Overview

overview

10

Static

static

5

5943effc53...d0.exe

windows7_x64

10

5943effc53...d0.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    06-11-2020 10:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5943effc5341ed40e50e71b719d370031f4938d68f806204564ee4c71f2a68d0.exe

  • Size

    3.5MB

  • MD5

    1d1d1d3bbd32a651a4d3a5f7921d85f2

  • SHA1

    cabc5f91a11bda3a0b25b477093d7e7204b0c056

  • SHA256

    5943effc5341ed40e50e71b719d370031f4938d68f806204564ee4c71f2a68d0

  • SHA512

    40c4f55e07e6a8df507408fdd7443883fecd767d77ea57a0475e517050bcb2a31ba961d207b67d38ff64b673ff949822f734a8a3bfc1cfa13197769ad92a959a

Score
10/10
darkcometguest16evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

console-wifi.ddns.net:1604

Mutex

DC_MUTEX-8VGGSVK

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    ifCVVYKKmA7g

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 6 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\5943effc5341ed40e50e71b719d370031f4938d68f806204564ee4c71f2a68d0.exe
    "C:\Users\Admin\AppData\Local\Temp\5943effc5341ed40e50e71b719d370031f4938d68f806204564ee4c71f2a68d0.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3684
      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Checks computer location settings
        • Adds Run key to start application
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2128
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Server.exe" +s +h
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3988
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Local\Temp\Server.exe" +s +h
            5⤵
            • Views/modifies file attributes
            PID:3164
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3968
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            5⤵
            • Views/modifies file attributes
            PID:3156
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
            PID:1832
          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2364
            • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
              C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:804
              • C:\Windows\SysWOW64\notepad.exe
                notepad
                6⤵
                  PID:3928
        • C:\Users\Admin\AppData\Local\Temp\Program.exe
          "C:\Users\Admin\AppData\Local\Temp\Program.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2596
          • C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\setup.exe
            ".\setup.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3840

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Winlogon Helper DLL

      1
      T1004

      Hidden Files and Directories

      2
      T1158

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Hidden Files and Directories

      2
      T1158

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Program.exe
        MD5

        eb1463293c4ac8e5c99f26d3bbfd921a

        SHA1

        49e748069393dd518f32c285b8c666509e161f96

        SHA256

        a68cfb6e60498b2d9127e66bde8f57df7e4f3ec5ce4201718520d0e309e06976

        SHA512

        eaf3e70b79905812fa388643d211a7cf055e54261762d5d80a7ed73b617e5f2df5781492250a45523ea4cbcef7522902d643d403fa86aeb06b72fc15381c241a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Program.exe
        MD5

        eb1463293c4ac8e5c99f26d3bbfd921a

        SHA1

        49e748069393dd518f32c285b8c666509e161f96

        SHA256

        a68cfb6e60498b2d9127e66bde8f57df7e4f3ec5ce4201718520d0e309e06976

        SHA512

        eaf3e70b79905812fa388643d211a7cf055e54261762d5d80a7ed73b617e5f2df5781492250a45523ea4cbcef7522902d643d403fa86aeb06b72fc15381c241a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        MD5

        20c3e0029c9b5456c5ac15d93cc65904

        SHA1

        ced8d8ca4fae7af284196b050cce0f3ac57ed9ae

        SHA256

        a92d4c3236ec8bbadb74f42de7ebafbc66c3f11f5ae84903032e50bd83793928

        SHA512

        9f63578f350c5aeaca3e3b9bdb8c0c93cc1d2d44bc494f24430dbd193303135c766204ec6b1352c458e580781762c6ddbe45a82e20f4ac99ee208130c4a2e2de

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        MD5

        20c3e0029c9b5456c5ac15d93cc65904

        SHA1

        ced8d8ca4fae7af284196b050cce0f3ac57ed9ae

        SHA256

        a92d4c3236ec8bbadb74f42de7ebafbc66c3f11f5ae84903032e50bd83793928

        SHA512

        9f63578f350c5aeaca3e3b9bdb8c0c93cc1d2d44bc494f24430dbd193303135c766204ec6b1352c458e580781762c6ddbe45a82e20f4ac99ee208130c4a2e2de

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        MD5

        20c3e0029c9b5456c5ac15d93cc65904

        SHA1

        ced8d8ca4fae7af284196b050cce0f3ac57ed9ae

        SHA256

        a92d4c3236ec8bbadb74f42de7ebafbc66c3f11f5ae84903032e50bd83793928

        SHA512

        9f63578f350c5aeaca3e3b9bdb8c0c93cc1d2d44bc494f24430dbd193303135c766204ec6b1352c458e580781762c6ddbe45a82e20f4ac99ee208130c4a2e2de

