Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-12-2023 21:45
Static task: static1
Behavioral task: behavioral1
- Sample: 3e30c9cbfed6311e5ebe149203bc4839.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 3e30c9cbfed6311e5ebe149203bc4839.exe
- Resource: win10v2004-20231215-en
General
- Target: 3e30c9cbfed6311e5ebe149203bc4839.exe
- Size: 1.1MB
- MD5: 3e30c9cbfed6311e5ebe149203bc4839
- SHA1: fcca7dc34ad5b01e45b3d834a43c59fac8cf527c
- SHA256: 6609f8a3eb1784fe12d91be389de594b5b9a0ccea15cd0de4ecbd5fe52638f20
- SHA512: 1993e43d2bfbe9c4f39db163d21b81b4fc40026fdbbfab0a568047c43b64347dd234f21d5f3026b810caab4de4c5b7f446ad0682e1f0c43dc6978c7faf8c4a6b
- SSDEEP: 12288:m1Eu4AZ+EOJTSNT8JpclOVgvcWS2LgHtJpXMKI1jdT5yRVhJUzIwX5+9NB8GYbnt:Y0GMG15eisLl74ZYS+/VRZN9
Malware Config
Extracted
- Family: darkcomet
- Botnet: 01
- C2: hostme.no-ip.org:1604
- Mutex: DC_MUTEX-MJWC85T
- InstallPath: MSDCSC\msdcsc.exe
- gencode: kCB568SQFn2i
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: svchost.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (svchost.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: svchost.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation (svchost.exe)
- Executes dropped EXE (2 IoCs)
  Processes: svchost.exe (PID 2184), msdcsc.exe (PID 3728)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: svchost.exe, 3e30c9cbfed6311e5ebe149203bc4839.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (svchost.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Users\\Admin\\AppData\\Roaming\\3e30c9cbfed6311e5ebe149203bc4839.exe" (3e30c9cbfed6311e5ebe149203bc4839.exe)
- Drops file in System32 directory (3 IoCs)
  Process: svchost.exe
  File created: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (svchost.exe)
  File opened for modification: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (svchost.exe)
  File opened for modification: C:\Windows\SysWOW64\MSDCSC\ (svchost.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Process: 3e30c9cbfed6311e5ebe149203bc4839.exe
  PID 2760 (3e30c9cbfed6311e5ebe149203bc4839.exe) set thread context of PID 2184 (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Process: svchost.exe (PID 2184)
  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: 3e30c9cbfed6311e5ebe149203bc4839.exe, svchost.exe
  PID 2760 (3e30c9cbfed6311e5ebe149203bc4839.exe) wrote to memory of PID 2184 (svchost.exe), 14 times
  PID 2184 (svchost.exe) wrote to memory of PID 3728 (msdcsc.exe), 3 times
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\3e30c9cbfed6311e5ebe149203bc4839.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e30c9cbfed6311e5ebe149203bc4839.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Depth 3: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
      Command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads