Analysis
- max time kernel: 155s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-06-2022 17:52
Behavioral task: behavioral1
- Sample: ZulaHax.exe
- Resource: win7-20220414-en
General
- Target: ZulaHax.exe
- Size: 659KB
- MD5: 949573ea355757e37f217798fd335478
- SHA1: ba103d18dd84409cd2cba837ae64d42ec75613e7
- SHA256: 222e2ddd2cd5cb4156b9d1845c833d644d8a62d367004a271f6ec290a8aa2fb3
- SHA512: ba7174bd8d6cb88066a7c18a1cd57b603680bfee9a94bf2ceca7a0784246f2e3a35f1856f91e3b9973f7a576cf8366fc3d10ee0268f80a3f077c174b4d2a2881
Malware Config
Extracted
- family: darkcomet
- campaign id: Sazan
- C2: sussysdfffdfff343.duckdns.org:1604
- mutex: DC_MUTEX-5BJ61CT
- InstallPath: MSDCSC\msdcsc.exe
- gencode: hSQMSMbHss9o
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate

Note: duckdns.org is a free dynamic-DNS service, so the C2 host name, not any IP it resolved to during the run, is the durable network indicator; 1604 is DarkComet's default listener port. The InstallPath and reg_key values match the drop location (under the user's Documents folder) and the Run key name recorded in the signatures below.
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | ZulaHax.exe
The legitimate UserInit value is "C:\Windows\system32\userinit.exe,"; every further comma-separated entry is started by Winlogon at each interactive logon, which is how msdcsc.exe survives a reboot even if the Run key is removed.
Modifies firewall policy service 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
The ControlSet001 path is the resolved form of HKLM\SYSTEM\CurrentControlSet (a symbolic link); EnableFirewall = 0 turns the Windows Firewall off for the Standard profile.
Modifies security service 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msdcsc.exe
wscsvc is the Security Center service; Start = 4 is SERVICE_DISABLED, so it will not start at the next boot.
Windows security bypass
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
The WOW6432Node path shows the write came from a 32-bit process on x64 Windows and was redirected by the registry reflector; the 64-bit Security Center reads the non-redirected key, so the suppression likely does not take effect on this platform.
Disables RegEdit via registry modification 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | msdcsc.exe
Executes dropped EXE 1 IoCs
Processes:
pid | process
4436 | msdcsc.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | ZulaHax.exe
Windows security modification
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
(The same two writes also trigger the "Windows security bypass" signature above.)
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | ZulaHax.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | msdcsc.exe
Both the dropper and the dropped copy write the same value; the name MicroUpdate is the reg_key from the extracted config.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic heuristic for the behaviour. For a DarkComet RAT, drive enumeration is consistent with its remote file-manager feature, and no file encryption or other ransomware activity is recorded elsewhere in this report.
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | ZulaHax.exe
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes: ZulaHax.exe (PID 1812), msdcsc.exe (PID 4436)
Each process enabled the same 24 privileges on its token (24 x 2 = 48 IoCs):
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35, 36.
Enabling every privilege present on the token in one pass, SeDebugPrivilege included, is the usual prelude to the cross-process memory writes recorded under WriteProcessMemory.
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
4436 | msdcsc.exe
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
source pid | source process | target pid | target process | writes
1812 | ZulaHax.exe | 4436 | msdcsc.exe | 3
4436 | msdcsc.exe | 1800 | iexplore.exe | 3
4436 | msdcsc.exe | 1500 | explorer.exe | 2
4436 | msdcsc.exe | 452 | notepad.exe | 22
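The registry writes above carry most of this sample's host indicators, and they are cheap to check mechanically. The following Python is an added example for this report, not sandbox output: it parses event lines in the report's own `Set value (type) \REGISTRY\<key>\<name> = "<data>" <process>` shape and flags the DarkComet-style tampering seen here (UserInit hijack, Run key, firewall off, wscsvc disabled, Security Center notifications suppressed, regedit blocked). The sample events are constructed from the rows in this report plus one benign UserInit write from a made-up `benign.exe`, to show that the baseline value alone is not flagged; the rule names are this example's own.

```python
r"""Flag DarkComet-style registry tampering in sandbox 'Set value' event lines.

Added example, not part of the sandbox report. Input lines follow the report's
own shape:  Set value (type) \REGISTRY\<key>\<name> = "<data>" <process>
Rule names and the UserInit baseline below are this example's own choices.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegWrite:
    value_type: str
    key: str       # key path without the value name
    name: str      # value name
    data: str      # data with the report's doubled backslashes undone
    process: str


@dataclass(frozen=True)
class Finding:
    process: str
    rule: str
    detail: str


# Constructed from the writes listed in this report, plus one benign UserInit
# write from a made-up process 'benign.exe' that must not be flagged.
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" ZulaHax.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" ZulaHax.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," benign.exe
'''

_EVENT_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')


def parse_events(text: str) -> list[RegWrite]:
    """Parse report-style 'Set value' lines; lines that do not match are skipped."""
    writes = []
    for raw in text.splitlines():
        m = _EVENT_RE.match(raw.strip())
        if not m:
            continue
        vtype, full_path, data, proc = m.groups()
        key, _, name = full_path.rpartition('\\')
        # The report doubles backslashes inside the quoted data; undo that.
        writes.append(RegWrite(vtype, key, name, data.replace('\\\\', '\\'), proc))
    return writes


def analyze(writes: list[RegWrite]) -> list[Finding]:
    """Apply the indicator rules to each write, preserving input order."""
    findings = []
    for w in writes:
        key, name, data = w.key.lower(), w.name.lower(), w.data
        if key.endswith(r'\currentversion\winlogon') and name == 'userinit':
            # Legitimate value is "C:\Windows\system32\userinit.exe,"; any further
            # comma-separated entry is launched by Winlogon at every interactive logon.
            for entry in (e.strip() for e in data.split(',')):
                if entry and not entry.lower().endswith(r'\system32\userinit.exe'):
                    findings.append(Finding(w.process, 'winlogon_userinit_hijack', entry))
        elif key.endswith(r'\currentversion\run'):
            findings.append(Finding(w.process, 'run_key_autostart', f'{w.name} = {data}'))
        elif '\\firewallpolicy\\' in key and name == 'enablefirewall' and data == '0':
            profile = w.key.rsplit('\\', 1)[-1]          # e.g. StandardProfile
            findings.append(Finding(w.process, 'firewall_profile_disabled', profile))
        elif key.endswith(r'\services\wscsvc') and name == 'start' and data == '4':
            findings.append(Finding(w.process, 'security_center_service_disabled',
                                    'Start = 4 (SERVICE_DISABLED)'))
        elif (key.endswith(r'\security center')
              and name in ('antivirusdisablenotify', 'updatesdisablenotify') and data == '1'):
            findings.append(Finding(w.process, 'security_center_notify_suppressed', w.name))
        elif key.endswith(r'\policies\system') and name == 'disableregistrytools' and data == '1':
            findings.append(Finding(w.process, 'regedit_disabled', 'DisableRegistryTools = 1'))
    return findings


def by_process(findings: list[Finding]) -> dict[str, list[str]]:
    """Group the triggered rule names per writing process for a quick triage view."""
    grouped: dict[str, set[str]] = {}
    for f in findings:
        grouped.setdefault(f.process, set()).add(f.rule)
    return {proc: sorted(rules) for proc, rules in grouped.items()}


if __name__ == '__main__':
    for f in analyze(parse_events(SAMPLE_EVENTS)):
        print(f'{f.process:12} {f.rule:36} {f.detail}')
```

The UserInit rule is deliberately a baseline comparison rather than a string match on msdcsc.exe: the dropped filename and the gencode change from build to build, while the comma-appended entry after userinit.exe is the stable shape of the technique. The same applies to the Run key rule, which reports the value name and path so an analyst can match them against the extracted reg_key and InstallPath.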
Processes
1. C:\Users\Admin\AppData\Local\Temp\ZulaHax.exe (PID 1812)
   command line: "C:\Users\Admin\AppData\Local\Temp\ZulaHax.exe"
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Adds Run key to start application
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 4436), child of ZulaHax.exe
      command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 1800), child of msdcsc.exe
         command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      3. C:\Windows\explorer.exe (PID 1500), child of msdcsc.exe
         command line: "C:\Windows\explorer.exe"
      3. C:\Windows\SysWOW64\notepad.exe (PID 452), child of msdcsc.exe
         command line: notepad
All three depth-3 children receive WriteProcessMemory calls from msdcsc.exe (see the signature above), so they are injection hosts rather than user activity; the SysWOW64 notepad path shows the 32-bit injector launched the 32-bit copy of notepad.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 659KB
  MD5: 949573ea355757e37f217798fd335478
  SHA1: ba103d18dd84409cd2cba837ae64d42ec75613e7
  SHA256: 222e2ddd2cd5cb4156b9d1845c833d644d8a62d367004a271f6ec290a8aa2fb3
  SHA512: ba7174bd8d6cb88066a7c18a1cd57b603680bfee9a94bf2ceca7a0784246f2e3a35f1856f91e3b9973f7a576cf8366fc3d10ee0268f80a3f077c174b4d2a2881
  All four hashes match the submitted ZulaHax.exe, so the dropped file is a byte-for-byte self-copy of the sample; one set of file hashes covers both the dropper and the persistent copy.
-
- memory/452-134-0x0000000000000000-mapping.dmp (notepad.exe, PID 452)
- memory/1500-133-0x0000000000000000-mapping.dmp (explorer.exe, PID 1500)
- memory/4436-130-0x0000000000000000-mapping.dmp (msdcsc.exe, PID 4436)