Analysis

max time kernel: 158s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2022 02:21

Static task: static1
Behavioral task: behavioral1
Sample: fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe
Resource: win7-20220812-en
General

Target: fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe
Size: 2.6MB
MD5: 10c0e1e14e177d1486d99c3a91d84969
SHA1: c0b90a929ff7a8c1c14ee554f2cc55a39605217e
SHA256: fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d
SHA512: 2d83e9fd63d40c2ee020c63878e2c5e421944a458f516741cfefa539de3649f59e3c64dfeab3496dd8c291a4f9756cc37cc3fe5f59d2e861e5a8553f417d3237
SSDEEP: 49152:Txjs/ylV/q8f7NHOiCR577tOReeel4+GnBdJFEwks51SjaU7/fMP0:TxcylVyABa5PgdFZnBtE+10
Malware Config

Extracted: darkcomet
±ö¿Í16
C2: heiseyinmou.gnway.net:2012
Mutex: DC_MUTEX-F4ZWV0U
InstallPath: MSDCSC\msdcsc.exe
gencode: czMVsH3hot1Q
install: true
offline_keylogger: true
persistence: true
reg_key: ����
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
  okko1.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Executes dropped EXE (3 IoCs)
Processes:
  PID 4128 maqi1.exe
  PID 4512 okko1.exe
  PID 4716 msdcsc.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe: Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
  WScript.exe: Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
  okko1.exe: Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  okko1.exe: Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine
  msdcsc.exe: Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  okko1.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\΢Ð͸üР= "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  msdcsc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\΢Ð͸üР= "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  okko1.exe: File opened for modification \??\PhysicalDrive0
  msdcsc.exe: File opened for modification \??\PhysicalDrive0
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
  PID 4512 okko1.exe
  PID 4716 msdcsc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (2 IoCs)
Processes:
  fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe: Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings
  okko1.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  PID 4512 okko1.exe
  PID 4512 okko1.exe
  PID 4716 msdcsc.exe
  PID 4716 msdcsc.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes (24 token adjustments per process):
  PID 4512 okko1.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 4716 msdcsc.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  PID 4128 maqi1.exe
  PID 4128 maqi1.exe
  PID 4716 msdcsc.exe
Suspicious use of WriteProcessMemory (35 IoCs)
Processes (source PID wrote to target PID, source process -> target process; identical rows are shown once with their count):
  PID 748 wrote to memory of 4956: fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe -> WScript.exe (3 entries)
  PID 4956 wrote to memory of 3360: WScript.exe -> cmd.exe (3 entries)
  PID 4956 wrote to memory of 2968: WScript.exe -> cmd.exe (3 entries)
  PID 3360 wrote to memory of 4128: cmd.exe -> maqi1.exe (3 entries)
  PID 2968 wrote to memory of 4512: cmd.exe -> okko1.exe (3 entries)
  PID 4512 wrote to memory of 4848: okko1.exe -> notepad.exe (17 entries)
  PID 4512 wrote to memory of 4716: okko1.exe -> msdcsc.exe (3 entries)
Processes (process tree; nesting depth shown by indentation)

depth 1: C:\Users\Admin\AppData\Local\Temp\fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  depth 2: C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    depth 3: C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c maqi1.exe
      - Suspicious use of WriteProcessMemory

      depth 4: C:\Users\Admin\AppData\Local\Temp\RarSFX0\maqi1.exe
        command line: maqi1.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

    depth 3: C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c okko1.exe
      - Suspicious use of WriteProcessMemory

      depth 4: C:\Users\Admin\AppData\Local\Temp\RarSFX0\okko1.exe
        command line: okko1.exe
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Checks computer location settings
        - Identifies Wine through registry keys
        - Adds Run key to start application
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        depth 5: C:\Windows\SysWOW64\notepad.exe
          command line: notepad

        depth 5: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Adds Run key to start application
          - Writes to the Master Boot Record (MBR)
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.vbs
  Filesize: 106B
  MD5: e747a0e254ab7f22c2b8ee54df6e5bb8
  SHA1: 92a5caa16fd59ddebdf587ba4a63ac51803180a6
  SHA256: 27748d903993b59f21a8d6ed85a0c20be4a5eabb87812c084a72354386146cd3
  SHA512: a9e2759db18734c0ef1dadee1fa98d459f6efbdf37197f3df76671e22da11440062dc06108529d6c7272f9a875c51b1a78c635a72c3c87ebca3940ce763d8fbc

C:\Users\Admin\AppData\Local\Temp\RarSFX0\maqi1.exe
  Filesize: 20KB
  MD5: 5eff78e5cca75e6c30fc246d788a6ab2
  SHA1: 8b09f99a3304afa60ef0559efbc94162de09ca39
  SHA256: 01960035d76685f023298fd55d5ff2da022ca531673e517eed5c28bb7f8e4e33
  SHA512: ce6b16cbe6f4633f0f19c1de496f8a67e47dfb7db7e4dd4b3bb6c36ae8908b34c4ffd6a3e2552ef634ab9f296b2075c476cff257f72692cb9bd0458bc41c8d37
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\okko1.exe
  Filesize: 2.6MB
  MD5: 31cf3cc235759304d54b64e35356baa0
  SHA1: ea2d45d27e152341d0b9a4a3302f93b71ac9234d
  SHA256: a277106c79599bf4fea2a16a04ee9836ce032b1a2b919a75591b3bb8dd84dc27
  SHA512: da13df4f95585d73db363d7978bf836178a483781ade674b7b21b01cc2dcfd591fff7a10002a9fb1057945816f835076bd66c5a7a1afff4a4a724fa7749641c4
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 2.6MB
  MD5: 31cf3cc235759304d54b64e35356baa0
  SHA1: ea2d45d27e152341d0b9a4a3302f93b71ac9234d
  SHA256: a277106c79599bf4fea2a16a04ee9836ce032b1a2b919a75591b3bb8dd84dc27
  SHA512: da13df4f95585d73db363d7978bf836178a483781ade674b7b21b01cc2dcfd591fff7a10002a9fb1057945816f835076bd66c5a7a1afff4a4a724fa7749641c4
-
Memory dumps:
  memory/2968-135-0x0000000000000000-mapping.dmp
  memory/3360-134-0x0000000000000000-mapping.dmp
  memory/4128-136-0x0000000000000000-mapping.dmp
  memory/4512-142-0x0000000000400000-0x000000000096E000-memory.dmp (Filesize: 5.4MB)
  memory/4512-144-0x0000000000400000-0x000000000096E000-memory.dmp (Filesize: 5.4MB)
  memory/4512-139-0x0000000000000000-mapping.dmp
  memory/4512-150-0x0000000000400000-0x000000000096E000-memory.dmp (Filesize: 5.4MB)
  memory/4716-145-0x0000000000000000-mapping.dmp
  memory/4716-148-0x0000000000400000-0x000000000096E000-memory.dmp (Filesize: 5.4MB)
  memory/4716-149-0x0000000000400000-0x000000000096E000-memory.dmp (Filesize: 5.4MB)
  memory/4716-151-0x0000000000400000-0x000000000096E000-memory.dmp (Filesize: 5.4MB)
  memory/4716-152-0x0000000000400000-0x000000000096E000-memory.dmp (Filesize: 5.4MB)
  memory/4848-143-0x0000000000000000-mapping.dmp
  memory/4956-132-0x0000000000000000-mapping.dmp