Analysis
-
max time kernel
122s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 12:40
Behavioral task
behavioral1
Sample
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Resource
win10v2004-20220414-en
General
-
Target
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
-
Size
742KB
-
MD5
7b4ad9815aa9ffb197aa5ba3a545136e
-
SHA1
811fc574e57f7d4de796d8e3e1b090f7fb8a3ff6
-
SHA256
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c
-
SHA512
adf05818c131811f40b6b24c376a4861d5e292144647b5d1383d110a6db9120e92a4847b0ab2363378ff1aead7b9281e546e600049b98d7297bdb8cdf1cfbe28
Malware Config
Extracted
darkcomet
Sazan
192.168.1.105:1604
DC_MUTEX-KWRE19J
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
dhFX5VGm1dAU
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe -
Executes dropped EXE 1 IoCs
Processes:
msdcsc.exepid process 3616 msdcsc.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exemsdcsc.exedescription pid process Token: SeIncreaseQuotaPrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeSecurityPrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeTakeOwnershipPrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeLoadDriverPrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeSystemProfilePrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeSystemtimePrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeProfSingleProcessPrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeIncBasePriorityPrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeCreatePagefilePrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeBackupPrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeRestorePrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeShutdownPrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeDebugPrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeSystemEnvironmentPrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeChangeNotifyPrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeRemoteShutdownPrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeUndockPrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeManageVolumePrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeImpersonatePrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeCreateGlobalPrivilege 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: 33 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: 34 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: 35 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: 36 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe Token: SeIncreaseQuotaPrivilege 3616 msdcsc.exe Token: SeSecurityPrivilege 3616 msdcsc.exe Token: SeTakeOwnershipPrivilege 3616 msdcsc.exe Token: SeLoadDriverPrivilege 3616 msdcsc.exe Token: SeSystemProfilePrivilege 3616 msdcsc.exe Token: SeSystemtimePrivilege 3616 msdcsc.exe Token: SeProfSingleProcessPrivilege 3616 msdcsc.exe Token: SeIncBasePriorityPrivilege 3616 msdcsc.exe Token: SeCreatePagefilePrivilege 3616 msdcsc.exe Token: SeBackupPrivilege 3616 msdcsc.exe Token: SeRestorePrivilege 3616 msdcsc.exe Token: SeShutdownPrivilege 3616 msdcsc.exe Token: SeDebugPrivilege 3616 msdcsc.exe Token: SeSystemEnvironmentPrivilege 3616 msdcsc.exe Token: SeChangeNotifyPrivilege 3616 msdcsc.exe Token: SeRemoteShutdownPrivilege 3616 msdcsc.exe Token: SeUndockPrivilege 3616 msdcsc.exe Token: SeManageVolumePrivilege 3616 msdcsc.exe Token: SeImpersonatePrivilege 3616 msdcsc.exe Token: SeCreateGlobalPrivilege 3616 msdcsc.exe Token: 33 3616 msdcsc.exe Token: 34 3616 msdcsc.exe Token: 35 3616 msdcsc.exe Token: 36 3616 msdcsc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
msdcsc.exepid process 3616 msdcsc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exedescription pid process target process PID 2204 wrote to memory of 3616 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe msdcsc.exe PID 2204 wrote to memory of 3616 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe msdcsc.exe PID 2204 wrote to memory of 3616 2204 a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe msdcsc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe"C:\Users\Admin\AppData\Local\Temp\a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
742KB
MD57b4ad9815aa9ffb197aa5ba3a545136e
SHA1811fc574e57f7d4de796d8e3e1b090f7fb8a3ff6
SHA256a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c
SHA512adf05818c131811f40b6b24c376a4861d5e292144647b5d1383d110a6db9120e92a4847b0ab2363378ff1aead7b9281e546e600049b98d7297bdb8cdf1cfbe28
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
742KB
MD57b4ad9815aa9ffb197aa5ba3a545136e
SHA1811fc574e57f7d4de796d8e3e1b090f7fb8a3ff6
SHA256a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c
SHA512adf05818c131811f40b6b24c376a4861d5e292144647b5d1383d110a6db9120e92a4847b0ab2363378ff1aead7b9281e546e600049b98d7297bdb8cdf1cfbe28
-
memory/3616-130-0x0000000000000000-mapping.dmp