Analysis

max time kernel: 152s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-04-2024 13:53

Static task: static1
Behavioral task: behavioral1
  Sample: eddb245a5dc0d8f70ffb66c033cbaa38ea4639d900739c5580bc37d86f258816.exe
  Resource: win7-20240221-en
General

Target: eddb245a5dc0d8f70ffb66c033cbaa38ea4639d900739c5580bc37d86f258816.exe
Size: 350KB
MD5: 220fd88ed61a81dd7238c8385fc8c5f7
SHA1: b4c6ea98e705912f38816bd4aff085871b1bae80
SHA256: eddb245a5dc0d8f70ffb66c033cbaa38ea4639d900739c5580bc37d86f258816
SHA512: 355aad3cc89c3d6acaf53a7091903d6b0b4092e1f4c7bc6c41255a7aafce00d3807ddad4b5c027a0437938e17278f7a8d591a085b4e014fff8d6165fdeb6838f
SSDEEP: 6144:hSncRldcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37wxM:Q4jcW7KEZlPzCy37
Malware Config

Extracted
  Family: darkcomet
  Botnet / campaign ID: Guest16
  C2: sussynv83dj893.duckdns.org:1604
  Mutex: DC_MUTEX-RU83HNV
  InstallPath: MSDCSC\msdcsc.exe
  gencode: MFz6heXQQ4jP
  install: true
  offline_keylogger: true
  persistence: false
  reg_key: MicroUpdate

Reading the config: persistence=false does not mean the sample does not persist. install=true together with reg_key=MicroUpdate is what produces the Run key and the Winlogon UserInit entry listed under Signatures; the persistence flag is DarkComet's separate "always come back" option (a watchdog that re-creates the dropped file if it is deleted), which this build has switched off. Port 1604 is DarkComet's default listener port, and the C2 host is a DuckDNS dynamic-DNS name that the operator can repoint at any time, so block on the hostname rather than only on whatever IP it resolved to during the run.
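The fields above come out of the builder configuration that a DarkComet 5.x stub carries as a KEY={VALUE} block, RC4-encrypted with a version-specific static key. The script below is an added example, not part of this report and not DarkComet's or the sandbox's own code: it implements RC4, decrypts a hex-encoded blob, parses the block and maps the raw keys onto the labels the report uses. The key list (KNOWN_KEYS), the field names (MUTEX, SID, NETDATA, EDTPATH, KEYNAME, OFFLINEK, PERSINST, ...) and the hex encoding are assumptions taken from public decoder write-ups, and the sample blob is constructed inside the script from the report's own values so it runs offline.

```python
"""Added example: decrypt and parse a DarkComet 5.x style config block.
KNOWN_KEYS, FIELD_MAP and the hex-of-RC4 encoding are ASSUMPTIONS based on
public decoders; SAMPLE_BLOB_HEX is CONSTRUCTED here from the report values."""
import re

# ASSUMED static RC4 keys used by DarkComet builds (5.1 first, since this report looks like a 5.x build).
DC51_KEY = b"#KCMDDC51#-890"
KNOWN_KEYS = [DC51_KEY, b"#KCMDDC5#-890", b"#KCMDDC42F#-890", b"#KCMDDC4#-890", b"#KCMDDC2#-890"]

# ASSUMED raw field names -> labels used in the report above.
FIELD_MAP = {
    "MUTEX": "mutex", "SID": "botnet", "NETDATA": "c2", "GENCODE": "gencode",
    "INSTALL": "install", "EDTPATH": "install_path", "KEYNAME": "reg_key",
    "OFFLINEK": "offline_keylogger", "PERSINST": "persistence",
}
BOOL_FIELDS = {"install", "offline_keylogger", "persistence"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_block(text: str) -> dict:
    """KEY={VALUE} lines between the BEGIN/EOF markers -> {report label: typed value}."""
    if "#BEGIN DARKCOMET DATA" not in text or "#EOF DARKCOMET DATA" not in text:
        raise ValueError("not a DarkComet config block (wrong key or unsupported version)")
    raw = dict(re.findall(r"^(\w+)=\{(.*?)\}\s*$", text, re.M))
    cfg = {}
    for key, label in FIELD_MAP.items():
        if key not in raw:
            continue
        value = raw[key]
        if label in BOOL_FIELDS:
            value = value == "1"
        elif label == "c2":                       # "host:port" -> (host, port)
            host, _, port = value.rpartition(":")
            value = (host, int(port))
        cfg[label] = value
    return cfg


def extract(blob_hex: str, key: bytes = DC51_KEY) -> dict:
    """Hex-encoded RC4 ciphertext (the form assumed for the stub's config resource) -> config dict."""
    plain = rc4(key, bytes.fromhex(blob_hex)).decode("latin-1")
    return parse_block(plain)


def find_key(blob_hex: str, keys=KNOWN_KEYS):
    """Return the first key that yields a well-formed block, or None if none of them does."""
    for key in keys:
        try:
            extract(blob_hex, key)
            return key
        except ValueError:
            continue
    return None


# CONSTRUCTED sample: the values the report extracted, re-encoded the way a 5.1 stub is assumed to store them.
_SAMPLE_PLAIN = (
    "#BEGIN DARKCOMET DATA --\r\n"
    "MUTEX={DC_MUTEX-RU83HNV}\r\nSID={Guest16}\r\nNETDATA={sussynv83dj893.duckdns.org:1604}\r\n"
    "GENCODE={MFz6heXQQ4jP}\r\nINSTALL={1}\r\nEDTPATH={MSDCSC\\msdcsc.exe}\r\nKEYNAME={MicroUpdate}\r\n"
    "OFFLINEK={1}\r\nPERSINST={0}\r\n"
    "#EOF DARKCOMET DATA --\r\n"
)
SAMPLE_BLOB_HEX = rc4(DC51_KEY, _SAMPLE_PLAIN.encode("latin-1")).hex()

if __name__ == "__main__":
    print("key:", find_key(SAMPLE_BLOB_HEX))
    for label, value in extract(SAMPLE_BLOB_HEX).items():
        print(f"{label:18} {value}")
```

On a real sample the blob would be read from the stub's resource section instead of SAMPLE_BLOB_HEX; find_key exists because the static key differs between DarkComet versions, and a wrong key surfaces as missing BEGIN/EOF markers rather than as a decryption error, which is why parse_block checks for them explicitly.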
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  ASDKODGS.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  Appending a second path to the HKLM UserInit value makes winlogon start msdcsc.exe at every interactive logon; writing it needs administrative rights, which the sandbox's Admin user has.

Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 492 attrib.exe; PID 2732 attrib.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  eddb245a5dc0d8f70ffb66c033cbaa38ea4639d900739c5580bc37d86f258816.exe: Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  ASDKODGS.EXE: Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (3 IoCs)
  PID 4632 ASDKODGS.EXE; PID 2176 ZBYTE2.0.EXE; PID 3856 msdcsc.exe

YARA rule upx matched (10 IoCs)
  C:\Users\Admin\AppData\Local\Temp\ASDKODGS.EXE
  behavioral2/memory/4632-11-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/3856-38-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/4632-41-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/3856-45-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/3856-52-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/3856-55-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/3856-58-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/3856-60-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/3856-62-0x0000000000400000-0x00000000004B7000-memory.dmp

Adds Run key to start application (2 TTPs, 1 IoC)
  ASDKODGS.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  The value name MicroUpdate is the reg_key from the extracted config.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3856 msdcsc.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  PID 4632 ASDKODGS.EXE and PID 3856 msdcsc.exe each enabled the same 24 privileges on their token:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3856 msdcsc.exe

Suspicious use of WriteProcessMemory (43 IoCs)
  PID 4776 eddb245a5dc0d8f70ffb66c033cbaa38ea4639d900739c5580bc37d86f258816.exe -> PID 4632 ASDKODGS.EXE (3 events)
  PID 4776 eddb245a5dc0d8f70ffb66c033cbaa38ea4639d900739c5580bc37d86f258816.exe -> PID 2176 ZBYTE2.0.EXE (3 events)
  PID 4632 ASDKODGS.EXE -> PID 2508 cmd.exe (3 events)
  PID 4632 ASDKODGS.EXE -> PID 3196 cmd.exe (3 events)
  PID 4632 ASDKODGS.EXE -> PID 3856 msdcsc.exe (3 events)
  PID 2508 cmd.exe -> PID 492 attrib.exe (3 events)
  PID 3196 cmd.exe -> PID 2732 attrib.exe (3 events)
  PID 3856 msdcsc.exe -> PID 3360 notepad.exe (22 events)
  The three writes per parent/child pair are the normal process-creation pattern; the 22 writes from msdcsc.exe into notepad.exe are not, and are consistent with injection into a decoy process.

Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 492 attrib.exe; PID 2732 attrib.exe
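The persistence and hiding signatures above are the part of this run that generalises to a detection: a UserInit value with anything besides userinit.exe in it, a Run value pointing into the user profile, and attrib +s +h on a freshly dropped file. The script below is an added example, not part of this report and not the sandbox's own rules: it runs those three checks over registry-set and process-creation events and then correlates findings by path, because a Run entry under the user profile is weak on its own (plenty of legitimate software does that) but becomes strong when the same path also appears in UserInit. The event list is constructed from the IoCs in this report plus one assumed benign OneDrive autostart added for contrast.

```python
"""Added example (not from the sandbox report): rule-based triage of registry-set
and process-creation events shaped like the IoCs above. EVENTS is CONSTRUCTED
from the report's values plus one ASSUMED benign autostart entry for contrast."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str       # "regset" (registry value written) or "proc" (process created)
    pid: int
    image: str      # image name of the acting process
    target: str     # registry value path for regset, command line for proc
    data: str = ""  # registry data for regset


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    pid: int
    path: str       # on-disk path the finding is about; used as the correlation key


USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
USERINIT_VALUE = re.compile(r"\\winlogon\\userinit$", re.I)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted paths whole."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def first_exe(value: str) -> str:
    """Executable path at the start of an autostart value; quotes and arguments dropped."""
    m = re.match(r'^\s*"?([^"]*?\.exe)', value, re.I)
    return m.group(1) if m else value.strip().strip('"')


def analyse(events: list[Event]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        if ev.kind == "regset" and USERINIT_VALUE.search(ev.target):
            # UserInit is comma-separated; anything besides system32\userinit.exe runs at every logon.
            for entry in (e.strip() for e in ev.data.split(",") if e.strip()):
                if not entry.lower().endswith(r"\system32\userinit.exe"):
                    findings.append(Finding("winlogon_userinit_tamper", "high", ev.pid, first_exe(entry)))
        elif ev.kind == "regset" and RUN_KEY.search(ev.target):
            # Run entries under the user profile are common for legitimate software: low on their own.
            path = first_exe(ev.data)
            findings.append(Finding("run_key_added", "low" if USER_WRITABLE.match(path) else "info", ev.pid, path))
        elif ev.kind == "proc" and ev.image.lower() == "attrib.exe":
            toks = tokens(ev.target)[1:]
            flags = {t.lower() for t in toks if t.startswith(("+", "-"))}
            paths = [t for t in toks if not t.startswith(("+", "-"))]
            if "+h" in flags and paths:
                findings.append(Finding("attrib_hidden", "medium" if "+s" in flags else "low", ev.pid, paths[0]))
    return findings


def correlate(findings: list[Finding]) -> dict[str, list[str]]:
    """Paths hit by two or more different rules -> {path_lower: sorted rule names}."""
    rules_by_path: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        rules_by_path[f.path.lower()].add(f.rule)
    return {p: sorted(r) for p, r in rules_by_path.items() if len(r) >= 2}


EVENTS = [  # CONSTRUCTED from the report's IoCs; the OneDrive entry is an ASSUMED benign autostart
    Event("regset", 4632, "ASDKODGS.EXE",
          r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
          r"C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"),
    Event("regset", 4632, "ASDKODGS.EXE",
          r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate",
          r"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"),
    Event("regset", 1234, "explorer.exe",
          r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    Event("proc", 492, "attrib.exe", r'attrib "C:\Users\Admin\AppData\Local\Temp\ASDKODGS.EXE" +s +h'),
    Event("proc", 2732, "attrib.exe", r'attrib "C:\Users\Admin\AppData\Local\Temp" +s +h'),
]

if __name__ == "__main__":
    found = analyse(EVENTS)
    for f in found:
        print(f"{f.severity:6} {f.rule:26} pid={f.pid} {f.path}")
    for path, rules in correlate(found).items():
        print("CORRELATED", path, "<-", ", ".join(rules))
```

Run as-is it flags the UserInit tamper as high, both attrib calls as medium, both Run entries as low, and reports msdcsc.exe as the one path hit by two rules; the OneDrive entry stays at low with no correlation, which is the intended outcome. The `+s` check matters because attrib +s +h makes a file invisible even with "show hidden files" enabled in Explorer, until "hide protected operating system files" is also cleared.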
Processes

C:\Users\Admin\AppData\Local\Temp\eddb245a5dc0d8f70ffb66c033cbaa38ea4639d900739c5580bc37d86f258816.exe (PID 4776)
  command line: "C:\Users\Admin\AppData\Local\Temp\eddb245a5dc0d8f70ffb66c033cbaa38ea4639d900739c5580bc37d86f258816.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ASDKODGS.EXE (PID 4632)
    command line: "C:\Users\Admin\AppData\Local\Temp\ASDKODGS.EXE"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2508)
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\ASDKODGS.EXE" +s +h
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe (PID 492)
        command line: attrib "C:\Users\Admin\AppData\Local\Temp\ASDKODGS.EXE" +s +h
        - Sets file to hidden
        - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe (PID 3196)
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe (PID 2732)
        command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Sets file to hidden
        - Views/modifies file attributes

    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 3856)
      command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\notepad.exe (PID 3360)
        command line: notepad

  C:\Users\Admin\AppData\Local\Temp\ZBYTE2.0.EXE (PID 2176)
    command line: "C:\Users\Admin\AppData\Local\Temp\ZBYTE2.0.EXE"
    - Executes dropped EXE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (separate top-level process captured during the run, not a child of the sample)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4032 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

PIDs are taken from the WriteProcessMemory listing above; cmd.exe 2508 is paired with attrib.exe 492 and cmd.exe 3196 with attrib.exe 2732 by the order in which they were spawned. The SysWOW64 paths show the whole chain runs as 32-bit processes on the x64 image. The `cmd.exe /k attrib ... +s +h` step hides both the dropper and the Temp directory it lives in; the copy installed under Documents\MSDCSC is what the Run key and UserInit value point to.
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
Downloads

C:\Users\Admin\AppData\Local\Temp\ASDKODGS.EXE
  Filesize: 251KB
  MD5: 0055ec3943749262735d79fcb4f04119
  SHA1: b2c2dce19536c945785534f9fa4b5062ec43d541
  SHA256: 85bfcf8f009f442c997e9aa5ddb9430fd8e55b98c1c6108e248d9aa901f15c0b
  SHA512: 72b1873565f9fe8c8ae273df2805f2f1a126581f67bdead56c6818637c9026d6ff7f36bc4280de58b18e9670b209006db404ee7122cd5fd830e6464590f3b807

C:\Users\Admin\AppData\Local\Temp\ZBYTE2.0.EXE
  Filesize: 46KB
  MD5: fc90c2fb06b099a072bd23f4722c591d
  SHA1: 69c2f9af2391b3311ce344a922ac650b0f3456b9
  SHA256: e0df4445f3486b15b57da921ddc15b3137a5f2eb035f34130bc51f6be16d747e
  SHA512: c3e87df8217d421abe951492809c7a89a5aaae341242c03428731362cb4907801e21da4bc6271d455ca7280131c59f2cb0137b829556d9c2f2a944be471cd619

Memory dumps (dump, size)
  memory/2176-36-0x0000000073150000-0x0000000073900000-memory.dmp  7.7MB
  memory/2176-40-0x0000000000CC0000-0x0000000000CD4000-memory.dmp  80KB
  memory/2176-42-0x0000000005760000-0x00000000057FC000-memory.dmp  624KB
  memory/2176-43-0x0000000005DB0000-0x0000000006354000-memory.dmp  5.6MB
  memory/2176-44-0x0000000005800000-0x0000000005892000-memory.dmp  584KB
  memory/2176-46-0x0000000005730000-0x0000000005740000-memory.dmp  64KB
  memory/2176-47-0x00000000056D0000-0x00000000056DA000-memory.dmp  40KB
  memory/2176-48-0x0000000005A10000-0x0000000005A66000-memory.dmp  344KB
  memory/2176-49-0x0000000073150000-0x0000000073900000-memory.dmp  7.7MB
  memory/2176-51-0x0000000005730000-0x0000000005740000-memory.dmp  64KB
  memory/2176-53-0x0000000005730000-0x0000000005740000-memory.dmp  64KB
  memory/2176-56-0x0000000005730000-0x0000000005740000-memory.dmp  64KB
  memory/3360-39-0x0000000000EA0000-0x0000000000EA1000-memory.dmp  4KB
  memory/3856-37-0x00000000009E0000-0x00000000009E1000-memory.dmp  4KB
  memory/3856-38-0x0000000000400000-0x00000000004B7000-memory.dmp  732KB
  memory/3856-45-0x0000000000400000-0x00000000004B7000-memory.dmp  732KB
  memory/3856-52-0x0000000000400000-0x00000000004B7000-memory.dmp  732KB
  memory/3856-55-0x0000000000400000-0x00000000004B7000-memory.dmp  732KB
  memory/3856-58-0x0000000000400000-0x00000000004B7000-memory.dmp  732KB
  memory/3856-60-0x0000000000400000-0x00000000004B7000-memory.dmp  732KB
  memory/3856-62-0x0000000000400000-0x00000000004B7000-memory.dmp  732KB
  memory/4632-11-0x0000000000400000-0x00000000004B7000-memory.dmp  732KB
  memory/4632-23-0x0000000002500000-0x0000000002501000-memory.dmp  4KB
  memory/4632-41-0x0000000000400000-0x00000000004B7000-memory.dmp  732KB

The repeated 0x00400000-0x004B7000 dumps of PIDs 4632 and 3856 are the same 732KB image region: the 251KB UPX-packed ASDKODGS.EXE (and its copy msdcsc.exe) after unpacking in memory, which is why every one of them hits the upx YARA rule. Any one of them is the starting point for static analysis of the unpacked payload; the on-disk 251KB file is not.