Analysis
- max time kernel: 151s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-03-2024 22:34
Behavioral task: behavioral1
- Sample: 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe
- Resource: win10v2004-20240226-en
General
- Target: 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe
- Size: 658KB
- MD5: 3f373a61431dcfda4b1a0db8b4321c71
- SHA1: 3a6f03440b869b725eb0aa98f6dadcd834394b72
- SHA256: 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2
- SHA512: 9c5f32818f3f485d8a3e73f0bf1812c79186128516141da49029dac3858899e6d9acf526e74e15ffb895c1c692e27860ea98bb7eee5682129066a795ac55cd7e
- SSDEEP: 12288:e9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hp:qZ1xuVVjfFoynPaVBUR8f+kN10EBT
Malware Config
Extracted
- Family: darkcomet
- Guest17
- C2: 91.210.106.47:1604
- AP_Microsoft_ax
Attributes
- InstallPath: MSDCSC\msdcsc.exe
- gencode: cocYNPSytj54
- install: true
- offline_keylogger: true
- password: 7Gtv4n9bg.
- persistence: false
- reg_key: Bonjour
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe
Executes dropped EXE (1 IoCs)
  Processes: msdcsc.exe
  pid | process
  3988 | msdcsc.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bonjour = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe
Suspicious use of SetThreadContext (1 IoCs)
  Processes: msdcsc.exe
  description | pid | process | target process
  PID 3988 set thread context of 3600 | 3988 | msdcsc.exe | iexplore.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe, msdcsc.exe, iexplore.exe
  Tokens grouped by pid and process (24 + 24 + 16 = 64 entries):
  PID 3080, 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 3988, msdcsc.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 3600, iexplore.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: iexplore.exe
  pid | process
  3600 | iexplore.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe, msdcsc.exe
  description | pid | process | target process
  PID 3080 wrote to memory of 3988 | 3080 | 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe | msdcsc.exe
  PID 3080 wrote to memory of 3988 | 3080 | 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe | msdcsc.exe
  PID 3080 wrote to memory of 3988 | 3080 | 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe | msdcsc.exe
  PID 3988 wrote to memory of 3600 | 3988 | msdcsc.exe | iexplore.exe
  PID 3988 wrote to memory of 3600 | 3988 | msdcsc.exe | iexplore.exe
  PID 3988 wrote to memory of 3600 | 3988 | msdcsc.exe | iexplore.exe
  PID 3988 wrote to memory of 3600 | 3988 | msdcsc.exe | iexplore.exe
  PID 3988 wrote to memory of 3600 | 3988 | msdcsc.exe | iexplore.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe (depth 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2.exe"
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (depth 2, child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe (depth 3, child of 2)
         Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  Filesize: 658KB
  MD5: 3f373a61431dcfda4b1a0db8b4321c71
  SHA1: 3a6f03440b869b725eb0aa98f6dadcd834394b72
  SHA256: 9d1822c44c81ef49b145377a9424156527ca2edf0007e57ceb4636d814ba4ec2
  SHA512: 9c5f32818f3f485d8a3e73f0bf1812c79186128516141da49029dac3858899e6d9acf526e74e15ffb895c1c692e27860ea98bb7eee5682129066a795ac55cd7e
- memory/3080-0-0x00000000022C0000-0x00000000022C1000-memory.dmp
  Filesize: 4KB
- memory/3080-17-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
- memory/3600-15-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
- memory/3988-14-0x00000000023C0000-0x00000000023C1000-memory.dmp
  Filesize: 4KB
- memory/3988-16-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB