Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14-01-2025 06:02
Behavioral task
behavioral1
Sample
HAXIMIZE-V2.0CRACKED.exe
Resource
win7-20240903-en
windows7-x64
20 signatures
150 seconds
General
-
Target
HAXIMIZE-V2.0CRACKED.exe
-
Size
658KB
-
MD5
efa6a56bc92b0d9e88d95bdeae626fca
-
SHA1
99a1864c799f9c79ac646c9bdab868ba55fc7029
-
SHA256
d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6
-
SHA512
439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0
-
SSDEEP
12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hD:KZ1xuVVjfFoynPaVBUR8f+kN10EBJ
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
sussysdfffdfff343.duckdns.org:1604
Mutex
DC_MUTEX-QH9A6P4
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
YBnxcFaotAui
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
JavaUpdater
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" HAXIMIZE-V2.0CRACKED.exe -
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" iexplore.exe -
Modifies security service 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" iexplore.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe -
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" iexplore.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 2716 attrib.exe 2572 attrib.exe -
Executes dropped EXE 1 IoCs
pid Process 3064 msdcsc.exe -
Loads dropped DLL 2 IoCs
pid Process 1792 HAXIMIZE-V2.0CRACKED.exe 1792 HAXIMIZE-V2.0CRACKED.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" HAXIMIZE-V2.0CRACKED.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" iexplore.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3064 set thread context of 2744 3064 msdcsc.exe 37 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdcsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HAXIMIZE-V2.0CRACKED.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2744 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeSecurityPrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeTakeOwnershipPrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeLoadDriverPrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeSystemProfilePrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeSystemtimePrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeProfSingleProcessPrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeIncBasePriorityPrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeCreatePagefilePrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeBackupPrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeRestorePrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeShutdownPrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeDebugPrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeSystemEnvironmentPrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeChangeNotifyPrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeRemoteShutdownPrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeUndockPrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeManageVolumePrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeImpersonatePrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeCreateGlobalPrivilege 1792 HAXIMIZE-V2.0CRACKED.exe Token: 33 1792 HAXIMIZE-V2.0CRACKED.exe Token: 34 1792 HAXIMIZE-V2.0CRACKED.exe Token: 35 1792 HAXIMIZE-V2.0CRACKED.exe Token: SeIncreaseQuotaPrivilege 3064 msdcsc.exe Token: SeSecurityPrivilege 3064 msdcsc.exe Token: SeTakeOwnershipPrivilege 3064 msdcsc.exe Token: SeLoadDriverPrivilege 3064 msdcsc.exe Token: SeSystemProfilePrivilege 3064 msdcsc.exe Token: SeSystemtimePrivilege 3064 msdcsc.exe Token: SeProfSingleProcessPrivilege 3064 msdcsc.exe Token: SeIncBasePriorityPrivilege 3064 msdcsc.exe Token: SeCreatePagefilePrivilege 3064 msdcsc.exe Token: SeBackupPrivilege 3064 msdcsc.exe Token: SeRestorePrivilege 3064 msdcsc.exe Token: SeShutdownPrivilege 3064 msdcsc.exe Token: SeDebugPrivilege 3064 msdcsc.exe Token: