Analysis
  max time kernel:  199s
  max time network: 218s
  platform:         windows10-2004_x64
  resource:         win10v2004-20221111-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        03-12-2022 02:52
Static task: static1

Behavioral task: behavioral1
  Sample:   f34ecc9a2b4cc433afae06d4e6dee9cf9b30c78b2349ac190855c3b79de8d565.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample:   f34ecc9a2b4cc433afae06d4e6dee9cf9b30c78b2349ac190855c3b79de8d565.exe
  Resource: win10v2004-20221111-en
General
  Target: f34ecc9a2b4cc433afae06d4e6dee9cf9b30c78b2349ac190855c3b79de8d565.exe
  Size:   965KB
  MD5:    d48e65382aa5038a7b5006635b32b951
  SHA1:   69462a33f4c19711386f07ea3fb0cbe0d9a697cd
  SHA256: f34ecc9a2b4cc433afae06d4e6dee9cf9b30c78b2349ac190855c3b79de8d565
  SHA512: 591b21d638a2591ba1c60165f2207e47fd5c52d681c984edb5e705ebf9b2bd7565e94309f8899473b2f3b028236304a5fdd41223c4d9145314d72b048bdbae10
  SSDEEP: 24576:QjanCAfUaJYNo5/XOqoa4Q+f1mIMVlzGqLD6h2Zg3:Qj2CNBHClLDOb
Malware Config
Extracted
  Family:            darkcomet
  Botnet:            mohamad
  C2:                monasara4.no-ip.org:1604
  Mutex:             DC_MUTEX-W41GGVQ
  InstallPath:       MSDCSC\msdcsc.exe
  gencode:           PTslBCtLGc65
  install:           true
  offline_keylogger: true
  persistence:       false
  reg_key:           MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process  Description      IoC
  vbc.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Executes dropped EXE (1 IoC)
  Process     PID
  msdcsc.exe  2276

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  Process  Description      IoC
  vbc.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Drops file in System32 directory (2 IoCs)
  Process                                                                   Description                   IoC
  f34ecc9a2b4cc433afae06d4e6dee9cf9b30c78b2349ac190855c3b79de8d565.exe  File created                  C:\Windows\SysWOW64\authctl.exe
  f34ecc9a2b4cc433afae06d4e6dee9cf9b30c78b2349ac190855c3b79de8d565.exe  File opened for modification  C:\Windows\SysWOW64\authctl.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 3940 (f34ecc9a2b4cc433afae06d4e6dee9cf9b30c78b2349ac190855c3b79de8d565.exe) set thread context of PID 2684 (vbc.exe)

Drops file in Windows directory (1 IoC)
  Process   Description   IoC
  dw20.exe  File created  C:\Windows\AppCompat\Programs\Amcache.hve.tmp

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Process   Description        IoC
  dw20.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  dw20.exe  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  dw20.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Enumerates system info in registry (2 TTPs, 2 IoCs)
  Process   Description        IoC
  dw20.exe  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  dw20.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Modifies registry class (1 IoC)
  Process  Description  IoC
  vbc.exe  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious use of AdjustPrivilegeToken (29 IoCs)
  PID 4004 dw20.exe: SeRestorePrivilege, SeBackupPrivilege (x4)
  PID 2684 vbc.exe:  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
                     SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
                     SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
                     SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
                     SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory (20 IoCs)
  Source PID  Source process                                                            Target PID  Target process  Count
  3940        f34ecc9a2b4cc433afae06d4e6dee9cf9b30c78b2349ac190855c3b79de8d565.exe  2684        vbc.exe         14
  3940        f34ecc9a2b4cc433afae06d4e6dee9cf9b30c78b2349ac190855c3b79de8d565.exe  4004        dw20.exe        3
  2684        vbc.exe                                                                   2276        msdcsc.exe      3
Processes

C:\Users\Admin\AppData\Local\Temp\f34ecc9a2b4cc433afae06d4e6dee9cf9b30c78b2349ac190855c3b79de8d565.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f34ecc9a2b4cc433afae06d4e6dee9cf9b30c78b2349ac190855c3b79de8d565.exe"
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Modifies WinLogon for persistence
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          - Executes dropped EXE

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 1028
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 1.1MB
  MD5:      d881de17aa8f2e2c08cbb7b265f928f9
  SHA1:     08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256:   b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512:   5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
Memory dumps
  memory/2276-140-0x0000000000000000-mapping.dmp
  memory/2684-133-0x0000000000000000-mapping.dmp
  memory/2684-134-0x0000000000400000-0x00000000004B2000-memory.dmp  (712KB)
  memory/2684-135-0x0000000000400000-0x00000000004B2000-memory.dmp  (712KB)
  memory/2684-136-0x0000000000400000-0x00000000004B2000-memory.dmp  (712KB)
  memory/2684-138-0x0000000000400000-0x00000000004B2000-memory.dmp  (712KB)
  memory/2684-143-0x0000000000400000-0x00000000004B2000-memory.dmp  (712KB)
  memory/3940-132-0x00000000748F0000-0x0000000074EA1000-memory.dmp  (5.7MB)
  memory/3940-139-0x00000000748F0000-0x0000000074EA1000-memory.dmp  (5.7MB)
  memory/4004-137-0x0000000000000000-mapping.dmp