Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25-10-2024 01:23
Behavioral task
behavioral1
Sample
rwrqrqrq.exe
Resource
win7-20240903-en
windows7-x64
21 signatures
150 seconds
General
-
Target
rwrqrqrq.exe
-
Size
658KB
-
MD5
68cb9c61d6eb5f11e8107b166fef83e2
-
SHA1
106f56b444c63b0487eef32f53accb892a6beb0b
-
SHA256
31c4d97466554dd0511b6226a4877f176a49d2f41a90656b399de3a3a1081245
-
SHA512
b057bb8ba484657b1311351703bb15e4e6148f4e3f2827198f062706b65b5f998d34be658b21c3877c9bc87cf1745b8c5eb500f7f6c01996286f420686d393c9
-
SSDEEP
12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hv:KZ1xuVVjfFoynPaVBUR8f+kN10EB9
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
8.tcp.us-cal-1.ngrok.io:18582
Mutex
DC_MUTEX-84CFJ9A
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
WlVKwcLuNaTo
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
rwrqrqrq.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" rwrqrqrq.exe -
Modifies firewall policy service 3 TTPs 3 IoCs
Processes:
msdcsc.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe -
Modifies security service 2 TTPs 1 IoCs
Processes:
msdcsc.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe -
Processes:
msdcsc.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
msdcsc.exedescription ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.exe -
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exeattrib.exepid Process 3168 attrib.exe 4164 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
rwrqrqrq.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation rwrqrqrq.exe -
Executes dropped EXE 1 IoCs
Processes:
msdcsc.exepid Process 4436 msdcsc.exe -
Processes:
msdcsc.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
msdcsc.exerwrqrqrq.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" rwrqrqrq.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rwrqrqrq.execmd.execmd.exeattrib.exeattrib.exemsdcsc.exenotepad.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rwrqrqrq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdcsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe -
Modifies registry class 1 IoCs
Processes:
rwrqrqrq.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ rwrqrqrq.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
msdcsc.exepid Process 4436 msdcsc.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
rwrqrqrq.exemsdcsc.exedescription pid Process Token: SeIncreaseQuotaPrivilege 4188 rwrqrqrq.exe Token: SeSecurityPrivilege 4188 rwrqrqrq.exe Token: SeTakeOwnershipPrivilege 4188 rwrqrqrq.exe Token: SeLoadDriverPrivilege 4188 rwrqrqrq.exe Token: SeSystemProfilePrivilege 4188 rwrqrqrq.exe Token: SeSystemtimePrivilege 4188 rwrqrqrq.exe Token: SeProfSingleProcessPrivilege 4188 rwrqrqrq.exe Token: SeIncBasePriorityPrivilege 4188 rwrqrqrq.exe Token: SeCreatePagefilePrivilege 4188 rwrqrqrq.exe Token: SeBackupPrivilege 4188 rwrqrqrq.exe Token: SeRestorePrivilege 4188 rwrqrqrq.exe Token: SeShutdownPrivilege 4188 rwrqrqrq.exe Token: SeDebugPrivilege 4188 rwrqrqrq.exe Token: SeSystemEnvironmentPrivilege 4188 rwrqrqrq.exe Token: SeChangeNotifyPrivilege 4188 rwrqrqrq.exe Token: SeRemoteShutdownPrivilege 4188 rwrqrqrq.exe Token: SeUndockPrivilege 4188 rwrqrqrq.exe Token: SeManageVolumePrivilege 4188 rwrqrqrq.exe Token: SeImpersonatePrivilege 4188 rwrqrqrq.exe Token: SeCreateGlobalPrivilege 4188 rwrqrqrq.exe Token: 33 4188 rwrqrqrq.exe