Analysis
-
max time kernel
111s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
03-05-2024 14:02
General
-
Target
fnfree.exe
-
Size
2.5MB
-
MD5
6ba1a478a0e5f61d6394aba252c1a13b
-
SHA1
caa8705c38084facd231914cc9adf72ad26f74aa
-
SHA256
c3a6fa449ef70565a6b5eba1deb4bf069098d9e6dd4706937a9df4418bc08b07
-
SHA512
e9c7d2fef0b52ee949fa378143d48c9f52c1f94426109b21a2452ca8d579343788e6592ab3eaf046d5604bc3132637c12457088a65a0e0cbf644be08bbff2091
-
SSDEEP
49152:mQDgok30M5ROmcDQEOrQ+FTKKioIRh9UXEKJWl4yNP6grg:mQU/JbglOkwTKHPjUEKJWh13rg
Malware Config
Extracted
darkcomet
Cap
91.93.172.78:1604
DC_MUTEX-CG4P2XS
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
to2DGe4wqYwK
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
Runtime Broker
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
fnfree.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" fnfree.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exeattrib.exepid Process 1956 attrib.exe 4108 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
fnfree.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation fnfree.exe -
Executes dropped EXE 1 IoCs
Processes:
msdcsc.exepid Process 8 msdcsc.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
fnfree.exemsdcsc.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" fnfree.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe -
Drops file in System32 directory 3 IoCs
Processes:
fnfree.exedescription ioc Process File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe fnfree.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe fnfree.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ fnfree.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Modifies registry class 7 IoCs
Processes:
taskmgr.exefnfree.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU taskmgr.exe Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots taskmgr.exe Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff taskmgr.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings fnfree.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ fnfree.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings taskmgr.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell taskmgr.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
vlc.exepid Process 3564 vlc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
vlc.exepid Process 3564 vlc.exe -
Suspicious use of AdjustPrivilegeToken 52 IoCs
Processes:
fnfree.exemsdcsc.exeAUDIODG.EXEvlc.exedescription pid Process Token: SeIncreaseQuotaPrivilege 4356 fnfree.exe Token: SeSecurityPrivilege 4356 fnfree.exe Token: SeTakeOwnershipPrivilege 4356 fnfree.exe Token: SeLoadDriverPrivilege 4356 fnfree.exe Token: SeSystemProfilePrivilege 4356 fnfree.exe Token: SeSystemtimePrivilege 4356 fnfree.exe Token: SeProfSingleProcessPrivilege 4356 fnfree.exe Token: SeIncBasePriorityPrivilege 4356 fnfree.exe Token: SeCreatePagefilePrivilege 4356 fnfree.exe Token: SeBackupPrivilege 4356 fnfree.exe Token: SeRestorePrivilege 4356 fnfree.exe Token: SeShutdownPrivilege 4356 fnfree.exe Token: SeDebugPrivilege 4356 fnfree.exe Token: SeSystemEnvironmentPrivilege 4356 fnfree.exe Token: SeChangeNotifyPrivilege 4356 fnfree.exe Token: SeRemoteShutdownPrivilege 4356 fnfree.exe Token: SeUndockPrivilege 4356 fnfree.exe Token: SeManageVolumePrivilege 4356 fnfree.exe Token: SeImpersonatePrivilege 4356 fnfree.exe Token: SeCreateGlobalPrivilege 4356 fnfree.exe Token: 33 4356 fnfree.exe Token: 34 4356 fnfree.exe Token: 35 4356 fnfree.exe Token: 36 4356 fnfree.exe Token: SeIncreaseQuotaPrivilege 8 msdcsc.exe Token: SeSecurityPrivilege 8 msdcsc.exe Token: SeTakeOwnershipPrivilege 8 msdcsc.exe Token: SeLoadDriverPrivilege 8 msdcsc.exe Token: SeSystemProfilePrivilege 8 msdcsc.exe Token: SeSystemtimePrivilege 8 msdcsc.exe Token: SeProfSingleProcessPrivilege 8 msdcsc.exe Token: SeIncBasePriorityPrivilege 8 msdcsc.exe Token: SeCreatePagefilePrivilege 