Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 23:57

Static task: static1
Behavioral task: behavioral1
- Sample: 601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1.exe
- Resource: win7-20220812-en
General
- Target: 601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1.exe
- Size: 375KB
- MD5: 657b79ef025b2ed1c70fb8aefeda1df6
- SHA1: ceb60d07ae73c6cbb9de4b0e7185aaae763d5b7c
- SHA256: 601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1
- SHA512: 0bd736e0510ea4daab6394f9e445d2fc9f5f49aca1be3381968f725c84e8702228b9b08dbd49780f307d020cf845e12d47c6a51c778917c6c5e25bb5a666a91e
- SSDEEP: 6144:5BQte3EQXklI4BtF37lR7+8PXX6agEtzJvK1+7W8OuUGgBU0Z2iw:5BQteFXmDtF3pR7PX6aFtzr7NOu4vov
Malware Config
Extracted
- Family: darkcomet
- Botnet: victem
- C2: nothanks.no-ip.org:1604
- Mutex: DC_MUTEX-B5AZ2X3
- InstallPath: MSDCSC\msdcsc.exe
- gencode: XDbFNVHYNmmR
- install: true
- offline_keylogger: true
- password: 123
- persistence: false
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- 601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Modifies security service (2 TTPs, 1 IoC)
Processes:
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
Windows security bypass
Processes:
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Executes dropped EXE (2 IoCs)
Processes:
- PID 1136 msdcsc.exe
- PID 3012 msdcsc.exe

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
- PID 2076 attrib.exe
- PID 1404 attrib.exe

Yara rule matches
Processes (resource: yara_rule):
- behavioral2/memory/4056-136-0x0000000000400000-0x00000000004E8000-memory.dmp: upx
- behavioral2/memory/4056-137-0x0000000000400000-0x00000000004E8000-memory.dmp: upx
- behavioral2/memory/4056-135-0x0000000000400000-0x00000000004E8000-memory.dmp: upx
- behavioral2/memory/4056-139-0x0000000000400000-0x00000000004E8000-memory.dmp: upx
- behavioral2/memory/4056-141-0x0000000000400000-0x00000000004E8000-memory.dmp: upx
- behavioral2/memory/4056-142-0x0000000000400000-0x00000000004E8000-memory.dmp: upx
- behavioral2/memory/4056-143-0x0000000000400000-0x00000000004E8000-memory.dmp: upx
- behavioral2/memory/4056-144-0x0000000000400000-0x00000000004E8000-memory.dmp: upx
- behavioral2/memory/4056-163-0x0000000000400000-0x00000000004E8000-memory.dmp: upx
- behavioral2/memory/3012-164-0x0000000000400000-0x00000000004E8000-memory.dmp: upx
- behavioral2/memory/3012-165-0x0000000000400000-0x00000000004E8000-memory.dmp: upx

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- 601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1.exe: Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Windows security modification
Processes:
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- 601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 3500 (601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1.exe) set thread context of PID 4056 (601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1.exe)
- PID 1136 (msdcsc.exe) set thread context of PID 3012 (msdcsc.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 3012 msdcsc.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes:
- PID 4056 (601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1.exe) adjusted tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 3012 (msdcsc.exe) adjusted tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 3012 msdcsc.exe

Suspicious use of WriteProcessMemory (31 IoCs)
Processes:
- PID 3500 (601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1.exe) wrote to memory of PID 4056 (601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1.exe), 8 times
- PID 4056 (601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1.exe) wrote to memory of PID 4808 (cmd.exe), 3 times
- PID 4056 (601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1.exe) wrote to memory of PID 4824 (cmd.exe), 3 times
- PID 4056 (601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1.exe) wrote to memory of PID 1136 (msdcsc.exe), 3 times
- PID 4808 (cmd.exe) wrote to memory of PID 1404 (attrib.exe), 3 times
- PID 4824 (cmd.exe) wrote to memory of PID 2076 (attrib.exe), 3 times
- PID 1136 (msdcsc.exe) wrote to memory of PID 3012 (msdcsc.exe), 8 times

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
- PID 2076 attrib.exe
- PID 1404 attrib.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1.exe
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1.exe" +s +h
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1.exe" +s +h
        - Sets file to hidden
        - Views/modifies file attributes
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Sets file to hidden
        - Views/modifies file attributes
    - [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Modifies security service
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 375KB
  MD5: 657b79ef025b2ed1c70fb8aefeda1df6
  SHA1: ceb60d07ae73c6cbb9de4b0e7185aaae763d5b7c
  SHA256: 601ad03ceea7d536b33d7f8415e01a26f4046e2c9fd0c3c510beb55463f78fc1
  SHA512: 0bd736e0510ea4daab6394f9e445d2fc9f5f49aca1be3381968f725c84e8702228b9b08dbd49780f307d020cf845e12d47c6a51c778917c6c5e25bb5a666a91e
- memory/1136-152-0x0000000000400000-0x000000000049A000-memory.dmp (Filesize: 616KB)
- memory/1136-147-0x0000000000000000-mapping.dmp
- memory/1136-160-0x0000000000400000-0x000000000049A000-memory.dmp (Filesize: 616KB)
- memory/1404-150-0x0000000000000000-mapping.dmp
- memory/2076-151-0x0000000000000000-mapping.dmp
- memory/3012-164-0x0000000000400000-0x00000000004E8000-memory.dmp (Filesize: 928KB)
- memory/3012-153-0x0000000000000000-mapping.dmp
- memory/3012-165-0x0000000000400000-0x00000000004E8000-memory.dmp (Filesize: 928KB)
- memory/3500-140-0x0000000000400000-0x000000000049A000-memory.dmp (Filesize: 616KB)
- memory/3500-132-0x0000000000400000-0x000000000049A000-memory.dmp (Filesize: 616KB)
- memory/3500-133-0x0000000000400000-0x000000000049A000-memory.dmp (Filesize: 616KB)
- memory/4056-139-0x0000000000400000-0x00000000004E8000-memory.dmp (Filesize: 928KB)
- memory/4056-144-0x0000000000400000-0x00000000004E8000-memory.dmp (Filesize: 928KB)
- memory/4056-143-0x0000000000400000-0x00000000004E8000-memory.dmp (Filesize: 928KB)
- memory/4056-142-0x0000000000400000-0x00000000004E8000-memory.dmp (Filesize: 928KB)
- memory/4056-141-0x0000000000400000-0x00000000004E8000-memory.dmp (Filesize: 928KB)
- memory/4056-135-0x0000000000400000-0x00000000004E8000-memory.dmp (Filesize: 928KB)
- memory/4056-137-0x0000000000400000-0x00000000004E8000-memory.dmp (Filesize: 928KB)
- memory/4056-163-0x0000000000400000-0x00000000004E8000-memory.dmp (Filesize: 928KB)
- memory/4056-136-0x0000000000400000-0x00000000004E8000-memory.dmp (Filesize: 928KB)
- memory/4056-134-0x0000000000000000-mapping.dmp
- memory/4808-145-0x0000000000000000-mapping.dmp
- memory/4824-146-0x0000000000000000-mapping.dmp