Analysis
-
max time kernel: 151s
-
max time network: 154s
-
platform: windows10_x64
-
resource: win10v20210410
-
submitted: 14-08-2021 13:40
Static task: static1
Behavioral task: behavioral1
Sample: SBHJYT.exe
Resource: win7v20210408
General
-
Target: SBHJYT.exe
-
Size: 13.9MB
-
MD5: 20799f295c5b0e5aa27b5896b230b57a
-
SHA1: e0e72f3a636f4dcd87bb5606f24fe0ff298fbb74
-
SHA256: 3d96847f7962c01a7951f95acb29dff7999b7e8d54c946b3b1ccd035cbf2bcb1
-
SHA512: 70cd3984c49da18dc9aeb852f745a8324a93583ab892af7f08bf5372cdb4ffc0cb0cce4033988d9088aaf1b0c740f612690addf9598ad3349ef6ef79112b3d16
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: onlinebonjour1pt.ddns.net:1605
Mutex: DC_MUTEX-K9JEE5J
-
InstallPath: MSDCSC\msdcsc.exe
-
gencode: PPlJGVizdNKt
-
install: true
-
offline_keylogger: true
-
persistence: true
-
reg_key: Microdaptxx
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: SBHJYT.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | SBHJYT.exe
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: msdcsc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
-
Modifies security service 2 TTPs 1 IoCs
Processes: msdcsc.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msdcsc.exe
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
Processes: msdcsc.exe, msdcsc.exe
pid | process
3920 | msdcsc.exe
2840 | msdcsc.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: SBHJYT.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | SBHJYT.exe
-
Windows security modification
Processes: msdcsc.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: SBHJYT.exe, msdcsc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microdaptxx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | SBHJYT.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microdaptxx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | msdcsc.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes: SBHJYT.exe, msdcsc.exe
description | pid process | target process
PID 3908 set thread context of 1940 | 3908 SBHJYT.exe | SBHJYT.exe
PID 3920 set thread context of 2840 | 3920 msdcsc.exe | msdcsc.exe
-
autoit_exe 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | autoit_exe
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | autoit_exe
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | autoit_exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes: SBHJYT.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | SBHJYT.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: msdcsc.exe
pid | process
2840 | msdcsc.exe
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes: SBHJYT.exe, msdcsc.exe
description | pid | process (the 24 token rows per process are grouped on one line each)
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 | 1940 | SBHJYT.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 | 2840 | msdcsc.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: msdcsc.exe
pid | process
2840 | msdcsc.exe
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes: SBHJYT.exe, SBHJYT.exe, cmd.exe, cmd.exe, msdcsc.exe, msdcsc.exe
description | pid process | target process (identical rows collapsed; the bracketed count is how many times the row appears, 47 in total)
PID 3908 wrote to memory of 1940 | 3908 SBHJYT.exe | SBHJYT.exe [x5]
PID 1940 wrote to memory of 3512 | 1940 SBHJYT.exe | cmd.exe [x3]
PID 1940 wrote to memory of 3520 | 1940 SBHJYT.exe | cmd.exe [x3]
PID 3512 wrote to memory of 2704 | 3512 cmd.exe | attrib.exe [x3]
PID 3520 wrote to memory of 2460 | 3520 cmd.exe | attrib.exe [x3]
PID 1940 wrote to memory of 3920 | 1940 SBHJYT.exe | msdcsc.exe [x3]
PID 3920 wrote to memory of 2840 | 3920 msdcsc.exe | msdcsc.exe [x5]
PID 2840 wrote to memory of 3488 | 2840 msdcsc.exe | notepad.exe [x22]
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes: attrib.exe, attrib.exe
pid | process
2460 | attrib.exe
2704 | attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SBHJYT.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\SBHJYT.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\SBHJYT.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SBHJYT.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\cmd.exe (depth 3)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\SBHJYT.exe" +s +h
    - Suspicious use of WriteProcessMemory
-
      C:\Windows\SysWOW64\attrib.exe (depth 4)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\SBHJYT.exe" +s +h
      - Views/modifies file attributes
-
    C:\Windows\SysWOW64\cmd.exe (depth 3)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
-
      C:\Windows\SysWOW64\attrib.exe (depth 4)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
-
    C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
-
      C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (depth 4)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
-
        C:\Windows\SysWOW64\notepad.exe (depth 5)
        Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
MD5: 20799f295c5b0e5aa27b5896b230b57a
SHA1: e0e72f3a636f4dcd87bb5606f24fe0ff298fbb74
SHA256: 3d96847f7962c01a7951f95acb29dff7999b7e8d54c946b3b1ccd035cbf2bcb1
SHA512: 70cd3984c49da18dc9aeb852f745a8324a93583ab892af7f08bf5372cdb4ffc0cb0cce4033988d9088aaf1b0c740f612690addf9598ad3349ef6ef79112b3d16
-
memory/1940-116-0x00000000000D0000-0x0000000000186000-memory.dmp, Filesize 728KB
-
memory/1940-114-0x00000000000D0000-0x0000000000186000-memory.dmp, Filesize 728KB
-
memory/1940-117-0x0000000002740000-0x0000000002741000-memory.dmp, Filesize 4KB
-
memory/1940-115-0x000000000015F888-mapping.dmp
-
memory/2460-121-0x0000000000000000-mapping.dmp
-
memory/2704-120-0x0000000000000000-mapping.dmp
-
memory/2840-129-0x0000000002600000-0x0000000002601000-memory.dmp, Filesize 4KB
-
memory/2840-126-0x000000000015F888-mapping.dmp
-
memory/2840-128-0x00000000000D0000-0x0000000000186000-memory.dmp, Filesize 728KB
-
memory/3488-131-0x0000000000AE0000-0x0000000000AE1000-memory.dmp, Filesize 4KB
-
memory/3488-130-0x0000000000000000-mapping.dmp
-
memory/3512-118-0x0000000000000000-mapping.dmp
-
memory/3520-119-0x0000000000000000-mapping.dmp
-
memory/3920-122-0x0000000000000000-mapping.dmp