Analysis
max time kernel: 134s
max time network: 146s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 20:18
Static task: static1
Behavioral task: behavioral1
  Sample: 643360deb1ae0864baad3e8c8edea7ee5693720fe9fad84b4ddac29cb5f63891.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 643360deb1ae0864baad3e8c8edea7ee5693720fe9fad84b4ddac29cb5f63891.exe
  Resource: win10v20201028
General
Target: 643360deb1ae0864baad3e8c8edea7ee5693720fe9fad84b4ddac29cb5f63891.exe
Size: 758KB
MD5: 363b1f1af6f481e6498a1195272abe79
SHA1: 9712b3c3df12c673623fd392adb97b239986fed4
SHA256: dcee7332f062683247eeb635ffea3a09c742e19bb0ea0f717b43bc1663195fd7
SHA512: e4f1490741fbe4ccd51f22e45e9c76a889492f47c45085cac9f38b7b7589d4733c3db01e1a2033a56640141f4d00660fe9a58589348a39613d58db279616d758
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: 37.53.94.245:1604
Mutex: DC_MUTEX-CA3JPES
Attributes
  InstallPath: MSDCSC\msdcsa.exe
  gencode: NTfqNtVkHorv
  install: true
  offline_keylogger: true
  persistence: true
  reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsa.exe" | 643360deb1ae0864baad3e8c8edea7ee5693720fe9fad84b4ddac29cb5f63891.EXE
Executes dropped EXE (2 IoCs)
Processes (pid | process):
  3208 | msdcsa.exe
  3576 | msdcsa.EXE
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsa.exe" | 643360deb1ae0864baad3e8c8edea7ee5693720fe9fad84b4ddac29cb5f63891.EXE
Drops file in System32 directory (4 IoCs)
Processes (description | ioc | process):
  File created | C:\Windows\SysWOW64\MSDCSC\msdcsa.exe | 643360deb1ae0864baad3e8c8edea7ee5693720fe9fad84b4ddac29cb5f63891.EXE
  File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsa.exe | 643360deb1ae0864baad3e8c8edea7ee5693720fe9fad84b4ddac29cb5f63891.EXE
  File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | 643360deb1ae0864baad3e8c8edea7ee5693720fe9fad84b4ddac29cb5f63891.EXE
  File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsa.EXE | msdcsa.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes (description | pid | process | target process):
  PID 508 set thread context of 3980 | 508 | 643360deb1ae0864baad3e8c8edea7ee5693720fe9fad84b4ddac29cb5f63891.exe | 643360deb1ae0864baad3e8c8edea7ee5693720fe9fad84b4ddac29cb5f63891.EXE
  PID 3208 set thread context of 3576 | 3208 | msdcsa.exe | msdcsa.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes (description | pid | process):
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 | 3980 | 643360deb1ae0864baad3e8c8edea7ee5693720fe9fad84b4ddac29cb5f63891.EXE
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 | 3576 | msdcsa.EXE
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes (pid | process):
  508 | 643360deb1ae0864baad3e8c8edea7ee5693720fe9fad84b4ddac29cb5f63891.exe
  3208 | msdcsa.exe
  3576 | msdcsa.EXE
Suspicious use of WriteProcessMemory (31 IoCs)
Processes (description | pid | process | target process; identical repeated events collapsed with their count):
  PID 508 wrote to memory of 3980 | 508 | 643360deb1ae0864baad3e8c8edea7ee5693720fe9fad84b4ddac29cb5f63891.exe | 643360deb1ae0864baad3e8c8edea7ee5693720fe9fad84b4ddac29cb5f63891.EXE (14 events)
  PID 3980 wrote to memory of 3208 | 3980 | 643360deb1ae0864baad3e8c8edea7ee5693720fe9fad84b4ddac29cb5f63891.EXE | msdcsa.exe (3 events)
  PID 3208 wrote to memory of 3576 | 3208 | msdcsa.exe | msdcsa.EXE (14 events)
Processes
C:\Users\Admin\AppData\Local\Temp\643360deb1ae0864baad3e8c8edea7ee5693720fe9fad84b4ddac29cb5f63891.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\643360deb1ae0864baad3e8c8edea7ee5693720fe9fad84b4ddac29cb5f63891.exe"
  PID: 508
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\643360deb1ae0864baad3e8c8edea7ee5693720fe9fad84b4ddac29cb5f63891.EXE
    command line: "C:\Users\Admin\AppData\Local\Temp\643360deb1ae0864baad3e8c8edea7ee5693720fe9fad84b4ddac29cb5f63891.EXE"
    PID: 3980
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\MSDCSC\msdcsa.exe
      command line: "C:\Windows\system32\MSDCSC\msdcsa.exe"
      PID: 3208
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\MSDCSC\msdcsa.EXE
        command line: "C:\Windows\SysWOW64\MSDCSC\msdcsa.EXE"
        PID: 3576
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Windows\SysWOW64\MSDCSC\msdcsa.exe
  MD5: 363b1f1af6f481e6498a1195272abe79
  SHA1: 9712b3c3df12c673623fd392adb97b239986fed4
  SHA256: dcee7332f062683247eeb635ffea3a09c742e19bb0ea0f717b43bc1663195fd7
  SHA512: e4f1490741fbe4ccd51f22e45e9c76a889492f47c45085cac9f38b7b7589d4733c3db01e1a2033a56640141f4d00660fe9a58589348a39613d58db279616d758
memory/3208-5-0x0000000000000000-mapping.dmp
memory/3576-11-0x000000000048F888-mapping.dmp
memory/3980-2-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
memory/3980-3-0x000000000048F888-mapping.dmp
memory/3980-4-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB