Analysis
- max time kernel: 152s
- max time network: 173s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 14-08-2021 13:40

Static task: static1
Behavioral task: behavioral1
- Sample: SBHJYT.exe
- Resource: win7v20210408
General
- Target: SBHJYT.exe
- Size: 13.9MB
- MD5: 20799f295c5b0e5aa27b5896b230b57a
- SHA1: e0e72f3a636f4dcd87bb5606f24fe0ff298fbb74
- SHA256: 3d96847f7962c01a7951f95acb29dff7999b7e8d54c946b3b1ccd035cbf2bcb1
- SHA512: 70cd3984c49da18dc9aeb852f745a8324a93583ab892af7f08bf5372cdb4ffc0cb0cce4033988d9088aaf1b0c740f612690addf9598ad3349ef6ef79112b3d16
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: onlinebonjour1pt.ddns.net:1605
- Mutex: DC_MUTEX-K9JEE5J
- InstallPath: MSDCSC\msdcsc.exe
- gencode: PPlJGVizdNKt
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: Microdaptxx
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
- SBHJYT.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes:
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- msdcsc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Modifies security service (2 TTPs, 1 IoCs)
Processes:
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"

Disables RegEdit via registry modification

Disables Task Manager via registry modification
Executes dropped EXE (2 IoCs)
Processes:
- PID 1640 msdcsc.exe
- PID 1072 msdcsc.exe

Loads dropped DLL (2 IoCs)
Processes:
- PID 1396 SBHJYT.exe
- PID 1640 msdcsc.exe
Windows security modification (2 IoCs)
Processes:
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- SBHJYT.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microdaptxx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
- msdcsc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microdaptxx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"

Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 1960 SBHJYT.exe set thread context of PID 1396 SBHJYT.exe
- PID 1640 msdcsc.exe set thread context of PID 1072 msdcsc.exe
autoit_exe (5 IoCs)
AutoIT scripts compiled to PE executables.
Processes (resource, YARA rule):
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe: autoit_exe (3 matches)
- \Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe: autoit_exe (2 matches)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
- PID 1072 msdcsc.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes:
- PID 1396 SBHJYT.exe and PID 1072 msdcsc.exe each adjusted the same 23 token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
- PID 1072 msdcsc.exe

Suspicious use of WriteProcessMemory (55 IoCs)
Processes (source PID and process -> target PID and process, number of writes):
- 1960 SBHJYT.exe -> 1396 SBHJYT.exe (x6)
- 1396 SBHJYT.exe -> 892 cmd.exe (x4)
- 1396 SBHJYT.exe -> 324 cmd.exe (x4)
- 324 cmd.exe -> 824 attrib.exe (x4)
- 892 cmd.exe -> 1592 attrib.exe (x4)
- 1396 SBHJYT.exe -> 1640 msdcsc.exe (x4)
- 1640 msdcsc.exe -> 1072 msdcsc.exe (x6)
- 1072 msdcsc.exe -> 968 notepad.exe (x23)

Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes:
- PID 824 attrib.exe
- PID 1592 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SBHJYT.exe (PID 1960)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SBHJYT.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SBHJYT.exe (PID 1396)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SBHJYT.exe"
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 892)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\SBHJYT.exe" +s +h
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe (PID 1592)
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\SBHJYT.exe" +s +h
        - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe (PID 324)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe (PID 824)
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Views/modifies file attributes
    - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (PID 1640)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (PID 1072)
        Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
        - Modifies firewall policy service
        - Modifies security service
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\notepad.exe (PID 968)
          Command line: notepad
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  MD5: 20799f295c5b0e5aa27b5896b230b57a
  SHA1: e0e72f3a636f4dcd87bb5606f24fe0ff298fbb74
  SHA256: 3d96847f7962c01a7951f95acb29dff7999b7e8d54c946b3b1ccd035cbf2bcb1
  SHA512: 70cd3984c49da18dc9aeb852f745a8324a93583ab892af7f08bf5372cdb4ffc0cb0cce4033988d9088aaf1b0c740f612690addf9598ad3349ef6ef79112b3d16
- memory/324-67-0x0000000000000000-mapping.dmp
- memory/824-68-0x0000000000000000-mapping.dmp
- memory/892-66-0x0000000000000000-mapping.dmp
- memory/968-80-0x0000000000000000-mapping.dmp
- memory/968-84-0x0000000000220000-0x0000000000221000-memory.dmp (filesize 4KB)
- memory/1072-77-0x000000000014F888-mapping.dmp
- memory/1072-82-0x00000000000C0000-0x0000000000176000-memory.dmp (filesize 728KB)
- memory/1072-83-0x0000000000220000-0x0000000000221000-memory.dmp (filesize 4KB)
- memory/1396-65-0x00000000001B0000-0x00000000001B1000-memory.dmp (filesize 4KB)
- memory/1396-64-0x00000000000C0000-0x0000000000176000-memory.dmp (filesize 728KB)
- memory/1396-62-0x000000000014F888-mapping.dmp
- memory/1396-61-0x00000000000C0000-0x0000000000176000-memory.dmp (filesize 728KB)
- memory/1592-69-0x0000000000000000-mapping.dmp
- memory/1640-71-0x0000000000000000-mapping.dmp
- memory/1960-60-0x0000000075201000-0x0000000075203000-memory.dmp (filesize 8KB)