Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-12-2023 21:45
Static task: static1
Behavioral task: behavioral1
- Sample: 3e30c9cbfed6311e5ebe149203bc4839.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 3e30c9cbfed6311e5ebe149203bc4839.exe
- Resource: win10v2004-20231215-en
General
- Target: 3e30c9cbfed6311e5ebe149203bc4839.exe
- Size: 1.1MB
- MD5: 3e30c9cbfed6311e5ebe149203bc4839
- SHA1: fcca7dc34ad5b01e45b3d834a43c59fac8cf527c
- SHA256: 6609f8a3eb1784fe12d91be389de594b5b9a0ccea15cd0de4ecbd5fe52638f20
- SHA512: 1993e43d2bfbe9c4f39db163d21b81b4fc40026fdbbfab0a568047c43b64347dd234f21d5f3026b810caab4de4c5b7f446ad0682e1f0c43dc6978c7faf8c4a6b
- SSDEEP: 12288:m1Eu4AZ+EOJTSNT8JpclOVgvcWS2LgHtJpXMKI1jdT5yRVhJUzIwX5+9NB8GYbnt:Y0GMG15eisLl74ZYS+/VRZN9
Malware Config
Extracted
- Family: darkcomet
- Botnet: 01
- C2: hostme.no-ip.org:1604
- Mutex: DC_MUTEX-MJWC85T
- InstallPath: MSDCSC\msdcsc.exe
- gencode: kCB568SQFn2i
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" [svchost.exe]

Executes dropped EXE (2 IoCs)
- PID 2360 svchost.exe
- PID 2852 msdcsc.exe

Loads dropped DLL (2 IoCs)
- PID 1696 3e30c9cbfed6311e5ebe149203bc4839.exe
- PID 2360 svchost.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Users\\Admin\\AppData\\Roaming\\3e30c9cbfed6311e5ebe149203bc4839.exe" [3e30c9cbfed6311e5ebe149203bc4839.exe]
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" [svchost.exe]

Drops file in System32 directory (3 IoCs)
- File created: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe [svchost.exe]
- File opened for modification: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe [svchost.exe]
- File opened for modification: C:\Windows\SysWOW64\MSDCSC\ [svchost.exe]

Suspicious use of SetThreadContext (1 IoC)
- PID 1696 (3e30c9cbfed6311e5ebe149203bc4839.exe) set thread context of PID 2360 (svchost.exe)

Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (23 IoCs)
- Token privileges adjusted by PID 2360 (svchost.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of WriteProcessMemory (17 IoCs)
- PID 1696 (3e30c9cbfed6311e5ebe149203bc4839.exe) wrote to memory of PID 2360 (svchost.exe): 13 events
- PID 2360 (svchost.exe) wrote to memory of PID 2852 (msdcsc.exe): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\3e30c9cbfed6311e5ebe149203bc4839.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e30c9cbfed6311e5ebe149203bc4839.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
  Command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
  - Executes dropped EXE
Downloads