Analysis
max time kernel: 171s
max time network: 203s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2022 21:58
Static task: static1
Behavioral task: behavioral1
Sample: ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Resource: win7-20220812-en
General
Target: ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Size: 482KB
MD5: 33d82a7ba4545a1c220fe5eaca758c9c
SHA1: 1ef9db72bf84b1c5d2a4ea19ae94f15706275927
SHA256: ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e
SHA512: c3171b8ec6a0507e58b31300a8f5df5643a4dfa49b0f46ae22eda475d76f82a22ba9b0b477ac1976126571dd845606450e53fc10e5a3a8f500a23eb3ef2240e9
SSDEEP: 12288:biO58NPU8EOwIk7/1Cy0b9GbGv6J6rB725WqOv7//Kr:T1nOwP/9qGbGv6Je7287G
Malware Config
Extracted
Family: darkcomet
1
C2:
dnlserver392.servemp3.com:88
dnlserver392.servemp3.com:1609
dnlserver392.servemp3.com:1039
dnlserver392.servemp3.com:27892
dnlserver392.servemp3.com:39892
CLE982335NAZ4MN
InstallPath: MSDCSC\msdcsc.exe
gencode: fMQfllcSj5tf
install: true
offline_keylogger: true
password: ib2HAc2i832kg
persistence: true
reg_key: AdobeFlash
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
Modifies security service (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msdcsc.exe
Windows security bypass
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  4832 | msdcsc.exe
  4320 | msdcsc.exe
Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
  pid | process
  3368 | attrib.exe
  4472 | attrib.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Windows security modification
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeFlash = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeFlash = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | msdcsc.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description | pid | process | target process
  PID 604 set thread context of 4656 | 604 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
  PID 4832 set thread context of 4320 | 4832 | msdcsc.exe | msdcsc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid | process
  4320 | msdcsc.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes:
  pid 4656, process ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe, 24 tokens:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  pid 4320, process msdcsc.exe, 24 tokens:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | process
  4320 | msdcsc.exe
Suspicious use of WriteProcessMemory (25 IoCs)
Processes:
  description | pid | process | target process
  PID 604 wrote to memory of 4656 | 604 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe (5 entries)
  PID 4656 wrote to memory of 4324 | 4656 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | cmd.exe (3 entries)
  PID 4656 wrote to memory of 4952 | 4656 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | cmd.exe (3 entries)
  PID 4324 wrote to memory of 4472 | 4324 | cmd.exe | attrib.exe (3 entries)
  PID 4952 wrote to memory of 3368 | 4952 | cmd.exe | attrib.exe (3 entries)
  PID 4656 wrote to memory of 4832 | 4656 | ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe | msdcsc.exe (3 entries)
  PID 4832 wrote to memory of 4320 | 4832 | msdcsc.exe | msdcsc.exe (5 entries)
System policy modification (1 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes:
  pid | process
  4472 | attrib.exe
  3368 | attrib.exe
Processes (bracketed number is the nesting depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe"
        - Modifies WinLogon for persistence
        - Checks computer location settings
        - Adds Run key to start application
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe" +s +h
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\attrib.exe
                command line: attrib "C:\Users\Admin\AppData\Local\Temp\ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e.exe" +s +h
                - Sets file to hidden
                - Views/modifies file attributes
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\attrib.exe
                command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
                - Sets file to hidden
                - Views/modifies file attributes
        [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
                - Modifies firewall policy service
                - Modifies security service
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Adds Run key to start application
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (three identical entries)
  Filesize: 482KB
  MD5: 33d82a7ba4545a1c220fe5eaca758c9c
  SHA1: 1ef9db72bf84b1c5d2a4ea19ae94f15706275927
  SHA256: ad070f84f0be3f151a00a368b36795ed8a59d4daef83ebd0a32ffce7a6b3f78e
  SHA512: c3171b8ec6a0507e58b31300a8f5df5643a4dfa49b0f46ae22eda475d76f82a22ba9b0b477ac1976126571dd845606450e53fc10e5a3a8f500a23eb3ef2240e9
memory/3368-140-0x0000000000000000-mapping.dmp
memory/4320-151-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
memory/4320-150-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
memory/4320-149-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
memory/4320-145-0x0000000000000000-mapping.dmp
memory/4324-137-0x0000000000000000-mapping.dmp
memory/4472-139-0x0000000000000000-mapping.dmp
memory/4656-136-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
memory/4656-144-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
memory/4656-132-0x0000000000000000-mapping.dmp
memory/4656-135-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
memory/4656-134-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
memory/4656-133-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
memory/4832-141-0x0000000000000000-mapping.dmp
memory/4952-138-0x0000000000000000-mapping.dmp