Analysis
-
Max time kernel: 151s
Max time network: 46s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 25-11-2022 09:34
Behavioral task: behavioral1
Sample: 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe
Resource: win7-20220812-en
General
-
Target: 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe
Size: 658KB
MD5: 95f8e456ac2d3c5a86b002596fb9015c
SHA1: 902684ac2da80970b8d37a683485a8645d10468f
SHA256: 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111
SHA512: 5820bb9fb23e009770f3aa5003b347a7d5730a24eb66eb7380c7b10e4adc679e0491de1bd47002a32985f3bb999e1f340de47905f5a32e9592f1f89934f32b6d
SSDEEP: 12288:e9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hE:qZ1xuVVjfFoynPaVBUR8f+kN10EB2
Malware Config
Extracted
Family: darkcomet
All
C2: deeside.ddns.net:1604
Mutex: DC_MUTEX-Q7AJXN5
InstallPath: MSDCSC\msdcsc.exe
gencode: Xdh5jBJVLZA4
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
-
Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: msdcsc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
-
Modifies security service (2 TTPs, 1 IoC)
Process: msdcsc.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
-
Windows security bypass
Process: msdcsc.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
-
Disables RegEdit via registry modification (1 IoC)
Process: msdcsc.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
-
Executes dropped EXE (1 IoC)
Process: msdcsc.exe (PID 1728)
-
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe (PID 1996), attrib.exe (PID 2020)
-
Loads dropped DLL (2 IoCs)
Process: 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe (PID 1472), recorded twice
-
Windows security modification
Process: msdcsc.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe, msdcsc.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" (by 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" (by msdcsc.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: msdcsc.exe (PID 1728)
-
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Process 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe (PID 1472) adjusted these 23 token privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Process msdcsc.exe (PID 1728) adjusted the same 23 token privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
-
Suspicious use of SetWindowsHookEx (1 IoC)
Process: msdcsc.exe (PID 1728)
-
Suspicious use of WriteProcessMemory (43 IoCs)
Processes: 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe, cmd.exe, cmd.exe, msdcsc.exe
Source process wrote to memory of target process (number of recorded events):
  PID 1472 (2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe) wrote to memory of PID 1500 (cmd.exe): 4
  PID 1472 (2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe) wrote to memory of PID 956 (cmd.exe): 4
  PID 1500 (cmd.exe) wrote to memory of PID 1996 (attrib.exe): 4
  PID 956 (cmd.exe) wrote to memory of PID 2020 (attrib.exe): 4
  PID 1472 (2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe) wrote to memory of PID 1728 (msdcsc.exe): 4
  PID 1728 (msdcsc.exe) wrote to memory of PID 1992 (notepad.exe): 23
-
System policy modification (1 TTP, 3 IoCs)
Process: msdcsc.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
-
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe (PID 1996), attrib.exe (PID 2020)
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe (PID 1472, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe"
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\cmd.exe (PID 1500, depth 2, child of PID 1472)
  Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe" +s +h
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\attrib.exe (PID 1996, depth 3, child of PID 1500)
    Command line: attrib "C:\Users\Admin\AppData\Local\Temp\2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe" +s +h
    - Sets file to hidden
    - Views/modifies file attributes
-
  C:\Windows\SysWOW64\cmd.exe (PID 956, depth 2, child of PID 1472)
  Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\attrib.exe (PID 2020, depth 3, child of PID 956)
    Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Sets file to hidden
    - Views/modifies file attributes
-
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (PID 1728, depth 2, child of PID 1472)
  Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
  - Modifies firewall policy service
  - Modifies security service
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  -
    C:\Windows\SysWOW64\notepad.exe (PID 1992, depth 3, child of PID 1728)
    Command line: notepad
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (also recorded as \Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe)
Filesize: 658KB
MD5: 95f8e456ac2d3c5a86b002596fb9015c
SHA1: 902684ac2da80970b8d37a683485a8645d10468f
SHA256: 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111
SHA512: 5820bb9fb23e009770f3aa5003b347a7d5730a24eb66eb7380c7b10e4adc679e0491de1bd47002a32985f3bb999e1f340de47905f5a32e9592f1f89934f32b6d
Size and all four hashes are identical to those of the submitted sample in the General section.
-
memory/956-56-0x0000000000000000-mapping.dmp
-
memory/1472-54-0x0000000074D61000-0x0000000074D63000-memory.dmp
Filesize: 8KB
-
memory/1500-55-0x0000000000000000-mapping.dmp
-
memory/1728-61-0x0000000000000000-mapping.dmp
-
memory/1992-65-0x0000000000000000-mapping.dmp
-
memory/1996-57-0x0000000000000000-mapping.dmp
-
memory/2020-58-0x0000000000000000-mapping.dmp