Analysis
- max time kernel: 186s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01-12-2022 00:04

Static task: static1
Behavioral task: behavioral1
Sample: cdcbef9468496cd757f531e70ae814364734e7e06fb1685b41768b8cb3a13b3e.exe
Resource: win7-20220812-en
General
- Target: cdcbef9468496cd757f531e70ae814364734e7e06fb1685b41768b8cb3a13b3e.exe
- Size: 284KB
- MD5: d5a63e3923e6303bfddf09ad0ed4e180
- SHA1: 7116926ad42ba42e7cc029125e65ba7f7b30bcad
- SHA256: cdcbef9468496cd757f531e70ae814364734e7e06fb1685b41768b8cb3a13b3e
- SHA512: 88edb26a18dec93e77c1ff3d2b2c9634b88edd1f334139bcf5a9986171d17c1b36fbd2b12901677cb29df5304257f0f7c2c70661777c3f5346e0effc43ca422c
- SSDEEP: 6144:aSMziw0/rI69JTH87oG2gAON1kBOFq8ApM9:aSMz0/L1YoLDLBc3ApM9
Malware Config
Extracted
- Family: darkcomet
- Botnet: DarkComet
- C2: swixtor.no-ip.org:200
- Mutex: DC_MUTEX-8T9CL5E
- Attributes:
  - InstallPath: MSDCSC\msdcsc.exe
  - gencode: lq9FU6ZBn2HD
  - install: true
  - offline_keylogger: true
  - persistence: true
  - reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- test.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Disables RegEdit via registry modification (1 IoC)
- msdcsc.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Disables Task Manager via registry modification

Executes dropped EXE (2 IoCs)
- PID 1900 test.exe
- PID 1312 msdcsc.exe

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
- PID 1712 attrib.exe
- PID 2016 attrib.exe

Loads dropped DLL (2 IoCs)
- PID 1900 test.exe (2 loads)

Adds Run key to start application (2 TTPs, 2 IoCs)
- test.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- msdcsc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
- PID 1900 test.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1312 msdcsc.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
PID 1900 test.exe and PID 1312 msdcsc.exe each adjusted the same 23 token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35.

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1312 msdcsc.exe

Suspicious use of WriteProcessMemory (50 IoCs)
Source process -> target process (number of writes):
- PID 316 cdcbef9468496cd757f531e70ae814364734e7e06fb1685b41768b8cb3a13b3e.exe -> PID 1896 cmd.exe (3)
- PID 1896 cmd.exe -> PID 1900 test.exe (4)
- PID 1900 test.exe -> PID 1084 cmd.exe (4)
- PID 1900 test.exe -> PID 892 cmd.exe (4)
- PID 1084 cmd.exe -> PID 1712 attrib.exe (4)
- PID 892 cmd.exe -> PID 2016 attrib.exe (4)
- PID 1900 test.exe -> PID 1312 msdcsc.exe (4)
- PID 1312 msdcsc.exe -> PID 1220 notepad.exe (23)

Views/modifies file attributes (1 TTP, 2 IoCs)
- PID 1712 attrib.exe
- PID 2016 attrib.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\cdcbef9468496cd757f531e70ae814364734e7e06fb1685b41768b8cb3a13b3e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cdcbef9468496cd757f531e70ae814364734e7e06fb1685b41768b8cb3a13b3e.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\9EEF.tmp\KeepThis.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - Level 3: C:\Users\Admin\AppData\Local\Temp\test.exe
      Command line: test.exe
      Signatures: Modifies WinLogon for persistence; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\test.exe" +s +h
        Signatures: Suspicious use of WriteProcessMemory
        - Level 5: C:\Windows\SysWOW64\attrib.exe
          Command line: attrib "C:\Users\Admin\AppData\Local\Temp\test.exe" +s +h
          Signatures: Sets file to hidden; Views/modifies file attributes
      - Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        Signatures: Suspicious use of WriteProcessMemory
        - Level 5: C:\Windows\SysWOW64\attrib.exe
          Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          Signatures: Sets file to hidden; Views/modifies file attributes
      - Level 4: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        Signatures: Disables RegEdit via registry modification; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - Level 5: C:\Windows\SysWOW64\notepad.exe
          Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\9EEF.tmp\KeepThis.bat
  Filesize: 39B
  MD5: ff6557c86f258c3aec17f15579a7cc97
  SHA1: feeb0a498b3f851a939b0e09fc8967a732fc2242
  SHA256: 36314ae3076f7de0aed8346749ec3b335aeea8be1fe564d14d689f067f424322
  SHA512: d898d80623b5bc92cc7427dcfeb55ce337d6155eb99991e5686cdcea230d5a64bbb642337542e08905024d50156de7547b8f24c16882ec78ba90e5e022244925
- C:\Users\Admin\AppData\Local\Temp\test.exe, C:\Users\Admin\Documents\MSDCSC\msdcsc.exe and \Users\Admin\Documents\MSDCSC\msdcsc.exe (identical hashes: the same binary under three paths)
  Filesize: 690KB
  MD5: 68792f72501d008e36a4c1a6fdcf163f
  SHA1: 30d8bc4f8f812369158b464830ef27ff4dbca7a3
  SHA256: ef83b9ca6a9bae7b25d5413051e26fc4ed2af32eef7b61c4a15a6ce9cf80f6ea
  SHA512: 8a34149c1aa77856a7e42010cb5469b63c027346a2bb8c3ae23cb8a64cf24a1a4b5521bf2ba892fdceaac20851a49b849d41231dd740439c2b2ce5f5cc0ee32a
- memory/316-61-0x0000000140000000-0x00000001400C3000-memory.dmp (Filesize: 780KB)
- memory/316-54-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp (Filesize: 8KB)
- memory/892-63-0x0000000000000000-mapping.dmp
- memory/1084-62-0x0000000000000000-mapping.dmp
- memory/1220-72-0x0000000000000000-mapping.dmp
- memory/1312-68-0x0000000000000000-mapping.dmp
- memory/1712-64-0x0000000000000000-mapping.dmp
- memory/1896-55-0x0000000000000000-mapping.dmp
- memory/1900-60-0x0000000076121000-0x0000000076123000-memory.dmp (Filesize: 8KB)
- memory/1900-58-0x0000000000000000-mapping.dmp
- memory/2016-65-0x0000000000000000-mapping.dmp