Analysis
- max time kernel: 153s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-10-2022 23:30
Behavioral task: behavioral1
- Sample: cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
- Resource: win7-20220812-en
General
- Target: cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
- Size: 28.3MB
- MD5: 668c94eba455cc5ff70d132c321418ec
- SHA1: 02b9bc9efda3e7d1269a3c6d9dbcb04691a0416c
- SHA256: cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429
- SHA512: 4802bdf6cce94b4fd065affc5ff9470cf9a9892a2963df2567a28390ba3603456173f2571a3ae39ce08dc26b059cea5b2ea35865f732c24230059dbd0582185a
- SSDEEP: 786432:m5NgWSIq8kjHIVkNXqp5jIqsL9wMkuhVGxxGM+LePAREz+UNK/:mvp9GHIVkNap5jFC+Mkuh+GJLexTi
Malware Config
Extracted
- Family: darkcomet
- Botnet: Sazan
- C2: 46.1.103.13:1604
- Mutex: DC_MUTEX-LFFAWM6
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 8mlW7yUboqwX
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (process: cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe)
Modifies security service (2 TTPs, 1 IoCs)
Processes: msdcsc.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (process: msdcsc.exe)
Windows security bypass
Processes: msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: msdcsc.exe)
Executes dropped EXE (2 IoCs)
Processes: CG_LOADER.EXE, msdcsc.exe
- pid 2960: CG_LOADER.EXE
- pid 4192: msdcsc.exe
Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.

YARA rule matches (resource / yara_rule):
- C:\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE / vmprotect
- C:\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE / vmprotect
- behavioral2/memory/2960-141-0x0000000000110000-0x0000000001C9C000-memory.dmp / vmprotect
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (process: cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe)
Windows security modification
Processes: msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: msdcsc.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe, msdcsc.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (process: cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (process: msdcsc.exe)
Drops file in System32 directory (3 IoCs)
Processes: cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
- File created: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (process: cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe)
- File opened for modification: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (process: cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe)
- File opened for modification: C:\Windows\SysWOW64\MSDCSC\ (process: cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: CG_LOADER.EXE
- pid 2960: CG_LOADER.EXE
Suspicious use of AdjustPrivilegeToken (49 IoCs)
Processes: cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe, msdcsc.exe, CG_LOADER.EXE
- pid 4932 cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 IoCs)
- pid 4192 msdcsc.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 IoCs)
- pid 2960 CG_LOADER.EXE, Token: SeDebugPrivilege (1 IoC)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: msdcsc.exe
- pid 4192: msdcsc.exe
Suspicious use of WriteProcessMemory (34 IoCs)
Processes: cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe, cmd.exe, msdcsc.exe
(description / pid / process / target process; identical rows are grouped with a count)
- PID 4932 wrote to memory of 1568 / 4932 / cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe / cmd.exe (x3)
- PID 1568 wrote to memory of 1472 / 1568 / cmd.exe / attrib.exe (x3)
- PID 4932 wrote to memory of 2960 / 4932 / cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe / CG_LOADER.EXE (x3)
- PID 4932 wrote to memory of 4192 / 4932 / cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe / msdcsc.exe (x3)
- PID 4192 wrote to memory of 364 / 4192 / msdcsc.exe / notepad.exe (x22)
System policy modification (1 TTPs, 3 IoCs)
Processes: msdcsc.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (process: msdcsc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (process: msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (process: msdcsc.exe)
Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes

  (depth 2) C:\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  (depth 2) C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
    Command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    (depth 3) C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE
  Filesize: 27.6MB
  MD5: 345fc46071de77ab039482051ef3fcff
  SHA1: e9e3ace58241d3c4531ac0093579c99a88276751
  SHA256: 6f956e7712bbe4387bb2d7b5028bd7cae4927cf3212b98e3a8cce127cd4e9cb0
  SHA512: a6d11fab37c1e464f9a9e10324456b20da72cbb74079983919d4f27fd8b750233af03ef46677f6b85aa0a8fe7f15c4688e7883903e345da044055f3b68097081
- C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
  Filesize: 28.3MB
  MD5: 668c94eba455cc5ff70d132c321418ec
  SHA1: 02b9bc9efda3e7d1269a3c6d9dbcb04691a0416c
  SHA256: cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429
  SHA512: 4802bdf6cce94b4fd065affc5ff9470cf9a9892a2963df2567a28390ba3603456173f2571a3ae39ce08dc26b059cea5b2ea35865f732c24230059dbd0582185a
- memory/364-140-0x0000000000000000-mapping.dmp
- memory/1472-133-0x0000000000000000-mapping.dmp
- memory/1568-132-0x0000000000000000-mapping.dmp
- memory/2960-134-0x0000000000000000-mapping.dmp
- memory/2960-141-0x0000000000110000-0x0000000001C9C000-memory.dmp (Filesize: 27.5MB)
- memory/2960-142-0x000000000A860000-0x000000000A8FC000-memory.dmp (Filesize: 624KB)
- memory/2960-143-0x000000000AEB0000-0x000000000B454000-memory.dmp (Filesize: 5.6MB)
- memory/2960-144-0x000000000A9A0000-0x000000000AA32000-memory.dmp (Filesize: 584KB)
- memory/2960-145-0x000000000A940000-0x000000000A94A000-memory.dmp (Filesize: 40KB)
- memory/2960-146-0x000000000ABF0000-0x000000000AC46000-memory.dmp (Filesize: 344KB)
- memory/2960-147-0x000000000D1A0000-0x000000000D362000-memory.dmp (Filesize: 1.8MB)
- memory/4192-137-0x0000000000000000-mapping.dmp