Analysis
- max time kernel: 189s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2022 03:57
Static task: static1
Behavioral task: behavioral1
- Sample: d87d4d7a0dbb25f084859b8512e23f2ef94589655f2cd417c25009e9605c6998.exe
- Resource: win7-20220812-en
General
- Target: d87d4d7a0dbb25f084859b8512e23f2ef94589655f2cd417c25009e9605c6998.exe
- Size: 820KB
- MD5: 7f0263ae88e07076889366970ce6147f
- SHA1: 84a669be1ad036f481be5bca379b6d962523342e
- SHA256: d87d4d7a0dbb25f084859b8512e23f2ef94589655f2cd417c25009e9605c6998
- SHA512: a8b02c7cfc7296f1eae5415c4aa4f4c8b1c02ad30ea7047f9eb7e79c3c9d677b4ca5a98a87a7d48c343e5bacbb7f157af91296bcc26ec75c1600e1a95ce304e2
- SSDEEP: 12288:9H0sGRDS9vqmZzw7JLjJoGmpuoJQQJBIwV1Kathio+:GkhqSzwRjporBB1Kj
Malware Config
Extracted
- Family: darkcomet
- Botnet: Strain10
- C2: mediaupdate.sytes.net:1604
- Mutex: DC_MUTEX-4WRRCYC
- InstallPath: MSDCSC\msdcsc.exe
- gencode: QbtXBpuhirwF
- install: true
- offline_keylogger: false
- persistence: false
- reg_key: MediaUpdate
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes (description, IoC, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (AppLaunch.exe)
Executes dropped EXE (3 IoCs)
Processes (PID, process):
- 1264 MsCtfMonitor.exe
- 1704 rtscom.exe
- 4504 msdcsc.exe
Resources (YARA rule: upx):
- behavioral2/memory/4892-142-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/4892-143-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/4892-144-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/4892-145-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/4892-146-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/1876-163-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/1876-164-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/1876-165-0x0000000000400000-0x00000000004B7000-memory.dmp
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes (description, IoC, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (d87d4d7a0dbb25f084859b8512e23f2ef94589655f2cd417c25009e9605c6998.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (explorer.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (MsCtfMonitor.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, IoC, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MediaUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (AppLaunch.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Activex Application Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\MsCtfMonitor.exe" (MsCtfMonitor.exe)
Drops file in System32 directory (3 IoCs)
Processes (description, IoC, process):
- File created: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (AppLaunch.exe)
- File opened for modification: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (AppLaunch.exe)
- File opened for modification: C:\Windows\SysWOW64\MSDCSC\ (AppLaunch.exe)
Suspicious use of SetThreadContext (2 IoCs)
Processes (description, PID, process, target process):
- PID 5040 (explorer.exe) set thread context of PID 4892 (AppLaunch.exe)
- PID 1704 (rtscom.exe) set thread context of PID 1876 (AppLaunch.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
Processes (description, IoC, process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (AppLaunch.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (PID, process):
- 5040 explorer.exe (five entries)
- 1264 MsCtfMonitor.exe (one entry)
- 5040 explorer.exe (all remaining entries)
Suspicious behavior: RenamesItself (1 IoC)
Processes (PID, process):
- 2484 d87d4d7a0dbb25f084859b8512e23f2ef94589655f2cd417c25009e9605c6998.exe
Suspicious use of AdjustPrivilegeToken (52 IoCs)
Processes (token privilege, PID, process):
- SeDebugPrivilege: 2484 d87d4d7a0dbb25f084859b8512e23f2ef94589655f2cd417c25009e9605c6998.exe
- SeDebugPrivilege: 5040 explorer.exe
- 4892 AppLaunch.exe (24 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- SeDebugPrivilege: 1264 MsCtfMonitor.exe
- SeDebugPrivilege: 1704 rtscom.exe
- 1876 AppLaunch.exe (24 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of WriteProcessMemory (28 IoCs)
