Analysis
-
max time kernel
146s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 12:40
Behavioral task
behavioral1
Sample
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Resource
win10v2004-20220414-en
General
-
Target
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
-
Size
742KB
-
MD5
7b4ad9815aa9ffb197aa5ba3a545136e
-
SHA1
811fc574e57f7d4de796d8e3e1b090f7fb8a3ff6
-
SHA256
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c
-
SHA512
adf05818c131811f40b6b24c376a4861d5e292144647b5d1383d110a6db9120e92a4847b0ab2363378ff1aead7b9281e546e600049b98d7297bdb8cdf1cfbe28
Malware Config
Extracted
darkcomet
Sazan
192.168.1.105:1604
DC_MUTEX-KWRE19J
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
dhFX5VGm1dAU
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe -
Executes dropped EXE 1 IoCs
Processes:
msdcsc.exepid process 1964 msdcsc.exe -
Loads dropped DLL 2 IoCs
Processes:
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exepid process 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exemsdcsc.exedescription pid process Token: SeIncreaseQuotaPrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeSecurityPrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeTakeOwnershipPrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeLoadDriverPrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeSystemProfilePrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeSystemtimePrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeProfSingleProcessPrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeIncBasePriorityPrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeCreatePagefilePrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeBackupPrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeRestorePrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeShutdownPrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeDebugPrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeSystemEnvironmentPrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeChangeNotifyPrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeRemoteShutdownPrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeUndockPrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeManageVolumePrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeImpersonatePrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeCreateGlobalPrivilege 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: 33 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: 34 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: 35 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeIncreaseQuotaPrivilege 1964 msdcsc.exe Token: SeSecurityPrivilege 1964 msdcsc.exe Token: SeTakeOwnershipPrivilege 1964 msdcsc.exe Token: SeLoadDriverPrivilege 1964 msdcsc.exe Token: SeSystemProfilePrivilege 1964 msdcsc.exe Token: SeSystemtimePrivilege 1964 msdcsc.exe Token: SeProfSingleProcessPrivilege 1964 msdcsc.exe Token: SeIncBasePriorityPrivilege 1964 msdcsc.exe Token: SeCreatePagefilePrivilege 1964 msdcsc.exe Token: SeBackupPrivilege 1964 msdcsc.exe Token: SeRestorePrivilege 1964 msdcsc.exe Token: SeShutdownPrivilege 1964 msdcsc.exe Token: SeDebugPrivilege 1964 msdcsc.exe Token: SeSystemEnvironmentPrivilege 1964 msdcsc.exe Token: SeChangeNotifyPrivilege 1964 msdcsc.exe Token: SeRemoteShutdownPrivilege 1964 msdcsc.exe Token: SeUndockPrivilege 1964 msdcsc.exe Token: SeManageVolumePrivilege 1964 msdcsc.exe Token: SeImpersonatePrivilege 1964 msdcsc.exe Token: SeCreateGlobalPrivilege 1964 msdcsc.exe Token: 33 1964 msdcsc.exe Token: 34 1964 msdcsc.exe Token: 35 1964 msdcsc.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
DllHost.exepid process 972 DllHost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
msdcsc.exepid process 1964 msdcsc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exedescription pid process target process PID 1504 wrote to memory of 1964 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe msdcsc.exe PID 1504 wrote to memory of 1964 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe msdcsc.exe PID 1504 wrote to memory of 1964 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe msdcsc.exe PID 1504 wrote to memory of 1964 1504 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe msdcsc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe"C:\Users\Admin\AppData\Local\Temp\a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MAXRESDEFAULT.JPGFilesize
84KB
MD54fc9cda82e170c79dec1ace4c512801c
SHA1077fc47cc9ff408747bb9823c18ad0e2833eac55
SHA2569aed45e811acdb42763323e60dfa9b1e28fc6df520cc5a525c013335d82cebba
SHA5123ca4ce50fd1a938225cd60fa15efd31007c7ccfb6ea2bc05cda499414ba35213a13e9631678690aaf2d8b1940993cfa34f42353ea4f0d7970f67acc48a572e17
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
742KB
MD57b4ad9815aa9ffb197aa5ba3a545136e
SHA1811fc574e57f7d4de796d8e3e1b090f7fb8a3ff6
SHA256a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c
SHA512adf05818c131811f40b6b24c376a4861d5e292144647b5d1383d110a6db9120e92a4847b0ab2363378ff1aead7b9281e546e600049b98d7297bdb8cdf1cfbe28
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
742KB
MD57b4ad9815aa9ffb197aa5ba3a545136e
SHA1811fc574e57f7d4de796d8e3e1b090f7fb8a3ff6
SHA256a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c
SHA512adf05818c131811f40b6b24c376a4861d5e292144647b5d1383d110a6db9120e92a4847b0ab2363378ff1aead7b9281e546e600049b98d7297bdb8cdf1cfbe28
-
\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
742KB
MD57b4ad9815aa9ffb197aa5ba3a545136e
SHA1811fc574e57f7d4de796d8e3e1b090f7fb8a3ff6
SHA256a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c
SHA512adf05818c131811f40b6b24c376a4861d5e292144647b5d1383d110a6db9120e92a4847b0ab2363378ff1aead7b9281e546e600049b98d7297bdb8cdf1cfbe28
-
\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
742KB
MD57b4ad9815aa9ffb197aa5ba3a545136e
SHA1811fc574e57f7d4de796d8e3e1b090f7fb8a3ff6
SHA256a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c
SHA512adf05818c131811f40b6b24c376a4861d5e292144647b5d1383d110a6db9120e92a4847b0ab2363378ff1aead7b9281e546e600049b98d7297bdb8cdf1cfbe28
-
memory/1504-54-0x0000000075271000-0x0000000075273000-memory.dmpFilesize
8KB
-
memory/1964-58-0x0000000000000000-mapping.dmp