Analysis
max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-11-2022 16:00
Behavioral task: behavioral1
Sample: bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Resource: win7-20220812-en
General
Target: bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Size: 690KB
MD5: 2461a56cc107723c2bbbf1ca4531cda0
SHA1: c995b848906006b28a87ad7e6eeda3e7009d7d6d
SHA256: bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9
SHA512: ec00f0bed2ac52f374c2e84bcfa6cdf990ed7d02d8ede549e69c2c85b8d57858863f65753cc24a3e719597d3d14f5361a92aa1eb80660e85fbbe0a5edb5c4417
SSDEEP: 12288:p9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hi8:zZ1xuVVjfFoynPaVBUR8f+kN10EBR
Malware Config
Extracted: darkcomet
Hack
C2: masakalasosas.no-ip.biz:1604
Mutex: DC_MUTEX-WWW0WYT
InstallPath: MSDCSC\msdcsc.exe
gencode: lUw27RbiEGYV
install: true
offline_keylogger: true
persistence: true
reg_key: rundl32
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" (bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe)
Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: msdcsc.exe, iexplore.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (msdcsc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (iexplore.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (iexplore.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (iexplore.exe)
Modifies security service (2 TTPs, 2 IoCs)
Processes: msdcsc.exe, iexplore.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (iexplore.exe)
Windows security bypass
Processes: iexplore.exe, msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (iexplore.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (iexplore.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)
Disables RegEdit via registry modification (2 IoCs)
Processes: iexplore.exe, msdcsc.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (msdcsc.exe)

Disables Task Manager via registry modification
Executes dropped EXE (1 IoCs)
Processes: msdcsc.exe
- PID 4204: msdcsc.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe)
Windows security modification
Processes: msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe, msdcsc.exe, iexplore.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundl32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" (bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundl32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" (msdcsc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundl32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" (iexplore.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes: msdcsc.exe
- PID 4204 (msdcsc.exe) set thread context of PID 4324 (iexplore.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
Processes: bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe, msdcsc.exe, iexplore.exe
- PID 4928 (bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe), 24 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 4204 (msdcsc.exe), 24 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 4324 (iexplore.exe), 16 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: iexplore.exe
- PID 4324: iexplore.exe
Suspicious use of WriteProcessMemory (25 IoCs)
Processes: bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe, msdcsc.exe
- PID 4928 (bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe) wrote to memory of PID 640 (notepad.exe): 17 writes
- PID 4928 (bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe) wrote to memory of PID 4204 (msdcsc.exe): 3 writes
- PID 4204 (msdcsc.exe) wrote to memory of PID 4324 (iexplore.exe): 5 writes
System policy modification (1 TTPs, 3 IoCs)
Processes: msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (msdcsc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (msdcsc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (msdcsc.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe"
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Adds Run key to start application
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\notepad.exe
      Command line: notepad

   2. C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe
         Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         - Modifies firewall policy service
         - Modifies security service
         - Windows security bypass
         - Disables RegEdit via registry modification
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize: 690KB
MD5: 2461a56cc107723c2bbbf1ca4531cda0
SHA1: c995b848906006b28a87ad7e6eeda3e7009d7d6d
SHA256: bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9
SHA512: ec00f0bed2ac52f374c2e84bcfa6cdf990ed7d02d8ede549e69c2c85b8d57858863f65753cc24a3e719597d3d14f5361a92aa1eb80660e85fbbe0a5edb5c4417
memory/640-132-0x0000000000000000-mapping.dmp
memory/4204-133-0x0000000000000000-mapping.dmp