Analysis
- max time kernel: 202s
- max time network: 215s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2022 01:54
- Static task: static1
- Behavioral task: behavioral1
- Sample: b0dc3dbef3c1ecec8099f9531b9c0b4b913dbc244bfb0a6c399b40c66c81ccc0.exe
- Resource: win7-20220901-en
General
- Target: b0dc3dbef3c1ecec8099f9531b9c0b4b913dbc244bfb0a6c399b40c66c81ccc0.exe
- Size: 834KB
- MD5: 642cc235b6552c524c89441d23053420
- SHA1: 64ea644a56e14d2062f76374176785a45515b9fd
- SHA256: b0dc3dbef3c1ecec8099f9531b9c0b4b913dbc244bfb0a6c399b40c66c81ccc0
- SHA512: 1ade8c82a148496a47c46dc3567deb20a98d512ead13f5cf533d22ef0fbfbcaf2c9ad691c95717d956533875ec0f6aafc68764842f00129b1370cd3b25d49883
- SSDEEP: 24576:jG94QklbgNXrs5jkPENZI9k6Ts84PCx7/NBEn:jg4owbZI7cPc7Un
Malware Config
Extracted
- Family: darkcomet
- Guest2
- C2: myvault.no-ip.info:999
- Mutex: DC_MUTEX-ZCH6G3K
- InstallPath: MSDCSC\msdcsc.exe
- gencode: L8vg77ELMAXt
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: 5.EXE
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\MSDCSC\\msdcsc.exe" (process: 5.EXE)

Executes dropped EXE (1 IoCs)
Processes: 5.EXE
- pid 1872: 5.EXE

Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
- pid 228: attrib.exe
- pid 224: attrib.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: b0dc3dbef3c1ecec8099f9531b9c0b4b913dbc244bfb0a6c399b40c66c81ccc0.exe, 5.EXE
- Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (process: b0dc3dbef3c1ecec8099f9531b9c0b4b913dbc244bfb0a6c399b40c66c81ccc0.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (process: 5.EXE)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 5.EXE
- Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\MSDCSC\\msdcsc.exe" (process: 5.EXE)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
Processes: 5.EXE
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: 5.EXE)

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: 5.EXE (pid 1872)
- Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory (32 IoCs)
Processes: b0dc3dbef3c1ecec8099f9531b9c0b4b913dbc244bfb0a6c399b40c66c81ccc0.exe, 5.EXE, cmd.exe, cmd.exe
Source PID  Source process                                                          Target PID  Target process  Count
3076        b0dc3dbef3c1ecec8099f9531b9c0b4b913dbc244bfb0a6c399b40c66c81ccc0.exe    1872        5.EXE           3
1872        5.EXE                                                                   4944        cmd.exe         3
1872        5.EXE                                                                   2776        cmd.exe         3
2776        cmd.exe                                                                 228         attrib.exe      3
4944        cmd.exe                                                                 224         attrib.exe      3
1872        5.EXE                                                                   204         notepad.exe     17

Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes: attrib.exe, attrib.exe
- pid 228: attrib.exe
- pid 224: attrib.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\b0dc3dbef3c1ecec8099f9531b9c0b4b913dbc244bfb0a6c399b40c66c81ccc0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0dc3dbef3c1ecec8099f9531b9c0b4b913dbc244bfb0a6c399b40c66c81ccc0.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\5.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\5.EXE"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\5.EXE" +s +h
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\5.EXE" +s +h
        - Sets file to hidden
        - Views/modifies file attributes
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Sets file to hidden
        - Views/modifies file attributes
    Level 3: C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\5.EXE
  Filesize: 629KB
  MD5: c4ce3a50c3a1cee27ff75153d047a547
  SHA1: 9d2117b1004e3dc45d421b8fd670168c77d8f834
  SHA256: ef1f09a0fac40e5153c090639f161e122c77eab49ef74041fc0f04c66fbeba05
  SHA512: 0f923ad200f019bf9ddb966723cf2ff95df1243a879729139b6060a733d7ee1c40eef9f0627a2ab5e96b664d656ea56b9a276ac104162be7b41d5efef8e8a09c
-
- memory/204-140-0x0000000000000000-mapping.dmp
- memory/224-139-0x0000000000000000-mapping.dmp
- memory/228-138-0x0000000000000000-mapping.dmp
- memory/1872-132-0x0000000000000000-mapping.dmp
- memory/1872-135-0x0000000000400000-0x0000000000551000-memory.dmp (Filesize: 1.3MB)
- memory/1872-141-0x0000000000400000-0x0000000000551000-memory.dmp (Filesize: 1.3MB)
- memory/2776-137-0x0000000000000000-mapping.dmp
- memory/4944-136-0x0000000000000000-mapping.dmp