Analysis
- max time kernel: 156s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 25-02-2022 06:13
Behavioral task
- behavioral1: sample 1.exe, resource win7-20220223-en
General
- Target: 1.exe
- Size: 661KB
- MD5: f0e7f5c44d69cb03d87b634c3d695c7e
- SHA1: f46ef1eb3ba47a62ebf645238aad3af66ebed012
- SHA256: 1f2ead28ecdc21f65c33e8f929466d39cd618c25b1ff488eaadd27302022bda5
- SHA512: 07f66d65f728887b755137c07fd1f3941c92f6fb7dd10d3ea59e30031ac2e96cd77cfc0c364a51441047b87102b9f81ec766698ec776dcffa141d6dcdf0560fc
Malware Config
Extracted (field labels for the first four entries restored from the usual order of this report format; the page lists only the values)
- Family: darkcomet
- Botnet / campaign ID: Sazan
- C2: akordion.duckdns.org:1604 (a dynamic-DNS host; no traffic to it appears in the Network section of this page, so the C2 address comes from the extracted configuration, not from observed connections)
- Mutex: DC_MUTEX-CADHQZA
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 344KSen6NjLL
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate

The install path, the Run value name (reg_key) and the mutex are the three configuration items that show up directly in the Signatures and Processes sections below, so they are the most useful host IoCs to pivot on.
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 1.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  The default value is "C:\Windows\system32\userinit.exe," with nothing after the comma. Winlogon launches every comma-separated entry at each interactive logon, so this is a second persistence path independent of the Run key below; removing only the Run value leaves the implant in place. Writing this value requires write access to HKLM, so the sample ran with sufficient rights in the sandbox.
- Modifies security service (2 TTPs, 1 IoC)
  Process: msdcsc.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
  Start = 4 is SERVICE_DISABLED for the Security Center service (wscsvc). The change takes effect the next time the service would start (typically after a reboot); the report does not show the running service being stopped.
- Executes dropped EXE (1 IoC)
  Process: msdcsc.exe (pid 1808)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry; the sandbox flags this as a likely geofence.
  Process: 1.exe
  Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
  The read is also consistent with a RAT reporting the victim's country to its controller; nothing on this page shows execution being gated on the value.
- Windows security modification (1 IoC; heading restored from the process tree below, where this signature is attributed to msdcsc.exe)
  Process: msdcsc.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  This is a legacy Security Center setting that suppresses antivirus notifications. The WOW6432Node path shows the writer is a 32-bit process on the 64-bit image; a hunt should check both the native and the WOW6432Node view of the key.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 1.exe, msdcsc.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (written by 1.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (written again by msdcsc.exe)
  The value name MicroUpdate matches reg_key in the extracted configuration; the dropper and the installed copy both write it, so the entry is re-created if it is deleted while msdcsc.exe is running.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour", but nothing else in this report shows file encryption, and the sample is a DarkComet RAT; treat the ransomware label as a heuristic that does not apply here.
- Modifies registry class (1 IoC)
  Process: 1.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  Only the key is created; no value data is recorded, and creating an Instance subkey under a CLSID is low-signal on its own.
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: 1.exe (pid 3316), msdcsc.exe (pid 1808)
  Both processes enable the same 24 privileges, 20 named plus privilege indexes 33, 34, 35 and 36 (24 per process, 48 IoCs in total):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  Enabling the whole set rather than a single privilege is the pattern of code that requests every privilege its token holds; SeDebugPrivilege is the one that matters for the process injection recorded under WriteProcessMemory below.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: msdcsc.exe (pid 1808)
  A Windows hook installed by the installed copy, consistent with offline_keylogger = true in the extracted configuration.
- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes: 1.exe, cmd.exe, cmd.exe, msdcsc.exe
  Writer -> target (count):
  - 1.exe (3316) -> cmd.exe (3728): 3
  - 1.exe (3316) -> cmd.exe (1536): 3
  - cmd.exe (3728) -> attrib.exe (636): 3
  - cmd.exe (1536) -> attrib.exe (1832): 3
  - 1.exe (3316) -> msdcsc.exe (1808): 3
  - msdcsc.exe (1808) -> notepad.exe (1880): 22
  Three writes from a parent into a child it has just created are the normal CreateProcess pattern and carry no signal on their own. The 22 writes from msdcsc.exe into the notepad.exe it spawned are the part worth attention: that is code injection into a benign-looking host, and the memory dump memory/1880-137 under Downloads is a region captured from that notepad.exe.
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe (pid 1832), attrib.exe (pid 636)
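The registry values, file path, mutex and process relationships listed in the signatures above are all things a responder can check on a suspect host. The script below is an added example for this page, not code from the sandbox report or from the malware; the literal values (paths, the MicroUpdate value name, the mutex, the SHA256) are copied from the report, and the function name Test-DarkCometIoCs and the wrapping logic are this example's own. It must run in an elevated PowerShell session on the host being examined.

```powershell
# Added example: host triage for the IoCs in the report above. Not code from the
# report or from the malware. Run elevated; read-only, makes no changes.
# Literal values come from the report; Test-DarkCometIoCs is this example's own name.

$ReportSha256 = '1f2ead28ecdc21f65c33e8f929466d39cd618c25b1ff488eaadd27302022bda5'

function Test-DarkCometIoCs {
    $findings = [System.Collections.Generic.List[string]]::new()
    $regMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # 1. Winlogon\UserInit: the report shows the implant path appended after userinit.exe.
    #    Anything beyond the single default entry is a finding.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $wl -Name UserInit).UserInit
    $entries = @($userinit -split ',' | Where-Object { $_.Trim() -ne '' })
    $expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
    if ($entries.Count -ne 1 -or $entries[0].Trim() -ine $expected) {
        $findings.Add("Winlogon UserInit modified: $userinit")
    }

    # 2. Run keys in HKLM (both views) and in every loaded user hive, since the report's
    #    value lives under a user SID. Flag the report's value name or any \MSDCSC\ path.
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
    $runKeys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
                ForEach-Object { "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $regMeta) { continue }   # provider metadata, not registry values
            if ($p.Name -eq 'MicroUpdate' -or "$($p.Value)" -match '\\MSDCSC\\') {
                $findings.Add("Run value ${key}\$($p.Name) = $($p.Value)")
            }
        }
    }

    # 3. Security Center service set to SERVICE_DISABLED (Start = 4).
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc' -ErrorAction SilentlyContinue
    if ($svc -and $svc.Start -eq 4) { $findings.Add('wscsvc (Security Center) Start = 4 (disabled)') }

    # 4. Legacy Security Center notification suppression, native and WOW6432Node views.
    foreach ($sc in 'HKLM:\SOFTWARE\Microsoft\Security Center',
                    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center') {
        $v = Get-ItemProperty -Path $sc -Name AntiVirusDisableNotify -ErrorAction SilentlyContinue
        if ($v -and "$($v.AntiVirusDisableNotify)" -eq '1') { $findings.Add("$sc\AntiVirusDisableNotify = 1") }
    }

    # 5. Dropped copy in every profile. In the report msdcsc.exe hashes identical to the
    #    sample, so a hash match ties the host to this exact build.
    Get-ChildItem -Path 'C:\Users\*\Documents\MSDCSC\msdcsc.exe' -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            $tag = if ($h -eq $ReportSha256) { 'SHA256 matches report' } else { "SHA256 $h" }
            $findings.Add("Dropped file $($_.FullName) ($tag)")
        }

    # 6. Mutex from the extracted config. It is created without a Global\ prefix, so this
    #    only sees the session the script runs in; access denied still proves existence.
    try {
        $m = [System.Threading.Mutex]::OpenExisting('DC_MUTEX-CADHQZA')
        $m.Dispose()
        $findings.Add('Mutex DC_MUTEX-CADHQZA present in this session')
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present
    } catch [System.UnauthorizedAccessException] {
        $findings.Add('Mutex DC_MUTEX-CADHQZA exists (access denied when opening)')
    }

    # 7. Live process tree: msdcsc.exe, and any notepad.exe whose parent is msdcsc.exe
    #    (the injection target recorded under WriteProcessMemory).
    $procs = Get-CimInstance Win32_Process
    $implants = @($procs | Where-Object { $_.Name -ieq 'msdcsc.exe' })
    foreach ($i in $implants) { $findings.Add("Running: msdcsc.exe pid $($i.ProcessId) $($i.ExecutablePath)") }
    $procs | Where-Object { $_.Name -ieq 'notepad.exe' -and $_.ParentProcessId -in $implants.ProcessId } |
        ForEach-Object { $findings.Add("notepad.exe pid $($_.ProcessId) spawned by msdcsc.exe pid $($_.ParentProcessId)") }

    return $findings
}

$result = Test-DarkCometIoCs
if ($result.Count -eq 0) { 'No IoCs from the report found on this host.' } else { $result }
```

The UserInit check compares against a single expected entry rather than searching for the msdcsc.exe string, so it also catches a rebuilt stub that uses a different install path; the Run-key check is deliberately broader than the single value name for the same reason. Checks 3 and 4 are low-confidence on their own (other software and some hardening scripts touch them) and are only meaningful together with the file, mutex or Winlogon findings.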
Processes
- C:\Users\Admin\AppData\Local\Temp\1.exe (pid 3316, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (level 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\1.exe" +s +h
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (level 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (pid 1808, level 2)
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe (pid 1880, level 3)
      Command line: notepad

The command lines name C:\Windows\System32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe: file system redirection resolves System32 to SysWOW64 for a 32-bit parent, which is consistent with the WOW6432Node registry writes. The two attrib calls mark the original dropper and the whole %TEMP% directory as hidden and system, so a directory listing without hidden/system files shows neither. cmd.exe is started with /k, which leaves the shell running after attrib returns.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (listed twice in the report; shown once here)
  MD5: f0e7f5c44d69cb03d87b634c3d695c7e
  SHA1: f46ef1eb3ba47a62ebf645238aad3af66ebed012
  SHA256: 1f2ead28ecdc21f65c33e8f929466d39cd618c25b1ff488eaadd27302022bda5
  SHA512: 07f66d65f728887b755137c07fd1f3941c92f6fb7dd10d3ea59e30031ac2e96cd77cfc0c364a51441047b87102b9f81ec766698ec776dcffa141d6dcdf0560fc
  All four hashes equal those of the submitted 1.exe in the General section: the installed msdcsc.exe is a byte-for-byte copy of the sample, so one set of file hashes covers both the dropper and the persistent copy.
-
- memory/1808-136-0x0000000000670000-0x0000000000671000-memory.dmp (msdcsc.exe, pid 1808), filesize 4KB
- memory/1880-137-0x0000000004750000-0x0000000004751000-memory.dmp (notepad.exe, pid 1880), filesize 4KB
- memory/3316-133-0x0000000002280000-0x0000000002281000-memory.dmp (1.exe, pid 3316), filesize 4KB