Analysis
- max time kernel: 153s
- max time network: 163s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2022 05:56

Static task: static1

Behavioral task: behavioral1
- Sample: bffa061c4938a523859fe0e21a1dd79f85a98c751ca46153dc1199f7dde90e3a.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: bffa061c4938a523859fe0e21a1dd79f85a98c751ca46153dc1199f7dde90e3a.exe
- Resource: win10v2004-20220812-en
General
- Target: bffa061c4938a523859fe0e21a1dd79f85a98c751ca46153dc1199f7dde90e3a.exe
- Size: 1.7MB
- MD5: 5e653e5824314a011650dcc406b802cd
- SHA1: 011075687bac2bbb8c3a02f3a0f87c3bbabc09b4
- SHA256: bffa061c4938a523859fe0e21a1dd79f85a98c751ca46153dc1199f7dde90e3a
- SHA512: e044c714964fb8ac6aab53a3c6a305ec5e7406d351ef71b693ff70b156b1fb32d4eb83c9cfc9d8aeef4d56c0ec3594bc491abb71b8f69c7dae69ed547986f5cb
- SSDEEP: 24576:3fFT95vS0ErwXs8vmEHwfKss6U3RuFxDS:3tT9IbGYU3RuFx
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: qaz3.no-ip.info:81
- Mutex: DC_MUTEX-H49DYYJ
- InstallPath: MSDCSC\msdcsc.exe
- gencode: NWSuYEBfbuDN
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes:
  - 605.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Executes dropped EXE (2 IoCs)
  Processes:
  - 605.exe (PID 1296)
  - msdcsc.exe (PID 1468)
- Loads dropped DLL (2 IoCs)
  Processes:
  - 605.exe (PID 1296), 2 events
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - msdcsc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  - 605.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes:
  - 605.exe (PID 1296), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  - msdcsc.exe (PID 1468), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - msdcsc.exe (PID 1468)
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (source PID -> target PID, source process -> target process; each pair recorded 4 times):
  - 1016 -> 1296: bffa061c4938a523859fe0e21a1dd79f85a98c751ca46153dc1199f7dde90e3a.exe -> 605.exe (x4)
  - 1296 -> 1044: 605.exe -> cmd.exe (x4)
  - 1044 -> 1872: cmd.exe -> PING.EXE (x4)
  - 1296 -> 1468: 605.exe -> msdcsc.exe (x4)
  - 1468 -> 988: msdcsc.exe -> iexplore.exe (x4)
  - 1468 -> 1548: msdcsc.exe -> explorer.exe (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\bffa061c4938a523859fe0e21a1dd79f85a98c751ca46153dc1199f7dde90e3a.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bffa061c4938a523859fe0e21a1dd79f85a98c751ca46153dc1199f7dde90e3a.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\605.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\605.exe
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\605.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE (level 4)
        Command line: ping 127.0.0.1 -n 4
        - Runs ping.exe
    - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (level 3)
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe (level 4)
        Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - C:\Windows\explorer.exe (level 4)
        Command line: "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\605.exe
  Filesize: 650KB
  MD5: 7a39ed01aadcbda714d825de690f75ca
  SHA1: 554b6d90d432648697e75bacc4b255c9c3be8230
  SHA256: 7ee19363c5446b3054fecbd7248c9fe6c91699fad49b3aff6b67fd386ccfb029
  SHA512: e1c30de642de8abf9d43eb6cd94f1e179478d774c85976c1eedd23ebcc4ff28c415cfd7d71394c7068beb099cf44f70d2289ec7aa0df82118936b1de66d10183
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 650KB
  MD5: 7a39ed01aadcbda714d825de690f75ca
  SHA1: 554b6d90d432648697e75bacc4b255c9c3be8230
  SHA256: 7ee19363c5446b3054fecbd7248c9fe6c91699fad49b3aff6b67fd386ccfb029
  SHA512: e1c30de642de8abf9d43eb6cd94f1e179478d774c85976c1eedd23ebcc4ff28c415cfd7d71394c7068beb099cf44f70d2289ec7aa0df82118936b1de66d10183
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 650KB
  MD5: 7a39ed01aadcbda714d825de690f75ca
  SHA1: 554b6d90d432648697e75bacc4b255c9c3be8230
  SHA256: 7ee19363c5446b3054fecbd7248c9fe6c91699fad49b3aff6b67fd386ccfb029
  SHA512: e1c30de642de8abf9d43eb6cd94f1e179478d774c85976c1eedd23ebcc4ff28c415cfd7d71394c7068beb099cf44f70d2289ec7aa0df82118936b1de66d10183
- memory/1016-54-0x000007FEF3F40000-0x000007FEF4963000-memory.dmp
  Filesize: 10.1MB
- memory/1044-59-0x0000000000000000-mapping.dmp
- memory/1296-55-0x0000000000000000-mapping.dmp
- memory/1296-57-0x00000000756B1000-0x00000000756B3000-memory.dmp
  Filesize: 8KB
- memory/1468-63-0x0000000000000000-mapping.dmp
- memory/1872-60-0x0000000000000000-mapping.dmp