Analysis
-
max time kernel
150s -
max time network
171s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
05-12-2022 12:55
Static task
static1
Behavioral task
behavioral1
Sample
8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe
Resource
win7-20220812-en
General
-
Target
8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe
-
Size
2.9MB
-
MD5
df7bf31aea132aca10366ae20dd0c350
-
SHA1
dba114d4074f3f338940bdb075bbda26172c53db
-
SHA256
8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694
-
SHA512
e86224122b1faaba9ec590eae700b435ad7cd8881d141c8ba0d9ec07b179bd7fd1418d4024fc2b3c05ec08ed8463d84f132dc250be4d4a3c59301424af6c1cb3
-
SSDEEP
49152:LMnXXFJkevVRBhRFGdPWgaqWMZYANAPc+N3MTrDOyD9Eh6kScQhACeHrIF:PSLTeZHrSgEh6krQKC08
Malware Config
Extracted
darkcomet
Main
24.13.208.88:100
jaxxyisboss.zapto.org:100
DC_MUTEX-C0UC4KU
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
w4i0rGCzp71f
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
Microsoft Defender
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: cvtres.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | cvtres.exe
-
Executes dropped EXE 3 IoCs
Processes: msconfig.exe, JAXXY SKYPE BOT.EXE, msdcsc.exe
pid | process
3068 | msconfig.exe
3636 | JAXXY SKYPE BOT.EXE
2736 | msdcsc.exe
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
pid | process
4368 | attrib.exe
4904 | attrib.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe
-
Adds Run key to start application 2 TTPs 5 IoCs
Processes: msconfig.exe, cvtres.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe" | msconfig.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | msconfig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe" | msconfig.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Defender = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | cvtres.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | msconfig.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: msconfig.exe
description | pid | process | target process
PID 3068 set thread context of 372 | 3068 | msconfig.exe | cvtres.exe
-
Drops file in Windows directory 2 IoCs
Processes: attrib.exe, attrib.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | attrib.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | attrib.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes: cvtres.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cvtres.exe
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes: cvtres.exe, JAXXY SKYPE BOT.EXE
description | pid | process
Token: SeIncreaseQuotaPrivilege | 372 | cvtres.exe
Token: SeSecurityPrivilege | 372 | cvtres.exe
Token: SeTakeOwnershipPrivilege | 372 | cvtres.exe
Token: SeLoadDriverPrivilege | 372 | cvtres.exe
Token: SeSystemProfilePrivilege | 372 | cvtres.exe
Token: SeSystemtimePrivilege | 372 | cvtres.exe
Token: SeProfSingleProcessPrivilege | 372 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 372 | cvtres.exe
Token: SeCreatePagefilePrivilege | 372 | cvtres.exe
Token: SeBackupPrivilege | 372 | cvtres.exe
Token: SeRestorePrivilege | 372 | cvtres.exe
Token: SeShutdownPrivilege | 372 | cvtres.exe
Token: SeDebugPrivilege | 372 | cvtres.exe
Token: SeSystemEnvironmentPrivilege | 372 | cvtres.exe
Token: SeChangeNotifyPrivilege | 372 | cvtres.exe
Token: SeRemoteShutdownPrivilege | 372 | cvtres.exe
Token: SeUndockPrivilege | 372 | cvtres.exe
Token: SeManageVolumePrivilege | 372 | cvtres.exe
Token: SeImpersonatePrivilege | 372 | cvtres.exe
Token: SeCreateGlobalPrivilege | 372 | cvtres.exe
Token: 33 | 372 | cvtres.exe
Token: 34 | 372 | cvtres.exe
Token: 35 | 372 | cvtres.exe
Token: 36 | 372 | cvtres.exe
Token: SeDebugPrivilege | 3636 | JAXXY SKYPE BOT.EXE
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes: 8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe, msconfig.exe, cvtres.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 2448 wrote to memory of 3068 | 2448 | 8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe | msconfig.exe
PID 2448 wrote to memory of 3068 | 2448 | 8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe | msconfig.exe
PID 2448 wrote to memory of 3068 | 2448 | 8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe | msconfig.exe
PID 3068 wrote to memory of 372 | 3068 | msconfig.exe | cvtres.exe
PID 3068 wrote to memory of 372 | 3068 | msconfig.exe | cvtres.exe
PID 3068 wrote to memory of 372 | 3068 | msconfig.exe | cvtres.exe
PID 3068 wrote to memory of 372 | 3068 | msconfig.exe | cvtres.exe
PID 3068 wrote to memory of 372 | 3068 | msconfig.exe | cvtres.exe
PID 3068 wrote to memory of 372 | 3068 | msconfig.exe | cvtres.exe
PID 3068 wrote to memory of 372 | 3068 | msconfig.exe | cvtres.exe
PID 3068 wrote to memory of 372 | 3068 | msconfig.exe | cvtres.exe
PID 3068 wrote to memory of 372 | 3068 | msconfig.exe | cvtres.exe
PID 3068 wrote to memory of 372 | 3068 | msconfig.exe | cvtres.exe
