Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 02:06
Behavioral task: behavioral1
Sample: f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Resource: win7-20220812-en
General
Target: f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Size: 254KB
MD5: ef2711be866414d385e6bbb815e89063
SHA1: a37ca66873eaf900e63d2ba9423795a4a3c2b340
SHA256: f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb
SHA512: 14975e3e97a3cb33cad1be88cb055452b111f946b7372690ff8fad7e3d78dcda2f64ffaac8c8d86ad4eff734789feb11bff3ac8c561fb604bbda036d19525f36
SSDEEP: 6144:ycNYk1yuwEDBum3qYWnl0pd0EX3Zq2b6wfIDYm0Pq:ycWkbgTYWnYnt/IDYhPq
Malware Config
Extracted
Family: darkcomet
Campaign ID: Guest163
C2: kli4ka1989.ddns.net:1604
Mutex: DC_MUTEX-5XCBYZM
InstallPath: MSDCSC\msdcsc.exe
gencode: pBfa4kKyXtru
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe

Modifies firewall policy service (2 TTPs, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe

Modifies security service (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msdcsc.exe

Windows security bypass (signature name taken from the process tree below; TTP/IoC counts were not extracted)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe

Executes dropped EXE (1 IoC)
pid | Process
5080 | msdcsc.exe

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
4484 | attrib.exe
652 | attrib.exe
(signature heading not extracted; yara matches on UPX-packed resources)
resource | yara_rule
behavioral2/memory/4980-132-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral2/files/0x0003000000000721-139.dat | upx
behavioral2/files/0x0003000000000721-140.dat | upx
behavioral2/memory/5080-142-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral2/memory/4980-143-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral2/memory/5080-144-0x0000000000400000-0x00000000004B8000-memory.dmp | upx

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe

Windows security modification (signature name taken from the process tree below; TTP/IoC counts were not extracted)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | msdcsc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
5080 | msdcsc.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeSecurityPrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeTakeOwnershipPrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeLoadDriverPrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeSystemProfilePrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeSystemtimePrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeProfSingleProcessPrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeIncBasePriorityPrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeCreatePagefilePrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeBackupPrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeRestorePrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeShutdownPrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeDebugPrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeSystemEnvironmentPrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeChangeNotifyPrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeRemoteShutdownPrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeUndockPrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeManageVolumePrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeImpersonatePrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeCreateGlobalPrivilege | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: 33 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: 34 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: 35 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: 36 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
Token: SeIncreaseQuotaPrivilege | 5080 | msdcsc.exe
Token: SeSecurityPrivilege | 5080 | msdcsc.exe
Token: SeTakeOwnershipPrivilege | 5080 | msdcsc.exe
Token: SeLoadDriverPrivilege | 5080 | msdcsc.exe
Token: SeSystemProfilePrivilege | 5080 | msdcsc.exe
Token: SeSystemtimePrivilege | 5080 | msdcsc.exe
Token: SeProfSingleProcessPrivilege | 5080 | msdcsc.exe
Token: SeIncBasePriorityPrivilege | 5080 | msdcsc.exe
Token: SeCreatePagefilePrivilege | 5080 | msdcsc.exe
Token: SeBackupPrivilege | 5080 | msdcsc.exe
Token: SeRestorePrivilege | 5080 | msdcsc.exe
Token: SeShutdownPrivilege | 5080 | msdcsc.exe
Token: SeDebugPrivilege | 5080 | msdcsc.exe
Token: SeSystemEnvironmentPrivilege | 5080 | msdcsc.exe
Token: SeChangeNotifyPrivilege | 5080 | msdcsc.exe
Token: SeRemoteShutdownPrivilege | 5080 | msdcsc.exe
Token: SeUndockPrivilege | 5080 | msdcsc.exe
Token: SeManageVolumePrivilege | 5080 | msdcsc.exe
Token: SeImpersonatePrivilege | 5080 | msdcsc.exe
Token: SeCreateGlobalPrivilege | 5080 | msdcsc.exe
Token: 33 | 5080 | msdcsc.exe
Token: 34 | 5080 | msdcsc.exe
Token: 35 | 5080 | msdcsc.exe
Token: 36 | 5080 | msdcsc.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
5080 | msdcsc.exe

Suspicious use of WriteProcessMemory (54 IoCs)
description | pid | Process | procid_target
PID 4980 wrote to memory of 3252 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 81
PID 4980 wrote to memory of 3252 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 81
PID 4980 wrote to memory of 3252 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 81
PID 4980 wrote to memory of 3932 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 83
PID 4980 wrote to memory of 3932 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 83
PID 4980 wrote to memory of 3932 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 83
PID 4980 wrote to memory of 1832 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 84
PID 4980 wrote to memory of 1832 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 84
PID 4980 wrote to memory of 1832 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 84
PID 4980 wrote to memory of 1832 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 84
PID 4980 wrote to memory of 1832 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 84
PID 4980 wrote to memory of 1832 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 84
PID 4980 wrote to memory of 1832 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 84
PID 4980 wrote to memory of 1832 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 84
PID 4980 wrote to memory of 1832 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 84
PID 4980 wrote to memory of 1832 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 84
PID 4980 wrote to memory of 1832 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 84
PID 4980 wrote to memory of 1832 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 84
PID 4980 wrote to memory of 1832 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 84
PID 4980 wrote to memory of 1832 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 84
PID 4980 wrote to memory of 1832 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 84
PID 4980 wrote to memory of 1832 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 84
PID 4980 wrote to memory of 1832 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 84
PID 3932 wrote to memory of 4484 | 3932 | cmd.exe | 86
PID 3932 wrote to memory of 4484 | 3932 | cmd.exe | 86
PID 3932 wrote to memory of 4484 | 3932 | cmd.exe | 86
PID 3252 wrote to memory of 652 | 3252 | cmd.exe | 87
PID 3252 wrote to memory of 652 | 3252 | cmd.exe | 87
PID 3252 wrote to memory of 652 | 3252 | cmd.exe | 87
PID 4980 wrote to memory of 5080 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 88
PID 4980 wrote to memory of 5080 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 88
PID 4980 wrote to memory of 5080 | 4980 | f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe | 88
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
PID 5080 wrote to memory of 1272 | 5080 | msdcsc.exe | 89
System policy modification (1 TTP, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe

Views/modifies file attributes (1 TTP, 2 IoCs)
pid | Process
4484 | attrib.exe
652 | attrib.exe
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4980

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe" +s +h
    - Suspicious use of WriteProcessMemory
    PID: 3252

    [depth 3] C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp\f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
      PID: 652

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    PID: 3932

    [depth 3] C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
      PID: 4484

  [depth 2] C:\Windows\SysWOW64\notepad.exe
    command line: notepad
    PID: 1832

  [depth 2] C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 5080

    [depth 3] C:\Windows\SysWOW64\notepad.exe
      command line: notepad
      PID: 1272
Downloads
Filesize: 254KB
MD5: ef2711be866414d385e6bbb815e89063
SHA1: a37ca66873eaf900e63d2ba9423795a4a3c2b340
SHA256: f4baaba9c0ebc1cc971dc073976a09c2904bb4a44c4db9cdf28da9266bd2d0bb
SHA512: 14975e3e97a3cb33cad1be88cb055452b111f946b7372690ff8fad7e3d78dcda2f64ffaac8c8d86ad4eff734789feb11bff3ac8c561fb604bbda036d19525f36