Analysis
- max time kernel: 152s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 16:59
- Static task: static1
- Behavioral task: behavioral1 (Sample: quotations.scr, Resource: win7-20220812-en)
- Behavioral task: behavioral2 (Sample: quotations.scr, Resource: win10v2004-20221111-en)
General
- Target: quotations.scr
- Size: 869KB
- MD5: b3744139e8d3392ae463249ff04f917f
- SHA1: 89094e0d61c52141499bf3d9b71db66486ac7d87
- SHA256: 6d1d93c0f1a984872cb722531f622b103128249e819e43c1378fecf2a58a09bb
- SHA512: f5aaa00fbad5337fda4808adea1d18931a4d5dd2bbc67cf5348f18f3438ca8878e799404b210702f0f0c6ed0c2a24c73ec9e8932d7b02ec7c997c85ed65f2712
- SSDEEP: 12288:1qQADfHsnjusfToB0+cARh97RPyGSTciWBjKchwebSSieLneTO7uA8a:HADfHWyssB0ER1PyUB3GebSSiweq7uA
Malware Config
Extracted family: darkcomet
- Campaign ID: Guest16
- C2: house10i.ddns.net:1604
- Mutex: DC_MUTEX-L6GEJVR
- InstallPath: MSDCSC\msdcsc.exe
- gencode: uvQYcLsQZYrq
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- vbc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"

Executes dropped EXE (5 IoCs)
- PID 4180 msdcsc.exe
- PID 3868 IpOverUsbSvrc.exe
- PID 4772 Acctres.exe
- PID 1640 IpOverUsbSvrc.exe
- PID 2276 IpOverUsbSvrc.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
- takshost.exe: Key value queried \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation
- quotations.scr: Key value queried \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation
- Acctres.exe: Key value queried \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
- vbc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
- IpOverUsbSvrc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IpOverUsbSvrc.exe"

Suspicious use of SetThreadContext (1 IoC)
- PID 4000 quotations.scr set thread context of PID 4248 vbc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 4000 quotations.scr (64 identical entries)

Suspicious behavior: RenamesItself (1 IoC)
- PID 4000 quotations.scr

Suspicious use of AdjustPrivilegeToken (28 IoCs)
- PID 4000 quotations.scr: SeDebugPrivilege
- PID 4248 vbc.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 3868 IpOverUsbSvrc.exe: SeDebugPrivilege
- PID 4772 Acctres.exe: SeDebugPrivilege
- PID 4500 takshost.exe: SeDebugPrivilege

Suspicious use of WriteProcessMemory (47 IoCs)
Unique source/target pairs (repeated entries for the same pair collapsed):
- PID 4000 quotations.scr wrote to memory of PID 4248 vbc.exe
- PID 4248 vbc.exe wrote to memory of PID 5104 notepad.exe
- PID 4248 vbc.exe wrote to memory of PID 4180 msdcsc.exe
- PID 4000 quotations.scr wrote to memory of PID 3868 IpOverUsbSvrc.exe
- PID 3868 IpOverUsbSvrc.exe wrote to memory of PID 4772 Acctres.exe
- PID 4000 quotations.scr wrote to memory of PID 4500 takshost.exe
- PID 4772 Acctres.exe wrote to memory of PID 1640 IpOverUsbSvrc.exe
- PID 4500 takshost.exe wrote to memory of PID 2276 IpOverUsbSvrc.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\quotations.scr
  cmdline: "C:\Users\Admin\AppData\Local\Temp\quotations.scr" /S
  signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: RenamesItself; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    signatures: Modifies WinLogon for persistence; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\notepad.exe
      cmdline: notepad
    - [3] C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
      signatures: Executes dropped EXE
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
      cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
      signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
        signatures: Executes dropped EXE
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
    signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
      signatures: Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\IpOverUsbSvrc.exe.log
  Filesize: 224B
  MD5: c19eb8c8e7a40e6b987f9d2ee952996e
  SHA1: 6fc3049855bc9100643e162511673c6df0f28bfb
  SHA256: 677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a
  SHA512: 860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe (same hashes as the submitted sample)
  Filesize: 869KB
  MD5: b3744139e8d3392ae463249ff04f917f
  SHA1: 89094e0d61c52141499bf3d9b71db66486ac7d87
  SHA256: 6d1d93c0f1a984872cb722531f622b103128249e819e43c1378fecf2a58a09bb
  SHA512: f5aaa00fbad5337fda4808adea1d18931a4d5dd2bbc67cf5348f18f3438ca8878e799404b210702f0f0c6ed0c2a24c73ec9e8932d7b02ec7c997c85ed65f2712
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
  Filesize: 17KB
  MD5: 09b171f5148c39fbc02e59ec67f57a5c
  SHA1: 00d7926037412a5fc22819bb1cfa8d698e9223fe
  SHA256: 6117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1
  SHA512: 5267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d