Analysis
-
max time kernel
8s -
max time network
32s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
01-01-2024 23:53
Static task
static1
Behavioral task
behavioral1
Sample
3e30c9cbfed6311e5ebe149203bc4839.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
3e30c9cbfed6311e5ebe149203bc4839.exe
Resource
win10v2004-20231215-en
General
-
Target
3e30c9cbfed6311e5ebe149203bc4839.exe
-
Size
1.1MB
-
MD5
3e30c9cbfed6311e5ebe149203bc4839
-
SHA1
fcca7dc34ad5b01e45b3d834a43c59fac8cf527c
-
SHA256
6609f8a3eb1784fe12d91be389de594b5b9a0ccea15cd0de4ecbd5fe52638f20
-
SHA512
1993e43d2bfbe9c4f39db163d21b81b4fc40026fdbbfab0a568047c43b64347dd234f21d5f3026b810caab4de4c5b7f446ad0682e1f0c43dc6978c7faf8c4a6b
-
SSDEEP
12288:m1Eu4AZ+EOJTSNT8JpclOVgvcWS2LgHtJpXMKI1jdT5yRVhJUzIwX5+9NB8GYbnt:Y0GMG15eisLl74ZYS+/VRZN9
Malware Config
Extracted
darkcomet
01
hostme.no-ip.org:1604
DC_MUTEX-MJWC85T
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
kCB568SQFn2i
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | svchost.exe
-
Executes dropped EXE 2 IoCs
Processes:
Processes: svchost.exe, msdcsc.exe
pid | process
2644 | svchost.exe
2780 | msdcsc.exe
-
Loads dropped DLL 2 IoCs
Processes:
Processes: 3e30c9cbfed6311e5ebe149203bc4839.exe, svchost.exe
pid | process
2504 | 3e30c9cbfed6311e5ebe149203bc4839.exe
2644 | svchost.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Processes: 3e30c9cbfed6311e5ebe149203bc4839.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Users\\Admin\\AppData\\Roaming\\3e30c9cbfed6311e5ebe149203bc4839.exe" | 3e30c9cbfed6311e5ebe149203bc4839.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | svchost.exe
-
Drops file in System32 directory 3 IoCs
Processes:
Processes: svchost.exe
description | ioc | process
File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | svchost.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Processes: 3e30c9cbfed6311e5ebe149203bc4839.exe
description | pid | process | target process
PID 2504 set thread context of 2644 | 2504 | 3e30c9cbfed6311e5ebe149203bc4839.exe | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
Processes: svchost.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 2644 | svchost.exe
Token: SeSecurityPrivilege | 2644 | svchost.exe
Token: SeTakeOwnershipPrivilege | 2644 | svchost.exe
Token: SeLoadDriverPrivilege | 2644 | svchost.exe
Token: SeSystemProfilePrivilege | 2644 | svchost.exe
Token: SeSystemtimePrivilege | 2644 | svchost.exe
Token: SeProfSingleProcessPrivilege | 2644 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2644 | svchost.exe
Token: SeCreatePagefilePrivilege | 2644 | svchost.exe
Token: SeBackupPrivilege | 2644 | svchost.exe
Token: SeRestorePrivilege | 2644 | svchost.exe
Token: SeShutdownPrivilege | 2644 | svchost.exe
Token: SeDebugPrivilege | 2644 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 2644 | svchost.exe
Token: SeChangeNotifyPrivilege | 2644 | svchost.exe
Token: SeRemoteShutdownPrivilege | 2644 | svchost.exe
Token: SeUndockPrivilege | 2644 | svchost.exe
Token: SeManageVolumePrivilege | 2644 | svchost.exe
