Analysis
max time kernel: 219s
max time network: 257s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 03-12-2022 04:07
Static task: static1
Behavioral task: behavioral1
  Sample: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
  Resource: win10v2004-20221111-en
General
Target: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
Size: 343KB
MD5: c6551e869e75447e6456095e6c6aeced
SHA1: 44b79feb248f0c1d68e9f4f61f43050280e8672a
SHA256: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5
SHA512: 965aa351ec316b187c92ed0ce065db56b813e52f31abd391f593b4215b443300f8355889b8eb66e896f9fcdc0fd87511d55c734e785459d047ebf4e0a0db00fe
SSDEEP: 6144:fUPCHRSrGCFGMQZhKYWqdRBYn58JOBGmtMCANkRfX90OO1+JCl+aL5n:Xx2GiGMBHqhYOJONtMCesfXlKXll
Malware Config
Extracted
Family: darkcomet
Version: 13.07.12 Crypter
C2: leetaka1337.no-ip.org:1604
Mutex: DC_MUTEX-JFX5RP1
Attributes:
  InstallPath: MSDCSC\winhost.exe
  gencode: lCnq6VNbar2M
  install: true
  offline_keylogger: true
  persistence: false
  reg_key: MicroUpdate
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe"
  process: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
Executes dropped EXE (3 IoCs)
Processes: STUB.EXE, winhost.exe, winhost.exe
  pid 364   process STUB.EXE
  pid 1348  process winhost.exe
  pid 904   process winhost.exe
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/1324-57-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/1324-59-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/1324-60-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/1324-62-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/1324-65-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/1324-66-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/1324-67-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
Loads dropped DLL (4 IoCs)
Processes: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
  pid 1324  process d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe  (4 entries)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\winhost.exe"
  process: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
Drops file in System32 directory (3 IoCs)
Processes: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
  description                   ioc                                       process
  File created                  C:\Windows\SysWOW64\MSDCSC\winhost.exe    d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
  File opened for modification  C:\Windows\SysWOW64\MSDCSC\winhost.exe    d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
  File opened for modification  C:\Windows\SysWOW64\MSDCSC\               d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe, winhost.exe
  PID 948 set thread context of 1324   process d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe  target process d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
  PID 1348 set thread context of 904   process winhost.exe  target process winhost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: winhost.exe
  pid 904  process winhost.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe, d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe, winhost.exe, winhost.exe
  pid 948 (d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe):
    Token: SeDebugPrivilege
  pid 1324 (d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe):
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  pid 1348 (winhost.exe):
    Token: SeDebugPrivilege
  pid 904 (winhost.exe):
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: winhost.exe
  pid 904  process winhost.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe, d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe, winhost.exe
  PID 948 wrote to memory of 1324   process d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe  target process d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe  (8 entries)
  PID 1324 wrote to memory of 364   process d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe  target process STUB.EXE  (4 entries)
