Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
18-09-2022 15:53
Behavioral task
behavioral1
Sample
screen.exe
Resource
win7-20220901-en
windows7-x64
17 signatures
150 seconds
General
-
Target
screen.exe
-
Size
658KB
-
MD5
0e9b4f38f1c0f6a615e01bdb13a76baf
-
SHA1
aff3f945c11837cfa8ba4da23057a86204e8932d
-
SHA256
04789bb1e63b81997e53786d1f19a6dde477b29b54ad5bcb12aeb9bce3d0f72b
-
SHA512
11cfd1987d51e641917ccdc67255606e8185c2582ce07e4cc8eef520bb8c2e48bc73e8edd9b740c72cd22c28a3486908a15e6b64e0ff97957bff5839e11e12ca
-
SSDEEP
12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h4:KZ1xuVVjfFoynPaVBUR8f+kN10EB6
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
sussysdfffdfff343.duckdns.org:1604
Mutex
DC_MUTEX-V4RZ15F
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
2Z95GCg0bJk8
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" screen.exe -
Modifies firewall policy service 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" iexplore.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile msdcsc.exe -
Modifies security service 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" iexplore.exe -
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" iexplore.exe -
Executes dropped EXE 1 IoCs
pid Process 4752 msdcsc.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 4504 attrib.exe 1812 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation screen.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" screen.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" iexplore.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4752 set thread context of 1536 4752 msdcsc.exe 83 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ screen.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1536 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3196 screen.exe Token: SeSecurityPrivilege 3196 screen.exe Token: SeTakeOwnershipPrivilege 3196 screen.exe Token: SeLoadDriverPrivilege 3196 screen.exe Token: SeSystemProfilePrivilege 3196 screen.exe Token: SeSystemtimePrivilege 3196 screen.exe Token: SeProfSingleProcessPrivilege 3196 screen.exe Token: SeIncBasePriorityPrivilege 3196 screen.exe Token: SeCreatePagefilePrivilege 3196 screen.exe Token: SeBackupPrivilege 3196 screen.exe Token: SeRestorePrivilege 3196 screen.exe Token: SeShutdownPrivilege 3196 screen.exe Token: SeDebugPrivilege 3196 screen.exe Token: SeSystemEnvironmentPrivilege 3196 screen.exe Token: SeChangeNotifyPrivilege 3196 screen.exe Token: SeRemoteShutdownPrivilege 3196 screen.exe Token: SeUndockPrivilege 3196 screen.exe Token: SeManageVolumePrivilege 3196 screen.exe Token: SeImpersonatePrivilege 3196 screen.exe Token: SeCreateGlobalPrivilege 3196 screen.exe Token: 33 3196 screen.exe Token: 34 3196 screen.exe Token: 35 3196 screen.exe Token: 36 3196 screen.exe Token: SeIncreaseQuotaPrivilege 4752 msdcsc.exe Token: SeSecurityPrivilege 4752 msdcsc.exe Token: SeTakeOwnershipPrivilege 4752 msdcsc.exe Token: SeLoadDriverPrivilege 4752 msdcsc.exe Token: SeSystemProfilePrivilege 4752 msdcsc.exe Token: SeSystemtimePrivilege 4752 msdcsc.exe Token: SeProfSingleProcessPrivilege 4752 msdcsc.exe Token: SeIncBasePriorityPrivilege 4752 msdcsc.exe Token: SeCreatePagefilePrivilege 4752 msdcsc.exe Token: SeBackupPrivilege 4752 msdcsc.exe Token: SeRestorePrivilege 4752 msdcsc.exe Token: SeShutdownPrivilege 4752 msdcsc.exe Token: SeDebugPrivilege 4752 msdcsc.exe Token: SeSystemEnvironmentPrivilege 4752 msdcsc.exe Token: SeChangeNotifyPrivilege 4752 msdcsc.exe Token: SeRemoteShutdownPrivilege 4752 msdcsc.exe Token: SeUndockPrivilege 4752 msdcsc.exe Token: