Analysis
max time kernel: 153s
max time network: 185s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 22:32
Behavioral task: behavioral1
Sample: 5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe
Resource: win7-20220812-en
General
Target: 5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe
Size: 758KB
MD5: 984cc506b7124dafeb1a401124d315b7
SHA1: e2938d7c3bfd74179fcb8f0b7e7c79e6c76f0798
SHA256: 5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381
SHA512: de2d06123119f1ddea521fecda32130c25904235ee729ec168747f40f3ae9da484a64df67dc2aa7ad579cbab6eeebba325965e1c8d2ba83161660e397879a834
SSDEEP: 12288:rXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452Ul:znAw2WWeFcfbP9VPSPMTSPL/rWvzq4JV
Malware Config
Extracted: darkcomet
Campaign ID: Guest16
C2: blinko.no-ip.biz:1604
Mutex: DC_MUTEX-XEP2LCR
InstallPath: MSDCSC\msdcsc.exe
gencode: Qx6wzbzu70U9
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
The registry autostart recorded under Signatures below comes from install=true together with reg_key=MicroUpdate; persistence=false is DarkComet's separate process-relaunch option, not a statement that the implant does not persist. The C2 hostname is a no-ip.biz dynamic-DNS name, so the IP it resolved to during the run is not a stable indicator.
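The config above is enough to predict most of the host artifacts before looking at behaviour. The following is an added example (not code from the Triage report or from the DarkComet project): it derives indicators from the extracted fields and reconciles them with the registry writes listed further down in this report. The profile directory, SID and observed registry data are taken from this page; resolving the relative InstallPath under the user's Documents folder follows the process tree shown here, and the dynamic-DNS suffix list is a small illustrative assumption.

```python
"""Added example, not part of the Triage report: turn the DarkComet config
fields extracted above into concrete indicators and reconcile them with the
registry writes the sandbox recorded."""

DARKCOMET_CONFIG = {  # field values as extracted on this page
    "campaign_id": "Guest16",
    "c2": "blinko.no-ip.biz:1604",
    "mutex": "DC_MUTEX-XEP2LCR",
    "install_path": r"MSDCSC\msdcsc.exe",   # relative; resolved under Documents
    "gencode": "Qx6wzbzu70U9",
    "install": True,
    "offline_keylogger": True,
    "persistence": False,
    "reg_key": "MicroUpdate",
}

PROFILE_DIR = r"C:\Users\Admin"                               # sandbox user, per the process tree
USER_SID = "S-1-5-21-2295526160-1155304984-640977766-1000"   # per the Run-key IoC on this page
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Registry writes listed in the Signatures section of this report.
OBSERVED_REGISTRY = {
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit":
        r"C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\msdcsc.exe",
    rf"\REGISTRY\USER\{USER_SID}\{RUN_KEY}\MicroUpdate":
        r"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall": "0",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications": "0",
    r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify": "1",
}

# Assumption: a short illustrative list of dynamic-DNS suffixes, not an authoritative one.
DYNAMIC_DNS_SUFFIXES = (".no-ip.biz", ".no-ip.org", ".no-ip.info", ".ddns.net", ".hopto.org")


def derive_iocs(cfg, profile_dir=PROFILE_DIR, sid=USER_SID):
    """Indicators implied by the config alone, before looking at behaviour."""
    host, _, port = cfg["c2"].rpartition(":")
    iocs = {
        "c2_host": host,
        "c2_port": int(port),
        "c2_dynamic_dns": host.lower().endswith(DYNAMIC_DNS_SUFFIXES),
        "mutex": cfg["mutex"],
        "install_path": None,
        "registry": {},
    }
    if cfg["install"]:
        # install=true: a copy is dropped at <Documents>\<install_path> and
        # registered under the user's Run key with the configured reg_key name.
        iocs["install_path"] = rf"{profile_dir}\Documents\{cfg['install_path']}"
        iocs["registry"][rf"\REGISTRY\USER\{sid}\{RUN_KEY}\{cfg['reg_key']}"] = iocs["install_path"]
    return iocs


def reconcile(predicted, observed):
    """Bucket observed registry writes: predicted exactly by the config,
    merely referencing the install path (UserInit here), or unexplained by
    any config field (the firewall and Security Center changes)."""
    confirmed, references, unexplained = {}, {}, {}
    for key, data in observed.items():
        if predicted["registry"].get(key) == data:
            confirmed[key] = data
        elif predicted["install_path"] and predicted["install_path"] in data:
            references[key] = data
        else:
            unexplained[key] = data
    missing = {k: v for k, v in predicted["registry"].items() if k not in observed}
    return {"confirmed": confirmed, "references_install_path": references,
            "unexplained": unexplained, "missing": missing}


if __name__ == "__main__":
    iocs = derive_iocs(DARKCOMET_CONFIG)
    print(f"C2 {iocs['c2_host']}:{iocs['c2_port']}  dynamic DNS: {iocs['c2_dynamic_dns']}")
    print(f"mutex {iocs['mutex']}  install {iocs['install_path']}")
    for bucket, entries in reconcile(iocs, OBSERVED_REGISTRY).items():
        for key in entries:
            print(f"{bucket:24} {key}")
```

Run against this report's data, the Run key lands in "confirmed", the UserInit change in "references_install_path" (the config does not announce it, but it points at the same dropped file), and the three firewall and Security Center writes in "unexplained": those are hard-coded implant behaviour rather than builder options, which is why a config-only hunt would miss them.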
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"  by the submitted sample (PID 2536)
  The dropped copy is appended after the stock userinit.exe, so Winlogon starts it at every interactive logon independently of the Run key below; a UserInit value with anything after "userinit.exe," is the thing to hunt for.

Modifies firewall policy service (2 TTPs, 3 IoCs)
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  by msdcsc.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  by msdcsc.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"  by msdcsc.exe
  ControlSet001 is the sandbox's resolved name for CurrentControlSet. Only the StandardProfile (private) profile is touched; the Domain and Public profiles are not listed.

Windows security bypass (1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  by msdcsc.exe
  The value lands under WOW6432Node because the 32-bit implant runs under WOW64 on the x64 sandbox and the registry write is redirected.
Executes dropped EXE (1 IoC)
  PID 4492  msdcsc.exe

Sets file to hidden (1 TTPs, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 4036  attrib.exe
  PID 1724  attrib.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  by the submitted sample (PID 2536)

Windows security modification (1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  by msdcsc.exe
  This is the same write that triggers "Windows security bypass" above; both signatures key on it.
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"  by the submitted sample (PID 2536)
  The value name MicroUpdate and the target path match reg_key and InstallPath in the extracted config.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That second sentence is the sandbox's generic description of the signature. No file encryption or mass file modification is reported anywhere in this analysis; for a DarkComet implant, drive enumeration is consistent with its remote file-manager functionality.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 4492  msdcsc.exe
  Repeated polling of the foreground window by the implant, consistent with a keylogger recording the active window title (offline_keylogger is true in the extracted config).
Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Both the submitted sample (PID 2536) and the dropped copy msdcsc.exe (PID 4492) enable the same 24 privileges on their own token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, plus four privileges the sandbox reports only by LUID (33, 34, 35, 36).
  The identical list in both processes shows a blanket enable-everything pass rather than a privilege enabled for a specific operation; SeDebugPrivilege is the one that matters most for later process access.
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4492 msdcsc.exe -
Suspicious use of WriteProcessMemory (15 IoCs)
  PID 2536 (submitted sample) wrote to PID 4476 (cmd.exe), procid_target 79: 3 writes
  PID 2536 (submitted sample) wrote to PID 2576 (cmd.exe), procid_target 81: 3 writes
  PID 2536 (submitted sample) wrote to PID 4492 (msdcsc.exe), procid_target 83: 3 writes
  PID 4476 (cmd.exe) wrote to PID 4036 (attrib.exe), procid_target 84: 3 writes
  PID 2576 (cmd.exe) wrote to PID 1724 (attrib.exe), procid_target 85: 3 writes
  Every target is a child the writer itself spawned (see the process tree), so these writes accompany process creation; there is no write into a pre-existing process that would indicate injection.
Views/modifies file attributes (1 TTPs, 2 IoCs)
  PID 4036  attrib.exe
  PID 1724  attrib.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe  (PID 2536)
   Command line: "C:\Users\Admin\AppData\Local\Temp\5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe"
   Signatures: Modifies WinLogon for persistence; Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe  (PID 4476)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe" +s +h
      Signatures: Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\attrib.exe  (PID 4036)
         Command line: attrib "C:\Users\Admin\AppData\Local\Temp\5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe" +s +h
         Signatures: Sets file to hidden; Views/modifies file attributes

   2. C:\Windows\SysWOW64\cmd.exe  (PID 2576)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures: Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\attrib.exe  (PID 1724)
         Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
         Signatures: Sets file to hidden; Views/modifies file attributes

   2. C:\Users\Admin\Documents\MSDCSC\msdcsc.exe  (PID 4492)
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      Signatures: Modifies firewall policy service; Windows security bypass; Executes dropped EXE; Windows security modification; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

The command lines name System32\cmd.exe while the executed image is SysWOW64\cmd.exe: the 32-bit sample is subject to file-system redirection on the x64 sandbox. The original dropper in Temp and the Temp folder itself are marked system+hidden (+s +h) so they stay out of an Explorer listing even with hidden files shown; all the persistence and defence-evasion registry changes are split between the dropper (PID 2536) and the installed copy (PID 4492).
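The registry writes in the Signatures section and the attrib.exe pattern in the process tree are each straightforward to detect from endpoint telemetry. The following is an added example (not code from the Triage report or from any product): detection logic for those artifacts run over constructed Sysmon-style events (Event ID 13 for a registry value set, Event ID 1 for process creation). The events are built here from this report's IoCs plus two benign controls; the Sysmon field names are the standard ones, and the rule names are the author's own.

```python
"""Added example, not part of the Triage report: detection checks for the
persistence and defence-evasion artifacts in the Signatures section and
the attrib.exe hiding pattern in the process tree, run over constructed
Sysmon-style events (Event ID 13 = registry value set, Event ID 1 =
process create)."""
import re

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe"
IMPLANT_EXE = r"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"


def norm_key(key):
    """Fold NT-style paths (as Triage prints them) and Sysmon HKLM/HKU paths
    into one lower-case form so a single rule matches both sources."""
    k = key.lower().replace(r"\registry\machine", "hklm").replace(r"\registry\user", "hku")
    return re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", k)


def dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000000)'; Triage prints the
    bare number. Return the integer, or None for non-numeric data."""
    m = re.fullmatch(r"DWORD \(0x([0-9a-f]+)\)", details.strip(), re.I)
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None


def userinit_extras(value):
    """Entries in Winlogon UserInit other than the stock userinit.exe (the
    stock value is 'C:\\Windows\\system32\\userinit.exe,' with a trailing
    comma, which must not produce a false positive)."""
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != STOCK_USERINIT]


def registry_rules(ev):
    key, data = norm_key(ev["TargetObject"]), ev.get("Details", "")
    hits = []
    if key.endswith(r"\winlogon\userinit") and userinit_extras(data):
        hits.append("userinit_persistence")
    if re.search(r"\\firewallpolicy\\\w+profile\\enablefirewall$", key) and dword(data) == 0:
        hits.append("firewall_disabled")
    if key.endswith(r"\security center\antivirusdisablenotify") and dword(data) == 1:
        hits.append("av_notifications_disabled")
    if "\\currentversion\\run\\" in key and re.search(r"\\users\\", data, re.I):
        hits.append("run_key_user_writable_path")   # autostart from a user-writable folder
    return hits


def process_rules(ev):
    image, parent = ev["Image"].lower(), ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    hits = []
    if image.endswith(r"\attrib.exe") and parent.endswith(r"\cmd.exe"):
        flags = set(re.findall(r"[+-][shra]\b", cmd))
        if {"+s", "+h"} <= flags:
            hits.append("attrib_hide_system")       # +s +h: hidden even with "show hidden files" on
        if r"\appdata\local\temp" in cmd:
            hits.append("attrib_temp_target")
    return hits


def scan(events):
    """Return (rule, image) pairs for every event that fires a rule."""
    alerts = []
    for ev in events:
        rules = {13: registry_rules, 1: process_rules}.get(ev["EventID"], lambda _: [])(ev)
        alerts.extend((rule, ev["Image"]) for rule in rules)
    return alerts


# Constructed events mirroring this report's IoCs, plus two benign controls.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": SAMPLE_EXE,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"},
    {"EventID": 13, "Image": SAMPLE_EXE,
     "TargetObject": r"HKU\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate",
     "Details": IMPLANT_EXE},
    {"EventID": 13, "Image": IMPLANT_EXE,                                    # Triage-style key and data
     "TargetObject": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "Details": "0"},
    {"EventID": 13, "Image": IMPLANT_EXE,                                    # Sysmon-style key and data
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\attrib.exe", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'attrib "{SAMPLE_EXE}" +s +h'},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",             # benign control: stock value
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "Details": r"C:\Windows\system32\userinit.exe,"},
    {"EventID": 13, "Image": r"C:\Program Files\Example\setup.exe",         # benign control: Run key into Program Files
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleAgent",
     "Details": r"C:\Program Files\Example\agent.exe"},
]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:28} {image}")
```

The UserInit rule deliberately parses the comma-separated list instead of matching on "msdcsc.exe", so it also catches a different dropped name; the firewall rule matches any profile, not only StandardProfile as seen here. Neither benign control fires.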
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 758KB
MD5: 984cc506b7124dafeb1a401124d315b7
SHA1: e2938d7c3bfd74179fcb8f0b7e7c79e6c76f0798
SHA256: 5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381
SHA512: de2d06123119f1ddea521fecda32130c25904235ee729ec168747f40f3ae9da484a64df67dc2aa7ad579cbab6eeebba325965e1c8d2ba83161660e397879a834
(identical to the submitted sample; no separately downloaded payload is listed)