Analysis
max time kernel: 151s
max time network: 42s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 20-10-2022 09:53

Behavioral task: behavioral1
Sample: ca582eb808454d1cde38c8b2f774edb3c73241b37e95ad369afaea95ca83e7fa.exe
Resource: win7-20220812-en
General
Target: ca582eb808454d1cde38c8b2f774edb3c73241b37e95ad369afaea95ca83e7fa.exe
Size: 690KB
MD5: 80267c15810275b30d9c5d1f2bd57fa4
SHA1: 124b3dd84f4eb5b0ddfe679c832d83b6b75d73ff
SHA256: ca582eb808454d1cde38c8b2f774edb3c73241b37e95ad369afaea95ca83e7fa
SHA512: 65ebc3e2b945b173b3fbe4e7c69ca291e8d574cce0c80a3fa8caef997a80ef98cc919335823bc90a053bf42a70f2ba9cee83a9d77f4948d9262d90019729b2c3
SSDEEP: 12288:59HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hzW:DZ1xuVVjfFoynPaVBUR8f+kN10EBk
Malware Config
Extracted
Family: darkcomet
Botnet/campaign ID: victime
C2: mysteranonymous.zapto.org:1604
Mutex: DC_MUTEX-TU1DCJY
InstallPath: MSDCSC\msdcsc.exe
gencode: uzgErSzmfQYY
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate

The static config matches the runtime activity recorded under Signatures below: the install path C:\MSDCSC\msdcsc.exe, the Run key value name MicroUpdate and the persistence/keylogger flags all show up as concrete registry writes and API use.
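The sandbox extracted the config above automatically. As an added example (not part of this report, and not DarkComet's or the sandbox's own code), the following shows how such a config is recovered from a DarkComet build: the settings sit in a hex-encoded, RC4-encrypted PE resource, with an RC4 key that is fixed per DarkComet version, so a decoder simply tries the known keys until one yields a readable NAME={value} block. The candidate keys, the resource field names (MUTEX, NETDATA, EDTPATH, KEYNAME, GENCODE, INSTALL, PERSINST, OFFLINEK) and the BEGIN/EOF marker lines follow public community decoders and are assumptions here; the mapping onto the report's own labels is this example's choice; and the encrypted blob is constructed from this report's values rather than read from the binary, so the example runs offline.

```python
import binascii
import re
import string

# RC4 keys used by DarkComet builds, as published in community config decoders
# (assumption: the sample's version is one of these; the report does not say).
DARKCOMET_KEYS = [b"#KCMDDC51#-890", b"#KCMDDC5#-890", b"#KCMDDC4#-890", b"#KCMDDC2#-890"]

# Resource field names as used by public decoders (assumption), mapped onto the
# labels the report uses for the extracted config.
FIELD_MAP = {
    "MUTEX": "mutex", "NETDATA": "c2", "EDTPATH": "InstallPath",
    "GENCODE": "gencode", "INSTALL": "install", "OFFLINEK": "offline_keylogger",
    "PERSINST": "persistence", "KEYNAME": "reg_key",
}
BOOL_FIELDS = {"install", "offline_keylogger", "persistence"}
PRINTABLE = set(string.printable)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_config(hex_blob: str):
    """Try every known key against the hex-encoded resource; return (key, text) or None.
    A key is accepted only if the result is printable ASCII and carries a MUTEX= line,
    which a wrong key will not produce."""
    raw = binascii.unhexlify(hex_blob.strip())
    for key in DARKCOMET_KEYS:
        plain = rc4(key, raw)
        try:
            text = plain.decode("ascii")
        except UnicodeDecodeError:
            continue
        if "MUTEX=" in text and set(text) <= PRINTABLE:
            return key, text
    return None


def parse_config(text: str) -> dict:
    """Turn NAME={value} lines into a dict keyed by the report's labels.
    NETDATA may hold several host:port entries separated by '|' (assumption)."""
    cfg = {}
    for m in re.finditer(r"^(\w+)=\{(.*?)\}\s*$", text, re.M):
        label = FIELD_MAP.get(m.group(1))
        if label is None:
            continue
        value = m.group(2)
        if label in BOOL_FIELDS:
            cfg[label] = value == "1"
        elif label == "c2":
            cfg[label] = [h for h in value.split("|") if h]
        else:
            cfg[label] = value
    return cfg


def build_sample_blob(key: bytes = DARKCOMET_KEYS[0]) -> str:
    """Constructed test vector: this report's values, encrypted and hex-encoded the way
    the resource is assumed to be stored, so the decoder can be exercised without the binary."""
    lines = [
        "#BEGIN DARKCOMET DATA --",
        "MUTEX={DC_MUTEX-TU1DCJY}",
        "NETDATA={mysteranonymous.zapto.org:1604}",
        "INSTALL={1}",
        "PERSINST={1}",
        "OFFLINEK={1}",
        "KEYNAME={MicroUpdate}",
        "EDTPATH={MSDCSC\\msdcsc.exe}",
        "GENCODE={uzgErSzmfQYY}",
        "#EOF DARKCOMET DATA --",
    ]
    plain = "\r\n".join(lines).encode("ascii")
    return binascii.hexlify(rc4(key, plain)).decode().upper()


def extract(hex_blob: str) -> dict:
    """Full pipeline: key search, decrypt, parse; records which key worked."""
    result = decrypt_config(hex_blob)
    if result is None:
        raise ValueError("no known DarkComet key decrypts this blob")
    key, text = result
    cfg = parse_config(text)
    cfg["rc4_key"] = key.decode()
    return cfg


if __name__ == "__main__":
    for label, value in extract(build_sample_blob()).items():
        print(f"{label:18} {value}")
```

On a real sample the hex blob comes from the PE resource section (a resource directory walk with pefile or similar); everything after that point is as above. The key that decrypts the config is also the first thing to record, since it identifies the DarkComet version line the operator built with.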
Signatures
(PID 1608 is the submitted sample ca582eb808454d1cde38c8b2f774edb3c73241b37e95ad369afaea95ca83e7fa.exe; PID 1324 is its dropped copy C:\MSDCSC\msdcsc.exe.)

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: the sample (PID 1608)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCSC\\msdcsc.exe"
  Winlogon launches every comma-separated entry in UserInit at logon. The only legitimate entry is userinit.exe itself, so the appended path is the persistence; a check of this value should compare the whole string, not just look for userinit.exe in it.

Modifies security service (2 TTPs, 1 IoC)
Process: msdcsc.exe (PID 1324)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
  Start = 4 is SERVICE_DISABLED for wscsvc, the Windows Security Center service, so the system stops reporting antivirus and firewall state.

Windows security bypass / Windows security modification (1 IoC; the process tree lists this single write under both signature names)
Process: msdcsc.exe (PID 1324)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Suppresses the "no antivirus" notification. The Wow6432Node path shows the write came from a 32-bit process on this x64 guest.

Executes dropped EXE (1 IoC)
Process: msdcsc.exe (PID 1324)

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe (PID 976), attrib.exe (PID 1944)

Loads dropped DLL (2 IoCs)
Process: the sample (PID 1608), two loads

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: msdcsc.exe (PID 1324) and the sample (PID 1608) each write the same value
- Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\msdcsc.exe"
  The value name MicroUpdate and the target path are the reg_key and InstallPath fields of the extracted config.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this signature adds "likely ransomware behaviour"; that is the generic signature text, not an assessment of this sample, which is a DarkComet RAT. Drive enumeration is consistent with its remote file-management features, and no file encryption is recorded anywhere in this report.

Suspicious use of AdjustPrivilegeToken (46 IoCs)
Both the sample (PID 1608) and msdcsc.exe (PID 1324) enable the same 23 privileges, which is the complete privilege set of an elevated administrator token on Windows 7, enabled all at once rather than the one or two a legitimate program asks for:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, which the sandbox reports by number only).

Suspicious use of SetWindowsHookEx (1 IoC)
Process: msdcsc.exe (PID 1324)
SetWindowsHookEx is the standard way to install a keyboard hook; this is the runtime counterpart of the offline_keylogger: true flag in the config.

Suspicious use of WriteProcessMemory (43 IoCs)
Each parent-to-child write below appears four times in the raw list, the same pattern every ordinary process creation in this tree shows; the writes into notepad.exe are the exception.
- PID 1608 (sample) -> PID 1712 (cmd.exe): 4 writes
- PID 1608 (sample) -> PID 1696 (cmd.exe): 4 writes
- PID 1712 (cmd.exe) -> PID 976 (attrib.exe): 4 writes
- PID 1696 (cmd.exe) -> PID 1944 (attrib.exe): 4 writes
- PID 1608 (sample) -> PID 1324 (msdcsc.exe): 4 writes
- PID 1324 (msdcsc.exe) -> PID 2020 (notepad.exe): the remaining 23 writes
Twenty-three writes into a notepad.exe started with the bare command line "notepad", and from which no further activity is recorded, are consistent with code injection into a freshly spawned host process. The injected content itself is not captured in this report.

System policy modification (1 TTP, 3 IoCs)
Process: msdcsc.exe (PID 1324)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
  The path is reproduced exactly as recorded. Explorer reads the NoControlPanel policy from ...\CurrentVersion\Policies\Explorer, so a value under "Policies\CurrentVersion\Explorern" has no effect on the Control Panel; it is still a useful artifact to hunt for, precisely because nothing legitimate creates it.

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe (PID 976), attrib.exe (PID 1944)
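The registry and command-line IoCs above are exactly the kind of thing a host-based rule set should catch. As an added example (not the sandbox's detection logic and not part of this report), the following transcribes those IoCs into Sysmon-style registry and process events, adds two benign control events that must not fire, and runs a small rule set over them. The UserInit rule compares the whole value against the single legitimate entry, the Run-key rule flags executables living outside the standard directory trees, and the remaining rules match the specific defence-evasion writes seen here. Event field names, severities and the control events are this example's own constructions. Cross-process memory writes (the notepad.exe injection) need EDR or ETW telemetry and are deliberately out of scope.

```python
import re

SAMPLE = "ca582eb808454d1cde38c8b2f774edb3c73241b37e95ad369afaea95ca83e7fa.exe"
USER_SID = "S-1-5-21-999675638-2867687379-27515722-1000"
RUN_KEY = "HKU\\" + USER_SID + r"\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Events constructed from the report's Signatures section in Sysmon-like fields
# (the sandbox does not emit this format). The last two are benign controls.
EVENTS = [
    {"type": "reg", "pid": 1608, "image": SAMPLE, "key": WINLOGON_KEY,
     "name": "UserInit", "data": r"C:\Windows\system32\userinit.exe,C:\MSDCSC\msdcsc.exe"},
    {"type": "reg", "pid": 1324, "image": "msdcsc.exe",
     "key": r"HKLM\SYSTEM\ControlSet001\services\wscsvc", "name": "Start", "data": "4"},
    {"type": "reg", "pid": 1324, "image": "msdcsc.exe",
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center",
     "name": "AntiVirusDisableNotify", "data": "1"},
    {"type": "reg", "pid": 1324, "image": "msdcsc.exe", "key": RUN_KEY,
     "name": "MicroUpdate", "data": r"C:\MSDCSC\msdcsc.exe"},
    {"type": "reg", "pid": 1324, "image": "msdcsc.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern",
     "name": "NoControlPanel", "data": "1"},
    {"type": "proc", "pid": 1712, "ppid": 1608, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\%s" +s +h' % SAMPLE},
    # Benign controls (constructed): the default UserInit value and a vendor Run entry.
    {"type": "reg", "pid": 500, "image": "winlogon.exe", "key": WINLOGON_KEY,
     "name": "UserInit", "data": r"C:\Windows\system32\userinit.exe,"},
    {"type": "reg", "pid": 3000, "image": "OneDriveSetup.exe", "key": RUN_KEY,
     "name": "OneDrive", "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
STANDARD_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)",
                  r"c:\programdata", r"c:\users")


def check_registry(ev):
    """Return (severity, message) findings for one registry-set event."""
    key, name, data = ev["key"].lower(), ev["name"].lower(), str(ev["data"])
    hits = []
    if key.endswith(r"\winlogon") and name == "userinit":
        # Winlogon runs every comma-separated entry; anything beyond userinit.exe is a hijack.
        entries = [e.strip().strip('"').lower() for e in data.split(",") if e.strip()]
        extra = [e for e in entries if e != EXPECTED_USERINIT]
        if extra:
            hits.append(("high", "Winlogon UserInit hijack, appended: " + ", ".join(extra)))
    elif re.search(r"\\currentversion\\run(once)?$", key):
        target = data.strip('"').lower()
        if not target.startswith(STANDARD_ROOTS):
            hits.append(("medium", f"Run key '{ev['name']}' launches from non-standard path {data}"))
    elif key.endswith(r"\services\wscsvc") and name == "start" and data == "4":
        hits.append(("high", "Security Center service (wscsvc) set to disabled (Start=4)"))
    elif "security center" in key and name.endswith("disablenotify") and data == "1":
        hits.append(("medium", f"Security Center alerts suppressed via {ev['name']}=1"))
    elif "\\policies\\" in key and name == "nocontrolpanel" and data == "1":
        hits.append(("low", f"NoControlPanel=1 written under {ev['key']}"))
    return hits


def check_process(ev):
    """Flag cmd/attrib use that marks a file or directory hidden+system."""
    cmd = ev["cmdline"]
    m = re.search(r'attrib\s+"([^"]+)"', cmd, re.I)
    low = cmd.lower()
    if m and "+h" in low and "+s" in low:
        return [("medium", f"attrib +s +h hides {m.group(1)} (spawned by PID {ev['ppid']})")]
    return []


def scan(events):
    """Run every event through the matching checker; returns (sev, pid, image, msg) tuples."""
    findings = []
    for ev in events:
        checker = check_registry if ev["type"] == "reg" else check_process
        for sev, msg in checker(ev):
            findings.append((sev, ev["pid"], ev["image"], msg))
    return findings


if __name__ == "__main__":
    for sev, pid, image, msg in scan(EVENTS):
        print(f"[{sev:6}] pid {pid:<5} {image[:20]:20} {msg}")
```

The Run-key rule is the only heuristic one: real software does install under AppData, so in production it would be paired with signer and prevalence data rather than used alone. The UserInit, wscsvc and Security Center rules have essentially no benign hits and can be alerted on directly.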
Processes
(Image paths are under SysWOW64 while the command lines say System32: the sample is 32-bit, so WOW64 file-system redirection applies on this x64 guest.)

C:\Users\Admin\AppData\Local\Temp\ca582eb808454d1cde38c8b2f774edb3c73241b37e95ad369afaea95ca83e7fa.exe (PID 1608, level 1)
command line: "C:\Users\Admin\AppData\Local\Temp\ca582eb808454d1cde38c8b2f774edb3c73241b37e95ad369afaea95ca83e7fa.exe"
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 1712, level 2)
  command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\ca582eb808454d1cde38c8b2f774edb3c73241b37e95ad369afaea95ca83e7fa.exe" +s +h
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe (PID 976, level 3)
    command line: attrib "C:\Users\Admin\AppData\Local\Temp\ca582eb808454d1cde38c8b2f774edb3c73241b37e95ad369afaea95ca83e7fa.exe" +s +h
    - Sets file to hidden
    - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe (PID 1696, level 2)
  command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe (PID 1944, level 3)
    command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Sets file to hidden
    - Views/modifies file attributes

  C:\MSDCSC\msdcsc.exe (PID 1324, level 2)
  command line: "C:\MSDCSC\msdcsc.exe"
  - Modifies security service
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification

    C:\Windows\SysWOW64\notepad.exe (PID 2020, level 3)
    command line: notepad
    (no signatures of its own; target of the 23 WriteProcessMemory calls from PID 1324)
Network
(no network events are reproduced on this page; the only network indicator available is the C2 host and port from the extracted config)

MITRE ATT&CK Matrix (ATT&CK v6)
(matrix not reproduced on this page)
Downloads (dropped files)
C:\MSDCSC\msdcsc.exe (listed four times in the raw report: twice as C:\MSDCSC\msdcsc.exe and twice as \MSDCSC\msdcsc.exe; all four entries carry the same hashes)
Filesize: 690KB
MD5: 80267c15810275b30d9c5d1f2bd57fa4
SHA1: 124b3dd84f4eb5b0ddfe679c832d83b6b75d73ff
SHA256: ca582eb808454d1cde38c8b2f774edb3c73241b37e95ad369afaea95ca83e7fa
SHA512: 65ebc3e2b945b173b3fbe4e7c69ca291e8d574cce0c80a3fa8caef997a80ef98cc919335823bc90a053bf42a70f2ba9cee83a9d77f4948d9262d90019729b2c3
These hashes are identical to the submitted sample's: the dropper copies itself byte-for-byte to the install path rather than unpacking a separate second stage, so one file hash covers both the original and the persistent copy.

Memory dumps
- memory/976-57-0x0000000000000000-mapping.dmp
- memory/1324-61-0x0000000000000000-mapping.dmp
- memory/1608-54-0x0000000075A91000-0x0000000075A93000-memory.dmp (8KB)
- memory/1696-56-0x0000000000000000-mapping.dmp
- memory/1712-55-0x0000000000000000-mapping.dmp
- memory/1944-58-0x0000000000000000-mapping.dmp
- memory/2020-65-0x0000000000000000-mapping.dmp