Analysis
-
max time kernel
147s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
23-11-2022 15:44
Behavioral task
behavioral1
Sample
65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Resource
win7-20220812-en
General
-
Target
65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
-
Size
748KB
-
MD5
83ee51d85cd4ff8e04993585fa2ffdd4
-
SHA1
2b3001d66cc2a502975f7e0c4688f297ba729e2d
-
SHA256
65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6
-
SHA512
715ca23574b7c3ec0882b11f241133386bd86d5f2e2845d7cb488262dfce3c160ccff91bad5baa26fa952eddf024cc8ad9839085dcc22f2b51d0c1cb989fe140
-
SSDEEP
12288:dk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+rqMd0QZp:u0QRWoJEfg0oChGdJQbjPbNW5tYeP+Gq
Malware Config
Extracted
Family
darkcomet
-
Botnet
mobd
-
C2
72.78.91.89:1604
-
Mutex
DC_MUTEX-F54S21D
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
jhly2TMuqK8k
-
install
true
-
offline_keylogger
false
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Desktop\\MSDCSC\\msdcsc.exe" | 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
-
Modifies security service 2 TTPs 2 IoCs
Processes: msdcsc.exe, iexplore.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | iexplore.exe
-
Windows security bypass 2 IoCs
Processes: msdcsc.exe, iexplore.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | iexplore.exe
-
Drops file in Drivers directory 1 IoCs
Processes: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
-
Executes dropped EXE 1 IoCs
Processes: msdcsc.exe
pid | process
2016 | msdcsc.exe
-
Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
1912 | cmd.exe
-
Loads dropped DLL 2 IoCs
Processes: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
pid | process
1336 | 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
1336 | 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
-
Windows security modification 1 IoCs
Processes: msdcsc.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe, msdcsc.exe, iexplore.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Desktop\\MSDCSC\\msdcsc.exe" | 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Desktop\\MSDCSC\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Desktop\\MSDCSC\\msdcsc.exe" | iexplore.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: msdcsc.exe
description | pid | process | target process
PID 2016 set thread context of 944 | 2016 | msdcsc.exe | iexplore.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: iexplore.exe
pid | process
944 | iexplore.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe, msdcsc.exe, iexplore.exe
pid | process | tokens adjusted (description "Token: <privilege>" in the original rows)
1336 | 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 IoCs)
2016 | msdcsc.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 IoCs)
944 | iexplore.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege (18 IoCs)
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe, cmd.exe, msdcsc.exe
description | pid | process | target process | occurrences
PID 1336 wrote to memory of 1912 | 1336 | 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe | cmd.exe | 4
PID 1336 wrote to memory of 2016 | 1336 | 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe | msdcsc.exe | 4
PID 1912 wrote to memory of 108 | 1912 | cmd.exe | PING.EXE | 4
PID 2016 wrote to memory of 944 | 2016 | msdcsc.exe | iexplore.exe | 6
-
System policy modification 1 TTPs 3 IoCs
Processes: msdcsc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1 -n 4
      - Runs ping.exe
  C:\Users\Admin\Desktop\MSDCSC\msdcsc.exe (depth 2)
    Command line: "C:\Users\Admin\Desktop\MSDCSC\msdcsc.exe"
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Program Files (x86)\Internet Explorer\iexplore.exe (depth 3)
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Modifies security service
      - Windows security bypass
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\Desktop\MSDCSC\msdcsc.exe
Filesize
748KB
MD5
83ee51d85cd4ff8e04993585fa2ffdd4
SHA1
2b3001d66cc2a502975f7e0c4688f297ba729e2d
SHA256
65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6
SHA512
715ca23574b7c3ec0882b11f241133386bd86d5f2e2845d7cb488262dfce3c160ccff91bad5baa26fa952eddf024cc8ad9839085dcc22f2b51d0c1cb989fe140
-
\Users\Admin\Desktop\MSDCSC\msdcsc.exe
Filesize
748KB
MD5
83ee51d85cd4ff8e04993585fa2ffdd4
SHA1
2b3001d66cc2a502975f7e0c4688f297ba729e2d
SHA256
65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6
SHA512
715ca23574b7c3ec0882b11f241133386bd86d5f2e2845d7cb488262dfce3c160ccff91bad5baa26fa952eddf024cc8ad9839085dcc22f2b51d0c1cb989fe140
-
memory/108-59-0x0000000000000000-mapping.dmp
-
memory/1336-54-0x00000000762D1000-0x00000000762D3000-memory.dmp
Filesize
8KB
-
memory/1912-55-0x0000000000000000-mapping.dmp
-
memory/2016-58-0x0000000000000000-mapping.dmp