Analysis

Max time kernel: 4294213s
Max time network: 134s
Platform: windows7_x64
Resource: win7-20220311-en
Submitted: 28-03-2022 14:28

Static task: static1
Behavioral task: behavioral1
Sample: eab3fbe0ffb03366b67145f3e3c49d425c373bdef029ff3602b59e9580285e6c.exe
Resource: win7-20220311-en
General

Target: eab3fbe0ffb03366b67145f3e3c49d425c373bdef029ff3602b59e9580285e6c.exe
Size: 1.1MB
MD5: 3fe1770420f1625c60a395e91b665ea6
SHA1: 55a317a2ef7e3e18b94d69bfb86bb25c10a31a7b
SHA256: eab3fbe0ffb03366b67145f3e3c49d425c373bdef029ff3602b59e9580285e6c
SHA512: dbafbf8f46d04d3a37b22bbf2bd6c13a3b04fbe5cac7d075cc00cc1befa7db8667497fc048b96ea43286d397ec20fbf5fe35794600bf6099dc9cc6f2d4bfcb62
Malware Config

Extracted family: darkcomet
Botnet: Sazan
C2: adm44.duckdns.org:1604
Mutex: DC_MUTEX-5LRPLCA
InstallPath: MSDCSC\msdcsc.exe
gencode: ADsR0jwEcc6b
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  aa.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Executes dropped EXE (2 IoCs)
  PID 672 aa.exe
  PID 1836 msdcsc.exe

Loads dropped DLL (4 IoCs)
  PID 1824 eab3fbe0ffb03366b67145f3e3c49d425c373bdef029ff3602b59e9580285e6c.exe (2 loads)
  PID 672 aa.exe (2 loads)

Adds Run key to start application (2 TTPs, 2 IoCs)
  aa.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  msdcsc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1836 msdcsc.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  PID 672 aa.exe and PID 1836 msdcsc.exe each adjust the same 23 token privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1836 msdcsc.exe

Suspicious use of WriteProcessMemory (64 IoCs; repeated identical entries collapsed, source -> target)
  PID 1824 eab3fbe0ffb03366b67145f3e3c49d425c373bdef029ff3602b59e9580285e6c.exe -> PID 672 aa.exe
  PID 672 aa.exe -> PID 1596 cmd.exe
  PID 672 aa.exe -> PID 1664 cmd.exe
  PID 672 aa.exe -> PID 1840 notepad.exe
  PID 672 aa.exe -> PID 1836 msdcsc.exe
  PID 1664 cmd.exe -> PID 1328 attrib.exe
  PID 1596 cmd.exe -> PID 1036 attrib.exe
  PID 1836 msdcsc.exe -> PID 884 notepad.exe

Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 1328 attrib.exe
  PID 1036 attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\eab3fbe0ffb03366b67145f3e3c49d425c373bdef029ff3602b59e9580285e6c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eab3fbe0ffb03366b67145f3e3c49d425c373bdef029ff3602b59e9580285e6c.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\aa.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aa.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\aa.exe" +s +h
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\aa.exe" +s +h
        - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Views/modifies file attributes

    C:\Windows\SysWOW64\notepad.exe
      Command line: notepad

    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\notepad.exe
        Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\aa.exe (also listed as \Users\Admin\AppData\Local\Temp\aa.exe; all four entries in the report are identical)
  Filesize: 864KB
  MD5: 864aba87aed3af2b99ed39b10796f407
  SHA1: e66f968111d8bd5fe2cb7fb2e5e0ebb36d5d51bc
  SHA256: e52d1bc3cfa5af2157f1f3ef2b04b9f03619696920114eb02b36919c40f0286e
  SHA512: ee19af44fe33c4bf8c597853f7443ef49fe6c5899806850346c368e1c74d60fd7dbc3c925be240d2ce6d2c20ff6156263f93a68c0bb28b541c0a5e38235727d8

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (also listed as \Users\Admin\Documents\MSDCSC\msdcsc.exe; same size and hashes as aa.exe above, i.e. a copy of the dropped file)
  Filesize: 864KB
  MD5: 864aba87aed3af2b99ed39b10796f407
  SHA1: e66f968111d8bd5fe2cb7fb2e5e0ebb36d5d51bc
  SHA256: e52d1bc3cfa5af2157f1f3ef2b04b9f03619696920114eb02b36919c40f0286e
  SHA512: ee19af44fe33c4bf8c597853f7443ef49fe6c5899806850346c368e1c74d60fd7dbc3c925be240d2ce6d2c20ff6156263f93a68c0bb28b541c0a5e38235727d8
memory/672-57-0x0000000000000000-mapping.dmp
memory/672-59-0x0000000075271000-0x0000000075273000-memory.dmp (Filesize: 8KB)
memory/884-101-0x0000000000000000-mapping.dmp
memory/1036-72-0x0000000000000000-mapping.dmp
memory/1328-71-0x0000000000000000-mapping.dmp
memory/1596-61-0x0000000000000000-mapping.dmp
memory/1664-62-0x0000000000000000-mapping.dmp
memory/1824-54-0x0000000000EF0000-0x0000000000EFA000-memory.dmp (Filesize: 40KB)
memory/1836-97-0x0000000000000000-mapping.dmp
memory/1840-63-0x0000000000000000-mapping.dmp
memory/1840-64-0x0000000000080000-0x0000000000081000-memory.dmp (Filesize: 4KB)