Analysis
-
max time kernel
7s
-
platform
windows7_x64
-
resource
win7-20221111-en
-
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
-
submitted
23-11-2022 15:33
Static task
static1
Behavioral task
behavioral1
Sample
3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe
Resource
win10v2004-20221111-en
General
-
Target
3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe
-
Size
1.2MB
-
MD5
c6c22cf761ab226e77e8fff7afc24d35
-
SHA1
2237f3dce12a12a6888915f06e18760a6b127087
-
SHA256
3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd
-
SHA512
cff97b775e676450a6d156724c7cbbc5fe5b3fa21beb92152066fbf7ab3d95a4c7c8f88aa037d1eab7d85747a0c27834234b5f22d7ef0b232763c41859905009
-
SSDEEP
24576:BxM1a9MVNGety8u3a5UwlNL20403Dtqji:7sa9Mf79uMW0pqj
Malware Config
Extracted
-
Family
darkcomet
-
Botnet
csgo
-
C2
hyptonix.ddns.net:1604
-
Mutex
DCMIN_MUTEX-BR4A132
-
InstallPath
DCSCMIN\IMDCSC.exe
-
gencode
YwRoYaRknJKS
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
DarkComet RAT
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: winlogon.exe (the level-3 winlogon.exe in the process tree, PID 1564)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" winlogon.exe
On a clean system UserInit holds only C:\Windows\system32\userinit.exe, and winlogon.exe launches every comma-separated entry at each interactive logon, so the appended IMDCSC.exe (the InstallPath from the extracted config) starts with every logon independently of the Run keys below. The extracted config reports persistence = false, yet both this write and the Run keys were observed in the run: treat the config flag as informational and scope cleanup on the observed writes.
-
Executes dropped EXE 4 IoCs
Processes: winlogon.exe, winlogon.exe, csrss.exe, IMDCSC.exe
PID 472 winlogon.exe
PID 1564 winlogon.exe
PID 836 csrss.exe
PID 1972 IMDCSC.exe
-
YARA rule match (upx) 6 IoCs
Resource / rule:
behavioral1/memory/1564-72-0x0000000000400000-0x00000000004B7000-memory.dmp upx
behavioral1/memory/1564-75-0x0000000000400000-0x00000000004B7000-memory.dmp upx
behavioral1/memory/1564-77-0x0000000000400000-0x00000000004B7000-memory.dmp upx
behavioral1/memory/1564-82-0x0000000000400000-0x00000000004B7000-memory.dmp upx
behavioral1/memory/1564-83-0x0000000000400000-0x00000000004B7000-memory.dmp upx
behavioral1/memory/1564-84-0x0000000000400000-0x00000000004B7000-memory.dmp upx
All six matches are the same 732KB image range (0x400000-0x4B7000) in PID 1564, the process whose thread context is set by PID 472 below.
-
Loads dropped DLL 4 IoCs
Processes: 3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe, winlogon.exe, winlogon.exe
PID 2040 3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe
PID 472 winlogon.exe (2 IoCs)
PID 1564 winlogon.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: winlogon.exe, winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" winlogon.exe
Two Run values named Winlogon (one under the sandbox user's SID, one under HKLM, which lands in Wow6432Node because a 32-bit process on a 64-bit guest sees the redirected HKLM\SOFTWARE view) launch the winlogon.exe copy in AppData\Roaming. The third value, DarkComet RAT, is the reg_key from the extracted config and launches the DarkComet install path. Both value names and the binary names winlogon.exe/csrss.exe imitate Windows components while pointing into user-writable directories.
-
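The registry writes listed under the Winlogon and Run-key signatures above are the data a persistence audit runs on. The Python below is an added example, not code from the report or from any sandbox: it parses the four Set value lines (copied verbatim into SET_VALUE_LINES) and flags the two things a responder should check for each, namely a Winlogon UserInit value that lists anything beyond the default userinit.exe, and a Run value that points into a user-writable directory or reuses the name of a core Windows binary outside \Windows. The function names, the USER_WRITABLE fragments and the SYSTEM_NAMES list are assumptions chosen for this example.

```python
"""Audit autostart registry writes recorded by a sandbox run.

Added example, not code from the report or the sandbox. SET_VALUE_LINES are the
four "Set value (str)" IoCs from the report, copied verbatim; the function names,
USER_WRITABLE and SYSTEM_NAMES are assumptions made for this example.
"""
import re
from dataclasses import dataclass, field

SET_VALUE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" winlogon.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" winlogon.exe',
]

# Report line layout: Set value (<type>) <key>\<value name> = "<data>" <process>
LINE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+?) = "(?P<data>.*)" (?P<proc>\S+)$')

# A clean Windows install has exactly this UserInit entry (a trailing comma is normal).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
# Assumption: path fragments that a standard user can write under.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# Assumption: names of core Windows binaries that never legitimately run from outside \Windows.
SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "userinit.exe", "lsass.exe", "svchost.exe", "explorer.exe"}


@dataclass
class Finding:
    key: str
    name: str
    data: str
    process: str
    reasons: list = field(default_factory=list)


def parse_set_value(line):
    """Split one report line into key, value name, data and the writing process."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised line: %r" % line)
    rec = m.groupdict()
    rec["data"] = rec["data"].replace("\\\\", "\\")  # the report doubles backslashes inside data
    return rec


def userinit_extras(data):
    """Entries in a Winlogon UserInit value other than the default userinit.exe."""
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return [e for e in entries if e.lower() != DEFAULT_USERINIT]


def audit(lines):
    """Return one Finding per suspicious autostart write, with the reasons it tripped."""
    findings = []
    for line in lines:
        rec = parse_set_value(line)
        key_l, path_l = rec["key"].lower(), rec["data"].lower()
        f = Finding(rec["key"], rec["name"], rec["data"], rec["proc"])
        if key_l.endswith("\\winlogon") and rec["name"].lower() == "userinit":
            extras = userinit_extras(rec["data"])
            if extras:
                f.reasons.append("Winlogon UserInit carries extra entries: %s" % ", ".join(extras))
        elif "\\currentversion\\run" in key_l:
            if any(frag in path_l for frag in USER_WRITABLE):
                f.reasons.append("Run value points into a user-writable directory")
            basename = path_l.rsplit("\\", 1)[-1]
            if basename in SYSTEM_NAMES and "\\windows\\" not in path_l:
                f.reasons.append("binary name %s masquerades as a core Windows process" % basename)
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit(SET_VALUE_LINES):
        print(f.key + "\\" + f.name, "->", f.data)
        for reason in f.reasons:
            print("   ", reason)
```

Against the four lines from this report the audit returns four findings: the UserInit write (one extra entry, IMDCSC.exe), both Winlogon Run values (user-writable path and a masqueraded system binary name) and the DarkComet RAT Run value (user-writable path). The same checks apply to live hosts if you feed them the output of a registry export instead of the sandbox lines; only parse_set_value is specific to this report format.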
Suspicious use of SetThreadContext 1 IoCs
Processes: winlogon.exe
PID 472 (winlogon.exe) set thread context of PID 1564 (winlogon.exe)
Read together with the WriteProcessMemory entries below (472 wrote to 1564 eight times, twice the four writes every other child in this run received) and the six UPX-matching dumps of 0x400000-0x4B7000 in PID 1564, this is consistent with process hollowing: the parent starts a second copy of itself, overwrites its image and points its thread at the new code. Every file on disk in this run is a byte-identical copy of the sample (see Downloads), so the unpacked code exists only in PID 1564's memory.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Caveat: "likely ransomware" is the sandbox's generic description for this signature. Nothing else in this report (no file modification or encryption activity) supports ransomware; the extracted configuration identifies the payload as DarkComet, a remote-access trojan, and enumerating drives is consistent with a RAT's file-browsing and victim-profiling features.
-
NTFS ADS 5 IoCs
Processes: winlogon.exe, cmd.exe, 3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe, cmd.exe, winlogon.exe
description | ioc | process
File created | C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe\:ZONE.identifier:$DATA | winlogon.exe
File created | C:\Users\Admin\AppData\Local\Temp\3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe:ZONE.identifier | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe\:ZONE.identifier:$DATA | 3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe:ZONE.identifier | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe\:ZONE.identifier:$DATA | winlogon.exe
The cmd.exe entries are the "echo [zoneTransfer]ZoneID = 2 > file:ZONE.identifier" commands in the process tree. The > redirection truncates the stream, so any mark-of-the-web (ZoneId=3, Internet) the file carried is replaced; the value written, 2, is the Trusted sites zone. The text is written on a single line rather than as a [ZoneTransfer] section followed by a ZoneId line, so whether Windows reads it as zone 2 is not something this report establishes; the removal of the existing mark is.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: 3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe, winlogon.exe
PID 2040 3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe (2 IoCs)
PID 472 winlogon.exe (4 IoCs)
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
Processes: 3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe, winlogon.exe, winlogon.exe
PID 2040 3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe: SeDebugPrivilege
PID 472 winlogon.exe: SeDebugPrivilege (2 IoCs)
PID 1564 winlogon.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 IoCs)
The bare numbers are privilege LUIDs the sandbox did not resolve: 33 is SeIncreaseWorkingSetPrivilege, 34 is SeTimeZonePrivilege and 35 is SeCreateSymbolicLinkPrivilege. PID 1564 enables the whole set, in LUID order, which is what a loop calling AdjustTokenPrivileges for every privilege in the token produces; it is a useful behavioural marker because legitimate software enables the one privilege it needs. SeDebugPrivilege, enabled by 2040 and 472, is the privilege that lets a process open arbitrary other processes for writing.
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes: 3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe, winlogon.exe, winlogon.exe
PID 2040 3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe wrote to memory of PID 588 cmd.exe (4 IoCs)
PID 2040 3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe wrote to memory of PID 472 winlogon.exe (4 IoCs)
PID 472 winlogon.exe wrote to memory of PID 1016 cmd.exe (4 IoCs)
PID 472 winlogon.exe wrote to memory of PID 1564 winlogon.exe (8 IoCs)
PID 472 winlogon.exe wrote to memory of PID 836 csrss.exe (4 IoCs)
PID 1564 winlogon.exe wrote to memory of PID 1972 IMDCSC.exe (4 IoCs)
Processes
-
Tree as recorded by the sandbox; the bracketed number is the nesting level from the original (1 to 5) and the PIDs are taken from the signature entries above (the PID of the last cmd.exe is not recorded anywhere in the report). cmd.exe runs from C:\Windows\SysWOW64 although the command line names System32: the sample is a 32-bit process on a 64-bit guest, so WOW64 redirects the path.

[1] C:\Users\Admin\AppData\Local\Temp\3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe (PID 2040)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe"
    - Loads dropped DLL
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe (PID 588)
        Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe":ZONE.identifier & exit
        - NTFS ADS

    [2] C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 472)
        Command line: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - NTFS ADS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe (PID 1016)
            Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe":ZONE.identifier & exit
            - NTFS ADS

        [3] C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1564)
            Command line: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - NTFS ADS
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe (PID 1972)
                Command line: "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
                - Executes dropped EXE

                [5] C:\Windows\SysWOW64\cmd.exe (PID not recorded)
                    Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe":ZONE.identifier & exit

        [3] C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe (PID 836)
            Command line: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe" -keyhide -prochide 1564 -reg C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe -proc 1564 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
            - Executes dropped EXE

The csrss.exe copy is started with arguments naming PID 1564 and the winlogon.exe copy (-prochide, -proc, -reg, -keyhide); the report records no behaviour for this process beyond its execution, so what those switches do is not established here. The chain the report does establish is: the sample copies itself to AppData\Roaming as winlogon.exe, that copy hollows a second instance of itself (PID 1564), and the hollowed instance installs the DarkComet path IMDCSC.exe, sets the Run and UserInit values, and launches it.
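The three cmd.exe lines in the tree all do the same thing: overwrite a dropped file's Zone.Identifier stream with one line of text. The Python below is an added example, not code from the report or the malware: it extracts the target file and the written text from such a command line, parses Zone.Identifier content in both the well-formed layout a browser download carries and the single-line form this sample writes, and describes what the overwrite did to the mark-of-the-web. The two stream samples are constructed (ORIGINAL_MOTW is a typical download stream with an invented HostUrl; ECHOED is what cmd.exe's echo produces for the report's command, i.e. the argument text including the space before > followed by CRLF), REPORT_CMDLINE is copied from the tree, and the zone names are the Windows URLZONE values.

```python
"""Parse Zone.Identifier stream contents and the cmd.exe rewrite seen in the report.

Added example; not code from the report or from the malware. ORIGINAL_MOTW and
ECHOED are constructed stream contents, REPORT_CMDLINE is one of the cmd.exe
lines from the process tree, verbatim.
"""
import re

ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed: the layout a browser-downloaded file normally carries.
ORIGINAL_MOTW = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/x.exe\r\n"
# Constructed: what `echo [zoneTransfer]ZoneID = 2 > file` writes (text, trailing space, CRLF).
ECHOED = "[zoneTransfer]ZoneID = 2 \r\n"

# From the report's process tree, verbatim.
REPORT_CMDLINE = (r'"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > '
                  r'"C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe":ZONE.identifier & exit')

# echo <payload>> [ "]<target>["]:Zone.Identifier ; payload keeps everything up to the '>'.
CMDLINE_RE = re.compile(
    r'echo\s+(?P<payload>\[zonetransfer\][^>]*)>\s*"?(?P<target>[^"]+?)"?:zone\.identifier',
    re.IGNORECASE)


def parse_zone_identifier(text):
    """Return (zone_id, well_formed).

    well_formed is True only when the stream is laid out as an INI section with
    [ZoneTransfer] alone on its first line, which is how Windows writes it. For
    anything else a ZoneId is still recovered so the analyst sees what the
    writer intended, but it is reported as malformed.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    well_formed = bool(lines) and lines[0].lower() == "[zonetransfer]"
    if well_formed:
        for line in lines[1:]:
            key, _, val = line.partition("=")
            if key.strip().lower() == "zoneid" and val.strip().isdigit():
                return int(val.strip()), True
        return None, True
    m = re.search(r"zoneid\s*=\s*(\d+)", text, re.IGNORECASE)
    return (int(m.group(1)) if m else None), False


def zone_rewrite_from_cmdline(cmdline):
    """Extract (target file, text written) from an 'echo ... > file:Zone.Identifier' line."""
    m = CMDLINE_RE.search(cmdline)
    if not m:
        return None
    # cmd.exe echo emits the argument text up to the redirection operator, then CRLF.
    return m.group("target"), m.group("payload") + "\r\n"


def describe_overwrite(before, after):
    """List what replacing stream content 'before' with 'after' did to the mark-of-the-web."""
    before_id, _ = parse_zone_identifier(before)
    after_id, after_ok = parse_zone_identifier(after)
    notes = []
    if before_id == 3 and after_id != 3:
        notes.append("mark-of-the-web (ZoneId=3) removed")
    if after_id is not None and after_id < 3:
        notes.append("stream now claims zone %d (%s)" % (after_id, ZONES[after_id]))
    if not after_ok:
        notes.append("written stream is not a well-formed [ZoneTransfer] section")
    return notes


if __name__ == "__main__":
    target, written = zone_rewrite_from_cmdline(REPORT_CMDLINE)
    print("target:", target)
    for note in describe_overwrite(ORIGINAL_MOTW, written):
        print(" -", note)
```

For the report's command the function recovers the winlogon.exe copy as the target and the single-line text as what was written; describing the overwrite against a normal download stream yields three notes: the Internet-zone mark is gone, the stream now claims the Trusted sites zone, and the content is not a well-formed section. In a detection pipeline the command-line regex is the cheap part; the stream parser is what lets you distinguish a legitimate Unblock (ZoneId removed by the shell, stream deleted) from this kind of rewrite.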
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
Dropped files. Every file written to disk in this run has the same size and hashes as the submitted sample: the sample copies itself rather than dropping a distinct second-stage binary, so one hash set covers all of them as a disk IoC, and the unpacked payload exists only in memory (see the PID 1564 dumps below).
Filesize 1.2MB
MD5 c6c22cf761ab226e77e8fff7afc24d35
SHA1 2237f3dce12a12a6888915f06e18760a6b127087
SHA256 3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd
SHA512 cff97b775e676450a6d156724c7cbbc5fe5b3fa21beb92152066fbf7ab3d95a4c7c8f88aa037d1eab7d85747a0c27834234b5f22d7ef0b232763c41859905009
Paths:
C:\Users\Admin\AppData\Local\Temp\3f2e96dbf09c90ebd5f20685666ec16416005c794223813ada85208c2a1837cd.exe
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe
\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
-
Memory dumps (dump name, size), grouped by PID:
memory/2040-54-0x0000000075891000-0x0000000075893000-memory.dmp 8KB
memory/2040-55-0x0000000073EC0000-0x000000007446B000-memory.dmp 5.7MB
memory/2040-56-0x0000000000B26000-0x0000000000B37000-memory.dmp 68KB
memory/2040-64-0x0000000073EC0000-0x000000007446B000-memory.dmp 5.7MB
memory/2040-65-0x0000000000B26000-0x0000000000B37000-memory.dmp 68KB
memory/588-57-0x0000000000000000-mapping.dmp
memory/472-60-0x0000000000000000-mapping.dmp
memory/472-66-0x0000000000AD6000-0x0000000000AE7000-memory.dmp 68KB
memory/472-67-0x0000000073EC0000-0x000000007446B000-memory.dmp 5.7MB
memory/472-91-0x0000000000AD6000-0x0000000000AE7000-memory.dmp 68KB
memory/472-96-0x0000000073EC0000-0x000000007446B000-memory.dmp 5.7MB
memory/1016-68-0x0000000000000000-mapping.dmp
memory/1564-71-0x0000000000400000-0x00000000004B7000-memory.dmp 732KB
memory/1564-72-0x0000000000400000-0x00000000004B7000-memory.dmp 732KB
memory/1564-75-0x0000000000400000-0x00000000004B7000-memory.dmp 732KB
memory/1564-77-0x0000000000400000-0x00000000004B7000-memory.dmp 732KB
memory/1564-79-0x00000000004B56D0-mapping.dmp
memory/1564-82-0x0000000000400000-0x00000000004B7000-memory.dmp 732KB
memory/1564-83-0x0000000000400000-0x00000000004B7000-memory.dmp 732KB
memory/1564-84-0x0000000000400000-0x00000000004B7000-memory.dmp 732KB
memory/836-86-0x0000000000000000-mapping.dmp
memory/836-99-0x0000000073EC0000-0x000000007446B000-memory.dmp 5.7MB
memory/1972-92-0x0000000000000000-mapping.dmp
memory/1972-97-0x0000000073EC0000-0x000000007446B000-memory.dmp 5.7MB
memory/1972-98-0x0000000000966000-0x0000000000977000-memory.dmp 68KB
The seven 732KB dumps of 0x400000-0x4B7000 in PID 1564 are the image written into the hollowed process; six of them matched the upx YARA rule, and the mapping recorded at 0x4B56D0 falls inside that range. These are the dumps to pull for static analysis of the unpacked payload. The same 5.7MB region at 0x73EC0000-0x7446B000 appears in PIDs 2040, 472, 836 and 1972, i.e. one module mapped into every copy of the sample that ran from disk.