PID 3068 wrote to memory of 372 | 3068 | msconfig.exe | cvtres.exe
PID 3068 wrote to memory of 372 | 3068 | msconfig.exe | cvtres.exe
PID 3068 wrote to memory of 372 | 3068 | msconfig.exe | cvtres.exe
PID 3068 wrote to memory of 372 | 3068 | msconfig.exe | cvtres.exe
PID 372 wrote to memory of 4524 | 372 | cvtres.exe | cmd.exe
PID 372 wrote to memory of 4524 | 372 | cvtres.exe | cmd.exe
PID 372 wrote to memory of 4524 | 372 | cvtres.exe | cmd.exe
PID 372 wrote to memory of 2148 | 372 | cvtres.exe | cmd.exe
PID 372 wrote to memory of 2148 | 372 | cvtres.exe | cmd.exe
PID 372 wrote to memory of 2148 | 372 | cvtres.exe | cmd.exe
PID 4524 wrote to memory of 4368 | 4524 | cmd.exe | attrib.exe
PID 4524 wrote to memory of 4368 | 4524 | cmd.exe | attrib.exe
PID 4524 wrote to memory of 4368 | 4524 | cmd.exe | attrib.exe
PID 372 wrote to memory of 3636 | 372 | cvtres.exe | JAXXY SKYPE BOT.EXE
PID 372 wrote to memory of 3636 | 372 | cvtres.exe | JAXXY SKYPE BOT.EXE
PID 372 wrote to memory of 3636 | 372 | cvtres.exe | JAXXY SKYPE BOT.EXE
PID 2148 wrote to memory of 4904 | 2148 | cmd.exe | attrib.exe
PID 2148 wrote to memory of 4904 | 2148 | cmd.exe | attrib.exe
PID 2148 wrote to memory of 4904 | 2148 | cmd.exe | attrib.exe
PID 372 wrote to memory of 2736 | 372 | cvtres.exe | msdcsc.exe
PID 372 wrote to memory of 2736 | 372 | cvtres.exe | msdcsc.exe
PID 372 wrote to memory of 2736 | 372 | cvtres.exe | msdcsc.exe
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes: attrib.exe, attrib.exe
pid | process
4368 | attrib.exe
4904 | attrib.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Roaming\msconfig.exe
Command line: "C:\Users\Admin\AppData\Roaming\msconfig.exe"
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" +s +h
- Suspicious use of WriteProcessMemory
-
Level 5: C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" +s +h
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
-
Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
- Suspicious use of WriteProcessMemory
-
Level 5: C:\Windows\SysWOW64\attrib.exe
Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
-
Level 4: C:\Users\Admin\AppData\Local\Temp\JAXXY SKYPE BOT.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\JAXXY SKYPE BOT.EXE"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Level 4: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\JAXXY SKYPE BOT.EXE
Filesize
1.8MB
MD5
4ba0b86113558f1a2056b81ebae2907f
SHA1
617b31d2ee0035f7124553a49cc4b296c5daa46a
SHA256
6dde2bdb73e20b0054ec960a581129598b643d54159204c6cd8868a038eaab36
SHA512
c1056fcaf32d6098706dca9a3fae74b3c045db991434252f7e4f91cf8daa4078b8f0ab9408ce1b9b6821321d31a0d00377b40920ccee2ff7a9f1a9fe57842500
-
C:\Users\Admin\AppData\Roaming\msconfig.exe
Filesize
2.9MB
MD5
df7bf31aea132aca10366ae20dd0c350
SHA1
dba114d4074f3f338940bdb075bbda26172c53db
SHA256
8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694
SHA512
e86224122b1faaba9ec590eae700b435ad7cd8881d141c8ba0d9ec07b179bd7fd1418d4024fc2b3c05ec08ed8463d84f132dc250be4d4a3c59301424af6c1cb3
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
34KB
MD5
e118330b4629b12368d91b9df6488be0
SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0
-
memory/372-160-0x0000000000400000-0x00000000006BE000-memory.dmp
Filesize
2.7MB
-
memory/372-139-0x0000000000400000-0x00000000006BE000-memory.dmp
Filesize
2.7MB
-
memory/372-140-0x0000000000400000-0x00000000006BE000-memory.dmp
Filesize
2.7MB
-
memory/372-141-0x0000000000400000-0x00000000006BE000-memory.dmp
Filesize
2.7MB
-
memory/372-143-0x0000000000400000-0x00000000006BE000-memory.dmp
Filesize
2.7MB
-
memory/372-138-0x0000000000000000-mapping.dmp
-
memory/2148-145-0x0000000000000000-mapping.dmp
-
memory/2448-132-0x00000000749B0000-0x0000000074F61000-memory.dmp
Filesize
5.7MB
-
memory/2448-137-0x00000000749B0000-0x0000000074F61000-memory.dmp
Filesize
5.7MB
-
memory/2736-155-0x0000000000000000-mapping.dmp
-
memory/3068-142-0x00000000749B0000-0x0000000074F61000-memory.dmp
Filesize
5.7MB
-
memory/3068-136-0x00000000749B0000-0x0000000074F61000-memory.dmp
Filesize
5.7MB
-
memory/3068-133-0x0000000000000000-mapping.dmp
-
memory/3636-153-0x0000000006090000-0x0000000006634000-memory.dmp
Filesize
5.6MB
-
memory/3636-152-0x0000000005890000-0x000000000592C000-memory.dmp
Filesize
624KB
-
memory/3636-151-0x0000000000D70000-0x0000000000F4E000-memory.dmp
Filesize
1.9MB
-
memory/3636-154-0x0000000005A00000-0x0000000005A92000-memory.dmp
Filesize
584KB
-
memory/3636-147-0x0000000000000000-mapping.dmp
-
memory/3636-157-0x0000000005990000-0x000000000599A000-memory.dmp
Filesize
40KB
-
memory/3636-158-0x0000000005BD0000-0x0000000005C26000-memory.dmp
Filesize
344KB
-
memory/3636-161-0x0000000009A70000-0x0000000009AD6000-memory.dmp
Filesize
408KB
-
memory/4368-146-0x0000000000000000-mapping.dmp
-
memory/4524-144-0x0000000000000000-mapping.dmp
-
memory/4904-150-0x0000000000000000-mapping.dmp