Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
11/10/2022, 02:33
Static task
static1
Behavioral task
behavioral1
Sample
553042bd72a07ada473128811ca5a4e56249c2e749cbb8699e6d88d9bcb25833.exe
Resource
win7-20220812-en
General
-
Target
553042bd72a07ada473128811ca5a4e56249c2e749cbb8699e6d88d9bcb25833.exe
-
Size
827KB
-
MD5
65bb78e2781f8a31d30946f75661bab0
-
SHA1
b63034503555aaa131e0d6f2a4be0c92a4d2ccc2
-
SHA256
553042bd72a07ada473128811ca5a4e56249c2e749cbb8699e6d88d9bcb25833
-
SHA512
97ca39a02a186c944a975b12c98a2df1fedeaaa5b07f2818137b5f1fc8e70557c36af37ef60375901aba9d6bd394d46dc70392bcc80d77d0558bd267d83e97fd
-
SSDEEP
12288:vYUAMakAq1mmesJGR0zwnLbIrndRQHuVqe25EEk4NvWT7bkMhJnmvkmXhQnltj60:haNqleuGgwsMuE5E+NeT7av5hQuY
Malware Config
Extracted
darkcomet
Guest16
hashtagyolo.sytes.net:1604
77.248.186.202:1604
DC_MUTEX-AMVW5LU
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
HY70tdZhA2dU
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" | Crypted.exe
Modifies security service (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msdcsc.exe

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | msdcsc.exe
Disables Task Manager via registry modification
-
Executes dropped EXE (2 IoCs)
pid | Process
1764 | Crypted.exe
228 | msdcsc.exe
Sets file to hidden (1 TTP, 1 IoC)
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
1132 | attrib.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 553042bd72a07ada473128811ca5a4e56249c2e749cbb8699e6d88d9bcb25833.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | Crypted.exe

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" | Crypted.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" | msdcsc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Crypted.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
228 | msdcsc.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
description | pid | Process
Each of the two processes below adjusted the same 24 token privileges (one IoC per privilege per process):
Token privileges | 1764 | Crypted.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Token privileges | 228 | msdcsc.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
228 | msdcsc.exe
Suspicious use of WriteProcessMemory (34 IoCs)
description | pid | Process | procid_target
PID 4448 wrote to memory of 1764 | 4448 | 553042bd72a07ada473128811ca5a4e56249c2e749cbb8699e6d88d9bcb25833.exe | 85 (3 events)
PID 1764 wrote to memory of 5008 | 1764 | Crypted.exe | 86 (3 events)
PID 5008 wrote to memory of 1132 | 5008 | cmd.exe | 88 (3 events)
PID 1764 wrote to memory of 228 | 1764 | Crypted.exe | 89 (3 events)
PID 228 wrote to memory of 4788 | 228 | msdcsc.exe | 90 (22 events)
System policy modification (1 TTP, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe
Views/modifies file attributes (1 TTP, 1 IoC)
pid | Process
1132 | attrib.exe
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\553042bd72a07ada473128811ca5a4e56249c2e749cbb8699e6d88d9bcb25833.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\553042bd72a07ada473128811ca5a4e56249c2e749cbb8699e6d88d9bcb25833.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4448

  (depth 2) C:\Users\Admin\AppData\Local\Temp\Crypted.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1764

    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Crypted.exe" +s +h
      - Suspicious use of WriteProcessMemory
      PID: 5008

      (depth 4) C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\Crypted.exe" +s +h
        - Sets file to hidden
        - Views/modifies file attributes
        PID: 1132

    (depth 3) C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
      - Modifies security service
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 228

      (depth 4) C:\Windows\SysWOW64\notepad.exe
        Command line: notepad
        PID: 4788
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Four entries, all with the same size and hashes:
Filesize
766KB
MD5
a5301725ad37183aeb89e4515fcff0d5
SHA1
17ac030c7ea4d427548e9b4fdd456425c8a6ac9e
SHA256
00197e1dd48e47f58023c1f92715a5dae72022d5bd27c8fa6922e108be7fc37a
SHA512
95e422dc9828b690d6938e0f372b6a74a13c91b56c8f1c57752eb8e92f67edbb609084a128e41c471c6fdbfab83103332c084a3a94be3639d3083e3cb77ce2dc