Analysis
- max time kernel: 150s
- max time network: 132s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 30-09-2021 11:33
Behavioral task: behavioral1
Sample: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
Resource: win7v20210408
General
- Target: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
- Size: 807KB
- MD5: 1b65c2a3c7627597b54d16d3f1b80418
- SHA1: 383a0d1115b33a50e7c8e9875155e9033a37c8c0
- SHA256: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf
- SHA512: b7ae5b9df4758c5638a332a8896292aa0e567f0253fd8f4bbb178feb0544085889972605b49baf1e8432ab944881aad69d64a9d64968a89dee2a7ab3b9abd381
Malware Config
Extracted
- Family: darkcomet
- Botnet: Sazan
- C2: 0.tcp.ngrok.io:14298
- Mutex: DC_MUTEX-03KLHJJ
Attributes
- InstallPath: MSDCSC\msdcsc.exe
- gencode: JmWdVpbgJaAR
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes: msdcsc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
- Modifies security service (2 TTPs, 1 IoC)
  Processes: msdcsc.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msdcsc.exe
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Executes dropped EXE (1 IoC)
  Processes: msdcsc.exe
  pid | process
  752 | msdcsc.exe
- Windows security modification (2 IoCs)
  Processes: msdcsc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe, msdcsc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | msdcsc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: msdcsc.exe
  pid | process
  752 | msdcsc.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe, msdcsc.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 IoCs) | 2208 | 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 IoCs) | 752 | msdcsc.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: msdcsc.exe
  pid | process
  752 | msdcsc.exe
- Suspicious use of WriteProcessMemory (42 IoCs)
  Processes: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe, cmd.exe, msdcsc.exe, cmd.exe
  description | pid | process | target process
  PID 2208 wrote to memory of 2704 (3 IoCs) | 2208 | 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe | cmd.exe
  PID 2208 wrote to memory of 2744 (3 IoCs) | 2208 | 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe | cmd.exe
  PID 2208 wrote to memory of 752 (3 IoCs) | 2208 | 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe | msdcsc.exe
  PID 2744 wrote to memory of 3644 (3 IoCs) | 2744 | cmd.exe | attrib.exe
  PID 752 wrote to memory of 3584 (3 IoCs) | 752 | msdcsc.exe | iexplore.exe
  PID 2704 wrote to memory of 1964 (3 IoCs) | 2704 | cmd.exe | attrib.exe
  PID 752 wrote to memory of 2280 (2 IoCs) | 752 | msdcsc.exe | explorer.exe
  PID 752 wrote to memory of 2580 (22 IoCs) | 752 | msdcsc.exe | notepad.exe
- System policy modification (1 TTP, 3 IoCs)
  Processes: msdcsc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  pid | process
  3644 | attrib.exe
  1964 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe"
  Signatures: Modifies WinLogon for persistence; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf.exe" +s +h
      Signatures: Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures: Views/modifies file attributes
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    Signatures: Modifies firewall policy service; Modifies security service; Executes dropped EXE; Windows security modification; Adds Run key to start application; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
    - C:\Windows\explorer.exe
      Command line: "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: 1b65c2a3c7627597b54d16d3f1b80418
  SHA1: 383a0d1115b33a50e7c8e9875155e9033a37c8c0
  SHA256: 2e15ef27dc6e9b414c7cb2cf9ae5ce50f13f889461442c33f3128b569ede31bf
  SHA512: b7ae5b9df4758c5638a332a8896292aa0e567f0253fd8f4bbb178feb0544085889972605b49baf1e8432ab944881aad69d64a9d64968a89dee2a7ab3b9abd381
- memory/752-118-0x0000000000000000-mapping.dmp
- memory/752-124-0x00000000021C0000-0x00000000021C1000-memory.dmp (Filesize 4KB)
- memory/1964-122-0x0000000000000000-mapping.dmp
- memory/2208-115-0x0000000002240000-0x0000000002241000-memory.dmp (Filesize 4KB)
- memory/2580-123-0x0000000000000000-mapping.dmp
- memory/2580-125-0x0000000002CC0000-0x0000000002CC1000-memory.dmp (Filesize 4KB)
- memory/2704-116-0x0000000000000000-mapping.dmp
- memory/2744-117-0x0000000000000000-mapping.dmp
- memory/3644-121-0x0000000000000000-mapping.dmp