Token: 34 4188 rwrqrqrq.exe Token: 35 4188 rwrqrqrq.exe Token: 36 4188 rwrqrqrq.exe Token: SeIncreaseQuotaPrivilege 4436 msdcsc.exe Token: SeSecurityPrivilege 4436 msdcsc.exe Token: SeTakeOwnershipPrivilege 4436 msdcsc.exe Token: SeLoadDriverPrivilege 4436 msdcsc.exe Token: SeSystemProfilePrivilege 4436 msdcsc.exe Token: SeSystemtimePrivilege 4436 msdcsc.exe Token: SeProfSingleProcessPrivilege 4436 msdcsc.exe Token: SeIncBasePriorityPrivilege 4436 msdcsc.exe Token: SeCreatePagefilePrivilege 4436 msdcsc.exe Token: SeBackupPrivilege 4436 msdcsc.exe Token: SeRestorePrivilege 4436 msdcsc.exe Token: SeShutdownPrivilege 4436 msdcsc.exe Token: SeDebugPrivilege 4436 msdcsc.exe Token: SeSystemEnvironmentPrivilege 4436 msdcsc.exe Token: SeChangeNotifyPrivilege 4436 msdcsc.exe Token: SeRemoteShutdownPrivilege 4436 msdcsc.exe Token: SeUndockPrivilege 4436 msdcsc.exe Token: SeManageVolumePrivilege 4436 msdcsc.exe Token: SeImpersonatePrivilege 4436 msdcsc.exe Token: SeCreateGlobalPrivilege 4436 msdcsc.exe Token: 33 4436 msdcsc.exe Token: 34 4436 msdcsc.exe Token: 35 4436 msdcsc.exe Token: 36 4436 msdcsc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
msdcsc.exepid Process 4436 msdcsc.exe -
Suspicious use of WriteProcessMemory 37 IoCs
Processes:
rwrqrqrq.execmd.execmd.exemsdcsc.exedescription pid Process procid_target PID 4188 wrote to memory of 2832 4188 rwrqrqrq.exe 87 PID 4188 wrote to memory of 2832 4188 rwrqrqrq.exe 87 PID 4188 wrote to memory of 2832 4188 rwrqrqrq.exe 87 PID 4188 wrote to memory of 1564 4188 rwrqrqrq.exe 89 PID 4188 wrote to memory of 1564 4188 rwrqrqrq.exe 89 PID 4188 wrote to memory of 1564 4188 rwrqrqrq.exe 89 PID 2832 wrote to memory of 3168 2832 cmd.exe 91 PID 2832 wrote to memory of 3168 2832 cmd.exe 91 PID 2832 wrote to memory of 3168 2832 cmd.exe 91 PID 1564 wrote to memory of 4164 1564 cmd.exe 92 PID 1564 wrote to memory of 4164 1564 cmd.exe 92 PID 1564 wrote to memory of 4164 1564 cmd.exe 92 PID 4188 wrote to memory of 4436 4188 rwrqrqrq.exe 94 PID 4188 wrote to memory of 4436 4188 rwrqrqrq.exe 94 PID 4188 wrote to memory of 4436 4188 rwrqrqrq.exe 94 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 PID 4436 wrote to memory of 4944 4436 msdcsc.exe 96 -
System policy modification 1 TTPs 3 IoCs
Processes:
msdcsc.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" msdcsc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion msdcsc.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid Process 3168 attrib.exe 4164 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\rwrqrqrq.exe"C:\Users\Admin\AppData\Local\Temp\rwrqrqrq.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\rwrqrqrq.exe" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\rwrqrqrq.exe" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3168
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4164
-
-
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4436 -
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- System Location Discovery: System Language Discovery
PID:4944
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
658KB
MD568cb9c61d6eb5f11e8107b166fef83e2
SHA1106f56b444c63b0487eef32f53accb892a6beb0b
SHA25631c4d97466554dd0511b6226a4877f176a49d2f41a90656b399de3a3a1081245
SHA512b057bb8ba484657b1311351703bb15e4e6148f4e3f2827198f062706b65b5f998d34be658b21c3877c9bc87cf1745b8c5eb500f7f6c01996286f420686d393c9