Processes (description, PID, process, target process):
- PID 2484 (d87d4d7a0dbb25f084859b8512e23f2ef94589655f2cd417c25009e9605c6998.exe) wrote to memory of PID 5040 (explorer.exe): 3 entries
- PID 5040 (explorer.exe) wrote to memory of PID 4892 (AppLaunch.exe): 8 entries
- PID 5040 (explorer.exe) wrote to memory of PID 1264 (MsCtfMonitor.exe): 3 entries
- PID 1264 (MsCtfMonitor.exe) wrote to memory of PID 1704 (rtscom.exe): 3 entries
- PID 4892 (AppLaunch.exe) wrote to memory of PID 4504 (msdcsc.exe): 3 entries
- PID 1704 (rtscom.exe) wrote to memory of PID 1876 (AppLaunch.exe): 8 entries
Processes (tree; bracketed number is the depth)
- [1] C:\Users\Admin\AppData\Local\Temp\d87d4d7a0dbb25f084859b8512e23f2ef94589655f2cd417c25009e9605c6998.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d87d4d7a0dbb25f084859b8512e23f2ef94589655f2cd417c25009e9605c6998.exe"
  - Checks computer location settings
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      - Modifies WinLogon for persistence
      - Adds Run key to start application
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        Command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
        - Executes dropped EXE
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\rtscom.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\rtscom.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\rtscom.exe
- Filesize: 820KB
- MD5: 7f0263ae88e07076889366970ce6147f
- SHA1: 84a669be1ad036f481be5bca379b6d962523342e
- SHA256: d87d4d7a0dbb25f084859b8512e23f2ef94589655f2cd417c25009e9605c6998
- SHA512: a8b02c7cfc7296f1eae5415c4aa4f4c8b1c02ad30ea7047f9eb7e79c3c9d677b4ca5a98a87a7d48c343e5bacbb7f157af91296bcc26ec75c1600e1a95ce304e2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe
- Filesize: 10KB
- MD5: 35d27e7f59c8f5513992c45176692cea
- SHA1: 995e3161e4aec8352944d8bd89bc39336ca7e5a2
- SHA256: 81b234bc8bfc469366ecf1e050b876499350decc68014d3c3aa35b61cf7562c6
- SHA512: 7d33964473172f385deac03edab825037003fdbfe88f5695ac1832804ed46d8b068c77b30c2742688f8cbb7b15b3c245f9a9a8ecb702a39b29a0dfa41ebcdede
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
- Filesize: 57KB
- MD5: 454501a66ad6e85175a6757573d79f8b
- SHA1: 8ca96c61f26a640a5b1b1152d055260b9d43e308
- SHA256: 7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8
- SHA512: 9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7
-
memory/1264-147-0x0000000000000000-mapping.dmp
- memory/1264-158-0x0000000074E50000-0x0000000075401000-memory.dmp (Filesize: 5.7MB)
- memory/1264-153-0x0000000074E50000-0x0000000075401000-memory.dmp (Filesize: 5.7MB)
- memory/1704-151-0x0000000000000000-mapping.dmp
- memory/1704-159-0x0000000074E50000-0x0000000075401000-memory.dmp (Filesize: 5.7MB)
- memory/1704-154-0x0000000074E50000-0x0000000075401000-memory.dmp (Filesize: 5.7MB)
- memory/1876-165-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/1876-164-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/1876-163-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/1876-160-0x0000000000000000-mapping.dmp
- memory/2484-135-0x0000000074E50000-0x0000000075401000-memory.dmp (Filesize: 5.7MB)
- memory/2484-138-0x0000000074E50000-0x0000000075401000-memory.dmp (Filesize: 5.7MB)
- memory/2484-136-0x0000000074E50000-0x0000000075401000-memory.dmp (Filesize: 5.7MB)
- memory/4504-155-0x0000000000000000-mapping.dmp
- memory/4892-141-0x0000000000000000-mapping.dmp
- memory/4892-146-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/4892-145-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/4892-144-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/4892-143-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/4892-142-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/5040-137-0x0000000000000000-mapping.dmp
- memory/5040-139-0x0000000074E50000-0x0000000075401000-memory.dmp (Filesize: 5.7MB)
- memory/5040-140-0x0000000074E50000-0x0000000075401000-memory.dmp (Filesize: 5.7MB)