Analysis

- max time kernel: 150s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
- submitted: 01-10-2022 23:38
Behavioral task: behavioral1

- Sample: 242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe
- Resource: win7-20220901-en
General

- Target: 242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe
- Size: 1.3MB
- MD5: 65335c3362c2a5af1662e5d596e812c0
- SHA1: 49d54432fc1691d0f6b477e7c4ccc4162ea6bd41
- SHA256: 242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21
- SHA512: 043828beaffc5e73707021320877e65dc26b4d7957702f855241ed777087dd8c608af71f14a5d4c4d5ff3229c42a4ab831bc2310c5f6bf6a7452d697783bd7f4
- SSDEEP: 24576:xQtAJH+PECTpJzNYDoKVf7LtxBezzJ34GAx+0QRWoJEfg0oChGdJQbjPbNW5tYeH:+SH+PECTpJzNYDnVjLtxclmJQRV2o3Mj
Malware Config

Extracted family: darkcomet

- Botnet: Guest16
- C2: herorivals.ddns.net:1604
- C2: herorivals.ddns.net:1605
- Mutex: DC_MUTEX-F54S21D
- InstallPath: MSDCSC\msdcsc.exe
- gencode: jZMx1931CGta
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: Microsoft
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: systeminf2.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (systeminf2.exe)

Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: msdcsc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (msdcsc.exe)

Modifies security service (2 TTPs, 1 IoC)
Process: msdcsc.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (msdcsc.exe)
Windows security bypass
Process: msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)
Executes dropped EXE (3 IoCs)
Processes: systeminf1.exe, systeminf2.exe, msdcsc.exe
- PID 1256 systeminf1.exe
- PID 2036 systeminf2.exe
- PID 1792 msdcsc.exe

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
- PID 1788 attrib.exe
- PID 1380 attrib.exe

Loads dropped DLL (5 IoCs)
Processes: 242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe, systeminf2.exe
- PID 1632 242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe (recorded 3 times)
- PID 2036 systeminf2.exe (recorded 2 times)
Windows security modification
Process: msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: systeminf2.exe, msdcsc.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (systeminf2.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (msdcsc.exe)

Drops file in System32 directory (3 IoCs)
Processes: 242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe, attrib.exe
- File created: C:\Windows\SysWOW64\systeminf2.exe (242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe)
- File opened for modification: C:\Windows\SysWOW64\systeminf2.exe (attrib.exe)
- File created: C:\Windows\SysWOW64\systeminf1.exe (242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe)

Drops file in Windows directory (1 IoC)
Process: attrib.exe
- File opened for modification: C:\Windows\SysWOW64 (attrib.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: systeminf2.exe, msdcsc.exe
- PID 2036 systeminf2.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 1792 msdcsc.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoC)
Process: msdcsc.exe
- PID 1792 msdcsc.exe

Suspicious use of WriteProcessMemory (44 IoCs)
Processes: 242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe, systeminf2.exe, cmd.exe, cmd.exe, cmd.exe, msdcsc.exe
Each source/target pair below was recorded 4 times:
- PID 1632 (242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe) wrote to memory of 1256 (systeminf1.exe)
- PID 1632 (242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe) wrote to memory of 2036 (systeminf2.exe)
- PID 2036 (systeminf2.exe) wrote to memory of 1532 (cmd.exe)
- PID 2036 (systeminf2.exe) wrote to memory of 1284 (cmd.exe)
- PID 2036 (systeminf2.exe) wrote to memory of 1528 (cmd.exe)
- PID 1532 (cmd.exe) wrote to memory of 1788 (attrib.exe)
- PID 1284 (cmd.exe) wrote to memory of 1380 (attrib.exe)
- PID 1528 (cmd.exe) wrote to memory of 1856 (PING.EXE)
- PID 2036 (systeminf2.exe) wrote to memory of 1792 (msdcsc.exe)
- PID 1792 (msdcsc.exe) wrote to memory of 1512 (iexplore.exe)
- PID 1792 (msdcsc.exe) wrote to memory of 1576 (explorer.exe)

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe, attrib.exe
- PID 1380 attrib.exe
- PID 1788 attrib.exe
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\SysWOW64\systeminf1.exe
    Command line: "C:\Windows\system32\systeminf1.exe"
    - Executes dropped EXE

  - [2] C:\Windows\SysWOW64\systeminf2.exe
    Command line: "C:\Windows\system32\systeminf2.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\systeminf2.exe" +s +h
      - Suspicious use of WriteProcessMemory

      - [4] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\SysWOW64\systeminf2.exe" +s +h
        - Sets file to hidden
        - Drops file in System32 directory
        - Views/modifies file attributes

    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h
      - Suspicious use of WriteProcessMemory

      - [4] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Windows\SysWOW64" +s +h
        - Sets file to hidden
        - Drops file in Windows directory
        - Views/modifies file attributes

    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\systeminf2.exe"
      - Suspicious use of WriteProcessMemory

      - [4] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 4
        - Runs ping.exe

    - [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      - [4] C:\Program Files (x86)\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

      - [4] C:\Windows\explorer.exe
        Command line: "C:\Windows\explorer.exe"