Overview

overview

10

Static

static

10

44e72945b2...d6.exe

windows7_x64

10

44e72945b2...d6.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    15-05-2021 18:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6.exe

  • Size

    1.6MB

  • MD5

    49ad81fde492c509161ed75c94e61633

  • SHA1

    0c494c7a110022d19808f6e4dbc9e3e103c912c6

  • SHA256

    44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6

  • SHA512

    08a795ebed9cf08b913f781b866b3e8e0e6cb854e5d224981cb821f2afaea8b9013a1412a266b321f32fcbadd6a12d2018a8cd9f7b9a5843ff7421ec76e97520

Score
10/10
darkcomet0006285155275evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

0006285155275

C2

wsws.myftp.org:2222

Mutex

DC_MUTEX-HB8VFRH

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    GixsKsK0q5Nb

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6.exe
    "C:\Users\Admin\AppData\Local\Temp\44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3984
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\2019__INÖNÜ_YÖS_SiNAV_SORULARi.PDF"
      2⤵
      • Checks processor information in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2132
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=14566F153A18BC811684586CAE5504DA --mojo-platform-channel-handle=1628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
            PID:736
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3EAC4E8E366572778A61C75208871F9B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3EAC4E8E366572778A61C75208871F9B --renderer-client-id=2 --mojo-platform-channel-handle=1620 --allow-no-sandbox-job /prefetch:1
            4⤵
              PID:3340
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6754EF5867A208C8F0AE59B9F1F7012B --mojo-platform-channel-handle=2188 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              4⤵
                PID:4132
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5EB0D522A90C483ECC5FD7A8606F5F1D --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                4⤵
                  PID:4236
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B81B5E4F6BB22F5C2B2957D2C36ED5D4 --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                  4⤵
                    PID:4336
              • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe
                "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe"
                2⤵
                • Modifies firewall policy service
                • Modifies security service
                • Executes dropped EXE
                • Windows security modification
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2732
                • C:\Windows\SysWOW64\notepad.exe
                  notepad
                  3⤵
                    PID:3996

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe
                MD5

                49ad81fde492c509161ed75c94e61633

                SHA1

                0c494c7a110022d19808f6e4dbc9e3e103c912c6

                SHA256

                44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6

                SHA512

                08a795ebed9cf08b913f781b866b3e8e0e6cb854e5d224981cb821f2afaea8b9013a1412a266b321f32fcbadd6a12d2018a8cd9f7b9a5843ff7421ec76e97520

                Download Submit
              • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe
                MD5

                49ad81fde492c509161ed75c94e61633

                SHA1

                0c494c7a110022d19808f6e4dbc9e3e103c912c6

                SHA256

                44e72945b261534ce07e4af390ecc8ba876999b71589e0100f30634509196bd6

                SHA512

                08a795ebed9cf08b913f781b866b3e8e0e6cb854e5d224981cb821f2afaea8b9013a1412a266b321f32fcbadd6a12d2018a8cd9f7b9a5843ff7421ec76e97520

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\2019__INÖNÜ_YÖS_SiNAV_SORULARi.PDF
                MD5

                d41d8cd98f00b204e9800998ecf8427e

                SHA1

                da39a3ee5e6b4b0d3255bfef95601890afd80709

                SHA256

                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                SHA512

                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                Download Submit
              • memory/736-126-0x0000000000000000-mapping.dmp
                Download
              • memory/736-124-0x0000000077542000-0x000000007754200C-memory.dmp
                Filesize

                12B

                Download
              • memory/1900-115-0x0000000000000000-mapping.dmp
                Download
              • memory/2132-123-0x0000000000000000-mapping.dmp
                Download
              • memory/2732-121-0x0000000002190000-0x0000000002191000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2732-116-0x0000000000000000-mapping.dmp
                Download
              • memory/3340-127-0x0000000077542000-0x000000007754200C-memory.dmp
                Filesize

                12B

                Download
              • memory/3340-130-0x0000000000000000-mapping.dmp
                Download
              • memory/3984-114-0x0000000000870000-0x0000000000871000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3996-122-0x00000000007C0000-0x00000000007C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3996-120-0x0000000000000000-mapping.dmp
                Download
              • memory/4132-134-0x0000000077542000-0x000000007754200C-memory.dmp
                Filesize

                12B

                Download
              • memory/4132-136-0x0000000000000000-mapping.dmp
                Download
              • memory/4236-140-0x0000000000000000-mapping.dmp
                Download
              • memory/4236-138-0x0000000077542000-0x000000007754200C-memory.dmp
                Filesize

                12B

                Download
              • memory/4336-142-0x0000000077542000-0x000000007754200C-memory.dmp
                Filesize

                12B

                Download
              • memory/4336-144-0x0000000000000000-mapping.dmp
                Download