8 msdcsc.exe Token: SeBackupPrivilege 8 msdcsc.exe Token: SeRestorePrivilege 8 msdcsc.exe Token: SeShutdownPrivilege 8 msdcsc.exe Token: SeDebugPrivilege 8 msdcsc.exe Token: SeSystemEnvironmentPrivilege 8 msdcsc.exe Token: SeChangeNotifyPrivilege 8 msdcsc.exe Token: SeRemoteShutdownPrivilege 8 msdcsc.exe Token: SeUndockPrivilege 8 msdcsc.exe Token: SeManageVolumePrivilege 8 msdcsc.exe Token: SeImpersonatePrivilege 8 msdcsc.exe Token: SeCreateGlobalPrivilege 8 msdcsc.exe Token: 33 8 msdcsc.exe Token: 34 8 msdcsc.exe Token: 35 8 msdcsc.exe Token: 36 8 msdcsc.exe Token: 33 2264 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2264 AUDIODG.EXE Token: 33 3564 vlc.exe Token: SeIncBasePriorityPrivilege 3564 vlc.exe -
Suspicious use of FindShellTrayWindow 10 IoCs
Processes:
vlc.exepid Process 3564 vlc.exe 3564 vlc.exe 3564 vlc.exe 3564 vlc.exe 3564 vlc.exe 3564 vlc.exe 3564 vlc.exe 3564 vlc.exe 3564 vlc.exe 3564 vlc.exe -
Suspicious use of SendNotifyMessage 9 IoCs
Processes:
vlc.exepid Process 3564 vlc.exe 3564 vlc.exe 3564 vlc.exe 3564 vlc.exe 3564 vlc.exe 3564 vlc.exe 3564 vlc.exe 3564 vlc.exe 3564 vlc.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
vlc.exemsdcsc.exepid Process 3564 vlc.exe 8 msdcsc.exe -
Suspicious use of WriteProcessMemory 39 IoCs
Processes:
fnfree.execmd.execmd.exemsdcsc.exedescription pid Process procid_target PID 4356 wrote to memory of 3008 4356 fnfree.exe 100 PID 4356 wrote to memory of 3008 4356 fnfree.exe 100 PID 4356 wrote to memory of 3008 4356 fnfree.exe 100 PID 4356 wrote to memory of 4640 4356 fnfree.exe 102 PID 4356 wrote to memory of 4640 4356 fnfree.exe 102 PID 4356 wrote to memory of 4640 4356 fnfree.exe 102 PID 3008 wrote to memory of 1956 3008 cmd.exe 104 PID 3008 wrote to memory of 1956 3008 cmd.exe 104 PID 3008 wrote to memory of 1956 3008 cmd.exe 104 PID 4640 wrote to memory of 4108 4640 cmd.exe 106 PID 4640 wrote to memory of 4108 4640 cmd.exe 106 PID 4640 wrote to memory of 4108 4640 cmd.exe 106 PID 4356 wrote to memory of 3564 4356 fnfree.exe 105 PID 4356 wrote to memory of 3564 4356 fnfree.exe 105 PID 4356 wrote to memory of 8 4356 fnfree.exe 107 PID 4356 wrote to memory of 8 4356 fnfree.exe 107 PID 4356 wrote to memory of 8 4356 fnfree.exe 107 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 PID 8 wrote to memory of 1352 8 msdcsc.exe 109 -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid Process 1956 attrib.exe 4108 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fnfree.exe"C:\Users\Admin\AppData\Local\Temp\fnfree.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\fnfree.exe" +s +h2⤵
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\fnfree.exe" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1956
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4108
-
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\UNRARELYLOL.WAV"2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3564
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\SysWOW64\notepad.exenotepad3⤵PID:1352
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2ec 0x2f41⤵
- Suspicious use of AdjustPrivilegeToken
PID:2264
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Modifies registry class
PID:3948
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3196
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD5cf9a94b3dd9d22d501789789b1076a46
SHA160c76b8b3731e9094106cb9fbf2e1f3a644c050b
SHA256247a70fa86cbad1bc05681e64d0de186f41220fcf64ebc9af90720ba6a79b08c
SHA51240cf25b62c183940816ab10b8b47660371011b833c5a9b66ff5461eb26920c19e2d6e383056449e9d7b673c7725b34900ad6348ac9d985be0913d489bd8b0dcf
-
Filesize
2.5MB
MD56ba1a478a0e5f61d6394aba252c1a13b
SHA1caa8705c38084facd231914cc9adf72ad26f74aa
SHA256c3a6fa449ef70565a6b5eba1deb4bf069098d9e6dd4706937a9df4418bc08b07
SHA512e9c7d2fef0b52ee949fa378143d48c9f52c1f94426109b21a2452ca8d579343788e6592ab3eaf046d5604bc3132637c12457088a65a0e0cbf644be08bbff2091