Analysis
- max time kernel: 90s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-12-2022 01:56
Static task: static1
Behavioral task: behavioral1
- Sample: 894324d95e7faada875358b1267b1d5644d11c2948a99a107fdfef49c899eb75.exe
- Resource: win7-20220812-en
General
- Target: 894324d95e7faada875358b1267b1d5644d11c2948a99a107fdfef49c899eb75.exe
- Size: 1.2MB
- MD5: 8976f3e0aff56ea29bb2cea8fc199e43
- SHA1: f7c707b7d1405d75b342a89d07445953b65b1724
- SHA256: 894324d95e7faada875358b1267b1d5644d11c2948a99a107fdfef49c899eb75
- SHA512: 19af5e522a586e4d1c398bb21d1406c701a06b15a0f467e687bcf4d33650e5cde143532722883e1dbba96511e974354a9292bfe901a4065786947b1a61a88bbd
- SSDEEP: 12288:vZdjjz8tf5Tdxr0s6rMie0Fy1SNoiH99cM1gDcIBzKocKBEth7B6OwjfHngQRRBU:vZQM8mqJsMOG1Jc6J8U+Hjlz93
Malware Config
Extracted
- Family: darkcomet
- ID: Thomas
- C2: thomaske19951.no-ip.org:2000
- Mutex: DC_MUTEX-ECCAP6P
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 5wK8lbcuWlps
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
The InstallPath is relative to the Windows system directory and reg_key is the name of the Run value; both reappear verbatim in the registry and file IoCs in the Signatures section (C:\Windows\system32\MSDCSC\msdcsc.exe and the Run value MicroUpdate). The C2 is a dynamic-DNS hostname on port 2000, so hunt on the hostname rather than on a resolved address.
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  vbc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"
  The UserInit value is a comma-separated list of programs winlogon starts at every interactive logon; the clean value contains userinit.exe alone, so the appended msdcsc.exe entry is the autostart. Any UserInit value with a second program is worth an alert on its own.
- Drops file in Drivers directory (1 IoC)
  vbc.exe: File opened for modification C:\Windows\system32\drivers\etc\hosts
  The file under drivers\ is the hosts file, so this is a hosts-file edit (it overrides name resolution for whatever names it lists), not a driver being dropped.
- Executes dropped EXE (1 IoC)
  PID 4052 msdcsc.exe
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 4680 attrib.exe, PID 4688 attrib.exe
- Uses the VBS compiler for execution (1 TTP)
  The host process is C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, the Visual Basic .NET compiler shipped with the .NET Framework (not a VBScript engine). It is used only as a hollowing target: a legitimate Microsoft binary whose image is replaced in memory.
- Adds Run key to start application (2 TTPs, 1 IoC)
  vbc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"
  The value name MicroUpdate is the reg_key field of the extracted config.
- Drops file in System32 directory (5 IoCs)
  894324d95e7faada875358b1267b1d5644d11c2948a99a107fdfef49c899eb75.exe: File created C:\Windows\SysWOW64\Windows\wdt.exe
  894324d95e7faada875358b1267b1d5644d11c2948a99a107fdfef49c899eb75.exe: File opened for modification C:\Windows\SysWOW64\Windows\wdt.exe
  vbc.exe: File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
  vbc.exe: File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
  vbc.exe: File opened for modification C:\Windows\SysWOW64\MSDCSC\
  The writers are 32-bit processes on a 64-bit OS, so writes aimed at C:\Windows\system32 are redirected by the WOW64 file system redirector to C:\Windows\SysWOW64. The registry values above still name the system32 path; when hunting, check both directories.
- Suspicious use of SetThreadContext (1 IoC)
  PID 4708 (894324d95e7faada875358b1267b1d5644d11c2948a99a107fdfef49c899eb75.exe) set thread context of PID 3972 (vbc.exe)
- Drops file in Windows directory (2 IoCs)
  attrib.exe: File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  attrib.exe: File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  vbc.exe (PID 3972) adjusted: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, Token: 33, Token: 34, Token: 35, Token: 36
- Suspicious use of WriteProcessMemory (29 IoCs)
  PID 4708 (894324d95e7faada875358b1267b1d5644d11c2948a99a107fdfef49c899eb75.exe) wrote to memory of PID 3972 (vbc.exe): 14 events
  PID 3972 (vbc.exe) wrote to memory of PID 4384 (cmd.exe): 3 events
  PID 3972 (vbc.exe) wrote to memory of PID 2168 (cmd.exe): 3 events
  PID 3972 (vbc.exe) wrote to memory of PID 4052 (msdcsc.exe): 3 events
  PID 2168 (cmd.exe) wrote to memory of PID 4680 (attrib.exe): 3 events
  PID 4384 (cmd.exe) wrote to memory of PID 4688 (attrib.exe): 3 events
  The groups of three accompany ordinary child-process creation (every parent/child pair in the tree shows them). The 14 writes from 4708 into 3972, together with the SetThreadContext call on the same pair, are the process-hollowing pattern: the dropper writes its payload into a freshly created vbc.exe and redirects its main thread to it.
- Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 4680 attrib.exe, PID 4688 attrib.exe
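The persistence and injection rows above can be checked mechanically. The following Python is an added example, not code from the sandbox, the report or any DarkComet tooling. It parses event rows in the report's own column layout (the sample rows are constructed to match the lines above, with "sample.exe" standing in for the long SHA-256 filename), flags the UserInit hijack, the Run value, the hosts-file edit and the hollowing of vbc.exe, and shows the WOW64 path redirection that explains why the registry data names system32 while the file was created under SysWOW64.

```python
"""Triage helper for DarkComet-style indicators (added example, not part
of the sandbox report). Parses event rows laid out like the report's
signature tables and returns (category, detail) findings."""
import ntpath
import re

# Constructed rows mirroring the report's "description ioc process" and
# "description pid process target process" columns. Backslashes inside
# quoted registry data are doubled, exactly as the report prints them.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" vbc.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" vbc.exe',
    r'File opened for modification C:\Windows\system32\drivers\etc\hosts vbc.exe',
    r'File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe vbc.exe',
    r'PID 4708 set thread context of 3972 4708 sample.exe vbc.exe',
    r'PID 4708 wrote to memory of 3972 4708 sample.exe vbc.exe',
    r'PID 3972 wrote to memory of 4384 3972 vbc.exe cmd.exe',
]

USERINIT_RE = re.compile(r'Winlogon\\UserInit = "([^"]*)"')
RUNKEY_RE = re.compile(r'CurrentVersion\\Run\\(\w+) = "([^"]*)"')
HOSTS_RE = re.compile(r'File opened for modification (\S+\\drivers\\etc\\hosts)', re.I)
CTX_RE = re.compile(r'PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)')
WPM_RE = re.compile(r'PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)')


def unescape(reg_data):
    """Undo the doubled backslashes the report uses inside quoted registry data."""
    return reg_data.replace('\\\\', '\\')


def userinit_extras(reg_data):
    """Entries of a Winlogon\\UserInit value other than userinit.exe itself.

    The value is a comma-separated program list that winlogon runs at logon;
    anything beyond userinit.exe is an autostart that survives reboots."""
    entries = [e.strip() for e in unescape(reg_data).split(',') if e.strip()]
    return [e for e in entries if ntpath.basename(e).lower() != 'userinit.exe']


def wow64_view(path):
    """Where a 32-bit process's write to %windir%\\system32 really lands.

    The WOW64 file system redirector sends it to SysWOW64, which is why the
    report shows msdcsc.exe under SysWOW64 while the registry data written
    by the same process still says system32."""
    m = re.match(r'(?i)([a-z]:\\windows\\)system32\\(.*)$', path)
    return m.group(1) + 'SysWOW64\\' + m.group(2) if m else path


def hollowing_findings(events):
    """Pair SetThreadContext with WriteProcessMemory on the same parent/child.

    A parent that both writes into a child and resets its thread context is
    replacing the child's image (process hollowing). Writes alone also occur
    during ordinary process creation, so they are not flagged by themselves."""
    ctx, wpm = {}, set()
    for ev in events:
        m = CTX_RE.search(ev)
        if m:
            ctx[(m[1], m[2])] = (m[3], m[4])
        m = WPM_RE.search(ev)
        if m:
            wpm.add((m[1], m[2]))
    return [f'{pimg} (pid {p}) hollowed {cimg} (pid {c})'
            for (p, c), (pimg, cimg) in ctx.items() if (p, c) in wpm]


def triage(events):
    """Return (category, detail) findings for a list of event rows."""
    findings = []
    for ev in events:
        m = USERINIT_RE.search(ev)
        if m:
            findings += [('winlogon_userinit', e) for e in userinit_extras(m[1])]
        m = RUNKEY_RE.search(ev)
        if m:
            findings.append(('run_key', f'{m[1]} -> {unescape(m[2])}'))
        m = HOSTS_RE.search(ev)
        if m:
            findings.append(('hosts_file', m[1]))
    findings += [('process_hollowing', d) for d in hollowing_findings(events)]
    return findings


if __name__ == '__main__':
    for category, detail in triage(SAMPLE_EVENTS):
        print(f'{category:18} {detail}')
    configured = r'C:\Windows\system32\MSDCSC\msdcsc.exe'   # path from the registry data
    print('on disk for a 32-bit writer:', wow64_view(configured))
```

Feed it the rows of a report, or registry/file events exported from an EDR in the same shape, and treat any non-empty userinit_extras result as a hit regardless of family: the UserInit list has exactly one legitimate entry.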
Processes
- C:\Users\Admin\AppData\Local\Temp\894324d95e7faada875358b1267b1d5644d11c2948a99a107fdfef49c899eb75.exe (PID 4708)
  Command line: "C:\Users\Admin\AppData\Local\Temp\894324d95e7faada875358b1267b1d5644d11c2948a99a107fdfef49c899eb75.exe"
  Signatures: Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3972, hollowed by the parent)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Signatures: Modifies WinLogon for persistence; Drops file in Drivers directory; Adds Run key to start application; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
        Signatures: Sets file to hidden; Drops file in Windows directory; Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        Signatures: Sets file to hidden; Drops file in Windows directory; Views/modifies file attributes
    - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (PID 4052)
      Command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
      Signatures: Executes dropped EXE
  Image paths under SysWOW64 with command lines naming System32 are the WOW64 file system redirector at work: the 32-bit vbc.exe asks for System32\cmd.exe and gets SysWOW64\cmd.exe. The two attrib runs mark the existing .NET compiler binary and its directory system+hidden (+s +h); nothing in those directories is a dropped file. The cmd.exe PIDs are 4384 and 2168 and the attrib.exe PIDs 4688 and 4680 (parent/child pairs 4384/4688 and 2168/4680 per the WriteProcessMemory rows); the report does not say which pair ran which attrib command.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (listed twice in the report with identical hashes)
  Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
  The dropped copy differs from the submitted 1.2MB sample in both size and hashes, so hunt on both sets of hashes.
- memory/2168-139-0x0000000000000000-mapping.dmp
- memory/3972-132-0x0000000000000000-mapping.dmp
- memory/3972-133-0x0000000000400000-0x00000000004BD000-memory.dmp (756KB)
- memory/3972-134-0x0000000000400000-0x00000000004BD000-memory.dmp (756KB)
- memory/3972-135-0x0000000000400000-0x00000000004BD000-memory.dmp (756KB)
- memory/3972-137-0x0000000000400000-0x00000000004BD000-memory.dmp (756KB)
- memory/3972-142-0x0000000000400000-0x00000000004BD000-memory.dmp (756KB)
- memory/4052-140-0x0000000000000000-mapping.dmp
- memory/4384-138-0x0000000000000000-mapping.dmp
- memory/4680-143-0x0000000000000000-mapping.dmp
- memory/4688-144-0x0000000000000000-mapping.dmp
- memory/4708-136-0x0000000074D40000-0x00000000752F1000-memory.dmp (5.7MB)
- memory/4708-146-0x0000000074D40000-0x00000000752F1000-memory.dmp (5.7MB)
The repeated 0x400000-0x4BD000 region of PID 3972 is the image range of the hollowed vbc.exe, so those dumps are the place to look for the unpacked payload rather than the on-disk dropper.