Analysis
Max time kernel: 152s
Max time network: 43s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 20-05-2022 22:38
Behavioral task: behavioral1
Sample: d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe
Resource: win7-20220414-en
General
Target: d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe
Size: 658KB
MD5: 4d693fde464e00a60c0c87d8a8c4e27c
SHA1: 9efd17718385a0445d40ce1c3de86b9bd18a33a0
SHA256: d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2
SHA512: 05e358afa6d9419a501125cc57fe8976cddf1b358a7a30d8158d08b439379e00d068e8c8dcde6e65de98a19bedb3ae6521ce412835c7a64348438f05042eaab4
Malware Config
Extracted family: darkcomet
Botnet: Guest16
C2: sasha8787.hopto.org:1604
Mutex: DC_MUTEX-0E94YVE
InstallPath: MSDCSC\msdcsc.exe
gencode: jc8H9yZoi6Sf
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" | d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe
Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: msdcsc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
Modifies security service (2 TTPs, 1 IoC)
Process: msdcsc.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | msdcsc.exe
Disables RegEdit via registry modification
Executes dropped EXE (1 IoC)
Process: msdcsc.exe
  pid | process
  1040 | msdcsc.exe
Loads dropped DLL (2 IoCs)
Process: d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe
  pid | process
  1884 | d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe
  1884 | d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe
Windows security modification (2 IoCs)
Process: msdcsc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: msdcsc.exe, d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" | msdcsc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" | d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: msdcsc.exe
  pid | process
  1040 | msdcsc.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe (pid 1884), msdcsc.exe (pid 1040)
Each of the two processes adjusted the same 23 token privileges, in this order (23 x 2 = 46 IoCs):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
  SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
  SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
  SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege,
  SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege,
  33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoC)
Process: msdcsc.exe
  pid | process
  1040 | msdcsc.exe
Suspicious use of WriteProcessMemory (43 IoCs)
Processes: d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe, cmd.exe, cmd.exe, msdcsc.exe
  pid | process | target pid | target process | occurrences
  1884 | d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe | 1532 | cmd.exe | 4
  1884 | d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe | 276 | cmd.exe | 4
  1884 | d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe | 1040 | msdcsc.exe | 4
  276 | cmd.exe | 320 | attrib.exe | 4
  1532 | cmd.exe | 316 | attrib.exe | 4
  1040 | msdcsc.exe | 1692 | notepad.exe | 23
System policy modification (1 TTP, 3 IoCs)
Process: msdcsc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe, attrib.exe
  pid | process
  320 | attrib.exe
  316 | attrib.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe"
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe" +s +h
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Local\Temp\d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2.exe" +s +h
            - Views/modifies file attributes

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            - Views/modifies file attributes

    [2] C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
        Command line: "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
        - Modifies firewall policy service
        - Modifies security service
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification

        [3] C:\Windows\SysWOW64\notepad.exe
            Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
  Filesize: 658KB
  MD5: 4d693fde464e00a60c0c87d8a8c4e27c
  SHA1: 9efd17718385a0445d40ce1c3de86b9bd18a33a0
  SHA256: d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2
  SHA512: 05e358afa6d9419a501125cc57fe8976cddf1b358a7a30d8158d08b439379e00d068e8c8dcde6e65de98a19bedb3ae6521ce412835c7a64348438f05042eaab4

\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
  Filesize: 658KB
  MD5: 4d693fde464e00a60c0c87d8a8c4e27c
  SHA1: 9efd17718385a0445d40ce1c3de86b9bd18a33a0
  SHA256: d8aeefe49869abecc7719bedc0eed1e0630a1c4d9208db72a06be52c9e6343f2
  SHA512: 05e358afa6d9419a501125cc57fe8976cddf1b358a7a30d8158d08b439379e00d068e8c8dcde6e65de98a19bedb3ae6521ce412835c7a64348438f05042eaab4

memory/276-56-0x0000000000000000-mapping.dmp
memory/316-61-0x0000000000000000-mapping.dmp
memory/320-60-0x0000000000000000-mapping.dmp
memory/1040-59-0x0000000000000000-mapping.dmp
memory/1532-55-0x0000000000000000-mapping.dmp
memory/1692-65-0x0000000000000000-mapping.dmp
memory/1884-54-0x00000000759E1000-0x00000000759E3000-memory.dmp
  Filesize: 8KB