Analysis
- max time kernel: 152s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/11/2022, 09:54
Behavioral task: behavioral1
- Sample: 55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
- Resource: win7-20220812-en
General
- Target: 55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
- Size: 1.5MB
- MD5: 370481138474cfcf39b8224c51f6be27
- SHA1: bc5e1ba878f76bf7e5e61d8c49c00b980236c70d
- SHA256: 55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211
- SHA512: b8c9a986eeb33aa3b8d51d1e9292dc6b400b42889d5b4e5ab413bc250769c99fb9a53174d0ff3b9bafae6da337a875683c95415ed99f1957177da556407f462b
- SSDEEP: 24576:jiBIGkbxqEcjsWiDxguehC2SF84fSGTEmSSautCzbqbtiEBCx6jq5Yzd5uQWQoq:mCUumo2EffYSab/qbpBCQf5Bloq
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: 2.tcp.ngrok.io:17588
- Mutex: DC_MUTEX-WW1H6BV
- InstallPath: MSDCSC\msdcsc.exe
- gencode: WSfeNvq2d8Yr
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  Process: 55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (Process: msdcsc.exe)
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (Process: msdcsc.exe)
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (Process: msdcsc.exe)
- Executes dropped EXE (1 IoC)
  PID 3764: msdcsc.exe
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 2000: attrib.exe
  PID 2996: attrib.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
  Process: 55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  Process: 55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3764: msdcsc.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3764: msdcsc.exe
- Suspicious use of WriteProcessMemory (37 IoCs)
- Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 2000: attrib.exe
  PID 2996: attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe (level 1, PID 3260)
  Command line: "C:\Users\Admin\AppData\Local\Temp\55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 860)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe" +s +h
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\attrib.exe (level 3, PID 2996)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe" +s +h
      Signatures:
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 1340)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\attrib.exe (level 3, PID 2000)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures:
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (level 2, PID 3764)
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    Signatures:
    - Modifies firewall policy service
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\notepad.exe (level 3, PID 1520)
      Command line: notepad
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 865KB
  MD5: 506559174787b83187ec34afa1f8ef71
  SHA1: 19bb6efcd97598be64baa9a2e708c94bbd83b4e7
  SHA256: a78bca77b067ccf10ef56b4a5f0b5e88925a602a126c774d3578f5d1830f458b
  SHA512: 17c5926c6f8432c3661d37ac70b94d8bca268fd0c3a5caf7159dd5ea36031f71f1530c0ae856eae938fc6037c664691c8e6ad1823bc27b5b7eb87dad8ca846d1
- Filesize: 1.5MB
  MD5: 370481138474cfcf39b8224c51f6be27
  SHA1: bc5e1ba878f76bf7e5e61d8c49c00b980236c70d
  SHA256: 55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211
  SHA512: b8c9a986eeb33aa3b8d51d1e9292dc6b400b42889d5b4e5ab413bc250769c99fb9a53174d0ff3b9bafae6da337a875683c95415ed99f1957177da556407f462b