Analysis
- max time kernel: 196s
- max time network: 200s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 08:34
Behavioral task: behavioral1
- Sample: 5ef891b82e3bf3810d99ac3535d070c3b4615adfcac5d158a3b5b8ea369d9190.exe
- Resource: win7-20220901-en
General
- Target: 5ef891b82e3bf3810d99ac3535d070c3b4615adfcac5d158a3b5b8ea369d9190.exe
- Size: 658KB
- MD5: f7bf4b5a76924169cc5bf45cf23902b9
- SHA1: 3cbcd664a2b51eba71c9efe113e15515e9c900c1
- SHA256: 5ef891b82e3bf3810d99ac3535d070c3b4615adfcac5d158a3b5b8ea369d9190
- SHA512: cdedf956f723bd20f723cb9892d684af18fef9a58eeb67939b04fdd96e18c216adef58a7ab22ab39a6b77d182eb8fdd1e63b936d980d3c5aa3e296661a88a222
- SSDEEP: 12288:C9HMeUmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyFQ:uiBIGkbxqEcjsWiDxguehC2Sr
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: 192.168.2.196:1604
- Mutex: DC_MUTEX-1CRTNX9
- InstallPath: MSDCSC\msdcsc.exe
- gencode: gh7aHBKiofzL
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 5ef891b82e3bf3810d99ac3535d070c3b4615adfcac5d158a3b5b8ea369d9190.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Executes dropped EXE (1 IoC)
  Process: msdcsc.exe (PID 4308)
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes: attrib.exe (PID 5092), attrib.exe (PID 4728)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: 5ef891b82e3bf3810d99ac3535d070c3b4615adfcac5d158a3b5b8ea369d9190.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 5ef891b82e3bf3810d99ac3535d070c3b4615adfcac5d158a3b5b8ea369d9190.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Process: 5ef891b82e3bf3810d99ac3535d070c3b4615adfcac5d158a3b5b8ea369d9190.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: 5ef891b82e3bf3810d99ac3535d070c3b4615adfcac5d158a3b5b8ea369d9190.exe (PID 1800), msdcsc.exe (PID 4308)
  Each of the two processes adjusted the same 24 token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the numerically reported privileges 33, 34, 35 and 36.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: msdcsc.exe (PID 4308)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: 5ef891b82e3bf3810d99ac3535d070c3b4615adfcac5d158a3b5b8ea369d9190.exe, cmd.exe, cmd.exe
  PID 1800 (5ef891b82e3bf3810d99ac3535d070c3b4615adfcac5d158a3b5b8ea369d9190.exe) wrote to memory of PID 4696 (cmd.exe): 3 times
  PID 1800 (5ef891b82e3bf3810d99ac3535d070c3b4615adfcac5d158a3b5b8ea369d9190.exe) wrote to memory of PID 1352 (cmd.exe): 3 times
  PID 4696 (cmd.exe) wrote to memory of PID 4728 (attrib.exe): 3 times
  PID 1352 (cmd.exe) wrote to memory of PID 5092 (attrib.exe): 3 times
  PID 1800 (5ef891b82e3bf3810d99ac3535d070c3b4615adfcac5d158a3b5b8ea369d9190.exe) wrote to memory of PID 4308 (msdcsc.exe): 3 times
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe (PID 5092), attrib.exe (PID 4728)
Processes
C:\Users\Admin\AppData\Local\Temp\5ef891b82e3bf3810d99ac3535d070c3b4615adfcac5d158a3b5b8ea369d9190.exe (PID 1800, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ef891b82e3bf3810d99ac3535d070c3b4615adfcac5d158a3b5b8ea369d9190.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 4696, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\5ef891b82e3bf3810d99ac3535d070c3b4615adfcac5d158a3b5b8ea369d9190.exe" +s +h
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe (PID 4728, depth 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\5ef891b82e3bf3810d99ac3535d070c3b4615adfcac5d158a3b5b8ea369d9190.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe (PID 1352, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe (PID 5092, depth 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 4308, depth 2)
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 658KB
  MD5: f7bf4b5a76924169cc5bf45cf23902b9
  SHA1: 3cbcd664a2b51eba71c9efe113e15515e9c900c1
  SHA256: 5ef891b82e3bf3810d99ac3535d070c3b4615adfcac5d158a3b5b8ea369d9190
  SHA512: cdedf956f723bd20f723cb9892d684af18fef9a58eeb67939b04fdd96e18c216adef58a7ab22ab39a6b77d182eb8fdd1e63b936d980d3c5aa3e296661a88a222
- memory/1352-133-0x0000000000000000-mapping.dmp
- memory/4308-136-0x0000000000000000-mapping.dmp
- memory/4696-132-0x0000000000000000-mapping.dmp
- memory/4728-134-0x0000000000000000-mapping.dmp
- memory/5092-135-0x0000000000000000-mapping.dmp