Analysis
- max time kernel: 151s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-10-2022 23:45
Behavioral task: behavioral1
- Sample: ab1477722843a045b21dd70fa847f760e82e2cc9750a6947dbda59fd9c7cdc3e.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: ab1477722843a045b21dd70fa847f760e82e2cc9750a6947dbda59fd9c7cdc3e.exe
- Resource: win10v2004-20220812-en
General
- Target: ab1477722843a045b21dd70fa847f760e82e2cc9750a6947dbda59fd9c7cdc3e.exe
- Size: 658KB
- MD5: 840b5eeea3176f01d5852f76e769c5f6
- SHA1: 5c0a4613ecc7a354cf53cde8643861b58bf737a4
- SHA256: ab1477722843a045b21dd70fa847f760e82e2cc9750a6947dbda59fd9c7cdc3e
- SHA512: 6aeda1c472ff8bd3b12cf7e3b48620914353607aa0883b984a4b4044910f2034738be68cc2d677f3ea3a2776ae3ad48e843c3942400cc33af8c899f93885ad92
- SSDEEP: 12288:S9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hP:+Z1xuVVjfFoynPaVBUR8f+kN10EBh
Malware Config
Extracted
- Family: darkcomet
- 1
- C2: c0k3.no-ip.org:1604
- Mutex: DC_MUTEX-8H85MRV
- InstallPath: MSDCSC\msdcsc.exe
- gencode: ZXqyaXHT9LjV
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: ab1477722843a045b21dd70fa847f760e82e2cc9750a6947dbda59fd9c7cdc3e.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | ab1477722843a045b21dd70fa847f760e82e2cc9750a6947dbda59fd9c7cdc3e.exe
- Executes dropped EXE (1 IoCs)
  Processes: msdcsc.exe
  pid | process
  1780 | msdcsc.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: ab1477722843a045b21dd70fa847f760e82e2cc9750a6947dbda59fd9c7cdc3e.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | ab1477722843a045b21dd70fa847f760e82e2cc9750a6947dbda59fd9c7cdc3e.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: ab1477722843a045b21dd70fa847f760e82e2cc9750a6947dbda59fd9c7cdc3e.exe, msdcsc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | ab1477722843a045b21dd70fa847f760e82e2cc9750a6947dbda59fd9c7cdc3e.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | msdcsc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: msdcsc.exe
  pid | process
  1780 | msdcsc.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: ab1477722843a045b21dd70fa847f760e82e2cc9750a6947dbda59fd9c7cdc3e.exe, msdcsc.exe
  description | pid | process
  The same 24 token privileges are recorded for each of the two processes (pid 4580 ab1477722843a045b21dd70fa847f760e82e2cc9750a6947dbda59fd9c7cdc3e.exe and pid 1780 msdcsc.exe), in this order:
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: msdcsc.exe
  pid | process
  1780 | msdcsc.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes: ab1477722843a045b21dd70fa847f760e82e2cc9750a6947dbda59fd9c7cdc3e.exe, msdcsc.exe
  description | pid | process | target process
  PID 4580 wrote to memory of 1780 | 4580 | ab1477722843a045b21dd70fa847f760e82e2cc9750a6947dbda59fd9c7cdc3e.exe | msdcsc.exe (3 rows)
  PID 1780 wrote to memory of 2388 | 1780 | msdcsc.exe | notepad.exe (remaining 22 rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\ab1477722843a045b21dd70fa847f760e82e2cc9750a6947dbda59fd9c7cdc3e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab1477722843a045b21dd70fa847f760e82e2cc9750a6947dbda59fd9c7cdc3e.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  Filesize: 658KB
  MD5: 840b5eeea3176f01d5852f76e769c5f6
  SHA1: 5c0a4613ecc7a354cf53cde8643861b58bf737a4
  SHA256: ab1477722843a045b21dd70fa847f760e82e2cc9750a6947dbda59fd9c7cdc3e
  SHA512: 6aeda1c472ff8bd3b12cf7e3b48620914353607aa0883b984a4b4044910f2034738be68cc2d677f3ea3a2776ae3ad48e843c3942400cc33af8c899f93885ad92
- memory/1780-132-0x0000000000000000-mapping.dmp
- memory/2388-135-0x0000000000000000-mapping.dmp