Analysis
max time kernel: 152s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 22:57
Behavioral task: behavioral1
Sample: 2cfe915e1498dd8ac3643ddc5812f5731d6ecc7d0efde6ad9a9bf35bcb735d0a.exe
Resource: win7-20220812-en
General
Target: 2cfe915e1498dd8ac3643ddc5812f5731d6ecc7d0efde6ad9a9bf35bcb735d0a.exe
Size: 5.5MB
MD5: 564218aa29b51a220144e9d060d1252a
SHA1: 9168cca0beea91546fb15a7b936e66d1668015e1
SHA256: 2cfe915e1498dd8ac3643ddc5812f5731d6ecc7d0efde6ad9a9bf35bcb735d0a
SHA512: 2cd1418e7611b40c524a01d8e3ba6684c96b462690b0915c807ddb60b5d49090125e8fdc8c4bffc435d1add68d82d4094d48c74bd689f00e05d486cbfe6c03bc
SSDEEP: 98304:rwaQ8ZDJgyslyzoXmaErfYCNmkv5D2PFpuxvnkyyhAuax5O1RVidVSe8+QU/:rwaQ8ZDJw/WdftNnv5D29p0kyVuaO1Rn
Malware Config
Extracted
Family: darkcomet
Botnet: Danijela
C2: jebozovan.no-ip.org:81
Mutex: DC_MUTEX-KQRQZPG
InstallPath: MSDCSC\msdcsc.exe
gencode: v7PAnw881ZWq
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: MP4.EXE
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (MP4.EXE)

Executes dropped EXE (2 IoCs)
Processes: MP4.EXE, msdcsc.exe
  PID 5112 MP4.EXE
  PID 4492 msdcsc.exe

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
  PID 612 attrib.exe
  PID 1448 attrib.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 2cfe915e1498dd8ac3643ddc5812f5731d6ecc7d0efde6ad9a9bf35bcb735d0a.exe, MP4.EXE
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (2cfe915e1498dd8ac3643ddc5812f5731d6ecc7d0efde6ad9a9bf35bcb735d0a.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (MP4.EXE)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: MP4.EXE, msdcsc.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (MP4.EXE)
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (msdcsc.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (2 IoCs)
Processes: MP4.EXE, 2cfe915e1498dd8ac3643ddc5812f5731d6ecc7d0efde6ad9a9bf35bcb735d0a.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (MP4.EXE)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings (2cfe915e1498dd8ac3643ddc5812f5731d6ecc7d0efde6ad9a9bf35bcb735d0a.exe)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: vlc.exe
  PID 4364 vlc.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: vlc.exe, msdcsc.exe
  PID 4364 vlc.exe
  PID 4492 msdcsc.exe

Suspicious use of AdjustPrivilegeToken (52 IoCs)
Processes: MP4.EXE, msdcsc.exe, AUDIODG.EXE, vlc.exe
  PID 5112 MP4.EXE, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 4492 msdcsc.exe, tokens: the same 24 privileges as PID 5112 MP4.EXE, in the same order
  PID 3860 AUDIODG.EXE, tokens: 33, SeIncBasePriorityPrivilege
  PID 4364 vlc.exe, tokens: 33, SeIncBasePriorityPrivilege

Suspicious use of FindShellTrayWindow (24 IoCs)
Processes: vlc.exe
  PID 4364 vlc.exe (24 occurrences)

Suspicious use of SendNotifyMessage (7 IoCs)
Processes: vlc.exe
  PID 4364 vlc.exe (7 occurrences)

Suspicious use of SetWindowsHookEx (5 IoCs)
Processes: vlc.exe, msdcsc.exe
  PID 4364 vlc.exe (4 occurrences)
  PID 4492 msdcsc.exe (1 occurrence)

