Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 20/01/2024, 03:05
Behavioral task: behavioral1
- Sample: latest.exe
- Resource: win7-20231215-en
General
- Target: latest.exe
- Size: 756KB
- MD5: 3d44f7937fb46ea4de708e90a4ca4587
- SHA1: db54473365d6aa656523607286c777ce37aee53b
- SHA256: f993cc832ebf9603779a0d03ef696305818f27d0edf14dca665eb8571b13b98e
- SHA512: c4d686e875ad26e5debed497630d7d1e6acecf64864928375fbd09130b9761fa54e623b9d41b2d984ee4a4f5b83debb2f194a485242fdad70ecec17dbfeae2fe
- SSDEEP: 12288:x9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hz:rZ1xuVVjfFoynPaVBUR8f+kN10EB1
Malware Config
Extracted
- Family: darkcomet
- Botnet ID: Guest16
- C2: 122.176.133.66:2181
- Mutex: DC_MUTEX-10VBW8X
Attributes
- InstallPath: MSDCSC\msdcsc.exe
- gencode: EVjYUENRn40t
- install: true
- offline_keylogger: true
- password: hacker667
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" (process: latest.exe)
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 2700 attrib.exe; PID 2688 attrib.exe
- Executes dropped EXE (1 IoC)
  PID 2832 msdcsc.exe
- Loads dropped DLL (2 IoCs)
  PID 2476 latest.exe (2 entries)
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" (process: iexplore.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" (process: latest.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" (process: msdcsc.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2832 msdcsc.exe set thread context of 2108 (procid_target 35)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2108 iexplore.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 2476 latest.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 entries)
  PID 2832 msdcsc.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 entries)
  PID 2108 iexplore.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege (18 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2108 iexplore.exe
- Suspicious use of WriteProcessMemory (49 IoCs)
  PID 2476 latest.exe wrote to memory of 2752 (procid_target 28): 4 entries
  PID 2476 latest.exe wrote to memory of 1268 (procid_target 29): 4 entries
  PID 1268 cmd.exe wrote to memory of 2700 (procid_target 32): 4 entries
  PID 2752 cmd.exe wrote to memory of 2688 (procid_target 33): 4 entries
  PID 2476 latest.exe wrote to memory of 2832 (procid_target 34): 4 entries
  PID 2832 msdcsc.exe wrote to memory of 2108 (procid_target 35): 6 entries
  PID 2108 iexplore.exe wrote to memory of 2608 (procid_target 36): 23 entries
- Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 2700 attrib.exe; PID 2688 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\latest.exe (PID 2476)
  Command line: "C:\Users\Admin\AppData\Local\Temp\latest.exe"
  Signatures: Modifies WinLogon for persistence; Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2752)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\latest.exe" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (PID 2688)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\latest.exe" +s +h
      Signatures: Sets file to hidden; Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 1268)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (PID 2700)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures: Sets file to hidden; Views/modifies file attributes
  - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (PID 2832)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 2108)
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      Signatures: Adds Run key to start application; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\notepad.exe (PID 2608)
        Command line: notepad
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)