Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:42
Behavioral task: behavioral1
- Sample: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
- Resource: win7-20220414-en
General
- Target: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
- Size: 659KB
- MD5: 6ea013f9f0eb1aa74f82928a81ecffd1
- SHA1: 9c23422cfa55dea80866774ea16c019226175449
- SHA256: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b
- SHA512: 888ef5266a4f761965aa176ddf7b8ae8b699f4b2ec7ab589679fad2f5fdd37b80da7d5d3290ed3f6ba1d29b60a338e7463e71f6c5e0ec7a491996977eda0eed5
Malware Config
Extracted: darkcomet
- Sazan
- 0.tcp.ngrok.io:10277
- DC_MUTEX-CYFYV25
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 834bxKalF1Bf
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: iexplore.exe, msdcsc.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | iexplore.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | iexplore.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | iexplore.exe
Modifies security service (2 TTPs, 2 IoCs)
Processes: msdcsc.exe, iexplore.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | iexplore.exe
Executes dropped EXE (1 IoC)
Processes: msdcsc.exe
pid | process
1028 | msdcsc.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Windows security modification
Processes: msdcsc.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: msdcsc.exe
description | pid | process | target process
PID 1028 set thread context of 3160 | 1028 | msdcsc.exe | iexplore.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
Processes: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: iexplore.exe
pid | process
3160 | iexplore.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe, msdcsc.exe, iexplore.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeSecurityPrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeTakeOwnershipPrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeLoadDriverPrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeSystemProfilePrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeSystemtimePrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeProfSingleProcessPrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeIncBasePriorityPrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeCreatePagefilePrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeBackupPrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeRestorePrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeShutdownPrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeDebugPrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeSystemEnvironmentPrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeChangeNotifyPrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeRemoteShutdownPrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeUndockPrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeManageVolumePrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeImpersonatePrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeCreateGlobalPrivilege | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: 33 | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: 34 | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: 35 | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: 36 | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Token: SeIncreaseQuotaPrivilege | 1028 | msdcsc.exe
Token: SeSecurityPrivilege | 1028 | msdcsc.exe
Token: SeTakeOwnershipPrivilege | 1028 | msdcsc.exe
Token: SeLoadDriverPrivilege | 1028 | msdcsc.exe
Token: SeSystemProfilePrivilege | 1028 | msdcsc.exe
Token: SeSystemtimePrivilege | 1028 | msdcsc.exe
Token: SeProfSingleProcessPrivilege | 1028 | msdcsc.exe
Token: SeIncBasePriorityPrivilege | 1028 | msdcsc.exe
Token: SeCreatePagefilePrivilege | 1028 | msdcsc.exe
Token: SeBackupPrivilege | 1028 | msdcsc.exe
Token: SeRestorePrivilege | 1028 | msdcsc.exe
Token: SeShutdownPrivilege | 1028 | msdcsc.exe
Token: SeDebugPrivilege | 1028 | msdcsc.exe
Token: SeSystemEnvironmentPrivilege | 1028 | msdcsc.exe
Token: SeChangeNotifyPrivilege | 1028 | msdcsc.exe
Token: SeRemoteShutdownPrivilege | 1028 | msdcsc.exe
Token: SeUndockPrivilege | 1028 | msdcsc.exe
Token: SeManageVolumePrivilege | 1028 | msdcsc.exe
Token: SeImpersonatePrivilege | 1028 | msdcsc.exe
Token: SeCreateGlobalPrivilege | 1028 | msdcsc.exe
Token: 33 | 1028 | msdcsc.exe
Token: 34 | 1028 | msdcsc.exe
Token: 35 | 1028 | msdcsc.exe
Token: 36 | 1028 | msdcsc.exe
Token: SeIncreaseQuotaPrivilege | 3160 | iexplore.exe
Token: SeSecurityPrivilege | 3160 | iexplore.exe
Token: SeTakeOwnershipPrivilege | 3160 | iexplore.exe
Token: SeLoadDriverPrivilege | 3160 | iexplore.exe
Token: SeSystemProfilePrivilege | 3160 | iexplore.exe
Token: SeSystemtimePrivilege | 3160 | iexplore.exe
Token: SeProfSingleProcessPrivilege | 3160 | iexplore.exe
Token: SeIncBasePriorityPrivilege | 3160 | iexplore.exe
Token: SeCreatePagefilePrivilege | 3160 | iexplore.exe
Token: SeBackupPrivilege | 3160 | iexplore.exe
Token: SeRestorePrivilege | 3160 | iexplore.exe
Token: SeShutdownPrivilege | 3160 | iexplore.exe
Token: SeDebugPrivilege | 3160 | iexplore.exe
Token: SeSystemEnvironmentPrivilege | 3160 | iexplore.exe
Token: SeChangeNotifyPrivilege | 3160 | iexplore.exe
Token: SeRemoteShutdownPrivilege | 3160 | iexplore.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: iexplore.exe
pid | process
3160 | iexplore.exe
Suspicious use of WriteProcessMemory (42 IoCs)
Processes: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe, cmd.exe, cmd.exe, msdcsc.exe, iexplore.exe
description | pid | process | target process
PID 4836 wrote to memory of 2188 | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe | cmd.exe
PID 4836 wrote to memory of 2188 | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe | cmd.exe
PID 4836 wrote to memory of 2188 | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe | cmd.exe
PID 4836 wrote to memory of 4740 | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe | cmd.exe
PID 4836 wrote to memory of 4740 | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe | cmd.exe
PID 4836 wrote to memory of 4740 | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe | cmd.exe
PID 2188 wrote to memory of 1668 | 2188 | cmd.exe | attrib.exe
PID 2188 wrote to memory of 1668 | 2188 | cmd.exe | attrib.exe
PID 2188 wrote to memory of 1668 | 2188 | cmd.exe | attrib.exe
PID 4740 wrote to memory of 1044 | 4740 | cmd.exe | attrib.exe
PID 4740 wrote to memory of 1044 | 4740 | cmd.exe | attrib.exe
PID 4740 wrote to memory of 1044 | 4740 | cmd.exe | attrib.exe
PID 4836 wrote to memory of 1028 | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe | msdcsc.exe
PID 4836 wrote to memory of 1028 | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe | msdcsc.exe
PID 4836 wrote to memory of 1028 | 4836 | d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe | msdcsc.exe
PID 1028 wrote to memory of 3160 | 1028 | msdcsc.exe | iexplore.exe
PID 1028 wrote to memory of 3160 | 1028 | msdcsc.exe | iexplore.exe
PID 1028 wrote to memory of 3160 | 1028 | msdcsc.exe | iexplore.exe
PID 1028 wrote to memory of 3160 | 1028 | msdcsc.exe | iexplore.exe
PID 1028 wrote to memory of 3160 | 1028 | msdcsc.exe | iexplore.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
PID 3160 wrote to memory of 3248 | 3160 | iexplore.exe | notepad.exe
System policy modification (1 TTP, 3 IoCs)
Processes: msdcsc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe, attrib.exe
pid | process
1668 | attrib.exe
1044 | attrib.exe
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    (depth 2) C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe" +s +h
        - Suspicious use of WriteProcessMemory

