Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system -
submitted
14-03-2024 19:07
Behavioral task
behavioral1
Sample
43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe
Resource
win7-20240215-en
General
-
Target
43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe
-
Size
1.1MB
-
MD5
8cae7b7712c8db2a4896e15635953d93
-
SHA1
aa362e6fb974dd0d2e0322d3c9c076c842765823
-
SHA256
43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09
-
SHA512
f5f83ab8fd44c08d2c33b3bd8a1197737fdcda03985acdd218f414cfd40359257cf4df3f7c62a8ad435c983fcd9445a45dd9d3fef8d7e3bad521f3493d478e8d
-
SSDEEP
24576:9Z1xuVVjfFoynPaVBUR8f+kN10EdcESg2WfrG31X:HQDgok30bESg9frGX
Malware Config
Extracted
-
Family
darkcomet
-
Botnet
Guest16
-
C2
46.148.21.34:3128
-
Mutex
DC_MUTEX-5NGFKSE
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
5KiVbE9BkMJo
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
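How a block like the one above is recovered from a DarkComet payload, as an added example that is not the sandbox's extractor and not code from this report: DarkComet keeps its settings as KEY={HEX} lines in a DCDATA resource, each value RC4-encrypted under a fixed per-version key string with the operator's password appended. The decoder below tries the publicly known version keys until the MUTEX field decrypts to the family's DC_MUTEX- marker. The encrypted sample is constructed here by encrypting the values extracted above under the 5.1 key with an assumed empty password, so it exercises the decoder rather than this binary's actual resource; the field names (MUTEX, SID, NETDATA, GENCODE, INSTALL, EDTPATH, KEYNAME, OFFLINEK, PERSINST) are DarkComet's own DCDATA names, mapped to the labels the report uses.

```python
"""Recover a DarkComet configuration block (added example; not the sandbox's extractor).

DarkComet stores its settings as KEY={HEX} lines in a DCDATA resource, each value
RC4-encrypted under a fixed per-version key string with the operator's password
appended. The decoder tries the publicly known version keys until the MUTEX field
decrypts to the family's DC_MUTEX- marker. SAMPLE_DCDATA is CONSTRUCTED here by
encrypting the values from this report with an assumed empty password.
"""
from typing import Dict, Optional, Sequence

# Publicly known fixed key strings by DarkComet version; the password is appended.
KNOWN_KEYS = (
    "#KCMDDC2#-890",
    "#KCMDDC4#-890",
    "#KCMDDC42#-890",
    "#KCMDDC42F#-890",
    "#KCMDDC5#-890",
    "#KCMDDC51#-890",
)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_config(dcdata: str, key: str) -> Dict[str, str]:
    """Decrypt every KEY={HEX} line with one candidate key.

    Raises ValueError/UnicodeDecodeError when the key is wrong and the output is
    not ASCII text, so callers can treat an exception as 'try the next key'.
    """
    cfg: Dict[str, str] = {}
    for raw in dcdata.splitlines():
        if "=" not in raw:
            continue
        name, hexval = raw.split("=", 1)
        plain = rc4(key.encode(), bytes.fromhex(hexval.strip().strip("{}")))
        cfg[name.strip()] = plain.decode("ascii")
    return cfg


def brute_force_config(dcdata: str, passwords: Sequence[str] = ("",)) -> Optional[Dict[str, str]]:
    """Try each version key with each candidate password; accept on the DC_MUTEX- marker."""
    for base in KNOWN_KEYS:
        for pw in passwords:
            try:
                cfg = decrypt_config(dcdata, base + pw)
            except (ValueError, UnicodeDecodeError):
                continue
            if cfg.get("MUTEX", "").startswith("DC_MUTEX-"):
                return cfg
    return None


def build_dcdata(values: Dict[str, str], key: str) -> str:
    """Produce a DCDATA-style block from plaintext values (constructed test input only)."""
    return "\n".join(
        f"{k}={{{rc4(key.encode(), v.encode()).hex().upper()}}}" for k, v in values.items()
    )


# Field names follow DarkComet's DCDATA layout; values are the ones this report extracted.
SAMPLE_PLAINTEXT = {
    "MUTEX": "DC_MUTEX-5NGFKSE",
    "SID": "Guest16",                # campaign / botnet id
    "NETDATA": "46.148.21.34:3128",  # C2 host:port
    "GENCODE": "5KiVbE9BkMJo",
    "INSTALL": "1",
    "EDTPATH": "MSDCSC\\msdcsc.exe",
    "KEYNAME": "MicroUpdate",        # Run key value name
    "OFFLINEK": "1",                 # offline keylogger
    "PERSINST": "0",                 # persistence watchdog off
}
SAMPLE_DCDATA = build_dcdata(SAMPLE_PLAINTEXT, "#KCMDDC51#-890")  # 5.1 key, empty password

if __name__ == "__main__":
    recovered = brute_force_config(SAMPLE_DCDATA) or {}
    for name, value in recovered.items():
        print(f"{name:9} {value}")
```

Against a real sample the input to brute_force_config is the DCDATA resource text read out of the PE; when the operator set a password, pass candidate passwords (from the campaign or from other samples in the cluster) and the same loop finds the right suffix.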
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" | 43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe
-
Modifies security service 2 TTPs 1 IoCs
Processes:
msdcsc.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msdcsc.exe
-
Windows security bypass 2 IoCs
Processes:
msdcsc.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exe, attrib.exe
pid | process
4984 | attrib.exe
2228 | attrib.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | 43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe
-
Executes dropped EXE 1 IoCs
Processes:
msdcsc.exe
pid | process
440 | msdcsc.exe
-
Windows security modification 2 IoCs
Processes:
msdcsc.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" | 43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe, msdcsc.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 adjustments) | 1696 | 43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 adjustments) | 440 | msdcsc.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
msdcsc.exe
pid | process
440 | msdcsc.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 1696 wrote to memory of 5108 | 1696 | 43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe | cmd.exe
PID 1696 wrote to memory of 5108 | 1696 | 43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe | cmd.exe
PID 1696 wrote to memory of 5108 | 1696 | 43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe | cmd.exe
PID 1696 wrote to memory of 5112 | 1696 | 43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe | cmd.exe
PID 1696 wrote to memory of 5112 | 1696 | 43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe | cmd.exe
PID 1696 wrote to memory of 5112 | 1696 | 43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe | cmd.exe
PID 5112 wrote to memory of 4984 | 5112 | cmd.exe | attrib.exe
PID 5112 wrote to memory of 4984 | 5112 | cmd.exe | attrib.exe
PID 5112 wrote to memory of 4984 | 5112 | cmd.exe | attrib.exe
PID 5108 wrote to memory of 2228 | 5108 | cmd.exe | attrib.exe
PID 5108 wrote to memory of 2228 | 5108 | cmd.exe | attrib.exe
PID 5108 wrote to memory of 2228 | 5108 | cmd.exe | attrib.exe
PID 1696 wrote to memory of 440 | 1696 | 43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe | msdcsc.exe
PID 1696 wrote to memory of 440 | 1696 | 43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe | msdcsc.exe
PID 1696 wrote to memory of 440 | 1696 | 43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe | msdcsc.exe
-
System policy modification 1 TTPs 3 IoCs
Processes:
msdcsc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exe, attrib.exe
pid | process
4984 | attrib.exe
2228 | attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe
  "C:\Users\Admin\AppData\Local\Temp\43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe" +s +h
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
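The registry writes listed under Signatures and the two attrib command lines in the process tree translate directly into host detection logic. The script below is an added example, not part of this report and not the sandbox's own signature engine: it parses the report's "Set value" lines (copied in as constructed sample input, together with one constructed benign Userinit line as a control) and the attrib command lines, and emits findings tagged with ATT&CK technique IDs (T1547.004 Winlogon Helper DLL, T1547.001 Registry Run Keys, T1562.001 Disable or Modify Tools, T1564.001 Hidden Files and Directories, T1112 Modify Registry). The rules are written generically, so they also catch variants that use a different install directory or value name: anything other than userinit.exe in the Userinit chain, Run keys pointing into a user profile, wscsvc set to Disabled, Security Center notifications suppressed, Explorer policy lockouts, and attrib +h/+s on user-profile paths.

```python
"""Host IoC detection rules derived from this report (added example; not the sandbox's
own signature engine).

The sandbox printed registry writes as  Set value (type) \\REGISTRY\\... = "value" process
with the backslashes inside values doubled. The parser reads that format; the rules then
flag the behaviours generically rather than by this sample's exact paths and names.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    technique: str   # ATT&CK technique ID
    process: str
    detail: str


REG_EVENT = re.compile(r'^Set value \((?:str|int)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # minimal Windows command-line tokenizer


def parse_reg_event(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (key path, value, process) from a sandbox 'Set value' line, else None."""
    m = REG_EVENT.match(line.strip())
    if not m:
        return None
    path, value, proc = m.groups()
    return path, value.replace("\\\\", "\\"), proc   # undo the report's doubled backslashes


def check_registry(path: str, value: str, proc: str) -> List[Finding]:
    """Apply the persistence / defence-evasion rules to one registry write."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if p.endswith("\\winlogon\\userinit"):
        entries = [e.strip() for e in value.split(",") if e.strip()]
        extra = [e for e in entries if e.rsplit("\\", 1)[-1].lower() != "userinit.exe"]
        return [Finding("T1547.004", proc, f"Userinit chain extended with {extra}")] if extra else []
    if "\\currentversion\\run\\" in p and "\\users\\" in value.lower():
        return [Finding("T1547.001", proc, f"Run key {name} -> {value}")]
    if p.endswith("\\services\\wscsvc\\start") and value == "4":
        return [Finding("T1562.001", proc, "Security Center service (wscsvc) set to Disabled")]
    if "\\security center\\" in p and name.endswith("disablenotify") and value == "1":
        return [Finding("T1562.001", proc, f"Security Center {name} suppressed")]
    if "\\policies\\" in p and name.startswith("no") and value == "1":
        return [Finding("T1112", proc, f"policy lockout {name} = 1")]
    return []


def check_cmdline(proc: str, cmdline: str) -> List[Finding]:
    """Flag attrib.exe hiding (+h/+s) a file or directory under a user profile."""
    tokens = [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]
    uses_attrib = any(t.rsplit("\\", 1)[-1].lower() in ("attrib", "attrib.exe") for t in tokens)
    flags = {t.lower() for t in tokens if t.startswith("+")}
    targets = [t for t in tokens if "\\users\\" in t.lower()]
    if uses_attrib and flags & {"+h", "+s"} and targets:
        return [Finding("T1564.001", proc, f"attrib {' '.join(sorted(flags))} on {targets[0]}")]
    return []


def scan(reg_lines: str, processes: List[Tuple[str, str]]) -> List[Finding]:
    """Run every rule over the registry events and the (process, command line) pairs."""
    findings: List[Finding] = []
    for line in reg_lines.splitlines():
        parsed = parse_reg_event(line)
        if parsed:
            findings.extend(check_registry(*parsed))
    for proc, cmd in processes:
        findings.extend(check_cmdline(proc, cmd))
    return findings


# Sample input: the registry writes as printed in this report, plus one CONSTRUCTED benign
# control line (the default Userinit value) that must not fire.
REG_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" 43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" 43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," control-benign.exe
'''
# The two attrib invocations from the process tree (process name, command line).
PROCESSES = [
    ("cmd.exe", r'"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09.exe" +s +h'),
    ("attrib.exe", r'attrib "C:\Users\Admin\AppData\Local\Temp" +s +h'),
]

if __name__ == "__main__":
    for f in scan(REG_EVENTS, PROCESSES):
        print(f"{f.technique:10} {f.process:12} {f.detail}")
```

On the report's lines this yields eight findings; the Userinit rule in particular keys on the extra entry rather than on the MSDCSC path, which is the check worth running against live Winlogon keys since the default value is exactly "userinit.exe," and anything appended after the comma runs at every interactive logon.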
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
-
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
Filesize
1.1MB
MD5
8cae7b7712c8db2a4896e15635953d93
SHA1
aa362e6fb974dd0d2e0322d3c9c076c842765823
SHA256
43073226301eeeb038faa18c034a87a396544f0b7e96d8999a74369a5847cf09
SHA512
f5f83ab8fd44c08d2c33b3bd8a1197737fdcda03985acdd218f414cfd40359257cf4df3f7c62a8ad435c983fcd9445a45dd9d3fef8d7e3bad521f3493d478e8d
-
memory/440-62-0x00000000007E0000-0x00000000007E1000-memory.dmp
Filesize
4KB
-
memory/440-64-0x0000000000400000-0x0000000000521000-memory.dmp
Filesize
1.1MB
-
memory/440-66-0x0000000000400000-0x0000000000521000-memory.dmp
Filesize
1.1MB
-
memory/1696-0-0x00000000028C0000-0x00000000028C1000-memory.dmp
Filesize
4KB
-
memory/1696-63-0x0000000000400000-0x0000000000521000-memory.dmp
Filesize
1.1MB