Analysis
max time kernel: 189s
max time network: 49s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 21:51
Behavioral task: behavioral1
Sample: 820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Resource: win7-20221111-en
General
Target: 820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Size: 690KB
MD5: 3de246eb9d010063ce300153818e5be1
SHA1: 0917adce4af364967ce71d4c9d3c206273045e83
SHA256: 820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7
SHA512: f2bf5669287b2c4baad50ace30f971317dc254b713a2d516cf2049444590469c30c919bab8caf8043cf0a84d6f233cfd00ee71c14b1ba798b04a5c089ffef130
SSDEEP: 12288:l9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hBB:vZ1xuVVjfFoynPaVBUR8f+kN10EBV
Malware Config
Extracted family: darkcomet
Botnet ID: Hacker
C2 (host:port):
- docteurkkk.sytes.net:80
- docteurkkk.sytes.net:81
- jpasta.servemp3.com:81
- jpasta.servemp3.com:80
Mutex: DC_MUTEX-E0APM9B
InstallPath: MSDCSC\msdsc.exe
gencode: uREkEp3UCJUZ
install: true
offline_keylogger: true
password: sqd654
persistence: true
reg_key: rundll32
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: 820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdsc.exe"

Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: msdsc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"

Executes dropped EXE (1 IoC)
- PID 1628: msdsc.exe

Loads dropped DLL (2 IoCs)
- PID 1208: 820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe (two load events)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe, msdsc.exe
- Set value (str) by 820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdsc.exe"
- Set value (str) by msdsc.exe: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdsc.exe"

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1628: msdsc.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: 820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe (PID 1208), msdsc.exe (PID 1628)
Each of the two processes adjusted the same 23 token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35.

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1628: msdsc.exe

Suspicious use of WriteProcessMemory (27 IoCs)
Processes: 820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe, msdsc.exe
- PID 1208 (820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe) wrote to memory of PID 1628 (msdsc.exe): 4 events
- PID 1628 (msdsc.exe) wrote to memory of PID 1404 (notepad.exe): 23 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe"
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdsc.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdsc.exe"
      - Modifies firewall policy service
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\notepad.exe (child of 2)
         Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped file (listed in the report under both C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdsc.exe and \Users\Admin\AppData\Local\Temp\MSDCSC\msdsc.exe; all four entries carry identical hashes, matching the submitted sample):
Filesize: 690KB
MD5: 3de246eb9d010063ce300153818e5be1
SHA1: 0917adce4af364967ce71d4c9d3c206273045e83
SHA256: 820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7
SHA512: f2bf5669287b2c4baad50ace30f971317dc254b713a2d516cf2049444590469c30c919bab8caf8043cf0a84d6f233cfd00ee71c14b1ba798b04a5c089ffef130
Memory dumps
- memory/1208-54-0x0000000075F51000-0x0000000075F53000-memory.dmp (Filesize: 8KB)
- memory/1404-61-0x0000000000000000-mapping.dmp
- memory/1628-57-0x0000000000000000-mapping.dmp