Analysis
- max time kernel: 157s
- max time network: 57s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 24-09-2021 06:12
Behavioral task: behavioral1
- Sample: a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe
- Resource: win7v20210408
General
- Target: a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe
- Size: 659KB
- MD5: 1d8488e1531d6a0b880347ac3c90aa55
- SHA1: 1240d4284b9a4d30b573cf3530a70cc109426051
- SHA256: a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b
- SHA512: 765a2a9d7f365ebc9c9082ea24ab9c5256b1bc44aa13596fec69c082cf0ac4a320f05ee78d7cd3df43237ac1246719dfc01d571bdf34d272141a5fb572e6388a
Malware Config
Extracted
- Family: darkcomet
- Botnet: Sazan
- C2: carbonkarlduckdns.org:1604
- Mutex: DC_MUTEX-A82WM2C
- InstallPath: MSDCSC\msdcsc.exe
- gencode: AYz297gj1pvL
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
- Executes dropped EXE (1 IoC)
  pid | process
  1892 | msdcsc.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  1308 | a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe
  1308 | a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe
- Windows security modification
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  1892 | msdcsc.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Token privileges adjusted by PID 1308 (a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe), 23 IoCs, in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  Token privileges adjusted by PID 1892 (msdcsc.exe), 23 IoCs: the same 23 privileges as for PID 1308, in the same order
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  1892 | msdcsc.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  description | pid | process | target process | count
  PID 1308 wrote to memory of 1892 | 1308 | a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe | msdcsc.exe | 4 IoCs
  PID 1892 wrote to memory of 1504 | 1892 | msdcsc.exe | notepad.exe | 23 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe (PID 1308)
   command line: "C:\Users\Admin\AppData\Local\Temp\a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe"
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1892, child of 1)
   command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
   - Modifies firewall policy service
   - Executes dropped EXE
   - Windows security modification
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\notepad.exe (PID 1504, child of 2)
   command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: 1d8488e1531d6a0b880347ac3c90aa55
  SHA1: 1240d4284b9a4d30b573cf3530a70cc109426051
  SHA256: a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b
  SHA512: 765a2a9d7f365ebc9c9082ea24ab9c5256b1bc44aa13596fec69c082cf0ac4a320f05ee78d7cd3df43237ac1246719dfc01d571bdf34d272141a5fb572e6388a
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: 1d8488e1531d6a0b880347ac3c90aa55
  SHA1: 1240d4284b9a4d30b573cf3530a70cc109426051
  SHA256: a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b
  SHA512: 765a2a9d7f365ebc9c9082ea24ab9c5256b1bc44aa13596fec69c082cf0ac4a320f05ee78d7cd3df43237ac1246719dfc01d571bdf34d272141a5fb572e6388a
Memory dumps
- memory/1308-60-0x0000000075AD1000-0x0000000075AD3000-memory.dmp (filesize: 8KB)
- memory/1308-61-0x00000000001D0000-0x00000000001D1000-memory.dmp (filesize: 4KB)
- memory/1504-68-0x0000000000000000-mapping.dmp
- memory/1504-71-0x0000000000220000-0x0000000000221000-memory.dmp (filesize: 4KB)
- memory/1892-64-0x0000000000000000-mapping.dmp
- memory/1892-70-0x0000000000240000-0x0000000000241000-memory.dmp (filesize: 4KB)