Analysis
-
max time kernel: 268s
max time network: 313s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 18:54
Behavioral task: behavioral1
Sample: 85fdde2e17ec0b56ce564a98c6220745c6950f44932abe5dce5cba66605db2bc.exe
Resource: win7-20221111-en
General
-
Target: 85fdde2e17ec0b56ce564a98c6220745c6950f44932abe5dce5cba66605db2bc.exe
Size: 261KB
MD5: 4530a82649bd16a3a7baa70faa1caa50
SHA1: f9ce0ceaa7bccf18ef23570e0d550d9b43e9e166
SHA256: 85fdde2e17ec0b56ce564a98c6220745c6950f44932abe5dce5cba66605db2bc
SHA512: 3721f299f303b8c040a43a020a09fb55ef412b59d597e1bc6b8a3e5bc886afc44859832693c45e6eef5ff0f5d83760f81bb78bb59c5b3c7d656f277b5b63fb30
SSDEEP: 6144:Hco4dnaXTsWxDcQHlemO9fRI6oh/h8oGWINlmR9wryQ:8PnaDskYaAmU66yh5GHD09AyQ
Malware Config
Extracted
Family: darkcomet
Botnet: hack
C2: bikaalov.noip.me:1604
Mutex: DC_MUTEX-7G2PFJD
Attributes:
InstallPath: MSDCSC\msdcsc.exe
gencode: tKukSM5w3M83
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 85fdde2e17ec0b56ce564a98c6220745c6950f44932abe5dce5cba66605db2bc.exe
-
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
-
Windows security bypass
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | aspack_v212_v242
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | aspack_v212_v242
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | aspack_v212_v242
-
Executes dropped EXE (2 IoCs)
Processes:
pid | process
4324 | msdcsc.exe
4548 | msdcsc.exe
-
Processes:
resource | yara_rule
behavioral2/memory/2824-135-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/2824-136-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/2824-137-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/2824-139-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/2824-140-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/2824-141-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/2824-142-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4548-156-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4548-157-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | 85fdde2e17ec0b56ce564a98c6220745c6950f44932abe5dce5cba66605db2bc.exe
-
Windows security modification
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 85fdde2e17ec0b56ce564a98c6220745c6950f44932abe5dce5cba66605db2bc.exe
-
Suspicious use of SetThreadContext (2 IoCs)
Processes:
description | pid | process | target process
PID 700 set thread context of 2824 | 700 | 85fdde2e17ec0b56ce564a98c6220745c6950f44932abe5dce5cba66605db2bc.exe | 85fdde2e17ec0b56ce564a98c6220745c6950f44932abe5dce5cba66605db2bc.exe
PID 4324 set thread context of 4548 | 4324 | msdcsc.exe | msdcsc.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class (1 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 85fdde2e17ec0b56ce564a98c6220745c6950f44932abe5dce5cba66605db2bc.exe
-
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes:
pid 2824, process 85fdde2e17ec0b56ce564a98c6220745c6950f44932abe5dce5cba66605db2bc.exe, tokens (24): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
pid 4548, process msdcsc.exe, tokens (24): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
-
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
pid | process
700 | 85fdde2e17ec0b56ce564a98c6220745c6950f44932abe5dce5cba66605db2bc.exe
4324 | msdcsc.exe
4548 | msdcsc.exe
-
Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
description | pid | process | target process
PID 700 wrote to memory of 2824 (8 times) | 700 | 85fdde2e17ec0b56ce564a98c6220745c6950f44932abe5dce5cba66605db2bc.exe | 85fdde2e17ec0b56ce564a98c6220745c6950f44932abe5dce5cba66605db2bc.exe
PID 2824 wrote to memory of 4324 (3 times) | 2824 | 85fdde2e17ec0b56ce564a98c6220745c6950f44932abe5dce5cba66605db2bc.exe | msdcsc.exe
PID 4324 wrote to memory of 4548 (8 times) | 4324 | msdcsc.exe | msdcsc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\85fdde2e17ec0b56ce564a98c6220745c6950f44932abe5dce5cba66605db2bc.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\85fdde2e17ec0b56ce564a98c6220745c6950f44932abe5dce5cba66605db2bc.exe"
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\85fdde2e17ec0b56ce564a98c6220745c6950f44932abe5dce5cba66605db2bc.exe
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (level 3)
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Modifies firewall policy service
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (reported three times, identical hashes)
Filesize: 261KB
MD5: 4530a82649bd16a3a7baa70faa1caa50
SHA1: f9ce0ceaa7bccf18ef23570e0d550d9b43e9e166
SHA256: 85fdde2e17ec0b56ce564a98c6220745c6950f44932abe5dce5cba66605db2bc
SHA512: 3721f299f303b8c040a43a020a09fb55ef412b59d597e1bc6b8a3e5bc886afc44859832693c45e6eef5ff0f5d83760f81bb78bb59c5b3c7d656f277b5b63fb30
-
memory/700-138-0x0000000000400000-0x0000000000408000-memory.dmp | Filesize: 32KB
memory/2824-142-0x0000000000400000-0x00000000004B7000-memory.dmp | Filesize: 732KB
memory/2824-136-0x0000000000400000-0x00000000004B7000-memory.dmp | Filesize: 732KB
memory/2824-140-0x0000000000400000-0x00000000004B7000-memory.dmp | Filesize: 732KB
memory/2824-141-0x0000000000400000-0x00000000004B7000-memory.dmp | Filesize: 732KB
memory/2824-134-0x0000000000000000-mapping.dmp
memory/2824-135-0x0000000000400000-0x00000000004B7000-memory.dmp | Filesize: 732KB
memory/2824-137-0x0000000000400000-0x00000000004B7000-memory.dmp | Filesize: 732KB
memory/2824-139-0x0000000000400000-0x00000000004B7000-memory.dmp | Filesize: 732KB
memory/4324-146-0x0000000000400000-0x0000000000408000-memory.dmp | Filesize: 32KB
memory/4324-143-0x0000000000000000-mapping.dmp
memory/4324-155-0x0000000000400000-0x0000000000408000-memory.dmp | Filesize: 32KB
memory/4548-149-0x0000000000000000-mapping.dmp
memory/4548-156-0x0000000000400000-0x00000000004B7000-memory.dmp | Filesize: 732KB
memory/4548-157-0x0000000000400000-0x00000000004B7000-memory.dmp | Filesize: 732KB