Analysis
- max time kernel: 157s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-07-2022 19:28
Static task: static1
Behavioral task: behavioral1
- Sample: cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
- Resource: win10v2004-20220721-en
General
- Target: cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
- Size: 738KB
- MD5: 5eb58198721d4ded363e41e243e685cc
- SHA1: d3e349f052d215f392fbbdc657583d808fe51828
- SHA256: cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8
- SHA512: 8fd1ee50b3cd82d8764f818a78fc3f4fca83a689a8927b856feca15a469eb9e32447902cfd819ddbf5b97fabcfbea2de2464c0304bb3f5e10ff1ebe26e7737b6
Malware Config
Extracted
- Family: darkcomet
- Botnet: delvie
- C2: saw-88.no-ip.biz:1604
- Mutex: DC_MUTEX-T3GAC5L
- Attributes:
  - InstallPath: MSDCSC\msdcsc.exe
  - gencode: zSVFbDa27L2S
  - install: true
  - offline_keylogger: true
  - persistence: true
  - reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCSC\\msdcsc.exe" | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  1132 | msdcsc.exe
  2236 | msdcsc.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\msdcsc.exe" | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\msdcsc.exe" | msdcsc.exe
- Suspicious use of SetThreadContext (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 4608 set thread context of 4580 | 4608 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  PID 1132 set thread context of 2236 | 1132 | msdcsc.exe | msdcsc.exe
  PID 2236 set thread context of 4244 | 2236 | msdcsc.exe | iexplore.exe
  PID 4244 set thread context of 4872 | 4244 | iexplore.exe | iexplore.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes:
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeSecurityPrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeTakeOwnershipPrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeLoadDriverPrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeSystemProfilePrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeSystemtimePrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeProfSingleProcessPrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeIncBasePriorityPrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeCreatePagefilePrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeBackupPrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeRestorePrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeShutdownPrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeDebugPrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeSystemEnvironmentPrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeChangeNotifyPrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeRemoteShutdownPrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeUndockPrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeManageVolumePrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeImpersonatePrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeCreateGlobalPrivilege | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: 33 | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: 34 | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: 35 | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: 36 | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Token: SeIncreaseQuotaPrivilege | 2236 | msdcsc.exe
  Token: SeSecurityPrivilege | 2236 | msdcsc.exe
  Token: SeTakeOwnershipPrivilege | 2236 | msdcsc.exe
  Token: SeLoadDriverPrivilege | 2236 | msdcsc.exe
  Token: SeSystemProfilePrivilege | 2236 | msdcsc.exe
  Token: SeSystemtimePrivilege | 2236 | msdcsc.exe
  Token: SeProfSingleProcessPrivilege | 2236 | msdcsc.exe
  Token: SeIncBasePriorityPrivilege | 2236 | msdcsc.exe
  Token: SeCreatePagefilePrivilege | 2236 | msdcsc.exe
  Token: SeBackupPrivilege | 2236 | msdcsc.exe
  Token: SeRestorePrivilege | 2236 | msdcsc.exe
  Token: SeShutdownPrivilege | 2236 | msdcsc.exe
  Token: SeDebugPrivilege | 2236 | msdcsc.exe
  Token: SeSystemEnvironmentPrivilege | 2236 | msdcsc.exe
  Token: SeChangeNotifyPrivilege | 2236 | msdcsc.exe
  Token: SeRemoteShutdownPrivilege | 2236 | msdcsc.exe
  Token: SeUndockPrivilege | 2236 | msdcsc.exe
  Token: SeManageVolumePrivilege | 2236 | msdcsc.exe
  Token: SeImpersonatePrivilege | 2236 | msdcsc.exe
  Token: SeCreateGlobalPrivilege | 2236 | msdcsc.exe
  Token: 33 | 2236 | msdcsc.exe
  Token: 34 | 2236 | msdcsc.exe
  Token: 35 | 2236 | msdcsc.exe
  Token: 36 | 2236 | msdcsc.exe
- Suspicious use of WriteProcessMemory (40 IoCs)
  Processes:
  description | pid | process | target process
