Analysis
- max time kernel: 152s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 21-09-2021 08:37
Behavioral task
- behavioral1
- Sample: 5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1.exe
- Resource: win7-en-20210920
General
- Target: 5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1.exe
- Size: 659KB
- MD5: 1d9b720db2f4e23c3502f1456f09b927
- SHA1: a68034b6084112066cc02565dd519a23757c1b15
- SHA256: 5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1
- SHA512: 39cf1a7b5d12dfb19439676e9d692cc4536cd04c22872ef67370759e34dfba805e52c38ee0a58420b265aa29d8c91c563936e9be90fd578fe2418cb3c389c3d1
Malware Config
Extracted
- Family: darkcomet
- Botnet: Sazan
- C2: 8.tcp.ngrok.io:13738
- Mutex: DC_MUTEX-RYGMJ3G
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 1rG7r70RosbW
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSDCSC\\msdcsc.exe"

- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process: msdcsc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"

- Modifies security service (2 TTPs, 1 IoC)
  Process: msdcsc.exe
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"

- Disables RegEdit via registry modification

- Disables Task Manager via registry modification

- Executes dropped EXE (1 IoC)
  Process: msdcsc.exe (PID 836)

- Loads dropped DLL (2 IoCs)
  Process: 5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1.exe (PID 1172), 2 occurrences

- Windows security modification (2 IoCs)
  Process: msdcsc.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSDCSC\\msdcsc.exe"

- Drops file in Windows directory (3 IoCs)
  Process: 5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1.exe
  - File created: C:\Windows\MSDCSC\msdcsc.exe
  - File opened for modification: C:\Windows\MSDCSC\msdcsc.exe
  - File opened for modification: C:\Windows\MSDCSC\

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: 5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1.exe (PID 1172), msdcsc.exe (PID 836)
  - PID 1172 (5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1.exe) adjusted the following token privileges (23 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  - PID 836 (msdcsc.exe) adjusted the same 23 token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: msdcsc.exe (PID 836)

- Suspicious use of WriteProcessMemory (43 IoCs)
  Processes: 5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1.exe, cmd.exe, cmd.exe, msdcsc.exe
  - PID 1172 (5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1.exe) wrote to memory of PID 2016 (cmd.exe): 4 entries
  - PID 1172 (5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1.exe) wrote to memory of PID 1544 (cmd.exe): 4 entries
  - PID 1544 (cmd.exe) wrote to memory of PID 1420 (attrib.exe): 4 entries
  - PID 2016 (cmd.exe) wrote to memory of PID 1600 (attrib.exe): 4 entries
  - PID 1172 (5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1.exe) wrote to memory of PID 836 (msdcsc.exe): 4 entries
  - PID 836 (msdcsc.exe) wrote to memory of PID 656 (notepad.exe): 23 entries

- System policy modification (1 TTP, 3 IoCs)
  Process: msdcsc.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"

- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe (PID 1600), attrib.exe (PID 1420)
Processes
- C:\Users\Admin\AppData\Local\Temp\5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1.exe"
  Signatures: Modifies WinLogon for persistence; Loads dropped DLL; Adds Run key to start application; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1.exe" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1.exe" +s +h
      Signatures: Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures: Views/modifies file attributes
  - C:\Windows\MSDCSC\msdcsc.exe
    Command line: "C:\Windows\MSDCSC\msdcsc.exe"
    Signatures: Modifies firewall policy service; Modifies security service; Executes dropped EXE; Windows security modification; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Windows\MSDCSC\msdcsc.exe (hashes identical to the submitted sample)
  MD5: 1d9b720db2f4e23c3502f1456f09b927
  SHA1: a68034b6084112066cc02565dd519a23757c1b15
  SHA256: 5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1
  SHA512: 39cf1a7b5d12dfb19439676e9d692cc4536cd04c22872ef67370759e34dfba805e52c38ee0a58420b265aa29d8c91c563936e9be90fd578fe2418cb3c389c3d1
- \Windows\MSDCSC\msdcsc.exe (hashes identical to the submitted sample)
  MD5: 1d9b720db2f4e23c3502f1456f09b927
  SHA1: a68034b6084112066cc02565dd519a23757c1b15
  SHA256: 5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1
  SHA512: 39cf1a7b5d12dfb19439676e9d692cc4536cd04c22872ef67370759e34dfba805e52c38ee0a58420b265aa29d8c91c563936e9be90fd578fe2418cb3c389c3d1
- memory/656-69-0x0000000000280000-0x0000000000281000-memory.dmp (Filesize: 4KB)
- memory/656-66-0x0000000000000000-mapping.dmp
- memory/836-62-0x0000000000000000-mapping.dmp
- memory/836-68-0x00000000002D0000-0x00000000002D1000-memory.dmp (Filesize: 4KB)
- memory/1172-54-0x0000000075821000-0x0000000075823000-memory.dmp (Filesize: 8KB)
- memory/1172-55-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize: 4KB)
- memory/1420-58-0x0000000000000000-mapping.dmp
- memory/1544-57-0x0000000000000000-mapping.dmp
- memory/1600-59-0x0000000000000000-mapping.dmp
- memory/2016-56-0x0000000000000000-mapping.dmp