Analysis
- max time kernel: 140s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
- submitted: 19-09-2022 03:00
- Static task: static1
- Behavioral task: behavioral1
- Sample: ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe
- Resource: win7-20220901-en
General
- Target: ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe
- Size: 1.2MB
- MD5: 33fdbcf3a82778a8ea00249107bc8fe5
- SHA1: 202fa6601456532d10ffe3060d5a7ad92b53c072
- SHA256: ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c
- SHA512: 0ec581b76f5a7ba20ccdabdda7ab4a4df79e4e99bbf7c6b60118965b271025a1d2c9ed57661cdc7fdbcd05f1a4e83d3e64444b18bbe312460b5f1168f8ab624a
- SSDEEP: 12288:lMEybYDzia5HqVG2Xc9cRYBfoozHwC1qgdB/Cfv2XyTkKORtRWAsENB0GSEMkN91:C9XHR0Q4/CGXyTn7AsENBprMMNvX5
Malware Config
Extracted
- Family: darkcomet
- Botnet: Zombie
- C2: anonymous-hr.zapto.org:5150, 127.0.0.1:5150
- Mutex: DC_MUTEX-A7UL2P5
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 5dY8i3S9M0Ys
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: cf.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | cf.exe
Modifies security service (2 TTPs, 2 IoCs)
Processes: msdcsc.exe, iexplore.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | msdcsc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | iexplore.exe
Windows security bypass
Processes: msdcsc.exe, iexplore.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | iexplore.exe
Executes dropped EXE (2 IoCs)
Processes: cf.exe, msdcsc.exe
  pid | process
  276 | cf.exe
  1936 | msdcsc.exe
Loads dropped DLL (2 IoCs)
Processes: cf.exe
  pid | process
  276 | cf.exe
  276 | cf.exe
Windows security modification
Processes: msdcsc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: cf.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | cf.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: msdcsc.exe
  description | pid | process | target process
  PID 1936 set thread context of 524 | 1936 | msdcsc.exe | iexplore.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe, cf.exe, msdcsc.exe, iexplore.exe
  pid | process | tokens
  1492 | ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe | SeDebugPrivilege
  276 | cf.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  1936 | msdcsc.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  524 | iexplore.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: iexplore.exe
  pid | process
  524 | iexplore.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Processes: ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe, cf.exe, msdcsc.exe
  description | pid | process | target process
  PID 1492 wrote to memory of 276 (4 times) | 1492 | ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe | cf.exe
  PID 276 wrote to memory of 1936 (4 times) | 276 | cf.exe | msdcsc.exe
  PID 1936 wrote to memory of 524 (6 times) | 1936 | msdcsc.exe | iexplore.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\cf.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\cf.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
         command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
         - Modifies security service
         - Windows security bypass
         - Executes dropped EXE
         - Windows security modification
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files (x86)\Internet Explorer\iexplore.exe
            command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            - Modifies security service
            - Windows security bypass
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Admin\AppData\Local\Temp\cf.exe
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
All three dropped files have identical hashes, i.e. they are the same binary:
  Filesize: 681KB
  MD5: 6b652684ca5fab95cbf89f217b501f6b
  SHA1: eb1462c14cbc60e8ebb82c611e523d3fc85e6959
  SHA256: 570b93789988900fddb7587135dbf50d8252795116d1ecd5cd0180213bba32fa
  SHA512: ea7fdcd57dffc3b279ce19222ffaef1d9ced64cf6f0c645f2efb8bca8f4d63aefe5a6cf5d99e6a60b66a699f5c96a1a10dda4de6784311b6e99fffc86d6d89bb
- memory/276-56-0x0000000000000000-mapping.dmp
- memory/276-58-0x0000000076BA1000-0x0000000076BA3000-memory.dmp (Filesize: 8KB)
- memory/1492-54-0x000007FEF49D0000-0x000007FEF53F3000-memory.dmp (Filesize: 10.1MB)
- memory/1492-55-0x000007FEFC5A1000-0x000007FEFC5A3000-memory.dmp (Filesize: 8KB)
- memory/1936-62-0x0000000000000000-mapping.dmp