Analysis
- max time kernel: 27s
- max time network: 17s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 23-02-2022 04:21
Static task: static1
Behavioral task: behavioral1 (Sample: a.exe; Resource: win7-en-20211208)
Behavioral task: behavioral2 (Sample: a.exe; Resource: win10v2004-en-20220113)
General
- Target: a.exe
- Size: 1.5MB
- MD5: 7264b8eb7076a2b78617e0e38058d0f3
- SHA1: 03cd675e664f434773d9c069c0a59b428cd1bedc
- SHA256: 728418b13e48aacdb925ae8b891e0f0a35ec8482c92f65fefe8bd4ab890224d2
- SHA512: 47f1d0fef411ab7fcc587b1fad1b143c69dc0723ff58f7d0d8f9d29efe2bcc8ca016b6536996a2a3bc7af2b49a378c68d03876962d5a84eea01c0f119a0643e1
Malware Config
Extracted: darkcomet
- Sazan
- akordion.duckdns.org:1604
- DC_MUTEX-CADHQZA
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 344KSen6NjLL
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Process vbc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Executes dropped EXE (1 IoCs)
  Process msdcsc.exe: pid 1664
- Loads dropped DLL (1 IoCs)
  Process vbc.exe: pid 1204
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Process a.exe: Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Process a.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\DelhiBrosBP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a.exe"
  Process vbc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Suspicious use of SetThreadContext (1 IoCs)
  PID 1184 (a.exe) set thread context of 1204 (vbc.exe)
- Drops file in Windows directory (2 IoCs)
  Process attrib.exe: File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  Process attrib.exe: File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Process vbc.exe (pid 1204), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Process a.exe: pid 1184 (4 times)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Process a.exe: pid 1184 (4 times)
- Suspicious use of WriteProcessMemory (33 IoCs)
  PID 1184 (a.exe) wrote to memory of 1204 (vbc.exe): 13 times
  PID 1204 (vbc.exe) wrote to memory of 560 (cmd.exe): 4 times
  PID 1204 (vbc.exe) wrote to memory of 1380 (cmd.exe): 4 times
  PID 560 (cmd.exe) wrote to memory of 1640 (attrib.exe): 4 times
  PID 1380 (cmd.exe) wrote to memory of 1676 (attrib.exe): 4 times
  PID 1204 (vbc.exe) wrote to memory of 1664 (msdcsc.exe): 4 times
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Process attrib.exe: pid 1676, pid 1640
Processes
- C:\Users\Admin\AppData\Local\Temp\a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" +s +h
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" +s +h
        - Drops file in Windows directory
        - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v4.0.30319" +s +h
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v4.0.30319" +s +h
        - Drops file in Windows directory
        - Views/modifies file attributes
    - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: 1f7bccc57d21a4bfeddaafe514cfd74d
  SHA1: 4dab09179a12468cb1757cb7ca26e06d616b0a8d
  SHA256: d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061
  SHA512: 9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: 1f7bccc57d21a4bfeddaafe514cfd74d
  SHA1: 4dab09179a12468cb1757cb7ca26e06d616b0a8d
  SHA256: d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061
  SHA512: 9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8
- memory/1184-55-0x0000000075831000-0x0000000075833000-memory.dmp: Filesize 8KB
- memory/1204-61-0x0000000000400000-0x00000000004B2000-memory.dmp: Filesize 712KB
- memory/1204-60-0x0000000000400000-0x00000000004B2000-memory.dmp: Filesize 712KB
- memory/1204-59-0x0000000000400000-0x00000000004B2000-memory.dmp: Filesize 712KB
- memory/1204-62-0x0000000000400000-0x00000000004B2000-memory.dmp: Filesize 712KB
- memory/1204-63-0x0000000000400000-0x00000000004B2000-memory.dmp: Filesize 712KB
- memory/1204-64-0x0000000000400000-0x00000000004B2000-memory.dmp: Filesize 712KB
- memory/1204-66-0x0000000000400000-0x00000000004B2000-memory.dmp: Filesize 712KB
- memory/1204-67-0x0000000000250000-0x0000000000251000-memory.dmp: Filesize 4KB
- memory/1204-58-0x0000000000400000-0x00000000004B2000-memory.dmp: Filesize 712KB
- memory/1204-57-0x0000000000400000-0x00000000004B2000-memory.dmp: Filesize 712KB
- memory/1204-56-0x0000000000400000-0x00000000004B2000-memory.dmp: Filesize 712KB