Analysis

- max time kernel: 91s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-12-2022 16:12
Static task: static1

Behavioral task: behavioral1
- Sample: 78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: 78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe
- Resource: win10v2004-20220901-en
General

- Target: 78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe
- Size: 911KB
- MD5: 4bb9134eade669f1ad497b4d022da29f
- SHA1: 46074e9c42e81452ba97459a73896628db5341ea
- SHA256: 78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471
- SHA512: 778851a0407fca8499d7048cfe03e7c475e6d7909e94f7ecf63e6328793b67e07da38b23d8d5a5fafdbba0e057333bbeff1dba5c1bc069c5c74cf0da34b2fa60
- SSDEEP: 24576:W2O/Gl+LjtXzH4UXAPMdLkRrYFJkiD16KF8KJrUt5+Cx:yjtXzH4UXPBkrYoigKF8KlSDx
Malware Config

Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: 127.0.0.1:1604
- Mutex: DC_MUTEX-54FS22Q
- InstallPath: MSDCSC\msdcsc.exe
- gencode: G2nZxP5wXrRx
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: server.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (server.exe)

Drops file in Drivers directory (1 IoC)
Processes: server.exe
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (server.exe)

Executes dropped EXE (3 IoCs)
Processes: server.exe, ResHacker.exe, msdcsc.exe
- PID 2252: server.exe
- PID 2180: ResHacker.exe
- PID 328: msdcsc.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe, server.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (server.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: server.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (server.exe)

Drops file in Windows directory (5 IoCs)
Processes: 78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe
- File opened for modification: C:\Windows\server.exe
- File created: C:\Windows\__tmp_rar_sfx_access_check_240562875
- File created: C:\Windows\ResHacker.exe
- File opened for modification: C:\Windows\ResHacker.exe
- File created: C:\Windows\server.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: server.exe, msdcsc.exe
- server.exe (PID 2252), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- msdcsc.exe (PID 328), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: msdcsc.exe
- PID 328: msdcsc.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe, server.exe
- PID 4948 (78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe) wrote to memory of PID 2252 (server.exe), 3 events
- PID 4948 (78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe) wrote to memory of PID 2180 (ResHacker.exe), 3 events
- PID 2252 (server.exe) wrote to memory of PID 328 (msdcsc.exe), 3 events
Processes

- C:\Users\Admin\AppData\Local\Temp\78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe (command line "C:\Users\Admin\AppData\Local\Temp\78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe", PID 4948)
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\server.exe (command line "C:\Windows\server.exe", PID 2252)
    - Modifies WinLogon for persistence
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (command line "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe", PID 328)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\ResHacker.exe (command line "C:\Windows\ResHacker.exe", PID 2180)
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 694KB
  MD5: 60526be0422ff21338477a2db15e0585
  SHA1: 87d802a77e22ed3d7ac84ece3247fa60e55f6be5
  SHA256: 5e727364e0dc432f6ea5b157a9e9569cc03b3b26b2db34b070b7c7dd81df484e
  SHA512: e9f72d24a640900d95243152a912881cc260e220e8c0a289a2feae956118f6d869beb697adc80aa77d1be2dcc2c2809375e420bcc33b2098df83112aa8dbfa70
- Filesize: 861KB
  MD5: 66064dbdb70a5eb15ebf3bf65aba254b
  SHA1: 0284fd320f99f62aca800fb1251eff4c31ec4ed7
  SHA256: 6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795
  SHA512: b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f