Analysis
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2022 03:00
Static task
static1
Behavioral task
behavioral1
Sample
ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe
Resource
win7-20220901-en
General
Target: ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe
Size: 1.2MB
MD5: 33fdbcf3a82778a8ea00249107bc8fe5
SHA1: 202fa6601456532d10ffe3060d5a7ad92b53c072
SHA256: ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c
SHA512: 0ec581b76f5a7ba20ccdabdda7ab4a4df79e4e99bbf7c6b60118965b271025a1d2c9ed57661cdc7fdbcd05f1a4e83d3e64444b18bbe312460b5f1168f8ab624a
SSDEEP: 12288:lMEybYDzia5HqVG2Xc9cRYBfoozHwC1qgdB/Cfv2XyTkKORtRWAsENB0GSEMkN91:C9XHR0Q4/CGXyTn7AsENBprMMNvX5
Malware Config
Extracted
darkcomet
Zombie
anonymous-hr.zapto.org:5150
127.0.0.1:5150
DC_MUTEX-A7UL2P5
InstallPath: MSDCSC\msdcsc.exe
gencode: 5dY8i3S9M0Ys
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: cf.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (cf.exe)
Modifies security service 2 TTPs 2 IoCs
Processes: msdcsc.exe, iexplore.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (msdcsc.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (iexplore.exe)
Windows security bypass (signature name recovered from the process tree below; the heading is missing from the extracted text)
Processes: msdcsc.exe, iexplore.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (iexplore.exe)
Executes dropped EXE 2 IoCs
Processes: cf.exe, msdcsc.exe
- PID 640 cf.exe
- PID 396 msdcsc.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe, cf.exe
- Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (cf.exe)
Windows security modification (signature name recovered from the process tree below; the heading is missing from the extracted text)
Processes: msdcsc.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
Adds Run key to start application 2 TTPs 1 IoCs
Processes: cf.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (cf.exe)
Suspicious use of SetThreadContext 1 IoCs
Processes: msdcsc.exe
- PID 396 (msdcsc.exe) set thread context of PID 3184 (iexplore.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe, cf.exe, msdcsc.exe, iexplore.exe
- PID 1284 ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe, tokens: SeDebugPrivilege
- PID 640 cf.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 396 msdcsc.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 3184 iexplore.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: iexplore.exe
- PID 3184 iexplore.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes: ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe, cf.exe, msdcsc.exe
- PID 1284 (ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe) wrote to memory of PID 640 (cf.exe), 3 times
- PID 640 (cf.exe) wrote to memory of PID 396 (msdcsc.exe), 3 times
- PID 396 (msdcsc.exe) wrote to memory of PID 3184 (iexplore.exe), 5 times
Processes
- C:\Users\Admin\AppData\Local\Temp\ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\cf.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cf.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (level 3)
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Modifies security service
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe (level 4)
        Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        - Modifies security service
        - Windows security bypass
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\cf.exe
Filesize: 681KB
MD5: 6b652684ca5fab95cbf89f217b501f6b
SHA1: eb1462c14cbc60e8ebb82c611e523d3fc85e6959
SHA256: 570b93789988900fddb7587135dbf50d8252795116d1ecd5cd0180213bba32fa
SHA512: ea7fdcd57dffc3b279ce19222ffaef1d9ced64cf6f0c645f2efb8bca8f4d63aefe5a6cf5d99e6a60b66a699f5c96a1a10dda4de6784311b6e99fffc86d6d89bb
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize: 681KB
MD5: 6b652684ca5fab95cbf89f217b501f6b
SHA1: eb1462c14cbc60e8ebb82c611e523d3fc85e6959
SHA256: 570b93789988900fddb7587135dbf50d8252795116d1ecd5cd0180213bba32fa
SHA512: ea7fdcd57dffc3b279ce19222ffaef1d9ced64cf6f0c645f2efb8bca8f4d63aefe5a6cf5d99e6a60b66a699f5c96a1a10dda4de6784311b6e99fffc86d6d89bb
-
memory/396-136-0x0000000000000000-mapping.dmp
-
memory/640-133-0x0000000000000000-mapping.dmp
-
memory/1284-132-0x00007FFC45C10000-0x00007FFC46646000-memory.dmp
Filesize: 10.2MB