Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/10/2022, 16:21
Static task: static1
Behavioral task: behavioral1
  Sample: 175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe
  Resource: win10v2004-20220812-en
General
Target: 175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe
Size: 885KB
MD5: 914c1a5ce18d5c385aa68eb2f627b683
SHA1: faa8d0acb8ea3bcf164850fa274a3728a473d394
SHA256: 175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df
SHA512: 1cc0928d68d8d62bb7782eab716daaebfd57a66feb76b0d308e4d7ca895b9731399275ca63fe17a0ca415b786f74021496941ed71eca421bd84e217797fe74be
SSDEEP: 12288:IphltQjZMzBLrnl/f1xYPBXfWau3JOq2oth4i73zi/94fuhoAfWl9H5IXMmtVXGI:jW9rn56BXfWauZXD73zi/MjAfiSZM4
Malware Config
Extracted
Family: darkcomet
ID (campaign): Guest16
C2: 127.0.0.1:1604
Mutex: DC_MUTEX-J5EQEUY
InstallPath: MSDCSC\msdcsc.exe
gencode: YSvPW7HraQLS
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: 175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe)

Executes dropped EXE (3 IoCs)
- PID 1932: 175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe
- PID 5076: msdcsc.exe
- PID 1712: msdcsc.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (process: 175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe)

Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif (process: 175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif (process: msdcsc.exe)

Adds Run key to start application (2 TTPs, 6 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" (process: 175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" (process: 175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: 175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" (process: msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" (process: msdcsc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: msdcsc.exe)
Suspicious use of SetThreadContext (2 IoCs)
- PID 4448 (175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe) set thread context of PID 1932, procid_target 85
- PID 5076 (msdcsc.exe) set thread context of PID 1712, procid_target 91

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: 175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe)

Runs net.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
- PID 1932 (175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe), 24 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 1712 (msdcsc.exe), 24 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1712: msdcsc.exe

Suspicious use of WriteProcessMemory (49 IoCs)
- PID 4448 (175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe) wrote to memory of PID 1980 (cmd.exe), procid_target 83: 3 times
- PID 4448 (175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe) wrote to memory of PID 1932 (175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe), procid_target 85: 14 times
- PID 1980 (cmd.exe) wrote to memory of PID 2100 (net.exe), procid_target 87: 3 times
- PID 2100 (net.exe) wrote to memory of PID 4944 (net1.exe), procid_target 86: 3 times
- PID 1932 (175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe) wrote to memory of PID 5076 (msdcsc.exe), procid_target 88: 3 times
- PID 5076 (msdcsc.exe) wrote to memory of PID 4440 (cmd.exe), procid_target 89: 3 times
- PID 5076 (msdcsc.exe) wrote to memory of PID 1712 (msdcsc.exe), procid_target 91: 14 times
- PID 4440 (cmd.exe) wrote to memory of PID 3748 (net.exe), procid_target 92: 3 times
- PID 3748 (net.exe) wrote to memory of PID 3052 (net1.exe), procid_target 93: 3 times
Processes

C:\Users\Admin\AppData\Local\Temp\175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe"
  PID: 4448
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c net stop MpsSvc
      PID: 1980
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe
          Command line: net stop MpsSvc
          PID: 2100
          - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe
      PID: 1932
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          PID: 5076
          - Executes dropped EXE
          - Drops startup file
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
              Command line: /c net stop MpsSvc
              PID: 4440
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\net.exe
                  Command line: net stop MpsSvc
                  PID: 3748
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\SysWOW64\net1.exe
                      Command line: C:\Windows\system32\net1 stop MpsSvc
                      PID: 3052

            C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
              Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
              PID: 1712
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\net1.exe
  Command line: C:\Windows\system32\net1 stop MpsSvc
  PID: 4944
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe
Filesize: 885KB
MD5: 914c1a5ce18d5c385aa68eb2f627b683
SHA1: faa8d0acb8ea3bcf164850fa274a3728a473d394
SHA256: 175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df
SHA512: 1cc0928d68d8d62bb7782eab716daaebfd57a66feb76b0d308e4d7ca895b9731399275ca63fe17a0ca415b786f74021496941ed71eca421bd84e217797fe74be