Analysis
- max time kernel: 152s
- max time network: 164s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01-10-2022 23:37
Behavioral task: behavioral1
- Sample: f39577e2b9f1f072160f1a7a568949e0399952e8f674bdf4a32b3f1d2ab6500d.exe
- Resource: win7-20220812-en
General
- Target: f39577e2b9f1f072160f1a7a568949e0399952e8f674bdf4a32b3f1d2ab6500d.exe
- Size: 351KB
- MD5: 68570f555fc1595e6ce6b2d8f34c059c
- SHA1: 28e3ba38749acf761fcb0e2c46c6ea6d2e7fe726
- SHA256: f39577e2b9f1f072160f1a7a568949e0399952e8f674bdf4a32b3f1d2ab6500d
- SHA512: ad27cbb422c5f8c4401a725509a97de4fd75239fb2717fa4f8250e77af2125e12f518e178b3c0d4eea3616e6ba3a108fdd6ac4172f17303fb8f7df170a4f4340
- SSDEEP: 6144:8D7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZ69I2hgplSZ1:8l8E4w5huat7UovONzbXwOlh/NVR
Malware Config
Extracted
- family: darkcomet
- botnet: Guest16
- C2: 79.203.54.214:1604
- mutex: DC_MUTEX-15E21A0
- InstallPath: MSDCSC\msdcsc.exe
- gencode: Zw1LapYfDnkx
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: f39577e2b9f1f072160f1a7a568949e0399952e8f674bdf4a32b3f1d2ab6500d.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"
Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: msdcsc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
Modifies security service (2 TTPs, 1 IoC)
Process: msdcsc.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"

Windows security bypass
Process: msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Disables RegEdit via registry modification (1 IoC)
Process: msdcsc.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Disables Task Manager via registry modification
Executes dropped EXE (1 IoC)
Process: msdcsc.exe (pid 1908)

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe (pid 2024), attrib.exe (pid 2028)

YARA rule matches (rule: upx)
- behavioral1/memory/1200-55-0x0000000000400000-0x00000000004EC000-memory.dmp
- \ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
- \ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
- C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
- behavioral1/memory/1200-65-0x0000000000400000-0x00000000004EC000-memory.dmp
- behavioral1/memory/1908-68-0x0000000000400000-0x00000000004EC000-memory.dmp
- behavioral1/memory/1908-69-0x0000000000400000-0x00000000004EC000-memory.dmp
Loads dropped DLL (2 IoCs)
Process: f39577e2b9f1f072160f1a7a568949e0399952e8f674bdf4a32b3f1d2ab6500d.exe (pid 1200), 2 hits

Windows security modification
Process: msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Adds Run key to start application (2 TTPs, 1 IoC)
Process: f39577e2b9f1f072160f1a7a568949e0399952e8f674bdf4a32b3f1d2ab6500d.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: msdcsc.exe (pid 1908)
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Process: f39577e2b9f1f072160f1a7a568949e0399952e8f674bdf4a32b3f1d2ab6500d.exe (pid 1200), 23 tokens:
- SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Process: msdcsc.exe (pid 1908), 23 tokens:
- SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoC)
Process: msdcsc.exe (pid 1908)

