Analysis
max time kernel: 142s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-01-2024 23:53
Static task: static1
Behavioral task: behavioral1
  Sample: 3e30c9cbfed6311e5ebe149203bc4839.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 3e30c9cbfed6311e5ebe149203bc4839.exe
  Resource: win10v2004-20231215-en
General
Target: 3e30c9cbfed6311e5ebe149203bc4839.exe
Size: 1.1MB
MD5: 3e30c9cbfed6311e5ebe149203bc4839
SHA1: fcca7dc34ad5b01e45b3d834a43c59fac8cf527c
SHA256: 6609f8a3eb1784fe12d91be389de594b5b9a0ccea15cd0de4ecbd5fe52638f20
SHA512: 1993e43d2bfbe9c4f39db163d21b81b4fc40026fdbbfab0a568047c43b64347dd234f21d5f3026b810caab4de4c5b7f446ad0682e1f0c43dc6978c7faf8c4a6b
SSDEEP: 12288:m1Eu4AZ+EOJTSNT8JpclOVgvcWS2LgHtJpXMKI1jdT5yRVhJUzIwX5+9NB8GYbnt:Y0GMG15eisLl74ZYS+/VRZN9
Malware Config
Extracted
Family: darkcomet
Botnet: 01
C2: hostme.no-ip.org:1604
Mutex: DC_MUTEX-MJWC85T
Attributes:
InstallPath: MSDCSC\msdcsc.exe
gencode: kCB568SQFn2i
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | svchost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: svchost.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | svchost.exe
Executes dropped EXE 2 IoCs
Processes: svchost.exe, msdcsc.exe
pid | process
4544 | svchost.exe
3748 | msdcsc.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 3e30c9cbfed6311e5ebe149203bc4839.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Users\\Admin\\AppData\\Roaming\\3e30c9cbfed6311e5ebe149203bc4839.exe" | 3e30c9cbfed6311e5ebe149203bc4839.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | svchost.exe
Drops file in System32 directory 3 IoCs
Processes: svchost.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | svchost.exe
File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | svchost.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: 3e30c9cbfed6311e5ebe149203bc4839.exe
description | pid | process | target process
PID 1544 set thread context of 4544 | 1544 | 3e30c9cbfed6311e5ebe149203bc4839.exe | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes: svchost.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 4544 | svchost.exe
Token: SeSecurityPrivilege | 4544 | svchost.exe
Token: SeTakeOwnershipPrivilege | 4544 | svchost.exe
Token: SeLoadDriverPrivilege | 4544 | svchost.exe
Token: SeSystemProfilePrivilege | 4544 | svchost.exe
Token: SeSystemtimePrivilege | 4544 | svchost.exe
Token: SeProfSingleProcessPrivilege | 4544 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4544 | svchost.exe
Token: SeCreatePagefilePrivilege | 4544 | svchost.exe
Token: SeBackupPrivilege | 4544 | svchost.exe
Token: SeRestorePrivilege | 4544 | svchost.exe
Token: SeShutdownPrivilege | 4544 | svchost.exe
Token: SeDebugPrivilege | 4544 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 4544 | svchost.exe
Token: SeChangeNotifyPrivilege | 4544 | svchost.exe
Token: SeRemoteShutdownPrivilege | 4544 | svchost.exe
Token: SeUndockPrivilege | 4544 | svchost.exe
Token: SeManageVolumePrivilege | 4544 | svchost.exe
Token: SeImpersonatePrivilege | 4544 | svchost.exe
Token: SeCreateGlobalPrivilege | 4544 | svchost.exe
Token: 33 | 4544 | svchost.exe
Token: 34 | 4544 | svchost.exe
Token: 35 | 4544 | svchost.exe
Token: 36 | 4544 | svchost.exe
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 3e30c9cbfed6311e5ebe149203bc4839.exe, svchost.exe
description | pid | process | target process
PID 1544 wrote to memory of 4544 | 1544 | 3e30c9cbfed6311e5ebe149203bc4839.exe | svchost.exe (14 identical entries)
PID 4544 wrote to memory of 3748 | 4544 | svchost.exe | msdcsc.exe (3 identical entries)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\3e30c9cbfed6311e5ebe149203bc4839.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e30c9cbfed6311e5ebe149203bc4839.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Level 1: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
  Command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/1544-1-0x00000000013D0000-0x00000000013E0000-memory.dmp (Filesize 64KB)
memory/1544-0-0x00000000747B0000-0x0000000074D61000-memory.dmp (Filesize 5.7MB)
memory/1544-13-0x00000000747B0000-0x0000000074D61000-memory.dmp (Filesize 5.7MB)
memory/4544-11-0x0000000000400000-0x00000000004CD000-memory.dmp (Filesize 820KB)
memory/4544-14-0x0000000000400000-0x00000000004CD000-memory.dmp (Filesize 820KB)
memory/4544-15-0x00000000025D0000-0x00000000025D1000-memory.dmp (Filesize 4KB)
memory/4544-27-0x0000000000400000-0x00000000004CD000-memory.dmp (Filesize 820KB)
memory/4544-9-0x0000000000400000-0x00000000004CD000-memory.dmp (Filesize 820KB)
memory/4544-6-0x0000000000400000-0x00000000004CD000-memory.dmp (Filesize 820KB)