Analysis
- max time kernel: 15s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:50

Static task: static1
Behavioral task: behavioral1
Sample: 5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe
Resource: win7v20201028
General
- Target: 5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe
- Size: 943KB
- MD5: 73bcf2b04c92a924efbf970ee4b51f27
- SHA1: 9adc5d462452977b5f0a803e909eac78b4b3ae5a
- SHA256: 5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944
- SHA512: 4ab52efc47766ea073f5501767f709829a4b178bc5fd823c932c66f57e1a4cf27726ff9c197a662b7dfbe5a21449692da8fcc79f3e95cb313d6969e18af394d5
Malware Config
Extracted
- Family: darkcomet
- Botnet: Sazan
- C2: 127.0.0.1:1604
- Mutex: DC_MUTEX-19R9P6E
- InstallPath: MSDCSC\msdcsc.exe
- gencode: FExQJU0T6CCU
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: RegAsm.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | RegAsm.exe

Executes dropped EXE (1 IoC)
Processes: msdcsc.exe
  pid | process
  3548 | msdcsc.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: RegAsm.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation | RegAsm.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe, RegAsm.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "/windows\\windows.exe" | 5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | RegAsm.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: 5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe
  description | pid | process | target process
  PID 812 set thread context of 3248 | 812 | 5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe | RegAsm.exe

Drops file in Windows directory (4 IoCs)
Processes: attrib.exe, 5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe, attrib.exe
  description | ioc | process
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | attrib.exe
  File created | C:\windows\windows.exe | 5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe
  File opened for modification | C:\windows\windows.exe | 5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | attrib.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
Processes: RegAsm.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | RegAsm.exe

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: RegAsm.exe (pid 3248)
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory (44 IoCs)
Processes: 5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe, RegAsm.exe, cmd.exe, cmd.exe
  description | pid | process | target process | occurrences
  PID 812 wrote to memory of 3248 | 812 | 5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe | RegAsm.exe | 12
  PID 3248 wrote to memory of 2916 | 3248 | RegAsm.exe | cmd.exe | 3
  PID 3248 wrote to memory of 2928 | 3248 | RegAsm.exe | cmd.exe | 3
  PID 3248 wrote to memory of 2732 | 3248 | RegAsm.exe | notepad.exe | 17
  PID 2928 wrote to memory of 3872 | 2928 | cmd.exe | attrib.exe | 3
  PID 2916 wrote to memory of 2120 | 2916 | cmd.exe | attrib.exe | 3
  PID 3248 wrote to memory of 3548 | 3248 | RegAsm.exe | msdcsc.exe | 3

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe, attrib.exe
  pid | process
  2120 | attrib.exe
  3872 | attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" +s +h
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" +s +h
        - Drops file in Windows directory
        - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        - Drops file in Windows directory
        - Views/modifies file attributes

    C:\Windows\SysWOW64\notepad.exe
      Command line: notepad

    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: 2b1a3a3fcf0717af55696df58471ab53
  SHA1: f3bac5265a01f896fede7440a278ad1814c4ed01
  SHA256: 8790792d4f545683ed8ae9ed05f5d80df9666fd8f115987c330b82abd3b89222
  SHA512: 055bea3475a2039ea511e5e7aced6d23f9ccaa3f9f4042f0a7a4014f91b71a42d087cd8292d47d8869f73e04a1dcf5bbcdd43341e84305046f29447eb5fcd7be
- memory/2120-13-0x0000000000000000-mapping.dmp
- memory/2732-10-0x00000000030E0000-0x00000000030E1000-memory.dmp (Filesize 4KB)
- memory/2732-9-0x0000000000000000-mapping.dmp
- memory/2732-11-0x0000000000000000-mapping.dmp
- memory/2916-7-0x0000000000000000-mapping.dmp
- memory/2928-8-0x0000000000000000-mapping.dmp
- memory/3248-4-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize 712KB)
- memory/3248-6-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize 712KB)
- memory/3248-5-0x000000000048F888-mapping.dmp
- memory/3548-14-0x0000000000000000-mapping.dmp
- memory/3872-12-0x0000000000000000-mapping.dmp