Analysis
- Max time kernel: 151s
- Max time network: 50s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 13-11-2020 15:43
- Static task: static1
- Behavioral task: behavioral1 (resource win7v20201028)
- Sample: 4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1.exe
General
- Target: 4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1.exe
- Size: 251KB
- MD5: 44fa6d3ed60372a6e2fc42a8d37d1a0f
- SHA1: b37f23945917b4a32e20f8e0760a002164f39e85
- SHA256: 4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1
- SHA512: 1bfde61583860f33e2375cfcd0e9fcfa334520db541e47281f8d5e188ea5a0c978f4153b5bcc1a5304a7a187910d2c0dba777bd724b39ccb2bdf862f2843f63b
Malware Config
Extracted
- Family: darkcomet
- Botnet: Sazan
- C2: 127.0.0.1:1604 (loopback address)
- Mutex: DC_MUTEX-FG9B2GA
- InstallPath: MSDCSC\msdcsc.exe
- gencode: j5zPqt9UKPk3
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Modifies security service (2 TTPs, 2 IoCs)
  Processes: iexplore.exe, msdcsc.exe
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (iexplore.exe)
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (msdcsc.exe)
- Executes dropped EXE (1 IoC)
  - PID 1968 msdcsc.exe
- Yara rule matches (rule: upx; the signature heading is missing from the page)
  - \Users\Admin\Documents\MSDCSC\msdcsc.exe (listed twice)
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (listed twice)
  - behavioral1/memory/1716-5-0x0000000000400000-0x00000000004B7000-memory.dmp
  - behavioral1/memory/1716-7-0x0000000000400000-0x00000000004B7000-memory.dmp
  - behavioral1/memory/1716-8-0x0000000000400000-0x00000000004B7000-memory.dmp
- Loads dropped DLL (2 IoCs)
  - PID 288 4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1.exe (two entries)
- Windows security modification (heading recovered from the process tree below)
  Process: msdcsc.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Suspicious use of SetThreadContext (1 IoC)
  - PID 1968 (msdcsc.exe) set thread context of PID 1716 (iexplore.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1.exe (PID 288), msdcsc.exe (PID 1968), iexplore.exe (PID 1716)
  - PID 288 (the sample) and PID 1968 (msdcsc.exe) each adjusted the same 23 token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privileges 33, 34 and 35 (shown by number only).
  - PID 1716 (iexplore.exe) adjusted the first 18 of those, SeIncreaseQuotaPrivilege through SeManageVolumePrivilege; the list ends there (64 IoCs in total).
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 1716 iexplore.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: 4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1.exe, msdcsc.exe
  - PID 288 (the sample) wrote to memory of PID 1968 (msdcsc.exe): 4 entries
  - PID 1968 (msdcsc.exe) wrote to memory of PID 1716 (iexplore.exe): 6 entries
- System policy modification (1 TTP, 3 IoCs)
  Process: msdcsc.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
Processes
- C:\Users\Admin\AppData\Local\Temp\4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1.exe (PID 288), command line "C:\Users\Admin\AppData\Local\Temp\4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1968, child of PID 288), command line "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 1716, child of PID 1968), command line "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Modifies security service
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (also reported as \Users\Admin\Documents\MSDCSC\msdcsc.exe; the report lists each path twice with identical hashes)
  MD5: 44fa6d3ed60372a6e2fc42a8d37d1a0f
  SHA1: b37f23945917b4a32e20f8e0760a002164f39e85
  SHA256: 4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1
  SHA512: 1bfde61583860f33e2375cfcd0e9fcfa334520db541e47281f8d5e188ea5a0c978f4153b5bcc1a5304a7a187910d2c0dba777bd724b39ccb2bdf862f2843f63b
  These hashes match the submitted sample, so the dropped file is a byte-for-byte copy of it.
- memory/1716-5-0x0000000000400000-0x00000000004B7000-memory.dmp, filesize 732KB
- memory/1716-6-0x00000000004B5790-mapping.dmp
- memory/1716-7-0x0000000000400000-0x00000000004B7000-memory.dmp, filesize 732KB
- memory/1716-8-0x0000000000400000-0x00000000004B7000-memory.dmp, filesize 732KB
- memory/1968-2-0x0000000000000000-mapping.dmp