Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
10-12-2024 16:55
Behavioral task
behavioral1
Sample
niggt.exe
Resource
win10ltsc2021-20241023-en
windows10-ltsc 2021-x64
26 signatures
150 seconds
General
-
Target
niggt.exe
-
Size
690KB
-
MD5
4c9704749ddbb514b5c60184f13fe7e7
-
SHA1
20e83ba94bda82acd3bd89a012b22143cc1ddb94
-
SHA256
109ebb16b070770f48359880d6f643c23612a1bb56054790c164b0cde4312880
-
SHA512
2d964ebb467e0ac41904dd8650ecfc4386da1e7ec52727a665239586809b52faec72c7e7ecf7e93b7b4dcb36c69dc239d79772bab4e9d6b57800b09691f9fabc
-
SSDEEP
12288:F9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h2x:PZ1xuVVjfFoynPaVBUR8f+kN10EBk
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
rose324-37147.portmap.host:37147
Mutex
DC_MUTEX-2DNRPLM
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
tLDL0GjSYFsS
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
realtekaudio
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" niggt.exe -
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" iexplore.exe -
Modifies security service 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" iexplore.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" iexplore.exe -
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.exe Set value (int) \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" iexplore.exe -
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 4420 attrib.exe 4980 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation niggt.exe -
Deletes itself 1 IoCs
pid Process 4708 notepad.exe -
Executes dropped EXE 1 IoCs
pid Process 3448 msdcsc.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\realtekaudio = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\realtekaudio = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\realtekaudio = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" niggt.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\Desktop\Wallpaper iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" iexplore.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3448 set thread context of 1520 3448 msdcsc.exe 88 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdcsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language niggt.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ niggt.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 252 NOTEPAD.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1520 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2400 niggt.exe Token: SeSecurityPrivilege 2400 niggt.exe Token: SeTakeOwnershipPrivilege 2400 niggt.exe Token: SeLoadDriverPrivilege 2400 niggt.exe Token: SeSystemProfilePrivilege 2400 niggt.exe Token: SeSystemtimePrivilege 2400 niggt.exe Token: SeProfSingleProcessPrivilege 2400 niggt.exe Token: SeIncBasePriorityPrivilege 2400 niggt.exe Token: SeCreatePagefilePrivilege 2400 niggt.exe Token: SeBackupPrivilege 2400 niggt.exe Token: SeRestorePrivilege 2400 niggt.exe Token: SeShutdownPrivilege 2400 niggt.exe Token: SeDebugPrivilege 2400 niggt.exe Token: SeSystemEnvironmentPrivilege 2400 niggt.exe Token: SeChangeNotifyPrivilege 2400 niggt.exe Token: SeRemoteShutdownPrivilege 2400 niggt.exe Token: SeUndockPrivilege 2400 niggt.exe Token: SeManageVolumePrivilege 2400 niggt.exe Token: SeImpersonatePrivilege 2400 niggt.exe Token: SeCreateGlobalPrivilege 2400 niggt.exe Token: 33 2400 niggt.exe Token: 34 2400 niggt.exe Token: 35 2400 niggt.exe Token: 36 2400 niggt.exe Token: SeIncreaseQuotaPrivilege 3448 msdcsc.exe Token: SeSecurityPrivilege 3448 msdcsc.exe Token: SeTakeOwnershipPrivilege 3448 msdcsc.exe Token: SeLoadDriverPrivilege 3448 msdcsc.exe Token: SeSystemProfilePrivilege 3448 msdcsc.exe Token: SeSystemtimePrivilege 3448 msdcsc.exe Token: SeProfSingleProcessPrivilege 3448 msdcsc.exe Token: SeIncBasePriorityPrivilege 3448 msdcsc.exe Token: SeCreatePagefilePrivilege 3448 msdcsc.exe Token: SeBackupPrivilege 3448 msdcsc.exe Token: SeRestorePrivilege 3448 msdcsc.exe Token: SeShutdownPrivilege 3448 msdcsc.exe Token: SeDebugPrivilege 3448 msdcsc.exe Token: SeSystemEnvironmentPrivilege 3448 msdcsc.exe Token: SeChangeNotifyPrivilege 3448 msdcsc.exe Token: SeRemoteShutdownPrivilege 3448 msdcsc.exe Token: SeUndockPrivilege 3448 msdcsc.exe Token: SeManageVolumePrivilege 3448 msdcsc.exe Token: SeImpersonatePrivilege 3448 msdcsc.exe Token: SeCreateGlobalPrivilege 