Analysis
- Max time kernel: 142s
- Max time network: 126s
- Platform: windows7_x64
- Resource: win7-20240221-en
- Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- Submitted: 27-03-2024 15:02

Behavioral task: behavioral1
- Sample: e1f41131a5909b59e2126a98b5a15139.exe
- Resource: win7-20240221-en
General
- Target: e1f41131a5909b59e2126a98b5a15139.exe
- Size: 807KB
- MD5: e1f41131a5909b59e2126a98b5a15139
- SHA1: 407ebacb446a1eb6e688b5f4a2290c12d9dc7a31
- SHA256: 14d44c2ac475e13bbe43de5ac7e1bd3ffb45c4d7886d4429949ab57e7eefaa98
- SHA512: 08e1ee1ba8ff96cfaf024e35dd43110eb42ab95d8ec4fbcd8adbfcb330bf5afc70c1a48d0ffe48bcaf8c76e3d2a0ca18911e30b79a9a92d9c6ca10235e140e10
- SSDEEP: 12288:HepGUR5k59o1Ihp13OnTPsmhZ9RE5pHUk7vL6vgxOu6oy8w/F/Kk9tfo:6H5kTOIhgTPs09RE7HUGXwEM/Ft9tg
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: amanj.no-ip.biz:1604
- Mutex: DC_MUTEX-NEE0M4Q
- InstallPath: MSDCSC\msdcsc.exe
- gencode: qXkrSF0LD23D
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: e1f41131a5909b59e2126a98b5a15139.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: e1f41131a5909b59e2126a98b5a15139.exe)
Loads dropped DLL (2 IoCs)
Processes: MsiExec.exe
- pid 2524 MsiExec.exe
- pid 2524 MsiExec.exe

YARA rule match (rule: upx)
Processes:
- resource behavioral1/memory/2972-0-0x0000000000400000-0x00000000005DD000-memory.dmp, yara_rule upx
- resource behavioral1/memory/2972-21-0x0000000000400000-0x00000000005DD000-memory.dmp, yara_rule upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: e1f41131a5909b59e2126a98b5a15139.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: e1f41131a5909b59e2126a98b5a15139.exe)
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
File opened (read-only) by msiexec.exe, in the order reported (46 events; each of the 23 drive roots appears twice):
\??\K:, \??\O:, \??\U:, \??\A:, \??\R:, \??\T:, \??\Y:, \??\H:, \??\E:, \??\L:, \??\P:, \??\Q:, \??\M:, \??\J:, \??\S:, \??\V:, \??\X:, \??\B:, \??\I:, \??\P:, \??\Q:, \??\S:, \??\T:, \??\V:, \??\G:, \??\Z:, \??\J:, \??\L:, \??\N:, \??\Z:, \??\H:, \??\M:, \??\N:, \??\R:, \??\X:, \??\K:, \??\U:, \??\A:, \??\E:, \??\G:, \??\Y:, \??\B:, \??\W:, \??\I:, \??\O:, \??\W:
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: msiexec.exe
- pid 3008 msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e1f41131a5909b59e2126a98b5a15139.exe, msiexec.exe, msiexec.exe
Token privileges adjusted, grouped by process (order within each group as reported):
- pid 2972 e1f41131a5909b59e2126a98b5a15139.exe (23 events): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- pid 1224 msiexec.exe (3 events): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
- pid 3008 msiexec.exe (38 events): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: msiexec.exe
- pid 3008 msiexec.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Processes: e1f41131a5909b59e2126a98b5a15139.exe, msiexec.exe
- PID 2972 wrote to memory of 3008 (e1f41131a5909b59e2126a98b5a15139.exe -> msiexec.exe): 7 events
- PID 2972 wrote to memory of 2676 (e1f41131a5909b59e2126a98b5a15139.exe -> notepad.exe): 6 events
- PID 1224 wrote to memory of 2524 (msiexec.exe -> MsiExec.exe): 7 events
Processes
- C:\Users\Admin\AppData\Local\Temp\e1f41131a5909b59e2126a98b5a15139.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e1f41131a5909b59e2126a98b5a15139.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\POOL5.0 SETUP.MSI"
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
  - C:\Windows\SysWOW64\notepad.exe
    Command line: notepad
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding ADE1477D33A181DB5F71C2BA2781A4C1 C
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSI4A49.tmp
  Filesize: 231KB
  MD5: 0a2626fc9e4e0ca18386c029e9efffd9
  SHA1: ac5576497afac2456f485cdb14bf52d895769651
  SHA256: 97a55524e0bf06419143b1b71778c0ec867716079ab477e8404a0f3125da7dc3
  SHA512: 40b25e507e64b5634e13e83d4bc420196b1294d533e60b01dae8898a8eed939417aec8341b409f59a722d14fb63884c24c5a31985da63933b761f1fc3acb24da
- C:\Users\Admin\AppData\Local\Temp\POOL5.0 SETUP.MSI
  Filesize: 914KB
  MD5: af4969ab784240fedaf4e45848493844
  SHA1: f485db967765bf6d0a8340555371727c2da47c67
  SHA256: 2b1f51b8c023d74ff9078dcd30b89777345d9154cd2a14e6c4b69252e24165fc
  SHA512: f274b05449588fef86a5ad9eda42a9a4cc83479502d8e03b82209e27dd5b44751b4f4e8ab1702f0f00d49211ee60c61dfab319c28e8c33f02e1f02607cea7dd3
- memory/2676-7-0x00000000000C0000-0x00000000000C1000-memory.dmp
  Filesize: 4KB
- memory/2972-0-0x0000000000400000-0x00000000005DD000-memory.dmp
  Filesize: 1.9MB
- memory/2972-1-0x00000000003C0000-0x00000000003C1000-memory.dmp
  Filesize: 4KB
- memory/2972-21-0x0000000000400000-0x00000000005DD000-memory.dmp
  Filesize: 1.9MB
- memory/2972-23-0x00000000003C0000-0x00000000003C1000-memory.dmp
  Filesize: 4KB