  PID 4608 wrote to memory of 4580 | 4608 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  PID 4608 wrote to memory of 4580 | 4608 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  PID 4608 wrote to memory of 4580 | 4608 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  PID 4608 wrote to memory of 4580 | 4608 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  PID 4608 wrote to memory of 4580 | 4608 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  PID 4608 wrote to memory of 4580 | 4608 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  PID 4608 wrote to memory of 4580 | 4608 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  PID 4608 wrote to memory of 4580 | 4608 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  PID 4608 wrote to memory of 4580 | 4608 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  PID 4608 wrote to memory of 4580 | 4608 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  PID 4608 wrote to memory of 4580 | 4608 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  PID 4608 wrote to memory of 4580 | 4608 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  PID 4608 wrote to memory of 4580 | 4608 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  PID 4608 wrote to memory of 4580 | 4608 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  PID 4580 wrote to memory of 1132 | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe | msdcsc.exe
  PID 4580 wrote to memory of 1132 | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe | msdcsc.exe
  PID 4580 wrote to memory of 1132 | 4580 | cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe | msdcsc.exe
  PID 1132 wrote to memory of 2236 | 1132 | msdcsc.exe | msdcsc.exe
  PID 1132 wrote to memory of 2236 | 1132 | msdcsc.exe | msdcsc.exe
  PID 1132 wrote to memory of 2236 | 1132 | msdcsc.exe | msdcsc.exe
  PID 1132 wrote to memory of 2236 | 1132 | msdcsc.exe | msdcsc.exe
  PID 1132 wrote to memory of 2236 | 1132 | msdcsc.exe | msdcsc.exe
  PID 1132 wrote to memory of 2236 | 1132 | msdcsc.exe | msdcsc.exe
  PID 1132 wrote to memory of 2236 | 1132 | msdcsc.exe | msdcsc.exe
  PID 1132 wrote to memory of 2236 | 1132 | msdcsc.exe | msdcsc.exe
  PID 1132 wrote to memory of 2236 | 1132 | msdcsc.exe | msdcsc.exe
  PID 1132 wrote to memory of 2236 | 1132 | msdcsc.exe | msdcsc.exe
  PID 1132 wrote to memory of 2236 | 1132 | msdcsc.exe | msdcsc.exe
  PID 1132 wrote to memory of 2236 | 1132 | msdcsc.exe | msdcsc.exe
  PID 1132 wrote to memory of 2236 | 1132 | msdcsc.exe | msdcsc.exe
  PID 1132 wrote to memory of 2236 | 1132 | msdcsc.exe | msdcsc.exe
  PID 2236 wrote to memory of 4244 | 2236 | msdcsc.exe | iexplore.exe
  PID 2236 wrote to memory of 4244 | 2236 | msdcsc.exe | iexplore.exe
  PID 2236 wrote to memory of 4244 | 2236 | msdcsc.exe | iexplore.exe
  PID 2236 wrote to memory of 4244 | 2236 | msdcsc.exe | iexplore.exe
  PID 2236 wrote to memory of 4244 | 2236 | msdcsc.exe | iexplore.exe
  PID 4244 wrote to memory of 4872 | 4244 | iexplore.exe | iexplore.exe
  PID 4244 wrote to memory of 4872 | 4244 | iexplore.exe | iexplore.exe
  PID 4244 wrote to memory of 4872 | 4244 | iexplore.exe | iexplore.exe
  PID 4244 wrote to memory of 4872 | 4244 | iexplore.exe | iexplore.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\MSDCSC\msdcsc.exe
      Command line: "C:\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - [4] C:\MSDCSC\msdcsc.exe
        Command line: C:\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [5] C:\Program Files (x86)\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - [6] C:\Program Files (x86)\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4872 -ip 4872
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\MSDCSC\msdcsc.exe
  Filesize: 738KB
  MD5: 5eb58198721d4ded363e41e243e685cc
  SHA1: d3e349f052d215f392fbbdc657583d808fe51828
  SHA256: cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8
  SHA512: 8fd1ee50b3cd82d8764f818a78fc3f4fca83a689a8927b856feca15a469eb9e32447902cfd819ddbf5b97fabcfbea2de2464c0304bb3f5e10ff1ebe26e7737b6
- memory/1132-145-0x0000000000000000-mapping.dmp
- memory/1132-162-0x0000000000400000-0x0000000000565000-memory.dmp (Filesize: 1.4MB)
- memory/1132-148-0x0000000000400000-0x0000000000565000-memory.dmp (Filesize: 1.4MB)
- memory/2236-163-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/2236-149-0x0000000000000000-mapping.dmp
- memory/4580-136-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/4580-142-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/4580-144-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/4580-140-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/4580-139-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/4580-138-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/4580-134-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/4580-133-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/4580-132-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/4580-131-0x0000000000000000-mapping.dmp
- memory/4608-143-0x0000000000400000-0x0000000000565000-memory.dmp (Filesize: 1.4MB)
- memory/4608-130-0x0000000000400000-0x0000000000565000-memory.dmp (Filesize: 1.4MB)