Analysis
Max time kernel: 90s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20220901-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 02-12-2022 21:56
Static task: static1
Behavioral task: behavioral1
Sample: c4dab5471ab7c23e71f8e5796d55c8bf2d7c3a4e8ebba7637d47321aca764c5b.exe
Resource: win7-20221111-en
General
Target: c4dab5471ab7c23e71f8e5796d55c8bf2d7c3a4e8ebba7637d47321aca764c5b.exe
Size: 300KB
MD5: cc0b280b1138859bedd6af39377526a5
SHA1: 861cecd1d68a5ee192e69e5f1cf028114ec1b7af
SHA256: c4dab5471ab7c23e71f8e5796d55c8bf2d7c3a4e8ebba7637d47321aca764c5b
SHA512: b002cfc305630fca9c6af061ff032aae88ae0aaa185628808d717ce1eb0ef4802d916a9f78e8582b97e64981d7f1c0ecce4eee35df9f6c5e2d2bbcbead5d51ff
SSDEEP: 6144:YRk2kQjwtxwiG9Gl9St23NZCB0lsvW8gco/LDLPOj03p2KZhE:YR49x6EmslevWQIHDOj03p2
Malware Config
Extracted
Family: darkcomet
Botnet (campaign ID): Guest16
C2: jjb4xt3r.myftp.biz:1604
Mutex: DC_MUTEX-8JY3N3Z
InstallPath: MSDCSC\msdcsc.exe
gencode: SjbmmcfPKkjH
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: vbc.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  Process: vbc.exe

Executes dropped EXE (1 IoC)
Processes: msdcsc.exe
  PID 2144: msdcsc.exe

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
  PID 2428: attrib.exe
  PID 952: attrib.exe

YARA rule match: upx (6 IoCs)
Resources matched by rule "upx":
  behavioral2/memory/5032-134-0x0000000000400000-0x00000000004B9000-memory.dmp
  behavioral2/memory/5032-136-0x0000000000400000-0x00000000004B9000-memory.dmp
  behavioral2/memory/5032-137-0x0000000000400000-0x00000000004B9000-memory.dmp
  behavioral2/memory/5032-138-0x0000000000400000-0x00000000004B9000-memory.dmp
  behavioral2/memory/5032-140-0x0000000000400000-0x00000000004B9000-memory.dmp
  behavioral2/memory/5032-149-0x0000000000400000-0x00000000004B9000-memory.dmp

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: vbc.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  Process: vbc.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: c4dab5471ab7c23e71f8e5796d55c8bf2d7c3a4e8ebba7637d47321aca764c5b.exe
  Description: PID 4060 set thread context of PID 5032
  Process: c4dab5471ab7c23e71f8e5796d55c8bf2d7c3a4e8ebba7637d47321aca764c5b.exe (4060)
  Target process: vbc.exe (5032)

Drops file in Windows directory (2 IoCs)
Processes: attrib.exe, attrib.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (attrib.exe)
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727 (attrib.exe)

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: vbc.exe (PID 5032)
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 33
  Token: 34
  Token: 35
  Token: 36

Suspicious use of WriteProcessMemory (40 IoCs)
Processes: c4dab5471ab7c23e71f8e5796d55c8bf2d7c3a4e8ebba7637d47321aca764c5b.exe, vbc.exe, cmd.exe, cmd.exe
  PID 4060 (c4dab5471ab7c23e71f8e5796d55c8bf2d7c3a4e8ebba7637d47321aca764c5b.exe) wrote to memory of PID 5032 (vbc.exe): 8 entries
  PID 5032 (vbc.exe) wrote to memory of PID 796 (cmd.exe): 3 entries
  PID 5032 (vbc.exe) wrote to memory of PID 4772 (cmd.exe): 3 entries
  PID 5032 (vbc.exe) wrote to memory of PID 2196 (notepad.exe): 17 entries
  PID 796 (cmd.exe) wrote to memory of PID 952 (attrib.exe): 3 entries
  PID 5032 (vbc.exe) wrote to memory of PID 2144 (msdcsc.exe): 3 entries
  PID 4772 (cmd.exe) wrote to memory of PID 2428 (attrib.exe): 3 entries

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe, attrib.exe
  PID 952: attrib.exe
  PID 2428: attrib.exe
Processes (process tree; indentation shows parent/child depth)

[1] C:\Users\Admin\AppData\Local\Temp\c4dab5471ab7c23e71f8e5796d55c8bf2d7c3a4e8ebba7637d47321aca764c5b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c4dab5471ab7c23e71f8e5796d55c8bf2d7c3a4e8ebba7637d47321aca764c5b.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        - Modifies WinLogon for persistence
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\attrib.exe
                Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
                - Sets file to hidden
                - Drops file in Windows directory
                - Views/modifies file attributes

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\attrib.exe
                Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
                - Sets file to hidden
                - Drops file in Windows directory
                - Views/modifies file attributes

        [3] C:\Windows\SysWOW64\notepad.exe
            Command line: notepad

        [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
Memory dumps
  memory/796-141-0x0000000000000000-mapping.dmp
  memory/952-144-0x0000000000000000-mapping.dmp
  memory/2144-145-0x0000000000000000-mapping.dmp
  memory/2196-143-0x0000000000000000-mapping.dmp
  memory/2428-147-0x0000000000000000-mapping.dmp
  memory/4060-139-0x0000000074F90000-0x0000000075541000-memory.dmp (Filesize: 5.7MB)
  memory/4060-132-0x0000000074F90000-0x0000000075541000-memory.dmp (Filesize: 5.7MB)
  memory/4772-142-0x0000000000000000-mapping.dmp
  memory/5032-138-0x0000000000400000-0x00000000004B9000-memory.dmp (Filesize: 740KB)
  memory/5032-140-0x0000000000400000-0x00000000004B9000-memory.dmp (Filesize: 740KB)
  memory/5032-137-0x0000000000400000-0x00000000004B9000-memory.dmp (Filesize: 740KB)
  memory/5032-136-0x0000000000400000-0x00000000004B9000-memory.dmp (Filesize: 740KB)
  memory/5032-134-0x0000000000400000-0x00000000004B9000-memory.dmp (Filesize: 740KB)
  memory/5032-133-0x0000000000000000-mapping.dmp
  memory/5032-149-0x0000000000400000-0x00000000004B9000-memory.dmp (Filesize: 740KB)