Analysis
- max time kernel: 151s
- max time network: 178s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 17-04-2022 15:19
Behavioral task: behavioral1
- Sample: 8cf4b09c013b583515894483ee4677831da9abdd031215b7129994170108bf47.exe
- Resource: win7-20220414-en
General
- Target: 8cf4b09c013b583515894483ee4677831da9abdd031215b7129994170108bf47.exe
- Size: 658KB
- MD5: 8899aa46145889974270e7e2077d36b8
- SHA1: ccd586872274f37bd9c612594719f83124a26071
- SHA256: 8cf4b09c013b583515894483ee4677831da9abdd031215b7129994170108bf47
- SHA512: 6747a2f7874b711cdc41a2dd76ed3073508cb104cd7f8f7e4a215966ad820417786ace600fff62fa98018b4d8af87d0325ab864519221d71dd0bf958e8d7e3d6
Malware Config
Extracted:
- Family: darkcomet
- Botnet: Sazan
- C2: esxcatty.duckdns.org:1604
- Mutex: DC_MUTEX-8SPQRNE
- InstallPath: MSDCSC\msdcsc.exe
- gencode: s8oBWPt7xvyh
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 8cf4b09c013b583515894483ee4677831da9abdd031215b7129994170108bf47.exe
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  - 1872 | msdcsc.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  - 1664 | 8cf4b09c013b583515894483ee4677831da9abdd031215b7129994170108bf47.exe (2 IoCs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 8cf4b09c013b583515894483ee4677831da9abdd031215b7129994170108bf47.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | msdcsc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes (description | pid | process):
  - Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (one IoC each, 23 in total) | 1664 | 8cf4b09c013b583515894483ee4677831da9abdd031215b7129994170108bf47.exe
  - Token: the same 23 privileges, in the same order (23 IoCs) | 1872 | msdcsc.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
  - 1872 | msdcsc.exe
- Suspicious use of WriteProcessMemory (43 IoCs)
  Processes (description | pid | process | target process), with repeat counts:
  - PID 1664 wrote to memory of 1712 | 1664 | 8cf4b09c013b583515894483ee4677831da9abdd031215b7129994170108bf47.exe | cmd.exe (4 times)
  - PID 1664 wrote to memory of 2012 | 1664 | 8cf4b09c013b583515894483ee4677831da9abdd031215b7129994170108bf47.exe | cmd.exe (4 times)
  - PID 2012 wrote to memory of 1992 | 2012 | cmd.exe | attrib.exe (4 times)
  - PID 1712 wrote to memory of 1880 | 1712 | cmd.exe | attrib.exe (4 times)
  - PID 1664 wrote to memory of 1872 | 1664 | 8cf4b09c013b583515894483ee4677831da9abdd031215b7129994170108bf47.exe | msdcsc.exe (4 times)
  - PID 1872 wrote to memory of 1056 | 1872 | msdcsc.exe | notepad.exe (23 times)
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes (pid | process):
  - 1992 | attrib.exe
  - 1880 | attrib.exe
Processes (indentation shows the parent/child tree)
- C:\Users\Admin\AppData\Local\Temp\8cf4b09c013b583515894483ee4677831da9abdd031215b7129994170108bf47.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8cf4b09c013b583515894483ee4677831da9abdd031215b7129994170108bf47.exe"
  Signatures: Modifies WinLogon for persistence; Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\8cf4b09c013b583515894483ee4677831da9abdd031215b7129994170108bf47.exe" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\8cf4b09c013b583515894483ee4677831da9abdd031215b7129994170108bf47.exe" +s +h
      Signatures: Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures: Views/modifies file attributes
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 658KB
  MD5: 8899aa46145889974270e7e2077d36b8
  SHA1: ccd586872274f37bd9c612594719f83124a26071
  SHA256: 8cf4b09c013b583515894483ee4677831da9abdd031215b7129994170108bf47
  SHA512: 6747a2f7874b711cdc41a2dd76ed3073508cb104cd7f8f7e4a215966ad820417786ace600fff62fa98018b4d8af87d0325ab864519221d71dd0bf958e8d7e3d6
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 658KB
  MD5: 8899aa46145889974270e7e2077d36b8
  SHA1: ccd586872274f37bd9c612594719f83124a26071
  SHA256: 8cf4b09c013b583515894483ee4677831da9abdd031215b7129994170108bf47
  SHA512: 6747a2f7874b711cdc41a2dd76ed3073508cb104cd7f8f7e4a215966ad820417786ace600fff62fa98018b4d8af87d0325ab864519221d71dd0bf958e8d7e3d6
Memory dumps:
- memory/1056-66-0x0000000000080000-0x0000000000081000-memory.dmp (Filesize: 4KB)
- memory/1056-65-0x0000000000000000-mapping.dmp
- memory/1664-54-0x00000000755C1000-0x00000000755C3000-memory.dmp (Filesize: 8KB)
- memory/1712-55-0x0000000000000000-mapping.dmp
- memory/1872-61-0x0000000000000000-mapping.dmp
- memory/1880-58-0x0000000000000000-mapping.dmp
- memory/1992-57-0x0000000000000000-mapping.dmp
- memory/2012-56-0x0000000000000000-mapping.dmp