Analysis
max time kernel: 135s
max time network: 145s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 21-03-2024 22:34
Behavioral task behavioral1
Sample: 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe
Resource: win7-20231129-en
Behavioral task behavioral2
Sample: 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe
Resource: win10v2004-20240226-en
General
Target: 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe
Size: 658KB
MD5: 3f373a61431dcfda4b1a0db8b4321c71
SHA1: 3a6f03440b869b725eb0aa98f6dadcd834394b72
SHA256: 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2
SHA512: 9c5f32818f3f485d8a3e73f0bf1812c79186128516141da49029dac3858899e6d9acf526e74e15ffb895c1c692e27860ea98bb7eee5682129066a795ac55cd7e
SSDEEP: 12288:e9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hp:qZ1xuVVjfFoynPaVBUR8f+kN10EBT
Malware Config
Extracted
Family: darkcomet
Guest17
C2: 91.210.106.47:1604
AP_Microsoft_ax
InstallPath: MSDCSC\msdcsc.exe
gencode: cocYNPSytj54
install: true
offline_keylogger: true
password: 7Gtv4n9bg.
persistence: false
reg_key: Bonjour
Signatures
-
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
  process: 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe
- Executes dropped EXE (1 IoC)
Processes:
  pid 3012  process msdcsc.exe
- Loads dropped DLL (2 IoCs)
Processes:
  pid 2884  process 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe
  pid 2884  process 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bonjour = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
  process: 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe
- Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 3012 set thread context of 2408
  pid 3012  process msdcsc.exe  target process iexplore.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (token privileges adjusted, grouped by process):
  pid 2884  process 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  pid 3012  process msdcsc.exe
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  pid 2408  process iexplore.exe
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid 2408  process iexplore.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  PID 2884 wrote to memory of 3012  pid 2884  process 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe  target process msdcsc.exe
  PID 2884 wrote to memory of 3012  pid 2884  process 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe  target process msdcsc.exe
  PID 2884 wrote to memory of 3012  pid 2884  process 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe  target process msdcsc.exe
  PID 2884 wrote to memory of 3012  pid 2884  process 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe  target process msdcsc.exe
  PID 3012 wrote to memory of 2408  pid 3012  process msdcsc.exe  target process iexplore.exe
  PID 3012 wrote to memory of 2408  pid 3012  process msdcsc.exe  target process iexplore.exe
  PID 3012 wrote to memory of 2408  pid 3012  process msdcsc.exe  target process iexplore.exe
  PID 3012 wrote to memory of 2408  pid 3012  process msdcsc.exe  target process iexplore.exe
  PID 3012 wrote to memory of 2408  pid 3012  process msdcsc.exe  target process iexplore.exe
  PID 3012 wrote to memory of 2408  pid 3012  process msdcsc.exe  target process iexplore.exe
Processes
C:\Users\Admin\AppData\Local\Temp\9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
      command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  Filesize: 615KB
  MD5: 78f4cd07ab66a2affd22d0bc5a174afb
  SHA1: 37d7036575f82b2864bf4cdfcb2cd2e4d8185918
  SHA256: 75b588bcaaeab11ef9c9b3a827fd31f9a865ba091e8780a41224774fde9d9d87
  SHA512: 098682ccb7c48755b9e28f51aa1cb82beb5565939e1e995aef2436089dd38d71675667bebfb6f0931e99319bdfcdf3855c0c2f16a12f5f339d5ca00f7bd305e0
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  Filesize: 658KB
  MD5: 3f373a61431dcfda4b1a0db8b4321c71
  SHA1: 3a6f03440b869b725eb0aa98f6dadcd834394b72
  SHA256: 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2
  SHA512: 9c5f32818f3f485d8a3e73f0bf1812c79186128516141da49029dac3858899e6d9acf526e74e15ffb895c1c692e27860ea98bb7eee5682129066a795ac55cd7e
memory/2408-14-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
memory/2884-0-0x0000000000260000-0x0000000000261000-memory.dmp
  Filesize: 4KB
memory/2884-16-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
memory/3012-12-0x0000000000260000-0x0000000000261000-memory.dmp
  Filesize: 4KB
memory/3012-15-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB