Analysis
- max time kernel: 154s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-06-2022 17:52
Behavioral task: behavioral1
- Sample: ZulaHax.exe
- Resource: win7-20220414-en
General
- Target: ZulaHax.exe
- Size: 659KB
- MD5: 949573ea355757e37f217798fd335478
- SHA1: ba103d18dd84409cd2cba837ae64d42ec75613e7
- SHA256: 222e2ddd2cd5cb4156b9d1845c833d644d8a62d367004a271f6ec290a8aa2fb3
- SHA512: ba7174bd8d6cb88066a7c18a1cd57b603680bfee9a94bf2ceca7a0784246f2e3a35f1856f91e3b9973f7a576cf8366fc3d10ee0268f80a3f077c174b4d2a2881
Malware Config
Extracted
- Family: darkcomet
- Botnet: Sazan
- C2: sussysdfffdfff343.duckdns.org:1604
- Mutex: DC_MUTEX-5BJ61CT
- InstallPath: MSDCSC\msdcsc.exe (resolved to C:\Users\Admin\Documents\MSDCSC\msdcsc.exe in this run)
- gencode: hSQMSMbHss9o
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Note: 1604 is DarkComet's default listener port, and duckdns.org is a dynamic-DNS service, so the hostname is the durable indicator and any IP it resolves to should be treated as transient.
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: ZulaHax.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  Note: the default UserInit value is userinit.exe alone; appending msdcsc.exe makes Winlogon launch the implant at every interactive logon (ATT&CK T1547.004).
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process: msdcsc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
  Note: EnableFirewall = 0 switches the Windows Firewall off for the standard profile (T1562.004). DisableNotifications = 0 is the default value (notifications stay on), so only the first write is the actual evasion.
- Modifies security service (2 TTPs, 1 IoC)
  Process: msdcsc.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
  Note: Start = 4 is SERVICE_DISABLED; the Security Center service (wscsvc) will not start at the next boot.
- Windows security bypass (2 IoCs)
  Process: msdcsc.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Note: these values suppress the Security Center warnings that antivirus or Windows Update is turned off.
- Disables RegEdit via registry modification (1 IoC)
  Process: msdcsc.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
  Note: this is a per-user policy under the logged-on user's SID; regedit.exe refuses to start for that account only.
- Executes dropped EXE (1 IoC)
  Process: msdcsc.exe (PID 1692)
- Loads dropped DLL (2 IoCs)
  Process: ZulaHax.exe (PID 1472), two loads
- Windows security modification (2 IoCs)
  Process: msdcsc.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  (the same two writes as under Windows security bypass; the sandbox reports them under both signatures)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: msdcsc.exe, ZulaHax.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (written by msdcsc.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (written by ZulaHax.exe)
  Note: the value name matches the reg_key field (MicroUpdate) of the extracted config (T1547.001).
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; for a DarkComet sample it is consistent with the RAT enumerating drives for its file-manager function rather than with encryption.
-
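The registry writes listed in the signatures above are the detection-relevant part of this report. What follows is an added example, not part of the sandbox output and not DarkComet code: a small Python detector that parses registry-write events in the report's own `Set value (type) <path> = "<value>" <process>` format and classifies each against the techniques the signatures describe (UserInit chaining, firewall disable, wscsvc disabled, Security Center notification suppression, DisableRegistryTools, Run key pointing into a user profile). The event lines are constructed from the values on this page plus one default-UserInit line to show a non-hit; the ATT&CK IDs are a mapping added here, not something the sandbox emits.

```python
"""Classify sandbox registry-write events against the techniques this report flags.

Added example, not part of the sandbox report or of DarkComet itself. Events are
parsed from the report's own line format:
    Set value (<type>) <registry path> = "<value>" <writing process>
The ATT&CK IDs are a mapping added here, not something the sandbox emits.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Event lines constructed from the IoCs on this page, plus one line with the
# default UserInit value (written by explorer.exe) to show a non-hit.
# Backslashes inside values are doubled, as the sandbox prints them.
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" ZulaHax.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe
Set value (int) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," explorer.exe
'''

EVENT_RE = re.compile(
    r'^Set value \((?P<type>str|int)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<process>\S+)$'
)


@dataclass(frozen=True)
class RegWrite:
    key: str      # parent key, lower-cased, e.g. ...\winlogon
    name: str     # value name, lower-cased, e.g. userinit
    value: str    # value with the report's doubled backslashes undone
    process: str  # image name of the writing process


def parse_events(text: str) -> list[RegWrite]:
    """Parse every well-formed event line; anything else is skipped."""
    events: list[RegWrite] = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        key, _, name = m.group("path").rpartition("\\")
        value = m.group("value").replace("\\\\", "\\")
        events.append(RegWrite(key.lower(), name.lower(), value, m.group("process")))
    return events


def classify(ev: RegWrite) -> Optional[tuple[str, str]]:
    """Return (ATT&CK technique, reason) for a suspicious write, else None."""
    val = ev.value
    if ev.key.endswith(r"\winlogon") and ev.name == "userinit":
        # The default is "C:\Windows\system32\userinit.exe," with nothing after the comma.
        extra = [p for p in val.split(",") if p and not p.lower().endswith(r"\userinit.exe")]
        if extra:
            return ("T1547.004", "Winlogon UserInit chains extra binaries: " + ", ".join(extra))
        return None
    if ev.key.endswith(r"\firewallpolicy\standardprofile") and ev.name == "enablefirewall" and val == "0":
        return ("T1562.004", "Windows Firewall disabled for the standard profile")
    if ev.key.endswith(r"\services\wscsvc") and ev.name == "start" and val == "4":
        return ("T1562.001", "Security Center service (wscsvc) set to SERVICE_DISABLED")
    if ev.key.endswith(r"\security center") and ev.name.endswith("disablenotify") and val == "1":
        return ("T1562.001", "Security Center notification suppressed: " + ev.name)
    if ev.key.endswith(r"\policies\system") and ev.name == "disableregistrytools" and val == "1":
        return ("T1112", "Registry Editor disabled for the user")
    if ev.key.endswith((r"\currentversion\run", r"\currentversion\runonce")) and "\\users\\" in val.lower():
        return ("T1547.001", f"Run key '{ev.name}' launches a binary from a user profile: {val}")
    return None


def detect(text: str) -> list[tuple[str, str, str]]:
    """Return (technique, writing process, reason) for each suspicious event, in input order."""
    hits: list[tuple[str, str, str]] = []
    for ev in parse_events(text):
        verdict = classify(ev)
        if verdict:
            hits.append((verdict[0], ev.process, verdict[1]))
    return hits


if __name__ == "__main__":
    for technique, proc, reason in detect(SAMPLE_EVENTS):
        print(f"{technique:10} {proc:12} {reason}")
```

The UserInit rule keys on the value's content rather than on the write itself, because legitimate software rarely touches that value but the default write (userinit.exe followed by a trailing comma) does occur; the Run-key rule fires on any value living under \Users\, which is a broad but useful triage signal for unsigned persistence in user-writable paths.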
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  ZulaHax.exe (PID 1472) and msdcsc.exe (PID 1692) each enabled the same 23 privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges with LUID 33, 34 and 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege).
  Note: this is the standard privilege set of an elevated administrator token enabled wholesale, which is why the identical list appears for both processes; SeDebugPrivilege is the one that matters for the WriteProcessMemory activity below.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: msdcsc.exe (PID 1692)
  Note: consistent with offline_keylogger = true in the extracted config; a Windows hook is the usual way a user-mode keylogger captures input.
- Suspicious use of WriteProcessMemory (35 IoCs)
  Writer -> target (number of writes):
  ZulaHax.exe (PID 1472) -> msdcsc.exe (PID 1692): 4
  msdcsc.exe (PID 1692) -> iexplore.exe (PID 1932): 4
  msdcsc.exe (PID 1692) -> explorer.exe (PID 1800): 4
  msdcsc.exe (PID 1692) -> notepad.exe (PID 1924): 23
  Note: every child the writer spawned receives exactly four writes; notepad.exe receives 23 and is the outlier to examine for injected code.
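The WriteProcessMemory list above is the raw material for an injection graph. The following is an added example, not part of the sandbox report or of DarkComet: it parses the report's `PID <src> wrote to memory of <dst> <src> <src image> <dst image>` records (which the sandbox runs together on one line), counts writes per writer-to-target edge, flags writes into Windows built-ins or above a write-count threshold, and walks the chain from the root process to its leaves. The sample input is constructed to reproduce the four edges and 35 writes shown on this page; BUILTIN_TARGETS and the threshold of 8 are assumptions chosen for illustration.

```python
"""Reconstruct the injection chain from the report's WriteProcessMemory events.

Added example, not part of the sandbox report or of DarkComet. The sandbox lists
each write as
    PID <src> wrote to memory of <dst> <src> <src image> <dst image>
run together on one line. This turns that list into a writer->target graph with
per-edge write counts, flags writes into Windows built-ins, and walks the chain
from the root process to the leaves.
"""
from __future__ import annotations

import re
from collections import Counter
from typing import Tuple

WRITE_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)

# Images that are common injection hosts (assumed list for illustration); any
# write into them from a user-land binary is worth an alert regardless of count.
BUILTIN_TARGETS = {"explorer.exe", "iexplore.exe", "notepad.exe", "svchost.exe"}

# Constructed from the 35 IoCs on this page: the same four edges with the same counts.
SAMPLE = (
    "PID 1472 wrote to memory of 1692 1472 ZulaHax.exe msdcsc.exe " * 4
    + "PID 1692 wrote to memory of 1932 1692 msdcsc.exe iexplore.exe " * 4
    + "PID 1692 wrote to memory of 1800 1692 msdcsc.exe explorer.exe " * 4
    + "PID 1692 wrote to memory of 1924 1692 msdcsc.exe notepad.exe " * 23
)

Edge = Tuple[int, str, int, str]  # (src pid, src image, dst pid, dst image)


def build_graph(text: str) -> Counter[Edge]:
    """Count WriteProcessMemory calls per writer->target edge."""
    edges: Counter[Edge] = Counter()
    for m in WRITE_RE.finditer(text):
        edges[(int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"])] += 1
    return edges


def flag_injections(edges: Counter[Edge], min_writes: int = 8) -> list[str]:
    """One alert per edge that targets a built-in image or exceeds min_writes.

    The same small count (4 in this report) appears for every child the writer
    spawned, so the threshold separates that baseline from bulk code injection.
    """
    alerts: list[str] = []
    for (src, src_img, dst, dst_img), n in sorted(edges.items()):
        if dst_img.lower() in BUILTIN_TARGETS:
            alerts.append(f"{src_img}({src}) -> {dst_img}({dst}): {n} writes into a Windows built-in")
        elif n >= min_writes:
            alerts.append(f"{src_img}({src}) -> {dst_img}({dst}): {n} writes, above threshold")
    return alerts


def chains(edges: Counter[Edge]) -> list[list[str]]:
    """Root-to-leaf writer chains, e.g. ZulaHax.exe(1472) -> msdcsc.exe(1692) -> notepad.exe(1924)."""
    names: dict[int, str] = {}
    children: dict[int, set[int]] = {}
    written_to: set[int] = set()
    for src, src_img, dst, dst_img in edges:
        names[src], names[dst] = src_img, dst_img
        children.setdefault(src, set()).add(dst)
        written_to.add(dst)
    roots = sorted(p for p in children if p not in written_to)

    paths: list[list[str]] = []

    def walk(pid: int, path: list[str]) -> None:
        path = path + [f"{names[pid]}({pid})"]
        kids = children.get(pid)
        if not kids:
            paths.append(path)
            return
        for kid in sorted(kids):
            walk(kid, path)

    for root in roots:
        walk(root, [])
    return paths


if __name__ == "__main__":
    graph = build_graph(SAMPLE)
    for alert in flag_injections(graph):
        print(alert)
    for path in chains(graph):
        print(" -> ".join(path))
```

Run stand-alone it prints three alerts (the three built-in targets) and three chains, all rooted at ZulaHax.exe(1472) and passing through msdcsc.exe(1692); the four writes from ZulaHax.exe into msdcsc.exe stay below the threshold and are not flagged.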
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\ZulaHax.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ZulaHax.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    - [3] C:\Windows\explorer.exe
      Command line: "C:\Windows\explorer.exe"
    - [3] C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize: 659KB
MD5: 949573ea355757e37f217798fd335478
SHA1: ba103d18dd84409cd2cba837ae64d42ec75613e7
SHA256: 222e2ddd2cd5cb4156b9d1845c833d644d8a62d367004a271f6ec290a8aa2fb3
SHA512: ba7174bd8d6cb88066a7c18a1cd57b603680bfee9a94bf2ceca7a0784246f2e3a35f1856f91e3b9973f7a576cf8366fc3d10ee0268f80a3f077c174b4d2a2881
Note: identical to the submitted ZulaHax.exe in size and every hash; the implant copies itself unchanged to the InstallPath.
-
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize: 659KB
MD5: 949573ea355757e37f217798fd335478
SHA1: ba103d18dd84409cd2cba837ae64d42ec75613e7
SHA256: 222e2ddd2cd5cb4156b9d1845c833d644d8a62d367004a271f6ec290a8aa2fb3
SHA512: ba7174bd8d6cb88066a7c18a1cd57b603680bfee9a94bf2ceca7a0784246f2e3a35f1856f91e3b9973f7a576cf8366fc3d10ee0268f80a3f077c174b4d2a2881
-
memory/1472-54-0x0000000074F21000-0x0000000074F23000-memory.dmp
Filesize: 8KB
-
memory/1692-57-0x0000000000000000-mapping.dmp
-
memory/1924-61-0x0000000000000000-mapping.dmp