Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2024, 20:51
Behavioral task: behavioral1
Sample: 6b72b066e97055e859d4c4fe1e2ce84b.exe
Resource: win7-20231129-en
General
Target: 6b72b066e97055e859d4c4fe1e2ce84b.exe
Size: 251KB
MD5: 6b72b066e97055e859d4c4fe1e2ce84b
SHA1: d5ad14292e12510c9389508220c288bb7a43b2be
SHA256: 8e5f1c5943a1f7d03bba72b77f532a3c46f314d1cf1eb4dd6e651b5168a90a76
SHA512: cbe0d4f87beed4f0363c8a6b4451ea2307ea6d1c69122b462e938a839ce2f582338fe362137dd93ea1f792613b5b151a2278a88e3486dd1cd66ccf957af6c3e8
SSDEEP: 6144:ocNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37p:ocW7KEZlPzCy37p
Malware Config
Extracted
darkcomet
Guest16
speeed.zapto.org:15963
speeed.hopto.org:15963
DC_MUTEX-7CAR0WV
InstallPath: MSDCSC\msdcsc.exe
gencode: rxLxJDdtvsZV
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: 6b72b066e97055e859d4c4fe1e2ce84b.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation
  process: 6b72b066e97055e859d4c4fe1e2ce84b.exe

Executes dropped EXE (1 IoCs)
  pid: 4860
  process: msdcsc.exe

yara_rule: upx
  behavioral2/memory/3660-0-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/files/0x0003000000022765-6.dat
  behavioral2/memory/4268-63-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/4860-64-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/3660-65-0x0000000000400000-0x00000000004B7000-memory.dmp

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: 6b72b066e97055e859d4c4fe1e2ce84b.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: msdcsc.exe

Suspicious use of SetThreadContext (1 IoCs)
  description: PID 4860 set thread context of 4268
  pid: 4860
  process: msdcsc.exe
  procid_target: 90

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoCs)
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  process: 6b72b066e97055e859d4c4fe1e2ce84b.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 3660 (6b72b066e97055e859d4c4fe1e2ce84b.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 4860 (msdcsc.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 4268 (iexplore.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3660 wrote to memory of 4860 (process 6b72b066e97055e859d4c4fe1e2ce84b.exe, procid_target 89)
  PID 3660 wrote to memory of 4860 (process 6b72b066e97055e859d4c4fe1e2ce84b.exe, procid_target 89)
  PID 3660 wrote to memory of 4860 (process 6b72b066e97055e859d4c4fe1e2ce84b.exe, procid_target 89)
  PID 4860 wrote to memory of 4268 (process msdcsc.exe, procid_target 90)
  PID 4860 wrote to memory of 4268 (process msdcsc.exe, procid_target 90)
  PID 4860 wrote to memory of 4268 (process msdcsc.exe, procid_target 90)
  PID 4860 wrote to memory of 4268 (process msdcsc.exe, procid_target 90)
  PID 4860 wrote to memory of 4268 (process msdcsc.exe, procid_target 90)
Processes

1. C:\Users\Admin\AppData\Local\Temp\6b72b066e97055e859d4c4fe1e2ce84b.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\6b72b066e97055e859d4c4fe1e2ce84b.exe"
   PID: 3660
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Adds Run key to start application
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      PID: 4860
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe
         command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         PID: 4268
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 251KB
MD5: 6b72b066e97055e859d4c4fe1e2ce84b
SHA1: d5ad14292e12510c9389508220c288bb7a43b2be
SHA256: 8e5f1c5943a1f7d03bba72b77f532a3c46f314d1cf1eb4dd6e651b5168a90a76
SHA512: cbe0d4f87beed4f0363c8a6b4451ea2307ea6d1c69122b462e938a839ce2f582338fe362137dd93ea1f792613b5b151a2278a88e3486dd1cd66ccf957af6c3e8