Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
14-04-2024 02:45
Static task
static1
Behavioral task
behavioral1
Sample
e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe
Resource
win7-20240221-en
General
-
Target
e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe
-
Size
1.1MB
-
MD5
e88bab5d7caf5f30f87e56fce21b8eb4
-
SHA1
32bf71fcec9a64e9d8adf36201b15803a9d5812d
-
SHA256
e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca
-
SHA512
7cff1f10c83247257d30508ac9d8aa6a12bd1f536bcc3aee95b61144584d839e350d38f3fc1cf11b4b1da6530e5191291af1bfdbf8c906e124b7abcf14e5f3e1
-
SSDEEP
24576:mJwXnr79xF09allHpm/rhUZqACJy5aGU:mu3rl7PmThVAOycGU
Malware Config
Extracted
darkcomet
crypter
184.144.223.8:51800
overcrash.no-ip.biz:51800
DC_MUTEX-E5P79CY
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
7LSrP3sXvcog
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" vbc.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exeattrib.exepid process 4828 attrib.exe 2168 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
vbc.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation vbc.exe -
Executes dropped EXE 2 IoCs
Processes:
vbc.exemsdcsc.exepid process 4856 vbc.exe 1776 msdcsc.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" vbc.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exedescription pid process target process PID 3968 set thread context of 4856 3968 e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
vbc.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vbc.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
vbc.exedescription pid process Token: SeIncreaseQuotaPrivilege 4856 vbc.exe Token: SeSecurityPrivilege 4856 vbc.exe Token: SeTakeOwnershipPrivilege 4856 vbc.exe Token: SeLoadDriverPrivilege 4856 vbc.exe Token: SeSystemProfilePrivilege 4856 vbc.exe Token: SeSystemtimePrivilege 4856 vbc.exe Token: SeProfSingleProcessPrivilege 4856 vbc.exe Token: SeIncBasePriorityPrivilege 4856 vbc.exe Token: SeCreatePagefilePrivilege 4856 vbc.exe Token: SeBackupPrivilege 4856 vbc.exe Token: SeRestorePrivilege 4856 vbc.exe Token: SeShutdownPrivilege 4856 vbc.exe Token: SeDebugPrivilege 4856 vbc.exe Token: SeSystemEnvironmentPrivilege 4856 vbc.exe Token: SeChangeNotifyPrivilege 4856 vbc.exe Token: SeRemoteShutdownPrivilege 4856 vbc.exe Token: SeUndockPrivilege 4856 vbc.exe Token: SeManageVolumePrivilege 4856 vbc.exe Token: SeImpersonatePrivilege 4856 vbc.exe Token: SeCreateGlobalPrivilege 4856 vbc.exe Token: 33 4856 vbc.exe Token: 34 4856 vbc.exe Token: 35 4856 vbc.exe Token: 36 4856 vbc.exe -
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exevbc.execmd.execmd.exedescription pid process target process PID 3968 wrote to memory of 4856 3968 e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe vbc.exe PID 3968 wrote to memory of 4856 3968 e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe vbc.exe PID 3968 wrote to memory of 4856 3968 e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe vbc.exe PID 3968 wrote to memory of 4856 3968 e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe vbc.exe PID 3968 wrote to memory of 4856 3968 e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe vbc.exe PID 3968 wrote to memory of 4856 3968 e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe vbc.exe PID 3968 wrote to memory of 4856 3968 e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe vbc.exe PID 3968 wrote to memory of 4856 3968 e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe vbc.exe PID 3968 wrote to memory of 4856 3968 e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe vbc.exe PID 3968 wrote to memory of 4856 3968 e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe vbc.exe PID 3968 wrote to memory of 4856 3968 e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe vbc.exe PID 3968 wrote to memory of 4856 3968 e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe vbc.exe PID 3968 wrote to memory of 4856 3968 e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe vbc.exe PID 3968 wrote to memory of 4856 3968 e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe vbc.exe PID 3968 wrote to memory of 4856 3968 e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe vbc.exe PID 3968 wrote to memory of 4856 3968 e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe vbc.exe PID 4856 wrote to memory of 3232 4856 vbc.exe cmd.exe PID 4856 wrote to memory of 3232 4856 vbc.exe cmd.exe PID 4856 wrote to memory of 3232 4856 vbc.exe cmd.exe PID 4856 wrote to memory of 2912 4856 vbc.exe cmd.exe PID 4856 wrote to memory of 2912 4856 vbc.exe cmd.exe PID 4856 wrote to memory of 2912 4856 vbc.exe cmd.exe PID 4856 wrote to memory of 220 4856 vbc.exe notepad.exe PID 4856 wrote to memory of 220 4856 vbc.exe notepad.exe PID 4856 wrote to memory of 220 4856 vbc.exe notepad.exe PID 4856 wrote to memory of 220 4856 vbc.exe notepad.exe PID 4856 wrote to memory of 220 4856 vbc.exe notepad.exe PID 4856 wrote to memory of 220 4856 vbc.exe notepad.exe PID 4856 wrote to memory of 220 4856 vbc.exe notepad.exe PID 4856 wrote to memory of 220 4856 vbc.exe notepad.exe PID 4856 wrote to memory of 220 4856 vbc.exe notepad.exe PID 4856 wrote to memory of 220 4856 vbc.exe notepad.exe PID 4856 wrote to memory of 220 4856 vbc.exe notepad.exe PID 4856 wrote to memory of 220 4856 vbc.exe notepad.exe PID 4856 wrote to memory of 220 4856 vbc.exe notepad.exe PID 4856 wrote to memory of 220 4856 vbc.exe notepad.exe PID 4856 wrote to memory of 220 4856 vbc.exe notepad.exe PID 4856 wrote to memory of 220 4856 vbc.exe notepad.exe PID 4856 wrote to memory of 220 4856 vbc.exe notepad.exe PID 2912 wrote to memory of 4828 2912 cmd.exe attrib.exe PID 2912 wrote to memory of 4828 2912 cmd.exe attrib.exe PID 2912 wrote to memory of 4828 2912 cmd.exe attrib.exe PID 3232 wrote to memory of 2168 3232 cmd.exe attrib.exe PID 3232 wrote to memory of 2168 3232 cmd.exe attrib.exe PID 3232 wrote to memory of 2168 3232 cmd.exe attrib.exe PID 4856 wrote to memory of 1776 4856 vbc.exe msdcsc.exe PID 4856 wrote to memory of 1776 4856 vbc.exe msdcsc.exe PID 4856 wrote to memory of 1776 4856 vbc.exe msdcsc.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 2168 attrib.exe 4828 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe"C:\Users\Admin\AppData\Local\Temp\e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Users\Admin\AppData\Local\Temp\vbc.exeC:\Users\Admin\AppData\Local\Temp\vbc.exe2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\vbc.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\vbc.exe" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2168 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4828 -
C:\Windows\SysWOW64\notepad.exenotepad3⤵PID:220
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"3⤵
- Executes dropped EXE
PID:1776
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:81⤵PID:1156
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5d881de17aa8f2e2c08cbb7b265f928f9
SHA108936aebc87decf0af6e8eada191062b5e65ac2a
SHA256b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA5125f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34