Analysis
- max time kernel: 143s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 15:44
Behavioral task
- behavioral1
- Sample: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
- Resource: win7-20220812-en
General
- Target: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
- Size: 748KB
- MD5: 83ee51d85cd4ff8e04993585fa2ffdd4
- SHA1: 2b3001d66cc2a502975f7e0c4688f297ba729e2d
- SHA256: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6
- SHA512: 715ca23574b7c3ec0882b11f241133386bd86d5f2e2845d7cb488262dfce3c160ccff91bad5baa26fa952eddf024cc8ad9839085dcc22f2b51d0c1cb989fe140
- SSDEEP: 12288:dk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+rqMd0QZp:u0QRWoJEfg0oChGdJQbjPbNW5tYeP+Gq
Malware Config
Extracted
- Family: darkcomet
- mobd
- C2: 72.78.91.89:1604
- Mutex: DC_MUTEX-F54S21D
- InstallPath: MSDCSC\msdcsc.exe
- gencode: jhly2TMuqK8k
- install: true
- offline_keylogger: false
- persistence: true
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Desktop\\MSDCSC\\msdcsc.exe" (process: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe)
Modifies security service (2 TTPs, 2 IoCs)
Processes: msdcsc.exe, iexplore.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (process: msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (process: iexplore.exe)

Windows security bypass (heading not present in the extracted page; inferred from the process tree below, which lists this signature for msdcsc.exe and iexplore.exe)
Processes: msdcsc.exe, iexplore.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: iexplore.exe)
Drops file in Drivers directory (1 IoC)
Processes: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (process: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe)

Executes dropped EXE (1 IoC)
Processes: msdcsc.exe
- PID 544: msdcsc.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe)
Windows security modification (heading not present in the extracted page; inferred from the process tree below, which lists this signature for msdcsc.exe only)
Processes: msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: msdcsc.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe, msdcsc.exe, iexplore.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Desktop\\MSDCSC\\msdcsc.exe" (process: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Desktop\\MSDCSC\\msdcsc.exe" (process: msdcsc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Desktop\\MSDCSC\\msdcsc.exe" (process: iexplore.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes: msdcsc.exe
- PID 544 (msdcsc.exe) set thread context of PID 4876 (iexplore.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: iexplore.exe
- PID 4876: iexplore.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe, msdcsc.exe, iexplore.exe
- PID 5016 (65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe), 24 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 544 (msdcsc.exe), 24 tokens: the same 24 tokens as PID 5016, in the same order
- PID 4876 (iexplore.exe), 16 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege

Suspicious use of WriteProcessMemory (14 IoCs)
Processes: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe, cmd.exe, msdcsc.exe
- PID 5016 (65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe) wrote to memory of PID 5024 (cmd.exe): 3 events
- PID 5016 (65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe) wrote to memory of PID 544 (msdcsc.exe): 3 events
- PID 5024 (cmd.exe) wrote to memory of PID 3480 (PING.EXE): 3 events
- PID 544 (msdcsc.exe) wrote to memory of PID 4876 (iexplore.exe): 5 events

System policy modification (1 TTP, 3 IoCs)
Processes: msdcsc.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (process: msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (process: msdcsc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (process: msdcsc.exe)
Processes
(indentation shows the parent/child relationship; the depth number is the level in the process tree)

Depth 1: C:\Users\Admin\AppData\Local\Temp\65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe"
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 4
      - Runs ping.exe

  Depth 2: C:\Users\Admin\Desktop\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\Desktop\MSDCSC\msdcsc.exe"
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    Depth 3: C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Modifies security service
      - Windows security bypass
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\Desktop\MSDCSC\msdcsc.exe
  Filesize: 748KB
  MD5: 83ee51d85cd4ff8e04993585fa2ffdd4
  SHA1: 2b3001d66cc2a502975f7e0c4688f297ba729e2d
  SHA256: 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6
  SHA512: 715ca23574b7c3ec0882b11f241133386bd86d5f2e2845d7cb488262dfce3c160ccff91bad5baa26fa952eddf024cc8ad9839085dcc22f2b51d0c1cb989fe140
  (size and hashes match the submitted sample exactly: the dropped file is a copy of the original executable)
- memory/544-133-0x0000000000000000-mapping.dmp
- memory/3480-136-0x0000000000000000-mapping.dmp
- memory/5024-132-0x0000000000000000-mapping.dmp