Suspicious use of WriteProcessMemory (43 IoCs)
Processes: f39577e2b9f1f072160f1a7a568949e0399952e8f674bdf4a32b3f1d2ab6500d.exe, cmd.exe, cmd.exe, msdcsc.exe
- PID 1200 (f39577e2b9f1f072160f1a7a568949e0399952e8f674bdf4a32b3f1d2ab6500d.exe) wrote to memory of 968 (cmd.exe), 4 times
- PID 1200 (f39577e2b9f1f072160f1a7a568949e0399952e8f674bdf4a32b3f1d2ab6500d.exe) wrote to memory of 2040 (cmd.exe), 4 times
- PID 2040 (cmd.exe) wrote to memory of 2028 (attrib.exe), 4 times
- PID 968 (cmd.exe) wrote to memory of 2024 (attrib.exe), 4 times
- PID 1200 (f39577e2b9f1f072160f1a7a568949e0399952e8f674bdf4a32b3f1d2ab6500d.exe) wrote to memory of 1908 (msdcsc.exe), 4 times
- PID 1908 (msdcsc.exe) wrote to memory of 1960 (notepad.exe), 23 times
System policy modification (1 TTP, 3 IoCs)
Process: msdcsc.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe (pid 2024), attrib.exe (pid 2028)
Processes
C:\Users\Admin\AppData\Local\Temp\f39577e2b9f1f072160f1a7a568949e0399952e8f674bdf4a32b3f1d2ab6500d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f39577e2b9f1f072160f1a7a568949e0399952e8f674bdf4a32b3f1d2ab6500d.exe"
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\f39577e2b9f1f072160f1a7a568949e0399952e8f674bdf4a32b3f1d2ab6500d.exe" +s +h
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Local\Temp\f39577e2b9f1f072160f1a7a568949e0399952e8f674bdf4a32b3f1d2ab6500d.exe" +s +h
            - Sets file to hidden
            - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            - Sets file to hidden
            - Views/modifies file attributes
    C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
        Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
        - Modifies firewall policy service
        - Modifies security service
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Windows\SysWOW64\notepad.exe
            Command line: notepad
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
- Filesize: 351KB
- MD5: 68570f555fc1595e6ce6b2d8f34c059c
- SHA1: 28e3ba38749acf761fcb0e2c46c6ea6d2e7fe726
- SHA256: f39577e2b9f1f072160f1a7a568949e0399952e8f674bdf4a32b3f1d2ab6500d
- SHA512: ad27cbb422c5f8c4401a725509a97de4fd75239fb2717fa4f8250e77af2125e12f518e178b3c0d4eea3616e6ba3a108fdd6ac4172f17303fb8f7df170a4f4340

\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
- Filesize: 351KB
- MD5: 68570f555fc1595e6ce6b2d8f34c059c
- SHA1: 28e3ba38749acf761fcb0e2c46c6ea6d2e7fe726
- SHA256: f39577e2b9f1f072160f1a7a568949e0399952e8f674bdf4a32b3f1d2ab6500d
- SHA512: ad27cbb422c5f8c4401a725509a97de4fd75239fb2717fa4f8250e77af2125e12f518e178b3c0d4eea3616e6ba3a108fdd6ac4172f17303fb8f7df170a4f4340

\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
- Filesize: 351KB
- MD5: 68570f555fc1595e6ce6b2d8f34c059c
- SHA1: 28e3ba38749acf761fcb0e2c46c6ea6d2e7fe726
- SHA256: f39577e2b9f1f072160f1a7a568949e0399952e8f674bdf4a32b3f1d2ab6500d
- SHA512: ad27cbb422c5f8c4401a725509a97de4fd75239fb2717fa4f8250e77af2125e12f518e178b3c0d4eea3616e6ba3a108fdd6ac4172f17303fb8f7df170a4f4340

memory/968-56-0x0000000000000000-mapping.dmp

memory/1200-54-0x0000000075091000-0x0000000075093000-memory.dmp
- Filesize: 8KB

memory/1200-55-0x0000000000400000-0x00000000004EC000-memory.dmp
- Filesize: 944KB

memory/1200-65-0x0000000000400000-0x00000000004EC000-memory.dmp
- Filesize: 944KB

memory/1908-62-0x0000000000000000-mapping.dmp

memory/1908-68-0x0000000000400000-0x00000000004EC000-memory.dmp
- Filesize: 944KB

memory/1908-69-0x0000000000400000-0x00000000004EC000-memory.dmp
- Filesize: 944KB

memory/1960-66-0x0000000000000000-mapping.dmp

memory/2024-59-0x0000000000000000-mapping.dmp

memory/2028-58-0x0000000000000000-mapping.dmp

memory/2040-57-0x0000000000000000-mapping.dmp