Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 25-07-2022 02:13
Behavioral task: behavioral1
- Sample: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe
- Resource: win7-20220715-en
General
- Target: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe
- Size: 253KB
- MD5: 19bc4cf35e9543073c59853085837019
- SHA1: d86e8c0747c9a1de28f8f9242ac7a08049d7d7bc
- SHA256: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af
- SHA512: 033a00f12bd0c035175594b742a10405109bdec8b8e07ba86cfcda7b141c4e2b5803446a86640ff89c89b42e0bcc73309da2d54d0311d8b2565bdc1f75d7a574
Malware Config
Extracted:
- darkcomet
- Guest16
- bdsm32.ddns.net:1604
- bdsm32.ddns.net:27015
- DC_MUTEX-0PJGSJG
- InstallPath: MSDCSC\msdcsc.exe
- gencode: oM938oV7BtsY
- install: true
- offline_keylogger: false
- persistence: false
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes:
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSDCSC\\msdcsc.exe" (process: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe)
- Modifies security service (2 TTPs, 1 IoC)
  Processes:
    Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (process: msdcsc.exe)
- Windows security bypass
  Processes:
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: msdcsc.exe)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: msdcsc.exe)
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1408 msdcsc.exe
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes:
    pid 1508 attrib.exe
    pid 1660 attrib.exe
- Yara rule "upx" matched (resource / yara_rule):
    behavioral1/memory/1056-55-0x0000000000400000-0x00000000004BA000-memory.dmp
    \Windows\MSDCSC\msdcsc.exe
    \Windows\MSDCSC\msdcsc.exe
    behavioral1/memory/1056-65-0x0000000000400000-0x00000000004BA000-memory.dmp
    C:\Windows\MSDCSC\msdcsc.exe
    behavioral1/memory/1408-66-0x0000000000400000-0x00000000004BA000-memory.dmp
    C:\Windows\MSDCSC\msdcsc.exe
    behavioral1/memory/1408-70-0x0000000000400000-0x00000000004BA000-memory.dmp
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1056 afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe
    pid 1056 afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe
- Windows security modification
  Processes:
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: msdcsc.exe)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: msdcsc.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSDCSC\\msdcsc.exe" (process: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe)
- Drops file in Windows directory (3 IoCs)
  Processes:
    File created C:\Windows\MSDCSC\msdcsc.exe (process: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe)
    File opened for modification C:\Windows\MSDCSC\msdcsc.exe (process: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe)
    File opened for modification C:\Windows\MSDCSC\ (process: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 1408 msdcsc.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: pid 1056 afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe and pid 1408 msdcsc.exe each adjusted the same 23 tokens:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (51 IoCs)
  Processes (source pid/process wrote to memory of target pid/process; number of events in brackets):
    1056 afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe wrote to 1956 cmd.exe (x4)
    1056 afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe wrote to 1372 cmd.exe (x4)
    1956 cmd.exe wrote to 1508 attrib.exe (x4)
    1372 cmd.exe wrote to 1660 attrib.exe (x4)
    1056 afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe wrote to 1408 msdcsc.exe (x4)
    1408 msdcsc.exe wrote to 984 iexplore.exe (x4)
    1408 msdcsc.exe wrote to 1700 explorer.exe (x4)
    1408 msdcsc.exe wrote to 1680 notepad.exe (x23)
- System policy modification (1 TTP, 3 IoCs)
  Processes:
    Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (process: msdcsc.exe)
    Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (process: msdcsc.exe)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (process: msdcsc.exe)
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes:
    pid 1660 attrib.exe
    pid 1508 attrib.exe
Processes (indented by depth in the process tree)
depth 1: C:\Users\Admin\AppData\Local\Temp\afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe"
  Signatures: Modifies WinLogon for persistence; Loads dropped DLL; Adds Run key to start application; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe" +s +h
      Signatures: Sets file to hidden; Views/modifies file attributes
  depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures: Sets file to hidden; Views/modifies file attributes
  depth 2: C:\Windows\MSDCSC\msdcsc.exe
    Command line: "C:\Windows\MSDCSC\msdcsc.exe"
    Signatures: Modifies security service; Windows security bypass; Executes dropped EXE; Windows security modification; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    depth 3: C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    depth 3: C:\Windows\explorer.exe
      Command line: "C:\Windows\explorer.exe"
    depth 3: C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\MSDCSC\msdcsc.exe (also recorded as \Windows\MSDCSC\msdcsc.exe)
  Filesize: 253KB
  MD5: 19bc4cf35e9543073c59853085837019
  SHA1: d86e8c0747c9a1de28f8f9242ac7a08049d7d7bc
  SHA256: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af
  SHA512: 033a00f12bd0c035175594b742a10405109bdec8b8e07ba86cfcda7b141c4e2b5803446a86640ff89c89b42e0bcc73309da2d54d0311d8b2565bdc1f75d7a574
- memory/1056-65-0x0000000000400000-0x00000000004BA000-memory.dmp (Filesize: 744KB)
- memory/1056-54-0x0000000074E11000-0x0000000074E13000-memory.dmp (Filesize: 8KB)
- memory/1056-55-0x0000000000400000-0x00000000004BA000-memory.dmp (Filesize: 744KB)
- memory/1372-57-0x0000000000000000-mapping.dmp
- memory/1408-62-0x0000000000000000-mapping.dmp
- memory/1408-66-0x0000000000400000-0x00000000004BA000-memory.dmp (Filesize: 744KB)
- memory/1408-70-0x0000000000400000-0x00000000004BA000-memory.dmp (Filesize: 744KB)
- memory/1508-58-0x0000000000000000-mapping.dmp
- memory/1660-59-0x0000000000000000-mapping.dmp
- memory/1680-68-0x0000000000000000-mapping.dmp
- memory/1956-56-0x0000000000000000-mapping.dmp