Analysis

max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 30-06-2022 17:01
Behavioral task: behavioral1
Sample: 13a9b67591848e9500b93b7e22a11e0adaee46774b55f6a3c1e543b4d7cc3fd3.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 13a9b67591848e9500b93b7e22a11e0adaee46774b55f6a3c1e543b4d7cc3fd3.exe
Resource: win10v2004-20220414-en
General

Target: 13a9b67591848e9500b93b7e22a11e0adaee46774b55f6a3c1e543b4d7cc3fd3.exe
Size: 658KB
MD5: c46b0c1ead56ed1933dd375b6b22e1f2
SHA1: 97f05c8a9847e8e396d5916deb831466111ae2a4
SHA256: 13a9b67591848e9500b93b7e22a11e0adaee46774b55f6a3c1e543b4d7cc3fd3
SHA512: 83cbc641d4a32cb2e8a92c5bb8a7e57e024be7ce977896997cff70e9cb307f7038a40085192d0160058fb195e49e817dcf2cc19286773121a4ec9b2a1e41681c
Malware Config

Extracted
Family: darkcomet
Botnet: Sazan
C2: 85.98.17.207:1604
Mutex: DC_MUTEX-T147BU8
InstallPath: MSDCSC\msdcsc.exe
gencode: LMpE3BXrLHns
install: true
offline_keylogger: true
persistence: true
reg_key: JokerRinaHack
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: 13a9b67591848e9500b93b7e22a11e0adaee46774b55f6a3c1e543b4d7cc3fd3.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 13a9b67591848e9500b93b7e22a11e0adaee46774b55f6a3c1e543b4d7cc3fd3.exe

Executes dropped EXE (1 IoC)
Processes: msdcsc.exe
pid | process
908 | msdcsc.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 13a9b67591848e9500b93b7e22a11e0adaee46774b55f6a3c1e543b4d7cc3fd3.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 13a9b67591848e9500b93b7e22a11e0adaee46774b55f6a3c1e543b4d7cc3fd3.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 13a9b67591848e9500b93b7e22a11e0adaee46774b55f6a3c1e543b4d7cc3fd3.exe, msdcsc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JokerRinaHack = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 13a9b67591848e9500b93b7e22a11e0adaee46774b55f6a3c1e543b4d7cc3fd3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JokerRinaHack = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | msdcsc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: 13a9b67591848e9500b93b7e22a11e0adaee46774b55f6a3c1e543b4d7cc3fd3.exe, msdcsc.exe
The same 24 token privileges are enabled first by PID 2576 (13a9b67591848e9500b93b7e22a11e0adaee46774b55f6a3c1e543b4d7cc3fd3.exe) and then by PID 908 (msdcsc.exe):
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: msdcsc.exe
pid | process
908 | msdcsc.exe

Suspicious use of WriteProcessMemory (25 IoCs)
Processes: 13a9b67591848e9500b93b7e22a11e0adaee46774b55f6a3c1e543b4d7cc3fd3.exe, msdcsc.exe
description | process | target process
PID 2576 wrote to memory of 908 (3 entries) | 13a9b67591848e9500b93b7e22a11e0adaee46774b55f6a3c1e543b4d7cc3fd3.exe | msdcsc.exe
PID 908 wrote to memory of 1928 (22 entries) | msdcsc.exe | notepad.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\13a9b67591848e9500b93b7e22a11e0adaee46774b55f6a3c1e543b4d7cc3fd3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\13a9b67591848e9500b93b7e22a11e0adaee46774b55f6a3c1e543b4d7cc3fd3.exe"
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (child of 1)
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\notepad.exe (child of 2)
         Command line: notepad
Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize: 658KB
MD5: c46b0c1ead56ed1933dd375b6b22e1f2
SHA1: 97f05c8a9847e8e396d5916deb831466111ae2a4
SHA256: 13a9b67591848e9500b93b7e22a11e0adaee46774b55f6a3c1e543b4d7cc3fd3
SHA512: 83cbc641d4a32cb2e8a92c5bb8a7e57e024be7ce977896997cff70e9cb307f7038a40085192d0160058fb195e49e817dcf2cc19286773121a4ec9b2a1e41681c
- memory/908-130-0x0000000000000000-mapping.dmp
- memory/1928-133-0x0000000000000000-mapping.dmp