Analysis
max time kernel: 149s
max time network: 154s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20-05-2024 09:55
Behavioral tasks
- behavioral1: sample dark.exe, resource win7-20240221-en
- behavioral2: sample dark.exe, resource win10v2004-20240426-en
- behavioral3: sample server.exe, resource win7-20240508-en
- behavioral4: sample server.exe, resource win10v2004-20240426-en
- behavioral5: sample sss.exe, resource win7-20231129-en
- behavioral6: sample sss.exe, resource win10v2004-20240508-en
General
Target: dark.exe
Size: 658KB
MD5: 230751a9ef1cdccc11aa40a70a259f22
SHA1: 84f530c5b6313e9bad82c7d1d0826a3948658149
SHA256: bc1ad6c5ba21d4007f5b06b13bd9f1647188fc4605dea8e13a039ce5ec5f7eb2
SHA512: 31ce9157cdfb89e7f28303c9bcb4c5a10fa1c0a150119d7abfe016858031dc4e9987175139f5768846eeb03cdb93afb8fd46f816f2a286c35eb2d6ac1cba6269
SSDEEP: 12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hU:eZ1xuVVjfFoynPaVBUR8f+kN10EBm
Malware Config
Extracted: darkcomet
- tek
- gecce.no-ip.biz:3461
- DC_MUTEX-M0JG7NY
InstallPath: MSDCSC\msdcsc.exe
gencode: Q7wXAkJLgEkp
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process dark.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Deletes itself (1 IoC)
  Process: notepad.exe (PID 3024)
- Executes dropped EXE (1 IoC)
  Process: msdcsc.exe (PID 2576)
- Loads dropped DLL (2 IoCs)
  Process: dark.exe (PID 1548), two entries
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process dark.exe: Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: msdcsc.exe (PID 2576)
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: dark.exe (PID 1548) and msdcsc.exe (PID 2576); each adjusts the same 23 tokens:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: msdcsc.exe (PID 2576)
- Suspicious use of WriteProcessMemory (45 IoCs)
  PID 1548 (dark.exe) wrote to memory of PID 3024 (notepad.exe): 18 entries
  PID 1548 (dark.exe) wrote to memory of PID 2576 (msdcsc.exe): 4 entries
  PID 2576 (msdcsc.exe) wrote to memory of PID 2720 (notepad.exe): 23 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\dark.exe (PID 1548), command line: "C:\Users\Admin\AppData\Local\Temp\dark.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\notepad.exe (PID 3024), command line: notepad
    - Deletes itself
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2576), command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe (PID 2720), command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (same size and hashes as the submitted dark.exe)
  Filesize: 658KB
  MD5: 230751a9ef1cdccc11aa40a70a259f22
  SHA1: 84f530c5b6313e9bad82c7d1d0826a3948658149
  SHA256: bc1ad6c5ba21d4007f5b06b13bd9f1647188fc4605dea8e13a039ce5ec5f7eb2
  SHA512: 31ce9157cdfb89e7f28303c9bcb4c5a10fa1c0a150119d7abfe016858031dc4e9987175139f5768846eeb03cdb93afb8fd46f816f2a286c35eb2d6ac1cba6269
- memory/1548-0-0x0000000000250000-0x0000000000251000-memory.dmp, Filesize: 4KB
- memory/1548-55-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
- memory/2576-65-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
- memory/2576-62-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
- memory/2576-70-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
- memory/2576-28-0x0000000000280000-0x0000000000281000-memory.dmp, Filesize: 4KB
- memory/2576-57-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
- memory/2576-58-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
- memory/2576-59-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
- memory/2576-60-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
- memory/2576-61-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
- memory/2576-69-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
- memory/2576-63-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
- memory/2576-64-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
- memory/2576-68-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
- memory/2576-66-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
- memory/2576-67-0x0000000000400000-0x00000000004B2000-memory.dmp, Filesize: 712KB
- memory/2720-54-0x00000000001D0000-0x00000000001D1000-memory.dmp, Filesize: 4KB
- memory/3024-19-0x0000000000160000-0x0000000000161000-memory.dmp, Filesize: 4KB
- memory/3024-3-0x00000000000B0000-0x00000000000B1000-memory.dmp, Filesize: 4KB