Analysis
max time kernel: 91s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 11:39
Static task: static1
Behavioral task: behavioral1
Sample: c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe
Resource: win7-20220901-en
General
Target: c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe
Size: 1.7MB
MD5: 49d1338dd124baf0102b62040d11fbad
SHA1: e06d262b039ddbc61e89787b28224aa2bf64770b
SHA256: c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e
SHA512: 4bd2740e630f013d53c63f13eb34083d4892c73aa78e72d36bd0273ba8134a6eebc8b9949aaa03685f199177053254b4271a2a0be662db1b5dd43259b5e19440
SSDEEP: 24576:Ooad3G11e7FXE61jqAdc9DH/73df8XoxZlYscJsLn1D4L4oSnJRB:OoaRlXE6GtU4hYse+n1kcr
Malware Config
Extracted
Family: darkcomet
Botnet: Main
C2: leinuo2rat.no-ip.biz:1604
Mutex: DC_MUTEX-ZPESHXD
Attributes:
  InstallPath: MSDCSC\msdcsc.exe
  gencode: KlPD5oRnmTw4
  install: true
  offline_keylogger: true
  persistence: false
  reg_key: Updata
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"
  process: vbc.exe

Executes dropped EXE (1 IoCs)
Processes:
  pid: 856
  process: msdcsc.exe

Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
  pid 4196  attrib.exe
  pid 4840  attrib.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindosU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindosU.exe"
  process: c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updata = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"
  process: vbc.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description: PID 704 set thread context of 4928
  pid: 704
  process: c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe
  target process: vbc.exe

Drops file in Windows directory (2 IoCs)
Processes:
  description: File opened for modification
  ioc: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  process: attrib.exe

  description: File opened for modification
  ioc: C:\Windows\Microsoft.NET\Framework\v2.0.50727
  process: attrib.exe

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes (all entries: pid 4928, vbc.exe):
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 33
  Token: 34
  Token: 35
  Token: 36

Suspicious use of WriteProcessMemory (29 IoCs)
Processes:
  PID 704 wrote to memory of 4928   c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe -> vbc.exe   (14 entries)
  PID 4928 wrote to memory of 2312  vbc.exe -> cmd.exe      (3 entries)
  PID 4928 wrote to memory of 3520  vbc.exe -> cmd.exe      (3 entries)
  PID 4928 wrote to memory of 856   vbc.exe -> msdcsc.exe   (3 entries)
  PID 2312 wrote to memory of 4840  cmd.exe -> attrib.exe   (3 entries)
  PID 3520 wrote to memory of 4196  cmd.exe -> attrib.exe   (3 entries)

Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes:
  pid 4840  attrib.exe
  pid 4196  attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
        - Sets file to hidden
        - Drops file in Windows directory
        - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        - Sets file to hidden
        - Drops file in Windows directory
        - Views/modifies file attributes

    C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
      Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
  Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
  Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

memory/704-133-0x0000000074EC0000-0x0000000075471000-memory.dmp
  Filesize: 5.7MB

memory/704-132-0x0000000074EC0000-0x0000000075471000-memory.dmp
  Filesize: 5.7MB

memory/856-141-0x0000000000000000-mapping.dmp

memory/2312-139-0x0000000000000000-mapping.dmp

memory/3520-140-0x0000000000000000-mapping.dmp

memory/4196-145-0x0000000000000000-mapping.dmp

memory/4840-143-0x0000000000000000-mapping.dmp

memory/4928-135-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB

memory/4928-138-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB

memory/4928-144-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB

memory/4928-137-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB

memory/4928-136-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB

memory/4928-134-0x0000000000000000-mapping.dmp