Analysis
- max time kernel: 162s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-12-2022 16:27
Behavioral task
behavioral1
Sample
flexabyprojectv2.exe
Resource
win7-20221111-en
General
- Target: flexabyprojectv2.exe
- Size: 252KB
- MD5: b414dba465bb735661e18eae4e7aca89
- SHA1: 30c69c395ef9bc6cbcf0fbc7dc8a8f07b1b696c2
- SHA256: 82df3f039af299fd82ac54b1c8e02346509f9a2c8f09cb843d9d7a6d2d842b2c
- SHA512: 7de9df971ca0deda15a408e9f4b7c15210453b38072d5b6192ecfc35e65cfb1eb6c772ce3bc1499f82d76c20d40e6b552879c21b0856ec283192847130914d08
- SSDEEP: 6144:FcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:FcW7KEZlPzCy37
Malware Config
Extracted
darkcomet
Sazan
hckexe.duckdns.org:1604
DC_MUTEX-DY54MEJ
- InstallPath: MSDCSC\msdcsc.exe
- gencode: aBlcf64AC80d
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: (description | ioc | process)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | flexabyprojectv2.exe
Modifies security service 2 TTPs 1 IoCs
Processes: (description | ioc | process)
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msdcsc.exe
Disables RegEdit via registry modification 1 IoCs
Processes: (description | ioc | process)
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | msdcsc.exe

Disables Task Manager via registry modification
Executes dropped EXE 1 IoCs
Processes: (pid | process)
4760 | msdcsc.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes: (pid | process)
3052 | attrib.exe
620 | attrib.exe
Processes: (resource | yara_rule)
behavioral2/memory/4984-132-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | upx
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | upx
behavioral2/memory/4760-141-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4984-142-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: (description | ioc | process)
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | flexabyprojectv2.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: (description | ioc | process)
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | flexabyprojectv2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | msdcsc.exe
Drops file in System32 directory 3 IoCs
Processes: (description | ioc | process)
File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | flexabyprojectv2.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | flexabyprojectv2.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | flexabyprojectv2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class 1 IoCs
Processes: (description | ioc | process)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | flexabyprojectv2.exe
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes: (description | pid | process)
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 | 4984 | flexabyprojectv2.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 | 4760 | msdcsc.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: (pid | process)
4760 | msdcsc.exe
Suspicious use of WriteProcessMemory 20 IoCs
Processes: (description | pid | process | target process)
PID 4984 wrote to memory of 3440 | 4984 | flexabyprojectv2.exe | cmd.exe (3 entries)
PID 4984 wrote to memory of 4196 | 4984 | flexabyprojectv2.exe | cmd.exe (3 entries)
PID 3440 wrote to memory of 3052 | 3440 | cmd.exe | attrib.exe (3 entries)
PID 4196 wrote to memory of 620 | 4196 | cmd.exe | attrib.exe (3 entries)
PID 4984 wrote to memory of 4760 | 4984 | flexabyprojectv2.exe | msdcsc.exe (3 entries)
PID 4760 wrote to memory of 4688 | 4760 | msdcsc.exe | iexplore.exe (3 entries)
PID 4760 wrote to memory of 4704 | 4760 | msdcsc.exe | explorer.exe (2 entries)
System policy modification 1 TTPs 3 IoCs
Processes: (description | ioc | process)
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe
Views/modifies file attributes 1 TTPs 2 IoCs
Processes: (pid | process)
3052 | attrib.exe
620 | attrib.exe
Processes (process tree, indented by depth)

C:\Users\Admin\AppData\Local\Temp\flexabyprojectv2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\flexabyprojectv2.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\flexabyprojectv2.exe" +s +h
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\flexabyprojectv2.exe" +s +h
        - Sets file to hidden
        - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Sets file to hidden
        - Views/modifies file attributes

    C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
    Command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
    - Modifies security service
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

        C:\Windows\explorer.exe
        Command line: "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
  Filesize: 252KB
  MD5: b414dba465bb735661e18eae4e7aca89
  SHA1: 30c69c395ef9bc6cbcf0fbc7dc8a8f07b1b696c2
  SHA256: 82df3f039af299fd82ac54b1c8e02346509f9a2c8f09cb843d9d7a6d2d842b2c
  SHA512: 7de9df971ca0deda15a408e9f4b7c15210453b38072d5b6192ecfc35e65cfb1eb6c772ce3bc1499f82d76c20d40e6b552879c21b0856ec283192847130914d08
- memory/620-136-0x0000000000000000-mapping.dmp
- memory/3052-135-0x0000000000000000-mapping.dmp
- memory/3440-133-0x0000000000000000-mapping.dmp
- memory/4196-134-0x0000000000000000-mapping.dmp
- memory/4704-140-0x0000000000000000-mapping.dmp
- memory/4760-137-0x0000000000000000-mapping.dmp
- memory/4760-141-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB
- memory/4984-132-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB
- memory/4984-142-0x0000000000400000-0x00000000004B7000-memory.dmp
  Filesize: 732KB