Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2022, 02:33
Static task: static1
Behavioral task: behavioral1
  Sample: 553042bd72a07ada473128811ca5a4e56249c2e749cbb8699e6d88d9bcb25833.exe
  Resource: win7-20220812-en
General
Target: 553042bd72a07ada473128811ca5a4e56249c2e749cbb8699e6d88d9bcb25833.exe
Size: 827KB
MD5: 65bb78e2781f8a31d30946f75661bab0
SHA1: b63034503555aaa131e0d6f2a4be0c92a4d2ccc2
SHA256: 553042bd72a07ada473128811ca5a4e56249c2e749cbb8699e6d88d9bcb25833
SHA512: 97ca39a02a186c944a975b12c98a2df1fedeaaa5b07f2818137b5f1fc8e70557c36af37ef60375901aba9d6bd394d46dc70392bcc80d77d0558bd267d83e97fd
SSDEEP: 12288:vYUAMakAq1mmesJGR0zwnLbIrndRQHuVqe25EEk4NvWT7bkMhJnmvkmXhQnltj60:haNqleuGgwsMuE5E+NeT7av5hQuY
Malware Config
Extracted
Family: darkcomet
Campaign ID: Guest16 (DarkComet's default campaign name, i.e. the operator did not rename the build)
C2: hashtagyolo.sytes.net:1604
C2: 77.248.186.202:1604
Mutex: DC_MUTEX-AMVW5LU
InstallPath: MSDCSC\msdcsc.exe
gencode: HY70tdZhA2dU
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate

Port 1604 is DarkComet's default listener port and sytes.net is a No-IP dynamic DNS domain, so the hostname, the IP and the port are all worth alerting on separately: the dynamic DNS record can be repointed at a new IP at any time. The InstallPath and reg_key values match the dropped file (AppData\Roaming\MSDCSC\msdcsc.exe) and the Run-key name (MicroUpdate) observed in the signatures below.
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"   process: Crypted.exe
  Userinit is a comma-separated list that winlogon launches at every interactive logon; appending the implant after the stock userinit.exe gives it logon persistence (ATT&CK T1547.004) independent of the Run key below. Any Userinit value with more than the single stock entry is a finding.
Modifies security service (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"   process: msdcsc.exe
  wscsvc is the Windows Security Center service; Start = 4 is SERVICE_DISABLED, so it will not start on the next boot.

Windows security bypass
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"   process: msdcsc.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"   process: msdcsc.exe
  Both flags suppress the Security Center's antivirus and Windows Update warnings to the user; together with the disabled service they hide the absence of protection rather than disabling any product.
Disables RegEdit via registry modification (1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"   process: msdcsc.exe
  This is the per-user policy under HKCU; it blocks regedit.exe for the sandbox user only, not for other accounts.

Disables Task Manager via registry modification
  (no IoC listed in the report)
Executes dropped EXE (2 IoCs)
  PID 1892  Crypted.exe
  PID 696   msdcsc.exe
Sets file to hidden (1 TTP, 1 IoC)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 1980  attrib.exe
Loads dropped DLL (2 IoCs)
  PID 1892  Crypted.exe
  PID 1892  Crypted.exe

Windows security modification
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"   process: msdcsc.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"   process: msdcsc.exe
  (the same two writes as the security-bypass signature above, matched by a second rule)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"   process: Crypted.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"   process: msdcsc.exe
  The key name is the reg_key value from the extracted config; the dropper writes it once and the installed copy rewrites it on start, so deleting the value while msdcsc.exe is running is not sufficient.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The second sentence is the sandbox's generic description for this signature. Given the extracted DarkComet config and the absence of any file-encryption activity in the report, drive enumeration here is more consistent with the RAT's remote file-browser feature than with ransomware.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 696  msdcsc.exe
  Repeated GetForegroundWindow polling is consistent with the offline_keylogger = true setting in the config: the keylogger records the active window title alongside keystrokes.

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Both Crypted.exe (PID 1892) and msdcsc.exe (PID 696) enable the same 23 privileges on their token, in this order:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges the report lists only by LUID: 33, 34, 35.
  Enabling the whole set at once (rather than the one privilege a task needs) is itself a useful detection feature; SeDebugPrivilege in particular is what the later WriteProcessMemory activity relies on.
Suspicious use of FindShellTrayWindow (1 IoC)
  PID 1092  DllHost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 696  msdcsc.exe
  A global hook from the implant is consistent with the keyboard-hook keylogger enabled in the config.

Suspicious use of WriteProcessMemory (39 IoCs)
  Each row is one parent-to-child memory write; the report lists the same edge once per write.
  source PID  source process                                                                  target PID  target process   procid_target  writes
  832         553042bd72a07ada473128811ca5a4e56249c2e749cbb8699e6d88d9bcb25833.exe           1892        Crypted.exe      28             4
  1892        Crypted.exe                                                                     1956        cmd.exe          29             4
  1956        cmd.exe                                                                         1980        attrib.exe       31             4
  1892        Crypted.exe                                                                     696         msdcsc.exe       33             4
  696         msdcsc.exe                                                                      1224        notepad.exe      34             23
  The four-write pattern on each CreateProcess edge is normal for the sandbox's instrumentation of WOW64 process creation. The 23 writes from msdcsc.exe into its notepad.exe child are not: notepad has no reason to receive memory from its parent, so this is the implant using the child as an injection host.
System policy modification (1 TTP, 3 IoCs)
  Key created   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion   process: msdcsc.exe
  Key created   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern   process: msdcsc.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"   process: msdcsc.exe
  Note the path as written: Explorer reads NoControlPanel from Policies\Explorer, not from Policies\CurrentVersion\Explorern, so this write has no effect on the Control Panel. The odd key path is nevertheless a stable artifact of the malware and is a better hunting key than the value itself.
Views/modifies file attributes (1 TTP, 1 IoC)
  PID 1980  attrib.exe
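The registry writes above are the host-side evidence a responder would check for, and the extracted config supplies the mutex. The following is an added example, not part of the sandbox report or of any Triage tooling: it parses the report's own "Set value (type) path = "value" process" lines (the sample lines are constructed from the entries above, with the report's doubled backslashes un-escaped) and evaluates them against generic checks for each persistence and tampering technique seen here. The rule names, the parsing format and the helper names are this example's own; the checks are written generically so they also fire on variants that use a different file name or Run-key name.

```python
"""Evaluate sandbox registry events against DarkComet-style host tampering checks."""
import re

# Constructed input: the 'Set value' entries from the report above, one per line.
EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" Crypted.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" Crypted.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" msdcsc.exe
'''

# One report line: Set value (<type>) <path> = "<value>" <process>
EVENT_RE = re.compile(r'^Set value \((\w+)\) (\S.*?) = "(.*)" (\S+)$')

# Hypothetical mutex check: the extracted config uses the DC_MUTEX- prefix.
MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]+$")


def parse_events(text):
    """Parse report lines into dicts; un-escape the doubled backslashes in values."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not a 'Set value' line (e.g. 'Key created')
        vtype, path, value, proc = m.groups()
        events.append({"type": vtype, "path": path,
                       "value": value.replace("\\\\", "\\"), "process": proc})
    return events


def userinit_extra_entries(value):
    """Return every Userinit entry other than the stock userinit.exe.
    winlogon launches each comma-separated entry at interactive logon."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry or entry.lower().endswith("\\system32\\userinit.exe"):
            continue
        extras.append(entry)
    return extras


def run_key_in_user_writable_dir(path, value):
    """Run-key value whose target lives in AppData or Temp: autostart from user-writable space."""
    pl, vl = path.lower(), value.lower()
    return "\\currentversion\\run\\" in pl and any(
        seg in vl for seg in ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\"))


def is_darkcomet_mutex(name):
    """True for mutex names with the DC_MUTEX- prefix seen in the extracted config."""
    return MUTEX_RE.match(name) is not None


def evaluate(events):
    """Return (rule, evidence, process) findings for each tampering technique."""
    findings = []
    for ev in events:
        p, v, proc = ev["path"], ev["value"], ev["process"]
        pl = p.lower()
        if pl.endswith("\\winlogon\\userinit"):
            for extra in userinit_extra_entries(v):
                findings.append(("userinit_hijack", extra, proc))
        elif pl.endswith("\\services\\wscsvc\\start") and v == "4":
            findings.append(("security_center_disabled", p, proc))  # 4 = SERVICE_DISABLED
        elif "\\security center\\" in pl and pl.endswith("disablenotify") and v == "1":
            findings.append(("security_center_notify_off", p, proc))
        elif pl.endswith("\\policies\\system\\disableregistrytools") and v == "1":
            findings.append(("regedit_disabled", p, proc))
        elif run_key_in_user_writable_dir(p, v):
            findings.append(("run_key_user_writable", v, proc))
        elif pl.endswith("nocontrolpanel") and "\\policies\\explorer\\" not in pl:
            # Written outside Policies\Explorer, so Explorer ignores it; the write is still an IoC.
            findings.append(("policy_write_misplaced", p, proc))
    return findings


if __name__ == "__main__":
    for rule, evidence, proc in evaluate(parse_events(EVENTS)):
        print(f"{rule:28s} {proc:12s} {evidence}")
```

The Userinit check is the one to keep: it does not depend on the implant's file name, and a clean Windows 7 host has exactly one entry there.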
Processes
[1] C:\Users\Admin\AppData\Local\Temp\553042bd72a07ada473128811ca5a4e56249c2e749cbb8699e6d88d9bcb25833.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\553042bd72a07ada473128811ca5a4e56249c2e749cbb8699e6d88d9bcb25833.exe"
    PID 832
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Crypted.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
      PID 1892
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Crypted.exe" +s +h
        PID 1956
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\attrib.exe
          cmdline: attrib "C:\Users\Admin\AppData\Local\Temp\Crypted.exe" +s +h
          PID 1980
          - Sets file to hidden
          - Views/modifies file attributes
    [3] C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
        PID 696
        - Modifies security service
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
      [4] C:\Windows\SysWOW64\notepad.exe
          cmdline: notepad
          PID 1224
[1] C:\Windows\SysWOW64\DllHost.exe
    cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    PID 1092
    - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize  MD5                               SHA1                                      SHA256                                                            SHA512
25KB      fe6804f85ed930ddf37a07add7531f94  2b9e231e203bdd6595e017452a6f46ae877346f5  5de2a01b97d3368692effdf3d2cf4ed31de4cc756728a67035c75d2887bc004b  cfc686809511c2672ed86ef6c4311e9c2904a69ac794b8135ee18c80e24a14db850a69240cbb2e555c4051dd93093b3c8c849e6f3e14e0fe7dcbefa00410ab6c
766KB     a5301725ad37183aeb89e4515fcff0d5  17ac030c7ea4d427548e9b4fdd456425c8a6ac9e  00197e1dd48e47f58023c1f92715a5dae72022d5bd27c8fa6922e108be7fc37a  95e422dc9828b690d6938e0f372b6a74a13c91b56c8f1c57752eb8e92f67edbb609084a128e41c471c6fdbfab83103332c084a3a94be3639d3083e3cb77ce2dc
The 766KB entry is listed six times in the report with identical hashes (the report gives no file paths for the entries); it is shown once here.