Analysis
max time kernel: 151s
max time network: 151s
platform: windows10_x64
resource: win10v20201028
submitted: 17-11-2020 12:32
Static task: static1
Behavioral task: behavioral1
Sample: 53eacf566350a00d0e86b5886a51668f.exe
Resource: win7v20201028
General
Target: 53eacf566350a00d0e86b5886a51668f.exe
Size: 252KB
MD5: 80611b7935abbf4b7023ff75cca94df1
SHA1: ca2a351513c169d1a6b074c68db4f3eb060b7fc8
SHA256: 31a5f14f1a0ae9c67c11d3a73c3d5265c72ff5e00791e868aff01796293f613d
SHA512: 6a6c14206bfc791d5daf7b349cc2f37099979f4691e9d8c4a7d98f28f9d23b44f92175eb8a106d3da9606b0d690c65137cad93011e9f2ac49ea61e577d60262f
Malware Config
Extracted
Family: darkcomet
Botnet: lox
C2: logan.bounceme.net:1604
Mutex: DC_MUTEX-HKYPFJY
Attributes:
- InstallPath: MSDCSC\msdcsc.exe
- gencode: UoVSUsqvZCVe
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: vshost
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: 53eacf566350a00d0e86b5886a51668f.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" (53eacf566350a00d0e86b5886a51668f.exe)
The dropped copy is appended after the legitimate userinit.exe entry, so it starts at every interactive logon independently of the Run key below.
Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: msdcsc.exe, iexplore.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (msdcsc.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (msdcsc.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (msdcsc.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (iexplore.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (iexplore.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (iexplore.exe)
Modifies security service (2 TTPs, 2 IoCs)
Processes: iexplore.exe, msdcsc.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (iexplore.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (msdcsc.exe)
Start = 4 disables the Security Center service (wscsvc). Note that iexplore.exe repeats every write msdcsc.exe makes: it is the injection target of msdcsc.exe (see SetThreadContext and WriteProcessMemory below), not a browser the user launched.
Disables RegEdit via registry modification (no IoCs listed)
Disables Task Manager via registry modification (no IoCs listed)
Executes dropped EXE (1 IoC)
Processes: msdcsc.exe
- PID 196 msdcsc.exe
UPX packed file (yara rule: upx)
Processes:
- C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe (listed twice)
- behavioral2/memory/2316-6-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/2316-8-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/2316-9-0x0000000000400000-0x00000000004B7000-memory.dmp
The same UPX-packed image is found on disk and in the 0x400000-0x4B7000 region of iexplore.exe (PID 2316), which is where the dumps of the injected payload come from.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 53eacf566350a00d0e86b5886a51668f.exe
- Key value queried \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation (53eacf566350a00d0e86b5886a51668f.exe)
Deletes itself (1 IoC)
Processes: notepad.exe
- PID 400 notepad.exe
Windows security modification
Processes: msdcsc.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: 53eacf566350a00d0e86b5886a51668f.exe, msdcsc.exe, iexplore.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\vshost = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" (53eacf566350a00d0e86b5886a51668f.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\vshost = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" (msdcsc.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\vshost = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" (iexplore.exe)
The value name vshost matches the reg_key attribute in the extracted config.
Suspicious use of SetThreadContext (1 IoC)
Processes: msdcsc.exe
- PID 196 msdcsc.exe set thread context of PID 2316 iexplore.exe
Enumerates physical storage devices (1 TTP)
Sandbox description: attempts to interact with connected storage/optical drive(s), likely ransomware behaviour. This is a generic heuristic with no IoCs recorded for it; the sample is a DarkComet RAT, and nothing else in this report supports a ransomware reading.
Modifies registry class (1 IoC)
Processes: 53eacf566350a00d0e86b5886a51668f.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance (53eacf566350a00d0e86b5886a51668f.exe)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 53eacf566350a00d0e86b5886a51668f.exe (PID 1052), msdcsc.exe (PID 196), iexplore.exe (PID 2316)
- PID 1052 53eacf566350a00d0e86b5886a51668f.exe adjusted: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 196 msdcsc.exe adjusted the same 24 privileges in the same order
- PID 2316 iexplore.exe adjusted: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege (16 entries; 24 + 24 + 16 = 64, so the listing stops at the 64-IoC cap)
The numeric entries are privilege LUIDs the sandbox did not name: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege. Enabling every privilege the token holds, SeDebugPrivilege included, is what each stage does before injecting into the next.
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: iexplore.exe
- PID 2316 iexplore.exe
A hook installed from the injected process is consistent with the offline_keylogger: true config attribute.
Suspicious use of WriteProcessMemory (25 IoCs)
Processes: 53eacf566350a00d0e86b5886a51668f.exe, msdcsc.exe
- PID 1052 53eacf566350a00d0e86b5886a51668f.exe wrote to memory of PID 400 notepad.exe (17 writes)
- PID 1052 53eacf566350a00d0e86b5886a51668f.exe wrote to memory of PID 196 msdcsc.exe (3 writes)
- PID 196 msdcsc.exe wrote to memory of PID 2316 iexplore.exe (5 writes)
System policy modification (1 TTP, 3 IoCs)
Processes: msdcsc.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (msdcsc.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (msdcsc.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (msdcsc.exe)
Paths are reproduced exactly as the sandbox recorded them (Policies\CurrentVersion\Explorern); the location Windows itself reads NoControlPanel from is Policies\Explorer.
Processes
1. C:\Users\Admin\AppData\Local\Temp\53eacf566350a00d0e86b5886a51668f.exe (PID 1052)
   Command line: "C:\Users\Admin\AppData\Local\Temp\53eacf566350a00d0e86b5886a51668f.exe"
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Adds Run key to start application
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\notepad.exe (PID 400)
      Command line: notepad
      - Deletes itself
   2. C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe (PID 196)
      Command line: "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 2316)
         Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         - Modifies firewall policy service
         - Modifies security service
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
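The artefacts above are what an incident responder would sweep a suspect host for. The following script is an added example written for this page; it is not part of the sandbox report and not DarkComet's own code. It checks a Windows host for the registry, file and mutex indicators listed above. Assumptions: it runs elevated on Windows 10; a clean host has only userinit.exe in Winlogon\Userinit; the ATT&CK technique IDs are my mapping, not the report's; the Policies\Explorer path is the documented policy location, checked alongside the Policies\CurrentVersion\Explorern path exactly as the report recorded it.

```powershell
# Added host-triage script (not from the sandbox report). Run in an elevated session.
# Assumption: a clean Windows 10 host lists only userinit.exe in Winlogon\Userinit.
$Findings = New-Object 'System.Collections.Generic.List[string]'
function Add-Finding([string]$Tag, [string]$Detail) { $script:Findings.Add("[$Tag] $Detail") }

# 1. Winlogon\Userinit (T1547.004). The value is a comma-separated list; the sample
#    appended its dropped copy after the legitimate userinit.exe entry.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $wl -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($userinit) {
    $entries = ($userinit -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
    foreach ($e in $entries) {
        if ($e -notmatch '\\system32\\userinit\.exe$') { Add-Finding 'T1547.004' "Unexpected Userinit entry: $e" }
    }
}

# 2. Run keys (T1547.001). The report shows HKCU\...\Run\vshost pointing at the dropped copy.
#    HKCU covers the current user only; load other users' NTUSER.DAT hives to check them.
foreach ($rp in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $rp -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        if ($p.Name -eq 'vshost' -or "$($p.Value)" -match '\\MSDCSC\\msdcsc\.exe') {
            Add-Finding 'T1547.001' "Run value '$($p.Name)' = $($p.Value) in $rp"
        }
    }
}

# 3. Dropped copy (InstallPath MSDCSC\msdcsc.exe under %APPDATA%). The report's dropped file
#    hashed identically to the submitted sample, so a SHA256 match ties the host to this build.
$dropped = Join-Path $env:APPDATA 'MSDCSC\msdcsc.exe'
if (Test-Path -LiteralPath $dropped) {
    $sha   = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash.ToLower()
    $known = '31a5f14f1a0ae9c67c11d3a73c3d5265c72ff5e00791e868aff01796293f613d'
    $note  = if ($sha -eq $known) { 'SHA256 matches the report' } else { "SHA256 $sha differs from the report" }
    Add-Finding 'file' "$dropped present; $note"
}

# 4. Firewall policy (T1562.004). The report records ControlSet001; CurrentControlSet is the
#    live control set, so that is the one to read on a running host.
$fw = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' -ErrorAction SilentlyContinue
if ($fw -and $fw.EnableFirewall -eq 0) { Add-Finding 'T1562.004' 'StandardProfile EnableFirewall = 0' }

# 5. Security Center service (T1562.001): Start = 4 means disabled.
$wsc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc' -ErrorAction SilentlyContinue
if ($wsc -and $wsc.Start -eq 4) { Add-Finding 'T1562.001' 'wscsvc Start = 4 (service disabled)' }

# 6. Security Center notification suppression (T1562.001). The 32-bit sample wrote under
#    WOW6432Node; check both registry views. The report stores "1" as a string.
foreach ($sc in 'HKLM:\SOFTWARE\Microsoft\Security Center',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center') {
    $v = Get-ItemProperty -Path $sc -ErrorAction SilentlyContinue
    if (-not $v) { continue }
    foreach ($n in 'AntiVirusDisableNotify','UpdatesDisableNotify') {
        if ("$($v.$n)" -eq '1') { Add-Finding 'T1562.001' "$n = 1 under $sc" }
    }
}

# 7. Control Panel lockout (T1112). Policies\Explorer is the documented location; the second
#    path is the one the report recorded, quoted exactly as written there.
foreach ($pol in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern') {
    $v = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
    if ($v -and "$($v.NoControlPanel)" -eq '1') { Add-Finding 'T1112' "NoControlPanel = 1 under $pol" }
}

# 8. Live-infection check: the configured mutex exists only while the RAT runs in this session.
#    OpenExisting throws WaitHandleCannotBeOpenedException when absent; access denied means it
#    exists under another security context, which is still a hit.
$mutexState = 'absent'
try {
    $m = [System.Threading.Mutex]::OpenExisting('DC_MUTEX-HKYPFJY'); $m.Dispose(); $mutexState = 'open'
} catch {
    if ($_.Exception -is [System.UnauthorizedAccessException] -or
        $_.Exception.InnerException -is [System.UnauthorizedAccessException]) { $mutexState = 'access denied' }
}
if ($mutexState -ne 'absent') { Add-Finding 'mutex' "DC_MUTEX-HKYPFJY present ($mutexState): DarkComet is running now" }

if ($Findings.Count -eq 0) { 'No artefacts from the report found on this host.' } else { $Findings }
```

Two caveats when using it: the mutex check only sees the caller's session namespace, so run it in the session of the user who executed the sample (or as that user), and a DNS or proxy log search for logan.bounceme.net and outbound TCP 1604 is the complementary network-side check that no host script replaces.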
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe (listed twice in the report)
MD5: 80611b7935abbf4b7023ff75cca94df1
SHA1: ca2a351513c169d1a6b074c68db4f3eb060b7fc8
SHA256: 31a5f14f1a0ae9c67c11d3a73c3d5265c72ff5e00791e868aff01796293f613d
SHA512: 6a6c14206bfc791d5daf7b349cc2f37099979f4691e9d8c4a7d98f28f9d23b44f92175eb8a106d3da9606b0d690c65137cad93011e9f2ac49ea61e577d60262f
All four hashes are identical to the submitted sample: the dropped file is a byte-for-byte copy of the original, so one set of file hashes covers both.
Memory dumps:
- memory/196-3-0x0000000000000000-mapping.dmp
- memory/400-0-0x0000000000000000-mapping.dmp
- memory/400-1-0x00000000008A0000-0x00000000008A1000-memory.dmp (4KB)
- memory/400-2-0x0000000000000000-mapping.dmp
- memory/2316-6-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
- memory/2316-7-0x00000000004B5850-mapping.dmp
- memory/2316-8-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
- memory/2316-9-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)