Suspicious use of WriteProcessMemory (42 IoCs)
Processes: 2cfe915e1498dd8ac3643ddc5812f5731d6ecc7d0efde6ad9a9bf35bcb735d0a.exe, MP4.EXE, cmd.exe, cmd.exe, msdcsc.exe
  PID 4028 2cfe915e1498dd8ac3643ddc5812f5731d6ecc7d0efde6ad9a9bf35bcb735d0a.exe wrote to memory of PID 4364 vlc.exe (2 occurrences)
  PID 4028 2cfe915e1498dd8ac3643ddc5812f5731d6ecc7d0efde6ad9a9bf35bcb735d0a.exe wrote to memory of PID 5112 MP4.EXE (3 occurrences)
  PID 5112 MP4.EXE wrote to memory of PID 4236 cmd.exe (3 occurrences)
  PID 5112 MP4.EXE wrote to memory of PID 5100 cmd.exe (3 occurrences)
  PID 5100 cmd.exe wrote to memory of PID 612 attrib.exe (3 occurrences)
  PID 4236 cmd.exe wrote to memory of PID 1448 attrib.exe (3 occurrences)
  PID 5112 MP4.EXE wrote to memory of PID 4492 msdcsc.exe (3 occurrences)
  PID 4492 msdcsc.exe wrote to memory of PID 4220 notepad.exe (22 occurrences)

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe, attrib.exe
  PID 612 attrib.exe
  PID 1448 attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2cfe915e1498dd8ac3643ddc5812f5731d6ecc7d0efde6ad9a9bf35bcb735d0a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2cfe915e1498dd8ac3643ddc5812f5731d6ecc7d0efde6ad9a9bf35bcb735d0a.exe"
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory

  C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\10659678_611934625585217_1729858071_N.MP4"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\MP4.EXE
  Command line: "C:\Users\Admin\AppData\Local\Temp\MP4.EXE"
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\MP4.EXE" +s +h
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\MP4.EXE" +s +h
      - Sets file to hidden
      - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes

    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\notepad.exe
      Command line: notepad

C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x3fc 0x490
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\10659678_611934625585217_1729858071_N.MP4
Filesize: 4.8MB
MD5: 59b96cc342be62284bbb61034ecac637
SHA1: 08c3cd9dff1e984d404c6d27713b3c6240c303fe
SHA256: a53fb6945371857d91ff6af4ff5ed4e5209a085a78590b0aaf508bf9866a64d8
SHA512: 857fa98335f8312193ec5ab8a86ed7d231c9f2eaebe5390ce7e42332e59555935610d351081bbb42bd77f8365a61fb35b2da185f0ab2cd599109243a0d69dd3f

C:\Users\Admin\AppData\Local\Temp\MP4.EXE
Filesize: 658KB
MD5: 2be3505116f8113795bf495486b94e35
SHA1: a5e3be49d4cf80c22e0dc7af491340fc1181e029
SHA256: 9b56811a9e3d61828afaf142f95164cd31ca7f9f55f097f11c4ac05f3d9d5bec
SHA512: 0a91560d262d86935c126af1a7cefb1ef454c97dc19ec7eeee65026872af7c2e998535c23c845adc6b6cbce7ba1afd26b4d04567794607e7f80d3ed35d97c452

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize: 658KB
MD5: 2be3505116f8113795bf495486b94e35
SHA1: a5e3be49d4cf80c22e0dc7af491340fc1181e029
SHA256: 9b56811a9e3d61828afaf142f95164cd31ca7f9f55f097f11c4ac05f3d9d5bec
SHA512: 0a91560d262d86935c126af1a7cefb1ef454c97dc19ec7eeee65026872af7c2e998535c23c845adc6b6cbce7ba1afd26b4d04567794607e7f80d3ed35d97c452

- memory/612-140-0x0000000000000000-mapping.dmp
- memory/1448-141-0x0000000000000000-mapping.dmp
- memory/4220-145-0x0000000000000000-mapping.dmp
- memory/4236-138-0x0000000000000000-mapping.dmp
- memory/4364-133-0x0000000000000000-mapping.dmp
- memory/4492-142-0x0000000000000000-mapping.dmp
- memory/5100-139-0x0000000000000000-mapping.dmp
- memory/5112-134-0x0000000000000000-mapping.dmp