Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-12-2020 15:47
Behavioral task
- behavioral1
- Sample: b02479bd2f3ff635c7379a62ca54e502.exe
- Resource: win7v20201028
General
- Target: b02479bd2f3ff635c7379a62ca54e502.exe
- Size: 658KB
- MD5: b02479bd2f3ff635c7379a62ca54e502
- SHA1: ab25e517492161e240093753a9fb41d8cca6aa98
- SHA256: 668b49adbd859ede384b13bfa1082ad5254df49d8841e39fcff375bf15e057ca
- SHA512: 6b767502a250ee86dbece2ea14dce930ead6b0fadf97431fbb8363bc046ef5528444f875ce9a18fde72c8a2d88271a095d559b43bd1301b397fa0f303641a312
Malware Config
Extracted family: darkcomet
- Campaign ID: Guest16
- C2: 95.31.38.1:1604
- C2: lololoshka228.ddns.net:1604
- Mutex: DC_MUTEX-QBCS1A4
- InstallPath: MSDCSC\msdcsc.exe
- gencode: NNCa8eHTowkP
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: b02479bd2f3ff635c7379a62ca54e502.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process: msdcsc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- Modifies security service (2 TTPs, 1 IoC)
  Process: msdcsc.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
- Executes dropped EXE (1 IoC)
  Process: msdcsc.exe (PID 1484)
- Loads dropped DLL (2 IoCs)
  Process: b02479bd2f3ff635c7379a62ca54e502.exe (PID 1980), two occurrences
- Windows security modification
  Process: msdcsc.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: b02479bd2f3ff635c7379a62ca54e502.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
  Process: msdcsc.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: msdcsc.exe (PID 1484)
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Process: b02479bd2f3ff635c7379a62ca54e502.exe (PID 1980)
  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  Process: msdcsc.exe (PID 1484)
  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: msdcsc.exe (PID 1484)
- Suspicious use of WriteProcessMemory (51 IoCs)
  Processes: b02479bd2f3ff635c7379a62ca54e502.exe, cmd.exe, cmd.exe, msdcsc.exe
  PID 1980 (b02479bd2f3ff635c7379a62ca54e502.exe) wrote to memory of PID 1176 (cmd.exe), 4 times
  PID 1980 (b02479bd2f3ff635c7379a62ca54e502.exe) wrote to memory of PID 1472 (cmd.exe), 4 times
  PID 1472 (cmd.exe) wrote to memory of PID 2028 (attrib.exe), 4 times
  PID 1176 (cmd.exe) wrote to memory of PID 2008 (attrib.exe), 4 times
  PID 1980 (b02479bd2f3ff635c7379a62ca54e502.exe) wrote to memory of PID 1484 (msdcsc.exe), 4 times
  PID 1484 (msdcsc.exe) wrote to memory of PID 1792 (iexplore.exe), 4 times
  PID 1484 (msdcsc.exe) wrote to memory of PID 1900 (explorer.exe), 4 times
  PID 1484 (msdcsc.exe) wrote to memory of PID 1716 (notepad.exe), 23 times
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Process: attrib.exe (PID 2028)
  Process: attrib.exe (PID 2008)
Processes (child processes indented under their parent)
- C:\Users\Admin\AppData\Local\Temp\b02479bd2f3ff635c7379a62ca54e502.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b02479bd2f3ff635c7379a62ca54e502.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\b02479bd2f3ff635c7379a62ca54e502.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\b02479bd2f3ff635c7379a62ca54e502.exe" +s +h
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
  - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    - C:\Windows\explorer.exe
      Command line: "C:\Windows\explorer.exe"
    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  MD5: b02479bd2f3ff635c7379a62ca54e502
  SHA1: ab25e517492161e240093753a9fb41d8cca6aa98
  SHA256: 668b49adbd859ede384b13bfa1082ad5254df49d8841e39fcff375bf15e057ca
  SHA512: 6b767502a250ee86dbece2ea14dce930ead6b0fadf97431fbb8363bc046ef5528444f875ce9a18fde72c8a2d88271a095d559b43bd1301b397fa0f303641a312
- \Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  MD5: b02479bd2f3ff635c7379a62ca54e502
  SHA1: ab25e517492161e240093753a9fb41d8cca6aa98
  SHA256: 668b49adbd859ede384b13bfa1082ad5254df49d8841e39fcff375bf15e057ca
  SHA512: 6b767502a250ee86dbece2ea14dce930ead6b0fadf97431fbb8363bc046ef5528444f875ce9a18fde72c8a2d88271a095d559b43bd1301b397fa0f303641a312
- memory/1176-2-0x0000000000000000-mapping.dmp
- memory/1472-3-0x0000000000000000-mapping.dmp
- memory/1484-8-0x0000000000000000-mapping.dmp
- memory/1716-11-0x0000000000000000-mapping.dmp
- memory/1716-12-0x0000000000020000-0x0000000000021000-memory.dmp (Filesize: 4KB)
- memory/1716-13-0x0000000000000000-mapping.dmp
- memory/2008-5-0x0000000000000000-mapping.dmp
- memory/2028-4-0x0000000000000000-mapping.dmp