Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 24-09-2021 06:12
Behavioral task: behavioral1
- Sample: a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe
- Resource: win7v20210408
General
- Target: a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe
- Size: 659KB
- MD5: 1d8488e1531d6a0b880347ac3c90aa55
- SHA1: 1240d4284b9a4d30b573cf3530a70cc109426051
- SHA256: a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b
- SHA512: 765a2a9d7f365ebc9c9082ea24ab9c5256b1bc44aa13596fec69c082cf0ac4a320f05ee78d7cd3df43237ac1246719dfc01d571bdf34d272141a5fb572e6388a
Malware Config
Extracted:
- darkcomet
- Sazan
- carbonkarlduckdns.org:1604
- DC_MUTEX-A82WM2C
- InstallPath: MSDCSC\msdcsc.exe
- gencode: AYz297gj1pvL
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
- a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes:
- msdcsc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
suricata: ET MALWARE Zeus GameOver Possible DGA NXDOMAIN Responses
Executes dropped EXE (1 IoCs)
Processes:
- msdcsc.exe (PID 1144)

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe: Key value queried \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation
Windows security modification
Processes:
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
Processes:
- a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
- msdcsc.exe (PID 1144)
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes:
- a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe (PID 992)
- msdcsc.exe (PID 1144)

Each of the two processes adjusted the same 24 token privileges (2 x 24 = 48 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges recorded only by number as 33, 34, 35 and 36.
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
- msdcsc.exe (PID 1144)
Suspicious use of WriteProcessMemory (25 IoCs)
Processes:
- a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe (PID 992)
- msdcsc.exe (PID 1144)

Write events (source PID -> target PID):
- PID 992 (a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe) wrote to memory of PID 1144 (msdcsc.exe): 3 events
- PID 1144 (msdcsc.exe) wrote to memory of PID 1420 (notepad.exe): 22 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe"
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Adds Run key to start application
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Modifies firewall policy service
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\notepad.exe
         Command line: notepad
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  - MD5: 1d8488e1531d6a0b880347ac3c90aa55
  - SHA1: 1240d4284b9a4d30b573cf3530a70cc109426051
  - SHA256: a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b
  - SHA512: 765a2a9d7f365ebc9c9082ea24ab9c5256b1bc44aa13596fec69c082cf0ac4a320f05ee78d7cd3df43237ac1246719dfc01d571bdf34d272141a5fb572e6388a
- memory/992-114-0x0000000000680000-0x0000000000681000-memory.dmp (Filesize: 4KB)
- memory/1144-115-0x0000000000000000-mapping.dmp
- memory/1144-119-0x0000000000610000-0x000000000075A000-memory.dmp (Filesize: 1.3MB)
- memory/1420-118-0x0000000000000000-mapping.dmp
- memory/1420-120-0x0000000000A20000-0x0000000000A21000-memory.dmp (Filesize: 4KB)