Analysis
max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 18:26
Behavioral task behavioral1
Sample: 94504f0b203bccd77720c2a6c0b1cea42679f3a7ccdab84c6ca9004442426604.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: 94504f0b203bccd77720c2a6c0b1cea42679f3a7ccdab84c6ca9004442426604.exe
Resource: win10v2004-20220901-en
(The results below are from the win10v2004-20220901-en task.)
General
Target: 94504f0b203bccd77720c2a6c0b1cea42679f3a7ccdab84c6ca9004442426604.exe
Size: 658KB
MD5: 59bc1bbbe088f8cb41308fb7d3132be9
SHA1: fa8f3540c30298d776796d3768a44e89cecbfb65
SHA256: 94504f0b203bccd77720c2a6c0b1cea42679f3a7ccdab84c6ca9004442426604
SHA512: 7be4b2f540b69379a1474898f2b9d64e24f4257ad36a904fe4bbf75be0c4fc1884022ad5465d1217e5f410e944f9dab5f80f137a911721cb7c4789e8b9fabb1e
SSDEEP: 12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hc:KZ1xuVVjfFoynPaVBUR8f+kN10EBC
Malware Config
Extracted
Family: darkcomet
Botnet (campaign ID): Guest16
C2: mijnpoepetenxd.ddns.net:443
Mutex: DC_MUTEX-2S3DT5Y
InstallPath: MSDCSC\msdcsc.exe
gencode: 3ZEuvTt3lYFT
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Notes: the C2 is a dynamic-DNS hostname; port 443 carries DarkComet's own protocol, not HTTPS, so do not expect a TLS handshake on that connection. InstallPath is relative to the user's Documents folder, which matches the C:\Users\Admin\Documents\MSDCSC\msdcsc.exe path in the signatures below, and reg_key is the Run value name (MicroUpdate) used for persistence. Guest16 is DarkComet's default campaign ID, so the operator did not customise the build.
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Set value (str) by 94504f0b203bccd77720c2a6c0b1cea42679f3a7ccdab84c6ca9004442426604.exe:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
The dropped binary is appended after the legitimate userinit.exe, so it starts at every interactive logon even if the Run value below is removed. The value lives under HKLM and the write succeeded, so the sample was running with administrative rights in this task.
Executes dropped EXE (1 IoC)
PID 2072 msdcsc.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Key value queried by 94504f0b203bccd77720c2a6c0b1cea42679f3a7ccdab84c6ca9004442426604.exe:
\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str) by 94504f0b203bccd77720c2a6c0b1cea42679f3a7ccdab84c6ca9004442426604.exe and again by msdcsc.exe:
\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
Both the dropper and the installed copy write the same value, so the entry is re-created on every run of the RAT, not just at install time.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; that does not fit here. The sample is a DarkComet RAT, the report shows no file encryption activity, and drive enumeration is consistent with the RAT's remote file-browsing features.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 2072 msdcsc.exe. Repeated polling of the foreground window is consistent with the keylogger recording active window titles (offline_keylogger is enabled in the extracted config).
Suspicious use of AdjustPrivilegeToken (48 IoCs)
PID 2128 (94504f0b203bccd77720c2a6c0b1cea42679f3a7ccdab84c6ca9004442426604.exe) and PID 2072 (msdcsc.exe) each enabled the same 24 privileges on their token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, plus privilege LUIDs 33, 34, 35 and 36 (not resolved to names by the sandbox).
Enabling the entire set at once, SeDebugPrivilege included, is a blanket enable-everything loop rather than a request for any one privilege the program needs; it is a useful behavioural marker on its own.
Suspicious use of SetWindowsHookEx (1 IoC)
PID 2072 msdcsc.exe. A Windows hook installed by the RAT process is consistent with the keyboard hook used for keylogging.
Suspicious use of WriteProcessMemory (25 IoCs)
PID 2128 (94504f0b203bccd77720c2a6c0b1cea42679f3a7ccdab84c6ca9004442426604.exe) wrote to the memory of PID 2072 (msdcsc.exe) 3 times (report process index 81).
PID 2072 (msdcsc.exe) wrote to the memory of PID 3872 (notepad.exe) 22 times (report process index 82).
The trailing number in the sandbox's procid_target column (81, 82) is the report's internal index for the target process, not a Windows PID. The three writes from the dropper into the child it just launched are a small volume; the 22 writes into notepad.exe, a system binary with no reason to receive data from a dropped executable, are the injection indicator: msdcsc.exe launches a benign host process and writes its payload into it.
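The two registry persistence mechanisms above (the extra UserInit entry and the Run value) can be checked on a host with a few lines. The following is an added example written for this report, not sandbox output or DarkComet code; the sample registry values are constructed from the IoCs listed above, and all function and constant names are the example's own.

```python
"""Check Winlogon\\UserInit and HKCU Run values for the DarkComet persistence
pattern seen in this report. Added example; sample values are constructed
from the report's IoCs, names are this example's own."""
import re

# The only entry a clean UserInit value should contain (case-insensitive).
LEGIT_USERINIT = re.compile(r"[a-z]:\\windows\\system32\\userinit\.exe", re.I)

# Profile directories an autostart entry should not normally launch from.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(documents|appdata|downloads|desktop)\\", re.I
)


def parse_userinit(value: str) -> list[str]:
    """Split the comma-separated UserInit value into its non-empty entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def userinit_extra_entries(value: str) -> list[str]:
    """Return every UserInit entry other than the legitimate userinit.exe.

    Anything returned here runs at each interactive logon before the shell,
    which is why DarkComet appends its dropped binary to this value."""
    return [e for e in parse_userinit(value) if not LEGIT_USERINIT.fullmatch(e)]


def run_target(command: str) -> str:
    """Extract the executable path from a Run value, quoted or bare."""
    m = re.match(r'"?(.*?\.exe)"?', command.strip(), re.I)
    return m.group(1) if m else command.strip()


def suspicious_run_entries(run_values: dict[str, str]) -> dict[str, str]:
    """Return Run entries whose executable lives in a user-writable directory."""
    return {name: run_target(cmd) for name, cmd in run_values.items()
            if USER_WRITABLE.match(run_target(cmd))}


def findings(userinit: str, run_values: dict[str, str]) -> list[str]:
    """Combine both checks into human-readable findings."""
    out = [f"Winlogon UserInit carries extra entry: {e}"
           for e in userinit_extra_entries(userinit)]
    out += [f"Run\\{n} starts from user-writable path: {p}"
            for n, p in suspicious_run_entries(run_values).items()]
    return out


def read_live_values():
    """Read both values from the local registry (Windows only, not used by
    the checks above). Returns (userinit_value, {run_name: command})."""
    import winreg  # only available on Windows

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as k:
        userinit, _ = winreg.QueryValueEx(k, "Userinit")
    run, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as k:
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, i)
            except OSError:  # no more values
                break
            run[name] = data
            i += 1
    return userinit, run


# Constructed sample values copied from the report's IoCs, plus one benign
# Run entry (assumed, not from the report) to show it is not flagged.
SAMPLE_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
SAMPLE_RUN = {
    "MicroUpdate": r"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe",
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
}

if __name__ == "__main__":
    for line in findings(SAMPLE_USERINIT, SAMPLE_RUN):
        print(line)
```

On a live Windows host, pass the output of read_live_values() to findings(); the UserInit check is the more valuable of the two, since a second entry there is rare in legitimate configurations while Run values under a user profile need triage against the software actually installed.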
Processes
C:\Users\Admin\AppData\Local\Temp\94504f0b203bccd77720c2a6c0b1cea42679f3a7ccdab84c6ca9004442426604.exe (PID 2128)
command line: "C:\Users\Admin\AppData\Local\Temp\94504f0b203bccd77720c2a6c0b1cea42679f3a7ccdab84c6ca9004442426604.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2072, child of 2128)
  command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\notepad.exe (PID 3872, child of 2072)
    command line: notepad
The chain is dropper, installed copy, then a 32-bit notepad.exe from SysWOW64 (matching the x86 tag on the sample) that the installed copy writes into 22 times and that exhibits no signatures of its own, i.e. a hollow host process for injected code.
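The spawn-then-write chain in the tree above (msdcsc.exe launches notepad.exe, then writes into it) can be detected from process-create and memory-write telemetry without any signature for DarkComet itself. The following is an added example written for this report, not sandbox code; the events are constructed from the PIDs and image paths in the tree, and the Event fields and function names are the example's own rather than a Sysmon or sandbox schema.

```python
"""Detect a non-system process that creates a child from a Windows system
binary and then writes into that child's memory. Added example; events are
constructed from this report's process tree, names are this example's own."""
from collections import Counter
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\94504f0b203bccd77720c2a6c0b1cea42679f3a7ccdab84c6ca9004442426604.exe")
DROPPED = r"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
HOST = r"C:\Windows\SysWOW64\notepad.exe"

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class Event:
    kind: str        # "create": pid started by ppid; "write": pid wrote into target
    pid: int         # acting process
    image: str       # acting process image path
    ppid: int = 0    # parent PID for create events (0 = unknown / sandbox launcher)
    target: int = 0  # PID written to, for write events


def is_system_binary(image: str) -> bool:
    return image.lower().startswith(SYSTEM_DIRS)


def detect_spawn_and_inject(events, min_writes: int = 1):
    """Return (writer_image, target_image, write_count) for every child that
    was created from a system binary by a non-system parent and then written
    to by that parent at least min_writes times.

    The system-binary test on the target is what separates the notepad.exe
    case from the dropper merely launching msdcsc.exe; min_writes lets a
    caller additionally ignore the small number of writes seen at launch."""
    image_of, parent_of = {}, {}
    for ev in events:
        if ev.kind == "create":
            image_of[ev.pid] = ev.image
            parent_of[ev.pid] = ev.ppid
    writes = Counter()
    for ev in events:
        if ev.kind == "write" and parent_of.get(ev.target) == ev.pid:
            writes[(ev.pid, ev.target)] += 1
    hits = []
    for (writer, target), n in writes.items():
        writer_image = image_of.get(writer, "")
        target_image = image_of.get(target, "")
        if (n >= min_writes and is_system_binary(target_image)
                and not is_system_binary(writer_image)):
            hits.append((writer_image, target_image, n))
    return hits


# Constructed from the report: 3 writes sample -> msdcsc.exe (PID 2072),
# 22 writes msdcsc.exe -> notepad.exe (PID 3872).
SAMPLE_EVENTS = (
    [Event("create", 2128, SAMPLE),
     Event("create", 2072, DROPPED, ppid=2128)]
    + [Event("write", 2128, SAMPLE, target=2072)] * 3
    + [Event("create", 3872, HOST, ppid=2072)]
    + [Event("write", 2072, DROPPED, target=3872)] * 22
)

if __name__ == "__main__":
    for writer, target, n in detect_spawn_and_inject(SAMPLE_EVENTS):
        print(f"{writer} wrote into {target} {n} times after creating it")
```

Run over the constructed events, only the msdcsc.exe to notepad.exe pair is reported; the dropper's three writes into msdcsc.exe are excluded because the target is not a system binary. With Sysmon, the same logic maps onto process-create (event 1) and CreateRemoteThread or process-access events, but the field names there differ from this example's.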
Downloads
Filesize: 658KB
MD5: 59bc1bbbe088f8cb41308fb7d3132be9
SHA1: fa8f3540c30298d776796d3768a44e89cecbfb65
SHA256: 94504f0b203bccd77720c2a6c0b1cea42679f3a7ccdab84c6ca9004442426604
SHA512: 7be4b2f540b69379a1474898f2b9d64e24f4257ad36a904fe4bbf75be0c4fc1884022ad5465d1217e5f410e944f9dab5f80f137a911721cb7c4789e8b9fabb1e
(Hashes match the submitted sample; the dropped msdcsc.exe is a copy of the same 658KB file.)