Analysis
- max time kernel: 147s
- max time network: 136s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 28-09-2021 09:19
Static task: static1
Behavioral task: behavioral1
- Sample: e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe
- Resource: win10-en-20210920
General
- Target: e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe
- Size: 1.5MB
- MD5: f548e99a9e0b219930e28696a0979619
- SHA1: fc09b9c82ac761f28a04c2d4d3bdf07b000d6b47
- SHA256: e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2
- SHA512: bf875c949a83a1babd1f6c91fc707aac7e759cfa043f7289c96ff1ebdee30ea423277896cd2ebabfaf206d4a8e81a708aa93cdbe2d6255487582ff85d50aded7
Malware Config
Extracted: darkcomet
- Sazan
- 127.0.0.1:1604
- DC_MUTEX-SWYB0HA
- InstallPath: MSDCSC\msdcsc.exe
- gencode: jA5Q6JBljsdN
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: vbc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | vbc.exe
- Executes dropped EXE (1 IoCs)
  Processes: msdcsc.exe
  pid | process
  1232 | msdcsc.exe
- Loads dropped DLL (1 IoCs)
  Processes: vbc.exe
  pid | process
  2024 | vbc.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe, vbc.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run | e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft@Service = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe" | e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | vbc.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe
  description | pid | process | target process
  PID 1112 set thread context of 2024 | 1112 | e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe | vbc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: attrib.exe, attrib.exe
  description | ioc | process
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | attrib.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319 | attrib.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: vbc.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 2024 | vbc.exe
  Token: SeSecurityPrivilege | 2024 | vbc.exe
  Token: SeTakeOwnershipPrivilege | 2024 | vbc.exe
  Token: SeLoadDriverPrivilege | 2024 | vbc.exe
  Token: SeSystemProfilePrivilege | 2024 | vbc.exe
  Token: SeSystemtimePrivilege | 2024 | vbc.exe
  Token: SeProfSingleProcessPrivilege | 2024 | vbc.exe
  Token: SeIncBasePriorityPrivilege | 2024 | vbc.exe
  Token: SeCreatePagefilePrivilege | 2024 | vbc.exe
  Token: SeBackupPrivilege | 2024 | vbc.exe
  Token: SeRestorePrivilege | 2024 | vbc.exe
  Token: SeShutdownPrivilege | 2024 | vbc.exe
  Token: SeDebugPrivilege | 2024 | vbc.exe
  Token: SeSystemEnvironmentPrivilege | 2024 | vbc.exe
  Token: SeChangeNotifyPrivilege | 2024 | vbc.exe
  Token: SeRemoteShutdownPrivilege | 2024 | vbc.exe
  Token: SeUndockPrivilege | 2024 | vbc.exe
  Token: SeManageVolumePrivilege | 2024 | vbc.exe
  Token: SeImpersonatePrivilege | 2024 | vbc.exe
  Token: SeCreateGlobalPrivilege | 2024 | vbc.exe
  Token: 33 | 2024 | vbc.exe
  Token: 34 | 2024 | vbc.exe
  Token: 35 | 2024 | vbc.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes: e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe
  pid | process
  1112 | e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe (4 entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes: e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe
  pid | process
  1112 | e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe (4 entries)
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes: e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe, vbc.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 1112 wrote to memory of 2024 | 1112 | e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe | vbc.exe (13 entries)
  PID 2024 wrote to memory of 1580 | 2024 | vbc.exe | cmd.exe (4 entries)
  PID 2024 wrote to memory of 1556 | 2024 | vbc.exe | cmd.exe (4 entries)
  PID 1580 wrote to memory of 1480 | 1580 | cmd.exe | attrib.exe (4 entries)
  PID 1556 wrote to memory of 1904 | 1556 | cmd.exe | attrib.exe (4 entries)
  PID 2024 wrote to memory of 1232 | 2024 | vbc.exe | msdcsc.exe (4 entries)
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  pid | process
  1904 | attrib.exe
  1480 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" +s +h
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" +s +h
        - Drops file in Windows directory
        - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v4.0.30319" +s +h
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v4.0.30319" +s +h
        - Drops file in Windows directory
        - Views/modifies file attributes
    - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: 1f7bccc57d21a4bfeddaafe514cfd74d
  SHA1: 4dab09179a12468cb1757cb7ca26e06d616b0a8d
  SHA256: d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061
  SHA512: 9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: 1f7bccc57d21a4bfeddaafe514cfd74d
  SHA1: 4dab09179a12468cb1757cb7ca26e06d616b0a8d
  SHA256: d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061
  SHA512: 9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8
- memory/1112-54-0x0000000075871000-0x0000000075873000-memory.dmp (Filesize: 8KB)
- memory/1232-65-0x0000000000000000-mapping.dmp
- memory/1480-60-0x0000000000000000-mapping.dmp
- memory/1556-59-0x0000000000000000-mapping.dmp
- memory/1580-58-0x0000000000000000-mapping.dmp
- memory/1904-61-0x0000000000000000-mapping.dmp
- memory/2024-63-0x0000000000110000-0x0000000000111000-memory.dmp (Filesize: 4KB)
- memory/2024-62-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/2024-56-0x000000000048F888-mapping.dmp
- memory/2024-55-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)