Analysis
- max time kernel: 32s
- max time network: 12s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 29-04-2021 11:00

Static task: static1

Behavioral task: behavioral1
- Sample: Подключение к Cheater HAer VPsu202epdr.exe
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: Подключение к Cheater HAer VPsu202epdr.exe
- Resource: win10v20210410

General
- Target: Подключение к Cheater HAer VPsu202epdr.exe
- Size: 1.2MB
- MD5: 89819d45a907c55d273e9d4e2a64f2a9
- SHA1: 18db069eb82c31af3cb577ea392e4b42775d37f4
- SHA256: e50cf3f7139ac7f4924b835334a98f7c426b66d0d19e986d885bd4080433d7bd
- SHA512: bb2eee52e673c8e2ae44c60f0df8dc69890df2108f5278f1928f207055d5e8660fd8d8eaab9d67ee3ed950574184cbc94af77d831b601323afc31d715b9ec248
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: radgoodnow.mooo.com:7777
- Mutex: DC_MUTEX-0E720ZB
- InstallPath: MSDCSC\msdcsc.exe
- gencode: ReysmuLVc5ah
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | RegAsm.exe

- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1796 | msdcsc.exe

- Loads dropped DLL (1 IoCs)
  Processes:
  pid | process
  1624 | RegAsm.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | RegAsm.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 1848 set thread context of 1624 | 1848 | Подключение к Cheater HAer VPsu202epdr.exe | RegAsm.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes:
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 1624 | RegAsm.exe
  Token: SeSecurityPrivilege | 1624 | RegAsm.exe
  Token: SeTakeOwnershipPrivilege | 1624 | RegAsm.exe
  Token: SeLoadDriverPrivilege | 1624 | RegAsm.exe
  Token: SeSystemProfilePrivilege | 1624 | RegAsm.exe
  Token: SeSystemtimePrivilege | 1624 | RegAsm.exe
  Token: SeProfSingleProcessPrivilege | 1624 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 1624 | RegAsm.exe
  Token: SeCreatePagefilePrivilege | 1624 | RegAsm.exe
  Token: SeBackupPrivilege | 1624 | RegAsm.exe
  Token: SeRestorePrivilege | 1624 | RegAsm.exe
  Token: SeShutdownPrivilege | 1624 | RegAsm.exe
  Token: SeDebugPrivilege | 1624 | RegAsm.exe
  Token: SeSystemEnvironmentPrivilege | 1624 | RegAsm.exe
  Token: SeChangeNotifyPrivilege | 1624 | RegAsm.exe
  Token: SeRemoteShutdownPrivilege | 1624 | RegAsm.exe
  Token: SeUndockPrivilege | 1624 | RegAsm.exe
  Token: SeManageVolumePrivilege | 1624 | RegAsm.exe
  Token: SeImpersonatePrivilege | 1624 | RegAsm.exe
  Token: SeCreateGlobalPrivilege | 1624 | RegAsm.exe
  Token: 33 | 1624 | RegAsm.exe
  Token: 34 | 1624 | RegAsm.exe
  Token: 35 | 1624 | RegAsm.exe

- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
  description | pid | process | target process
  PID 1848 wrote to memory of 1624 | 1848 | Подключение к Cheater HAer VPsu202epdr.exe | RegAsm.exe
  PID 1848 wrote to memory of 1624 | 1848 | Подключение к Cheater HAer VPsu202epdr.exe | RegAsm.exe
  PID 1848 wrote to memory of 1624 | 1848 | Подключение к Cheater HAer VPsu202epdr.exe | RegAsm.exe
  PID 1848 wrote to memory of 1624 | 1848 | Подключение к Cheater HAer VPsu202epdr.exe | RegAsm.exe
  PID 1848 wrote to memory of 1624 | 1848 | Подключение к Cheater HAer VPsu202epdr.exe | RegAsm.exe
  PID 1848 wrote to memory of 1624 | 1848 | Подключение к Cheater HAer VPsu202epdr.exe | RegAsm.exe
  PID 1848 wrote to memory of 1624 | 1848 | Подключение к Cheater HAer VPsu202epdr.exe | RegAsm.exe
  PID 1848 wrote to memory of 1624 | 1848 | Подключение к Cheater HAer VPsu202epdr.exe | RegAsm.exe
  PID 1848 wrote to memory of 1624 | 1848 | Подключение к Cheater HAer VPsu202epdr.exe | RegAsm.exe
  PID 1848 wrote to memory of 1624 | 1848 | Подключение к Cheater HAer VPsu202epdr.exe | RegAsm.exe
  PID 1848 wrote to memory of 1624 | 1848 | Подключение к Cheater HAer VPsu202epdr.exe | RegAsm.exe
  PID 1848 wrote to memory of 1624 | 1848 | Подключение к Cheater HAer VPsu202epdr.exe | RegAsm.exe
  PID 1848 wrote to memory of 1624 | 1848 | Подключение к Cheater HAer VPsu202epdr.exe | RegAsm.exe
  PID 1848 wrote to memory of 1624 | 1848 | Подключение к Cheater HAer VPsu202epdr.exe | RegAsm.exe
  PID 1848 wrote to memory of 1624 | 1848 | Подключение к Cheater HAer VPsu202epdr.exe | RegAsm.exe
  PID 1848 wrote to memory of 1624 | 1848 | Подключение к Cheater HAer VPsu202epdr.exe | RegAsm.exe
  PID 1624 wrote to memory of 1796 | 1624 | RegAsm.exe | msdcsc.exe
  PID 1624 wrote to memory of 1796 | 1624 | RegAsm.exe | msdcsc.exe
  PID 1624 wrote to memory of 1796 | 1624 | RegAsm.exe | msdcsc.exe
  PID 1624 wrote to memory of 1796 | 1624 | RegAsm.exe | msdcsc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Подключение к Cheater HAer VPsu202epdr.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Подключение к Cheater HAer VPsu202epdr.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 2, child of the above)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (level 3, child of the above)
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
- memory/1624-64-0x000000000048F888-mapping.dmp
- memory/1624-63-0x0000000000400000-0x00000000004F4000-memory.dmp (Filesize: 976KB)
- memory/1624-65-0x00000000757C1000-0x00000000757C3000-memory.dmp (Filesize: 8KB)
- memory/1624-71-0x0000000000400000-0x00000000004F4000-memory.dmp (Filesize: 976KB)
- memory/1624-72-0x0000000000130000-0x0000000000131000-memory.dmp (Filesize: 4KB)
- memory/1796-67-0x0000000000000000-mapping.dmp
- memory/1796-70-0x0000000001150000-0x0000000001151000-memory.dmp (Filesize: 4KB)
- memory/1848-59-0x00000000012A0000-0x00000000012A1000-memory.dmp (Filesize: 4KB)
- memory/1848-62-0x0000000004940000-0x0000000004A2A000-memory.dmp (Filesize: 936KB)
- memory/1848-61-0x0000000004AA0000-0x0000000004AA1000-memory.dmp (Filesize: 4KB)