Analysis

max time kernel: 180s
max time network: 206s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2022 04:07
Static task: static1

Behavioral task: behavioral1
  Sample: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
  Resource: win10v2004-20221111-en
General

Target: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
Size: 343KB
MD5: c6551e869e75447e6456095e6c6aeced
SHA1: 44b79feb248f0c1d68e9f4f61f43050280e8672a
SHA256: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5
SHA512: 965aa351ec316b187c92ed0ce065db56b813e52f31abd391f593b4215b443300f8355889b8eb66e896f9fcdc0fd87511d55c734e785459d047ebf4e0a0db00fe
SSDEEP: 6144:fUPCHRSrGCFGMQZhKYWqdRBYn58JOBGmtMCANkRfX90OO1+JCl+aL5n:Xx2GiGMBHqhYOJONtMCesfXlKXll
Malware Config

Extracted
  Family: darkcomet
  Botnet: 13.07.12 Crypter
  C2: leetaka1337.no-ip.org:1604
  Mutex: DC_MUTEX-JFX5RP1
  Attributes:
    InstallPath: MSDCSC\winhost.exe
    gencode: lCnq6VNbar2M
    install: true
    offline_keylogger: true
    persistence: false
    reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe"
  process: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe

Executes dropped EXE (3 IoCs)
Processes: STUB.EXE, winhost.exe, winhost.exe
  pid 3220  STUB.EXE
  pid 1296  winhost.exe
  pid 1916  winhost.exe

Processes (resource, yara_rule):
  behavioral2/memory/4408-133-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral2/memory/4408-134-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral2/memory/4408-135-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral2/memory/4408-137-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral2/memory/4408-138-0x0000000000400000-0x00000000004C2000-memory.dmp  upx

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
  process: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\winhost.exe"
  process: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe

Drops file in System32 directory (3 IoCs)
Processes: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
  File created                C:\Windows\SysWOW64\MSDCSC\winhost.exe  d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
  File opened for modification  C:\Windows\SysWOW64\MSDCSC\winhost.exe  d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
  File opened for modification  C:\Windows\SysWOW64\MSDCSC\  d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe, winhost.exe
  PID 5068 set thread context of 4408  (d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe -> d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe)
  PID 1296 set thread context of 1916  (winhost.exe -> winhost.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
Processes: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  process: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: winhost.exe
  pid 1916  winhost.exe

Suspicious use of AdjustPrivilegeToken (50 IoCs)
Processes: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe (PIDs 5068, 4408), winhost.exe (PIDs 1296, 1916)
  PID 5068 d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe: SeDebugPrivilege
  PID 4408 d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 1296 winhost.exe: SeDebugPrivilege
  PID 1916 winhost.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: winhost.exe
  pid 1916  winhost.exe

Suspicious use of WriteProcessMemory (22 IoCs)
Processes: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe (PIDs 5068, 4408), winhost.exe (PID 1296)
  PID 5068 wrote to memory of 4408  (d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe -> d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe), 8 events
  PID 4408 wrote to memory of 3220  (d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe -> STUB.EXE), 3 events
  PID 4408 wrote to memory of 1296  (d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe -> winhost.exe), 3 events
  PID 1296 wrote to memory of 1916  (winhost.exe -> winhost.exe), 8 events
Processes

1. C:\Users\Admin\AppData\Local\Temp\d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
      command line: C:\Users\Admin\AppData\Local\Temp\d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
      - Modifies WinLogon for persistence
      - Checks computer location settings
      - Adds Run key to start application
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\STUB.EXE
         command line: "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
         - Executes dropped EXE

      3. C:\Windows\SysWOW64\MSDCSC\winhost.exe
         command line: "C:\Windows\system32\MSDCSC\winhost.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\MSDCSC\winhost.exe
            command line: C:\Windows\SysWOW64\MSDCSC\winhost.exe
            - Executes dropped EXE
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Downloads

C:\Users\Admin\AppData\Local\Temp\STUB.EXE
  Filesize: 47KB
  MD5: 6e9ee67b3cceaf1fc3bd53a9c33a3cc7
  SHA1: 1ce7d9f73b9da92385ec41e416d2cf7a6f2ccc03
  SHA256: e9509d87ec53efda131c636fe729180eea8c48850693f0c800fc04f88f5960bb
  SHA512: 6ee77b3d3238e1507ab83f57fa06b88b384b5d8a804a27d93aab30622166b1bedd4796ec30c8dfca3b9085d41c69fd064014e0a424a79e9e8f15b79c6568fb1c
C:\Windows\SysWOW64\MSDCSC\winhost.exe
  Filesize: 343KB
  MD5: c6551e869e75447e6456095e6c6aeced
  SHA1: 44b79feb248f0c1d68e9f4f61f43050280e8672a
  SHA256: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5
  SHA512: 965aa351ec316b187c92ed0ce065db56b813e52f31abd391f593b4215b443300f8355889b8eb66e896f9fcdc0fd87511d55c734e785459d047ebf4e0a0db00fe
Memory dumps (path, filesize):
  memory/1296-151-0x0000000072980000-0x0000000072F31000-memory.dmp  5.7MB
  memory/1296-146-0x0000000072980000-0x0000000072F31000-memory.dmp  5.7MB
  memory/1296-143-0x0000000000000000-mapping.dmp
  memory/1916-147-0x0000000000000000-mapping.dmp
  memory/3220-142-0x0000000074010000-0x00000000745C1000-memory.dmp  5.7MB
  memory/3220-139-0x0000000000000000-mapping.dmp
  memory/3220-156-0x0000000074010000-0x00000000745C1000-memory.dmp  5.7MB
  memory/4408-132-0x0000000000000000-mapping.dmp
  memory/4408-138-0x0000000000400000-0x00000000004C2000-memory.dmp  776KB
  memory/4408-137-0x0000000000400000-0x00000000004C2000-memory.dmp  776KB
  memory/4408-135-0x0000000000400000-0x00000000004C2000-memory.dmp  776KB
  memory/4408-134-0x0000000000400000-0x00000000004C2000-memory.dmp  776KB
  memory/4408-133-0x0000000000400000-0x00000000004C2000-memory.dmp  776KB
  memory/5068-136-0x00000000751D0000-0x0000000075781000-memory.dmp  5.7MB
  memory/5068-155-0x00000000751D0000-0x0000000075781000-memory.dmp  5.7MB