Analysis
- max time kernel: 160s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-06-2022 17:47
Behavioral task: behavioral1
- Sample: ZulaHax.exe
- Resource: win7-20220414-en
General
- Target: ZulaHax.exe
- Size: 659KB
- MD5: 949573ea355757e37f217798fd335478
- SHA1: ba103d18dd84409cd2cba837ae64d42ec75613e7
- SHA256: 222e2ddd2cd5cb4156b9d1845c833d644d8a62d367004a271f6ec290a8aa2fb3
- SHA512: ba7174bd8d6cb88066a7c18a1cd57b603680bfee9a94bf2ceca7a0784246f2e3a35f1856f91e3b9973f7a576cf8366fc3d10ee0268f80a3f077c174b4d2a2881
Malware Config
Extracted
- Family: darkcomet
- Botnet: Sazan
- C2: sussysdfffdfff343.duckdns.org:1604
- Mutex: DC_MUTEX-5BJ61CT
- InstallPath: MSDCSC\msdcsc.exe
- gencode: hSQMSMbHss9o
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
- ZulaHax.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
Modifies firewall policy service 2 TTPs 6 IoCs
Processes:
- msdcsc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- iexplore.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- iexplore.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- iexplore.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
Modifies security service 2 TTPs 2 IoCs
Processes:
- iexplore.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
Windows security bypass 4 IoCs
Processes:
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- iexplore.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- iexplore.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Disables RegEdit via registry modification 2 IoCs
Processes:
- msdcsc.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Executes dropped EXE 1 IoCs
Processes:
- msdcsc.exe (PID 1164)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- ZulaHax.exe: Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
Windows security modification 2 IoCs
Processes:
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
- ZulaHax.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- msdcsc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- iexplore.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
Suspicious use of SetThreadContext 1 IoCs
Processes:
- msdcsc.exe (PID 1164) set thread context of iexplore.exe (PID 3160)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class 1 IoCs
Processes:
- ZulaHax.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (tokens adjusted, grouped by process):
- ZulaHax.exe (PID 4880), 24 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- msdcsc.exe (PID 1164), 24 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- iexplore.exe (PID 3160), 16 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- iexplore.exe (PID 3160)
Suspicious use of WriteProcessMemory 30 IoCs
Processes (writes grouped by source and target process):
- ZulaHax.exe (PID 4880) wrote to memory of msdcsc.exe (PID 1164): 3 times
- msdcsc.exe (PID 1164) wrote to memory of iexplore.exe (PID 3160): 5 times
- iexplore.exe (PID 3160) wrote to memory of notepad.exe (PID 1500): 22 times
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\ZulaHax.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ZulaHax.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\notepad.exe
        Command line: notepad
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  - Filesize: 659KB
  - MD5: 949573ea355757e37f217798fd335478
  - SHA1: ba103d18dd84409cd2cba837ae64d42ec75613e7
  - SHA256: 222e2ddd2cd5cb4156b9d1845c833d644d8a62d367004a271f6ec290a8aa2fb3
  - SHA512: ba7174bd8d6cb88066a7c18a1cd57b603680bfee9a94bf2ceca7a0784246f2e3a35f1856f91e3b9973f7a576cf8366fc3d10ee0268f80a3f077c174b4d2a2881
- memory/1164-130-0x0000000000000000-mapping.dmp
- memory/1500-133-0x0000000000000000-mapping.dmp