Analysis
-
max time kernel
147s -
max time network
136s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
25-03-2021 22:00
General
-
Target
Wolfteam/Hack.exe
Malware Config
Extracted
darkcomet
Guest16
olmayanoc.duckdns.org:1604
DC_MUTEX-CWXJ2HG
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
uEE4dQifbptz
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Wolfteam\Hack.exe"C:\Users\Admin\AppData\Local\Temp\Wolfteam\Hack.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
1d5349887bf319b3883a8e84797f2f0f
SHA13dd4311bdaee5164f1d4e4b3183fea9262a0a721
SHA256a2aacc0b545223c09ebf8540450cd436d1fe4274b10660c4cb90b2dd35727a39
SHA512e9faf7ad9998c6d0c9831eca28ad4822140d0b55dcb28974101a2b8e8a1fb0ef3a9f9aacc1f797440316a10dd3b03c6a13b4276b113d55689ce66825bc470680
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
1d5349887bf319b3883a8e84797f2f0f
SHA13dd4311bdaee5164f1d4e4b3183fea9262a0a721
SHA256a2aacc0b545223c09ebf8540450cd436d1fe4274b10660c4cb90b2dd35727a39
SHA512e9faf7ad9998c6d0c9831eca28ad4822140d0b55dcb28974101a2b8e8a1fb0ef3a9f9aacc1f797440316a10dd3b03c6a13b4276b113d55689ce66825bc470680
-
\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
1d5349887bf319b3883a8e84797f2f0f
SHA13dd4311bdaee5164f1d4e4b3183fea9262a0a721
SHA256a2aacc0b545223c09ebf8540450cd436d1fe4274b10660c4cb90b2dd35727a39
SHA512e9faf7ad9998c6d0c9831eca28ad4822140d0b55dcb28974101a2b8e8a1fb0ef3a9f9aacc1f797440316a10dd3b03c6a13b4276b113d55689ce66825bc470680
-
\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
1d5349887bf319b3883a8e84797f2f0f
SHA13dd4311bdaee5164f1d4e4b3183fea9262a0a721
SHA256a2aacc0b545223c09ebf8540450cd436d1fe4274b10660c4cb90b2dd35727a39
SHA512e9faf7ad9998c6d0c9831eca28ad4822140d0b55dcb28974101a2b8e8a1fb0ef3a9f9aacc1f797440316a10dd3b03c6a13b4276b113d55689ce66825bc470680
-
memory/1340-6-0x0000000000000000-mapping.dmp
-
memory/1340-10-0x00000000003D0000-0x00000000003D1000-memory.dmpFilesize
4KB
-
memory/1416-11-0x0000000000400000-0x00000000004E1000-memory.dmpFilesize
900KB
-
memory/1416-12-0x000000000048F888-mapping.dmp
-
memory/1676-2-0x0000000075A41000-0x0000000075A43000-memory.dmpFilesize
8KB
-
memory/1676-3-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB