Analysis
-
max time kernel
165s -
max time network
203s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system -
submitted
02-12-2022 12:30
Behavioral task
behavioral1
Sample
flexabyprojectv2.exe
Resource
win7-20221111-en
General
-
Target
flexabyprojectv2.exe
-
Size
252KB
-
MD5
b414dba465bb735661e18eae4e7aca89
-
SHA1
30c69c395ef9bc6cbcf0fbc7dc8a8f07b1b696c2
-
SHA256
82df3f039af299fd82ac54b1c8e02346509f9a2c8f09cb843d9d7a6d2d842b2c
-
SHA512
7de9df971ca0deda15a408e9f4b7c15210453b38072d5b6192ecfc35e65cfb1eb6c772ce3bc1499f82d76c20d40e6b552879c21b0856ec283192847130914d08
-
SSDEEP
6144:FcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:FcW7KEZlPzCy37
Malware Config
Extracted
darkcomet
Sazan
hckexe.duckdns.org:1604
DC_MUTEX-DY54MEJ
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
aBlcf64AC80d
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
flexabyprojectv2.exe
description / ioc / process:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" by flexabyprojectv2.exe
-
Modifies security service 2 TTPs 2 IoCs
Processes:
msdcsc.exe, iexplore.exe
description / ioc / process:
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" by msdcsc.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" by iexplore.exe
-
Disables RegEdit via registry modification 2 IoCs
Processes:
msdcsc.exe, iexplore.exe
description / ioc / process:
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" by msdcsc.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" by iexplore.exe
-
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
Processes:
msdcsc.exe
pid / process:
992 msdcsc.exe
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exe, attrib.exe
pid / process:
524 attrib.exe
1256 attrib.exe
-
Processes:
resource / yara_rule:
behavioral1/memory/2028-55-0x0000000000400000-0x00000000004B7000-memory.dmp upx
\Windows\SysWOW64\MSDCSC\msdcsc.exe upx
\Windows\SysWOW64\MSDCSC\msdcsc.exe upx
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe upx
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe upx
behavioral1/memory/992-67-0x0000000000400000-0x00000000004B7000-memory.dmp upx
behavioral1/memory/2028-68-0x0000000000400000-0x00000000004B7000-memory.dmp upx
behavioral1/memory/992-69-0x0000000000400000-0x00000000004B7000-memory.dmp upx
-
Loads dropped DLL 2 IoCs
Processes:
flexabyprojectv2.exe
pid / process:
2028 flexabyprojectv2.exe
2028 flexabyprojectv2.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
flexabyprojectv2.exe, msdcsc.exe, iexplore.exe
description / ioc / process:
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" by flexabyprojectv2.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" by msdcsc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" by iexplore.exe
-
Drops file in System32 directory 3 IoCs
Processes:
flexabyprojectv2.exe
description / ioc / process:
File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe by flexabyprojectv2.exe
File opened for modification C:\Windows\SysWOW64\MSDCSC\ by flexabyprojectv2.exe
File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe by flexabyprojectv2.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
msdcsc.exe
description / pid / process / target process:
PID 992 (msdcsc.exe) set thread context of 296 (iexplore.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
flexabyprojectv2.exe, msdcsc.exe, iexplore.exe
description / pid / process (Token: privilege adjusted):
2028 flexabyprojectv2.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
992 msdcsc.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
296 iexplore.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
iexplore.exe
pid / process:
296 iexplore.exe
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
flexabyprojectv2.exe, cmd.exe, cmd.exe, msdcsc.exe
description / pid / process / target process:
PID 2028 (flexabyprojectv2.exe) wrote to memory of 764 (cmd.exe), 4 events
PID 2028 (flexabyprojectv2.exe) wrote to memory of 1912 (cmd.exe), 4 events
PID 764 (cmd.exe) wrote to memory of 524 (attrib.exe), 4 events
PID 1912 (cmd.exe) wrote to memory of 1256 (attrib.exe), 4 events
PID 2028 (flexabyprojectv2.exe) wrote to memory of 992 (msdcsc.exe), 4 events
PID 992 (msdcsc.exe) wrote to memory of 296 (iexplore.exe), 6 events
-
System policy modification 1 TTPs 3 IoCs
Processes:
msdcsc.exe
description / ioc / process:
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion by msdcsc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern by msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" by msdcsc.exe
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exe, attrib.exe
pid / process:
524 attrib.exe
1256 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\flexabyprojectv2.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\flexabyprojectv2.exe"
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (level 2)
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\flexabyprojectv2.exe" +s +h
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exe (level 3)
Command line: attrib "C:\Users\Admin\AppData\Local\Temp\flexabyprojectv2.exe" +s +h
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (level 2)
Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exe (level 3)
Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (level 2)
Command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
- Modifies security service
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe (level 3)
Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
- Modifies security service
- Disables RegEdit via registry modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Downloads
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize 252KB
MD5 b414dba465bb735661e18eae4e7aca89
SHA1 30c69c395ef9bc6cbcf0fbc7dc8a8f07b1b696c2
SHA256 82df3f039af299fd82ac54b1c8e02346509f9a2c8f09cb843d9d7a6d2d842b2c
SHA512 7de9df971ca0deda15a408e9f4b7c15210453b38072d5b6192ecfc35e65cfb1eb6c772ce3bc1499f82d76c20d40e6b552879c21b0856ec283192847130914d08
-
\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize 252KB
MD5 b414dba465bb735661e18eae4e7aca89
SHA1 30c69c395ef9bc6cbcf0fbc7dc8a8f07b1b696c2
SHA256 82df3f039af299fd82ac54b1c8e02346509f9a2c8f09cb843d9d7a6d2d842b2c
SHA512 7de9df971ca0deda15a408e9f4b7c15210453b38072d5b6192ecfc35e65cfb1eb6c772ce3bc1499f82d76c20d40e6b552879c21b0856ec283192847130914d08
-
memory/524-58-0x0000000000000000-mapping.dmp
memory/764-56-0x0000000000000000-mapping.dmp
memory/992-62-0x0000000000000000-mapping.dmp
memory/992-67-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize 732KB)
memory/992-69-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize 732KB)
memory/1256-59-0x0000000000000000-mapping.dmp
memory/1912-57-0x0000000000000000-mapping.dmp
memory/2028-54-0x0000000076651000-0x0000000076653000-memory.dmp (Filesize 8KB)
memory/2028-55-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize 732KB)
memory/2028-66-0x0000000003A70000-0x0000000003B27000-memory.dmp (Filesize 732KB)
memory/2028-68-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize 732KB)