Analysis
- max time kernel: 151s
- max time network: 48s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 17-11-2020 12:32
Static task: static1
Behavioral task: behavioral1
- Sample: 53eacf566350a00d0e86b5886a51668f.exe
- Resource: win7v20201028
General
- Target: 53eacf566350a00d0e86b5886a51668f.exe
- Size: 252KB
- MD5: 80611b7935abbf4b7023ff75cca94df1
- SHA1: ca2a351513c169d1a6b074c68db4f3eb060b7fc8
- SHA256: 31a5f14f1a0ae9c67c11d3a73c3d5265c72ff5e00791e868aff01796293f613d
- SHA512: 6a6c14206bfc791d5daf7b349cc2f37099979f4691e9d8c4a7d98f28f9d23b44f92175eb8a106d3da9606b0d690c65137cad93011e9f2ac49ea61e577d60262f
Malware Config
Extracted
- Family: darkcomet
- Botnet: lox
- C2: logan.bounceme.net:1604
- Mutex: DC_MUTEX-HKYPFJY
- InstallPath: MSDCSC\msdcsc.exe
- gencode: UoVSUsqvZCVe
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: vshost
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- 53eacf566350a00d0e86b5886a51668f.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"
Modifies firewall policy service (2 TTPs, 6 IoCs)
- iexplore.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- msdcsc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- iexplore.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- iexplore.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Modifies security service (2 TTPs, 2 IoCs)
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
- iexplore.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Executes dropped EXE (1 IoC)
- PID 1364: msdcsc.exe
YARA rule match: upx (7 IoCs)
- \Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe: upx
- \Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe: upx
- C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe: upx
- C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe: upx
- behavioral1/memory/1028-8-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
- behavioral1/memory/1028-10-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
- behavioral1/memory/1028-11-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
Deletes itself (1 IoC)
- PID 1996: notepad.exe
Loads dropped DLL (2 IoCs)
- PID 756: 53eacf566350a00d0e86b5886a51668f.exe
- PID 756: 53eacf566350a00d0e86b5886a51668f.exe
Windows security modification
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Adds Run key to start application (2 TTPs, 3 IoCs)
- iexplore.exe: Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\vshost = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"
- 53eacf566350a00d0e86b5886a51668f.exe: Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\vshost = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"
- msdcsc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\vshost = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"
Suspicious use of SetThreadContext (1 IoC)
- PID 1364 (msdcsc.exe) set thread context of PID 1028 (iexplore.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- PID 756 (53eacf566350a00d0e86b5886a51668f.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 1364 (msdcsc.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 1028 (iexplore.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1028: iexplore.exe
Suspicious use of WriteProcessMemory (28 IoCs)
- PID 756 (53eacf566350a00d0e86b5886a51668f.exe) wrote to memory of PID 1996 (notepad.exe): 18 events
- PID 756 (53eacf566350a00d0e86b5886a51668f.exe) wrote to memory of PID 1364 (msdcsc.exe): 4 events
- PID 1364 (msdcsc.exe) wrote to memory of PID 1028 (iexplore.exe): 6 events
System policy modification (1 TTP, 3 IoCs)
- msdcsc.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
- msdcsc.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
Processes
- C:\Users\Admin\AppData\Local\Temp\53eacf566350a00d0e86b5886a51668f.exe (command line: "C:\Users\Admin\AppData\Local\Temp\53eacf566350a00d0e86b5886a51668f.exe")
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\notepad.exe (command line: notepad)
    - Deletes itself
  - C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe (command line: "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe")
    - Modifies firewall policy service
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe (command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe")
      - Modifies firewall policy service
      - Modifies security service
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
  MD5: 80611b7935abbf4b7023ff75cca94df1
  SHA1: ca2a351513c169d1a6b074c68db4f3eb060b7fc8
  SHA256: 31a5f14f1a0ae9c67c11d3a73c3d5265c72ff5e00791e868aff01796293f613d
  SHA512: 6a6c14206bfc791d5daf7b349cc2f37099979f4691e9d8c4a7d98f28f9d23b44f92175eb8a106d3da9606b0d690c65137cad93011e9f2ac49ea61e577d60262f
- \Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
  MD5: 80611b7935abbf4b7023ff75cca94df1
  SHA1: ca2a351513c169d1a6b074c68db4f3eb060b7fc8
  SHA256: 31a5f14f1a0ae9c67c11d3a73c3d5265c72ff5e00791e868aff01796293f613d
  SHA512: 6a6c14206bfc791d5daf7b349cc2f37099979f4691e9d8c4a7d98f28f9d23b44f92175eb8a106d3da9606b0d690c65137cad93011e9f2ac49ea61e577d60262f
- memory/1028-9-0x00000000004B5850-mapping.dmp
- memory/1028-8-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/1028-10-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/1028-11-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/1364-5-0x0000000000000000-mapping.dmp
- memory/1996-0-0x0000000000000000-mapping.dmp
- memory/1996-1-0x0000000000150000-0x0000000000151000-memory.dmp (Filesize: 4KB)
- memory/1996-2-0x0000000000000000-mapping.dmp