Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2022 02:13
Behavioral task: behavioral1
- Sample: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe
- Resource: win7-20220715-en
General
- Target: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe
- Size: 253KB
- MD5: 19bc4cf35e9543073c59853085837019
- SHA1: d86e8c0747c9a1de28f8f9242ac7a08049d7d7bc
- SHA256: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af
- SHA512: 033a00f12bd0c035175594b742a10405109bdec8b8e07ba86cfcda7b141c4e2b5803446a86640ff89c89b42e0bcc73309da2d54d0311d8b2565bdc1f75d7a574
Malware Config
Extracted
- Family: darkcomet
- Campaign ID: Guest16
- C2: bdsm32.ddns.net:1604, bdsm32.ddns.net:27015
- Mutex: DC_MUTEX-0PJGSJG
- InstallPath: MSDCSC\msdcsc.exe
- gencode: oM938oV7BtsY
- install: true
- offline_keylogger: false
- persistence: false
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSDCSC\\msdcsc.exe" [afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe]
Modifies security service (2 TTPs, 2 IoCs)
Processes: msdcsc.exe, iexplore.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" [msdcsc.exe]
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" [iexplore.exe]

Windows security bypass (heading recovered from the process tree below; the signature title is missing at this point in the extracted page)
Processes: msdcsc.exe, iexplore.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [msdcsc.exe]
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [iexplore.exe]
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [iexplore.exe]
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [msdcsc.exe]
Executes dropped EXE (1 IoC)
Processes: msdcsc.exe
- PID 4424 msdcsc.exe

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
- PID 2392 attrib.exe
- PID 2344 attrib.exe

Yara rule matches (rule: upx; the signature title is missing at this point in the extracted page)
Resources matching yara rule "upx":
- behavioral2/memory/4156-130-0x0000000000400000-0x00000000004BA000-memory.dmp
- C:\Windows\MSDCSC\msdcsc.exe
- C:\Windows\MSDCSC\msdcsc.exe
- behavioral2/memory/4156-138-0x0000000000400000-0x00000000004BA000-memory.dmp
- behavioral2/memory/4424-139-0x0000000000400000-0x00000000004BA000-memory.dmp
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe
- Key value queried \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation [afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe]

Windows security modification (heading recovered from the process tree below; the signature title is missing at this point in the extracted page)
Processes: msdcsc.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [msdcsc.exe]
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [msdcsc.exe]

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSDCSC\\msdcsc.exe" [afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe]
Suspicious use of SetThreadContext (1 IoC)
Processes: msdcsc.exe
- PID 4424 (msdcsc.exe) set thread context of PID 3084 (iexplore.exe)

Drops file in Windows directory (3 IoCs)
Processes: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe
- File opened for modification C:\Windows\MSDCSC\msdcsc.exe [afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe]
- File opened for modification C:\Windows\MSDCSC\ [afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe]
- File created C:\Windows\MSDCSC\msdcsc.exe [afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe]

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
Processes: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ [afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe]

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: iexplore.exe
- PID 3084 iexplore.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe, msdcsc.exe, iexplore.exe
- PID 4156 (afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe), 24 entries. Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 4424 (msdcsc.exe), 24 entries. Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 3084 (iexplore.exe), 16 entries (the listing stops at the 64-IoC display limit). Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
Suspicious use of WriteProcessMemory (42 IoCs)
Processes: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe, cmd.exe, cmd.exe, msdcsc.exe, iexplore.exe
Entries grouped by source/target pair (the report lists one row per write; counts are the number of identical rows):
- PID 4156 (afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe) wrote to memory of PID 4460 (cmd.exe): 3 rows
- PID 4156 (afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe) wrote to memory of PID 4288 (cmd.exe): 3 rows
- PID 4460 (cmd.exe) wrote to memory of PID 2344 (attrib.exe): 3 rows
- PID 4288 (cmd.exe) wrote to memory of PID 2392 (attrib.exe): 3 rows
- PID 4156 (afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe) wrote to memory of PID 4424 (msdcsc.exe): 3 rows
- PID 4424 (msdcsc.exe) wrote to memory of PID 3084 (iexplore.exe): 5 rows
- PID 3084 (iexplore.exe) wrote to memory of PID 3304 (notepad.exe): 22 rows
System policy modification (1 TTP, 3 IoCs)
Processes: msdcsc.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion [msdcsc.exe]
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern [msdcsc.exe]
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" [msdcsc.exe]

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe, attrib.exe
- PID 2392 attrib.exe
- PID 2344 attrib.exe
Processes (process tree; indentation shows parent/child depth)

- C:\Users\Admin\AppData\Local\Temp\afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe" +s +h
    Signatures:
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\attrib.exe (depth 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe" +s +h
      Signatures:
      - Sets file to hidden
      - Views/modifies file attributes

  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures:
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\attrib.exe (depth 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures:
      - Sets file to hidden
      - Views/modifies file attributes

  - C:\Windows\MSDCSC\msdcsc.exe (depth 2)
    Command line: "C:\Windows\MSDCSC\msdcsc.exe"
    Signatures:
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    - C:\Program Files (x86)\Internet Explorer\iexplore.exe (depth 3)
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      Signatures:
      - Modifies security service
      - Windows security bypass
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\notepad.exe (depth 4)
        Command line: notepad
Downloads
- C:\Windows\MSDCSC\msdcsc.exe
  Filesize: 253KB
  MD5: 19bc4cf35e9543073c59853085837019
  SHA1: d86e8c0747c9a1de28f8f9242ac7a08049d7d7bc
  SHA256: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af
  SHA512: 033a00f12bd0c035175594b742a10405109bdec8b8e07ba86cfcda7b141c4e2b5803446a86640ff89c89b42e0bcc73309da2d54d0311d8b2565bdc1f75d7a574
Memory dumps:
- memory/2344-133-0x0000000000000000-mapping.dmp
- memory/2392-134-0x0000000000000000-mapping.dmp
- memory/3304-140-0x0000000000000000-mapping.dmp
- memory/4156-130-0x0000000000400000-0x00000000004BA000-memory.dmp (Filesize: 744KB)
- memory/4156-138-0x0000000000400000-0x00000000004BA000-memory.dmp (Filesize: 744KB)
- memory/4288-132-0x0000000000000000-mapping.dmp
- memory/4424-135-0x0000000000000000-mapping.dmp
- memory/4424-139-0x0000000000400000-0x00000000004BA000-memory.dmp (Filesize: 744KB)
- memory/4460-131-0x0000000000000000-mapping.dmp