Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 00:42

Behavioral task: behavioral1
- Sample: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
- Resource: win7-20220414-en
General
- Target: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
- Size: 659KB
- MD5: 6ea013f9f0eb1aa74f82928a81ecffd1
- SHA1: 9c23422cfa55dea80866774ea16c019226175449
- SHA256: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b
- SHA512: 888ef5266a4f761965aa176ddf7b8ae8b699f4b2ec7ab589679fad2f5fdd37b80da7d5d3290ed3f6ba1d29b60a338e7463e71f6c5e0ec7a491996977eda0eed5
Malware Config
Extracted
- Family: darkcomet
- Botnet: Sazan
- C2: 0.tcp.ngrok.io:10277
- Mutex: DC_MUTEX-CYFYV25
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 834bxKalF1Bf
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures
-
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe

- Modifies firewall policy service (2 TTPs, 6 IoCs)
  Processes: iexplore.exe, msdcsc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | iexplore.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | iexplore.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | iexplore.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe

- Modifies security service (2 TTPs, 2 IoCs)
  Processes: msdcsc.exe, iexplore.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | msdcsc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | iexplore.exe

- Executes dropped EXE (1 IoCs)
  Processes: msdcsc.exe
  pid | process
  2008 | msdcsc.exe

- Loads dropped DLL (2 IoCs)
  Processes: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
  pid | process
  1948 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
  1948 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe

- Windows security modification
  Processes: msdcsc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: msdcsc.exe
  description | pid | process | target process
  PID 2008 set thread context of 656 | 2008 | msdcsc.exe | iexplore.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: iexplore.exe
  pid | process
  656 | iexplore.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs, one per privilege listed)
  Processes: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe, msdcsc.exe, iexplore.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 1948 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 2008 | msdcsc.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege | 656 | iexplore.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: iexplore.exe
  pid | process
  656 | iexplore.exe

- Suspicious use of WriteProcessMemory (49 IoCs; identical rows collapsed, count in the last column)
  Processes: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe, cmd.exe, cmd.exe, msdcsc.exe, iexplore.exe
  description | pid | process | target process | entries
  PID 1948 wrote to memory of 1880 | 1948 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe | cmd.exe | 4
  PID 1948 wrote to memory of 1176 | 1948 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe | cmd.exe | 4
  PID 1880 wrote to memory of 1116 | 1880 | cmd.exe | attrib.exe | 4
  PID 1176 wrote to memory of 1040 | 1176 | cmd.exe | attrib.exe | 4
  PID 1948 wrote to memory of 2008 | 1948 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe | msdcsc.exe | 4
  PID 2008 wrote to memory of 656 | 2008 | msdcsc.exe | iexplore.exe | 6
  PID 656 wrote to memory of 240 | 656 | iexplore.exe | notepad.exe | 23

- System policy modification (1 TTPs, 3 IoCs)
  Processes: msdcsc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe

- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  pid | process
  1116 | attrib.exe
  1040 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe" +s +h
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe" +s +h
      - Views/modifies file attributes

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes

  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\notepad.exe
        Command line: notepad
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 659KB
  MD5: 6ea013f9f0eb1aa74f82928a81ecffd1
  SHA1: 9c23422cfa55dea80866774ea16c019226175449
  SHA256: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b
  SHA512: 888ef5266a4f761965aa176ddf7b8ae8b699f4b2ec7ab589679fad2f5fdd37b80da7d5d3290ed3f6ba1d29b60a338e7463e71f6c5e0ec7a491996977eda0eed5

- \Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 659KB
  MD5: 6ea013f9f0eb1aa74f82928a81ecffd1
  SHA1: 9c23422cfa55dea80866774ea16c019226175449
  SHA256: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b
  SHA512: 888ef5266a4f761965aa176ddf7b8ae8b699f4b2ec7ab589679fad2f5fdd37b80da7d5d3290ed3f6ba1d29b60a338e7463e71f6c5e0ec7a491996977eda0eed5

- memory/240-65-0x0000000000000000-mapping.dmp
- memory/1040-58-0x0000000000000000-mapping.dmp
- memory/1116-57-0x0000000000000000-mapping.dmp
- memory/1176-56-0x0000000000000000-mapping.dmp
- memory/1880-55-0x0000000000000000-mapping.dmp
- memory/1948-54-0x0000000075401000-0x0000000075403000-memory.dmp
  Filesize: 8KB
- memory/2008-61-0x0000000000000000-mapping.dmp