Analysis
- max time kernel: 2s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 31-12-2023 04:11
Behavioral task
- behavioral1
- Sample: 27a57d1fca8d099b7876b56c82c5d88d.exe
- Resource: win7-20231215-en
General
-
Target
27a57d1fca8d099b7876b56c82c5d88d.exe
-
Size
660KB
-
MD5
27a57d1fca8d099b7876b56c82c5d88d
-
SHA1
7ef8df1692fb110fe3adaa3fd94e6b1a483c0244
-
SHA256
ad3b7f8850afcbe69d1ebc88cfbe86a208fc0620e7a00079ee0e32446c7257f5
-
SHA512
15b7213699c19b23ca42be95f7db12cd23e1b67532642072fcdb1bb4246b2c24dec73ac69b01966d5b0135223c1bbf4d29a51435dc973659ebe6efb8c49749e3
-
SSDEEP
12288:wX2JVHMRtDaSm3TJvVNvWV5YTsY7tHwbz/htfcoCoK632zb7G/Q0e:2ss2Sm39NNv9wY7tHwbzfIoK6MoG
Malware Config
Extracted
- Family: darkcomet
- Botnet: 777
- C2: mandoo.no-ip.org:3366
- Mutex: DC_MUTEX-7UAXXG6
- Attributes:
  - InstallPath: MSDCSC\msdcsc.exe
  - gencode: hvljDtRVRRkE
  - install: true
  - offline_keylogger: true
  - password: 1443813678
  - persistence: true
  - reg_key: MicroUpdate
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: 27a57d1fca8d099b7876b56c82c5d88d.exe
-
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
  pid 2804 attrib.exe
  pid 2800 attrib.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: 27a57d1fca8d099b7876b56c82c5d88d.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes:
  pid 2244 27a57d1fca8d099b7876b56c82c5d88d.exe, tokens adjusted:
    SeIncreaseQuotaPrivilege
    SeSecurityPrivilege
    SeTakeOwnershipPrivilege
    SeLoadDriverPrivilege
    SeSystemProfilePrivilege
    SeSystemtimePrivilege
    SeProfSingleProcessPrivilege
    SeIncBasePriorityPrivilege
    SeCreatePagefilePrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeShutdownPrivilege
    SeDebugPrivilege
    SeSystemEnvironmentPrivilege
    SeChangeNotifyPrivilege
    SeRemoteShutdownPrivilege
    SeUndockPrivilege
    SeManageVolumePrivilege
    SeImpersonatePrivilege
    SeCreateGlobalPrivilege
    33
    34
    35
-
Suspicious use of WriteProcessMemory (21 IoCs)
Processes (source pid/process -> target pid/process, count):
  2244 27a57d1fca8d099b7876b56c82c5d88d.exe -> 2784 cmd.exe (4 writes)
  2244 27a57d1fca8d099b7876b56c82c5d88d.exe -> 2816 cmd.exe (4 writes)
  2244 27a57d1fca8d099b7876b56c82c5d88d.exe -> 2788 notepad.exe (9 writes)
  2784 cmd.exe -> 2800 attrib.exe (4 writes)
-
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
  pid 2804 attrib.exe
  pid 2800 attrib.exe
Processes (tree; depth in brackets)
-
[1] C:\Users\Admin\AppData\Local\Temp\27a57d1fca8d099b7876b56c82c5d88d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\27a57d1fca8d099b7876b56c82c5d88d.exe"
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\27a57d1fca8d099b7876b56c82c5d88d.exe" +s +h
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Local\Temp\27a57d1fca8d099b7876b56c82c5d88d.exe" +s +h
            - Sets file to hidden
            - Views/modifies file attributes
    [2] C:\Windows\SysWOW64\notepad.exe
        Command line: notepad
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
-
[1] C:\Windows\SysWOW64\attrib.exe
    Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Sets file to hidden
    - Views/modifies file attributes
-
[1] C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    [2] C:\Windows\SysWOW64\notepad.exe
        Command line: notepad
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads (memory dumps)
- memory/1744-68-0x0000000001D10000-0x0000000001D11000-memory.dmp (4KB)
- memory/2244-0-0x0000000000250000-0x0000000000251000-memory.dmp (4KB)
- memory/2244-32-0x0000000000400000-0x00000000004B4000-memory.dmp (720KB)
- memory/2612-33-0x0000000000240000-0x0000000000241000-memory.dmp (4KB)
- memory/2612-36-0x0000000000400000-0x00000000004B4000-memory.dmp (720KB)
- memory/2624-35-0x0000000000400000-0x00000000004B4000-memory.dmp (720KB)
- memory/2788-23-0x0000000000270000-0x0000000000271000-memory.dmp (4KB)
- memory/2788-3-0x0000000000080000-0x0000000000081000-memory.dmp (4KB)