SeManageVolumePrivilege 4752 msdcsc.exe Token: SeImpersonatePrivilege 4752 msdcsc.exe Token: SeCreateGlobalPrivilege 4752 msdcsc.exe Token: 33 4752 msdcsc.exe Token: 34 4752 msdcsc.exe Token: 35 4752 msdcsc.exe Token: 36 4752 msdcsc.exe Token: SeIncreaseQuotaPrivilege 1536 iexplore.exe Token: SeSecurityPrivilege 1536 iexplore.exe Token: SeTakeOwnershipPrivilege 1536 iexplore.exe Token: SeLoadDriverPrivilege 1536 iexplore.exe Token: SeSystemProfilePrivilege 1536 iexplore.exe Token: SeSystemtimePrivilege 1536 iexplore.exe Token: SeProfSingleProcessPrivilege 1536 iexplore.exe Token: SeIncBasePriorityPrivilege 1536 iexplore.exe Token: SeCreatePagefilePrivilege 1536 iexplore.exe Token: SeBackupPrivilege 1536 iexplore.exe Token: SeRestorePrivilege 1536 iexplore.exe Token: SeShutdownPrivilege 1536 iexplore.exe Token: SeDebugPrivilege 1536 iexplore.exe Token: SeSystemEnvironmentPrivilege 1536 iexplore.exe Token: SeChangeNotifyPrivilege 1536 iexplore.exe Token: SeRemoteShutdownPrivilege 1536 iexplore.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1536 iexplore.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 3196 wrote to memory of 4624 3196 screen.exe 85 PID 3196 wrote to memory of 4624 3196 screen.exe 85 PID 3196 wrote to memory of 4624 3196 screen.exe 85 PID 3196 wrote to memory of 2788 3196 screen.exe 81 PID 3196 wrote to memory of 2788 3196 screen.exe 81 PID 3196 wrote to memory of 2788 3196 screen.exe 81 PID 4624 wrote to memory of 4504 4624 cmd.exe 79 PID 2788 wrote to memory of 1812 2788 cmd.exe 78 PID 4624 wrote to memory of 4504 4624 cmd.exe 79 PID 2788 wrote to memory of 1812 2788 cmd.exe 78 PID 4624 wrote to memory of 4504 4624 cmd.exe 79 PID 2788 wrote to memory of 1812 2788 cmd.exe 78 PID 3196 wrote to memory of 4752 3196 screen.exe 82 PID 3196 wrote to memory of 4752 3196 screen.exe 82 PID 3196 wrote to memory of 4752 3196 screen.exe 82 PID 4752 wrote to memory of 1536 4752 msdcsc.exe 83 PID 4752 wrote to memory of 1536 4752 msdcsc.exe 83 PID 4752 wrote to memory of 1536 4752 msdcsc.exe 83 PID 4752 wrote to memory of 1536 4752 msdcsc.exe 83 PID 4752 wrote to memory of 1536 4752 msdcsc.exe 83 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 PID 1536 wrote to memory of 4720 1536 iexplore.exe 84 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 1812 attrib.exe 4504 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\screen.exe"C:\Users\Admin\AppData\Local\Temp\screen.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- Suspicious use of WriteProcessMemory
PID:2788
-
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\notepad.exenotepad4⤵PID:4720
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\screen.exe" +s +h2⤵
- Suspicious use of WriteProcessMemory
PID:4624
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1812
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\screen.exe" +s +h1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4504
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
658KB
MD50e9b4f38f1c0f6a615e01bdb13a76baf
SHA1aff3f945c11837cfa8ba4da23057a86204e8932d
SHA25604789bb1e63b81997e53786d1f19a6dde477b29b54ad5bcb12aeb9bce3d0f72b
SHA51211cfd1987d51e641917ccdc67255606e8185c2582ce07e4cc8eef520bb8c2e48bc73e8edd9b740c72cd22c28a3486908a15e6b64e0ff97957bff5839e11e12ca
-
Filesize
658KB
MD50e9b4f38f1c0f6a615e01bdb13a76baf
SHA1aff3f945c11837cfa8ba4da23057a86204e8932d
SHA25604789bb1e63b81997e53786d1f19a6dde477b29b54ad5bcb12aeb9bce3d0f72b
SHA51211cfd1987d51e641917ccdc67255606e8185c2582ce07e4cc8eef520bb8c2e48bc73e8edd9b740c72cd22c28a3486908a15e6b64e0ff97957bff5839e11e12ca