Analysis
- max time kernel: 189s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 02-12-2022 21:58
Static task: static1
Behavioral task: behavioral1
Sample: ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Resource: win7-20220812-en
General
- Target: ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
- Size: 482KB
- MD5: 33d82a7ba4545a1c220fe5eaca758c9c
- SHA1: 1ef9db72bf84b1c5d2a4ea19ae94f15706275927
- SHA256: ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e
- SHA512: c3171b8ec6a0507e58b31300a8f5df5643a4dfa49b0f46ae22eda475d76f82a22ba9b0b477ac1976126571dd845606450e53fc10e5a3a8f500a23eb3ef2240e9
- SSDEEP: 12288:biO58NPU8EOwIk7/1Cy0b9GbGv6J6rB725WqOv7//Kr:T1nOwP/9qGbGv6Je7287G
Malware Config
Extracted
darkcomet
1
dnlserver392.servemp3.com:88
dnlserver392.servemp3.com:1609
dnlserver392.servemp3.com:1039
dnlserver392.servemp3.com:27892
dnlserver392.servemp3.com:39892
CLE982335NAZ4MN
- InstallPath: MSDCSC\msdcsc.exe
- gencode: fMQfllcSj5tf
- install: true
- offline_keylogger: true
- password: ib2HAc2i832kg
- persistence: true
- reg_key: AdobeFlash
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
-
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: msdcsc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
-
Modifies security service (2 TTPs, 1 IoCs)
Processes: msdcsc.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | msdcsc.exe
-
Processes: msdcsc.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
-
Executes dropped EXE (2 IoCs)
Processes: msdcsc.exe, msdcsc.exe
pid | process
1980 | msdcsc.exe
364 | msdcsc.exe
-
Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
pid | process
1824 | attrib.exe
1764 | attrib.exe
-
Loads dropped DLL (1 IoCs)
Processes: ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
pid | process
1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
-
Processes: msdcsc.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe, msdcsc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeFlash = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeFlash = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | msdcsc.exe
-
Suspicious use of SetThreadContext (2 IoCs)
Processes: ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe, msdcsc.exe
description | pid | process | target process
PID 1900 set thread context of 1336 | 1900 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
PID 1980 set thread context of 364 | 1980 | msdcsc.exe | msdcsc.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe, msdcsc.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeSecurityPrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeTakeOwnershipPrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeLoadDriverPrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeSystemProfilePrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeSystemtimePrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeProfSingleProcessPrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeIncBasePriorityPrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeCreatePagefilePrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeBackupPrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeRestorePrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeShutdownPrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeDebugPrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeSystemEnvironmentPrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeChangeNotifyPrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeRemoteShutdownPrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeUndockPrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeManageVolumePrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeImpersonatePrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeCreateGlobalPrivilege | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: 33 | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: 34 | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: 35 | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Token: SeIncreaseQuotaPrivilege | 364 | msdcsc.exe
Token: SeSecurityPrivilege | 364 | msdcsc.exe
Token: SeTakeOwnershipPrivilege | 364 | msdcsc.exe
Token: SeLoadDriverPrivilege | 364 | msdcsc.exe
Token: SeSystemProfilePrivilege | 364 | msdcsc.exe
Token: SeSystemtimePrivilege | 364 | msdcsc.exe
Token: SeProfSingleProcessPrivilege | 364 | msdcsc.exe
Token: SeIncBasePriorityPrivilege | 364 | msdcsc.exe
Token: SeCreatePagefilePrivilege | 364 | msdcsc.exe
Token: SeBackupPrivilege | 364 | msdcsc.exe
Token: SeRestorePrivilege | 364 | msdcsc.exe
Token: SeShutdownPrivilege | 364 | msdcsc.exe
Token: SeDebugPrivilege | 364 | msdcsc.exe
Token: SeSystemEnvironmentPrivilege | 364 | msdcsc.exe
Token: SeChangeNotifyPrivilege | 364 | msdcsc.exe
Token: SeRemoteShutdownPrivilege | 364 | msdcsc.exe
Token: SeUndockPrivilege | 364 | msdcsc.exe
Token: SeManageVolumePrivilege | 364 | msdcsc.exe
Token: SeImpersonatePrivilege | 364 | msdcsc.exe
Token: SeCreateGlobalPrivilege | 364 | msdcsc.exe
Token: 33 | 364 | msdcsc.exe
Token: 34 | 364 | msdcsc.exe
Token: 35 | 364 | msdcsc.exe
-
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: msdcsc.exe
pid | process
364 | msdcsc.exe
-
Suspicious use of WriteProcessMemory (32 IoCs)
Processes: ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe, ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe, cmd.exe, cmd.exe, msdcsc.exe
description | pid | process | target process
PID 1900 wrote to memory of 1336 | 1900 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
PID 1900 wrote to memory of 1336 | 1900 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
PID 1900 wrote to memory of 1336 | 1900 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
PID 1900 wrote to memory of 1336 | 1900 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
