Analysis
- max time kernel: 171s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 10:02
Static task: static1
Behavioral task: behavioral1
- Sample: 0ed85fa7d62a79306a7e52a321de3d1880afd9ef5ba376569f528e7f52047f25.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 0ed85fa7d62a79306a7e52a321de3d1880afd9ef5ba376569f528e7f52047f25.exe
- Resource: win10v2004-20220812-en
(The signatures, process tree and downloads below are from the win10v2004-20220812-en run, matching the platform line above.)
General
- Target: 0ed85fa7d62a79306a7e52a321de3d1880afd9ef5ba376569f528e7f52047f25.exe
- Size: 2.7MB
- MD5: 84bf54351957e900ffed47bec794bad7
- SHA1: 99c2985eec7c242cc0b574138af08ae2f2d9c0ac
- SHA256: 0ed85fa7d62a79306a7e52a321de3d1880afd9ef5ba376569f528e7f52047f25
- SHA512: aafcfb2c36eb42b5e52d26c88a4e004bb89a1127a04714c245bdd09ad49d22f3bcfdbaf42aeed4d9932646e39422d66605149e858a4f35c9e8f59270e6751ba2
- SSDEEP: 49152:bkwkn9IMHeae6S5VuaVP1L3TQ/8hdROmzdL0zy4tEwdHO5BIPbSj+XC2Qg9aPCS:IdnV5MVuQt7TQEh7OmJxw0MPWj+XC2FL
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16_min
- C2: verydark25.no-ip.biz:100
- Mutex: DCMIN_MUTEX-QPZZXFD
- InstallPath: DCSCMIN\IMDCSC.exe
- gencode: 0GZSgZY5XLqM
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: Chrome Updater
Notes on the config:
- The C2 is a dynamic-DNS hostname (no-ip.biz) on TCP port 100, so hunt and block on the hostname; any IP it resolved to during analysis is not a stable indicator.
- "Guest16" is the default campaign ID of the DarkComet builder, so "Guest16_min" says little about the operator.
- InstallPath is relative to the user's Documents folder; the behavioural section below shows the stub written to C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe, and a Run value named exactly after reg_key ("Chrome Updater").
- persistence: false is a separate builder option and must not be read as "no persistence": the signatures below record two autostart entries (the Run key and the Winlogon UserInit value).
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process 613.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"
  Note: the stock value is "C:\\Windows\\system32\\userinit.exe," (a single entry with a trailing comma). Appending a second path makes winlogon.exe start IMDCSC.exe at every interactive logon, independently of the Run key below. On a live host, compare the current data against that default; a check that only asks whether the value exists proves nothing, since it always exists.
- Executes dropped EXE (4 IoCs)
  PID 4688 613.exe; PID 4192 613.exe; PID 2492 IMDCSC.exe; PID 2760 IMDCSC.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation, by 0ed85fa7d62a79306a7e52a321de3d1880afd9ef5ba376569f528e7f52047f25.exe and again by 613.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 613.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome Updater = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"
  Note: the value name matches the reg_key field of the extracted config and the data matches its InstallPath. A vendor-sounding Run entry whose target lives under a user-writable directory (here the user's Documents folder) is the condition worth automating.
- AutoIT Executable (6 IoCs)
  AutoIT scripts compiled to PE executables.
  YARA rule autoit_exe matched C:\Users\Admin\AppData\Local\Temp\613\613.exe (3 hits) and C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe (3 hits)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 4688 (613.exe) set thread context of PID 4192 (613.exe)
  PID 2492 (IMDCSC.exe) set thread context of PID 2760 (IMDCSC.exe)
  Note: in both cases a process starts a second copy of its own image, writes to that copy's memory (see the WriteProcessMemory entries below) and then sets its thread context. That sequence is the usual process-hollowing (RunPE) pattern used by AutoIT loaders, and it explains why the privilege and hook activity below is attributed to the child PIDs 4192 and 2760 rather than to the copies that launched them.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: the "ransomware" remark is the sandbox's generic description for this signature, not a finding about this sample. Nothing else in the report supports it; for a DarkComet RAT, drive enumeration is consistent with its remote file-browsing features.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 4688 613.exe (2 hits); PID 2492 IMDCSC.exe (2 hits)
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  PID 4192 (613.exe) and PID 2760 (IMDCSC.exe) each enabled the same 24 privileges, in the same order:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and four entries the report lists only by number (33, 34, 35, 36).
  Note: identical lists in identical order from both hollowed copies point to one routine that enables every privilege it can rather than the one it needs; SeDebugPrivilege is the one a user-mode RAT needs to open other processes. The calls succeeded because the sandbox user is an administrator (the HKLM Winlogon write above would otherwise have failed); in a non-elevated session most of these privileges are absent from the token and cannot be enabled.
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2760 IMDCSC.exe
  Note: consistent with offline_keylogger: true in the extracted config. The hook is installed by the final, hollowed IMDCSC.exe copy, the same PID that adjusted its token privileges above.
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1156 (0ed85fa7d62a79306a7e52a321de3d1880afd9ef5ba376569f528e7f52047f25.exe) wrote to memory of PID 4688 (613.exe): 3 events
  PID 4688 (613.exe) wrote to memory of PID 4192 (613.exe): 5 events
  PID 4192 (613.exe) wrote to memory of PID 2492 (IMDCSC.exe): 3 events
  PID 2492 (IMDCSC.exe) wrote to memory of PID 2760 (IMDCSC.exe): 5 events
  Note: a parent writing into a child it has just created is not by itself proof of injection; the two pairs that also appear under SetThreadContext (4688 -> 4192 and 2492 -> 2760) are the ones that matter.
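Detection logic for the two registry persistence IoCs above (the UserInit hijack and the Run value pointing into a user-writable folder) plus the DarkComet mutex prefix, as an added example. This is not the sandbox's code; the event lines are constructed here in the shape of the report's "Set value (str)" entries (the two real IoCs plus two made-up benign writes), and the helper names, the user-writable directory list and the DC_MUTEX- prefix are assumptions beyond what the report shows.

```python
import re

# Stock Winlogon UserInit data on Windows; anything appended after the comma
# is launched by winlogon.exe at every interactive logon.
DEFAULT_USERINIT = "C:\\Windows\\system32\\userinit.exe"

# Directories a vendor-looking Run entry should not normally point into (assumed list).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\documents\\", "\\programdata\\")

# Mutex prefixes used by DarkComet stubs; DCMIN_MUTEX- is the one in this report,
# DC_MUTEX- is the other common DarkComet default (assumption).
DARKCOMET_MUTEX_PREFIXES = ("DCMIN_MUTEX-", "DC_MUTEX-")

# Same field layout as the report's registry IoC lines: action, key, data, process.
EVENT_RE = re.compile(r'^Set value \(str\) (?P<key>.+?) = "(?P<data>.*)" (?P<proc>\S+)$')

# Constructed sample: the two IoCs from the report, then two benign writes
# (an installer restoring the default UserInit value and a OneDrive Run entry).
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" 613.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome Updater = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" 613.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," setup.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" OneDrive.exe',
]


def parse_event(line):
    """Return {key, data, proc} for a 'Set value (str)' line, else None.
    The report doubles backslashes inside the data field; undo that."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"key": m["key"], "data": m["data"].replace("\\\\", "\\"), "proc": m["proc"]}


def userinit_extras(data):
    """Entries in a UserInit value other than the stock userinit.exe."""
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return [e for e in entries if e.lower() != DEFAULT_USERINIT.lower()]


def run_entry_in_user_writable(data):
    """True if a Run value's target lives under a user-writable directory."""
    path = data.strip('"').lower()
    return any(marker in path for marker in USER_WRITABLE)


def is_darkcomet_mutex(name):
    """Prefix check against the DarkComet mutex naming scheme."""
    return name.startswith(DARKCOMET_MUTEX_PREFIXES)


def scan(lines):
    """Run both registry checks over event lines; return a list of findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key_l = ev["key"].lower()
        if key_l.endswith("\\winlogon\\userinit"):
            extras = userinit_extras(ev["data"])
            if extras:
                findings.append({"rule": "winlogon_userinit_hijack", "proc": ev["proc"], "detail": extras})
        elif "\\currentversion\\run\\" in key_l:
            if run_entry_in_user_writable(ev["data"]):
                value_name = ev["key"].rsplit("\\", 1)[-1]
                findings.append({"rule": "run_key_user_writable_path", "proc": ev["proc"],
                                 "detail": [value_name, ev["data"]]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["rule"], f["proc"], *f["detail"])
    print("mutex match:", is_darkcomet_mutex("DCMIN_MUTEX-QPZZXFD"))
```

The UserInit check compares against the stock data rather than testing for the key's presence, and the Run check keys on where the target lives rather than on the value name, so a renamed "Chrome Updater" entry is still caught as long as it points into the profile.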
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\0ed85fa7d62a79306a7e52a321de3d1880afd9ef5ba376569f528e7f52047f25.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ed85fa7d62a79306a7e52a321de3d1880afd9ef5ba376569f528e7f52047f25.exe"
  PID 1156
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\613\613.exe (child of PID 1156)
    Command line: "C:\Users\Admin\AppData\Local\Temp\613\613.exe"
    PID 4688
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\613\613.exe (child of PID 4688)
      Command line: "C:\Users\Admin\AppData\Local\Temp\613\613.exe"
      PID 4192
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe (child of PID 4192)
        Command line: "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
        PID 2492
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe (child of PID 2492)
          Command line: "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
          PID 2760
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
Chain: 1156 -> 4688 -> 4192 -> 2492 -> 2760. The dropped 613.exe and the installed IMDCSC.exe each run twice; in each pair the second copy is the hollowed one that carries out the persistence writes, privilege changes and keyboard hook.
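The process tree together with the WriteProcessMemory and SetThreadContext signatures describes two hollowing hops. The following added example (not part of the report and not the sandbox's code) reconstructs both the injection chain and the hollowing candidates from event lines written in the report's own field order. The sample lines are constructed from the report's entries with the repeated WriteProcessMemory events collapsed to one each; the function names and the candidate rule (same pair, both actions, same image name) are mine.

```python
import re
from collections import defaultdict

# Field order of the report's entries:
# "PID <src> <action> <dst> <src> <src image> <dst image>"
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Constructed from the report's entries, one line per distinct (src, dst, action).
SAMPLE_EVENTS = [
    "PID 1156 wrote to memory of 4688 1156 0ed85fa7d62a79306a7e52a321de3d1880afd9ef5ba376569f528e7f52047f25.exe 613.exe",
    "PID 4688 wrote to memory of 4192 4688 613.exe 613.exe",
    "PID 4688 set thread context of 4192 4688 613.exe 613.exe",
    "PID 4192 wrote to memory of 2492 4192 613.exe IMDCSC.exe",
    "PID 2492 wrote to memory of 2760 2492 IMDCSC.exe IMDCSC.exe",
    "PID 2492 set thread context of 2760 2492 IMDCSC.exe IMDCSC.exe",
]


def parse_events(lines):
    """Parse report-style lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            events.append({"src": int(m["src"]), "dst": int(m["dst"]), "action": m["action"],
                           "src_img": m["src_img"], "dst_img": m["dst_img"]})
    return events


def hollowing_candidates(events):
    """(src, dst, image) for every pair where one process both wrote to a
    child with the same image name and set that child's thread context.
    Memory writes alone are excluded: a parent writing into a child it just
    created is routine, the thread-context change is what marks RunPE."""
    actions = defaultdict(set)
    images = {}
    for ev in events:
        pair = (ev["src"], ev["dst"])
        actions[pair].add(ev["action"])
        images[pair] = (ev["src_img"], ev["dst_img"])
    hits = []
    for pair, acts in actions.items():
        src_img, dst_img = images[pair]
        if {"wrote to memory of", "set thread context of"} <= acts and src_img.lower() == dst_img.lower():
            hits.append((pair[0], pair[1], dst_img))
    return sorted(hits)


def injection_chain(events):
    """Walk 'wrote to memory of' edges from the root PID (the one nobody wrote
    into) in depth-first order; returns [(pid, image, depth), ...]."""
    children = defaultdict(list)
    image = {}
    for ev in events:
        if ev["action"] != "wrote to memory of":
            continue
        if ev["dst"] not in children[ev["src"]]:
            children[ev["src"]].append(ev["dst"])
        image[ev["src"]] = ev["src_img"]
        image[ev["dst"]] = ev["dst_img"]
    targets = {d for ds in children.values() for d in ds}
    roots = [p for p in children if p not in targets]
    chain = []
    stack = [(r, 0) for r in reversed(roots)]
    while stack:
        pid, depth = stack.pop()
        chain.append((pid, image[pid], depth))
        stack.extend((c, depth + 1) for c in reversed(children.get(pid, [])))
    return chain


def render_chain(chain):
    """Indented text tree, one line per process."""
    return "\n".join(f"{'  ' * depth}{pid} {img}" for pid, img, depth in chain)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(render_chain(injection_chain(evs)))
    for src, dst, img in hollowing_candidates(evs):
        print(f"hollowing candidate: {src} -> {dst} ({img})")
```

Run against the constructed lines it prints the five-process chain from the tree above and flags exactly the two pairs (4688 -> 4192 and 2492 -> 2760) that the SetThreadContext signature lists; the 1156 -> 4688 and 4192 -> 2492 writes, which have no matching thread-context change and different image names, are reported as chain links only.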
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.5MB (the report lists this same set of hashes six times, i.e. identical content captured at several points)
  MD5: e3db605b6b773ae7ed7fe8596abae583
  SHA1: 2b573adfe3e3a2edc68936a3e864d7a9a909f12d
  SHA256: 53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f
  SHA512: a5b139462b64e1196045000efe64ad553d8ee3204b5da3f9b3e0df77bcec3b6253b5d169331338f009c8213023443453bb1a5f18417c47e5e179378a7bd2900b
- Filesize: not listed (these are the well-known digests of empty input, so the captured artifact was zero bytes and this entry carries no content worth hunting on)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- Filesize: 658KB
  MD5: 07c4d7f2b2cfa8ab7b39a250429bfa78
  SHA1: dc0e4ca81efbef25aa53d08dbc7fd24008b790b9
  SHA256: 0076395fd58ddcfaa73dcce59a05eb3b45d7116f671f32b5077846bddf3c16b2
  SHA512: 2a806c450f58e3e583f956a0c4a756e71a87c9e6ebce12d9ff5fa01f5724ee5823f22183d73ca0cba5fed772139c576bdf883b237f3b8897fc5264cdc68aa005