Analysis
- max time kernel: 147s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 01-07-2022 05:17
Behavioral task behavioral1
- Sample: fc90b85e15d5d314d4a0c4a7f73e7eff48390720ad8b3c25de51b82296d97ff8.exe
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: fc90b85e15d5d314d4a0c4a7f73e7eff48390720ad8b3c25de51b82296d97ff8.exe
- Resource: win10v2004-20220414-en
General
- Target: fc90b85e15d5d314d4a0c4a7f73e7eff48390720ad8b3c25de51b82296d97ff8.exe
- Size: 690KB
- MD5: 8c3d9ce08799aa0c07ceb6b50f626d28
- SHA1: 3d82bce6926365c9c19cb5bad5a2c8e155b6a171
- SHA256: fc90b85e15d5d314d4a0c4a7f73e7eff48390720ad8b3c25de51b82296d97ff8
- SHA512: 5e39cb5728c39930871cef521c7656ee491f26e60cc8243b7665da501dd2a8a1e40245198011a23daacefa771e51e1f99d6914e60564fdec488483ebbb6acf21
Malware Config
Extracted
- Family: darkcomet
- Botnet: Sazan
- C2: seximamun.duckdns.org:1604
- Mutex: DC_MUTEX-CGHFZD9
- InstallPath: MSDCSC\msdcsc.exe
- gencode: PaiZlau2UT6i
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: fc90b85e15d5d314d4a0c4a7f73e7eff48390720ad8b3c25de51b82296d97ff8.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (set by fc90b85e15d5d314d4a0c4a7f73e7eff48390720ad8b3c25de51b82296d97ff8.exe)
- Executes dropped EXE (1 IoCs)
  Processes: msdcsc.exe
  PID 1508 msdcsc.exe
- Deletes itself (1 IoCs)
  Processes: notepad.exe
  PID 1608 notepad.exe
- Loads dropped DLL (2 IoCs)
  Processes: fc90b85e15d5d314d4a0c4a7f73e7eff48390720ad8b3c25de51b82296d97ff8.exe
  PID 908 fc90b85e15d5d314d4a0c4a7f73e7eff48390720ad8b3c25de51b82296d97ff8.exe (2 entries)
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: fc90b85e15d5d314d4a0c4a7f73e7eff48390720ad8b3c25de51b82296d97ff8.exe, msdcsc.exe, iexplore.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (set by fc90b85e15d5d314d4a0c4a7f73e7eff48390720ad8b3c25de51b82296d97ff8.exe)
  Set value (str): same key and value (set by msdcsc.exe)
  Set value (str): same key and value (set by iexplore.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: msdcsc.exe
  PID 1508 (msdcsc.exe) set thread context of PID 2004 (iexplore.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: fc90b85e15d5d314d4a0c4a7f73e7eff48390720ad8b3c25de51b82296d97ff8.exe, msdcsc.exe, iexplore.exe
  PID 908 fc90b85e15d5d314d4a0c4a7f73e7eff48390720ad8b3c25de51b82296d97ff8.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 1508 msdcsc.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 2004 iexplore.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: iexplore.exe
  PID 2004 iexplore.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: fc90b85e15d5d314d4a0c4a7f73e7eff48390720ad8b3c25de51b82296d97ff8.exe, msdcsc.exe
  PID 908 (fc90b85e15d5d314d4a0c4a7f73e7eff48390720ad8b3c25de51b82296d97ff8.exe) wrote to memory of PID 1608 (notepad.exe): 18 entries
  PID 908 (fc90b85e15d5d314d4a0c4a7f73e7eff48390720ad8b3c25de51b82296d97ff8.exe) wrote to memory of PID 1508 (msdcsc.exe): 4 entries
  PID 1508 (msdcsc.exe) wrote to memory of PID 2004 (iexplore.exe): 6 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\fc90b85e15d5d314d4a0c4a7f73e7eff48390720ad8b3c25de51b82296d97ff8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc90b85e15d5d314d4a0c4a7f73e7eff48390720ad8b3c25de51b82296d97ff8.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\notepad.exe
    Command line: notepad
    - Deletes itself
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 690KB
  MD5: 8c3d9ce08799aa0c07ceb6b50f626d28
  SHA1: 3d82bce6926365c9c19cb5bad5a2c8e155b6a171
  SHA256: fc90b85e15d5d314d4a0c4a7f73e7eff48390720ad8b3c25de51b82296d97ff8
  SHA512: 5e39cb5728c39930871cef521c7656ee491f26e60cc8243b7665da501dd2a8a1e40245198011a23daacefa771e51e1f99d6914e60564fdec488483ebbb6acf21
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 690KB
  MD5: 8c3d9ce08799aa0c07ceb6b50f626d28
  SHA1: 3d82bce6926365c9c19cb5bad5a2c8e155b6a171
  SHA256: fc90b85e15d5d314d4a0c4a7f73e7eff48390720ad8b3c25de51b82296d97ff8
  SHA512: 5e39cb5728c39930871cef521c7656ee491f26e60cc8243b7665da501dd2a8a1e40245198011a23daacefa771e51e1f99d6914e60564fdec488483ebbb6acf21
- memory/908-54-0x0000000074E91000-0x0000000074E93000-memory.dmp
  Filesize: 8KB
- memory/1508-59-0x0000000000000000-mapping.dmp
- memory/1608-55-0x0000000000000000-mapping.dmp