Analysis
- max time kernel: 150s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-11-2020 17:45
Static task: static1
Behavioral task: behavioral1
- Sample: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe
- Resource: win7v20201028
General
- Target: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe
- Size: 251KB
- MD5: fede7a68bdb1f79b5f09c590b1226e34
- SHA1: 48037cae2e1fbd08b80f39e43c8209acaf3e4dd6
- SHA256: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f
- SHA512: 4926d0eb30428c18e09553a3a66a677bb746c635c3bbe024a14270a6bf4da089c4564d449856d15e3ba4bd515fbe1daedbc3af631b064feafe2a333d12b821ff
Malware Config
Extracted
- Family: darkcomet
- Botnet: Sazan
- C2: 127.0.0.1:1604
- Mutex: DC_MUTEX-FG9B2GA
- InstallPath: MSDCSC\msdcsc.exe
- gencode: j5zPqt9UKPk3
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
The C2 is the loopback address on 1604, DarkComet's default port, so as configured this build never reaches a controller outside the host and the run yields no network indicators to pivot on. InstallPath is relative to the user's Documents folder and reg_key is the Run value name; both reappear in the signatures below as C:\Users\Admin\Documents\MSDCSC\msdcsc.exe and Run\MicroUpdate.
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe)
The default UserInit value is userinit.exe alone; every comma-separated entry appended to it is started by Winlogon at each interactive logon, so the RAT comes back even if the Run key below is removed on its own. Both entries have to be cleaned together.
Modifies security service 2 TTPs 2 IoCs
Processes: iexplore.exe, msdcsc.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (process: iexplore.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (process: msdcsc.exe)
Start = 4 is SERVICE_DISABLED: the Windows Security Center service (wscsvc) will not start at the next boot. The same write is made from msdcsc.exe and from the iexplore.exe it injects into, i.e. the RAT body runs its setup routine in both processes.
Executes dropped EXE 1 IoCs
Processes: msdcsc.exe
- PID 2408 msdcsc.exe
UPX packed file (yara rule: upx)
Processes:
- upx: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
- upx: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
- upx: behavioral2/memory/2716-3-0x0000000000400000-0x00000000004B7000-memory.dmp
- upx: behavioral2/memory/2716-5-0x0000000000400000-0x00000000004B7000-memory.dmp
- upx: behavioral2/memory/2716-6-0x0000000000400000-0x00000000004B7000-memory.dmp
The three memory matches are dumps of the 0x400000-0x4B7000 image range of PID 2716 (iexplore.exe). A UPX signature inside the Internet Explorer process is the packed RAT image that msdcsc.exe wrote there, not anything belonging to iexplore.exe.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation (process: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe)
Windows security modification
Processes: msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: msdcsc.exe)
Both values suppress the Security Center warnings (no antivirus, updates off) that would otherwise appear once wscsvc is disabled. The WOW6432Node path is the 32-bit registry view: a 32-bit process writing under HKLM\SOFTWARE on 64-bit Windows.
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe)
Suspicious use of SetThreadContext 1 IoCs
Processes: msdcsc.exe
- PID 2408 (msdcsc.exe) set thread context of PID 2716 (target process: iexplore.exe)
Together with the five WriteProcessMemory calls from 2408 into 2716 listed below and the UPX-packed image found at 0x400000 in iexplore.exe's memory, this is process hollowing: msdcsc.exe starts a legitimate iexplore.exe, overwrites its image with the RAT and points a thread at the new code, so any C2 traffic would appear to come from Internet Explorer.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description labels this "likely ransomware behaviour"; that label is generic and does not fit here, where the extracted config identifies the sample as DarkComet, a RAT whose drive enumeration serves its file-management features rather than encryption.
Modifies registry class 1 IoCs
Processes: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance (process: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe, msdcsc.exe, iexplore.exe
- PID 756 (46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe) Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries)
- PID 2408 (msdcsc.exe) Token: the same 24 privileges in the same order, SeIncreaseQuotaPrivilege through SeCreateGlobalPrivilege and then 33, 34, 35, 36
- PID 2716 (iexplore.exe) Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege (16 entries; the listing stops at the report's 64-IoC cap, 24 + 24 + 16, so iexplore.exe very likely continued through the same set)
Each process walks the same fixed privilege list in the same order, the signature of a routine that tries to enable every privilege it can name rather than the one it needs; the numeric entries are privilege LUIDs the sandbox did not resolve to names. AdjustTokenPrivileges can only enable privileges the token already holds, so this is not an escalation in itself, but the identical sequence in all three processes is further evidence that the same RAT code is executing in each of them.
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: iexplore.exe
- PID 2716 iexplore.exe
A Windows hook installed from the injected iexplore.exe process is consistent with the keylogger enabled in the extracted config (offline_keylogger: true).
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe, msdcsc.exe
- PID 756 (46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe) wrote to memory of PID 2408 (msdcsc.exe), 3 times
- PID 2408 (msdcsc.exe) wrote to memory of PID 2716 (iexplore.exe), 5 times
System policy modification 1 TTPs 3 IoCs
Processes: msdcsc.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (process: msdcsc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (process: msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (process: msdcsc.exe)
Key names are reproduced as the sandbox recorded them. The intended effect is the Explorer NoControlPanel policy (locking the user out of the Control Panel), but Windows reads that policy from Policies\Explorer, not from a "Policies\CurrentVersion\Explorern" subkey, so the value has no effect; it is still a useful hunting artefact for this build.
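The registry writes above (UserInit hijack, wscsvc disabled, Security Center notifications silenced, Run key into a user-writable folder, the NoControlPanel policy) are the kind of events a host collector or sandbox export already produces. The following detection logic, an added example and not part of the sandbox report, evaluates such events against one rule per signature and is run over a constructed event list built from the rows in this report plus two benign controls; the RegEvent shape, the rule names and the benign entries are assumptions, not sandbox output. The rules are written generally (any RunOnce value, any defence-relevant service, any *DisableNotify value) rather than for this sample alone.

```python
"""Detection logic for the registry persistence and defence-evasion writes
listed in the Signatures section, run over constructed sample events.

The RegEvent shape and the sample events are assumptions modelled on the
report's "Set value (...) <key> = <data> <process>" rows; they are not
sandbox output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    process: str
    operation: str      # "Set value (str)", "Set value (int)", "Key created"
    path: str           # full key path, value name last
    data: str = ""      # written data as a collector prints it


# Directories a standard user can write to; a Run entry pointing here is
# persistence that never needed admin rights to install.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")
# Services whose Start = 4 (SERVICE_DISABLED) weakens the host's own defences.
SECURITY_SERVICES = {"wscsvc", "windefend", "mpssvc", "wuauserv", "securityhealthservice"}
SERVICE_DISABLED = "4"


def norm_path(path: str) -> str:
    """Lower-case the key, drop the hive (and user SID) prefix and the
    WOW6432Node redirection so that \\REGISTRY\\MACHINE\\..., HKLM\\... and
    their 32-bit-view forms compare equal."""
    p = path.lower().lstrip("\\")
    p = re.sub(r"^registry\\machine\\", "", p)
    p = re.sub(r"^registry\\user\\s-1-5-[0-9-]+\\", "", p)
    p = re.sub(r"^(hklm|hkcu|hkey_local_machine|hkey_current_user)\\", "", p)
    return p.replace("software\\wow6432node\\", "software\\")


def is_user_writable(file_path: str) -> bool:
    return any(marker in file_path.lower() for marker in USER_WRITABLE)


def check_event(ev: RegEvent) -> list[str]:
    """Return the rule names (with detail) that a single event triggers."""
    key = norm_path(ev.path)
    name = key.rsplit("\\", 1)[-1]
    data = ev.data.strip('"')
    hits: list[str] = []

    # 1. Winlogon UserInit: the default is "C:\Windows\system32\userinit.exe,";
    #    every extra comma-separated entry is started by Winlogon at logon.
    if key.endswith("\\winlogon\\userinit"):
        entries = [e.strip() for e in data.split(",") if e.strip()]
        extra = [e for e in entries if not e.lower().endswith("\\system32\\userinit.exe")]
        if extra:
            hits.append("winlogon_userinit_hijack: " + ", ".join(extra))

    # 2. Run/RunOnce value whose target lives in a user-writable directory.
    if re.search(r"\\currentversion\\run(once)?\\[^\\]+$", key) and is_user_writable(data):
        hits.append(f"run_key_user_writable: {name} -> {data}")

    # 3. A defence-relevant service switched to SERVICE_DISABLED.
    m = re.search(r"\\services\\([^\\]+)\\start$", key)
    if m and m.group(1) in SECURITY_SERVICES and data == SERVICE_DISABLED:
        hits.append("security_service_disabled: " + m.group(1))

    # 4. Security Center *DisableNotify = 1 silences the warnings that rule 3
    #    would otherwise produce.
    if "\\security center\\" in key and name.endswith("disablenotify") and data == "1":
        hits.append("security_center_notify_disabled: " + name)

    # 5. Explorer NoControlPanel policy. Matched on the value name alone so the
    #    misspelt parent key recorded in the report ("Explorern") still hits.
    if "\\policies\\" in key and name == "nocontrolpanel" and data == "1":
        hits.append("policy_nocontrolpanel")
    return hits


def scan(events: list[RegEvent]) -> list[tuple[str, str]]:
    """(rule detail, writing process) for every event that triggers a rule."""
    return [(hit, ev.process) for ev in events for hit in check_event(ev)]


# Constructed sample: the report's registry rows (single backslashes, as a
# live collector would emit them) plus two benign control events.
DROPPER = "46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe"
SID = r"\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000"
SAMPLE_EVENTS = [
    RegEvent(DROPPER, "Set value (str)",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
             r"C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"),
    RegEvent("iexplore.exe", "Set value (int)",
             r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start", "4"),
    RegEvent("msdcsc.exe", "Set value (int)",
             r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start", "4"),
    RegEvent("msdcsc.exe", "Set value (str)",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify", "1"),
    RegEvent("msdcsc.exe", "Set value (str)",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify", "1"),
    RegEvent(DROPPER, "Set value (str)",
             SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate",
             r"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"),
    RegEvent("msdcsc.exe", "Set value (str)",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel", "1"),
    # Benign controls (constructed): the default UserInit value and a Run entry
    # under Program Files trigger nothing.
    RegEvent("setup.exe", "Set value (str)",
             r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
             r"C:\Windows\system32\userinit.exe,"),
    RegEvent("setup.exe", "Set value (str)",
             r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
             r"C:\Program Files\Vendor\agent.exe"),
]


if __name__ == "__main__":
    for detail, proc in scan(SAMPLE_EVENTS):
        print(f"{proc:<14} {detail}")
```

Run as a script it prints seven findings for the report's rows and none for the two controls. Path normalisation is the part worth getting right: the same key shows up as \REGISTRY\MACHINE\..., HKLM\... or under WOW6432Node depending on the collector and the process bitness, and a rule keyed on one spelling misses the others.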
Processes
- C:\Users\Admin\AppData\Local\Temp\46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe (PID 756)
  "C:\Users\Admin\AppData\Local\Temp\46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2408, child of 756)
    "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 2716, child of 2408)
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Modifies security service
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
PIDs are taken from the signature details above. The chain is dropper -> installed copy -> hollowed Internet Explorer: the submitted file writes the persistence keys, the copy in Documents\MSDCSC does the defence evasion and the injection, and the RAT's runtime behaviour (hook installation, service tampering) is seen from the iexplore.exe process.
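The process tree plus the WriteProcessMemory and SetThreadContext signatures give the ordered cross-process calls that distinguish hollowing from ordinary parent-child interaction: the dropper also writes into msdcsc.exe's memory, but only msdcsc.exe writes into iexplore.exe and then sets a thread context on it. The function below, an added example and not part of the sandbox report, detects that pattern over an API-call trace. The ApiEvent shape and SAMPLE_TRACE are constructed from the report's PIDs, image paths and call counts (one CreateProcess per child is assumed; the report lists only the writes, the context switch and the hook) and are not sandbox output.

```python
"""Process-hollowing detection over an API-call sequence, modelled on the
WriteProcessMemory / SetThreadContext rows in this report.

Added example; the ApiEvent shape and SAMPLE_TRACE are constructed from the
report's PIDs, images and call counts and are not sandbox output.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ApiEvent:
    seq: int                           # position in the trace
    pid: int
    image: str                         # full path of the calling process
    api: str
    target_pid: Optional[int] = None   # set for cross-process calls


USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def find_hollowing(events: list[ApiEvent]) -> list[dict]:
    """One finding per (source, target) pair in which the source wrote into the
    target and afterwards set a thread context on it. Writes alone (as in the
    dropper -> msdcsc.exe pair) are not reported: a parent that writes to a
    child without redirecting a thread may only be handing it data."""
    ordered = sorted(events, key=lambda e: e.seq)
    # Image path of every PID that made at least one call in the trace.
    images = {e.pid: e.image for e in ordered}
    pairs = defaultdict(list)
    for e in ordered:
        if e.target_pid is not None:
            pairs[(e.pid, e.target_pid)].append(e)

    findings = []
    for (src, dst), calls in pairs.items():
        writes = [c.seq for c in calls if c.api == "WriteProcessMemory"]
        ctx = [c.seq for c in calls if c.api == "SetThreadContext"]
        # Need at least one write that precedes a context switch.
        if not writes or not ctx or min(writes) > max(ctx):
            continue
        src_img = images.get(src, "")
        dst_img = images.get(dst, "")
        # Highest confidence: a binary in a user-writable location created the
        # target itself and the target's image is a trusted OS/program binary.
        created = any(c.api == "CreateProcess" for c in calls)
        trusted_dst = dst_img.lower().startswith(TRUSTED_ROOTS)
        untrusted_src = any(m in src_img.lower() for m in USER_WRITABLE)
        severity = "high" if (created and trusted_dst and untrusted_src) else "medium"
        findings.append({
            "src_pid": src, "src_image": src_img,
            "dst_pid": dst, "dst_image": dst_img,
            "writes": len(writes), "first_write": min(writes), "context_set": ctx[0],
            "created_by_source": created, "severity": severity,
        })
    return findings


# Constructed trace mirroring the report: 3 writes 756 -> 2408, then
# 5 writes and one SetThreadContext 2408 -> 2716, then the hook from 2716.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe"
INSTALLED = r"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
IEXPLORE = r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

SAMPLE_TRACE = [
    ApiEvent(1, 756, DROPPER, "CreateProcess", 2408),          # assumed
    ApiEvent(2, 756, DROPPER, "WriteProcessMemory", 2408),
    ApiEvent(3, 756, DROPPER, "WriteProcessMemory", 2408),
    ApiEvent(4, 756, DROPPER, "WriteProcessMemory", 2408),
    ApiEvent(5, 2408, INSTALLED, "CreateProcess", 2716),       # assumed
    ApiEvent(6, 2408, INSTALLED, "WriteProcessMemory", 2716),
    ApiEvent(7, 2408, INSTALLED, "WriteProcessMemory", 2716),
    ApiEvent(8, 2408, INSTALLED, "WriteProcessMemory", 2716),
    ApiEvent(9, 2408, INSTALLED, "WriteProcessMemory", 2716),
    ApiEvent(10, 2408, INSTALLED, "WriteProcessMemory", 2716),
    ApiEvent(11, 2408, INSTALLED, "SetThreadContext", 2716),
    ApiEvent(12, 2716, IEXPLORE, "SetWindowsHookEx"),
]


if __name__ == "__main__":
    for f in find_hollowing(SAMPLE_TRACE):
        print(f"{f['severity']}: {f['src_image']} ({f['src_pid']}) -> "
              f"{f['dst_image']} ({f['dst_pid']}), {f['writes']} writes before SetThreadContext")
```

On the constructed trace only the msdcsc.exe -> iexplore.exe pair is reported, at high severity; the dropper -> msdcsc.exe writes are left alone because no thread context follows them. In a live pipeline the same rule would be fed from EDR or Sysmon-style cross-process events rather than a sandbox trace.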
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: fede7a68bdb1f79b5f09c590b1226e34
  SHA1: 48037cae2e1fbd08b80f39e43c8209acaf3e4dd6
  SHA256: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f
  SHA512: 4926d0eb30428c18e09553a3a66a677bb746c635c3bbe024a14270a6bf4da089c4564d449856d15e3ba4bd515fbe1daedbc3af631b064feafe2a333d12b821ff
  The dropped file's hashes are identical to the submitted sample's: the installer copies itself unchanged into the InstallPath, so one hash rule covers both the dropper and the installed copy.
- memory/2408-0-0x0000000000000000-mapping.dmp
- memory/2716-3-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize 732KB)
- memory/2716-4-0x00000000004B5790-mapping.dmp
- memory/2716-5-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize 732KB)
- memory/2716-6-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize 732KB)
The 0x400000-0x4B7000 range is 0xB7000 bytes, matching the 732KB dump size; the 0x4B5790 address in the mapping dump sits inside that range near its end, which is where the entry point of a UPX-packed image lies. These three image dumps of PID 2716 are the ones the upx yara rule matched above and are the artefacts to unpack for static analysis of the RAT body.