Analysis
-
max time kernel
422s -
max time network
426s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system -
submitted
08-04-2023 09:32
Static task
static1
General
-
Target
omgf.exe
-
Size
334KB
-
MD5
94417934059ba8724ff5933a244441da
-
SHA1
3ac2b1bb84efd7284650ebb25c2a60d4665e8785
-
SHA256
d530105c5a60d787d0060424b996e547f3db4b2cfd12d1320d56f3b59a2f34e3
-
SHA512
3a7e6f666bbfc7b054f7d351c54915e16f57339628682fa5ac628619fb6b74e3216a53c79d861ac9f80e211f1df055e7f41f9bd4f83da49ef5883b854e8c2b68
-
SSDEEP
6144:UMMWJH007FoGoyy3GSrsM/XII6aN2Z1sVd+SK6brDgNqpbn+UnCP8NBKKhcKXbJ:pJH0NGoyYYB7Z10s+DgNqR+T8NBKebJ
Malware Config
Extracted
Family
darkcomet
-
Campaign ID (botnet)
Guest16
-
C2
147.185.221.212:46856
-
Mutex
DC_MUTEX-F4BY55C
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
K5uLvFjyQEWC
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes: omgf.exe, iexplore.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | omgf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | iexplore.exe
-
Modifies firewall policy service 2 TTPs 8 IoCs
Processes: iexplore.exe, msdcsc.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" | iexplore.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | iexplore.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | iexplore.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | iexplore.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | iexplore.exe
-
Modifies security service 2 TTPs 3 IoCs
Processes: msdcsc.exe, iexplore.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | iexplore.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "1" | iexplore.exe
-
Windows security bypass 6 IoCs
Processes: iexplore.exe, msdcsc.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "0" | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "0" | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | iexplore.exe
-
Disables RegEdit via registry modification 3 IoCs
Processes: msdcsc.exe, iexplore.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | msdcsc.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" | iexplore.exe
-
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
pid | process
3424 | attrib.exe
976 | attrib.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: omgf.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | omgf.exe
-
Executes dropped EXE 1 IoCs
Processes: msdcsc.exe
pid | process
3956 | msdcsc.exe
-
Windows security modification 2 IoCs
Processes: msdcsc.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: iexplore.exe, omgf.exe, msdcsc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | omgf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | msdcsc.exe
-
Drops desktop.ini file(s) 1 IoCs
Processes: LogonUI.exe
description | ioc | process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | LogonUI.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: msdcsc.exe
description | pid | process | target process
PID 3956 set thread context of 1432 | 3956 | msdcsc.exe | iexplore.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 52 IoCs
Processes: LogonUI.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | LogonUI.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | LogonUI.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "4" | LogonUI.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | LogonUI.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem | LogonUI.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "173" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1" | LogonUI.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} | LogonUI.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{af0fc727-0000-0000-0000-d01200000000}\MaxCapacity = "15140" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{af0fc727-0000-0000-0000-d01200000000}\NukeOnDelete = "0" | LogonUI.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409" | LogonUI.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE | LogonUI.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 01000000000000002d3fa69f0e6ad901 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{af0fc727-0000-0000-0000-d01200000000} | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US | LogonUI.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 | LogonUI.exe
-
Modifies registry class 1 IoCs
Processes: omgf.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | omgf.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: iexplore.exe
pid | process | events
1432 | iexplore.exe | 64 (the listing caps at 64 IoCs)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: iexplore.exe
pid | process
1432 | iexplore.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: omgf.exe, msdcsc.exe, iexplore.exe
pid | process | Token: privileges adjusted
748 | omgf.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries)
3956 | msdcsc.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries)
1432 | iexplore.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege (16 entries; the listing caps at 64 IoCs)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: iexplore.exe, LogonUI.exe
pid | process
1432 | iexplore.exe
664 | LogonUI.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: omgf.exe, cmd.exe, cmd.exe, msdcsc.exe, iexplore.exe, cmd.exe
Each row in the report reads "PID <source> wrote to memory of <target>"; identical rows are grouped here with their count (64 rows in total).
source pid | source process | target pid | target process | rows
748 | omgf.exe | 4272 | cmd.exe | 3
748 | omgf.exe | 4544 | cmd.exe | 3
748 | omgf.exe | 4552 | notepad.exe | 17
4272 | cmd.exe | 3424 | attrib.exe | 3
4544 | cmd.exe | 976 | attrib.exe | 3
748 | omgf.exe | 3956 | msdcsc.exe | 3
3956 | msdcsc.exe | 1432 | iexplore.exe | 5
1432 | iexplore.exe | 2064 | notepad.exe | 22
1432 | iexplore.exe | 5000 | cmd.exe | 3
5000 | cmd.exe | 4076 | PING.EXE | 2
-
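Every parent in this tree, cmd.exe launching attrib.exe included, shows up in the WriteProcessMemory list with three writes to its child, so writes by themselves say little; what marks msdcsc.exe writing into iexplore.exe as process hollowing is the SetThreadContext call on the same target (the "Suspicious use of SetThreadContext" signature above). The Python below is an added example, not part of the Triage report or of the sample: it folds the rows of both signatures into per-(source, target) evidence and classifies each pair. The threshold of three writes for an ordinary launch is read off this report and is an assumption, as is the label given to the heavier write runs into notepad.exe, which the report does not explain.

```python
"""Correlate WriteProcessMemory / SetThreadContext rows from a tria.ge-style
report per (source, target) pair and separate ordinary child creation from
process hollowing.  Added example; not part of the sandbox output."""
import re
from collections import defaultdict

# Row shape as printed in the report:
#   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
#   PID <src> set thread context of <dst> <src> <src image> <dst image>
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
VERB_TO_API = {
    "wrote to memory of": "WriteProcessMemory",
    "set thread context of": "SetThreadContext",
}
# Heuristic (editor's assumption): in this report every plain parent->child
# launch shows exactly three writes; anything well above that is worth a look.
NORMAL_LAUNCH_WRITES = 3


def correlate(rows):
    """Map (src_pid, src_img, dst_pid, dst_img) -> {api_name: count}."""
    evidence = defaultdict(lambda: defaultdict(int))
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m is None:
            continue  # not a memory row; ignore
        key = (int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"])
        evidence[key][VERB_TO_API[m["verb"]]] += 1
    return evidence


def classify(apis):
    """SetThreadContext on a process the source also wrote into is the
    hollowing sequence (CreateProcess suspended -> WriteProcessMemory ->
    SetThreadContext -> ResumeThread).  Writes alone are what CreateProcess
    itself produces when a parent starts a child."""
    if "SetThreadContext" in apis and "WriteProcessMemory" in apis:
        return "process_hollowing"
    if apis.get("WriteProcessMemory", 0) > NORMAL_LAUNCH_WRITES:
        return "heavy_write_candidate"
    return "child_launch"


def hollowing_targets(rows):
    """[(src_img, dst_img, dst_pid)] for every pair classified as hollowing."""
    return [(k[1], k[3], k[2]) for k, apis in correlate(rows).items()
            if classify(apis) == "process_hollowing"]


# Rows taken from this report's WriteProcessMemory / SetThreadContext
# signatures (constructed sample input; repeat counts as on the page).
SAMPLE_ROWS = (
    ["PID 748 wrote to memory of 4272 748 omgf.exe cmd.exe"] * 3
    + ["PID 748 wrote to memory of 4544 748 omgf.exe cmd.exe"] * 3
    + ["PID 748 wrote to memory of 4552 748 omgf.exe notepad.exe"] * 17
    + ["PID 4272 wrote to memory of 3424 4272 cmd.exe attrib.exe"] * 3
    + ["PID 4544 wrote to memory of 976 4544 cmd.exe attrib.exe"] * 3
    + ["PID 748 wrote to memory of 3956 748 omgf.exe msdcsc.exe"] * 3
    + ["PID 3956 wrote to memory of 1432 3956 msdcsc.exe iexplore.exe"] * 5
    + ["PID 3956 set thread context of 1432 3956 msdcsc.exe iexplore.exe"]
    + ["PID 1432 wrote to memory of 2064 1432 iexplore.exe notepad.exe"] * 22
    + ["PID 1432 wrote to memory of 5000 1432 iexplore.exe cmd.exe"] * 3
    + ["PID 5000 wrote to memory of 4076 5000 cmd.exe PING.EXE"] * 2
)

if __name__ == "__main__":
    for (src, src_img, dst, dst_img), apis in correlate(SAMPLE_ROWS).items():
        print(f"{src:>5} {src_img:<12} -> {dst:>5} {dst_img:<12} "
              f"{dict(apis)}  {classify(apis)}")
```

Run stand-alone it prints one line per pair; only msdcsc.exe -> iexplore.exe comes out as process_hollowing, the two notepad.exe targets as heavy_write_candidate, and everything else, cmd.exe -> attrib.exe and cmd.exe -> PING.EXE included, as child_launch.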
System policy modification 1 TTPs 3 IoCs
Processes: msdcsc.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes: attrib.exe, attrib.exe
pid | process
3424 | attrib.exe
976 | attrib.exe
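The registry rows in the signatures above are the substance of this report: persistence through Winlogon UserInit and the Run key, the standard firewall profile switched off, the Security Center service (wscsvc) set to Start = 4 (disabled), Security Center notifications silenced, and regedit blocked by policy. The Python below is an added triage example, not part of the Triage report or of the sample; it parses rows in the flattened "description ioc process" shape the report uses and applies one rule per tampering class. Assumptions the page does not state: the expected UserInit value is the stock C:\Windows\system32\userinit.exe, with its trailing comma (which is why empty entries are dropped) and any further comma-separated entry is treated as a hijack; the set of "hollow host" images (iexplore.exe, notepad.exe, svchost.exe) is the editor's choice, added because a browser writing Winlogon and Run keys, as iexplore.exe does here, is itself the sign that it is not running its own code. The ControlSet001 paths are as the sandbox logs them; on a live host read CurrentControlSet.

```python
"""Parse tria.ge-style registry IoC rows and flag the DarkComet-style
tampering seen in this report.  Added example, not part of the sandbox
output; the rule set and the hollow-host list are the editor's."""
import re
from dataclasses import dataclass
from typing import Optional

# One row of the flattened "description | ioc | process" table, e.g.
#   Set value (str) \REGISTRY\MACHINE\...\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,..." omgf.exe
#   Key created \REGISTRY\USER\S-1-5-21-...\CurrentVersion\Run iexplore.exe
ROW_RE = re.compile(
    r"^(?P<op>Set value|Key created|Key deleted|Key value queried)"
    r"(?: \((?P<type>\w+)\))? (?P<key>\\REGISTRY\\.+?)"
    r"(?: = (?P<val>.+?))? (?P<proc>\S+)$"
)

# Stock UserInit entry; the real value carries a trailing comma.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# Images RATs of this era commonly hollow (editor's assumption); a browser
# has no business writing Winlogon or Run keys.
HOLLOW_HOSTS = {"iexplore.exe", "notepad.exe", "svchost.exe"}


@dataclass
class RegEvent:
    op: str
    vtype: Optional[str]
    key: str
    value: Optional[str]   # surrounding quotes stripped, "\\" un-doubled
    process: str


def parse_row(row: str) -> Optional[RegEvent]:
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    val = m["val"]
    if val is not None:
        val = val.strip('"').replace("\\\\", "\\")
    return RegEvent(m["op"], m["type"], m["key"], val, m["proc"])


def check(ev: RegEvent) -> list:
    """Return (rule, process, detail) triples for one event; only writes count."""
    hits = []
    if ev.op != "Set value":
        return hits
    k, v = ev.key.lower(), (ev.value or "")
    if k.endswith(r"\winlogon\userinit"):
        entries = [e.strip().lower() for e in v.split(",") if e.strip()]
        extra = [e for e in entries if e != EXPECTED_USERINIT]
        if extra:
            hits.append(("winlogon_userinit_hijack", ev.process, ",".join(extra)))
    if "\\currentversion\\run\\" in k and v.lower().startswith("c:\\users\\"):
        hits.append(("run_key_user_profile", ev.process, v))
    if k.endswith(r"\firewallpolicy\standardprofile\enablefirewall") and v == "0":
        hits.append(("firewall_disabled", ev.process, ev.key))
    if k.endswith(r"\services\wscsvc\start") and v == "4":
        hits.append(("security_center_service_disabled", ev.process, ev.key))
    if k.endswith((r"\antivirusdisablenotify", r"\updatesdisablenotify")) and v == "1":
        hits.append(("security_center_notify_off", ev.process, ev.key))
    if k.endswith(r"\policies\system\disableregistrytools") and v == "1":
        hits.append(("regedit_disabled", ev.process, ev.key))
    # Any of the above coming from a typical hollow host is a second finding.
    if hits and ev.process.lower() in HOLLOW_HOSTS:
        hits.append(("persistence_from_hollow_host", ev.process, ev.key))
    return hits


def triage(rows) -> list:
    findings = []
    for row in rows:
        ev = parse_row(row)
        if ev:
            findings.extend(check(ev))
    return findings


# Rows copied from this report's Signatures section (constructed sample input).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" omgf.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" iexplore.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" iexplore.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iexplore.exe',
]

if __name__ == "__main__":
    for rule, proc, detail in triage(SAMPLE_ROWS):
        print(f"{rule:34} {proc:14} {detail}")
```

The rules report the dangerous state rather than every write: the row where iexplore.exe sets EnableFirewall back to "1" and the bare "Key created" row produce nothing, while the Run key written by iexplore.exe yields two findings, the user-profile path and the fact that a browser wrote it.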
Processes
(depth shown in parentheses; children are indented under their parent)

(1) C:\Users\Admin\AppData\Local\Temp\omgf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\omgf.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    (2) C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\omgf.exe" +s +h
        - Suspicious use of WriteProcessMemory

        (3) C:\Windows\SysWOW64\attrib.exe
            command line: attrib "C:\Users\Admin\AppData\Local\Temp\omgf.exe" +s +h
            - Sets file to hidden
            - Views/modifies file attributes

    (2) C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Suspicious use of WriteProcessMemory

        (3) C:\Windows\SysWOW64\attrib.exe
            command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            - Sets file to hidden
            - Views/modifies file attributes

    (2) C:\Windows\SysWOW64\notepad.exe
        command line: notepad

    (2) C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        - Modifies firewall policy service
        - Modifies security service
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        (3) C:\Program Files (x86)\Internet Explorer\iexplore.exe
            command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            - Modifies WinLogon for persistence
            - Modifies firewall policy service
            - Modifies security service
            - Windows security bypass
            - Disables RegEdit via registry modification
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            (4) C:\Windows\SysWOW64\notepad.exe
                command line: notepad

            (4) C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe
                - Suspicious use of WriteProcessMemory

                (5) C:\Windows\SysWOW64\PING.EXE
                    command line: ping 1.1.1.1
                    - Runs ping.exe

(1) C:\Windows\system32\AUDIODG.EXE
    command line: C:\Windows\system32\AUDIODG.EXE 0x4fc 0x4c8

(1) C:\Windows\system32\LogonUI.exe
    command line: "LogonUI.exe" /flags:0x0 /state0:0xa3990055 /state1:0x41c64e6d
    - Drops desktop.ini file(s)
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
Downloads
-
C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-1013461898-3711306144-4198452673-1000\ReadOnly\LockScreen_O\LockScreen___1280_0720_notdimmed.jpg
Filesize
307KB
MD5
54abf29e7e48fffbcc76271bafb47fec
SHA1
f37266fab79af8983080ee79ff2235c38206ab63
SHA256
5878638054f33e7f031d7f8c669e6090f2246c7a1daa6d5a03856b1da98023b3
SHA512
a667ca802c2f72f9bb69d2dd77170c73c815fae0ae193303a48abf59437a6fd8edbe71a0a5fb4ecbed5fa39841c4bba6e26e47b7011388950737c0f895fd8ed3
-
C:\Users\Admin\AppData\Roaming\sample.wav
Filesize
685B
MD5
e57ab2c18b339c60ee5b9a6c6a1ecb87
SHA1
e0d2cd3205c204c613d3132b7f7d3830f9ee808f
SHA256
c7a517529485bd85eb4a4f614488295af87644aa2eb68b3f3b0800aa22db98aa
SHA512
fa6773df0c6d19f12f5815323341f24d08d4e843869b1907f63321bb34e15e2046b6d9344fca21a460f4230fb07d72e043606a61ac377542899ca9c8d81613b6
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
334KB
MD5
94417934059ba8724ff5933a244441da
SHA1
3ac2b1bb84efd7284650ebb25c2a60d4665e8785
SHA256
d530105c5a60d787d0060424b996e547f3db4b2cfd12d1320d56f3b59a2f34e3
SHA512
3a7e6f666bbfc7b054f7d351c54915e16f57339628682fa5ac628619fb6b74e3216a53c79d861ac9f80e211f1df055e7f41f9bd4f83da49ef5883b854e8c2b68
-
memory/748-133-0x0000000000400000-0x00000000004E9000-memory.dmp
Filesize
932KB
-
memory/748-136-0x00000000022C0000-0x00000000022C1000-memory.dmp
Filesize
4KB
-
memory/748-200-0x0000000000400000-0x00000000004E9000-memory.dmp
Filesize
932KB
-
memory/1432-197-0x0000000000400000-0x00000000004E9000-memory.dmp
Filesize
932KB
-
memory/2064-199-0x00000000007F0000-0x00000000007F1000-memory.dmp
Filesize
4KB
-
memory/3956-198-0x0000000000400000-0x00000000004E9000-memory.dmp
Filesize
932KB
-
memory/4552-138-0x0000000000AB0000-0x0000000000AB1000-memory.dmp
Filesize
4KB