Analysis
-
max time kernel
180s -
max time network
205s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
03-12-2022 05:56
Static task
static1
Behavioral task
behavioral1
Sample
bffa061c4938a523859fe0e21a1dd79f85a98c751ca46153dc1199f7dde90e3a.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
bffa061c4938a523859fe0e21a1dd79f85a98c751ca46153dc1199f7dde90e3a.exe
Resource
win10v2004-20220812-en
General
-
Target
bffa061c4938a523859fe0e21a1dd79f85a98c751ca46153dc1199f7dde90e3a.exe
-
Size
1.7MB
-
MD5
5e653e5824314a011650dcc406b802cd
-
SHA1
011075687bac2bbb8c3a02f3a0f87c3bbabc09b4
-
SHA256
bffa061c4938a523859fe0e21a1dd79f85a98c751ca46153dc1199f7dde90e3a
-
SHA512
e044c714964fb8ac6aab53a3c6a305ec5e7406d351ef71b693ff70b156b1fb32d4eb83c9cfc9d8aeef4d56c0ec3594bc491abb71b8f69c7dae69ed547986f5cb
-
SSDEEP
24576:3fFT95vS0ErwXs8vmEHwfKss6U3RuFxDS:3tT9IbGYU3RuFx
Malware Config
Extracted
darkcomet
Guest16
qaz3.no-ip.info:81
DC_MUTEX-H49DYYJ
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
NWSuYEBfbuDN
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
762.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
process: 762.exe
-
Executes dropped EXE 2 IoCs
Processes:
762.exe, msdcsc.exe
pid process: 4412 762.exe; 920 msdcsc.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
762.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
process: 762.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
762.exe, msdcsc.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
process: 762.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
process: msdcsc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
762.exe
description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
process: 762.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
762.exe, msdcsc.exe
description pid process:
Token (pid 4412, 762.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Token (pid 920, msdcsc.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
msdcsc.exe
pid process: 920 msdcsc.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
bffa061c4938a523859fe0e21a1dd79f85a98c751ca46153dc1199f7dde90e3a.exe, 762.exe, cmd.exe, msdcsc.exe
description pid process target process:
PID 4764 wrote to memory of 4412: 4764 bffa061c4938a523859fe0e21a1dd79f85a98c751ca46153dc1199f7dde90e3a.exe -> 762.exe (x3)
PID 4412 wrote to memory of 4436: 4412 762.exe -> cmd.exe (x3)
PID 4436 wrote to memory of 1392: 4436 cmd.exe -> PING.EXE (x3)
PID 4412 wrote to memory of 920: 4412 762.exe -> msdcsc.exe (x3)
PID 920 wrote to memory of 2580: 920 msdcsc.exe -> iexplore.exe (x3)
PID 920 wrote to memory of 1724: 920 msdcsc.exe -> explorer.exe (x2)
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\bffa061c4938a523859fe0e21a1dd79f85a98c751ca46153dc1199f7dde90e3a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bffa061c4938a523859fe0e21a1dd79f85a98c751ca46153dc1199f7dde90e3a.exe"
  - Suspicious use of WriteProcessMemory
  -
  (depth 2) C:\Users\Admin\AppData\Local\Temp\762.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\762.exe
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\762.exe"
      - Suspicious use of WriteProcessMemory
      -
      (depth 4) C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 4
        - Runs ping.exe
    -
    (depth 3) C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      -
      (depth 4) C:\Program Files (x86)\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      -
      (depth 4) C:\Windows\explorer.exe
        Command line: "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\762.exe
Filesize 650KB
MD5 7a39ed01aadcbda714d825de690f75ca
SHA1 554b6d90d432648697e75bacc4b255c9c3be8230
SHA256 7ee19363c5446b3054fecbd7248c9fe6c91699fad49b3aff6b67fd386ccfb029
SHA512 e1c30de642de8abf9d43eb6cd94f1e179478d774c85976c1eedd23ebcc4ff28c415cfd7d71394c7068beb099cf44f70d2289ec7aa0df82118936b1de66d10183
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize 650KB
MD5 7a39ed01aadcbda714d825de690f75ca
SHA1 554b6d90d432648697e75bacc4b255c9c3be8230
SHA256 7ee19363c5446b3054fecbd7248c9fe6c91699fad49b3aff6b67fd386ccfb029
SHA512 e1c30de642de8abf9d43eb6cd94f1e179478d774c85976c1eedd23ebcc4ff28c415cfd7d71394c7068beb099cf44f70d2289ec7aa0df82118936b1de66d10183
-
memory/920-137-0x0000000000000000-mapping.dmp
-
memory/1392-136-0x0000000000000000-mapping.dmp
-
memory/1724-140-0x0000000000000000-mapping.dmp
-
memory/4412-132-0x0000000000000000-mapping.dmp
-
memory/4436-135-0x0000000000000000-mapping.dmp