Analysis
-
max time kernel
152s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220715-en -
resource tags
arch:x64arch:x86image:win10v2004-20220715-enlocale:en-usos:windows10-2004-x64system -
submitted
19-07-2022 09:10
Behavioral task
behavioral1
Sample
HAXIMIZE-V2.0 CRACKED.exe
Resource
win7-20220715-en
windows7-x64
17 signatures
150 seconds
General
-
Target
HAXIMIZE-V2.0 CRACKED.exe
-
Size
658KB
-
MD5
efa6a56bc92b0d9e88d95bdeae626fca
-
SHA1
99a1864c799f9c79ac646c9bdab868ba55fc7029
-
SHA256
d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6
-
SHA512
439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
sussysdfffdfff343.duckdns.org:1604
Mutex
DC_MUTEX-QH9A6P4
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
YBnxcFaotAui
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
JavaUpdater
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" HAXIMIZE-V2.0 CRACKED.exe -
Modifies firewall policy service 2 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" iexplore.exe -
Modifies security service 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" iexplore.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" iexplore.exe -
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2280897447-3291712302-3137480060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.exe Set value (int) \REGISTRY\USER\S-1-5-21-2280897447-3291712302-3137480060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" iexplore.exe -
Executes dropped EXE 1 IoCs
pid Process 4412 msdcsc.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 4520 attrib.exe 3888 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2280897447-3291712302-3137480060-1000\Control Panel\International\Geo\Nation HAXIMIZE-V2.0 CRACKED.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2280897447-3291712302-3137480060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2280897447-3291712302-3137480060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" HAXIMIZE-V2.0 CRACKED.exe Set value (str) \REGISTRY\USER\S-1-5-21-2280897447-3291712302-3137480060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" msdcsc.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4412 set thread context of 4500 4412 msdcsc.exe 89 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ HAXIMIZE-V2.0 CRACKED.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4500 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeSecurityPrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeTakeOwnershipPrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeLoadDriverPrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeSystemProfilePrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeSystemtimePrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeProfSingleProcessPrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeIncBasePriorityPrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeCreatePagefilePrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeBackupPrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeRestorePrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeShutdownPrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeDebugPrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeSystemEnvironmentPrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeChangeNotifyPrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeRemoteShutdownPrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeUndockPrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeManageVolumePrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeImpersonatePrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeCreateGlobalPrivilege 4340 HAXIMIZE-V2.0 CRACKED.exe Token: 33 4340 HAXIMIZE-V2.0 CRACKED.exe Token: 34 4340 HAXIMIZE-V2.0 CRACKED.exe Token: 35 4340 HAXIMIZE-V2.0 CRACKED.exe Token: 36 4340 HAXIMIZE-V2.0 CRACKED.exe Token: SeIncreaseQuotaPrivilege 4412 msdcsc.exe Token: SeSecurityPrivilege 4412 msdcsc.exe Token: SeTakeOwnershipPrivilege 4412 msdcsc.exe Token: