Analysis
- max time kernel: 333s
- max time network: 392s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-12-2022 12:30
Behavioral task: behavioral1
- Sample: flexabyprojectv2.exe
- Resource: win7-20221111-en
General
- Target: flexabyprojectv2.exe
- Size: 252KB
- MD5: b414dba465bb735661e18eae4e7aca89
- SHA1: 30c69c395ef9bc6cbcf0fbc7dc8a8f07b1b696c2
- SHA256: 82df3f039af299fd82ac54b1c8e02346509f9a2c8f09cb843d9d7a6d2d842b2c
- SHA512: 7de9df971ca0deda15a408e9f4b7c15210453b38072d5b6192ecfc35e65cfb1eb6c772ce3bc1499f82d76c20d40e6b552879c21b0856ec283192847130914d08
- SSDEEP: 6144:FcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:FcW7KEZlPzCy37
Malware Config
Extracted
- Family: darkcomet
- Botnet: Sazan
- C2: hckexe.duckdns.org:1604
- Mutex: DC_MUTEX-DY54MEJ
- InstallPath: MSDCSC\msdcsc.exe
- gencode: aBlcf64AC80d
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: flexabyprojectv2.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (flexabyprojectv2.exe)

Modifies security service (2 TTPs, 2 IoCs)
Processes: msdcsc.exe, iexplore.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (iexplore.exe)

Disables RegEdit via registry modification (2 IoCs)
Processes: msdcsc.exe, iexplore.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (msdcsc.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (iexplore.exe)

Disables Task Manager via registry modification

Executes dropped EXE (1 IoCs)
Processes: msdcsc.exe
- PID 4688: msdcsc.exe

Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
- PID 4496: attrib.exe
- PID 3068: attrib.exe

Processes (resource / yara_rule):
- behavioral2/memory/3088-132-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
- C:\Windows\SysWOW64\MSDCSC\msdcsc.exe: upx
- C:\Windows\SysWOW64\MSDCSC\msdcsc.exe: upx
- behavioral2/memory/4688-140-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
- behavioral2/memory/4688-141-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
- behavioral2/memory/3088-142-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: flexabyprojectv2.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation (flexabyprojectv2.exe)

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: msdcsc.exe, iexplore.exe, flexabyprojectv2.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (msdcsc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (flexabyprojectv2.exe)

Drops file in System32 directory (3 IoCs)
Processes: flexabyprojectv2.exe
- File opened for modification: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (flexabyprojectv2.exe)
- File opened for modification: C:\Windows\SysWOW64\MSDCSC\ (flexabyprojectv2.exe)
- File created: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (flexabyprojectv2.exe)

Suspicious use of SetThreadContext (1 IoCs)
Processes: msdcsc.exe
- PID 4688 set thread context of 2000: msdcsc.exe -> iexplore.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
Processes: flexabyprojectv2.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (flexabyprojectv2.exe)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: flexabyprojectv2.exe, msdcsc.exe, iexplore.exe
- flexabyprojectv2.exe (PID 3088), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- msdcsc.exe (PID 4688), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- iexplore.exe (PID 2000), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: iexplore.exe
- PID 2000: iexplore.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes: flexabyprojectv2.exe, cmd.exe, cmd.exe, msdcsc.exe
- PID 3088 wrote to memory of 2012: flexabyprojectv2.exe -> cmd.exe (3 entries)
- PID 3088 wrote to memory of 448: flexabyprojectv2.exe -> cmd.exe (3 entries)
- PID 2012 wrote to memory of 4496: cmd.exe -> attrib.exe (3 entries)
- PID 448 wrote to memory of 3068: cmd.exe -> attrib.exe (3 entries)
- PID 3088 wrote to memory of 4688: flexabyprojectv2.exe -> msdcsc.exe (3 entries)
- PID 4688 wrote to memory of 2000: msdcsc.exe -> iexplore.exe (5 entries)
System policy modification (1 TTPs, 3 IoCs)
Processes: msdcsc.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (msdcsc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (msdcsc.exe)

Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes: attrib.exe, attrib.exe
- PID 4496: attrib.exe
- PID 3068: attrib.exe
Processes
- Process (depth 1): C:\Users\Admin\AppData\Local\Temp\flexabyprojectv2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\flexabyprojectv2.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Process (depth 2): C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\flexabyprojectv2.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - Process (depth 3): C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\flexabyprojectv2.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  - Process (depth 2): C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - Process (depth 3): C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  - Process (depth 2): C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
    Command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
    - Modifies security service
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - Process (depth 3): C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Modifies security service
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
  Filesize: 252KB
  MD5: b414dba465bb735661e18eae4e7aca89
  SHA1: 30c69c395ef9bc6cbcf0fbc7dc8a8f07b1b696c2
  SHA256: 82df3f039af299fd82ac54b1c8e02346509f9a2c8f09cb843d9d7a6d2d842b2c
  SHA512: 7de9df971ca0deda15a408e9f4b7c15210453b38072d5b6192ecfc35e65cfb1eb6c772ce3bc1499f82d76c20d40e6b552879c21b0856ec283192847130914d08
- memory/448-134-0x0000000000000000-mapping.dmp
- memory/2012-133-0x0000000000000000-mapping.dmp
- memory/3068-136-0x0000000000000000-mapping.dmp
- memory/3088-132-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/3088-142-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/4496-135-0x0000000000000000-mapping.dmp
- memory/4688-137-0x0000000000000000-mapping.dmp
- memory/4688-140-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/4688-141-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)