Analysis
- max time kernel: 4294109s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20220223-en
- submitted: 25-02-2022 06:13
Behavioral task: behavioral1
- Sample: 1.exe
- Resource: win7-20220223-en
General
- Target: 1.exe
- Size: 661KB
- MD5: f0e7f5c44d69cb03d87b634c3d695c7e
- SHA1: f46ef1eb3ba47a62ebf645238aad3af66ebed012
- SHA256: 1f2ead28ecdc21f65c33e8f929466d39cd618c25b1ff488eaadd27302022bda5
- SHA512: 07f66d65f728887b755137c07fd1f3941c92f6fb7dd10d3ea59e30031ac2e96cd77cfc0c364a51441047b87102b9f81ec766698ec776dcffa141d6dcdf0560fc
Malware Config
Extracted
- Family: darkcomet
- Botnet: Sazan
- C2: akordion.duckdns.org:1604
- Mutex: DC_MUTEX-CADHQZA
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 344KSen6NjLL
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence 2 TTPs 1 IoCs
  Processes: 1.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (1.exe)
- Modifies security service 2 TTPs 1 IoCs
  Processes: msdcsc.exe
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (msdcsc.exe)
- Executes dropped EXE 1 IoCs
  Processes: msdcsc.exe
  - PID 1716 msdcsc.exe
- Loads dropped DLL 2 IoCs
  Processes: 1.exe
  - PID 1620 1.exe
  - PID 1620 1.exe
- Windows security modification 1 IoCs
  Processes: msdcsc.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
- Adds Run key to start application 2 TTPs 2 IoCs
  Processes: 1.exe, msdcsc.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (1.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (msdcsc.exe)
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken 46 IoCs
  Processes: 1.exe, msdcsc.exe
  Both PID 1620 (1.exe) and PID 1716 (msdcsc.exe) adjust the same 23 token privileges:
  - Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx 1 IoCs
  Processes: msdcsc.exe
  - PID 1716 msdcsc.exe
- Suspicious use of WriteProcessMemory 43 IoCs
  Processes: 1.exe, cmd.exe, cmd.exe, msdcsc.exe
  Source PID / process wrote to memory of target PID / process (number of entries):
  - 1620 1.exe -> 1084 cmd.exe (4)
  - 1620 1.exe -> 1096 cmd.exe (4)
  - 1084 cmd.exe -> 1820 attrib.exe (4)
  - 1096 cmd.exe -> 1424 attrib.exe (4)
  - 1620 1.exe -> 1716 msdcsc.exe (4)
  - 1716 msdcsc.exe -> 1160 notepad.exe (23)
- Views/modifies file attributes 1 TTPs 2 IoCs
  Processes: attrib.exe, attrib.exe
  - PID 1820 attrib.exe
  - PID 1424 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (level 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\1.exe" +s +h
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (level 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (level 2)
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe (level 3)
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  - MD5: f0e7f5c44d69cb03d87b634c3d695c7e
  - SHA1: f46ef1eb3ba47a62ebf645238aad3af66ebed012
  - SHA256: 1f2ead28ecdc21f65c33e8f929466d39cd618c25b1ff488eaadd27302022bda5
  - SHA512: 07f66d65f728887b755137c07fd1f3941c92f6fb7dd10d3ea59e30031ac2e96cd77cfc0c364a51441047b87102b9f81ec766698ec776dcffa141d6dcdf0560fc
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
  - MD5: f0e7f5c44d69cb03d87b634c3d695c7e
  - SHA1: f46ef1eb3ba47a62ebf645238aad3af66ebed012
  - SHA256: 1f2ead28ecdc21f65c33e8f929466d39cd618c25b1ff488eaadd27302022bda5
  - SHA512: 07f66d65f728887b755137c07fd1f3941c92f6fb7dd10d3ea59e30031ac2e96cd77cfc0c364a51441047b87102b9f81ec766698ec776dcffa141d6dcdf0560fc
- memory/1160-61-0x00000000000C0000-0x00000000000C1000-memory.dmp
  Filesize: 4KB
- memory/1160-82-0x0000000000430000-0x0000000000431000-memory.dmp
  Filesize: 4KB
- memory/1620-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp
  Filesize: 8KB
- memory/1620-55-0x0000000000240000-0x0000000000241000-memory.dmp
  Filesize: 4KB
- memory/1716-81-0x0000000000240000-0x0000000000241000-memory.dmp
  Filesize: 4KB