Analysis
max time kernel: 95s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 15:27
Static task: static1
Behavioral task: behavioral1
  Sample: 5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe
  Resource: win10v2004-20220812-en
General
Target: 5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe
Size: 772KB
MD5: 47a3df044a495ed7c6ba76c035a5551d
SHA1: 0793db2a77213074fd9b0d494dad66b1368186ba
SHA256: 5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2
SHA512: 7f791219154d97fba2e3d48541f877bb6ee1bd64dc6f63a9ef238cd1161e84994eef85632206d7ccdc0034bd2cb54fcecfdfd4120dc9f79a8b5a26e1cae17617
SSDEEP: 12288:cf2GiGMBHqhYOJONtMCesfXlKXeR6z6MMRlcT9cYYIJj0j0zpggnT:/GQFQgkC1PMzIlcZdYIJj0qdT
Malware Config
Extracted
Family: darkcomet
13.07.12 Crypter
C2: leetaka1337.no-ip.org:1604
Mutex: DC_MUTEX-JFX5RP1
InstallPath: MSDCSC\winhost.exe
gencode: lCnq6VNbar2M
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe"

Executes dropped EXE (2 IoCs)
  PID 1452 STUB.EXE
  PID 1788 winhost.exe

YARA rule upx matched (5 resources)
  behavioral2/memory/2980-134-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral2/memory/2980-135-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral2/memory/2980-136-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral2/memory/2980-139-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral2/memory/2980-138-0x0000000000400000-0x00000000004C2000-memory.dmp

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: 5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\winhost.exe"

Drops file in System32 directory (3 IoCs)
  Process: 5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe
  File created: C:\Windows\SysWOW64\MSDCSC\winhost.exe
  File opened for modification: C:\Windows\SysWOW64\MSDCSC\winhost.exe
  File opened for modification: C:\Windows\SysWOW64\MSDCSC\

Suspicious use of SetThreadContext (1 IoC)
  PID 4996 (5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe) set thread context of 2980 (5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  Process: 5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious use of AdjustPrivilegeToken (26 IoCs)
  PID 4996 (5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe): SeDebugPrivilege
  PID 2980 (5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 1788 (winhost.exe): SeDebugPrivilege

Suspicious use of WriteProcessMemory (17 IoCs)
  PID 4996 (5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe) wrote to memory of 2980 (5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe): 8 times
  PID 2980 (5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe) wrote to memory of 1452 (STUB.EXE): 3 times
  PID 2980 (5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe) wrote to memory of 1788 (winhost.exe): 3 times
  PID 1788 (winhost.exe) wrote to memory of 4352 (winhost.exe): 3 times
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\STUB.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
      - Executes dropped EXE

    [depth 3] C:\Windows\SysWOW64\MSDCSC\winhost.exe
      Command line: "C:\Windows\system32\MSDCSC\winhost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\MSDCSC\winhost.exe
        Command line: C:\Windows\SysWOW64\MSDCSC\winhost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\STUB.EXE
  Filesize: 47KB
  MD5: 6e9ee67b3cceaf1fc3bd53a9c33a3cc7
  SHA1: 1ce7d9f73b9da92385ec41e416d2cf7a6f2ccc03
  SHA256: e9509d87ec53efda131c636fe729180eea8c48850693f0c800fc04f88f5960bb
  SHA512: 6ee77b3d3238e1507ab83f57fa06b88b384b5d8a804a27d93aab30622166b1bedd4796ec30c8dfca3b9085d41c69fd064014e0a424a79e9e8f15b79c6568fb1c
C:\Windows\SysWOW64\MSDCSC\winhost.exe
  Filesize: 772KB
  MD5: 47a3df044a495ed7c6ba76c035a5551d
  SHA1: 0793db2a77213074fd9b0d494dad66b1368186ba
  SHA256: 5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2
  SHA512: 7f791219154d97fba2e3d48541f877bb6ee1bd64dc6f63a9ef238cd1161e84994eef85632206d7ccdc0034bd2cb54fcecfdfd4120dc9f79a8b5a26e1cae17617
memory/1452-144-0x0000000073860000-0x0000000073E11000-memory.dmp  Filesize: 5.7MB
memory/1452-143-0x0000000073860000-0x0000000073E11000-memory.dmp  Filesize: 5.7MB
memory/1452-145-0x0000000073860000-0x0000000073E11000-memory.dmp  Filesize: 5.7MB
memory/1452-140-0x0000000000000000-mapping.dmp
memory/1788-146-0x0000000000000000-mapping.dmp
memory/1788-150-0x0000000072EB0000-0x0000000073461000-memory.dmp  Filesize: 5.7MB
memory/2980-138-0x0000000000400000-0x00000000004C2000-memory.dmp  Filesize: 776KB
memory/2980-136-0x0000000000400000-0x00000000004C2000-memory.dmp  Filesize: 776KB
memory/2980-135-0x0000000000400000-0x00000000004C2000-memory.dmp  Filesize: 776KB
memory/2980-139-0x0000000000400000-0x00000000004C2000-memory.dmp  Filesize: 776KB
memory/2980-134-0x0000000000400000-0x00000000004C2000-memory.dmp  Filesize: 776KB
memory/2980-133-0x0000000000000000-mapping.dmp
memory/4352-149-0x0000000000000000-mapping.dmp
memory/4996-137-0x0000000074740000-0x0000000074CF1000-memory.dmp  Filesize: 5.7MB
memory/4996-132-0x0000000074740000-0x0000000074CF1000-memory.dmp  Filesize: 5.7MB