Analysis
max time kernel: 151s
max time network: 43s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2022 03:10
Static task: static1
Behavioral task: behavioral1
  Sample: c2b9789afd8ef5c0d52b89acd6979206b4afd2857e81a8e1fe1583cb3248d903.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c2b9789afd8ef5c0d52b89acd6979206b4afd2857e81a8e1fe1583cb3248d903.exe
  Resource: win10v2004-20220812-en
General
Target: c2b9789afd8ef5c0d52b89acd6979206b4afd2857e81a8e1fe1583cb3248d903.exe
Size: 1.4MB
MD5: 963fcbc4e17e12ed311ebafd76c308b7
SHA1: 094d1280d925811e88ee511e75dcef95d977d4fd
SHA256: c2b9789afd8ef5c0d52b89acd6979206b4afd2857e81a8e1fe1583cb3248d903
SHA512: 01a0a8f6674574bd1cb3b71d194285ec968e25594c5bebe4de55c023dd4f9ef46f45330162eda251e62842148d08312b8465c6b50d49f2a332743b43e010d65f
SSDEEP: 24576:xUP/y4LAuYTJkkhas4G3nJvvQMOHIvtThAECEXNj8ASgnSjDQizcROqxGZ:Mq4LAv1kk8zk5OuNhAECkNigSvbPqU
Malware Config
Extracted
Family: darkcomet
Botnet: HF
C2: thailandhack.no-ip.org:83
Mutex: DC_MUTEX-KT2FTNQ
InstallPath: MSDCSC\msdcsc.exe
gencode: vt9w2l6Dosvn
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  212r.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Modifies firewall policy service (2 TTPs, 3 IoCs)
  msdcsc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"

Disables RegEdit via registry modification (1 IoC)
  msdcsc.exe: Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Disables Task Manager via registry modification

Drops file in Drivers directory (1 IoC)
  212r.exe: File opened for modification C:\Windows\system32\drivers\etc\hosts

Executes dropped EXE (2 IoCs)
  PID 2008: 212r.exe
  PID 644: msdcsc.exe

Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  msdcsc.exe: Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Wine
  212r.exe: Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Wine

Loads dropped DLL (4 IoCs)
  PID 1988: c2b9789afd8ef5c0d52b89acd6979206b4afd2857e81a8e1fe1583cb3248d903.exe (2 IoCs)
  PID 2008: 212r.exe (2 IoCs)

Adds Run key to start application (2 TTPs, 2 IoCs)
  212r.exe: Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  msdcsc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 2008: 212r.exe
  PID 644: msdcsc.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2008: 212r.exe
  PID 644: msdcsc.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  PID 2008 (212r.exe) enabled tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 644 (msdcsc.exe) enabled tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of FindShellTrayWindow (1 IoC)
  PID 1680: DllHost.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1988: c2b9789afd8ef5c0d52b89acd6979206b4afd2857e81a8e1fe1583cb3248d903.exe
  PID 644: msdcsc.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1988 (c2b9789afd8ef5c0d52b89acd6979206b4afd2857e81a8e1fe1583cb3248d903.exe) wrote to memory of PID 2008 (212r.exe), 4 times
  PID 2008 (212r.exe) wrote to memory of PID 644 (msdcsc.exe), 4 times
Processes

C:\Users\Admin\AppData\Local\Temp\c2b9789afd8ef5c0d52b89acd6979206b4afd2857e81a8e1fe1583cb3248d903.exe (PID 1988)
  command line: "C:\Users\Admin\AppData\Local\Temp\c2b9789afd8ef5c0d52b89acd6979206b4afd2857e81a8e1fe1583cb3248d903.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\212r.exe (PID 2008, child of 1988)
    command line: "C:\Users\Admin\AppData\Local\Temp\212r.exe"
    - Modifies WinLogon for persistence
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 644, child of 2008)
      command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Modifies firewall policy service
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\DllHost.exe (PID 1680)
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\212r.exe
  Filesize: 1.2MB
  MD5: 3539ab0f4c2410b3083e7c14ef56534a
  SHA1: bd9b11442936503eabd931049ad12c7929387988
  SHA256: 6ac0695b6649ce7df26c3b257bd8b00bcc9e363f0b92ef0e53ffd56ee717a50a
  SHA512: 6707d7a2fa9041b6c63033e8b3aeb7795e138d00fc53be5a9f97117ccb77f0c0e456cccf0262bf3d491d24d413ca040b364d9b1275f7bb9372e9487b67c1c463

