Analysis
- max time kernel: 154s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-10-2022 01:09
Behavioral task: behavioral1
- Sample: 37fdcfd7d3d1b550bc90116c1b11ffadee6ef30ad6cf221d7347c3822f52ca72.exe
- Resource: win7-20220901-en
General
- Target: 37fdcfd7d3d1b550bc90116c1b11ffadee6ef30ad6cf221d7347c3822f52ca72.exe
- Size: 252KB
- MD5: a243180b33c2882019b2e3a1e23337b0
- SHA1: ab5536347e5bcc31bb450b133089b76fb00b93f6
- SHA256: 37fdcfd7d3d1b550bc90116c1b11ffadee6ef30ad6cf221d7347c3822f52ca72
- SHA512: 775aeff15e91eb418b3a7d7a2489f39a730b43a115bbe7f95e97c209504a09524e207d58c8082445d11bf033c56fd29cdde7d954ad35efaadb39cca5d6b1fe22
- SSDEEP: 6144:/cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37KA:/cW7KEZlPzCy37L
Malware Config
Extracted
- Family: darkcomet
- Botnet: Anonymous
- Mutex: DC_MUTEX-GFY57DB
- InstallPath: MSDCSC\msdcsc.exe
- gencode: lWRxBdsCyvwt
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: 37fdcfd7d3d1b550bc90116c1b11ffadee6ef30ad6cf221d7347c3822f52ca72.exe)

Modifies firewall policy service (2 TTPs, 3 IoCs)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (process: msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (process: msdcsc.exe)

Modifies security service (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (process: msdcsc.exe)

Windows security bypass
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: msdcsc.exe)
Disables RegEdit via registry modification (1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: msdcsc.exe)

Disables Task Manager via registry modification

Executes dropped EXE (1 IoC)
- PID 1964: msdcsc.exe

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
- PID 4048: attrib.exe
- PID 316: attrib.exe

YARA rule matches
- behavioral2/memory/1372-132-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
- behavioral2/memory/1372-138-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
- behavioral2/files/0x0007000000022f5a-140.dat: upx
- behavioral2/files/0x0007000000022f5a-141.dat: upx
- behavioral2/memory/1964-143-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
- behavioral2/memory/1964-144-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (process: 37fdcfd7d3d1b550bc90116c1b11ffadee6ef30ad6cf221d7347c3822f52ca72.exe)

Windows security modification
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: msdcsc.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: 37fdcfd7d3d1b550bc90116c1b11ffadee6ef30ad6cf221d7347c3822f52ca72.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: msdcsc.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: 37fdcfd7d3d1b550bc90116c1b11ffadee6ef30ad6cf221d7347c3822f52ca72.exe)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1964: msdcsc.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
- PID 1372 (37fdcfd7d3d1b550bc90116c1b11ffadee6ef30ad6cf221d7347c3822f52ca72.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 1964 (msdcsc.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1964: msdcsc.exe

Suspicious use of WriteProcessMemory (54 IoCs)
- PID 1372 (37fdcfd7d3d1b550bc90116c1b11ffadee6ef30ad6cf221d7347c3822f52ca72.exe) wrote to memory of PID 4844 (procid_target 83): 3 entries
- PID 1372 (37fdcfd7d3d1b550bc90116c1b11ffadee6ef30ad6cf221d7347c3822f52ca72.exe) wrote to memory of PID 4148 (procid_target 84): 3 entries
- PID 1372 (37fdcfd7d3d1b550bc90116c1b11ffadee6ef30ad6cf221d7347c3822f52ca72.exe) wrote to memory of PID 4924 (procid_target 87): 17 entries
- PID 4148 (cmd.exe) wrote to memory of PID 4048 (procid_target 89): 3 entries
- PID 4844 (cmd.exe) wrote to memory of PID 316 (procid_target 88): 3 entries
- PID 1372 (37fdcfd7d3d1b550bc90116c1b11ffadee6ef30ad6cf221d7347c3822f52ca72.exe) wrote to memory of PID 1964 (procid_target 90): 3 entries
- PID 1964 (msdcsc.exe) wrote to memory of PID 3740 (procid_target 91): 22 entries
System policy modification (1 TTP, 3 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (process: msdcsc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (process: msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (process: msdcsc.exe)

Views/modifies file attributes (1 TTP, 2 IoCs)
- PID 316: attrib.exe
- PID 4048: attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\37fdcfd7d3d1b550bc90116c1b11ffadee6ef30ad6cf221d7347c3822f52ca72.exe (PID 1372)
  Command line: "C:\Users\Admin\AppData\Local\Temp\37fdcfd7d3d1b550bc90116c1b11ffadee6ef30ad6cf221d7347c3822f52ca72.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe (PID 4844)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\37fdcfd7d3d1b550bc90116c1b11ffadee6ef30ad6cf221d7347c3822f52ca72.exe" +s +h
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\attrib.exe (PID 316)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\37fdcfd7d3d1b550bc90116c1b11ffadee6ef30ad6cf221d7347c3822f52ca72.exe" +s +h
      Signatures:
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 4148)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\attrib.exe (PID 4048)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures:
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\notepad.exe (PID 4924)
    Command line: notepad
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1964)
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    Signatures:
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    Child processes:
    - C:\Windows\SysWOW64\notepad.exe (PID 3740)
      Command line: notepad
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 252KB
- MD5: a243180b33c2882019b2e3a1e23337b0
- SHA1: ab5536347e5bcc31bb450b133089b76fb00b93f6
- SHA256: 37fdcfd7d3d1b550bc90116c1b11ffadee6ef30ad6cf221d7347c3822f52ca72
- SHA512: 775aeff15e91eb418b3a7d7a2489f39a730b43a115bbe7f95e97c209504a09524e207d58c8082445d11bf033c56fd29cdde7d954ad35efaadb39cca5d6b1fe22