Analysis
- max time kernel: 171s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-12-2022 17:40
Static task: static1
Behavioral task: behavioral1
- Sample: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
- Resource: win10v2004-20220812-en
General
- Target: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
- Size: 347KB
- MD5: eefcea17c245d722fcfe515970a99b24
- SHA1: 100f1fa0224e1ae4b79fb661e29a7b22cf0e47fa
- SHA256: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500
- SHA512: 23c08bc35f8e3c6e28173f0e6eadabe11638e40c3ec68ef0a6448a70739d340d29a3c3b75f887ed7aa807cfe40cc78b34c1f040fffa51cea87ba14553d4e08bb
- SSDEEP: 6144:CUPCHaSrGCFGMQZhKYWqdRBYn58JOBGmtMCANkRfX90OO1+JC5mfT4Neu:G62GiGMBHqhYOJONtMCesfXlKXk7A
Malware Config
Extracted
- Family: darkcomet
- Version: 13.07.12 Crypter
- C2: leetaka1337.no-ip.org:1604
- Mutex: DC_MUTEX-JFX5RP1
- InstallPath: MSDCSC\winhost.exe
- gencode: lCnq6VNbar2M
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe"
  process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
Executes dropped EXE (2 IoCs)
Processes: STUB.EXE, winhost.exe
  pid 3948  STUB.EXE
  pid 4840  winhost.exe
Processes:
  resource: behavioral2/memory/5068-134-0x0000000000400000-0x00000000004C2000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/5068-135-0x0000000000400000-0x00000000004C2000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/5068-136-0x0000000000400000-0x00000000004C2000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/5068-138-0x0000000000400000-0x00000000004C2000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/5068-139-0x0000000000400000-0x00000000004C2000-memory.dmp  yara_rule: upx
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
  process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\winhost.exe"
  process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
Drops file in System32 directory (3 IoCs)
Processes: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
  File created: C:\Windows\SysWOW64\MSDCSC\winhost.exe  (process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe)
  File opened for modification: C:\Windows\SysWOW64\MSDCSC\winhost.exe  (process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe)
  File opened for modification: C:\Windows\SysWOW64\MSDCSC\  (process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
  description: PID 4112 set thread context of 5068
  process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe (4112)
  target process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe (5068)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
Processes: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
Suspicious use of AdjustPrivilegeToken (26 IoCs)
Processes: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe, c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe, winhost.exe
  pid 4112  c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
    Token: SeDebugPrivilege
  pid 5068  c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  pid 4840  winhost.exe
    Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe, c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe, winhost.exe
  PID 4112 wrote to memory of 5068 (8 times)  process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe  target process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
  PID 5068 wrote to memory of 3948 (3 times)  process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe  target process: STUB.EXE
  PID 5068 wrote to memory of 4840 (3 times)  process: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe  target process: winhost.exe
  PID 4840 wrote to memory of 4800 (3 times)  process: winhost.exe  target process: winhost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500.exe
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\STUB.EXE (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
      - Executes dropped EXE
    - C:\Windows\SysWOW64\MSDCSC\winhost.exe (depth 3)
      Command line: "C:\Windows\system32\MSDCSC\winhost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\MSDCSC\winhost.exe (depth 4)
        Command line: C:\Windows\SysWOW64\MSDCSC\winhost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\STUB.EXE
  Filesize: 47KB
  MD5: 6e9ee67b3cceaf1fc3bd53a9c33a3cc7
  SHA1: 1ce7d9f73b9da92385ec41e416d2cf7a6f2ccc03
  SHA256: e9509d87ec53efda131c636fe729180eea8c48850693f0c800fc04f88f5960bb
  SHA512: 6ee77b3d3238e1507ab83f57fa06b88b384b5d8a804a27d93aab30622166b1bedd4796ec30c8dfca3b9085d41c69fd064014e0a424a79e9e8f15b79c6568fb1c
- C:\Windows\SysWOW64\MSDCSC\winhost.exe
  Filesize: 347KB
  MD5: eefcea17c245d722fcfe515970a99b24
  SHA1: 100f1fa0224e1ae4b79fb661e29a7b22cf0e47fa
  SHA256: c4a3eb0612d558ec941be28a8a4b7734a822c5659db9f840a57567a971ffc500
  SHA512: 23c08bc35f8e3c6e28173f0e6eadabe11638e40c3ec68ef0a6448a70739d340d29a3c3b75f887ed7aa807cfe40cc78b34c1f040fffa51cea87ba14553d4e08bb
- memory/3948-140-0x0000000000000000-mapping.dmp
- memory/3948-143-0x0000000074630000-0x0000000074BE1000-memory.dmp (Filesize: 5.7MB)
- memory/4112-132-0x0000000075510000-0x0000000075AC1000-memory.dmp (Filesize: 5.7MB)
- memory/4112-137-0x0000000075510000-0x0000000075AC1000-memory.dmp (Filesize: 5.7MB)
- memory/4800-147-0x0000000000000000-mapping.dmp
- memory/4840-144-0x0000000000000000-mapping.dmp
- memory/4840-148-0x0000000073C80000-0x0000000074231000-memory.dmp (Filesize: 5.7MB)
- memory/5068-136-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize: 776KB)
- memory/5068-138-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize: 776KB)
- memory/5068-139-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize: 776KB)
- memory/5068-135-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize: 776KB)
- memory/5068-134-0x0000000000400000-0x00000000004C2000-memory.dmp (Filesize: 776KB)
- memory/5068-133-0x0000000000000000-mapping.dmp