Analysis
- max time kernel: 39s
- max time network: 40s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: 5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe
- Resource: win7v20201028
General
- Target: 5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe
- Size: 943KB
- MD5: 73bcf2b04c92a924efbf970ee4b51f27
- SHA1: 9adc5d462452977b5f0a803e909eac78b4b3ae5a
- SHA256: 5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944
- SHA512: 4ab52efc47766ea073f5501767f709829a4b178bc5fd823c932c66f57e1a4cf27726ff9c197a662b7dfbe5a21449692da8fcc79f3e95cb313d6969e18af394d5
Malware Config
- Extracted family: darkcomet
  - Campaign: Sazan
  - C2: 127.0.0.1:1604
  - Mutex: DC_MUTEX-19R9P6E
  - InstallPath: MSDCSC\msdcsc.exe
  - gencode: FExQJU0T6CCU
  - install: true
  - offline_keylogger: true
  - persistence: true
  - reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  - RegAsm.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Executes dropped EXE (1 IoC)
  - PID 1480 msdcsc.exe
- Loads dropped DLL (1 IoC)
  - PID 1764 RegAsm.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - RegAsm.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  - 5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "/windows\\windows.exe"
- Suspicious use of SetThreadContext (1 IoC)
  - PID 2024 (5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe) set thread context of PID 1764 (RegAsm.exe)
- Drops file in Windows directory (4 IoCs)
  - attrib.exe: File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  - 5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe: File created C:\windows\windows.exe
  - 5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe: File opened for modification C:\windows\windows.exe
  - attrib.exe: File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727
- Enumerates physical storage devices (1 TTP)
  - Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  - PID 1016 WerFault.exe, target PID 1928 notepad.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  - PID 1016 WerFault.exe (5 events)
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  - PID 1764 RegAsm.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  - PID 1016 WerFault.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (58 IoCs)
  - PID 2024 (5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe) wrote to memory of 1764 (RegAsm.exe): 16 events
  - PID 1764 (RegAsm.exe) wrote to memory of 1840 (cmd.exe): 4 events
  - PID 1764 (RegAsm.exe) wrote to memory of 1084 (cmd.exe): 4 events
  - PID 1764 (RegAsm.exe) wrote to memory of 1928 (notepad.exe): 18 events
  - PID 1928 (notepad.exe) wrote to memory of 1016 (WerFault.exe): 4 events
  - PID 1840 (cmd.exe) wrote to memory of 336 (attrib.exe): 4 events
  - PID 1084 (cmd.exe) wrote to memory of 1848 (attrib.exe): 4 events
  - PID 1764 (RegAsm.exe) wrote to memory of 1480 (msdcsc.exe): 4 events
- Views/modifies file attributes (1 TTP, 2 IoCs)
  - PID 336 attrib.exe
  - PID 1848 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe (PID 2024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe"
  Signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 1764)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    Signatures: Modifies WinLogon for persistence; Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" +s +h
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" +s +h
        Signatures: Drops file in Windows directory; Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        Signatures: Drops file in Windows directory; Views/modifies file attributes
    - C:\Windows\SysWOW64\notepad.exe (PID 1928)
      Command line: notepad
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe (PID 1016)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 196
        Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1480)
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      Signatures: Executes dropped EXE
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  - MD5: 278edbd499374bf73621f8c1f969d894
  - SHA1: a81170af14747781c5f5f51bb1215893136f0bc0
  - SHA256: c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
  - SHA512: 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9
- memory/336-12-0x0000000000000000-mapping.dmp
- memory/1016-17-0x00000000024E0000-0x00000000024F1000-memory.dmp (Filesize: 68KB)
- memory/1016-11-0x0000000000000000-mapping.dmp
- memory/1016-14-0x0000000001F00000-0x0000000001F11000-memory.dmp (Filesize: 68KB)
- memory/1084-7-0x0000000000000000-mapping.dmp
- memory/1480-19-0x0000000000000000-mapping.dmp
- memory/1764-5-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1764-3-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/1764-4-0x000000000048F888-mapping.dmp
- memory/1840-6-0x0000000000000000-mapping.dmp
- memory/1848-13-0x0000000000000000-mapping.dmp
- memory/1928-8-0x0000000000000000-mapping.dmp
- memory/1928-15-0x0000000000000000-mapping.dmp
- memory/1928-16-0x0000000000000000-mapping.dmp
- memory/1928-9-0x0000000000190000-0x0000000000191000-memory.dmp (Filesize: 4KB)
- memory/1928-10-0x0000000000000000-mapping.dmp
- memory/2024-0-0x00000000047D0000-0x0000000004B3F000-memory.dmp (Filesize: 3.4MB)