Analysis
- max time kernel: 179s
- max time network: 192s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 13:37
Behavioral task
- behavioral1
- Sample: 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe
- Resource: win7-20220812-en
General
- Target: 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe
- Size: 756KB
- MD5: 2fa4b346f9d431e8bbfa63e6f1dcf6a1
- SHA1: e8601bf601a9a2d0b1871fa49a05aab1cefec1b9
- SHA256: 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5
- SHA512: 64cb8d487c9dd36204bcb0fba11b2c7ec384049221bf35ce2076242b63559f26010dbaca9bf962df9faf818d1549bec7153b41cccec8b188f2b116cda48138b4
- SSDEEP: 12288:n9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hVsvv/:BZ1xuVVjfFoynPaVBUR8f+kN10EBsvv/
Malware Config
Extracted
- Family: darkcomet
- Campaign: R1
- C2: csgohackzz.ddns.net:1096
- Mutex: DC_MUTEX-46JEUN6
- InstallPath: MSDCSC\msdcsc.exe
- gencode: X6gK8NP6mhLx
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes:
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- msdcsc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Modifies security service (2 TTPs, 1 IoC)
Processes:
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
Windows security bypass (2 IoCs)
Processes:
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Disables RegEdit via registry modification (1 IoC)
Processes:
- msdcsc.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Disables Task Manager via registry modification
Executes dropped EXE (1 IoC)
Processes:
- msdcsc.exe (PID 5080)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe: Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
Windows security modification (2 IoCs)
Processes:
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
- msdcsc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
Processes:
- 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- msdcsc.exe (PID 5080)
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes:
- 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe (PID 5104), 24 token adjustments: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- msdcsc.exe (PID 5080), 24 token adjustments: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- msdcsc.exe (PID 5080)
Suspicious use of WriteProcessMemory (25 IoCs)
Processes:
- PID 5104 (2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe) wrote to memory of PID 5080 (msdcsc.exe): 3 entries
- PID 5080 (msdcsc.exe) wrote to memory of PID 640 (notepad.exe): 22 entries
System policy modification (1 TTP, 3 IoCs)
Processes:
- msdcsc.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
- msdcsc.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
Processes
- C:\Users\Admin\AppData\Local\Temp\2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\notepad.exe (level 3)
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  - Filesize: 756KB
  - MD5: 2fa4b346f9d431e8bbfa63e6f1dcf6a1
  - SHA1: e8601bf601a9a2d0b1871fa49a05aab1cefec1b9
  - SHA256: 2243df2e91e114754b72250f4bb753edfc6d6dc6518656cad0890f743dca22f5
  - SHA512: 64cb8d487c9dd36204bcb0fba11b2c7ec384049221bf35ce2076242b63559f26010dbaca9bf962df9faf818d1549bec7153b41cccec8b188f2b116cda48138b4
- memory/640-135-0x0000000000000000-mapping.dmp
- memory/5080-132-0x0000000000000000-mapping.dmp