Analysis
- max time kernel: 151s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 11:38

Static task: static1
Behavioral task: behavioral1
- Sample: fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe
- Resource: win7-20221111-en
General
- Target: fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe
- Size: 3.0MB
- MD5: 6f6614d8d57607da94626df2a6f6115d
- SHA1: 50bcecaca1aff978d6f79b76fcf7d974cbbdce32
- SHA256: fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935
- SHA512: 1e854ca45b7854874ef28aa84a42d31931018adb0239655b6eb37af6f32d1a55dc301fd5b378b65d2869e3831452418aae3705af0a3290979ee801b6631bb178
- SSDEEP: 24576:Ihqg3a11e7FXE61jqAdc9DH/73df8XoxZlYscJsLn1D4L4oSnJRxEkQq77GraUDN:IhqoRXE6GtU4hYse+n1kcMGCYVoOPA
Malware Config
Extracted family: darkcomet
- Main: leinuo2rat.no-ip.biz:1604
- Mutex: DC_MUTEX-ZPESHXD
- InstallPath: MSDCSC\msdcsc.exe
- gencode: KlPD5oRnmTw4
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: Updata
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: vbc.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" (vbc.exe)
- Executes dropped EXE (2 IoCs)
  Processes: Minecraft.exe, msdcsc.exe
  PID 4288 Minecraft.exe; PID 5112 msdcsc.exe
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes: attrib.exe (PID 4260), attrib.exe (PID 3544)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe)
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: vbc.exe, fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updata = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" (vbc.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindosU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindosU.exe" (fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe)
- Drops autorun.inf file (1 TTP, 4 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Process: fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe
  File created: D:\autorun.inf
  File opened for modification: D:\autorun.inf
  File created: C:\autorun.inf
  File opened for modification: C:\autorun.inf
- Suspicious use of SetThreadContext (1 IoC)
  PID 2696 (fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe) set thread context of PID 404 (vbc.exe)
- Drops file in Windows directory (2 IoCs)
  Process: attrib.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (attrib.exe)
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727 (attrib.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Process: vbc.exe (PID 404)
  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes: fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe, vbc.exe, cmd.exe, cmd.exe
  PID 2696 (fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe) wrote to memory of PID 404 (vbc.exe), 14 entries
  PID 404 (vbc.exe) wrote to memory of PID 3976 (cmd.exe), 3 entries
  PID 2696 (fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe) wrote to memory of PID 4288 (Minecraft.exe), 3 entries
  PID 404 (vbc.exe) wrote to memory of PID 1440 (cmd.exe), 3 entries
  PID 404 (vbc.exe) wrote to memory of PID 5112 (msdcsc.exe), 3 entries
  PID 3976 (cmd.exe) wrote to memory of PID 3544 (attrib.exe), 3 entries
  PID 1440 (cmd.exe) wrote to memory of PID 4260 (attrib.exe), 3 entries
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe (PID 3544), attrib.exe (PID 4260)
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Drops autorun.inf file
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - (2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (3) C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
      - Suspicious use of WriteProcessMemory
      - (4) C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
        - Sets file to hidden
        - Drops file in Windows directory
        - Views/modifies file attributes
    - (3) C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
      Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
    - (3) C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
      - Suspicious use of WriteProcessMemory
      - (4) C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        - Sets file to hidden
        - Drops file in Windows directory
        - Views/modifies file attributes
  - (2) C:\Users\Admin\AppData\Local\Temp\Minecraft.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Minecraft.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
  Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
- C:\Users\Admin\AppData\Local\Temp\Minecraft.exe
  Filesize: 679KB
  MD5: 605a171c61a0607bdcf6be80ed07cf95
  SHA1: 477d4391b0d84406127e43ead289a3596ac1e5e5
  SHA256: 09b78dc85713ca0f27f17d94c939cc606a59847c1f2b5cdd281b52a48cdaeab9
  SHA512: 3b32197d76951d0e1cd7043758af9b33be12b30c03df00a3ef36078205fa95b1582f65bdf4437a1b879a922d2950868e905bcd2227ce3816d5437556b103d338