Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 15:47

Behavioral task: behavioral1
- Sample: b02479bd2f3ff635c7379a62ca54e502.exe
- Resource: win7v20201028
General
- Target: b02479bd2f3ff635c7379a62ca54e502.exe
- Size: 658KB
- MD5: b02479bd2f3ff635c7379a62ca54e502
- SHA1: ab25e517492161e240093753a9fb41d8cca6aa98
- SHA256: 668b49adbd859ede384b13bfa1082ad5254df49d8841e39fcff375bf15e057ca
- SHA512: 6b767502a250ee86dbece2ea14dce930ead6b0fadf97431fbb8363bc046ef5528444f875ce9a18fde72c8a2d88271a095d559b43bd1301b397fa0f303641a312
Malware Config
Extracted family: darkcomet
- Botnet: Guest16
- C2: 95.31.38.1:1604
- C2: lololoshka228.ddns.net:1604
- Mutex: DC_MUTEX-QBCS1A4
- InstallPath: MSDCSC\msdcsc.exe
- gencode: NNCa8eHTowkP
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: b02479bd2f3ff635c7379a62ca54e502.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" (process: b02479bd2f3ff635c7379a62ca54e502.exe)

Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: iexplore.exe, msdcsc.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (process: iexplore.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (process: msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (process: msdcsc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (process: iexplore.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: iexplore.exe)

Modifies security service (2 TTPs, 2 IoCs)
Processes: msdcsc.exe, iexplore.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (process: msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (process: iexplore.exe)

Executes dropped EXE (1 IoC)
Processes: msdcsc.exe
- pid 3164 msdcsc.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: b02479bd2f3ff635c7379a62ca54e502.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation (process: b02479bd2f3ff635c7379a62ca54e502.exe)
Windows security modification (2 IoCs)
Processes: msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: msdcsc.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: b02479bd2f3ff635c7379a62ca54e502.exe, msdcsc.exe, iexplore.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" (process: b02479bd2f3ff635c7379a62ca54e502.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" (process: msdcsc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" (process: iexplore.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes: msdcsc.exe
- PID 3164 set thread context of 1016 (process: msdcsc.exe, target process: iexplore.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
Processes: b02479bd2f3ff635c7379a62ca54e502.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance (process: b02479bd2f3ff635c7379a62ca54e502.exe)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: iexplore.exe
- pid 1016 iexplore.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: b02479bd2f3ff635c7379a62ca54e502.exe, msdcsc.exe, iexplore.exe
- pid 8 b02479bd2f3ff635c7379a62ca54e502.exe (24 IoCs), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- pid 3164 msdcsc.exe (24 IoCs), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- pid 1016 iexplore.exe (16 IoCs), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: iexplore.exe
- pid 1016 iexplore.exe

Suspicious use of WriteProcessMemory (42 IoCs)
Processes: b02479bd2f3ff635c7379a62ca54e502.exe, cmd.exe, cmd.exe, msdcsc.exe, iexplore.exe
- PID 8 wrote to memory of 3240 (process: b02479bd2f3ff635c7379a62ca54e502.exe, target process: cmd.exe), 3 IoCs
- PID 8 wrote to memory of 3736 (process: b02479bd2f3ff635c7379a62ca54e502.exe, target process: cmd.exe), 3 IoCs
- PID 3736 wrote to memory of 388 (process: cmd.exe, target process: attrib.exe), 3 IoCs
- PID 3240 wrote to memory of 868 (process: cmd.exe, target process: attrib.exe), 3 IoCs
- PID 8 wrote to memory of 3164 (process: b02479bd2f3ff635c7379a62ca54e502.exe, target process: msdcsc.exe), 3 IoCs
- PID 3164 wrote to memory of 1016 (process: msdcsc.exe, target process: iexplore.exe), 5 IoCs
- PID 1016 wrote to memory of 2696 (process: iexplore.exe, target process: notepad.exe), 22 IoCs

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe, attrib.exe
- pid 388 attrib.exe
- pid 868 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b02479bd2f3ff635c7379a62ca54e502.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b02479bd2f3ff635c7379a62ca54e502.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\b02479bd2f3ff635c7379a62ca54e502.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp\b02479bd2f3ff635c7379a62ca54e502.exe" +s +h
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
  - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\notepad.exe
        command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  MD5: b02479bd2f3ff635c7379a62ca54e502
  SHA1: ab25e517492161e240093753a9fb41d8cca6aa98
  SHA256: 668b49adbd859ede384b13bfa1082ad5254df49d8841e39fcff375bf15e057ca
  SHA512: 6b767502a250ee86dbece2ea14dce930ead6b0fadf97431fbb8363bc046ef5528444f875ce9a18fde72c8a2d88271a095d559b43bd1301b397fa0f303641a312
- memory/388-4-0x0000000000000000-mapping.dmp
- memory/868-5-0x0000000000000000-mapping.dmp
- memory/1016-9-0x0000000000400000-0x00000000004B2000-memory.dmp (filesize 712KB)
- memory/1016-10-0x000000000048F888-mapping.dmp
- memory/1016-11-0x0000000000400000-0x00000000004B2000-memory.dmp (filesize 712KB)
- memory/2696-12-0x0000000000000000-mapping.dmp
- memory/2696-13-0x0000000000970000-0x0000000000971000-memory.dmp (filesize 4KB)
- memory/2696-14-0x0000000000000000-mapping.dmp
- memory/3164-6-0x0000000000000000-mapping.dmp
- memory/3240-2-0x0000000000000000-mapping.dmp
- memory/3736-3-0x0000000000000000-mapping.dmp