Analysis
max time kernel: 144s
max time network: 165s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2022 16:27
Behavioral task: behavioral1
Sample: flexabyprojectv2.exe
Resource: win7-20221111-en
General
Target: flexabyprojectv2.exe
Size: 252KB
MD5: b414dba465bb735661e18eae4e7aca89
SHA1: 30c69c395ef9bc6cbcf0fbc7dc8a8f07b1b696c2
SHA256: 82df3f039af299fd82ac54b1c8e02346509f9a2c8f09cb843d9d7a6d2d842b2c
SHA512: 7de9df971ca0deda15a408e9f4b7c15210453b38072d5b6192ecfc35e65cfb1eb6c772ce3bc1499f82d76c20d40e6b552879c21b0856ec283192847130914d08
SSDEEP: 6144:FcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:FcW7KEZlPzCy37
Malware Config
Extracted
Family: darkcomet
Botnet (campaign ID): Sazan
C2: hckexe.duckdns.org:1604
Mutex: DC_MUTEX-DY54MEJ
InstallPath: MSDCSC\msdcsc.exe
gencode: aBlcf64AC80d
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
The C2 is a dynamic-DNS hostname (duckdns.org) on DarkComet's default port 1604. The InstallPath, the DC_MUTEX- mutex prefix and the reg_key value MicroUpdate are the DarkComet stub defaults; each of them reappears verbatim in the behavioural IoCs below, so the extracted config and the sandbox observations corroborate each other.
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoC
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | flexabyprojectv2.exe
The stock value is "C:\\Windows\\system32\\userinit.exe," (one entry). The sample appends its install path, so Winlogon starts msdcsc.exe at every interactive logon, independently of the Run key listed further down. Any UserInit value with more than one entry, or whose entry is not userinit.exe, is worth an alert.
Modifies security service 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | iexplore.exe
Start = 4 is SERVICE_DISABLED; wscsvc is the Windows Security Center service. The identical write from iexplore.exe comes from the RAT code injected into that process (see "Suspicious use of SetThreadContext" below), not from Internet Explorer itself.
Disables RegEdit via registry modification 2 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | msdcsc.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | iexplore.exe
Disables Task Manager via registry modification
(signature fired; the report does not itemise the individual registry write)
Executes dropped EXE 1 IoC
Processes:
pid | process
1736 | msdcsc.exe
Sets file to hidden 1 TTP 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
pid | process
1396 | attrib.exe
580 | attrib.exe
UPX packed file 7 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1264-55-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
\Windows\SysWOW64\MSDCSC\msdcsc.exe | upx
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | upx
\Windows\SysWOW64\MSDCSC\msdcsc.exe | upx
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | upx
behavioral1/memory/1736-66-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/1264-68-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
Both the file on disk and the in-memory image regions of PID 1264 and PID 1736 match the upx rule; static analysis should start from an unpacked copy.
Loads dropped DLL 2 IoCs
Processes:
pid | process
1264 | flexabyprojectv2.exe
1264 | flexabyprojectv2.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | flexabyprojectv2.exe
The value name MicroUpdate is the reg_key from the extracted config. The dropper, the installed copy and the injected iexplore.exe each rewrite the same HKCU Run value, so the key is re-created even if one of the three processes is killed.
Drops file in System32 directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | flexabyprojectv2.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | flexabyprojectv2.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | flexabyprojectv2.exe
The sample is 32-bit (resource tag arch:x86) running on x64 Windows, so WOW64 file system redirection turns its request for C:\Windows\system32\MSDCSC\ into C:\Windows\SysWOW64\MSDCSC\. The registry values and command lines elsewhere in this report still spell the path as system32. When hunting on a host, check both spellings and do not assume the system32 path exists just because the Run key names it.
Suspicious use of SetThreadContext 1 IoC
Processes:
description | pid | process | target process
PID 1736 set thread context of 1844 | 1736 | msdcsc.exe | iexplore.exe
Taken together with the WriteProcessMemory calls from PID 1736 into 1844 and the fact that iexplore.exe then repeats msdcsc.exe's registry writes, this is consistent with process hollowing: msdcsc.exe starts a fresh Internet Explorer, writes its own code into it and redirects the main thread. Every later IoC attributed to iexplore.exe should be read as the RAT's activity.
Enumerates physical storage devices 1 TTP
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second sentence is the sandbox's generic description for this signature. Nothing else in this report shows file encryption or mass file modification; for a DarkComet RAT, drive enumeration is consistent with its remote file-manager functionality rather than with ransomware.
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
flexabyprojectv2.exe (PID 1264), 23 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
msdcsc.exe (PID 1736), 23 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
iexplore.exe (PID 1844), 18 tokens (list truncated at the 64-IoC cap): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
The unnamed entries 33, 34 and 35 are privilege LUIDs the sandbox did not resolve (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege). Each process enables every privilege available to its token, SeDebugPrivilege included; the identical sweep from iexplore.exe is another sign that the injected code, not the browser, is running there.
Suspicious use of SetWindowsHookEx 1 IoC
Processes:
pid | process
1844 | iexplore.exe
SetWindowsHookEx is the API a keyboard hook is installed with. With offline_keylogger: true in the extracted config, this is the call to correlate with keylogging, and it is made from inside the injected iexplore.exe rather than from msdcsc.exe.
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
source pid / process | target pid / process | writes
1264 flexabyprojectv2.exe | 996 cmd.exe | 4
1264 flexabyprojectv2.exe | 688 cmd.exe | 4
996 cmd.exe | 580 attrib.exe | 4
688 cmd.exe | 1396 attrib.exe | 4
1264 flexabyprojectv2.exe | 1736 msdcsc.exe | 4
1736 msdcsc.exe | 1844 iexplore.exe | 6
Four writes per child is the pattern this sandbox records for every ordinary process creation in the run, the plainly benign cmd.exe and attrib.exe launches included. The six writes from msdcsc.exe into iexplore.exe, paired with the SetThreadContext call above, are the injection.
System policy modification 1 TTP 3 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe
The path is reproduced exactly as the sample writes it. Windows reads NoControlPanel from ...\CurrentVersion\Policies\Explorer, not from Policies\CurrentVersion\Explorern, so this write has no policy effect; the misspelt key is nonetheless a precise on-host indicator for this family.
Views/modifies file attributes 1 TTP 2 IoCs
Processes:
pid | process
580 | attrib.exe
1396 | attrib.exe
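The registry IoCs above (UserInit, the MicroUpdate Run value, wscsvc Start=4, DisableRegistryTools and the misspelt Explorern key) are the parts of this run that survive as host telemetry. The following detection logic is an added example, not part of the sandbox report: it normalises registry-write events from either the sandbox's \REGISTRY\MACHINE form or Sysmon's HKLM/HKU form and flags the writes seen here. The event records, the DisableTaskMgr rule (the report names that signature but lists no value) and the two benign control events are constructed.

```python
"""Flag the DarkComet persistence and policy-tampering registry writes seen in the
report above in Sysmon-style registry events.  Added example; event records are
constructed to mirror the IoCs above plus two benign controls."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    pid: int
    image: str   # process that wrote the value
    key: str     # full value path, sandbox (\REGISTRY\...) or Sysmon (HKLM\...) form
    data: str    # data written, as a string


def normalise(key: str) -> str:
    """Map \\REGISTRY\\MACHINE -> HKLM, \\REGISTRY\\USER -> HKU, ControlSet00N ->
    CurrentControlSet and any user SID -> <SID>, then lower-case, so one rule
    matches the same write whether it comes from the sandbox or from Sysmon."""
    parts = [p for p in key.split("\\") if p]
    if parts[:2] == ["REGISTRY", "MACHINE"]:
        parts = ["HKLM"] + parts[2:]
    elif parts[:2] == ["REGISTRY", "USER"]:
        parts = ["HKU"] + parts[2:]
    fixed = []
    for p in parts:
        if re.fullmatch(r"ControlSet\d{3}", p):
            p = "CurrentControlSet"
        elif re.fullmatch(r"S-1-5-21-[\d-]+", p):
            p = "<SID>"
        fixed.append(p)
    return "\\".join(fixed).lower()


def userinit_tampered(data: str) -> bool:
    """Stock value is 'C:\\Windows\\system32\\userinit.exe,' -- exactly one entry,
    and that entry is userinit.exe.  Anything appended runs at every logon."""
    entries = [e.strip().lower() for e in data.split(",") if e.strip()]
    return len(entries) != 1 or not entries[0].endswith("\\userinit.exe")


# (rule name, ATT&CK technique, predicate on normalised key, predicate on data)
RULES = [
    ("Winlogon UserInit hijack", "T1547.004",
     lambda k: k.endswith("\\microsoft\\windows nt\\currentversion\\winlogon\\userinit"),
     userinit_tampered),
    ("Run key -> MSDCSC\\msdcsc.exe (DarkComet default install path)", "T1547.001",
     lambda k: "\\currentversion\\run\\" in k,
     lambda d: "\\msdcsc\\msdcsc.exe" in d.lower()),
    ("Security Center service disabled (wscsvc Start=4)", "T1562.001",
     lambda k: k.endswith("\\services\\wscsvc\\start"),
     lambda d: d.strip() == "4"),
    ("Registry editor disabled (DisableRegistryTools=1)", "T1112",
     lambda k: k.endswith("\\policies\\system\\disableregistrytools"),
     lambda d: d.strip() == "1"),
    # Real policy path for the "Disables Task Manager" signature; not itemised in the report.
    ("Task Manager disabled (DisableTaskMgr=1)", "T1112",
     lambda k: k.endswith("\\policies\\system\\disabletaskmgr"),
     lambda d: d.strip() == "1"),
    ("NoControlPanel under misspelt Policies\\CurrentVersion\\Explorern (DarkComet-specific)", "T1112",
     lambda k: "\\policies\\currentversion\\explorern\\" in k,
     lambda d: True),
]


def scan(events):
    """Return (rule, technique, pid, image) for every event that matches a rule."""
    hits = []
    for ev in events:
        k = normalise(ev.key)
        for name, technique, key_ok, data_ok in RULES:
            if key_ok(k) and data_ok(ev.data):
                hits.append((name, technique, ev.pid, ev.image))
    return hits


SID = "S-1-5-21-3385717845-2518323428-350143044-1000"
SAMPLE_EVENTS = [
    # Writes itemised in the report (sandbox path form).
    RegEvent(1264, "flexabyprojectv2.exe",
             "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit",
             "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"),
    RegEvent(1736, "msdcsc.exe", "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\wscsvc\\Start", "4"),
    RegEvent(1736, "msdcsc.exe",
             f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", "1"),
    RegEvent(1844, "iexplore.exe",
             f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroUpdate",
             "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"),
    RegEvent(1736, "msdcsc.exe",
             "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CurrentVersion\\Explorern\\NoControlPanel", "1"),
    # Same Run-key write as Sysmon EventID 13 would render it (constructed), to exercise the normaliser.
    RegEvent(1736, "C:\\Windows\\SysWOW64\\MSDCSC\\msdcsc.exe",
             f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroUpdate",
             "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"),
    # Benign controls (constructed): stock UserInit value and an ordinary Run entry must not fire.
    RegEvent(500, "svchost.exe", "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit",
             "C:\\Windows\\system32\\userinit.exe,"),
    RegEvent(3000, "OneDriveSetup.exe", f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
             "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"),
]

if __name__ == "__main__":
    for rule, technique, pid, image in scan(SAMPLE_EVENTS):
        print(f"[{technique}] pid {pid} {image}: {rule}")
```

The normaliser is the part worth keeping: the same write looks different in a sandbox report, in Sysmon and in a raw hive, and the ControlSet number and user SID vary per host, so rules should only ever see the canonical form.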
Processes
- C:\Users\Admin\AppData\Local\Temp\flexabyprojectv2.exe (depth 1, PID 1264)
  command line: "C:\Users\Admin\AppData\Local\Temp\flexabyprojectv2.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\flexabyprojectv2.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (depth 3)
      command line: attrib "C:\Users\Admin\AppData\Local\Temp\flexabyprojectv2.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (depth 3)
      command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (depth 2, PID 1736)
    command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
    - Modifies security service
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe (depth 3, PID 1844)
      command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Modifies security service
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Three things in this tree are worth a detection each. The two cmd.exe /k attrib chains set system+hidden (+s +h) on the dropper and on the user's whole Temp directory, which hides both from a default Explorer view. msdcsc.exe is launched by its system32 path but its image is under SysWOW64\MSDCSC\ (WOW64 redirection), a private subdirectory no Windows binary lives in. iexplore.exe is started by msdcsc.exe, not by the shell, with a bare image path and no arguments, which is the shape of a process created to be hollowed. Note that cmd.exe /k keeps the shell open after attrib returns, so the two cmd.exe processes outlive the command they ran.
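The same three observations expressed as process-tree rules over Sysmon EventID 1-style records (pid, ppid, image, command line). This is an added example, not part of the sandbox report: the rows are constructed to mirror the tree above (the explorer.exe parent, the PID pairing of the two cmd/attrib chains and the two benign control rows are assumed), and the two allowlists are placeholders to be tuned per estate.

```python
"""Triage a process tree for the three behaviours seen in the report above: a dropper in
%TEMP% hiding files via cmd /k attrib +s +h, a payload running from a private subdirectory of
System32/SysWOW64, and a browser started with no arguments by a non-browser parent (hollowing
host).  Added example; rows are constructed to mirror the tree plus benign controls."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str     # full image path as the sandbox / Sysmon EventID 1 reports it
    cmdline: str


SHELLS = {"cmd.exe"}                          # transparent wrappers when walking ancestry
HOLLOW_HOSTS = {"iexplore.exe"}               # injection target seen in this run
EXPECTED_BROWSER_PARENTS = {"explorer.exe"}   # constructed allowlist; tune per estate
ALLOWED_SYSTEM_SUBDIRS = {"wbem", "windowspowershell", "drivers"}  # constructed allowlist


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def args_of(cmdline: str) -> str:
    """Return everything after the (possibly quoted) image token of a Windows command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def first_non_shell_ancestor(p, by_pid):
    """Walk up through cmd.exe wrappers to the process that really drove the action."""
    cur = by_pid.get(p.ppid)
    while cur is not None and basename(cur.image) in SHELLS:
        cur = by_pid.get(cur.ppid)
    return cur


def triage(procs):
    """Return (rule, pid, detail) for every process that trips a rule."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        name, img, args = basename(p.image), p.image.lower(), args_of(p.cmdline)

        # 1. attrib +h/+s driven (through cmd.exe) by something living in a user temp dir.
        if name == "attrib.exe" and {"+h", "+s"} & set(args.split()):
            driver = first_non_shell_ancestor(p, by_pid)
            if driver and "\\appdata\\local\\temp\\" in driver.image.lower():
                hits.append(("attrib +s/+h driven from %TEMP%", p.pid,
                             f"driver pid {driver.pid} {basename(driver.image)}; args: {args}"))

        # 2. executable one level below System32/SysWOW64 in a directory not on the allowlist.
        m = re.search(r"\\windows\\(system32|syswow64)\\([^\\]+)\\[^\\]+\.exe$", img)
        if m and m.group(2) not in ALLOWED_SYSTEM_SUBDIRS:
            detail = f"{m.group(1)}\\{m.group(2)}"
            if img.endswith("\\msdcsc\\msdcsc.exe"):
                detail += " (DarkComet default InstallPath)"
            hits.append(("executable in unexpected System32/SysWOW64 subdirectory", p.pid, detail))

        # 3. hollowing host: a browser with an empty command line whose parent is not the shell.
        parent = by_pid.get(p.ppid)
        if (name in HOLLOW_HOSTS and args == "" and parent is not None
                and basename(parent.image) not in EXPECTED_BROWSER_PARENTS):
            hits.append(("browser started with no arguments by non-browser parent", p.pid,
                         f"parent pid {parent.pid} {basename(parent.image)}"))
    return hits


T = r"C:\Users\Admin\AppData\Local\Temp"
IE = r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
SAMPLE_TREE = [
    Proc(1100, 900, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),  # constructed parent
    Proc(1264, 1100, T + r"\flexabyprojectv2.exe", f'"{T}\\flexabyprojectv2.exe"'),
    Proc(996, 1264, r"C:\Windows\SysWOW64\cmd.exe",
         f'"C:\\Windows\\System32\\cmd.exe" /k attrib "{T}\\flexabyprojectv2.exe" +s +h'),
    Proc(580, 996, r"C:\Windows\SysWOW64\attrib.exe", f'attrib "{T}\\flexabyprojectv2.exe" +s +h'),
    Proc(688, 1264, r"C:\Windows\SysWOW64\cmd.exe", f'"C:\\Windows\\System32\\cmd.exe" /k attrib "{T}" +s +h'),
    Proc(1396, 688, r"C:\Windows\SysWOW64\attrib.exe", f'attrib "{T}" +s +h'),
    Proc(1736, 1264, r"C:\Windows\SysWOW64\MSDCSC\msdcsc.exe", r'"C:\Windows\system32\MSDCSC\msdcsc.exe"'),
    Proc(1844, 1736, IE, f'"{IE}"'),
    # Benign controls (constructed): a user-launched browser and a legitimate System32 subdirectory binary.
    Proc(2200, 1100, IE, f'"{IE}" https://example.com'),
    Proc(2300, 1100, r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),
]

if __name__ == "__main__":
    for rule, pid, detail in triage(SAMPLE_TREE):
        print(f"pid {pid}: {rule} [{detail}]")
```

Rule 3 is only an approximation of what the sandbox saw directly (SetThreadContext plus WriteProcessMemory from PID 1736 into 1844); on a live host, Sysmon ProcessAccess events from the parent to the child are the confirming evidence, and the parent/empty-argument heuristic is the cheap first filter.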
Downloads (dropped files and memory dumps)
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (also listed as \Windows\SysWOW64\MSDCSC\msdcsc.exe; the sandbox lists this file four times, all entries identical)
Filesize: 252KB
MD5: b414dba465bb735661e18eae4e7aca89
SHA1: 30c69c395ef9bc6cbcf0fbc7dc8a8f07b1b696c2
SHA256: 82df3f039af299fd82ac54b1c8e02346509f9a2c8f09cb843d9d7a6d2d842b2c
SHA512: 7de9df971ca0deda15a408e9f4b7c15210453b38072d5b6192ecfc35e65cfb1eb6c772ce3bc1499f82d76c20d40e6b552879c21b0856ec283192847130914d08
Every hash matches the submitted sample (see General above): the installed msdcsc.exe is a byte-for-byte copy of flexabyprojectv2.exe, so the sample's file hashes also identify the persistent copy on disk.
memory/580-58-0x0000000000000000-mapping.dmp
memory/688-57-0x0000000000000000-mapping.dmp
memory/996-56-0x0000000000000000-mapping.dmp
memory/1264-54-0x0000000075291000-0x0000000075293000-memory.dmp (8KB)
memory/1264-55-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
memory/1264-67-0x00000000039E0000-0x0000000003A97000-memory.dmp (732KB)
memory/1264-68-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
memory/1396-59-0x0000000000000000-mapping.dmp
memory/1736-62-0x0000000000000000-mapping.dmp
memory/1736-66-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
The 0x00400000-0x004B7000 dumps are the image regions of the dropper (PID 1264) and of the installed copy (PID 1736) that matched the upx yara rule above; 1264-67 is a second region of the same size (732KB) at 0x039E0000 inside the dropper. The 732KB dumps are the ones to take for static analysis, since the 252KB file on disk is packed.