Analysis
max time kernel: 157s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 09:34

Behavioral task: behavioral1
Sample: 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe
Resource: win7-20220812-en
General
Target: 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe
Size: 658KB
MD5: 95f8e456ac2d3c5a86b002596fb9015c
SHA1: 902684ac2da80970b8d37a683485a8645d10468f
SHA256: 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111
SHA512: 5820bb9fb23e009770f3aa5003b347a7d5730a24eb66eb7380c7b10e4adc679e0491de1bd47002a32985f3bb999e1f340de47905f5a32e9592f1f89934f32b6d
SSDEEP: 12288:e9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hE:qZ1xuVVjfFoynPaVBUR8f+kN10EB2
Malware Config
Extracted
Family: darkcomet
Botnet: All
C2: deeside.ddns.net:1604
Mutex: DC_MUTEX-Q7AJXN5
Attributes:
  InstallPath: MSDCSC\msdcsc.exe
  gencode: Xdh5jBJVLZA4
  install: true
  offline_keylogger: true
  persistence: true
  reg_key: MicroUpdate

The extracted fields line up with the runtime behaviour recorded under Signatures: InstallPath is where the dropper copies itself (%TEMP%\MSDCSC\msdcsc.exe), reg_key is the value name it writes under the Run key, persistence corresponds to the Winlogon UserInit edit, and offline_keylogger to the SetWindowsHookEx and GetForegroundWindow activity of the installed copy. The mutex name is the host-side marker that a DarkComet instance is already running.
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
  The legitimate userinit.exe entry is kept first and the payload is appended after the comma, so every interactive logon starts msdcsc.exe next to userinit. The Winlogon key is shared between the 32-bit and 64-bit registry views (no WOW6432Node in the logged path), so this write from the 32-bit dropper is effective. Any UserInit value with more than the single userinit.exe entry is worth an alert.

Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process: msdcsc.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  The operative change is EnableFirewall = 0 for the standard profile; DisableNotifications = 0 leaves firewall notifications switched on.

Modifies security service (2 TTPs, 1 IoC)
  Process: msdcsc.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
  Start = 4 is SERVICE_DISABLED: the Security Center service (wscsvc) will not start at the next boot.

Windows security bypass
  Process: msdcsc.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  The WOW6432Node path shows these writes from the 32-bit payload were redirected by the registry redirector; the native 64-bit Security Center key was not modified, so the values are a good artifact but do not suppress anything on this x64 image.

Disables RegEdit via registry modification (1 IoC)
  Process: msdcsc.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Executes dropped EXE (1 IoC)
  Process: msdcsc.exe (PID 888)

Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes: attrib.exe (PID 4336), attrib.exe (PID 4388)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe
  Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation

Windows security modification
  Process: msdcsc.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe, msdcsc.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" (written by the dropper)
  Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" (written again by msdcsc.exe)
  The value name MicroUpdate is the reg_key from the extracted config; the installed copy rewrites it on start-up.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature; for a DarkComet RAT, drive enumeration is ordinary host reconnaissance and the sample shows no encryption activity.

Modifies registry class (1 IoC)
  Process: 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: msdcsc.exe (PID 888)

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe (PID 432), msdcsc.exe (PID 888)
  Each of the two processes enables the same 24 privileges on its own token:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the unnamed privilege LUIDs 33, 34, 35 and 36.
  Enabling every privilege the token holds in one sweep, rather than the one or two an application actually needs, is the pattern to alert on. The sample ran as the sandbox's Admin user, which is why privileges such as SeDebugPrivilege and SeLoadDriverPrivilege were available to enable at all.

Suspicious use of SetWindowsHookEx (1 IoC)
  Process: msdcsc.exe (PID 888)
  Together with the GetForegroundWindow polling above, this is the keylogger enabled in the extracted config (offline_keylogger = true): the hook captures keystrokes, the foreground-window polling labels them with the active window title.

Suspicious use of WriteProcessMemory (37 IoCs)
  Processes: 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe, cmd.exe, cmd.exe, msdcsc.exe
  Writes grouped by source PID -> target PID (source image -> target image):
  432 -> 4956 (2a0960a2...2111.exe -> cmd.exe): 3 writes
  432 -> 2220 (2a0960a2...2111.exe -> cmd.exe): 3 writes
  4956 -> 4336 (cmd.exe -> attrib.exe): 3 writes
  2220 -> 4388 (cmd.exe -> attrib.exe): 3 writes
  432 -> 888 (2a0960a2...2111.exe -> msdcsc.exe): 3 writes
  888 -> 1452 (msdcsc.exe -> notepad.exe): 22 writes
  Three writes from a parent into a child it has just created is what this sandbox records for an ordinary process start; the 22 writes from msdcsc.exe into the notepad.exe it spawned are the pattern of code being injected into a freshly created host process, and notepad.exe shows no signatures of its own.

System policy modification (1 TTP, 3 IoCs)
  Process: msdcsc.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
  The path is reproduced exactly as logged. "Policies\CurrentVersion\Explorern" is not the Explorer policy key that Windows reads (...\CurrentVersion\Policies\Explorer), so NoControlPanel has no effect on the victim; the misspelt key is nevertheless a reliable artifact to hunt for.

Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe (PID 4336), attrib.exe (PID 4388)
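The registry writes listed above are the ones a detection engineer would turn into rules, and two of them (the WOW6432Node Security Center values and the misspelt Explorer policy key) are writes Windows never reads. The following is an added example, not code from the report or from the sandbox vendor: it parses registry events in the report's own "Set value (type) path = "value" process" layout, applies one rule per signature, and records whether the write is effective. The event lines are constructed from the IoCs above (with "sample.exe" standing in for the SHA256-named dropper and a benign UserInit line added as a control), and the rule names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of sandbox registry events in the report's "Set value (<type>) <path> = "<value>" <process>"
# layout. Paths and values are the ones the report logs; "sample.exe" stands in for the long SHA256-named
# dropper, and the final line is a benign control (only userinit.exe) that must not alert.
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" sample.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," setup.exe
'''

EVENT = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')


@dataclass
class Finding:
    rule: str
    process: str
    path: str
    effective: bool   # False when the write lands somewhere Windows will not read it
    note: str


def classify(vtype: str, path: str, value: str, proc: str) -> Optional[Finding]:
    """Apply one rule per signature in the report to a single registry event (rule names are mine)."""
    up = path.upper()
    parent, _, name = up.rpartition('\\')
    redirected = '\\WOW6432NODE\\' in up   # a 32-bit writer hit the WOW64 view of HKLM\SOFTWARE
    if parent.endswith(r'\WINLOGON') and name == 'USERINIT':
        # The legitimate value is exactly one entry, userinit.exe; anything after the comma runs at logon.
        extra = [e.strip() for e in value.split(',')
                 if e.strip() and not e.strip().upper().endswith('USERINIT.EXE')]
        return Finding('winlogon_userinit_persistence', proc, path, True, 'extra: ' + '; '.join(extra)) if extra else None
    if parent.endswith(r'\CURRENTVERSION\RUN'):
        return Finding('run_key_persistence', proc, path, True, f'{name} -> {value}')
    if '\\FIREWALLPOLICY\\' in up and name == 'ENABLEFIREWALL' and value == '0':
        return Finding('firewall_disabled', proc, path, True, parent.rpartition('\\')[2].lower() + ' profile')
    if parent.endswith(r'\SERVICES\WSCSVC') and name == 'START' and value == '4':
        return Finding('security_center_service_disabled', proc, path, True, 'Start=4 is SERVICE_DISABLED')
    if parent.endswith(r'\POLICIES\SYSTEM') and name == 'DISABLEREGISTRYTOOLS' and value == '1':
        return Finding('regedit_disabled', proc, path, True, 'per-user policy')
    if parent.endswith(r'\SECURITY CENTER') and name.endswith('DISABLENOTIFY') and value == '1':
        return Finding('security_center_notifications_suppressed', proc, path, not redirected,
                       'landed in WOW6432Node, 64-bit Security Center unaffected' if redirected else 'native key')
    if name == 'NOCONTROLPANEL' and value == '1':
        ok = parent.endswith(r'\POLICIES\EXPLORER')   # the only key Explorer reads this policy from
        return Finding('control_panel_policy', proc, path, ok,
                       'correct Explorer policy key' if ok else 'wrong key path, policy never read')
    return None


def scan(text: str) -> list:
    """Run classify() over every parsable 'Set value' line and return the findings in log order."""
    findings = []
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if m:
            f = classify(*m.groups())
            if f:
                findings.append(f)
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_EVENTS):
        print(f'{f.rule:40} {f.process:12} effective={f.effective}  {f.note}')
```

Running it on the constructed events yields seven findings: the two Security Center and the NoControlPanel writes come back with effective=False, and the DisableNotifications = 0 line and the benign UserInit control produce nothing. Keeping the effectiveness flag separate from the match matters in triage: an ineffective write is still a strong indicator of this family, but it should not be reported as a successful defence-evasion on the host.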
Processes
C:\Users\Admin\AppData\Local\Temp\2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe"
  PID: 432
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe" +s +h
    PID: 4956
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe
      cmd: attrib "C:\Users\Admin\AppData\Local\Temp\2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111.exe" +s +h
      PID: 4336
      - Sets file to hidden
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    PID: 2220
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe
      cmd: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      PID: 4388
      - Sets file to hidden
      - Views/modifies file attributes
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    PID: 888
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\notepad.exe
      cmd: notepad
      PID: 1452

Reading the tree: the command lines name C:\Windows\System32\cmd.exe, but the images that actually ran live under SysWOW64, so the dropper's CreateProcess calls went through WOW64 file system redirection, which tells you the dropper is a 32-bit process. The two attrib runs mark the original dropper and the whole %TEMP% directory system+hidden (+s +h), which is why the files disappear from a default Explorer view. msdcsc.exe is the self-copy at the config InstallPath and carries every defence-evasion signature; notepad.exe is a clean Windows binary it starts and then writes into 22 times (see WriteProcessMemory above), and it shows no signatures of its own, which is exactly what a hollowed host process looks like from the outside.
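The process tree above is implied by the WriteProcessMemory events rather than stated by them, and the 22 writes into notepad.exe only stand out once the writes are counted per parent/child pair. The following is an added example, not code from the report or from the sandbox vendor: it parses events in the report's "PID <src> wrote to memory of <dst> ..." layout, rebuilds the tree from who wrote into whom, and flags any pair whose write count exceeds what a plain spawn produces. The event list is constructed to mirror the report's counts (with "sample.exe" for the SHA256-named dropper), and the spawn baseline of three writes is an assumption taken from this report, not a property of Windows.

```python
import re
from collections import Counter

# Constructed sample in the report's "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
# layout; per-pair counts mirror the report (3 writes per spawned child, 22 into notepad.exe) and
# "sample.exe" stands in for the SHA256-named dropper.
WPM_EVENTS = (
    ["PID 432 wrote to memory of 4956 432 sample.exe cmd.exe"] * 3
    + ["PID 432 wrote to memory of 2220 432 sample.exe cmd.exe"] * 3
    + ["PID 4956 wrote to memory of 4336 4956 cmd.exe attrib.exe"] * 3
    + ["PID 2220 wrote to memory of 4388 2220 cmd.exe attrib.exe"] * 3
    + ["PID 432 wrote to memory of 888 432 sample.exe msdcsc.exe"] * 3
    + ["PID 888 wrote to memory of 1452 888 msdcsc.exe notepad.exe"] * 22
)

LINE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$')
# Assumed baseline: the number of writes this sandbox logs for an ordinary CreateProcess of a child
# (every plain spawn in the report shows exactly three). Calibrate it against your own sandbox.
SPAWN_BASELINE = 3


def parse(lines):
    """Count writes per (source pid, target pid) and remember each pid's image name."""
    pairs, images = Counter(), {}
    for ln in lines:
        m = LINE.match(ln.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        pairs[(int(src), int(dst))] += 1
        images[int(src)] = src_img
        images[int(dst)] = dst_img
    return pairs, images


def injection_candidates(pairs, images, baseline=SPAWN_BASELINE):
    """(src pid, dst pid, src image, dst image, writes) for pairs with more writes than a plain spawn."""
    return sorted((s, d, images[s], images[d], n) for (s, d), n in pairs.items() if n > baseline)


def build_tree(pairs):
    """Parent -> children map from who wrote into whom (in this report every target is a fresh child)."""
    children = {}
    for s, d in pairs:
        children.setdefault(s, []).append(d)
    spawned = {d for kids in children.values() for d in kids}
    roots = [p for p in children if p not in spawned]
    return roots, children


def render(roots, children, images, depth=0):
    """Indented text tree, one process per line, children in pid order."""
    out = []
    for pid in roots:
        out.append('  ' * depth + f'{images.get(pid, "?")} (PID {pid})')
        out.extend(render(sorted(children.get(pid, [])), children, images, depth + 1))
    return out


if __name__ == '__main__':
    pairs, images = parse(WPM_EVENTS)
    print('\n'.join(render(*build_tree(pairs), images)))
    for s, d, si, di, n in injection_candidates(pairs, images):
        print(f'injection candidate: {si} ({s}) -> {di} ({d}), {n} writes')
```

On the constructed events the only pair over the baseline is msdcsc.exe (888) -> notepad.exe (1452) with 22 writes, and the rendered tree matches the one in the report. The same aggregation applies to EDR telemetry that records cross-process writes; the baseline is the thing to measure per platform before trusting the threshold.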
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  Filesize: 658KB
  MD5: 95f8e456ac2d3c5a86b002596fb9015c
  SHA1: 902684ac2da80970b8d37a683485a8645d10468f
  SHA256: 2a0960a21018740e47266a4aff181e431c9be3a62f967716f71d873cd38e2111
  SHA512: 5820bb9fb23e009770f3aa5003b347a7d5730a24eb66eb7380c7b10e4adc679e0491de1bd47002a32985f3bb999e1f340de47905f5a32e9592f1f89934f32b6d
  The dropped msdcsc.exe has exactly the hashes of the submitted sample: the dropper copies itself byte-for-byte to the InstallPath from the config, so one file hash covers both the original and the installed copy.

memory/888-136-0x0000000000000000-mapping.dmp
memory/1452-139-0x0000000000000000-mapping.dmp
memory/2220-133-0x0000000000000000-mapping.dmp
memory/4336-134-0x0000000000000000-mapping.dmp
memory/4388-135-0x0000000000000000-mapping.dmp
memory/4956-132-0x0000000000000000-mapping.dmp