Analysis
- max time kernel: 235s
- max time network: 96s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 13:37
Behavioral task: behavioral1
- Sample: 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe
- Resource: win7-20220812-en
General
- Target: 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe
- Size: 756KB
- MD5: 2fa4b346f9d431e8bbfa63e6f1dcf6a1
- SHA1: e8601bf601a9a2d0b1871fa49a05aab1cefec1b9
- SHA256: 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5
- SHA512: 64cb8d487c9dd36204bcb0fba11b2c7ec384049221bf35ce2076242b63559f26010dbaca9bf962df9faf818d1549bec7153b41cccec8b188f2b116cda48138b4
- SSDEEP: 12288:n9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hVsvv/:BZ1xuVVjfFoynPaVBUR8f+kN10EBsvv/
Malware Config
Extracted: darkcomet
- Botnet: R1
- C2: csgohackzz.ddns.net:1096
- Mutex: DC_MUTEX-46JEUN6
- InstallPath: MSDCSC\msdcsc.exe
- gencode: X6gK8NP6mhLx
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: msdcsc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
Modifies security service (2 TTPs, 1 IoC)
Process: msdcsc.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
Windows security bypass
Process: msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Disables RegEdit via registry modification (1 IoC)
Process: msdcsc.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Disables Task Manager via registry modification
Executes dropped EXE (1 IoC)
- PID 2004: msdcsc.exe
Loads dropped DLL (2 IoCs)
- PID 1936: 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe
- PID 1936: 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe
Windows security modification
Process: msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe, msdcsc.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" (process: 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" (process: msdcsc.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2004: msdcsc.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe (PID 1936), msdcsc.exe (PID 2004)
Each of the two processes adjusted the same 23 token privileges (23 entries each, 46 in total): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the unnamed privileges reported as 33, 34 and 35.
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2004: msdcsc.exe
Suspicious use of WriteProcessMemory (27 IoCs)
Processes: 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe (PID 1936), msdcsc.exe (PID 2004)
- PID 1936 (2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe) wrote to the memory of PID 2004 (msdcsc.exe): 4 entries
- PID 2004 (msdcsc.exe) wrote to the memory of PID 1988 (notepad.exe): 23 entries
System policy modification (1 TTP, 3 IoCs)
Process: msdcsc.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
Processes
- C:\Users\Admin\AppData\Local\Temp\2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe (depth 1, PID 1936)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (depth 2, PID 2004)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\notepad.exe (depth 3, PID 1988)
      Command line: notepad
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  Filesize: 756KB
  MD5: 2fa4b346f9d431e8bbfa63e6f1dcf6a1
  SHA1: e8601bf601a9a2d0b1871fa49a05aab1cefec1b9
  SHA256: 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5
  SHA512: 64cb8d487c9dd36204bcb0fba11b2c7ec384049221bf35ce2076242b63559f26010dbaca9bf962df9faf818d1549bec7153b41cccec8b188f2b116cda48138b4
- \Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  Filesize: 756KB
  MD5: 2fa4b346f9d431e8bbfa63e6f1dcf6a1
  SHA1: e8601bf601a9a2d0b1871fa49a05aab1cefec1b9
  SHA256: 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5
  SHA512: 64cb8d487c9dd36204bcb0fba11b2c7ec384049221bf35ce2076242b63559f26010dbaca9bf962df9faf818d1549bec7153b41cccec8b188f2b116cda48138b4
- memory/1936-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp
  Filesize: 8KB
- memory/1988-61-0x0000000000000000-mapping.dmp
- memory/2004-57-0x0000000000000000-mapping.dmp