        (depth 3) C:\Windows\SysWOW64\attrib.exe
            command line: attrib "C:\Users\Admin\AppData\Local\Temp\d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe" +s +h
            - Views/modifies file attributes

    (depth 2) C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Suspicious use of WriteProcessMemory

        (depth 3) C:\Windows\SysWOW64\attrib.exe
            command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            - Views/modifies file attributes

    (depth 2) C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        - Modifies firewall policy service
        - Modifies security service
        - Executes dropped EXE
        - Windows security modification
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        (depth 3) C:\Program Files (x86)\Internet Explorer\iexplore.exe
            command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            - Modifies firewall policy service
            - Modifies security service
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            (depth 4) C:\Windows\SysWOW64\notepad.exe
                command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 659KB
  MD5: 6ea013f9f0eb1aa74f82928a81ecffd1
  SHA1: 9c23422cfa55dea80866774ea16c019226175449
  SHA256: d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b
  SHA512: 888ef5266a4f761965aa176ddf7b8ae8b699f4b2ec7ab589679fad2f5fdd37b80da7d5d3290ed3f6ba1d29b60a338e7463e71f6c5e0ec7a491996977eda0eed5
- memory/1028-134-0x0000000000000000-mapping.dmp
- memory/1044-133-0x0000000000000000-mapping.dmp
- memory/1668-132-0x0000000000000000-mapping.dmp
- memory/2188-130-0x0000000000000000-mapping.dmp
- memory/3248-137-0x0000000000000000-mapping.dmp
- memory/4740-131-0x0000000000000000-mapping.dmp