General
-
Target
cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520
-
Size
717KB
-
Sample
221129-rg86maff77
-
MD5
7ee9e4b9d2802572b2d75480856b9f36
-
SHA1
c901cc47c59a82950dde33e792aafe4b951a884f
-
SHA256
cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520
-
SHA512
7d4e6f2c75ffbb62e3418731e4370e3476e44b610d386fe249b08bee440576814fe17189d12046bcee40f0c2bf9356957ed0264abf29c76d8d9c14632de13bde
-
SSDEEP
12288:2l8E4w5huat7UovONzbXw8QeDRFr4LlcTO3HdEnNoa56Y55YB2vHqytk+b:sdhHwNzbXJrTONYBku57aS
Behavioral task
behavioral1
Sample
cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
darkcomet
kingcrackzzz
kingcrackzzz.no-ip.biz:6885
DC_MUTEX-ERXUPQB
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
f1rWBr8TZa1l
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520
-
Size
717KB
-
MD5
7ee9e4b9d2802572b2d75480856b9f36
-
SHA1
c901cc47c59a82950dde33e792aafe4b951a884f
-
SHA256
cb3f20b18b7ac18e174f71a3470efd0502b5b11dc285c6f2adc27d4b139d0520
-
SHA512
7d4e6f2c75ffbb62e3418731e4370e3476e44b610d386fe249b08bee440576814fe17189d12046bcee40f0c2bf9356957ed0264abf29c76d8d9c14632de13bde
-
SSDEEP
12288:2l8E4w5huat7UovONzbXw8QeDRFr4LlcTO3HdEnNoa56Y55YB2vHqytk+b:sdhHwNzbXJrTONYBku57aS
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies security service
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-