  PID 1324 wrote to memory of 1348  process d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe  target process winhost.exe  (4 entries)
  PID 1348 wrote to memory of 904   process winhost.exe  target process winhost.exe  (8 entries)
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
    command line: C:\Users\Admin\AppData\Local\Temp\d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Users\Admin\AppData\Local\Temp\STUB.EXE
      command line: "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
      - Executes dropped EXE
    (depth 3) C:\Windows\SysWOW64\MSDCSC\winhost.exe
      command line: "C:\Windows\system32\MSDCSC\winhost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\SysWOW64\MSDCSC\winhost.exe
        command line: C:\Windows\SysWOW64\MSDCSC\winhost.exe
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\STUB.EXE
  Filesize: 47KB
  MD5: 6e9ee67b3cceaf1fc3bd53a9c33a3cc7
  SHA1: 1ce7d9f73b9da92385ec41e416d2cf7a6f2ccc03
  SHA256: e9509d87ec53efda131c636fe729180eea8c48850693f0c800fc04f88f5960bb
  SHA512: 6ee77b3d3238e1507ab83f57fa06b88b384b5d8a804a27d93aab30622166b1bedd4796ec30c8dfca3b9085d41c69fd064014e0a424a79e9e8f15b79c6568fb1c
C:\Windows\SysWOW64\MSDCSC\winhost.exe
  Filesize: 343KB
  MD5: c6551e869e75447e6456095e6c6aeced
  SHA1: 44b79feb248f0c1d68e9f4f61f43050280e8672a
  SHA256: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5
  SHA512: 965aa351ec316b187c92ed0ce065db56b813e52f31abd391f593b4215b443300f8355889b8eb66e896f9fcdc0fd87511d55c734e785459d047ebf4e0a0db00fe
\Users\Admin\AppData\Local\Temp\STUB.EXE
  Filesize: 47KB
  MD5: 6e9ee67b3cceaf1fc3bd53a9c33a3cc7
  SHA1: 1ce7d9f73b9da92385ec41e416d2cf7a6f2ccc03
  SHA256: e9509d87ec53efda131c636fe729180eea8c48850693f0c800fc04f88f5960bb
  SHA512: 6ee77b3d3238e1507ab83f57fa06b88b384b5d8a804a27d93aab30622166b1bedd4796ec30c8dfca3b9085d41c69fd064014e0a424a79e9e8f15b79c6568fb1c
\Windows\SysWOW64\MSDCSC\winhost.exe
  Filesize: 343KB
  MD5: c6551e869e75447e6456095e6c6aeced
  SHA1: 44b79feb248f0c1d68e9f4f61f43050280e8672a
  SHA256: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5
  SHA512: 965aa351ec316b187c92ed0ce065db56b813e52f31abd391f593b4215b443300f8355889b8eb66e896f9fcdc0fd87511d55c734e785459d047ebf4e0a0db00fe
memory/364-74-0x0000000074260000-0x000000007480B000-memory.dmp    Filesize: 5.7MB
memory/364-70-0x0000000000000000-mapping.dmp
memory/904-88-0x00000000004C05C0-mapping.dmp
memory/904-97-0x000000000047E000-0x00000000004C1000-memory.dmp    Filesize: 268KB
memory/904-98-0x000000000047E000-0x00000000004C1000-memory.dmp    Filesize: 268KB
memory/948-54-0x0000000075D51000-0x0000000075D53000-memory.dmp    Filesize: 8KB
memory/948-63-0x0000000074920000-0x0000000074ECB000-memory.dmp    Filesize: 5.7MB
memory/948-55-0x0000000074920000-0x0000000074ECB000-memory.dmp    Filesize: 5.7MB
memory/1324-62-0x0000000000400000-0x00000000004C2000-memory.dmp   Filesize: 776KB
memory/1324-96-0x000000000047E000-0x00000000004C1000-memory.dmp   Filesize: 268KB
memory/1324-67-0x0000000000400000-0x00000000004C2000-memory.dmp   Filesize: 776KB
memory/1324-66-0x0000000000400000-0x00000000004C2000-memory.dmp   Filesize: 776KB
memory/1324-56-0x0000000000400000-0x00000000004C2000-memory.dmp   Filesize: 776KB
memory/1324-65-0x0000000000400000-0x00000000004C2000-memory.dmp   Filesize: 776KB
memory/1324-61-0x00000000004C05C0-mapping.dmp
memory/1324-75-0x000000000047E000-0x00000000004C1000-memory.dmp   Filesize: 268KB
memory/1324-60-0x0000000000400000-0x00000000004C2000-memory.dmp   Filesize: 776KB
memory/1324-59-0x0000000000400000-0x00000000004C2000-memory.dmp   Filesize: 776KB
memory/1324-57-0x0000000000400000-0x00000000004C2000-memory.dmp   Filesize: 776KB
memory/1348-83-0x00000000731A0000-0x000000007374B000-memory.dmp   Filesize: 5.7MB
memory/1348-91-0x00000000731A0000-0x000000007374B000-memory.dmp   Filesize: 5.7MB
memory/1348-78-0x0000000000000000-mapping.dmp