Analysis
-
max time kernel
151s -
max time network
31s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system -
submitted
30-11-2022 11:38
Static task
static1
Behavioral task
behavioral1
Sample
fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe
Resource
win7-20221111-en
General
-
Target
fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe
-
Size
3.0MB
-
MD5
6f6614d8d57607da94626df2a6f6115d
-
SHA1
50bcecaca1aff978d6f79b76fcf7d974cbbdce32
-
SHA256
fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935
-
SHA512
1e854ca45b7854874ef28aa84a42d31931018adb0239655b6eb37af6f32d1a55dc301fd5b378b65d2869e3831452418aae3705af0a3290979ee801b6631bb178
-
SSDEEP
24576:Ihqg3a11e7FXE61jqAdc9DH/73df8XoxZlYscJsLn1D4L4oSnJRxEkQq77GraUDN:IhqoRXE6GtU4hYse+n1kcMGCYVoOPA
Malware Config
Extracted
darkcomet
Main
leinuo2rat.no-ip.biz:1604
DC_MUTEX-ZPESHXD
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
KlPD5oRnmTw4
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
Updata
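The values above are the decrypted form of the stub's embedded configuration; the sandbox prints them already decoded. The Python below is an added example, not code from the report or the sandbox: it implements the RC4 decryption with a version-specific key that DarkComet-family stubs are assumed here to use (key strings such as #KCMDDC51#-890, with any campaign password appended), parses KEY={hex} lines, and maps raw field names such as NETDATA, MUTEX, EDTPATH and KEYNAME onto the labels this report prints. The key list, the field names and the KEY={hex} layout are assumptions of the example; the sample blob is constructed by encrypting this report's own values with that routine, not taken from the binary.

```python
"""Decode a DarkComet-style configuration blob.

Assumptions of this example (not stated by the report): the stub keeps its
config as KEY={hex} lines, each value being RC4 ciphertext under a
version-specific key such as b"#KCMDDC51#-890", with any campaign password
appended to that key; the raw field names (NETDATA, MUTEX, EDTPATH, ...) are
mapped to the labels the report uses.
"""
import binascii


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Version keys to try, newest first (assumed list).
KNOWN_KEYS = [b"#KCMDDC51#-890", b"#KCMDDC5#-890", b"#KCMDDC42F#-890",
              b"#KCMDDC42#-890", b"#KCMDDC4#-890", b"#KCMDDC2#-890"]

# Raw config name -> label used in the report's "Extracted" block (assumed mapping).
FIELD_MAP = {"NETDATA": "Main", "MUTEX": "mutex", "EDTPATH": "InstallPath",
             "GENCODE": "gencode", "INSTALL": "install",
             "OFFLINEK": "offline_keylogger", "PERSINST": "persistence",
             "KEYNAME": "reg_key"}
BOOL_FIELDS = {"INSTALL", "OFFLINEK", "PERSINST"}


def decode_config(blob: str, key: bytes) -> dict:
    """Decrypt every KEY={hex} line; lines that do not decrypt to ASCII are skipped."""
    cfg = {}
    for line in blob.splitlines():
        name, sep, hexval = line.partition("=")
        if not sep:
            continue
        try:
            plain = rc4(key, binascii.unhexlify(hexval.strip()))
            cfg[name.strip()] = plain.decode("ascii")
        except (binascii.Error, ValueError):
            continue  # wrong key, or a damaged line
    return cfg


def decode_with_key_search(blob: str, keys=KNOWN_KEYS, password: bytes = b""):
    """Try each version key (plus password) and keep the first that yields a
    plausible MUTEX value; DarkComet mutex names start with "DC_MUTEX-"."""
    for key in keys:
        cfg = decode_config(blob, key + password)
        if cfg.get("MUTEX", "").startswith("DC_MUTEX-"):
            return key, cfg
    return None, {}


def to_report_fields(cfg: dict) -> dict:
    """Project raw fields onto the report's labels, turning "1"/"0" into booleans."""
    out = {}
    for raw, label in FIELD_MAP.items():
        if raw in cfg:
            out[label] = (cfg[raw] == "1") if raw in BOOL_FIELDS else cfg[raw]
    return out


def encode_config(fields: dict, key: bytes) -> str:
    """Inverse of decode_config; used here only to construct test input."""
    return "\n".join(f"{k}={binascii.hexlify(rc4(key, v.encode('ascii'))).decode()}"
                     for k, v in fields.items())


# Constructed sample built from the values in this report, not the real resource.
SAMPLE_KEY = b"#KCMDDC51#-890"
SAMPLE_BLOB = encode_config({
    "MUTEX": "DC_MUTEX-ZPESHXD",
    "NETDATA": "leinuo2rat.no-ip.biz:1604",
    "INSTALL": "1",
    "EDTPATH": "MSDCSC\\msdcsc.exe",
    "KEYNAME": "Updata",
    "PERSINST": "0",
    "OFFLINEK": "1",
    "GENCODE": "KlPD5oRnmTw4",
}, SAMPLE_KEY)

if __name__ == "__main__":
    key, cfg = decode_with_key_search(SAMPLE_BLOB)
    print("key:", key)
    for label, value in to_report_fields(cfg).items():
        print(f"  {label}: {value}")
```

The MUTEX prefix check is what makes the key search safe: a wrong key yields bytes that either fail the ASCII decode or do not start with DC_MUTEX-, so the search moves on instead of returning garbage as a C2 address.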
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: vbc.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"  (process: vbc.exe)
-
Executes dropped EXE 2 IoCs
Processes: Minecraft.exe, msdcsc.exe
  pid 1676  Minecraft.exe
  pid 684  msdcsc.exe
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
  pid 764  attrib.exe
  pid 1860  attrib.exe
-
Loads dropped DLL 2 IoCs
Processes: fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe, vbc.exe
  pid 1756  fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe
  pid 732  vbc.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: vbc.exe, fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updata = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"  (process: vbc.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindosU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindosU.exe"  (process: fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe)
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe
  File created  C:\autorun.inf
  File opened for modification  C:\autorun.inf
  File created  D:\autorun.inf
  File opened for modification  D:\autorun.inf
-
Suspicious use of SetThreadContext 1 IoCs
Processes: fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe
  PID 1756 set thread context of 732  (fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe -> vbc.exe)
-
Drops file in Windows directory 2 IoCs
Processes: attrib.exe, attrib.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (attrib.exe)
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727  (attrib.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; in this run, taken together with the autorun.inf files written to the root of C:\ and D:\, the drive enumeration is better read as the removable-media spreading the "Drops autorun.inf file" signature describes.
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes: vbc.exe (pid 732)
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 33, 34, 35 (reported only by privilege LUID; on Windows these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege)
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes: fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe, vbc.exe, cmd.exe, cmd.exe
  PID 1756 wrote to memory of 732   fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe -> vbc.exe  (13 events)
  PID 1756 wrote to memory of 1676  fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe -> Minecraft.exe  (4 events)
  PID 732 wrote to memory of 1960   vbc.exe -> cmd.exe  (4 events)
  PID 732 wrote to memory of 1176   vbc.exe -> cmd.exe  (4 events)
  PID 732 wrote to memory of 684    vbc.exe -> msdcsc.exe  (4 events)
  PID 1176 wrote to memory of 1860  cmd.exe -> attrib.exe  (4 events)
  PID 1960 wrote to memory of 764   cmd.exe -> attrib.exe  (4 events)
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes: attrib.exe, attrib.exe
  pid 764  attrib.exe
  pid 1860  attrib.exe
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe  command line: "C:\Users\Admin\AppData\Local\Temp\fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe"
- Loads dropped DLL
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
(depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
(depth 3) C:\Windows\SysWOW64\cmd.exe  command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
- Suspicious use of WriteProcessMemory
-
(depth 4) C:\Windows\SysWOW64\attrib.exe  command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
-
(depth 3) C:\Windows\SysWOW64\cmd.exe  command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
- Suspicious use of WriteProcessMemory
-
(depth 4) C:\Windows\SysWOW64\attrib.exe  command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
-
(depth 3) C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe  command line: "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
- Executes dropped EXE
-
(depth 2) C:\Users\Admin\AppData\Local\Temp\Minecraft.exe  command line: "C:\Users\Admin\AppData\Local\Temp\Minecraft.exe"
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
  Filesize: 1.1MB
  MD5: 34aa912defa18c2c129f1e09d75c1d7e
  SHA1: 9c3046324657505a30ecd9b1fdb46c05bde7d470
  SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
  SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98
-
C:\Users\Admin\AppData\Local\Temp\Minecraft.exe
  Filesize: 679KB
  MD5: 605a171c61a0607bdcf6be80ed07cf95
  SHA1: 477d4391b0d84406127e43ead289a3596ac1e5e5
  SHA256: 09b78dc85713ca0f27f17d94c939cc606a59847c1f2b5cdd281b52a48cdaeab9
  SHA512: 3b32197d76951d0e1cd7043758af9b33be12b30c03df00a3ef36078205fa95b1582f65bdf4437a1b879a922d2950868e905bcd2227ce3816d5437556b103d338
-
\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
  Filesize: 1.1MB
  MD5: 34aa912defa18c2c129f1e09d75c1d7e
  SHA1: 9c3046324657505a30ecd9b1fdb46c05bde7d470
  SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
  SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98
-
\Users\Admin\AppData\Local\Temp\Minecraft.exe
  Filesize: 679KB
  MD5: 605a171c61a0607bdcf6be80ed07cf95
  SHA1: 477d4391b0d84406127e43ead289a3596ac1e5e5
  SHA256: 09b78dc85713ca0f27f17d94c939cc606a59847c1f2b5cdd281b52a48cdaeab9
  SHA512: 3b32197d76951d0e1cd7043758af9b33be12b30c03df00a3ef36078205fa95b1582f65bdf4437a1b879a922d2950868e905bcd2227ce3816d5437556b103d338
-
memory/684-85-0x0000000000000000-mapping.dmp
-
memory/732-75-0x0000000000400000-0x00000000004B5000-memory.dmp  (Filesize 724KB)
-
memory/732-60-0x0000000000400000-0x00000000004B5000-memory.dmp  (Filesize 724KB)
-
memory/732-67-0x0000000000400000-0x00000000004B5000-memory.dmp  (Filesize 724KB)
-
memory/732-69-0x0000000000400000-0x00000000004B5000-memory.dmp  (Filesize 724KB)
-
memory/732-71-0x0000000000400000-0x00000000004B5000-memory.dmp  (Filesize 724KB)
-
memory/732-72-0x0000000000490888-mapping.dmp
-
memory/732-73-0x0000000000400000-0x00000000004B5000-memory.dmp  (Filesize 724KB)
-
memory/732-87-0x0000000000400000-0x00000000004B5000-memory.dmp  (Filesize 724KB)
-
memory/732-64-0x0000000000400000-0x00000000004B5000-memory.dmp  (Filesize 724KB)
-
memory/732-62-0x0000000000400000-0x00000000004B5000-memory.dmp  (Filesize 724KB)
-
memory/732-57-0x0000000000400000-0x00000000004B5000-memory.dmp  (Filesize 724KB)
-
memory/732-66-0x0000000000400000-0x00000000004B5000-memory.dmp  (Filesize 724KB)
-
memory/732-81-0x0000000000400000-0x00000000004B5000-memory.dmp  (Filesize 724KB)
-
memory/732-58-0x0000000000400000-0x00000000004B5000-memory.dmp  (Filesize 724KB)
-
memory/764-90-0x0000000000000000-mapping.dmp
-
memory/1176-82-0x0000000000000000-mapping.dmp
-
memory/1676-77-0x0000000000000000-mapping.dmp
-
memory/1756-54-0x0000000075F51000-0x0000000075F53000-memory.dmp  (Filesize 8KB)
-
memory/1756-56-0x00000000744F0000-0x0000000074A9B000-memory.dmp  (Filesize 5.7MB)
-
memory/1756-55-0x00000000744F0000-0x0000000074A9B000-memory.dmp  (Filesize 5.7MB)
-
memory/1860-89-0x0000000000000000-mapping.dmp
-
memory/1960-78-0x0000000000000000-mapping.dmp