SeSystemEnvironmentPrivilege 3064 msdcsc.exe Token: SeChangeNotifyPrivilege 3064 msdcsc.exe Token: SeRemoteShutdownPrivilege 3064 msdcsc.exe Token: SeUndockPrivilege 3064 msdcsc.exe Token: SeManageVolumePrivilege 3064 msdcsc.exe Token: SeImpersonatePrivilege 3064 msdcsc.exe Token: SeCreateGlobalPrivilege 3064 msdcsc.exe Token: 33 3064 msdcsc.exe Token: 34 3064 msdcsc.exe Token: 35 3064 msdcsc.exe Token: SeIncreaseQuotaPrivilege 2744 iexplore.exe Token: SeSecurityPrivilege 2744 iexplore.exe Token: SeTakeOwnershipPrivilege 2744 iexplore.exe Token: SeLoadDriverPrivilege 2744 iexplore.exe Token: SeSystemProfilePrivilege 2744 iexplore.exe Token: SeSystemtimePrivilege 2744 iexplore.exe Token: SeProfSingleProcessPrivilege 2744 iexplore.exe Token: SeIncBasePriorityPrivilege 2744 iexplore.exe Token: SeCreatePagefilePrivilege 2744 iexplore.exe Token: SeBackupPrivilege 2744 iexplore.exe Token: SeRestorePrivilege 2744 iexplore.exe Token: SeShutdownPrivilege 2744 iexplore.exe Token: SeDebugPrivilege 2744 iexplore.exe Token: SeSystemEnvironmentPrivilege 2744 iexplore.exe Token: SeChangeNotifyPrivilege 2744 iexplore.exe Token: SeRemoteShutdownPrivilege 2744 iexplore.exe Token: SeUndockPrivilege 2744 iexplore.exe Token: SeManageVolumePrivilege 2744 iexplore.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2744 iexplore.exe -
Suspicious use of WriteProcessMemory 49 IoCs
description pid Process procid_target PID 1792 wrote to memory of 2568 1792 HAXIMIZE-V2.0CRACKED.exe 30 PID 1792 wrote to memory of 2568 1792 HAXIMIZE-V2.0CRACKED.exe 30 PID 1792 wrote to memory of 2568 1792 HAXIMIZE-V2.0CRACKED.exe 30 PID 1792 wrote to memory of 2568 1792 HAXIMIZE-V2.0CRACKED.exe 30 PID 1792 wrote to memory of 1624 1792 HAXIMIZE-V2.0CRACKED.exe 31 PID 1792 wrote to memory of 1624 1792 HAXIMIZE-V2.0CRACKED.exe 31 PID 1792 wrote to memory of 1624 1792 HAXIMIZE-V2.0CRACKED.exe 31 PID 1792 wrote to memory of 1624 1792 HAXIMIZE-V2.0CRACKED.exe 31 PID 1624 wrote to memory of 2716 1624 cmd.exe 34 PID 1624 wrote to memory of 2716 1624 cmd.exe 34 PID 1624 wrote to memory of 2716 1624 cmd.exe 34 PID 1624 wrote to memory of 2716 1624 cmd.exe 34 PID 2568 wrote to memory of 2572 2568 cmd.exe 35 PID 2568 wrote to memory of 2572 2568 cmd.exe 35 PID 2568 wrote to memory of 2572 2568 cmd.exe 35 PID 2568 wrote to memory of 2572 2568 cmd.exe 35 PID 1792 wrote to memory of 3064 1792 HAXIMIZE-V2.0CRACKED.exe 36 PID 1792 wrote to memory of 3064 1792 HAXIMIZE-V2.0CRACKED.exe 36 PID 1792 wrote to memory of 3064 1792 HAXIMIZE-V2.0CRACKED.exe 36 PID 1792 wrote to memory of 3064 1792 HAXIMIZE-V2.0CRACKED.exe 36 PID 3064 wrote to memory of 2744 3064 msdcsc.exe 37 PID 3064 wrote to memory of 2744 3064 msdcsc.exe 37 PID 3064 wrote to memory of 2744 3064 msdcsc.exe 37 PID 3064 wrote to memory of 2744 3064 msdcsc.exe 37 PID 3064 wrote to memory of 2744 3064 msdcsc.exe 37 PID 3064 wrote to memory of 2744 3064 msdcsc.exe 37 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 PID 2744 wrote to memory of 2848 2744 iexplore.exe 38 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 2716 attrib.exe 2572 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0CRACKED.exe"C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0CRACKED.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0CRACKED.exe" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0CRACKED.exe" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2572
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2716
-
-
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\notepad.exenotepad4⤵
- System Location Discovery: System Language Discovery
PID:2848
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
658KB
MD5efa6a56bc92b0d9e88d95bdeae626fca
SHA199a1864c799f9c79ac646c9bdab868ba55fc7029
SHA256d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6
SHA512439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0