C:\Users\Admin\AppData\Local\Temp\´éҹ˹éÒàÊ×éÍ1 copy.JPG
  Filesize: 97KB
  MD5: 9cb2bc22b877519f49122ab3af08a77e
  SHA1: e4b4223bac51e0a46097a2356e690c26a6aa52a7
  SHA256: 3d30cd299f122d6d16a2cb2b9b202f20336f8509f74b006696e9a04d719bd7ee
  SHA512: 7ce2a02621bb56579704bce06cbce4fe123904d0fbd685b29a0accdb2c0adf0373fdb3329fedeb68dd95c42f929f3bbf332c1bfb456316e433a34a263d90b987

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 1.2MB
  MD5: 3539ab0f4c2410b3083e7c14ef56534a
  SHA1: bd9b11442936503eabd931049ad12c7929387988
  SHA256: 6ac0695b6649ce7df26c3b257bd8b00bcc9e363f0b92ef0e53ffd56ee717a50a
  SHA512: 6707d7a2fa9041b6c63033e8b3aeb7795e138d00fc53be5a9f97117ccb77f0c0e456cccf0262bf3d491d24d413ca040b364d9b1275f7bb9372e9487b67c1c463

\Users\Admin\AppData\Local\Temp\212r.exe
  Filesize: 1.2MB
  MD5: 3539ab0f4c2410b3083e7c14ef56534a
  SHA1: bd9b11442936503eabd931049ad12c7929387988
  SHA256: 6ac0695b6649ce7df26c3b257bd8b00bcc9e363f0b92ef0e53ffd56ee717a50a
  SHA512: 6707d7a2fa9041b6c63033e8b3aeb7795e138d00fc53be5a9f97117ccb77f0c0e456cccf0262bf3d491d24d413ca040b364d9b1275f7bb9372e9487b67c1c463

\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 1.2MB
  MD5: 3539ab0f4c2410b3083e7c14ef56534a
  SHA1: bd9b11442936503eabd931049ad12c7929387988
  SHA256: 6ac0695b6649ce7df26c3b257bd8b00bcc9e363f0b92ef0e53ffd56ee717a50a
  SHA512: 6707d7a2fa9041b6c63033e8b3aeb7795e138d00fc53be5a9f97117ccb77f0c0e456cccf0262bf3d491d24d413ca040b364d9b1275f7bb9372e9487b67c1c463

memory/644-77-0x0000000000400000-0x00000000006AC000-memory.dmp  Filesize: 2.7MB
memory/644-75-0x0000000000400000-0x00000000006AC000-memory.dmp  Filesize: 2.7MB
memory/644-83-0x0000000000400000-0x00000000006AC000-memory.dmp  Filesize: 2.7MB
memory/644-82-0x0000000000400000-0x00000000006AC000-memory.dmp  Filesize: 2.7MB
memory/644-72-0x0000000000000000-mapping.dmp
memory/644-81-0x0000000000400000-0x00000000006AC000-memory.dmp  Filesize: 2.7MB
memory/644-78-0x00000000002E0000-0x0000000000340000-memory.dmp  Filesize: 384KB
memory/1988-56-0x0000000075911000-0x0000000075913000-memory.dmp  Filesize: 8KB
memory/1988-62-0x0000000003E60000-0x000000000410C000-memory.dmp  Filesize: 2.7MB
memory/1988-61-0x0000000003E60000-0x000000000410C000-memory.dmp  Filesize: 2.7MB
memory/2008-76-0x0000000006990000-0x0000000006C3C000-memory.dmp  Filesize: 2.7MB
memory/2008-66-0x0000000000400000-0x00000000006AC000-memory.dmp  Filesize: 2.7MB
memory/2008-79-0x0000000000400000-0x00000000006AC000-memory.dmp  Filesize: 2.7MB
memory/2008-63-0x0000000000400000-0x00000000006AC000-memory.dmp  Filesize: 2.7MB
memory/2008-64-0x00000000006B0000-0x0000000000710000-memory.dmp  Filesize: 384KB
memory/2008-69-0x0000000000400000-0x00000000006AC000-memory.dmp  Filesize: 2.7MB
memory/2008-59-0x0000000000000000-mapping.dmp