 | 4568 | 86050d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe | 84
PID 4568 wrote to memory of 312 | 4568 | 86050d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe | 84
PID 4568 wrote to memory of 312 | 4568 | 86050d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe | 84
PID 4568 wrote to memory of 312 | 4568 | 86050d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe | 84
PID 312 wrote to memory of 2856 | 312 | explorer.exe | 88
PID 312 wrote to memory of 2856 | 312 | explorer.exe | 88
PID 312 wrote to memory of 2856 | 312 | explorer.exe | 88
PID 312 wrote to memory of 2420 | 312 | explorer.exe | 90
PID 312 wrote to memory of 2420 | 312 | explorer.exe | 90
PID 312 wrote to memory of 2420 | 312 | explorer.exe | 90
PID 312 wrote to memory of 4472 | 312 | explorer.exe | 92
PID 312 wrote to memory of 4472 | 312 | explorer.exe | 92
PID 312 wrote to memory of 4472 | 312 | explorer.exe | 92
PID 312 wrote to memory of 4472 | 312 | explorer.exe | 92
PID 312 wrote to memory of 4472 | 312 | explorer.exe | 92
PID 312 wrote to memory of 4472 | 312 | explorer.exe | 92
PID 312 wrote to memory of 4472 | 312 | explorer.exe | 92
PID 312 wrote to memory of 4472 | 312 | explorer.exe | 92
PID 312 wrote to memory of 4472 | 312 | explorer.exe | 92
PID 312 wrote to memory of 4472 | 312 | explorer.exe | 92
PID 312 wrote to memory of 4472 | 312 | explorer.exe | 92
PID 312 wrote to memory of 4472 | 312 | explorer.exe | 92
PID 312 wrote to memory of 4472 | 312 | explorer.exe | 92
PID 312 wrote to memory of 4472 | 312 | explorer.exe | 92
PID 312 wrote to memory of 4472 | 312 | explorer.exe | 92
PID 312 wrote to memory of 4472 | 312 | explorer.exe | 92
PID 312 wrote to memory of 4472 | 312 | explorer.exe | 92
PID 2856 wrote to memory of 488 | 2856 | cmd.exe | 93
PID 2420 wrote to memory of 4724 | 2420 | cmd.exe | 94
PID 2856 wrote to memory of 488 | 2856 | cmd.exe | 93
PID 2856 wrote to memory of 488 | 2856 | cmd.exe | 93
PID 2420 wrote to memory of 4724 | 2420 | cmd.exe | 94
PID 2420 wrote to memory of 4724 | 2420 | cmd.exe | 94
PID 312 wrote to memory of 4860 | 312 | explorer.exe | 97
PID 312 wrote to memory of 4860 | 312 | explorer.exe | 97
PID 312 wrote to memory of 4860 | 312 | explorer.exe | 97

Views/modifies file attributes 1 TTPs 2 IoCs
pid | Process
488 | attrib.exe
4724 | attrib.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe"
    PID:4452
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\86050d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
        Command line: C:\Users\Admin\AppData\Roaming\86050d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
        PID:4568
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\explorer.exe
            Command line: "C:\Windows\system32\explorer.exe"
            PID:312
            - Modifies WinLogon for persistence
            - Adds Run key to start application
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\explorer.exe" +s +h
                PID:2856
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\attrib.exe
                    Command line: attrib "C:\Windows\SysWOW64\explorer.exe" +s +h
                    PID:488
                    - Sets file to hidden
                    - Drops file in System32 directory
                    - Views/modifies file attributes

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h
                PID:2420
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\attrib.exe
                    Command line: attrib "C:\Windows\SysWOW64" +s +h
                    PID:4724
                    - Sets file to hidden
                    - Drops file in Windows directory
                    - Views/modifies file attributes

            [4] C:\Windows\SysWOW64\notepad.exe
                Command line: notepad
                PID:4472

            [4] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
                PID:4860
                - Executes dropped EXE

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Tempscratch.cmd
        PID:996

[1] C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    PID:3588
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 290B
MD5: 144cad0760a5a3c194e8f81b1a199207
SHA1: 9a56de0c82cf9f2817763d9b6616f1bb434775b5
SHA256: 7622731f0d69b59fe7bb6d70e4f55ccd54562406d1c92b429ecf4e5d33adbd6e
SHA512: 47854437f0dd08ae8a0fff3498b464dc959a5ba358c9983ef4aa51ab29e2d58f948f82afa526a4ed214ceed695fd9d3c4cd70fefe2e1fb7c7619d079d16e7a31

C:\Users\Admin\AppData\Roaming\86050d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
Filesize: 1.6MB
MD5: a20d99cf1d92e6b93810eed118feb880
SHA1: f10a8c84559386e512815f5e7b0e803c2cbc9ea2
SHA256: d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e
SHA512: cd49a1f5374d2b63561568c0d820fd2ba6d2d54a249f808e6826a5a499a0bc046a081a66f485069d24006da56841b1bb451fc858a19f65b44f5e68d7b404c7d4

C:\Users\Admin\AppData\Roaming\86050d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
Filesize: 1.6MB
MD5: a20d99cf1d92e6b93810eed118feb880
SHA1: f10a8c84559386e512815f5e7b0e803c2cbc9ea2
SHA256: d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e
SHA512: cd49a1f5374d2b63561568c0d820fd2ba6d2d54a249f808e6826a5a499a0bc046a081a66f485069d24006da56841b1bb451fc858a19f65b44f5e68d7b404c7d4

Filesize: 4.2MB
MD5: 0155e85852fde62a441cbaf485e023be
SHA1: 59482d4b1c0f061426ef71bff8506230faa00701
SHA256: e0689419d3d7879a229ecf3e74639e4e9ba0669ed4574f47b108097593fc9fbc
SHA512: f1a43adb7b0203dc5ad4613da9645070c4da0d15d8788b50644cb80420d4a38151488aa3888da39a6cb17ef6d3f5ebc5fe08ac948dca1fd0c852dceecd3bafff