Analysis
Max time kernel: 44s
Max time network: 49s
Platform: windows7_x64
Resource: win7-20220901-en
Resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
Submitted: 03-12-2022 06:43
Static task: static1
Behavioral task: behavioral1
Sample: b79e1b1c27f4d27629213c9cd6b348507e201a175f9e88b631a8fd51323311b4.exe
Resource: win7-20220901-en

General
Target: b79e1b1c27f4d27629213c9cd6b348507e201a175f9e88b631a8fd51323311b4.exe
Size: 474KB
MD5: 10d8db9c89b6b8d766a899da925517ae
SHA1: a7749810330ac5e76896eabe72fafa1b28924913
SHA256: b79e1b1c27f4d27629213c9cd6b348507e201a175f9e88b631a8fd51323311b4
SHA512: 763badf29a6554542aa8974e609a8d09e21a3ee535e5156977c06616071a70b1b1f2d4d3aa47ebf0713dbb847b56764b831495e9b148d02493651dd5977a6c26
SSDEEP: 12288:C2LVSjLqDJZMQzzdrikNOQsLr3dP7/JkHlpAuuVP427tDGTz:FLg29+QFriPQsLDhrJ2A5Vw27tqTz
Malware Config
Extracted
darkcomet
Guest16
hellobhaiji.no-ip.org:1604
DC_MUTEX-SE6LJZ8
InstallPath: MSDCSC\msdcsc.exe
gencode: mlhnz99gxBf3
install: true
offline_keylogger: true
password: 123456789
persistence: true
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
vbc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Executes dropped EXE (1 IoC)
Processes:
msdcsc.exe (PID 1540)

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exe (PID 1808), attrib.exe (PID 1584)
Resource / YARA rule:
behavioral1/memory/1628-56-0x0000000000400000-0x00000000004E8000-memory.dmp upx
behavioral1/memory/1628-58-0x0000000000400000-0x00000000004E8000-memory.dmp upx
behavioral1/memory/1628-60-0x0000000000400000-0x00000000004E8000-memory.dmp upx
behavioral1/memory/1628-62-0x0000000000400000-0x00000000004E8000-memory.dmp upx
behavioral1/memory/1628-65-0x0000000000400000-0x00000000004E8000-memory.dmp upx
behavioral1/memory/1628-66-0x0000000000400000-0x00000000004E8000-memory.dmp upx
behavioral1/memory/1628-67-0x0000000000400000-0x00000000004E8000-memory.dmp upx
behavioral1/memory/1628-78-0x0000000000400000-0x00000000004E8000-memory.dmp upx

Loads dropped DLL (1 IoC)
Processes:
vbc.exe (PID 1628)

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
vbc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Suspicious use of SetThreadContext (1 IoC)
Processes:
PID 1168 (b79e1b1c27f4d27629213c9cd6b348507e201a175f9e88b631a8fd51323311b4.exe) set thread context of PID 1628 (vbc.exe)

Drops file in Windows directory (2 IoCs)
Processes:
attrib.exe: File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727
attrib.exe: File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes:
vbc.exe (PID 1628), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory (46 IoCs)
Processes (unique parent/target pairs, with the number of recorded events):
PID 1168 (b79e1b1c27f4d27629213c9cd6b348507e201a175f9e88b631a8fd51323311b4.exe) wrote to memory of PID 1628 (vbc.exe): 8 events
PID 1628 (vbc.exe) wrote to memory of PID 1888 (cmd.exe): 4 events
PID 1628 (vbc.exe) wrote to memory of PID 1780 (cmd.exe): 4 events
PID 1628 (vbc.exe) wrote to memory of PID 1936 (notepad.exe): 18 events
PID 1888 (cmd.exe) wrote to memory of PID 1808 (attrib.exe): 4 events
PID 1780 (cmd.exe) wrote to memory of PID 1584 (attrib.exe): 4 events
PID 1628 (vbc.exe) wrote to memory of PID 1540 (msdcsc.exe): 4 events
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
attrib.exe (PID 1808), attrib.exe (PID 1584)
Processes (process tree; depth shown in parentheses)

(1) C:\Users\Admin\AppData\Local\Temp\b79e1b1c27f4d27629213c9cd6b348507e201a175f9e88b631a8fd51323311b4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b79e1b1c27f4d27629213c9cd6b348507e201a175f9e88b631a8fd51323311b4.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

  (2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Modifies WinLogon for persistence
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    (3) C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
        - Suspicious use of WriteProcessMemory

      (4) C:\Windows\SysWOW64\attrib.exe
          Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
          - Sets file to hidden
          - Drops file in Windows directory
          - Views/modifies file attributes

    (3) C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        - Suspicious use of WriteProcessMemory

      (4) C:\Windows\SysWOW64\attrib.exe
          Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
          - Sets file to hidden
          - Drops file in Windows directory
          - Views/modifies file attributes

    (3) C:\Windows\SysWOW64\notepad.exe
        Command line: notepad

    (3) C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize: 1.1MB
MD5: 34aa912defa18c2c129f1e09d75c1d7e
SHA1: 9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98