3448 msdcsc.exe Token: 33 3448 msdcsc.exe Token: 34 3448 msdcsc.exe Token: 35 3448 msdcsc.exe Token: 36 3448 msdcsc.exe Token: SeIncreaseQuotaPrivilege 1520 iexplore.exe Token: SeSecurityPrivilege 1520 iexplore.exe Token: SeTakeOwnershipPrivilege 1520 iexplore.exe Token: SeLoadDriverPrivilege 1520 iexplore.exe Token: SeSystemProfilePrivilege 1520 iexplore.exe Token: SeSystemtimePrivilege 1520 iexplore.exe Token: SeProfSingleProcessPrivilege 1520 iexplore.exe Token: SeIncBasePriorityPrivilege 1520 iexplore.exe Token: SeCreatePagefilePrivilege 1520 iexplore.exe Token: SeBackupPrivilege 1520 iexplore.exe Token: SeRestorePrivilege 1520 iexplore.exe Token: SeShutdownPrivilege 1520 iexplore.exe Token: SeDebugPrivilege 1520 iexplore.exe Token: SeSystemEnvironmentPrivilege 1520 iexplore.exe Token: SeChangeNotifyPrivilege 1520 iexplore.exe Token: SeRemoteShutdownPrivilege 1520 iexplore.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1520 iexplore.exe -
Suspicious use of WriteProcessMemory 59 IoCs
description pid Process procid_target PID 2400 wrote to memory of 3436 2400 niggt.exe 80 PID 2400 wrote to memory of 3436 2400 niggt.exe 80 PID 2400 wrote to memory of 3436 2400 niggt.exe 80 PID 2400 wrote to memory of 1680 2400 niggt.exe 82 PID 2400 wrote to memory of 1680 2400 niggt.exe 82 PID 2400 wrote to memory of 1680 2400 niggt.exe 82 PID 2400 wrote to memory of 4708 2400 niggt.exe 83 PID 2400 wrote to memory of 4708 2400 niggt.exe 83 PID 2400 wrote to memory of 4708 2400 niggt.exe 83 PID 2400 wrote to memory of 4708 2400 niggt.exe 83 PID 2400 wrote to memory of 4708 2400 niggt.exe 83 PID 2400 wrote to memory of 4708 2400 niggt.exe 83 PID 2400 wrote to memory of 4708 2400 niggt.exe 83 PID 2400 wrote to memory of 4708 2400 niggt.exe 83 PID 2400 wrote to memory of 4708 2400 niggt.exe 83 PID 2400 wrote to memory of 4708 2400 niggt.exe 83 PID 2400 wrote to memory of 4708 2400 niggt.exe 83 PID 2400 wrote to memory of 4708 2400 niggt.exe 83 PID 2400 wrote to memory of 4708 2400 niggt.exe 83 PID 2400 wrote to memory of 4708 2400 niggt.exe 83 PID 2400 wrote to memory of 4708 2400 niggt.exe 83 PID 2400 wrote to memory of 4708 2400 niggt.exe 83 PID 2400 wrote to memory of 4708 2400 niggt.exe 83 PID 3436 wrote to memory of 4420 3436 cmd.exe 85 PID 3436 wrote to memory of 4420 3436 cmd.exe 85 PID 3436 wrote to memory of 4420 3436 cmd.exe 85 PID 1680 wrote to memory of 4980 1680 cmd.exe 86 PID 1680 wrote to memory of 4980 1680 cmd.exe 86 PID 1680 wrote to memory of 4980 1680 cmd.exe 86 PID 2400 wrote to memory of 3448 2400 niggt.exe 87 PID 2400 wrote to memory of 3448 2400 niggt.exe 87 PID 2400 wrote to memory of 3448 2400 niggt.exe 87 PID 3448 wrote to memory of 1520 3448 msdcsc.exe 88 PID 3448 wrote to memory of 1520 3448 msdcsc.exe 88 PID 3448 wrote to memory of 1520 3448 msdcsc.exe 88 PID 3448 wrote to memory of 1520 3448 msdcsc.exe 88 PID 3448 wrote to memory of 1520 3448 msdcsc.exe 88 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 PID 1520 wrote to memory of 2480 1520 iexplore.exe 89 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion msdcsc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" msdcsc.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 4420 attrib.exe 4980 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\niggt.exe"C:\Users\Admin\AppData\Local\Temp\niggt.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\niggt.exe" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\niggt.exe" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4420
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4980
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:4708
-
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3448 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\notepad.exenotepad4⤵
- System Location Discovery: System Language Discovery
PID:2480
-
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\nigger.txt1⤵
- Opens file in notepad (likely ransom note)
PID:252
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
690KB
MD54c9704749ddbb514b5c60184f13fe7e7
SHA120e83ba94bda82acd3bd89a012b22143cc1ddb94
SHA256109ebb16b070770f48359880d6f643c23612a1bb56054790c164b0cde4312880
SHA5122d964ebb467e0ac41904dd8650ecfc4386da1e7ec52727a665239586809b52faec72c7e7ecf7e93b7b4dcb36c69dc239d79772bab4e9d6b57800b09691f9fabc