Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 20/01/2024, 20:51
Behavioral task: behavioral1
- Sample: 6b72b066e97055e859d4c4fe1e2ce84b.exe
- Resource: win7-20231129-en
General
- Target: 6b72b066e97055e859d4c4fe1e2ce84b.exe
- Size: 251KB
- MD5: 6b72b066e97055e859d4c4fe1e2ce84b
- SHA1: d5ad14292e12510c9389508220c288bb7a43b2be
- SHA256: 8e5f1c5943a1f7d03bba72b77f532a3c46f314d1cf1eb4dd6e651b5168a90a76
- SHA512: cbe0d4f87beed4f0363c8a6b4451ea2307ea6d1c69122b462e938a839ce2f582338fe362137dd93ea1f792613b5b151a2278a88e3486dd1cd66ccf957af6c3e8
- SSDEEP: 6144:ocNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37p:ocW7KEZlPzCy37p
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: speeed.zapto.org:15963
- C2: speeed.hopto.org:15963
- Mutex: DC_MUTEX-7CAR0WV
- InstallPath: MSDCSC\msdcsc.exe
- gencode: rxLxJDdtvsZV
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"  (process: 6b72b066e97055e859d4c4fe1e2ce84b.exe)

Executes dropped EXE (1 IoC)
  PID 2948  msdcsc.exe

Loads dropped DLL (2 IoCs)
  PID 1720  6b72b066e97055e859d4c4fe1e2ce84b.exe
  PID 1720  6b72b066e97055e859d4c4fe1e2ce84b.exe

Matches yara rule "upx" (5 resources)
  behavioral1/memory/1720-0-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral1/files/0x000b0000000144ac-5.dat
  behavioral1/memory/2948-16-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral1/memory/2836-15-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral1/memory/1720-17-0x0000000000400000-0x00000000004B7000-memory.dmp

Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"  (process: 6b72b066e97055e859d4c4fe1e2ce84b.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"  (process: msdcsc.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"  (process: iexplore.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 2948 (msdcsc.exe) set thread context of PID 2836  (procid_target 29)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 1720 (6b72b066e97055e859d4c4fe1e2ce84b.exe), 23 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 2948 (msdcsc.exe), 23 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 2836 (iexplore.exe), 18 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2836  iexplore.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  PID 1720 (6b72b066e97055e859d4c4fe1e2ce84b.exe) wrote to memory of PID 2948  (procid_target 28), 4 entries
  PID 2948 (msdcsc.exe) wrote to memory of PID 2836  (procid_target 29), 6 entries
Processes

C:\Users\Admin\AppData\Local\Temp\6b72b066e97055e859d4c4fe1e2ce84b.exe  (PID 1720)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6b72b066e97055e859d4c4fe1e2ce84b.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe  (PID 2948, child of 1720)
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\iexplore.exe  (PID 2836, child of 2948)
          Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15