Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows7_x64
- resource: win7
- submitted: 06-07-2020 06:38
Static task: static1
Behavioral task behavioral1: sample 6a90e5d6b3a93cf1d6b87a99c6fc23a0c3b798478238a1dc20838c4a25b5cd2e.exe, resource win7
Behavioral task behavioral2: sample 6a90e5d6b3a93cf1d6b87a99c6fc23a0c3b798478238a1dc20838c4a25b5cd2e.exe, resource win10
General
- Target: 6a90e5d6b3a93cf1d6b87a99c6fc23a0c3b798478238a1dc20838c4a25b5cd2e.exe
- Size: 1.5MB
- MD5: 3588c7e12a3dcf3fdd74ca1828873a05
- SHA1: 1cae954471e543fdf22e2f332635a92e652c7992
- SHA256: 6a90e5d6b3a93cf1d6b87a99c6fc23a0c3b798478238a1dc20838c4a25b5cd2e
- SHA512: 6c1b3e3621a3018a87e61259895fe2fe34feef6e6c8836cb32caac7a8d6ceaf4a001dbf014ec226f9ea8c3d5b92f2f97fb78e7189fbf9fc5a0d28fbc716999b4
Malware Config
Extracted family: darkcomet
- Campaign ID (botnet): Sazan
- C2: 192.168.0.10:1604
- Mutex: DC_MUTEX-W4T2SBC
- InstallPath: MSDCSC\msdcsc.exe
- gencode: nlveCPNhWUHe
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate

The configured C2 is an RFC 1918 address, so this build calls back to a host on the victim's local network (consistent with a lab or test build) and produces no Internet-bound C2 traffic. The InstallPath and reg_key values are the same MSDCSC\msdcsc.exe path and MicroUpdate value name that appear in the Winlogon and Run-key IoCs under Signatures.
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  vbc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Executes dropped EXE (1 IoC)
  PID 1764 msdcsc.exe
- Loads dropped DLL (1 IoC)
  PID 1688 vbc.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 3 IoCs)
  6a90e5d6b3a93cf1d6b87a99c6fc23a0c3b798478238a1dc20838c4a25b5cd2e.exe: Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run
  6a90e5d6b3a93cf1d6b87a99c6fc23a0c3b798478238a1dc20838c4a25b5cd2e.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft@Service = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6a90e5d6b3a93cf1d6b87a99c6fc23a0c3b798478238a1dc20838c4a25b5cd2e.exe"
  vbc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Suspicious use of SetThreadContext (1 IoC)
  PID 1516 (6a90e5d6b3a93cf1d6b87a99c6fc23a0c3b798478238a1dc20838c4a25b5cd2e.exe) set thread context of PID 1688 (vbc.exe)
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  PID 1688 vbc.exe adjusted token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 1516 6a90e5d6b3a93cf1d6b87a99c6fc23a0c3b798478238a1dc20838c4a25b5cd2e.exe (3 calls)
- Suspicious use of SendNotifyMessage (3 IoCs)
  PID 1516 6a90e5d6b3a93cf1d6b87a99c6fc23a0c3b798478238a1dc20838c4a25b5cd2e.exe (3 calls)
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 1516 (6a90e5d6b3a93cf1d6b87a99c6fc23a0c3b798478238a1dc20838c4a25b5cd2e.exe) wrote to memory of PID 1688 (vbc.exe): 13 events
  PID 1688 (vbc.exe) wrote to memory of PID 1764 (msdcsc.exe): 4 events
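The two persistence signatures above (the extra UserInit entry and the Run values) are the IoCs a responder would sweep other hosts for. The following check is an added example, not part of the sandbox report or of any sandbox tooling: it parses a Winlogon\UserInit command list and a set of Run values and flags the DarkComet entries. The registry values are constructed from this report's IoCs (the OneDrive row is a benign control that is not in the report); the allowed userinit.exe spellings, the user-writable directory pattern and the "known names" list are this example's assumptions. On a live host the values would be read with winreg or from an exported hive instead.

```python
"""Check Winlogon UserInit and per-user Run values for the persistence
recorded in the Signatures section.

Added example, not part of the sandbox report. Registry values are
constructed from the report's IoCs plus one benign control entry; the
allow-list and directory patterns are this example's assumptions.
"""
from __future__ import annotations

import ntpath
import re

# Winlogon\UserInit is a comma-separated command list that winlogon runs
# at every interactive logon; anything beyond the stock userinit.exe is
# a persistence entry. Both spellings are accepted (assumption).
ALLOWED_USERINIT = {
    r"c:\windows\system32\userinit.exe",
    r"%systemroot%\system32\userinit.exe",
}

# Directories a standard user can write to. DarkComet installed under
# Documents and the original sample ran from AppData\Local\Temp.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata\\local\\temp|documents|downloads|desktop)\\",
    re.IGNORECASE,
)

# Value names and install path taken from this report's IoCs and config.
KNOWN_VALUE_NAMES = {"microupdate", "microsoft@service"}
KNOWN_INSTALL_PATH = "\\msdcsc\\msdcsc.exe"


def split_command_list(value: str) -> list[str]:
    """Split a comma-separated registry command list and drop empties."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def command_target(command: str) -> str:
    """Return the executable path from a Run command (quoted or bare).
    A bare path containing spaces is cut at the first space (limitation)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def userinit_extra_entries(userinit_value: str) -> list[str]:
    """Return every UserInit entry other than the stock userinit.exe."""
    extras = []
    for entry in split_command_list(userinit_value):
        if ntpath.normpath(entry).lower() not in ALLOWED_USERINIT:
            extras.append(entry)
    return extras


def suspicious_run_values(run_values: dict[str, str]) -> list[dict]:
    """Flag Run values by target location and by the names and paths this
    report attributes to DarkComet; each hit carries its reasons."""
    hits = []
    for name, command in run_values.items():
        target = command_target(command)
        reasons = []
        if USER_WRITABLE.search(target):
            reasons.append("target in user-writable directory")
        if target.lower().endswith(KNOWN_INSTALL_PATH):
            reasons.append("DarkComet InstallPath MSDCSC\\msdcsc.exe")
        if name.lower() in KNOWN_VALUE_NAMES:
            reasons.append("value name from this report's IoCs")
        if reasons:
            hits.append({"name": name, "target": target, "reasons": reasons})
    return hits


# Constructed from the report: the sample (PID 1516) wrote Microsoft@Service,
# the hollowed vbc.exe (PID 1688) wrote MicroUpdate and UserInit. The
# OneDrive row is a benign control and is not from the report.
SAMPLE_USERINIT = (
    "C:\\Windows\\system32\\userinit.exe,"
    "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
)
SAMPLE_RUN_VALUES = {
    "Microsoft@Service": "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
    "6a90e5d6b3a93cf1d6b87a99c6fc23a0c3b798478238a1dc20838c4a25b5cd2e.exe",
    "MicroUpdate": "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe",
    "OneDrive": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background',
}

if __name__ == "__main__":
    for extra in userinit_extra_entries(SAMPLE_USERINIT):
        print("UserInit persistence entry:", extra)
    for hit in suspicious_run_values(SAMPLE_RUN_VALUES):
        print("Run value", hit["name"], "->", hit["target"], ";", ", ".join(hit["reasons"]))
```

The UserInit check deliberately compares the whole normalized path rather than just the file name, so a copy named userinit.exe in a user directory is still reported; the Run check scores on location as well as on the report's names, so a rebuilt DarkComet with a different reg_key still trips the user-writable-directory rule.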
Processes
1. C:\Users\Admin\AppData\Local\Temp\6a90e5d6b3a93cf1d6b87a99c6fc23a0c3b798478238a1dc20838c4a25b5cd2e.exe (PID 1516)
   command line: "C:\Users\Admin\AppData\Local\Temp\6a90e5d6b3a93cf1d6b87a99c6fc23a0c3b798478238a1dc20838c4a25b5cd2e.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
2. (child of 1) C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 1688)
   command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
3. (child of 2) C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1764)
   command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
   - Executes dropped EXE

The Visual Basic compiler is started with no arguments and then receives thread context and memory writes from its parent (one SetThreadContext and 13 WriteProcessMemory events from PID 1516), which is the process-hollowing pattern: the signed, trusted vbc.exe is the host for the DarkComet payload, and every persistence write (UserInit, the MicroUpdate Run value) and the launch of the dropped msdcsc.exe are performed by that hollowed process rather than by the original sample. When hunting, tie the registry events to the parent chain and not just to the image name, because the writing process will show up as a legitimate Microsoft binary.
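The tree above can be turned into a detection that does not depend on the sample's hash. The following is an added example, not part of the sandbox report or of any sandbox tooling: it scores process-creation records on three signals that this report exhibits together (a compiler launched with an empty command line, a parent running from a user profile directory, and the parent writing memory and setting thread context in the child). The event records are constructed from the report's PIDs, images and API signatures; the MSBuild/vbc.exe control pair, the list of host binaries and the two-signal threshold are this example's assumptions.

```python
"""Flag the process-hollowing chain shown in the process tree.

Added example, not part of the sandbox report. Event records are
constructed from the report (plus one benign MSBuild/vbc.exe control
pair); the host list and the two-reason threshold are assumptions.
"""
from __future__ import annotations

import ntpath
import re

# Binaries this example treats as likely hollowing hosts when they are
# started without arguments (assumption; extend for your environment).
HOLLOW_HOSTS = {"vbc.exe", "csc.exe"}
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)


def has_no_arguments(cmdline: str) -> bool:
    """True when the command line is only the (optionally quoted) image."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        rest = cmdline[end + 1:] if end > 0 else ""
    else:
        rest = cmdline.split(" ", 1)[1] if " " in cmdline else ""
    return rest.strip() == ""


def hollowing_candidates(process_events: list[dict], api_events: list[dict]) -> list[dict]:
    """Score each process on three signals; return those with at least two."""
    by_pid = {e["pid"]: e for e in process_events}
    wrote = {(a["pid"], a["target"]) for a in api_events if a["api"] == "WriteProcessMemory"}
    set_ctx = {(a["pid"], a["target"]) for a in api_events if a["api"] == "SetThreadContext"}
    hits = []
    for event in process_events:
        parent = by_pid.get(event["ppid"])
        pair = (parent["pid"], event["pid"]) if parent else None
        reasons = []
        if ntpath.basename(event["image"]).lower() in HOLLOW_HOSTS and has_no_arguments(event["cmdline"]):
            reasons.append("compiler started with no arguments")
        if parent and USER_PROFILE.search(parent["image"]):
            reasons.append("parent runs from a user profile directory")
        if pair and pair in wrote and pair in set_ctx:
            reasons.append("parent wrote memory and set thread context in child")
        if len(reasons) >= 2:
            hits.append({"pid": event["pid"], "image": event["image"], "reasons": reasons})
    return hits


SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6a90e5d6b3a93cf1d6b87a99c6fc23a0c3b798478238a1dc20838c4a25b5cd2e.exe"
VBC = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
MSDCSC = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
MSBUILD = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"  # control, not from the report

# Constructed from the report's process tree; ppid None marks a tree root.
PROCESS_EVENTS = [
    {"pid": 1516, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1688, "ppid": 1516, "image": VBC, "cmdline": f'"{VBC}"'},
    {"pid": 1764, "ppid": 1688, "image": MSDCSC, "cmdline": f'"{MSDCSC}"'},
    # Benign control pair: a real build compiling through a response file.
    {"pid": 2100, "ppid": None, "image": MSBUILD, "cmdline": f'"{MSBUILD}" proj.vbproj'},
    {"pid": 2200, "ppid": 2100, "image": VBC, "cmdline": f'"{VBC}" /noconfig @"obj\\Debug\\proj.vbc.rsp"'},
]

# Constructed from the SetThreadContext / WriteProcessMemory signatures
# (the report records 13 writes 1516->1688 and 4 writes 1688->1764).
API_EVENTS = [
    {"api": "SetThreadContext", "pid": 1516, "target": 1688},
    {"api": "WriteProcessMemory", "pid": 1516, "target": 1688},
    {"api": "WriteProcessMemory", "pid": 1688, "target": 1764},
]

if __name__ == "__main__":
    for hit in hollowing_candidates(PROCESS_EVENTS, API_EVENTS):
        print(f"PID {hit['pid']} {hit['image']}: " + "; ".join(hit["reasons"]))
```

Only the hollowed vbc.exe (PID 1688) reaches the threshold: msdcsc.exe is written to by its parent but never has its thread context replaced, and the control compiler carries a response-file argument and a parent outside any user profile. Requiring two signals keeps a lone compiler launch from a Temp directory from paging anyone, while still catching a hollowed host whose parent sits outside the profile.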
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (recorded three times in the report, twice as C:\Users\Admin\Documents\MSDCSC\msdcsc.exe and once as \Users\Admin\Documents\MSDCSC\msdcsc.exe, with identical hashes)
  MD5: 1f7bccc57d21a4bfeddaafe514cfd74d
  SHA1: 4dab09179a12468cb1757cb7ca26e06d616b0a8d
  SHA256: d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061
  SHA512: 9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8
- memory/1688-0-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
- memory/1688-1-0x000000000048F888-mapping.dmp
- memory/1688-2-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
- memory/1764-4-0x0000000000000000-mapping.dmp