Token: SeImpersonatePrivilege | 2644 | svchost.exe
Token: SeCreateGlobalPrivilege | 2644 | svchost.exe
Token: 33 | 2644 | svchost.exe
Token: 34 | 2644 | svchost.exe
Token: 35 | 2644 | svchost.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
Processes: 3e30c9cbfed6311e5ebe149203bc4839.exe, svchost.exe
description | pid | process | target process
PID 2504 wrote to memory of 2644 | 2504 | 3e30c9cbfed6311e5ebe149203bc4839.exe | svchost.exe
PID 2504 wrote to memory of 2644 | 2504 | 3e30c9cbfed6311e5ebe149203bc4839.exe | svchost.exe
PID 2504 wrote to memory of 2644 | 2504 | 3e30c9cbfed6311e5ebe149203bc4839.exe | svchost.exe
PID 2504 wrote to memory of 2644 | 2504 | 3e30c9cbfed6311e5ebe149203bc4839.exe | svchost.exe
PID 2504 wrote to memory of 2644 | 2504 | 3e30c9cbfed6311e5ebe149203bc4839.exe | svchost.exe
PID 2504 wrote to memory of 2644 | 2504 | 3e30c9cbfed6311e5ebe149203bc4839.exe | svchost.exe
PID 2504 wrote to memory of 2644 | 2504 | 3e30c9cbfed6311e5ebe149203bc4839.exe | svchost.exe
PID 2504 wrote to memory of 2644 | 2504 | 3e30c9cbfed6311e5ebe149203bc4839.exe | svchost.exe
PID 2504 wrote to memory of 2644 | 2504 | 3e30c9cbfed6311e5ebe149203bc4839.exe | svchost.exe
PID 2504 wrote to memory of 2644 | 2504 | 3e30c9cbfed6311e5ebe149203bc4839.exe | svchost.exe
PID 2504 wrote to memory of 2644 | 2504 | 3e30c9cbfed6311e5ebe149203bc4839.exe | svchost.exe
PID 2504 wrote to memory of 2644 | 2504 | 3e30c9cbfed6311e5ebe149203bc4839.exe | svchost.exe
PID 2504 wrote to memory of 2644 | 2504 | 3e30c9cbfed6311e5ebe149203bc4839.exe | svchost.exe
PID 2644 wrote to memory of 2780 | 2644 | svchost.exe | msdcsc.exe
PID 2644 wrote to memory of 2780 | 2644 | svchost.exe | msdcsc.exe
PID 2644 wrote to memory of 2780 | 2644 | svchost.exe | msdcsc.exe
PID 2644 wrote to memory of 2780 | 2644 | svchost.exe | msdcsc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e30c9cbfed6311e5ebe149203bc4839.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3e30c9cbfed6311e5ebe149203bc4839.exe"
Tree depth: 1
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
Tree depth: 2
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
Tree depth: 3
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
415KB
MD5
87ba94dcd3334ba357c6b70f1401f7f3
SHA1
88c8be63990a6d9d86b298e9a16c8479c5e26675
SHA256
81dbda90158db49d954670538a65a4560e60a07434c4eed0abbed25fc9428c59
SHA512
06beb5c381e4602e550da2c8da997e3d37857437b5cfe3643c68eb644df5b44bac4f70532f999aec99483b5d68862c3c5c4bb20896422248f2c4fb1000ad61fa
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
199KB
MD5
e942f4a4bfbb1677d6d270aad53424af
SHA1
d2290b118048e907c44b23ea2fe3f3c35c8e2559
SHA256
19fd56ac0e0220eb832376e86aa553ef70b65daa05a6e043ca07e1217ca6d7dc
SHA512
b4020e461d07d5b0c3b0f9cc75a34a9a90232d3e5acf5d35313ce9a02301a22cfac21bb29795ec3313f31470a99baa3acc4c69472ef630dc9eeff46d7f62e6a9
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
183KB
MD5
86b4ffa237e7059cc0905d0d69e34d44
SHA1
7f6004cae488f382be27ec1b5e49e05dee95552a
SHA256
a9206782dfc8047465aa8f70f59957cd010cdddcb7e5c90080ba14743edced4a
SHA512