SeLoadDriverPrivilege 4412 msdcsc.exe Token: SeSystemProfilePrivilege 4412 msdcsc.exe Token: SeSystemtimePrivilege 4412 msdcsc.exe Token: SeProfSingleProcessPrivilege 4412 msdcsc.exe Token: SeIncBasePriorityPrivilege 4412 msdcsc.exe Token: SeCreatePagefilePrivilege 4412 msdcsc.exe Token: SeBackupPrivilege 4412 msdcsc.exe Token: SeRestorePrivilege 4412 msdcsc.exe Token: SeShutdownPrivilege 4412 msdcsc.exe Token: SeDebugPrivilege 4412 msdcsc.exe Token: SeSystemEnvironmentPrivilege 4412 msdcsc.exe Token: SeChangeNotifyPrivilege 4412 msdcsc.exe Token: SeRemoteShutdownPrivilege 4412 msdcsc.exe Token: SeUndockPrivilege 4412 msdcsc.exe Token: SeManageVolumePrivilege 4412 msdcsc.exe Token: SeImpersonatePrivilege 4412 msdcsc.exe Token: SeCreateGlobalPrivilege 4412 msdcsc.exe Token: 33 4412 msdcsc.exe Token: 34 4412 msdcsc.exe Token: 35 4412 msdcsc.exe Token: 36 4412 msdcsc.exe Token: SeIncreaseQuotaPrivilege 4500 iexplore.exe Token: SeSecurityPrivilege 4500 iexplore.exe Token: SeTakeOwnershipPrivilege 4500 iexplore.exe Token: SeLoadDriverPrivilege 4500 iexplore.exe Token: SeSystemProfilePrivilege 4500 iexplore.exe Token: SeSystemtimePrivilege 4500 iexplore.exe Token: SeProfSingleProcessPrivilege 4500 iexplore.exe Token: SeIncBasePriorityPrivilege 4500 iexplore.exe Token: SeCreatePagefilePrivilege 4500 iexplore.exe Token: SeBackupPrivilege 4500 iexplore.exe Token: SeRestorePrivilege 4500 iexplore.exe Token: SeShutdownPrivilege 4500 iexplore.exe Token: SeDebugPrivilege 4500 iexplore.exe Token: SeSystemEnvironmentPrivilege 4500 iexplore.exe Token: SeChangeNotifyPrivilege 4500 iexplore.exe Token: SeRemoteShutdownPrivilege 4500 iexplore.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4500 iexplore.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 4340 wrote to memory of 3616 4340 HAXIMIZE-V2.0 CRACKED.exe 82 PID 4340 wrote to memory of 3616 4340 HAXIMIZE-V2.0 CRACKED.exe 82 PID 4340 wrote to memory of 3616 4340 HAXIMIZE-V2.0 CRACKED.exe 82 PID 4340 wrote to memory of 2816 4340 HAXIMIZE-V2.0 CRACKED.exe 83 PID 4340 wrote to memory of 2816 4340 HAXIMIZE-V2.0 CRACKED.exe 83 PID 4340 wrote to memory of 2816 4340 HAXIMIZE-V2.0 CRACKED.exe 83 PID 3616 wrote to memory of 4520 3616 cmd.exe 86 PID 3616 wrote to memory of 4520 3616 cmd.exe 86 PID 3616 wrote to memory of 4520 3616 cmd.exe 86 PID 2816 wrote to memory of 3888 2816 cmd.exe 87 PID 2816 wrote to memory of 3888 2816 cmd.exe 87 PID 2816 wrote to memory of 3888 2816 cmd.exe 87 PID 4340 wrote to memory of 4412 4340 HAXIMIZE-V2.0 CRACKED.exe 88 PID 4340 wrote to memory of 4412 4340 HAXIMIZE-V2.0 CRACKED.exe 88 PID 4340 wrote to memory of 4412 4340 HAXIMIZE-V2.0 CRACKED.exe 88 PID 4412 wrote to memory of 4500 4412 msdcsc.exe 89 PID 4412 wrote to memory of 4500 4412 msdcsc.exe 89 PID 4412 wrote to memory of 4500 4412 msdcsc.exe 89 PID 4412 wrote to memory of 4500 4412 msdcsc.exe 89 PID 4412 wrote to memory of 4500 4412 msdcsc.exe 89 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 PID 4500 wrote to memory of 1504 4500 iexplore.exe 90 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 3888 attrib.exe 4520 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.exe"C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.exe" +s +h2⤵
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.exe" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4520
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3888
-
-
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\notepad.exenotepad4⤵PID:1504
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
658KB
MD5efa6a56bc92b0d9e88d95bdeae626fca
SHA199a1864c799f9c79ac646c9bdab868ba55fc7029
SHA256d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6
SHA512439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0
-
Filesize
658KB
MD5efa6a56bc92b0d9e88d95bdeae626fca
SHA199a1864c799f9c79ac646c9bdab868ba55fc7029
SHA256d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6
SHA512439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0