Analysis
max time kernel: 150s
max time network: 139s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 03-01-2025 08:10
Static task: static1

Behavioral task: behavioral1
  Sample: Simple BTC Trader v1.3/Simple BTC Trader v1.3 [Trial Version].exe
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: Simple BTC Trader v1.3/Simple BTC Trader v1.3 [Trial Version].exe
  Resource: win10v2004-20241007-en

Behavioral task: behavioral3
  Sample: Simple BTC Trader v1.3/api-ms-win-core-libraryloader-l1-1-0.dll
  Resource: win7-20241010-en

Behavioral task: behavioral4
  Sample: Simple BTC Trader v1.3/api-ms-win-core-libraryloader-l1-1-0.dll
  Resource: win10v2004-20241007-en

Behavioral task: behavioral5
  Sample: Simple BTC Trader v1.3/crypt32.dll
  Resource: win7-20240903-en

Behavioral task: behavioral6
  Sample: Simple BTC Trader v1.3/crypt32.dll
  Resource: win10v2004-20241007-en
General
Target: Simple BTC Trader v1.3/Simple BTC Trader v1.3 [Trial Version].exe
Size: 1.0MB
MD5: d493ef686bd337ee99459886c3ef6f93
SHA1: e0b99011aec22e73f0eb362d503e724567b2ae33
SHA256: fc46fddea9f07579ff17ca2045151449488c44c30435df61f560797d9e4a1bff
SHA512: 96074111f22fbb6c7d13a42d0fc6a60a50f98e3e0ddc79458469b6edcec24c596bc5966419516225fc26fa9b2bf85c9dd6ce6933d4cbb42faf41d1aa3c16068c
SSDEEP: 12288:rhE5xyytgDbV5WC2Mry6Wzgo0Rl7yX5vWL1wajud:NE5Yd5ZrG2lO+1O
Malware Config
Extracted
Family: darkcomet
Botnet: Coin
C2: 89.173.7.7:200
Mutex: DC_MUTEX-YG8ENTR
Attributes:
  InstallPath: MSDCSC\msdcsc.exe
  gencode: g43hiCLbWeZk
  install: true
  offline_keylogger: true
  persistence: true
  reg_key: MicroUpdate
Signatures
Darkcomet family

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | Simple BTC Trader v1.3 [Trial Version].exe

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
2716 | attrib.exe
2908 | attrib.exe

Deletes itself (1 IoC)
pid | Process
2916 | notepad.exe

Executes dropped EXE (2 IoCs)
pid | Process
2780 | msdcsc.exe
848 | msdcsc.exe

Loads dropped DLL (3 IoCs)
pid | Process
2488 | Simple BTC Trader v1.3 [Trial Version].exe
2488 | Simple BTC Trader v1.3 [Trial Version].exe
2780 | msdcsc.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | Simple BTC Trader v1.3 [Trial Version].exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | msdcsc.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 684 set thread context of 2488 | 684 | Simple BTC Trader v1.3 [Trial Version].exe | 30
PID 2780 set thread context of 848 | 2780 | msdcsc.exe | 39

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process | entries
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Simple BTC Trader v1.3 [Trial Version].exe | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe | 2

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
848 | msdcsc.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
pid | Process | Tokens (23 per process)
2488 | Simple BTC Trader v1.3 [Trial Version].exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
848 | msdcsc.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
848 | msdcsc.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, entries column gives the number of occurrences)
description | pid | Process | procid_target | entries
PID 684 wrote to memory of 2488 | 684 | Simple BTC Trader v1.3 [Trial Version].exe | 30 | 13
PID 2488 wrote to memory of 2540 | 2488 | Simple BTC Trader v1.3 [Trial Version].exe | 31 | 4
PID 2488 wrote to memory of 2784 | 2488 | Simple BTC Trader v1.3 [Trial Version].exe | 32 | 4
PID 2488 wrote to memory of 2916 | 2488 | Simple BTC Trader v1.3 [Trial Version].exe | 34 | 18
PID 2540 wrote to memory of 2716 | 2540 | cmd.exe | 36 | 4
PID 2784 wrote to memory of 2908 | 2784 | cmd.exe | 37 | 4
PID 2488 wrote to memory of 2780 | 2488 | Simple BTC Trader v1.3 [Trial Version].exe | 38 | 4
PID 2780 wrote to memory of 848 | 2780 | msdcsc.exe | 39 | 13

Views/modifies file attributes (1 TTP, 2 IoCs)
pid | Process
2716 | attrib.exe
2908 | attrib.exe
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\Simple BTC Trader v1.3\Simple BTC Trader v1.3 [Trial Version].exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Simple BTC Trader v1.3\Simple BTC Trader v1.3 [Trial Version].exe"
  PID:684
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Simple BTC Trader v1.3\Simple BTC Trader v1.3 [Trial Version].exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Simple BTC Trader v1.3\Simple BTC Trader v1.3 [Trial Version].exe"
    PID:2488
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Simple BTC Trader v1.3\Simple BTC Trader v1.3 [Trial Version].exe" +s +h
      PID:2540
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\Simple BTC Trader v1.3\Simple BTC Trader v1.3 [Trial Version].exe" +s +h
        PID:2716
        - Sets file to hidden
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Simple BTC Trader v1.3" +s +h
      PID:2784
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\Simple BTC Trader v1.3" +s +h
        PID:2908
        - Sets file to hidden
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes

    C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
      PID:2916
      - Deletes itself
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
      PID:2780
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
        PID:848
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\notepad.exe
          Command line: notepad
          PID:1796
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (2)
Downloads
Filesize: 1.0MB
MD5: d493ef686bd337ee99459886c3ef6f93
SHA1: e0b99011aec22e73f0eb362d503e724567b2ae33
SHA256: fc46fddea9f07579ff17ca2045151449488c44c30435df61f560797d9e4a1bff
SHA512: 96074111f22fbb6c7d13a42d0fc6a60a50f98e3e0ddc79458469b6edcec24c596bc5966419516225fc26fa9b2bf85c9dd6ce6933d4cbb42faf41d1aa3c16068c