Analysis
- max time kernel: 152s
- max time network: 111s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 06-11-2020 10:41

Static task: static1
Behavioral task: behavioral1
- Sample: 5943effc5341ed40e50e71b719d370031f4938d68f806204564ee4c71f2a68d0.exe
- Resource: win7v20201028
General
- Target: 5943effc5341ed40e50e71b719d370031f4938d68f806204564ee4c71f2a68d0.exe
- Size: 3.5MB
- MD5: 1d1d1d3bbd32a651a4d3a5f7921d85f2
- SHA1: cabc5f91a11bda3a0b25b477093d7e7204b0c056
- SHA256: 5943effc5341ed40e50e71b719d370031f4938d68f806204564ee4c71f2a68d0
- SHA512: 40c4f55e07e6a8df507408fdd7443883fecd767d77ea57a0475e517050bcb2a31ba961d207b67d38ff64b673ff949822f734a8a3bfc1cfa13197769ad92a959a
Malware Config
Extracted
- Family: darkcomet
- Botnet/campaign ID: Guest16 (the DarkComet builder default)
- C2: console-wifi.ddns.net:1604 (dynamic-DNS host; 1604 is DarkComet's default listener port)
- Mutex: DC_MUTEX-8VGGSVK
- InstallPath: MSDCSC\msdcsc.exe (relative; in this run it resolved to C:\Users\Admin\Documents\MSDCSC\msdcsc.exe, see the Run key below)
- gencode: ifCVVYKKmA7g
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: Server.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (Server.exe)
The sample appends msdcsc.exe to the comma-separated UserInit list, so winlogon launches it at every interactive logon. This is a machine-wide value and survives independently of the per-user Run key below; remove both when cleaning up.
Executes dropped EXE (6 IoCs)
Processes:
- 3684 Server.exe
- 2596 Program.exe
- 3840 setup.exe
- 2128 Server.exe
- 2364 msdcsc.exe
- 804 msdcsc.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check. A geofence is one reading; a RAT that reports the victim's locale to its controller reads the same key, so treat this as enrichment rather than proof of a kill switch.
Processes: Server.exe
- Key value queried \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation (Server.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: Server.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (Server.exe)
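As an added example (not part of the Triage report and not DarkComet's own code), the following Python parses the two "Set value (str)" IoC lines above and applies the checks an analyst would repeat against a live host's registry: anything in Winlogon\UserInit beyond the stock userinit.exe loader, and any Run value that points into a user-writable directory. The ATT&CK IDs, the USER_WRITABLE fragment list and the single-line IoC layout are assumptions of the example, not sandbox output.

```python
"""Persistence checks for the two registry writes in this report.

Added example (not Triage's own code). It parses the report's "Set value (str)"
IoC lines, flags anything appended to Winlogon\\UserInit beyond the stock
loader, and flags Run values that point into user-writable directories.
"""
import re
from dataclasses import dataclass


def _unescape(s: str) -> str:
    """Triage prints REG_SZ data with every backslash doubled; undo that."""
    return s.replace("\\\\", "\\")


# The only entry Windows itself places in Winlogon\UserInit.
STOCK_USERINIT = "c:\\windows\\system32\\userinit.exe"

# Directory fragments a standard user can write to (assumption: extend this for
# your estate). A Run value pointing there is attacker-controlled until shown otherwise.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")

# Layout of one Triage registry IoC: Set value (str) <key> = "<data>" <process>
SET_VALUE_RE = re.compile(
    r'^Set value \(str\) (?P<key>.+?) = "(?P<value>.*)" (?P<process>\S+)$')


@dataclass
class Finding:
    technique: str
    key: str
    path: str
    process: str


def userinit_entries(value: str) -> list[str]:
    """Split a UserInit REG_SZ into the comma-separated commands winlogon runs."""
    return [e.strip().strip('"') for e in _unescape(value).split(",") if e.strip()]


def foreign_userinit_entries(value: str) -> list[str]:
    """Commands winlogon will launch at logon that are not the stock userinit.exe."""
    return [e for e in userinit_entries(value) if e.lower() != STOCK_USERINIT]


def is_user_writable(path: str) -> bool:
    p = _unescape(path).lower()
    return any(frag in p for frag in USER_WRITABLE)


def persistence_findings(ioc_lines: list[str]) -> list[Finding]:
    """Turn Triage 'Set value' lines into persistence findings with ATT&CK IDs."""
    findings: list[Finding] = []
    for line in ioc_lines:
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue
        key, value, proc = m["key"], m["value"], m["process"]
        low = key.lower()
        if low.endswith("\\winlogon\\userinit"):
            for extra in foreign_userinit_entries(value):
                findings.append(Finding("T1547.004 Winlogon Helper (UserInit)", key, extra, proc))
        elif "\\currentversion\\run\\" in low:
            path = _unescape(value).strip('"')
            if is_user_writable(path):
                findings.append(Finding("T1547.001 Registry Run key", key, path, proc))
    return findings


# Constructed sample: the two registry IoC lines from this report, verbatim.
SAMPLE_IOCS = [
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'
    '\\Winlogon\\UserInit = "C:\\\\Windows\\\\system32\\\\userinit.exe,'
    'C:\\\\Users\\\\Admin\\\\Documents\\\\MSDCSC\\\\msdcsc.exe" Server.exe',
    'Set value (str) \\REGISTRY\\USER\\S-1-5-21-1985363256-3005190890-1182679451-1000'
    '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroUpdate = '
    '"C:\\\\Users\\\\Admin\\\\Documents\\\\MSDCSC\\\\msdcsc.exe" Server.exe',
]

if __name__ == "__main__":
    for f in persistence_findings(SAMPLE_IOCS):
        print(f"{f.technique}: {f.path} (written by {f.process})")
```

Run on the two lines above it reports one UserInit finding and one Run-key finding, both pointing at the same msdcsc.exe path. On a real host the same functions can be fed the output of `reg query` for the two keys; the UserInit check is the one most often missed, because the stock loader is still present and the value looks superficially normal.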
Suspicious use of SetThreadContext (2 IoCs)
Processes: Server.exe, msdcsc.exe
- PID 3684 (Server.exe) set thread context of PID 2128 (Server.exe)
- PID 2364 (msdcsc.exe) set thread context of PID 804 (msdcsc.exe)
In both cases the parent launches a second copy of its own image, writes into it (14 and 9 WriteProcessMemory events, listed below) and then redirects the child's thread: the RunPE / process-hollowing sequence. The children (2128 and 804) are the processes that perform every later action in this report, so they are the ones to dump; the parents are only loaders.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; for a DarkComet server, which ships a remote file manager and drive listing, drive enumeration is ordinary RAT functionality and this report records no encryption activity.
-
Modifies registry class (1 IoC)
Processes: Server.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance (Server.exe)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- 804 msdcsc.exe
Repeated GetForegroundWindow polling is how a keylogger tags keystrokes with the active window title; together with the SetWindowsHookEx call from the same PID it is consistent with the offline_keylogger=true setting in the extracted config.
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: Server.exe (PID 2128), msdcsc.exe (PID 804)
Both hollowed children enable the same 24 privileges on their token (24 IoCs each):
- SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- LUIDs 33, 34, 35, 36 (not resolved to names by the sandbox; in winnt.h these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege)
Enabling every privilege present on an administrator token in one sweep, SeDebugPrivilege included, rather than the single privilege a task needs is the "enable all privileges" routine; note that only the injected children do it, not the loaders or the dropper.
Suspicious use of FindShellTrayWindow (6 IoCs)
Processes:
- 640 5943effc5341ed40e50e71b719d370031f4938d68f806204564ee4c71f2a68d0.exe (6 events)
Suspicious use of SendNotifyMessage (6 IoCs)
Processes:
- 640 5943effc5341ed40e50e71b719d370031f4938d68f806204564ee4c71f2a68d0.exe (6 events)
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
- 2596 Program.exe
- 3840 setup.exe
- 804 msdcsc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 5943effc5341ed40e50e71b719d370031f4938d68f806204564ee4c71f2a68d0.exe, Program.exe, Server.exe, Server.exe, cmd.exe, cmd.exe, msdcsc.exe
Source PID -> target PID (source image -> target image), number of events:
- 640 -> 3684 (5943effc5341ed40e50e71b719d370031f4938d68f806204564ee4c71f2a68d0.exe -> Server.exe): 3
- 640 -> 2596 (5943effc5341ed40e50e71b719d370031f4938d68f806204564ee4c71f2a68d0.exe -> Program.exe): 3
- 2596 -> 3840 (Program.exe -> setup.exe): 3
- 3684 -> 2128 (Server.exe -> Server.exe): 14
- 2128 -> 3988 (Server.exe -> cmd.exe): 3
- 2128 -> 3968 (Server.exe -> cmd.exe): 3
- 2128 -> 1832 (Server.exe -> notepad.exe): 17
- 3988 -> 3164 (cmd.exe -> attrib.exe): 3
- 3968 -> 3156 (cmd.exe -> attrib.exe): 3
- 2128 -> 2364 (Server.exe -> msdcsc.exe): 3
- 2364 -> 804 (msdcsc.exe -> msdcsc.exe): 9
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes:
- 3156 attrib.exe
- 3164 attrib.exe
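The SetThreadContext and WriteProcessMemory lists above are printed as one run-on line per signature, which hides the pattern that matters: which children were spawned normally and which were hollowed. As an added example (not Triage's own tooling), the following Python rebuilds the cross-process write graph from that text and flags the RunPE sequence (parent spawns its own image, writes far more than a normal spawn does, then sets the child's thread context), plus any other target that received an unusual number of writes. The single-line layout "PID <src> <verb> <dst> <src> <src image> <dst image>" and the three-writes-per-normal-spawn threshold are assumptions taken from this report, not documented Triage behaviour.

```python
"""Cross-process write graph from Triage's flattened IoC text.

Added example, not Triage's own tooling. It assumes the one-line layout this
report uses, "PID <src> <verb> <dst> <src> <src image> <dst image>", and a
heuristic (NORMAL_SPAWN_WRITES) for how many writes an ordinary CreateProcess
makes into its child; both are assumptions, not documented Triage behaviour.
"""
import re
from collections import Counter

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)")

# Writes a plain CreateProcess makes into a freshly spawned child in this
# sandbox (every cmd.exe/attrib.exe pair in the report shows exactly three).
NORMAL_SPAWN_WRITES = 3


def parse_edges(text: str, pattern: re.Pattern) -> Counter:
    """{(src_pid, dst_pid, src_image, dst_image): event count} for one IoC blob."""
    return Counter((int(s), int(d), si, di) for s, d, si, di in pattern.findall(text))


def hollowing_candidates(wpm_text: str, stc_text: str) -> list[dict]:
    """Parent spawns its own image, writes into the child, then rewrites the
    child's thread context: the RunPE / process-hollowing sequence."""
    writes = parse_edges(wpm_text, WPM_RE)
    contexts = parse_edges(stc_text, STC_RE)
    rows = []
    for (src, dst, si, di), _ in contexts.items():
        w = writes.get((src, dst, si, di), 0)
        rows.append({"parent": src, "child": dst, "image": di,
                     "self_spawn": si == di, "writes": w,
                     "hollowing": si == di and w > NORMAL_SPAWN_WRITES})
    return sorted(rows, key=lambda r: r["parent"])


def write_only_targets(wpm_text: str, stc_text: str) -> list[dict]:
    """Children that received more than a spawn's worth of writes but no
    SetThreadContext. Still worth dumping: the entry may be a remote thread
    the sandbox did not attribute."""
    writes = parse_edges(wpm_text, WPM_RE)
    contexts = parse_edges(stc_text, STC_RE)
    return [{"writer": s, "target": d, "image": di, "writes": n}
            for (s, d, si, di), n in writes.items()
            if (s, d, si, di) not in contexts and n > NORMAL_SPAWN_WRITES]


DROPPER = "5943effc5341ed40e50e71b719d370031f4938d68f806204564ee4c71f2a68d0.exe"

# Constructed sample: every edge from this report's WriteProcessMemory and
# SetThreadContext signatures, repeated as many times as Triage printed it.
SAMPLE_WPM = (
    f"PID 640 wrote to memory of 3684 640 {DROPPER} Server.exe " * 3
    + f"PID 640 wrote to memory of 2596 640 {DROPPER} Program.exe " * 3
    + "PID 2596 wrote to memory of 3840 2596 Program.exe setup.exe " * 3
    + "PID 3684 wrote to memory of 2128 3684 Server.exe Server.exe " * 14
    + "PID 2128 wrote to memory of 3988 2128 Server.exe cmd.exe " * 3
    + "PID 2128 wrote to memory of 3968 2128 Server.exe cmd.exe " * 3
    + "PID 2128 wrote to memory of 1832 2128 Server.exe notepad.exe " * 17
    + "PID 3988 wrote to memory of 3164 3988 cmd.exe attrib.exe " * 3
    + "PID 3968 wrote to memory of 3156 3968 cmd.exe attrib.exe " * 3
    + "PID 2128 wrote to memory of 2364 2128 Server.exe msdcsc.exe " * 3
    + "PID 2364 wrote to memory of 804 2364 msdcsc.exe msdcsc.exe " * 9
)
SAMPLE_STC = (
    "PID 3684 set thread context of 2128 3684 Server.exe Server.exe "
    "PID 2364 set thread context of 804 2364 msdcsc.exe msdcsc.exe"
)

if __name__ == "__main__":
    for r in hollowing_candidates(SAMPLE_WPM, SAMPLE_STC):
        print(r)
    for r in write_only_targets(SAMPLE_WPM, SAMPLE_STC):
        print(r)
```

On this report's data the script returns two hollowing rows (3684 -> 2128 with 14 writes, 2364 -> 804 with 9) and one write-only target, notepad.exe PID 1832 with 17 writes from the hollowed Server.exe, which is why notepad appears in the process tree with no document open. The counting matters: the three-write edges are the sandbox's view of an ordinary CreateProcess and would drown the signal if every WriteProcessMemory event were treated as injection.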
Processes
Tree by launch depth; PIDs are taken from the signature lists above where the report gives them.
- C:\Users\Admin\AppData\Local\Temp\5943effc5341ed40e50e71b719d370031f4938d68f806204564ee4c71f2a68d0.exe (PID 640, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\5943effc5341ed40e50e71b719d370031f4938d68f806204564ee4c71f2a68d0.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Server.exe (PID 3684, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Server.exe (PID 2128, depth 3; hollowed child of 3684)
      command line: C:\Users\Admin\AppData\Local\Temp\Server.exe
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (depth 4)
        command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Server.exe" +s +h
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\attrib.exe (depth 5)
          command line: attrib "C:\Users\Admin\AppData\Local\Temp\Server.exe" +s +h
          - Views/modifies file attributes
      - C:\Windows\SysWOW64\cmd.exe (depth 4)
        command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\attrib.exe (depth 5)
          command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          - Views/modifies file attributes
      - C:\Windows\SysWOW64\notepad.exe (PID 1832, depth 4)
        command line: notepad
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2364, depth 4)
        command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 804, depth 5; hollowed child of 2364)
          command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          - Executes dropped EXE
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - C:\Windows\SysWOW64\notepad.exe (depth 6)
            command line: notepad
  - C:\Users\Admin\AppData\Local\Temp\Program.exe (PID 2596, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Program.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\setup.exe (PID 3840, depth 3)
      command line: ".\setup.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Notes on the tree:
- The two cmd.exe instances are PIDs 3988 and 3968 (WriteProcessMemory list); the report does not say which one ran which attrib command. They run from SysWOW64 because the payload is a 32-bit process on an x64 guest, and `cmd /k` leaves each cmd window alive after attrib returns.
- `attrib +s +h` marks both the dropped Server.exe and the entire Temp directory system and hidden, so neither shows in a default Explorer view.
- notepad.exe is launched with no file; PID 2128 then makes 17 writes into PID 1832, so it is an injection target, not a user action. The notepad under PID 804 has no PID on this page.
- The dropper runs two payloads side by side: Server.exe (the DarkComet server) and Program.exe. WZSE*.TMP is the temp directory naming used by WinZip Self-Extractor, so Program.exe is a self-extracting archive carrying setup.exe and FTwister.exe; the Downloads list shows FTwister.exe was dropped but never executed.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Program.exe
  MD5: eb1463293c4ac8e5c99f26d3bbfd921a
  SHA1: 49e748069393dd518f32c285b8c666509e161f96
  SHA256: a68cfb6e60498b2d9127e66bde8f57df7e4f3ec5ce4201718520d0e309e06976
  SHA512: eaf3e70b79905812fa388643d211a7cf055e54261762d5d80a7ed73b617e5f2df5781492250a45523ea4cbcef7522902d643d403fa86aeb06b72fc15381c241a
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  MD5: 20c3e0029c9b5456c5ac15d93cc65904
  SHA1: ced8d8ca4fae7af284196b050cce0f3ac57ed9ae
  SHA256: a92d4c3236ec8bbadb74f42de7ebafbc66c3f11f5ae84903032e50bd83793928
  SHA512: 9f63578f350c5aeaca3e3b9bdb8c0c93cc1d2d44bc494f24430dbd193303135c766204ec6b1352c458e580781762c6ddbe45a82e20f4ac99ee208130c4a2e2de
- C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\FTwister.exe
  MD5: 77b433be94c9eca443c11fcf77c1d72b
  SHA1: 769769015bf74d009f0740bdadea247e1ee64705
  SHA256: d87131fc3ae4851c0adcc61ea7fc07f8568f32ce1bd069ef6f56cae69292a700
  SHA512: a3e229f000e2a8675e1a482f11204b4e516a68fb80667a04f546d4c76f7f9f79a8367f7c8dc00abb77233ba50febf9d319a4a68f93fe61e85daf125180613ed6
- C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\setup.exe (also listed as Setup.exe; same file, same hashes)
  MD5: 70129043d8e6c20865eddf71d76dda25
  SHA1: 466fff0b395f280e60f5f7da573bd965aec8c60d
  SHA256: ddd24730907c8320457fb87838a073707fee197b87eeba0b6fb36a9f4288d643
  SHA512: 4b72bfc245940934a448d6cc64e9369a2d1b60d6d3eaf9a29bb290dbd89ca61fad8c41eb3f4f4cc99bcef7adf02c606a76a21fb833785f1eb1f0064071deedd6
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: 20c3e0029c9b5456c5ac15d93cc65904
  SHA1: ced8d8ca4fae7af284196b050cce0f3ac57ed9ae
  SHA256: a92d4c3236ec8bbadb74f42de7ebafbc66c3f11f5ae84903032e50bd83793928
  SHA512: 9f63578f350c5aeaca3e3b9bdb8c0c93cc1d2d44bc494f24430dbd193303135c766204ec6b1352c458e580781762c6ddbe45a82e20f4ac99ee208130c4a2e2de
The installed msdcsc.exe has the same hashes as the dropped Server.exe: the install step copies the DarkComet server unchanged, so one hash covers both paths for blocking and hunting.
-
Memory dumps
- memory/804-26-0x000000000048F888-mapping.dmp
- memory/1832-17-0x0000000000000000-mapping.dmp
- memory/1832-18-0x0000000000640000-0x0000000000641000-memory.dmp (4KB)
- memory/1832-19-0x0000000000000000-mapping.dmp
- memory/2128-12-0x0000000000400000-0x00000000004B2000-memory.dmp (712KB)
- memory/2128-13-0x000000000048F888-mapping.dmp
- memory/2364-22-0x0000000000000000-mapping.dmp
- memory/2596-6-0x00000000745A0000-0x0000000074633000-memory.dmp (588KB)
- memory/2596-3-0x0000000000000000-mapping.dmp
- memory/3156-21-0x0000000000000000-mapping.dmp
- memory/3164-20-0x0000000000000000-mapping.dmp
- memory/3684-0-0x0000000000000000-mapping.dmp
- memory/3840-10-0x00000000745A0000-0x0000000074633000-memory.dmp (588KB)
- memory/3840-7-0x0000000000000000-mapping.dmp
- memory/3928-28-0x0000000000000000-mapping.dmp
- memory/3928-29-0x0000000003370000-0x0000000003371000-memory.dmp (4KB)
- memory/3928-30-0x0000000000000000-mapping.dmp
- memory/3968-16-0x0000000000000000-mapping.dmp
- memory/3988-15-0x0000000000000000-mapping.dmp
Where to start: the 712KB region at the default image base 0x400000 in PID 2128 is the payload image that the hollowing parent wrote into its child, so it is the dump to unpack and to derive static signatures from. The identical mapping address 0x48F888 in PID 2128 and PID 804 shows the same image was written into both hollowed processes. The 588KB region at 0x745A0000 appears in both Program.exe (2596) and setup.exe (3840), so it is one module shared by the two WinZip-side processes rather than injected code. PID 3928 appears only in this list; it has no entry in the process tree on this page.