Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 30-09-2021 12:05
Behavioral task: behavioral1
- Sample: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
- Resource: win7-en-20210920
General
- Target: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
- Size: 807KB
- MD5: 1b65c2a3c7627597b54d16d3f1b80418
- SHA1: 383a0d1115b33a50e7c8e9875155e9033a37c8c0
- SHA256: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf
- SHA512: b7ae5b9df4758c5638a332a8896292aa0e567f0253fd8f4bbb178feb0544085889972605b49baf1e8432ab944881aad69d64a9d64968a89dee2a7ab3b9abd381
Malware Config
Extracted: darkcomet
- Sazan
- 0.tcp.ngrok.io:14298
- DC_MUTEX-03KLHJJ
- InstallPath: MSDCSC\msdcsc.exe
- gencode: JmWdVpbgJaAR
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe)
Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: iexplore.exe, msdcsc.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (process: iexplore.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (process: msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (process: msdcsc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (process: iexplore.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: iexplore.exe)
Modifies security service (2 TTPs, 2 IoCs)
Processes: msdcsc.exe, iexplore.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (process: msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (process: iexplore.exe)
Disables RegEdit via registry modification

Disables Task Manager via registry modification
Executes dropped EXE (1 IoCs)
Processes: msdcsc.exe
- PID 1304 (process: msdcsc.exe)
Windows security modification
Processes: msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: msdcsc.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: msdcsc.exe, iexplore.exe, 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: msdcsc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes: msdcsc.exe
- PID 1304 (msdcsc.exe) set thread context of PID 1916 (target process: iexplore.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: iexplore.exe
- PID 1916 (process: iexplore.exe)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe, msdcsc.exe, iexplore.exe
- PID 900 (2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 1304 (msdcsc.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 1916 (iexplore.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: iexplore.exe
- PID 1916 (process: iexplore.exe)
Suspicious use of WriteProcessMemory (42 IoCs)
Processes: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe, cmd.exe, cmd.exe, msdcsc.exe, iexplore.exe
- PID 900 (2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe) wrote to memory of PID 1052 (cmd.exe): 3 entries
- PID 900 (2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe) wrote to memory of PID 1036 (cmd.exe): 3 entries
- PID 900 (2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe) wrote to memory of PID 1304 (msdcsc.exe): 3 entries
- PID 1036 (cmd.exe) wrote to memory of PID 1820 (attrib.exe): 3 entries
- PID 1052 (cmd.exe) wrote to memory of PID 1816 (attrib.exe): 3 entries
- PID 1304 (msdcsc.exe) wrote to memory of PID 1916 (iexplore.exe): 5 entries
- PID 1916 (iexplore.exe) wrote to memory of PID 2352 (notepad.exe): 22 entries
System policy modification (1 TTPs, 3 IoCs)
Processes: msdcsc.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (process: msdcsc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (process: msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (process: msdcsc.exe)
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes: attrib.exe, attrib.exe
- PID 1816 (process: attrib.exe)
- PID 1820 (process: attrib.exe)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp\2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe" +s +h
      - Views/modifies file attributes
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
  - [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
      command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\notepad.exe
        command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: 1b65c2a3c7627597b54d16d3f1b80418
  SHA1: 383a0d1115b33a50e7c8e9875155e9033a37c8c0
  SHA256: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf
  SHA512: b7ae5b9df4758c5638a332a8896292aa0e567f0253fd8f4bbb178feb0544085889972605b49baf1e8432ab944881aad69d64a9d64968a89dee2a7ab3b9abd381
- memory/900-114-0x00000000007A0000-0x00000000007A1000-memory.dmp (Filesize: 4KB)
- memory/1036-116-0x0000000000000000-mapping.dmp
- memory/1052-115-0x0000000000000000-mapping.dmp
- memory/1304-123-0x0000000002240000-0x0000000002241000-memory.dmp (Filesize: 4KB)
- memory/1304-117-0x0000000000000000-mapping.dmp
- memory/1816-121-0x0000000000000000-mapping.dmp
- memory/1820-120-0x0000000000000000-mapping.dmp
- memory/1916-122-0x0000000000400000-0x00000000004D7000-memory.dmp (Filesize: 860KB)
- memory/1916-124-0x000000000048F888-mapping.dmp
- memory/2352-127-0x0000000000000000-mapping.dmp
- memory/2352-128-0x0000000003160000-0x0000000003161000-memory.dmp (Filesize: 4KB)