Analysis

- max time kernel: 57s
- max time network: 55s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2022 12:55

- Static task: static1
- Behavioral task: behavioral1
- Sample: 8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe
- Resource: win7-20220812-en
General

- Target: 8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe
- Size: 2.9MB
- MD5: df7bf31aea132aca10366ae20dd0c350
- SHA1: dba114d4074f3f338940bdb075bbda26172c53db
- SHA256: 8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694
- SHA512: e86224122b1faaba9ec590eae700b435ad7cd8881d141c8ba0d9ec07b179bd7fd1418d4024fc2b3c05ec08ed8463d84f132dc250be4d4a3c59301424af6c1cb3
- SSDEEP: 49152:LMnXXFJkevVRBhRFGdPWgaqWMZYANAPc+N3MTrDOyD9Eh6kScQhACeHrIF:PSLTeZHrSgEh6krQKC08
Malware Config

Extracted: darkcomet

Main:
- 24.13.208.88:100
- jaxxyisboss.zapto.org:100
- DC_MUTEX-C0UC4KU
- InstallPath: MSDCSC\msdcsc.exe
- gencode: w4i0rGCzp71f
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: Microsoft Defender
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: cvtres.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (cvtres.exe)
Executes dropped EXE (3 IoCs)
Processes: msconfig.exe, JAXXY SKYPE BOT.EXE, msdcsc.exe
- PID 864 msconfig.exe
- PID 1948 JAXXY SKYPE BOT.EXE
- PID 1928 msdcsc.exe
Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
- PID 1336 attrib.exe
- PID 680 attrib.exe
Loads dropped DLL (4 IoCs)
Processes: 8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe, cvtres.exe
- PID 1492 8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe (2 IoCs)
- PID 1352 cvtres.exe (2 IoCs)
Adds Run key to start application (2 TTPs, 5 IoCs)
Processes: msconfig.exe, cvtres.exe
- Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (msconfig.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe" (msconfig.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (msconfig.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe" (msconfig.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Defender = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (cvtres.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes: msconfig.exe
- PID 864 (msconfig.exe) set thread context of PID 1352 (cvtres.exe)
Drops file in Windows directory (2 IoCs)
Processes: attrib.exe, attrib.exe
- File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (attrib.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727 (attrib.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: cvtres.exe, JAXXY SKYPE BOT.EXE
- PID 1352 cvtres.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 IoCs)
- PID 1948 JAXXY SKYPE BOT.EXE, Token: SeDebugPrivilege (1 IoC)
Suspicious use of WriteProcessMemory (41 IoCs)
Processes: 8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe, msconfig.exe, cvtres.exe, cmd.exe, cmd.exe
- PID 1492 (8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe) wrote to memory of PID 864 (msconfig.exe), 4 times
- PID 864 (msconfig.exe) wrote to memory of PID 1352 (cvtres.exe), 13 times
- PID 1352 (cvtres.exe) wrote to memory of PID 2020 (cmd.exe), 4 times
- PID 1352 (cvtres.exe) wrote to memory of PID 1536 (cmd.exe), 4 times
- PID 1352 (cvtres.exe) wrote to memory of PID 1948 (JAXXY SKYPE BOT.EXE), 4 times
- PID 2020 (cmd.exe) wrote to memory of PID 1336 (attrib.exe), 4 times
- PID 1536 (cmd.exe) wrote to memory of PID 680 (attrib.exe), 4 times
- PID 1352 (cvtres.exe) wrote to memory of PID 1928 (msdcsc.exe), 4 times
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes: attrib.exe, attrib.exe
- PID 1336 attrib.exe
- PID 680 attrib.exe
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  depth 2: C:\Users\Admin\AppData\Roaming\msconfig.exe
    Command line: "C:\Users\Admin\AppData\Roaming\msconfig.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    depth 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      - Modifies WinLogon for persistence
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      depth 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" +s +h
        - Suspicious use of WriteProcessMemory

        depth 5: C:\Windows\SysWOW64\attrib.exe
          Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" +s +h
          - Sets file to hidden
          - Drops file in Windows directory
          - Views/modifies file attributes

      depth 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        - Suspicious use of WriteProcessMemory

        depth 5: C:\Windows\SysWOW64\attrib.exe
          Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
          - Sets file to hidden
          - Drops file in Windows directory
          - Views/modifies file attributes

      depth 4: C:\Users\Admin\AppData\Local\Temp\JAXXY SKYPE BOT.EXE
        Command line: "C:\Users\Admin\AppData\Local\Temp\JAXXY SKYPE BOT.EXE"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

      depth 4: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        - Executes dropped EXE
Downloads

- C:\Users\Admin\AppData\Local\Temp\JAXXY SKYPE BOT.EXE
  Filesize: 1.8MB
  MD5: 4ba0b86113558f1a2056b81ebae2907f
  SHA1: 617b31d2ee0035f7124553a49cc4b296c5daa46a
  SHA256: 6dde2bdb73e20b0054ec960a581129598b643d54159204c6cd8868a038eaab36
  SHA512: c1056fcaf32d6098706dca9a3fae74b3c045db991434252f7e4f91cf8daa4078b8f0ab9408ce1b9b6821321d31a0d00377b40920ccee2ff7a9f1a9fe57842500
- C:\Users\Admin\AppData\Roaming\msconfig.exe
  Filesize: 2.9MB
  MD5: df7bf31aea132aca10366ae20dd0c350
  SHA1: dba114d4074f3f338940bdb075bbda26172c53db
  SHA256: 8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694
  SHA512: e86224122b1faaba9ec590eae700b435ad7cd8881d141c8ba0d9ec07b179bd7fd1418d4024fc2b3c05ec08ed8463d84f132dc250be4d4a3c59301424af6c1cb3
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 31KB
  MD5: ed797d8dc2c92401985d162e42ffa450
  SHA1: 0f02fc517c7facc4baefde4fe9467fb6488ebabe
  SHA256: b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
  SHA512: e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2