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\FTwister.exe
        MD5

        77b433be94c9eca443c11fcf77c1d72b

        SHA1

        769769015bf74d009f0740bdadea247e1ee64705

        SHA256

        d87131fc3ae4851c0adcc61ea7fc07f8568f32ce1bd069ef6f56cae69292a700

        SHA512

        a3e229f000e2a8675e1a482f11204b4e516a68fb80667a04f546d4c76f7f9f79a8367f7c8dc00abb77233ba50febf9d319a4a68f93fe61e85daf125180613ed6

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\Setup.exe
        MD5

        70129043d8e6c20865eddf71d76dda25

        SHA1

        466fff0b395f280e60f5f7da573bd965aec8c60d

        SHA256

        ddd24730907c8320457fb87838a073707fee197b87eeba0b6fb36a9f4288d643

        SHA512

        4b72bfc245940934a448d6cc64e9369a2d1b60d6d3eaf9a29bb290dbd89ca61fad8c41eb3f4f4cc99bcef7adf02c606a76a21fb833785f1eb1f0064071deedd6

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\setup.exe
        MD5

        70129043d8e6c20865eddf71d76dda25

        SHA1

        466fff0b395f280e60f5f7da573bd965aec8c60d

        SHA256

        ddd24730907c8320457fb87838a073707fee197b87eeba0b6fb36a9f4288d643

        SHA512

        4b72bfc245940934a448d6cc64e9369a2d1b60d6d3eaf9a29bb290dbd89ca61fad8c41eb3f4f4cc99bcef7adf02c606a76a21fb833785f1eb1f0064071deedd6

        Download Submit
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        MD5

        20c3e0029c9b5456c5ac15d93cc65904

        SHA1

        ced8d8ca4fae7af284196b050cce0f3ac57ed9ae

        SHA256

        a92d4c3236ec8bbadb74f42de7ebafbc66c3f11f5ae84903032e50bd83793928

        SHA512

        9f63578f350c5aeaca3e3b9bdb8c0c93cc1d2d44bc494f24430dbd193303135c766204ec6b1352c458e580781762c6ddbe45a82e20f4ac99ee208130c4a2e2de

        Download Submit
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        MD5

        20c3e0029c9b5456c5ac15d93cc65904

        SHA1

        ced8d8ca4fae7af284196b050cce0f3ac57ed9ae

        SHA256

        a92d4c3236ec8bbadb74f42de7ebafbc66c3f11f5ae84903032e50bd83793928

        SHA512

        9f63578f350c5aeaca3e3b9bdb8c0c93cc1d2d44bc494f24430dbd193303135c766204ec6b1352c458e580781762c6ddbe45a82e20f4ac99ee208130c4a2e2de

        Download Submit
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        MD5

        20c3e0029c9b5456c5ac15d93cc65904

        SHA1

        ced8d8ca4fae7af284196b050cce0f3ac57ed9ae

        SHA256

        a92d4c3236ec8bbadb74f42de7ebafbc66c3f11f5ae84903032e50bd83793928

        SHA512

        9f63578f350c5aeaca3e3b9bdb8c0c93cc1d2d44bc494f24430dbd193303135c766204ec6b1352c458e580781762c6ddbe45a82e20f4ac99ee208130c4a2e2de

        Download Submit
      • memory/804-26-0x000000000048F888-mapping.dmp
        Download
      • memory/1832-17-0x0000000000000000-mapping.dmp
        Download
      • memory/1832-18-0x0000000000640000-0x0000000000641000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1832-19-0x0000000000000000-mapping.dmp
        Download
      • memory/2128-12-0x0000000000400000-0x00000000004B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2128-13-0x000000000048F888-mapping.dmp
        Download
      • memory/2364-22-0x0000000000000000-mapping.dmp
        Download
      • memory/2596-6-0x00000000745A0000-0x0000000074633000-memory.dmp
        Filesize

        588KB

        Download
      • memory/2596-3-0x0000000000000000-mapping.dmp
        Download
      • memory/3156-21-0x0000000000000000-mapping.dmp
        Download
      • memory/3164-20-0x0000000000000000-mapping.dmp
        Download
      • memory/3684-0-0x0000000000000000-mapping.dmp
        Download
      • memory/3840-10-0x00000000745A0000-0x0000000074633000-memory.dmp
        Filesize

        588KB

        Download
      • memory/3840-7-0x0000000000000000-mapping.dmp
        Download
      • memory/3928-28-0x0000000000000000-mapping.dmp
        Download
      • memory/3928-29-0x0000000003370000-0x0000000003371000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3928-30-0x0000000000000000-mapping.dmp
        Download
      • memory/3968-16-0x0000000000000000-mapping.dmp
        Download
      • memory/3988-15-0x0000000000000000-mapping.dmp
        Download