Analysis

max time kernel: 192s
max time network: 198s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2022 04:54
Static task: static1

Behavioral task: behavioral1
  Sample: cb2422fee19846491846526008f4b73d17d8d20bf5c9fc9d161c5492b33c1a72.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: cb2422fee19846491846526008f4b73d17d8d20bf5c9fc9d161c5492b33c1a72.exe
  Resource: win10v2004-20221111-en
General

Target: cb2422fee19846491846526008f4b73d17d8d20bf5c9fc9d161c5492b33c1a72.exe
Size: 720KB
MD5: 6ba4a7256ec1bfc7df3ce97b038780d1
SHA1: 35e84eaad0f438beed9b4ac93cabf89275afe821
SHA256: cb2422fee19846491846526008f4b73d17d8d20bf5c9fc9d161c5492b33c1a72
SHA512: 941ea136b35f574c73fb4c3a763909060c02c4abce8b1e0ba8348df1cd49516f30d6ef766363435748b38a1a460dd2b580f240a2020736382501511efaecc73e
SSDEEP: 12288:jrayyPRqmsl1nbsemjtyhunREl8QmElwRB7nR8dyV5pwEaKrj0izflO:kQDlJmjtyhuWlzlibR8dyuEaKj0iz9
Malware Config

Extracted
  Family: darkcomet
  Botnet: naam
  C2: namuna.zapto.org:5000
  Mutex: DCMIN_MUTEX-NWZN7WB
  Attributes:
    InstallPath: MSDCSC\svchost.exe
    gencode: rghasalJMHfn
    install: true
    offline_keylogger: true
    persistence: false
    reg_key: rundll.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: cb2422fee19846491846526008f4b73d17d8d20bf5c9fc9d161c5492b33c1a72.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\svchost.exe"

Executes dropped EXE (2 IoCs)
  PID 3044 svchost.exe
  PID 3876 svchost.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: cb2422fee19846491846526008f4b73d17d8d20bf5c9fc9d161c5492b33c1a72.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: cb2422fee19846491846526008f4b73d17d8d20bf5c9fc9d161c5492b33c1a72.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll.exe = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\svchost.exe"

Suspicious use of SetThreadContext (2 IoCs)
  PID 2928 (cb2422fee19846491846526008f4b73d17d8d20bf5c9fc9d161c5492b33c1a72.exe) set thread context of 3180 (cb2422fee19846491846526008f4b73d17d8d20bf5c9fc9d161c5492b33c1a72.exe)
  PID 3044 (svchost.exe) set thread context of 3876 (svchost.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  PID 3180 (cb2422fee19846491846526008f4b73d17d8d20bf5c9fc9d161c5492b33c1a72.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 3876 (svchost.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3876 svchost.exe

Suspicious use of WriteProcessMemory (31 IoCs)
  PID 2928 (cb2422fee19846491846526008f4b73d17d8d20bf5c9fc9d161c5492b33c1a72.exe) wrote to memory of 3180 (cb2422fee19846491846526008f4b73d17d8d20bf5c9fc9d161c5492b33c1a72.exe): 14 events
  PID 3180 (cb2422fee19846491846526008f4b73d17d8d20bf5c9fc9d161c5492b33c1a72.exe) wrote to memory of 3044 (svchost.exe): 3 events
  PID 3044 (svchost.exe) wrote to memory of 3876 (svchost.exe): 14 events
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\cb2422fee19846491846526008f4b73d17d8d20bf5c9fc9d161c5492b33c1a72.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb2422fee19846491846526008f4b73d17d8d20bf5c9fc9d161c5492b33c1a72.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\cb2422fee19846491846526008f4b73d17d8d20bf5c9fc9d161c5492b33c1a72.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\cb2422fee19846491846526008f4b73d17d8d20bf5c9fc9d161c5492b33c1a72.exe
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe
      Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      Level 4: C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe
        Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Downloads

File: C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe
  Filesize: 720KB
  MD5: 6ba4a7256ec1bfc7df3ce97b038780d1
  SHA1: 35e84eaad0f438beed9b4ac93cabf89275afe821
  SHA256: cb2422fee19846491846526008f4b73d17d8d20bf5c9fc9d161c5492b33c1a72
  SHA512: 941ea136b35f574c73fb4c3a763909060c02c4abce8b1e0ba8348df1cd49516f30d6ef766363435748b38a1a460dd2b580f240a2020736382501511efaecc73e
Memory dumps:
  memory/2928-134-0x0000000000530000-0x0000000000534000-memory.dmp, Filesize: 16KB
  memory/3044-138-0x0000000000000000-mapping.dmp
  memory/3180-135-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
  memory/3180-137-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
  memory/3180-136-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
  memory/3180-132-0x0000000000000000-mapping.dmp
  memory/3180-143-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
  memory/3180-133-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
  memory/3876-141-0x0000000000000000-mapping.dmp
  memory/3876-146-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
  memory/3876-147-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
  memory/3876-148-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB