Analysis
- max time kernel: 156s
- max time network: 188s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2022 06:43
Static task: static1
Behavioral task: behavioral1
Sample: b79e1b1c27f4d27629213c9cd6b348507e201a175f9e88b631a8fd51323311b4.exe
Resource: win7-20220901-en
General
- Target: b79e1b1c27f4d27629213c9cd6b348507e201a175f9e88b631a8fd51323311b4.exe
- Size: 474KB
- MD5: 10d8db9c89b6b8d766a899da925517ae
- SHA1: a7749810330ac5e76896eabe72fafa1b28924913
- SHA256: b79e1b1c27f4d27629213c9cd6b348507e201a175f9e88b631a8fd51323311b4
- SHA512: 763badf29a6554542aa8974e609a8d09e21a3ee535e5156977c06616071a70b1b1f2d4d3aa47ebf0713dbb847b56764b831495e9b148d02493651dd5977a6c26
- SSDEEP: 12288:C2LVSjLqDJZMQzzdrikNOQsLr3dP7/JkHlpAuuVP427tDGTz:FLg29+QFriPQsLDhrJ2A5Vw27tqTz
Malware Config
Extracted
- Family: darkcomet
- Botnet (campaign ID): Guest16
- C2: hellobhaiji.no-ip.org:1604 (a dynamic-DNS host on DarkComet's default port)
- Mutex: DC_MUTEX-SE6LJZ8
- InstallPath: MSDCSC\msdcsc.exe
- gencode: mlhnz99gxBf3
- install: true
- offline_keylogger: true
- password: 123456789 (the key DarkComet uses to encrypt its C2 traffic)
- persistence: true
- reg_key: MicroUpdate

The InstallPath and reg_key values line up with the behaviour recorded under Signatures: the implant is written to C:\Users\Admin\Documents\MSDCSC\msdcsc.exe and registered both in the Winlogon UserInit value and under a Run value named MicroUpdate.
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: vbc.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Executes dropped EXE (1 IoC)
Process: msdcsc.exe (PID 4032)

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe (PID 2452), attrib.exe (PID 4068)

YARA rule match: upx
Matched in the memory of PID 676 at 0x0000000000400000-0x00000000004E8000 in dumps behavioral2/memory/676-133, 676-134, 676-135, 676-137, 676-138 and 676-148 (each ...-0x0000000000400000-0x00000000004E8000-memory.dmp)
Uses the VBS compiler for execution (1 TTP)
vbc.exe is the Visual Basic .NET command-line compiler shipped in the .NET Framework 2.0 directory. In this run it is started with no arguments (see the process tree) and is the target of the SetThreadContext and WriteProcessMemory activity recorded below, which together with the UPX-packed region at 0x400000 in PID 676 is consistent with the sample using it as a host process for its payload.
Adds Run key to start application (2 TTPs, 1 IoC)
Process: vbc.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
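The two registry writes above are the whole persistence story for this sample: one entry appended to the Winlogon UserInit value, one Run value. The following is an added example (not part of the sandbox report) of the check a detection engineer would run over such records. It parses "Set value" lines in the report's own format (a live pipeline would take the TargetObject/Details fields of Sysmon Event ID 13 instead); the sample lines, the MITRE sub-technique labels and the user-writable path list are this example's own assumptions.

```python
"""Detect Winlogon UserInit and Run-key persistence writes like the ones above.

Added example, not part of the sandbox report. Flags (a) any program appended
to the Winlogon UserInit value beyond the stock userinit.exe and (b) Run/RunOnce
values that point into user-writable locations.
"""
import re

# The stock value. Windows runs everything after the trailing comma at every
# interactive logon, which is what the report's UserInit write abuses.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Path fragments an unprivileged user can write to. A Run value pointing here
# is not proof of malice, but it is where droppers install themselves.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")

# Matches the report's  Set value (str) <key> = "<data>"  lines.
EVENT_RE = re.compile(r'^Set value \((?P<vtype>\w+)\) (?P<key>.+?) = "(?P<data>.*)"$')
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\")

# Constructed sample: the two IoCs from the report plus a benign UserInit write
# (default value only) to show the rule does not fire on it.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"',
]


def parse_event(line):
    """Return {'key', 'data'} for a Set value line, or None if it is not one."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    # The report escapes backslashes inside the quoted data; undo that.
    return {"key": m.group("key"), "data": m.group("data").replace("\\\\", "\\")}


def userinit_extras(data):
    """Entries in a UserInit value other than the stock userinit.exe."""
    parts = [p.strip().strip('"') for p in data.split(",")]
    return [p for p in parts if p and p.lower() != DEFAULT_USERINIT]


def analyze(lines):
    """Return (technique, details) findings for the persistence writes in lines."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key_l = ev["key"].lower()
        if key_l.endswith("\\winlogon\\userinit"):
            extras = userinit_extras(ev["data"])
            if extras:
                findings.append(("T1547.004 Winlogon UserInit", extras))
        elif RUN_KEY_RE.search(key_l):
            value_name = ev["key"].rsplit("\\", 1)[-1]
            target = ev["data"].strip('"')
            if any(frag in target.lower() for frag in USER_WRITABLE):
                findings.append(("T1547.001 Run key", [f"{value_name} -> {target}"]))
    return findings


if __name__ == "__main__":
    for technique, details in analyze(SAMPLE_EVENTS):
        print(technique, details)
```

The UserInit check compares against the exact default path rather than just the file name, because an attacker can drop their own userinit.exe elsewhere and append that; on a real host expand %SystemRoot% before comparing so non-standard drive letters do not cause false positives.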
Suspicious use of SetThreadContext (1 IoC)
Process: b79e1b1c27f4d27629213c9cd6b348507e201a175f9e88b631a8fd51323311b4.exe (PID 1612) set the thread context of PID 676 (vbc.exe)

Drops file in Windows directory (2 IoCs)
Process: attrib.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727

Modifies registry class (1 IoC)
Process: vbc.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Process: vbc.exe (PID 676) adjusted the following token privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35, 36

Suspicious use of WriteProcessMemory (40 IoCs)
The 40 recorded calls, grouped by source and target process (order as recorded):
  Source PID  Source image                                                               Target PID  Target image   Writes
  1612        b79e1b1c27f4d27629213c9cd6b348507e201a175f9e88b631a8fd51323311b4.exe     676         vbc.exe        8
  676         vbc.exe                                                                    2196        cmd.exe        3
  676         vbc.exe                                                                    1332        cmd.exe        3
  676         vbc.exe                                                                    3492        notepad.exe    17
  2196        cmd.exe                                                                    2452        attrib.exe     3
  1332        cmd.exe                                                                    4068        attrib.exe     3
  676         vbc.exe                                                                    4032        msdcsc.exe     3

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe (PID 2452), attrib.exe (PID 4068)
Processes
Each entry gives the image path, the command line as observed, and the signatures that fired in that process; nesting shows the parent/child relationship. The cmd.exe, attrib.exe and notepad.exe children run from C:\Windows\SysWOW64 even though the command lines name System32: they are started by the 32-bit vbc.exe host, so WoW64 file-system redirection applies.

1. C:\Users\Admin\AppData\Local\Temp\b79e1b1c27f4d27629213c9cd6b348507e201a175f9e88b631a8fd51323311b4.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\b79e1b1c27f4d27629213c9cd6b348507e201a175f9e88b631a8fd51323311b4.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Modifies WinLogon for persistence
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\attrib.exe
            command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
            - Sets file to hidden
            - Drops file in Windows directory
            - Views/modifies file attributes
      3. C:\Windows\SysWOW64\cmd.exe
         command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\attrib.exe
            command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            - Sets file to hidden
            - Drops file in Windows directory
            - Views/modifies file attributes
      3. C:\Windows\SysWOW64\notepad.exe
         command line: notepad
      3. C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
         command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
         - Executes dropped EXE
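The process tree and the WriteProcessMemory/SetThreadContext signatures together show the pattern worth alerting on: an untrusted executable writes eight times into a freshly started, argument-less Windows binary (vbc.exe) and then resets its thread context, after which that binary does the real work, including seventeen further writes into notepad.exe. The following is an added example (not part of the sandbox report) of how to score such call records. The event tuples are constructed to mirror the report's PIDs, images and call counts; the tuple layout, the noise threshold and the verdict names are this example's own assumptions, not a sandbox or Sysmon schema.

```python
"""Score cross-process memory writes for process hollowing and injection.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's WriteProcessMemory and SetThreadContext tables.
"""
from collections import defaultdict

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\b79e1b1c27f4d27629213c9cd6b348507e201a175f9e88b631a8fd51323311b4.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
ATTRIB = r"C:\Windows\SysWOW64\attrib.exe"
NOTEPAD = r"C:\Windows\SysWOW64\notepad.exe"
MSDCSC = r"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"


def _rec(api, spid, simg, tpid, timg, n=1):
    """n identical records of (api, source pid, source image, target pid, target image)."""
    return [(api, spid, simg, tpid, timg)] * n


# Constructed to match the report, in the order the sandbox recorded the calls.
EVENTS = (
    _rec("WriteProcessMemory", 1612, DROPPER, 676, VBC, 8)
    + _rec("SetThreadContext", 1612, DROPPER, 676, VBC)
    + _rec("WriteProcessMemory", 676, VBC, 2196, CMD, 3)
    + _rec("WriteProcessMemory", 676, VBC, 1332, CMD, 3)
    + _rec("WriteProcessMemory", 676, VBC, 3492, NOTEPAD, 17)
    + _rec("WriteProcessMemory", 2196, CMD, 2452, ATTRIB, 3)
    + _rec("WriteProcessMemory", 1332, CMD, 4068, ATTRIB, 3)
    + _rec("WriteProcessMemory", 676, VBC, 4032, MSDCSC, 3)
)

# Starting a child normally costs the parent a few WriteProcessMemory calls
# (the sandbox counts three for each cmd.exe/attrib.exe start above), so that
# many writes without a SetThreadContext are treated as launch noise.
CREATE_NOISE = 3
TRUSTED_PREFIX = "c:\\windows\\"


def score_pairs(events):
    """Return one finding per (source, target) pair that looks like hollowing or injection."""
    writes = defaultdict(int)
    context_set = set()
    image = {}
    for api, spid, simg, tpid, timg in events:
        image[spid], image[tpid] = simg, timg
        if api == "WriteProcessMemory":
            writes[(spid, tpid)] += 1
        elif api == "SetThreadContext":
            context_set.add((spid, tpid))

    findings = []
    for (spid, tpid), n in sorted(writes.items()):
        src_trusted = image[spid].lower().startswith(TRUSTED_PREFIX)
        tgt_trusted = image[tpid].lower().startswith(TRUSTED_PREFIX)
        if (spid, tpid) in context_set and tgt_trusted and not src_trusted:
            # Untrusted parent writes into a Windows binary and then rewrites
            # its thread context: the classic hollowing sequence.
            verdict = "process hollowing"
        elif (spid, tpid) in context_set:
            verdict = "thread context hijack"
        elif n > CREATE_NOISE:
            # Sustained writes into a running process with no context change.
            verdict = "memory injection"
        else:
            continue
        findings.append({"source_pid": spid, "source": image[spid],
                         "target_pid": tpid, "target": image[tpid],
                         "writes": n, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in score_pairs(EVENTS):
        print(f"{f['verdict']}: {f['source_pid']} -> {f['target_pid']} ({f['writes']} writes)")
```

On the report's data this yields two findings: the dropper hollowing vbc.exe (8 writes plus SetThreadContext) and vbc.exe injecting into notepad.exe (17 writes). The three-write launches of cmd.exe, attrib.exe and msdcsc.exe are dropped as ordinary CreateProcess noise; tune CREATE_NOISE to what your own telemetry shows for a plain process start.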
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
- memory/676-133-0x0000000000400000-0x00000000004E8000-memory.dmp, Filesize: 928KB
- memory/676-134-0x0000000000400000-0x00000000004E8000-memory.dmp, Filesize: 928KB
- memory/676-135-0x0000000000400000-0x00000000004E8000-memory.dmp, Filesize: 928KB
- memory/676-137-0x0000000000400000-0x00000000004E8000-memory.dmp, Filesize: 928KB
- memory/676-138-0x0000000000400000-0x00000000004E8000-memory.dmp, Filesize: 928KB
- memory/676-132-0x0000000000000000-mapping.dmp
- memory/676-148-0x0000000000400000-0x00000000004E8000-memory.dmp, Filesize: 928KB
- memory/1332-141-0x0000000000000000-mapping.dmp
- memory/1612-136-0x00000000748F0000-0x0000000074EA1000-memory.dmp, Filesize: 5.7MB
- memory/1612-139-0x00000000748F0000-0x0000000074EA1000-memory.dmp, Filesize: 5.7MB
- memory/2196-140-0x0000000000000000-mapping.dmp
- memory/2452-143-0x0000000000000000-mapping.dmp
- memory/3492-142-0x0000000000000000-mapping.dmp
- memory/4032-145-0x0000000000000000-mapping.dmp
- memory/4068-144-0x0000000000000000-mapping.dmp