Overview
overview
10Static
static
10bazaar.202...nt.exe
windows7-x64
10bazaar.202...nt.exe
windows10-2004-x64
10bazaar.202...nt.exe
windows7-x64
10bazaar.202...nt.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...et.exe
windows7-x64
10bazaar.202...et.exe
windows10-2004-x64
10bazaar.202...lf.exe
windows7-x64
10bazaar.202...lf.exe
windows10-2004-x64
10bazaar.202...lf.exe
windows7-x64
10bazaar.202...lf.exe
windows10-2004-x64
10bazaar.202...it.exe
windows7-x64
9bazaar.202...it.exe
windows10-2004-x64
10bazaar.202...nt.exe
windows7-x64
10bazaar.202...nt.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
1bazaar.202...an.exe
windows10-2004-x64
1bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10Analysis
-
max time kernel
140s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25-09-2024 16:40
Static task
static1
Behavioral task
behavioral1
Sample
bazaar.2020.02/Backdoor.MSIL.Agent.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
bazaar.2020.02/Backdoor.MSIL.Agent.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
bazaar.2020.02/Backdoor.MSIL.Agent.exe
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
bazaar.2020.02/Backdoor.MSIL.Agent.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
bazaar.2020.02/Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
bazaar.2020.02/Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
bazaar.2020.02/Backdoor.Win32.DarkKomet.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
bazaar.2020.02/Backdoor.Win32.DarkKomet.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
bazaar.2020.02/Backdoor.Win32.Delf.exe
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
bazaar.2020.02/Backdoor.Win32.Delf.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
bazaar.2020.02/Backdoor.Win32.Delf.exe
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
bazaar.2020.02/Backdoor.Win32.Delf.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
bazaar.2020.02/Backdoor.Win32.Parazit.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
bazaar.2020.02/Backdoor.Win32.Parazit.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Agent.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Agent.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240910-en
Behavioral task
behavioral21
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240729-en
Behavioral task
behavioral26
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral31
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
General
-
Target
bazaar.2020.02/Backdoor.Win32.DarkKomet.exe
-
Size
251KB
-
MD5
b7b88850bc66c349bc02f81a3b443f39
-
SHA1
4c4fe6f2dc874ca6c3b1d117e8da00e7114860e0
-
SHA256
4c1b6befb06152412567869f27c006cba39f4ac3b1c5dbcf8694a65367444df5
-
SHA512
47c7cd05d6716eaefc1a4305f227e9f95423ede5bb991135d6839c0d1f4b65d7c204bc9c07696ec5d4f71214adc4d6b0976d2fe03d2434e68fd8637a40dad282
-
SSDEEP
6144:QcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:QcW7KEZlPzCy37
Malware Config
Extracted
darkcomet
hacked
sexystar.myq-see.com:5552
DC_MUTEX-6BSXQXU
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
1JlJEAuNqqm6
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" Backdoor.Win32.DarkKomet.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation Backdoor.Win32.DarkKomet.exe -
Executes dropped EXE 1 IoCs
pid Process 2616 msdcsc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" Backdoor.Win32.DarkKomet.exe -
resource yara_rule behavioral8/memory/4876-0-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral8/files/0x0008000000023474-6.dat upx behavioral8/memory/4876-15-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral8/memory/2616-16-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral8/memory/2616-19-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral8/memory/2616-21-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral8/memory/2616-23-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral8/memory/2616-25-0x0000000000400000-0x00000000004B7000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Backdoor.Win32.DarkKomet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdcsc.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: SeSecurityPrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: SeTakeOwnershipPrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: SeLoadDriverPrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: SeSystemProfilePrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: SeSystemtimePrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: SeProfSingleProcessPrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: SeIncBasePriorityPrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: SeCreatePagefilePrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: SeBackupPrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: SeRestorePrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: SeShutdownPrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: SeDebugPrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: SeSystemEnvironmentPrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: SeChangeNotifyPrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: SeRemoteShutdownPrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: SeUndockPrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: SeManageVolumePrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: SeImpersonatePrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: SeCreateGlobalPrivilege 4876 Backdoor.Win32.DarkKomet.exe Token: 33 4876 Backdoor.Win32.DarkKomet.exe Token: 34 4876 Backdoor.Win32.DarkKomet.exe Token: 35 4876 Backdoor.Win32.DarkKomet.exe Token: 36 4876 Backdoor.Win32.DarkKomet.exe Token: SeIncreaseQuotaPrivilege 2616 msdcsc.exe Token: SeSecurityPrivilege 2616 msdcsc.exe Token: SeTakeOwnershipPrivilege 2616 msdcsc.exe Token: SeLoadDriverPrivilege 2616 msdcsc.exe Token: SeSystemProfilePrivilege 2616 msdcsc.exe Token: SeSystemtimePrivilege 2616 msdcsc.exe Token: SeProfSingleProcessPrivilege 2616 msdcsc.exe Token: SeIncBasePriorityPrivilege 2616 msdcsc.exe Token: SeCreatePagefilePrivilege 2616 msdcsc.exe Token: SeBackupPrivilege 2616 msdcsc.exe Token: SeRestorePrivilege 2616 msdcsc.exe Token: SeShutdownPrivilege 2616 msdcsc.exe Token: SeDebugPrivilege 2616 msdcsc.exe Token: SeSystemEnvironmentPrivilege 2616 msdcsc.exe Token: SeChangeNotifyPrivilege 2616 msdcsc.exe Token: SeRemoteShutdownPrivilege 2616 msdcsc.exe Token: SeUndockPrivilege 2616 msdcsc.exe Token: SeManageVolumePrivilege 2616 msdcsc.exe Token: SeImpersonatePrivilege 2616 msdcsc.exe Token: SeCreateGlobalPrivilege 2616 msdcsc.exe Token: 33 2616 msdcsc.exe Token: 34 2616 msdcsc.exe Token: 35 2616 msdcsc.exe Token: 36 2616 msdcsc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2616 msdcsc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4876 wrote to memory of 2616 4876 Backdoor.Win32.DarkKomet.exe 81 PID 4876 wrote to memory of 2616 4876 Backdoor.Win32.DarkKomet.exe 81 PID 4876 wrote to memory of 2616 4876 Backdoor.Win32.DarkKomet.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\Backdoor.Win32.DarkKomet.exe"C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\Backdoor.Win32.DarkKomet.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2616
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
251KB
MD5b7b88850bc66c349bc02f81a3b443f39
SHA14c4fe6f2dc874ca6c3b1d117e8da00e7114860e0
SHA2564c1b6befb06152412567869f27c006cba39f4ac3b1c5dbcf8694a65367444df5
SHA51247c7cd05d6716eaefc1a4305f227e9f95423ede5bb991135d6839c0d1f4b65d7c204bc9c07696ec5d4f71214adc4d6b0976d2fe03d2434e68fd8637a40dad282