PID 1900 wrote to memory of 1336 | 1900 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
PID 1900 wrote to memory of 1336 | 1900 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
PID 1336 wrote to memory of 2008 | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | cmd.exe
PID 1336 wrote to memory of 2008 | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | cmd.exe
PID 1336 wrote to memory of 2008 | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | cmd.exe
PID 1336 wrote to memory of 2008 | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | cmd.exe
PID 1336 wrote to memory of 2020 | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | cmd.exe
PID 1336 wrote to memory of 2020 | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | cmd.exe
PID 1336 wrote to memory of 2020 | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | cmd.exe
PID 1336 wrote to memory of 2020 | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | cmd.exe
PID 2008 wrote to memory of 1824 | 2008 | cmd.exe | attrib.exe
PID 2008 wrote to memory of 1824 | 2008 | cmd.exe | attrib.exe
PID 2008 wrote to memory of 1824 | 2008 | cmd.exe | attrib.exe
PID 2008 wrote to memory of 1824 | 2008 | cmd.exe | attrib.exe
PID 2020 wrote to memory of 1764 | 2020 | cmd.exe | attrib.exe
PID 2020 wrote to memory of 1764 | 2020 | cmd.exe | attrib.exe
PID 2020 wrote to memory of 1764 | 2020 | cmd.exe | attrib.exe
PID 2020 wrote to memory of 1764 | 2020 | cmd.exe | attrib.exe
PID 1336 wrote to memory of 1980 | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | msdcsc.exe
PID 1336 wrote to memory of 1980 | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | msdcsc.exe
PID 1336 wrote to memory of 1980 | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | msdcsc.exe
PID 1336 wrote to memory of 1980 | 1336 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | msdcsc.exe
PID 1980 wrote to memory of 364 | 1980 | msdcsc.exe | msdcsc.exe
PID 1980 wrote to memory of 364 | 1980 | msdcsc.exe | msdcsc.exe
PID 1980 wrote to memory of 364 | 1980 | msdcsc.exe | msdcsc.exe
PID 1980 wrote to memory of 364 | 1980 | msdcsc.exe | msdcsc.exe
PID 1980 wrote to memory of 364 | 1980 | msdcsc.exe | msdcsc.exe
PID 1980 wrote to memory of 364 | 1980 | msdcsc.exe | msdcsc.exe
-
System policy modification (1 TTPs, 3 IoCs)
Processes: msdcsc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe
-
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes: attrib.exe, attrib.exe
pid | process
1824 | attrib.exe
1764 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe, command line: "C:\Users\Admin\AppData\Local\Temp\ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe, command line: "C:\Users\Admin\AppData\Local\Temp\ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe"
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe, command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe" +s +h
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe, command line: attrib "C:\Users\Admin\AppData\Local\Temp\ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe" +s +h
        - Sets file to hidden
        - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe, command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe, command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Sets file to hidden
        - Views/modifies file attributes
    - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe, command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe, command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        - Modifies firewall policy service
        - Modifies security service
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize 482KB
  MD5 33d82a7ba4545a1c220fe5eaca758c9c
  SHA1 1ef9db72bf84b1c5d2a4ea19ae94f15706275927
  SHA256 ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e
  SHA512 c3171b8ec6a0507e58b31300a8f5df5643a4dfa49b0f46ae22eda475d76f82a22ba9b0b477ac1976126571dd845606450e53fc10e5a3a8f500a23eb3ef2240e9
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize 482KB
  MD5 33d82a7ba4545a1c220fe5eaca758c9c
  SHA1 1ef9db72bf84b1c5d2a4ea19ae94f15706275927
  SHA256 ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e
  SHA512 c3171b8ec6a0507e58b31300a8f5df5643a4dfa49b0f46ae22eda475d76f82a22ba9b0b477ac1976126571dd845606450e53fc10e5a3a8f500a23eb3ef2240e9
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize 482KB
  MD5 33d82a7ba4545a1c220fe5eaca758c9c
  SHA1 1ef9db72bf84b1c5d2a4ea19ae94f15706275927
  SHA256 ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e
  SHA512 c3171b8ec6a0507e58b31300a8f5df5643a4dfa49b0f46ae22eda475d76f82a22ba9b0b477ac1976126571dd845606450e53fc10e5a3a8f500a23eb3ef2240e9
- memory/364-79-0x0000000000400000-0x00000000004B0000-memory.dmp
  Filesize 704KB
- memory/364-78-0x0000000000400000-0x00000000004B0000-memory.dmp
  Filesize 704KB
- memory/364-77-0x0000000000400000-0x00000000004B0000-memory.dmp
  Filesize 704KB
- memory/364-73-0x000000000048D888-mapping.dmp
- memory/1336-60-0x0000000000400000-0x00000000004B0000-memory.dmp
  Filesize 704KB
- memory/1336-61-0x0000000000400000-0x00000000004B0000-memory.dmp
  Filesize 704KB
- memory/1336-69-0x0000000000400000-0x00000000004B0000-memory.dmp
  Filesize 704KB
- memory/1336-54-0x0000000000400000-0x00000000004B0000-memory.dmp
  Filesize 704KB
- memory/1336-59-0x0000000075091000-0x0000000075093000-memory.dmp
  Filesize 8KB
- memory/1336-56-0x0000000000400000-0x00000000004B0000-memory.dmp
  Filesize 704KB
- memory/1336-57-0x000000000048D888-mapping.dmp
- memory/1336-58-0x0000000000400000-0x00000000004B0000-memory.dmp
  Filesize 704KB
- memory/1764-65-0x0000000000000000-mapping.dmp
- memory/1824-64-0x0000000000000000-mapping.dmp
- memory/1980-67-0x0000000000000000-mapping.dmp
- memory/2008-62-0x0000000000000000-mapping.dmp
- memory/2020-63-0x0000000000000000-mapping.dmp