Analysis
- max time kernel: 150s
- max time network: 137s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 30-09-2021 12:05
Behavioral task: behavioral1
- Sample: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
- Resource: win7-en-20210920
General
- Target: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
- Size: 807KB
- MD5: 1b65c2a3c7627597b54d16d3f1b80418
- SHA1: 383a0d1115b33a50e7c8e9875155e9033a37c8c0
- SHA256: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf
- SHA512: b7ae5b9df4758c5638a332a8896292aa0e567f0253fd8f4bbb178feb0544085889972605b49baf1e8432ab944881aad69d64a9d64968a89dee2a7ab3b9abd381
Malware Config
Extracted
- Family: darkcomet
- Botnet (campaign ID): Sazan
- C2: 0.tcp.ngrok.io:14298
- Mutex: DC_MUTEX-03KLHJJ
- InstallPath: MSDCSC\msdcsc.exe
- gencode: JmWdVpbgJaAR
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate

Reading the config: InstallPath is relative to the user's Documents folder, which is why the dropped copy appears as C:\Users\Admin\Documents\MSDCSC\msdcsc.exe in the process tree, and reg_key is the value name used for the Run entry (MicroUpdate in the signatures below). The C2 is an ngrok TCP tunnel: 0.tcp.ngrok.io is shared ngrok infrastructure and the operator's real host sits behind it, so the IP the sandbox resolved is not a stable indicator. Hunt on the hostname:port pair, and on any *.tcp.ngrok.io traffic from hosts that have no reason to use ngrok.
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe)
msdcsc.exe is appended after the legitimate userinit.exe, so Winlogon starts it at every interactive logon, independently of the Run key below. When cleaning up, restore the value to "C:\\Windows\\system32\\userinit.exe," (the default, trailing comma included) rather than deleting it; a missing UserInit value breaks logon.
-
Modifies firewall policy service 2 TTPs 6 IoCs
Processes: msdcsc.exe, iexplore.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (msdcsc.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (msdcsc.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (msdcsc.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (iexplore.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (iexplore.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (iexplore.exe)
EnableFirewall = 0 switches the Windows Firewall off for the Standard profile (the non-domain profile). The same writes occur twice, first from msdcsc.exe and then from the iexplore.exe it hollowed (see the SetThreadContext entry below).
-
Modifies security service 2 TTPs 2 IoCs
Processes: msdcsc.exe, iexplore.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (msdcsc.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (iexplore.exe)
Start = 4 is SERVICE_DISABLED: the Security Center service (wscsvc) will not start after the next reboot, so the user never sees the "firewall is off" warning the change above would otherwise trigger. On a suspect host, sc qc wscsvc should not report START_TYPE as DISABLED.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
No registry IoCs are attached to these two signatures in this report. The values they refer to are DisableRegistryTools and DisableTaskMgr under Software\Microsoft\Windows\CurrentVersion\Policies\System (HKCU or HKLM); reading both is the quick check on a suspect host.
Executes dropped EXE 1 IoCs
Processes: msdcsc.exe
- PID 904 msdcsc.exe
-
Loads dropped DLL 2 IoCs
Processes: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
- PID 1596 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
- PID 1596 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
-
Windows security modification 2 IoCs (heading taken from the process tree below, which lists this signature for msdcsc.exe)
Processes: msdcsc.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)
Both values silence the Security Center notifications for antivirus and Windows Update being off. They land under Wow6432Node because the sample is 32-bit running on 64-bit Windows 7 (the tree shows SysWOW64\cmd.exe and Program Files (x86)\Internet Explorer\iexplore.exe), so a query from a 64-bit process must include the Wow6432Node path.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe, msdcsc.exe, iexplore.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (msdcsc.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (iexplore.exe)
The value name MicroUpdate is the reg_key from the extracted config; the key is the Run key of the sandbox user's hive (HKU\S-1-5-21-...-1000, i.e. HKCU for that user), so it runs at logon of that user only.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: msdcsc.exe
- PID 904 (msdcsc.exe) set thread context of PID 792 (iexplore.exe)
Together with the six WriteProcessMemory calls from 904 to 792 listed below, this is process hollowing (T1055.012 in current ATT&CK; the report's matrix is ATT&CK v6): msdcsc.exe starts a legitimate iexplore.exe, writes the RAT image into it and points the main thread at that image. Everything iexplore.exe is credited with afterwards (firewall and service changes, the Run key, the hook, the foreground-window polling) is the DarkComet payload running under the browser's name. The memory dump for PID 792 at the end of the report (0x400000-0x4D7000, 860KB) is the region to pull for the unpacked payload.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second sentence is the sandbox's generic text for this heuristic. Nothing else in the report points to encryption (no mass file writes, no ransom note), and DarkComet ships a remote file manager that lists drives, so the drive enumeration is consistent with the RAT's feature set rather than with ransomware.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: iexplore.exe
- PID 792 iexplore.exe
Repeated GetForegroundWindow calls from the hollowed iexplore.exe: the active window title is what a keylogger records alongside keystrokes, which fits offline_keylogger = true in the config.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe, msdcsc.exe, iexplore.exe
Each of the three processes enables the same privilege set on its token, in the same order:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 1596 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe: all 23 entries
- PID 904 msdcsc.exe: all 23 entries
- PID 792 iexplore.exe: the first 18 entries, up to SeManageVolumePrivilege (the signature caps at 64 IoCs, so the list for this process is cut off there)
The entries 33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege on this Windows version). Enabling the whole set at once, SeDebugPrivilege and SeLoadDriverPrivilege included, is a blanket AdjustTokenPrivileges call rather than anything the program needs; it only succeeds for privileges the token already holds, and the HKLM writes above show the sample ran elevated in the sandbox.
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: iexplore.exe
- PID 792 iexplore.exe
A Windows hook installed from the hollowed iexplore.exe. A keyboard hook is how a user-mode keylogger captures input, and the config has offline_keylogger = true; the report does not record the hook type, so treat the keyboard-hook reading as likely, not confirmed.
-
Suspicious use of WriteProcessMemory 49 IoCs
Processes: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe (PID 1596, the dropper), cmd.exe, cmd.exe, msdcsc.exe, iexplore.exe
Writer -> target (number of recorded writes):
- PID 1596 (dropper) -> PID 1696 (cmd.exe): 4
- PID 1596 (dropper) -> PID 968 (cmd.exe): 4
- PID 968 (cmd.exe) -> PID 1620 (attrib.exe): 4
- PID 1696 (cmd.exe) -> PID 1856 (attrib.exe): 4
- PID 1596 (dropper) -> PID 904 (msdcsc.exe): 4
- PID 904 (msdcsc.exe) -> PID 792 (iexplore.exe): 6
- PID 792 (iexplore.exe) -> PID 568 (notepad.exe): 23
The groups of four are the writes a parent makes while setting up a new child process (the sandbox attributes them to the parent), so they are not injection by themselves. The 904 -> 792 group is different: it accompanies the SetThreadContext call above and is the hollowing write. The 23 writes into notepad.exe have no matching SetThreadContext in this report, so what was placed there cannot be determined from the signatures alone; the 4KB dump for PID 568 at 0x220000 is the only capture from that process.
-
System policy modification 1 TTPs 3 IoCs
Processes: msdcsc.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (msdcsc.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (msdcsc.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (msdcsc.exe)
The path is reproduced as the sandbox recorded it. Explorer reads NoControlPanel from ...\CurrentVersion\Policies\Explorer, not from a Policies\CurrentVersion\Explorern subkey, so as written this value hides nothing; it is still a reliable artefact of this sample on a host.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes: attrib.exe, attrib.exe
- PID 1620 attrib.exe
- PID 1856 attrib.exe
Both are attrib +s +h (see the process tree): one hides the dropper, the other marks the whole %TEMP% directory system+hidden so Explorer stops showing it by default. attrib -s -h on the same paths reverses it; dir /a lists them regardless.
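The registry writes above are the hunt material in this report. The script below is an added example (mine, not the sandbox's tooling): it parses the report's flattened registry records, converts the \REGISTRY\MACHINE and \REGISTRY\USER object paths to the HKLM/HKU form a reg query or SIEM search expects, and tags each write that weakens the host with an ATT&CK technique ID. The rule names, the value checks (EnableFirewall must be 0, wscsvc Start must be 4, UserInit must carry more than one entry) and the technique mapping are this example's own; the input is the report's IoC lines, copied inline.

```python
"""Triage the registry writes listed in a sandbox report.

Added example for this page, not the sandbox's own tooling. Parses the
report's flattened 'Set value (type) \\REGISTRY\\... = "value" process' and
'Key created ... process' records, converts the NT object paths to the
HKLM/HKU form a reg query or SIEM search uses, and tags each write that
weakens the host with an ATT&CK technique ID. The rule names, value checks
and technique mapping are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the registry IoCs from the report above, one per line.
REPORT_LINES = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile msdcsc.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile iexplore.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" iexplore.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" iexplore.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" msdcsc.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" iexplore.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" msdcsc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" iexplore.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion msdcsc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" msdcsc.exe
"""

RECORD = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created) '   # operation, with value type if any
    r'(?P<key>\\REGISTRY\\.+?)'                             # NT object-manager path (may contain spaces)
    r'(?: = "(?P<value>.*)")?'                              # quoted value, Set value records only
    r' (?P<proc>\S+\.exe)$'                                 # writing process
)

HIVES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))


@dataclass
class Record:
    op: str
    key: str            # HKLM\... or HKU\... form
    value: Optional[str]
    proc: str


@dataclass
class Finding:
    rule: str
    technique: str
    record: Record


def to_hive_path(nt_path: str) -> str:
    """\\REGISTRY\\MACHINE\\X -> HKLM\\X and \\REGISTRY\\USER\\X -> HKU\\X."""
    for prefix, hive in HIVES:
        if nt_path.startswith(prefix):
            return hive + nt_path[len(prefix):]
    return nt_path


def parse_records(text: str):
    out = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            out.append(Record(m["op"], to_hive_path(m["key"]), m["value"], m["proc"]))
    return out


# (rule, technique, key pattern on the HKLM/HKU path, check on the written value)
RULES = [
    ("Winlogon UserInit helper added", "T1547.004", r"\\Winlogon\\UserInit$",
     lambda v: v is not None and len([p for p in v.split(",") if p.strip()]) > 1),
    ("Run key persistence", "T1547.001", r"\\CurrentVersion\\Run\\", lambda v: v is not None),
    ("Windows Firewall disabled", "T1562.004", r"\\FirewallPolicy\\\w+Profile\\EnableFirewall$", lambda v: v == "0"),
    ("Security Center service disabled (Start=4)", "T1562.001", r"\\services\\wscsvc\\Start$", lambda v: v == "4"),
    ("Security Center notifications suppressed", "T1562.001", r"\\Security Center\\\w+DisableNotify$", lambda v: v == "1"),
    ("Control Panel hidden by policy", "T1112", r"\\Policies\\.*\\NoControlPanel$", lambda v: v == "1"),
]


def triage(records):
    """One Finding per value write that matches a rule; bare key creations are skipped."""
    findings = []
    for rec in records:
        if rec.op == "Key created":
            continue
        for rule, technique, pattern, ok in RULES:
            if re.search(pattern, rec.key) and ok(rec.value):
                findings.append(Finding(rule, technique, rec))
                break
    return findings


def techniques_by_process(findings):
    out = {}
    for f in findings:
        out.setdefault(f.record.proc, set()).add(f.technique)
    return out


if __name__ == "__main__":
    for f in triage(parse_records(REPORT_LINES)):
        print(f"{f.technique:10} {f.rule:44} {f.record.proc:14} {f.record.key} = {f.record.value}")
```

The value checks matter: a later, benign write of EnableFirewall = 1 or wscsvc Start = 2 parses fine but produces no finding, so the same rules can run over a full registry event log rather than only over a sandbox's pre-filtered IoCs.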
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe (PID 1596, depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe"
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\cmd.exe (depth 2)
  command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe" +s +h
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\attrib.exe (depth 3)
    command line: attrib "C:\Users\Admin\AppData\Local\Temp\2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe" +s +h
    - Views/modifies file attributes
-
  C:\Windows\SysWOW64\cmd.exe (depth 2)
  command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\attrib.exe (depth 3)
    command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Views/modifies file attributes
-
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 904, depth 2)
  command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
  - Modifies firewall policy service
  - Modifies security service
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  -
    C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 792, depth 3)
    command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    -
      C:\Windows\SysWOW64\notepad.exe (PID 568, depth 4)
      command line: notepad
      (no signatures recorded for this process)

Reading the tree: the PIDs come from the signature tables (1596, 904, 792 and 568 are unambiguous there; the two cmd.exe/attrib.exe pairs are 1696/1856 and 968/1620, but the report does not say which pair hid the file and which hid the directory). cmd.exe is invoked as C:\Windows\System32\cmd.exe and runs from SysWOW64 because the 32-bit dropper is subject to file-system redirection, which also explains the 32-bit iexplore.exe from Program Files (x86) and the Wow6432Node registry writes. The chain is: the dropper hides itself and %TEMP% with attrib, copies itself to Documents\MSDCSC\msdcsc.exe and starts the copy; the copy hollows iexplore.exe, which is the process that actually runs the RAT; iexplore.exe in turn starts notepad.exe and writes into it.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (listed under both C:\Users\Admin\Documents\MSDCSC\msdcsc.exe and \Users\Admin\Documents\MSDCSC\msdcsc.exe)
- MD5: 1b65c2a3c7627597b54d16d3f1b80418
- SHA1: 383a0d1115b33a50e7c8e9875155e9033a37c8c0
- SHA256: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf
- SHA512: b7ae5b9df4758c5638a332a8896292aa0e567f0253fd8f4bbb178feb0544085889972605b49baf1e8432ab944881aad69d64a9d64968a89dee2a7ab3b9abd381
The hashes are identical to the submitted sample: the dropper copies itself byte for byte to the InstallPath from the config and runs the copy, so one file hash covers both the original in %TEMP% and the installed copy.
-
-
memory/568-72-0x0000000000220000-0x0000000000221000-memory.dmp (4KB)
-
memory/568-70-0x0000000000000000-mapping.dmp
-
memory/792-67-0x000000000048F888-mapping.dmp
-
memory/792-66-0x0000000000400000-0x00000000004D7000-memory.dmp (860KB)
-
memory/904-62-0x0000000000000000-mapping.dmp
-
memory/904-68-0x0000000000240000-0x0000000000241000-memory.dmp (4KB)
-
memory/968-57-0x0000000000000000-mapping.dmp
-
memory/1596-54-0x00000000757B1000-0x00000000757B3000-memory.dmp (8KB)
-
memory/1596-55-0x00000000001D0000-0x00000000001D1000-memory.dmp (4KB)
-
memory/1620-58-0x0000000000000000-mapping.dmp
-
memory/1696-56-0x0000000000000000-mapping.dmp
-
memory/1856-59-0x0000000000000000-mapping.dmp

Each name is memory/<PID>-<sequence>-<range>. The dump to pull first is memory/792-66: an 860KB region starting at 0x400000 inside the hollowed iexplore.exe (PID 792), close to the 807KB of the submitted file, and the mapping address recorded for the same process (0x48F888) falls inside it. That region is the DarkComet image written by msdcsc.exe and is the one to carve and compare with the original. The remaining memory dumps are small page-sized captures.
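The SetThreadContext and WriteProcessMemory signatures and the memory dump names above together identify the hollowed process. The script below is an added example (not the sandbox's own code) that rebuilds the write graph from those records, derives the process tree from it, and flags only the target that received both a memory write and a thread-context change from another process, so the 23 writes into notepad.exe are not flagged while the 6 into iexplore.exe are. It then attaches the largest dumped region of the target and checks whether the recorded mapping address falls inside it. The inputs are the report's own IoC lines, reconstructed inline from the per-pair counts in the signature; the "both events" rule and the region heuristic are this example's.

```python
"""Rebuild the memory-write graph of a sandbox report and flag hollowed processes.

Added example for this page, not the sandbox's own code. Reads the report's
"PID A wrote to memory of B A src.exe dst.exe" and
"PID A set thread context of B A src.exe dst.exe" records plus the
"memory/PID-N-0xSTART[-0xEND]-memory|mapping.dmp" dump names, then reports
each target that received both a memory write and a thread-context change
(the process-hollowing pattern, T1055.012) together with the dumped region
to carve. The "both events" rule and the region heuristic are this example's.
"""
import re
from collections import Counter, defaultdict

DROPPER = "2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe"


def _writes(a, b, src, dst, n):
    """Reproduce n identical report lines for one writer -> target pair."""
    return f"PID {a} wrote to memory of {b} {a} {src} {dst}\n" * n


# Constructed input: the 49 WriteProcessMemory and 1 SetThreadContext records
# from the report above, rebuilt from the per-pair counts.
EVENTS = "".join([
    _writes(1596, 1696, DROPPER, "cmd.exe", 4),
    _writes(1596, 968, DROPPER, "cmd.exe", 4),
    _writes(968, 1620, "cmd.exe", "attrib.exe", 4),
    _writes(1696, 1856, "cmd.exe", "attrib.exe", 4),
    _writes(1596, 904, DROPPER, "msdcsc.exe", 4),
    _writes(904, 792, "msdcsc.exe", "iexplore.exe", 6),
    "PID 904 set thread context of 792 904 msdcsc.exe iexplore.exe\n",
    _writes(792, 568, "iexplore.exe", "notepad.exe", 23),
])

# Constructed input: the dump file names listed at the end of the report.
DUMPS = """
memory/568-72-0x0000000000220000-0x0000000000221000-memory.dmp
memory/568-70-0x0000000000000000-mapping.dmp
memory/792-67-0x000000000048F888-mapping.dmp
memory/792-66-0x0000000000400000-0x00000000004D7000-memory.dmp
memory/904-62-0x0000000000000000-mapping.dmp
memory/904-68-0x0000000000240000-0x0000000000241000-memory.dmp
memory/968-57-0x0000000000000000-mapping.dmp
memory/1596-54-0x00000000757B1000-0x00000000757B3000-memory.dmp
memory/1596-55-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/1620-58-0x0000000000000000-mapping.dmp
memory/1696-56-0x0000000000000000-mapping.dmp
memory/1856-59-0x0000000000000000-mapping.dmp
"""

EVENT = re.compile(r"^PID (?P<a>\d+) (?P<op>wrote to memory of|set thread context of) "
                   r"(?P<b>\d+) (?P=a) (?P<src>\S+) (?P<dst>\S+)$")
DUMP = re.compile(r"^memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)"
                  r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$")


def parse_events(text):
    """Return (write_counts, context_counts, image): counts keyed by (writer, target), names by pid."""
    writes, ctx, image = Counter(), Counter(), {}
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue
        a, b = int(m["a"]), int(m["b"])
        image[a], image[b] = m["src"], m["dst"]
        (writes if m["op"].startswith("wrote") else ctx)[(a, b)] += 1
    return writes, ctx, image


def parse_dumps(text):
    """Return (regions, mappings): dumped [start, end) ranges and mapping addresses per pid."""
    regions, mappings = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        m = DUMP.match(line.strip())
        if not m:
            continue
        pid, start = int(m["pid"]), int(m["start"], 16)
        if m["kind"] == "memory" and m["end"]:
            regions[pid].append((start, int(m["end"], 16)))
        else:
            mappings[pid].append(start)
    return regions, mappings


def process_tree(writes, image, root):
    """Indented tree: a parent's setup writes into each new child supply the edges."""
    children = defaultdict(set)
    for a, b in writes:
        if a != b:
            children[a].add(b)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{image[pid]} (PID {pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


def hollowing_candidates(writes, ctx, image, regions, mappings):
    """Targets written to AND given a new thread context by the same other process."""
    found = []
    for (a, b), n_ctx in ctx.items():
        n_w = writes.get((a, b), 0)
        if n_w == 0 or a == b:
            continue
        region = max(regions.get(b, []), key=lambda r: r[1] - r[0], default=None)
        found.append({
            "injector": (a, image[a]), "target": (b, image[b]),
            "writes": n_w, "context_sets": n_ctx,
            "largest_region": region,
            "region_bytes": region[1] - region[0] if region else 0,
            "mapping_inside_region": bool(region) and any(
                region[0] <= addr < region[1] for addr in mappings.get(b, [])),
        })
    return found


if __name__ == "__main__":
    w, c, img = parse_events(EVENTS)
    print("\n".join(process_tree(w, img, 1596)))
    for cand in hollowing_candidates(w, c, img, *parse_dumps(DUMPS)):
        reg = cand["largest_region"]
        span = "0x%X-0x%X (%d KB)" % (reg[0], reg[1], cand["region_bytes"] // 1024) if reg else "no dump"
        print(cand["injector"], "->", cand["target"], "writes:", cand["writes"],
              "region:", span, "mapping inside:", cand["mapping_inside_region"])
```

The write count alone is a poor signal (notepad.exe received four times as many writes as iexplore.exe); pairing the writes with a SetThreadContext on the same target is what separates hollowing from a parent setting up a child or a debugger-style poke.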