5ef26a5c5379973b870f3f160823d133a36f7438fdbd969953f41e0cc9fd0989888b9b1afdc82c570d0bc5adc7c7b733cfda18adb6cc19eaf3e110179ad0c91d
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
141KB
MD5
68f13e11d24c55c17f2b12bd09418cf2
SHA1
a5415b7bc1f36f4ee593065994087b3a2b3aea30
SHA256
c0ecc5345ac93587b9b111856f8e6ec7005d9b9a2c34f18a82813185ae71d681
SHA512
2f7259a3b5958526062e2d996fa2c5a5dc744997045b738e77df3581212c2814f92d338465286049aac53fbb94110efe0673281bc3e96550748fbaa19a4da3a5
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
76KB
MD5
e45355646a24e6714a6f4578f881348e
SHA1
680bde6d20d53efc3940e67b00566d9eb03d4f03
SHA256
88c0331375587e846738c26f7cc605126cd41c338c7fb588d4261bea6e70c55b
SHA512
6c13c284f1f083333e26bdad6aab77b3d987974add6a28b1b6c27a8a9ec993c7ca7e834da1425b6c7be96aa70e3ee18a7a0cd1a3d37d7d97a785c2c51f3770a9
-
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
24KB
MD5
c37baf46e3bdac70c02f0edaac0b1fac
SHA1
fd884d1bce988ba1866bffbf10fe5f4f1b89f09e
SHA256
950673b93495f0ed4d3d7c714a29533df2706a8e03e1e3f142078745304aedef
SHA512
f6f750069e6ab0f7097ef0527c2e3f172ced4902d0a9ba982cbabdc268c96d0b1c603bfb0c6cc8f6ff0f2a00159f13cd4f24a82a3e2f48353c324dbc2f423fa3
-
\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
90KB
MD5
55a152c2aa377b551e0894d7a31994f7
SHA1
56f9cc557f4a2df54e00948a36d3d4087f91f9fb
SHA256
2b2cd651ddb5c5334305c7d048bbc481494ec89bfe55d5d1302f27656119210e
SHA512
9b6b27b8f37d778b3ccad2cae431e0b26fe297ea67d916201e243c767ff376d8384bcf42c10b6ed9e44807ffa5165196c98323bf0f4221bb2e01730b5a754289
-
memory/2504-1-0x0000000074CC0000-0x000000007526B000-memory.dmp
Filesize
5.7MB
-
memory/2504-2-0x0000000002300000-0x0000000002340000-memory.dmp
Filesize
256KB
-
memory/2504-0-0x0000000074CC0000-0x000000007526B000-memory.dmp
Filesize
5.7MB
-
memory/2504-27-0x0000000074CC0000-0x000000007526B000-memory.dmp
Filesize
5.7MB
-
memory/2644-17-0x0000000000400000-0x00000000004CD000-memory.dmp
Filesize
820KB
-
memory/2644-30-0x00000000004E0000-0x00000000004E1000-memory.dmp
Filesize
4KB
-
memory/2644-26-0x0000000000400000-0x00000000004CD000-memory.dmp
Filesize
820KB
-
memory/2644-24-0x0000000000400000-0x00000000004CD000-memory.dmp
Filesize
820KB
-
memory/2644-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Filesize
4KB
-
memory/2644-21-0x0000000000400000-0x00000000004CD000-memory.dmp
Filesize
820KB
-
memory/2644-28-0x0000000000400000-0x00000000004CD000-memory.dmp
Filesize
820KB
-
memory/2644-20-0x0000000000400000-0x00000000004CD000-memory.dmp
Filesize
820KB
-
memory/2644-29-0x0000000000400000-0x00000000004CD000-memory.dmp
Filesize
820KB
-
memory/2644-11-0x0000000000400000-0x00000000004CD000-memory.dmp
Filesize
820KB
-
memory/2644-19-0x0000000000400000-0x00000000004CD000-memory.dmp
Filesize
820KB
-
memory/2644-13-0x0000000000400000-0x00000000004CD000-memory.dmp
Filesize
820KB
-
memory/2644-39-0x0000000000400000-0x00000000004CD000-memory.dmp
Filesize
820KB
-
memory/2644-15-0x0000000000400000-0x00000000004CD000-memory.dmp
Filesize
820KB
-
memory/2644-9-0x0000000000400000-0x00000000004CD000-memory.dmp
Filesize
820KB