Analysis
max time kernel: 131s
max time network: 143s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 20/01/2024, 18:09
Static task: static1
Behavioral task: behavioral1
Sample: 6b18a6b20832fb7929ccb4b3043f3218.exe
Resource: win7-20231215-en
General
Target: 6b18a6b20832fb7929ccb4b3043f3218.exe
Size: 964KB
MD5: 6b18a6b20832fb7929ccb4b3043f3218
SHA1: 6f35aca55396af3e9f8e6939c4ee1bfb3f5bc69a
SHA256: 70635ba75fdb495bb4c0209f26176f0c0d40fd294c8b39898f18742f2e55ce20
SHA512: f69815bc4bead7481be0ecaa43eb53b32c26a5502e40f4b3f68789534cf501246528a35e86bf3b092aed4864691192527414c7c949327c7610e1659377b230f9
SSDEEP: 24576:CMFvr6fMVQXwU23E/0iprDKUHSIHzOIfbfxRwv6lRu9xitRHsn:CMFO+QXwb3xGmDIHzOIfjblRuCto
Malware Config
Extracted
Family: darkcomet
Botnet (campaign ID): Guest16
C2: 84.72.27.213:1604
Mutex: DC_MUTEX-3WNETRQ
InstallPath: MSDCSC\msdcsc.exe
gencode: RJVLW58TNDYF
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: 6b18a6b20832fb7929ccb4b3043f3218.exe)

Executes dropped EXE (2 IoCs)
  PID 2748 msdcsc.exe
  PID 2536 msdcsc.exe

Loads dropped DLL (3 IoCs)
  PID 1940 6b18a6b20832fb7929ccb4b3043f3218.exe
  PID 1940 6b18a6b20832fb7929ccb4b3043f3218.exe
  PID 2748 msdcsc.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: 6b18a6b20832fb7929ccb4b3043f3218.exe)

Writes to the Master Boot Record (MBR) (1 TTP, 3 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PhysicalDrive0 (process: 6b18a6b20832fb7929ccb4b3043f3218.exe)
  File opened for modification: \??\PhysicalDrive0 (process: msdcsc.exe)
  File opened for modification: \??\PhysicalDrive0 (process: iexplore.exe)

Suspicious use of SetThreadContext (4 IoCs)
  PID 2612 set thread context of 1940 (process: 6b18a6b20832fb7929ccb4b3043f3218.exe, procid_target 28)
  PID 2748 set thread context of 2536 (process: msdcsc.exe, procid_target 30)
  PID 2536 set thread context of 2528 (process: msdcsc.exe, procid_target 32)
  PID 2528 set thread context of 2560 (process: iexplore.exe, procid_target 31)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 1940 6b18a6b20832fb7929ccb4b3043f3218.exe, tokens (23 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 2536 msdcsc.exe, tokens (23 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 2560 iexplore.exe, tokens (18 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 2612 6b18a6b20832fb7929ccb4b3043f3218.exe
  PID 2748 msdcsc.exe
  PID 2528 iexplore.exe
  PID 2560 iexplore.exe

Suspicious use of WriteProcessMemory (49 IoCs)
  PID 2612 wrote to memory of 1940 (process: 6b18a6b20832fb7929ccb4b3043f3218.exe, procid_target 28), 13 IoCs
  PID 1940 wrote to memory of 2748 (process: 6b18a6b20832fb7929ccb4b3043f3218.exe, procid_target 29), 4 IoCs
  PID 2748 wrote to memory of 2536 (process: msdcsc.exe, procid_target 30), 13 IoCs
  PID 2536 wrote to memory of 2528 (process: msdcsc.exe, procid_target 32), 6 IoCs
  PID 2528 wrote to memory of 2560 (process: iexplore.exe, procid_target 31), 13 IoCs
Processes

1. C:\Users\Admin\AppData\Local\Temp\6b18a6b20832fb7929ccb4b3043f3218.exe (PID 2612)
   command line: "C:\Users\Admin\AppData\Local\Temp\6b18a6b20832fb7929ccb4b3043f3218.exe"
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\6b18a6b20832fb7929ccb4b3043f3218.exe (PID 1940)
      command line: "C:\Users\Admin\AppData\Local\Temp\6b18a6b20832fb7929ccb4b3043f3218.exe"
      - Modifies WinLogon for persistence
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2748)
         command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Writes to the Master Boot Record (MBR)
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2536)
            command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 2528)
               command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
               - Writes to the Master Boot Record (MBR)
               - Suspicious use of SetThreadContext
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory

1. C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 2560)
   command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Pre-OS Boot (1)
    Bootkit (1)
Downloads

Filesize: 964KB
MD5: 6b18a6b20832fb7929ccb4b3043f3218
SHA1: 6f35aca55396af3e9f8e6939c4ee1bfb3f5bc69a
SHA256: 70635ba75fdb495bb4c0209f26176f0c0d40fd294c8b39898f18742f2e55ce20
SHA512: f69815bc4bead7481be0ecaa43eb53b32c26a5502e40f4b3f68789534cf501246528a35e86bf3b092aed4864691192527414c7c949327c7610e1659377b230f9

Filesize: 823KB
MD5: 7617c14e04407e82bbec55f07f6e3f55
SHA1: c9704a54b9077790394868c0b04f0e34ae3805ef
SHA256: c259d6579356f15594eaf963c5e620ae15f16ab84a3715d66390f94997f4f68c
SHA512: 5272bf36b1f43c0a03c60e7d23afe2b15ba2a5f927260f25db46b22353d1c2445b4e4bf82fa2ae83b1ee2d17256f9be42f73124a69897e5ea414ee51236ad3cb

Filesize: 917KB
MD5: c9a40619dfdc1dada43c412323a32069
SHA1: 667962426ebd67c057ad286f91e8f91b9c20e3bf
SHA256: da8b4dac71272c87c9340886ca40a70e24fd566d4ac7b3a8b3072d7789af9f35
SHA512: 01ee538fc6cb872d1e4c0f65e53cb38cae975236003e1dae86641950ddab15e548ae0468527d66b5f8ed8534020cadb1c0fb8e6fdccbc456bd8c72cb025a3bf9

Filesize: 920KB
MD5: fc65b192df46c0032665308e99e38a8e
SHA1: 08ea4b9c54456f97b2502e615dc84f0e9d6c5e98
SHA256: 71e059fa78fa9f26226e1714295507cf4282dc73899a36a559fe65e5365c32a7
SHA512: c76a76acdba663b5859a5a4af70e400a1676cd87c57a19d9c80a3817b3927f88c4322bd96ff17783caff7d1cbea49ac9de274beb361b4a1943bf34d764227afc